Permalink
Browse files

return NOTIMP for direct RRSIG request

  • Loading branch information...
1 parent c79addc commit f0b3b248ac6dd4b35aa72ca8fe8ed1e0093bae3c @mind04 mind04 committed with mind04 Apr 11, 2013
Showing with 5 additions and 135 deletions.
  1. +5 −135 pdns/packethandler.cc
View
@@ -839,138 +839,6 @@ DNSPacket *PacketHandler::question(DNSPacket *p)
return ret;
}
-void PacketHandler::synthesiseRRSIGs(DNSPacket* p, DNSPacket* r)
-{
- DLOG(L<<"Need to synthesise the RRSIGs if someone asked for them explicitly"<<endl);
- typedef map<uint16_t, vector<shared_ptr<DNSRecordContent> > > records_t;
- typedef map<uint16_t, uint32_t> ttls_t;
- records_t records;
- ttls_t ttls;
-
- NSECRecordContent nrc;
- NSEC3RecordContent n3rc;
- nrc.d_set.insert(QType::RRSIG);
-
- DNSResourceRecord rr;
-
- SOAData sd;
- sd.db=(DNSBackend *)-1; // force uncached answer
- getAuth(p, &sd, p->qdomain, 0);
-
- bool narrow;
- NSEC3PARAMRecordContent ns3pr;
- bool doNSEC3= d_dk.getNSEC3PARAM(sd.qname, &ns3pr, &narrow);
-
- B.lookup(QType(QType::ANY), p->qdomain, p);
-
- bool haveone=false;
- while(B.get(rr)) {
- haveone=true;
- if(!((rr.auth && rr.qtype.getCode()) || (!(doNSEC3 && ns3pr.d_flags) && rr.qtype.getCode() == QType::NS)))
- continue;
-
- // make sure all fields are present in the SOA content
- if(rr.qtype.getCode() == QType::SOA) {
- rr.content = serializeSOAData(sd);
- }
-
- // this deals with the 'prio' mismatch!
- if(rr.qtype.getCode()==QType::MX || rr.qtype.getCode() == QType::SRV) {
- rr.content = lexical_cast<string>(rr.priority) + " " + rr.content;
- }
-
- // fix direct DNSKEY ttl
- if(::arg().mustDo("direct-dnskey") && rr.qtype.getCode() == QType::DNSKEY) {
- rr.ttl = sd.default_ttl;
- }
-
- if(!rr.content.empty() && rr.qtype.getCode()==QType::TXT && rr.content[0]!='"') {
- rr.content="\""+rr.content+"\"";
- }
- if(rr.content.empty()) // empty contents confuse the MOADNS setup
- rr.content=".";
- shared_ptr<DNSRecordContent> drc(DNSRecordContent::mastermake(rr.qtype.getCode(), 1, rr.content));
-
- records[rr.qtype.getCode()].push_back(drc);
- ttls[rr.qtype.getCode()]=rr.ttl;
- nrc.d_set.insert(rr.qtype.getCode());
- }
-
- if(records.empty()) {
- if (haveone)
- makeNOError(p, r, p->qdomain, "", sd, 0);
- return;
- }
-
- if(pdns_iequals(p->qdomain, sd.qname)) { // Add DNSKEYs at apex
- DNSSECPrivateKey dpk;
-
- DNSSECKeeper::keyset_t keyset = d_dk.getKeys(p->qdomain);
- BOOST_FOREACH(DNSSECKeeper::keyset_t::value_type value, keyset) {
-
- records[QType::DNSKEY].push_back(shared_ptr<DNSRecordContent>(DNSRecordContent::mastermake(QType::DNSKEY, 1, value.first.getDNSKEY().getZoneRepresentation())));
- ttls[QType::DNSKEY]=sd.default_ttl;
- nrc.d_set.insert(QType::DNSKEY);
- }
- }
-
- string before,after;
- string unhashed(p->qdomain);
-
- if(doNSEC3) {
- // now get the NSEC3 and NSEC3PARAM
- string hashed=hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, unhashed);
- getNSEC3Hashes(narrow, sd.db, sd.domain_id, hashed, false, unhashed, before, after);
- unhashed=dotConcat(toLower(toBase32Hex(before)), sd.qname);
-
- n3rc.d_set=nrc.d_set; // Copy d_set from NSEC
- n3rc.d_algorithm=ns3pr.d_algorithm;
- n3rc.d_flags=ns3pr.d_flags;
- n3rc.d_iterations=ns3pr.d_iterations;
- n3rc.d_salt=ns3pr.d_salt;
- n3rc.d_nexthash=after;
-
- if(pdns_iequals(p->qdomain, sd.qname)) {
- ns3pr.d_flags = 0; // the NSEC3PARAM 'flag' is defined to always be zero in RFC5155.
-
- records[QType::NSEC3PARAM].push_back(shared_ptr<DNSRecordContent>(DNSRecordContent::mastermake(QType::NSEC3PARAM, 1, ns3pr.getZoneRepresentation())));
- ttls[QType::NSEC3PARAM]=sd.default_ttl;
- n3rc.d_set.insert(QType::NSEC3PARAM);
- }
-
- // ok, the NSEC3PARAM is in..
- }
- else {
- // now get the NSEC too (since we must sign it!)
- sd.db->getBeforeAndAfterNames(sd.domain_id, sd.qname, p->qdomain, before, after);
-
- nrc.d_set.insert(QType::NSEC);
- nrc.d_next=after;
-
- records[QType::NSEC].push_back(shared_ptr<DNSRecordContent>(DNSRecordContent::mastermake(QType::NSEC, 1, nrc.getZoneRepresentation())));
- ttls[QType::NSEC]=sd.default_ttl;
-
- // ok, the NSEC is in..
- }
- DLOG(L<<"Have "<<records.size()<<" rrsets to sign"<<endl);
-
- rr.auth = 0; // please don't sign this!
- rr.d_place = DNSResourceRecord::ANSWER;
- rr.qtype = QType::RRSIG;
-
- vector<DNSResourceRecord> rrsigs;
-
- BOOST_FOREACH(records_t::value_type& iter, records) {
- rr.qname=(doNSEC3 && iter.first == QType::NSEC3) ? unhashed : p->qdomain;
- rr.ttl=ttls[iter.first];
-
- addSignature(d_dk, B, sd.qname, rr.qname, rr.qname, iter.first, rr.ttl, DNSPacketWriter::ANSWER, iter.second, rrsigs, rr.ttl);
- }
-
- BOOST_FOREACH(DNSResourceRecord& rr, rrsigs)
- r->addRecord(rr);
-}
-
void PacketHandler::makeNXDomain(DNSPacket* p, DNSPacket* r, const std::string& target, const std::string& wildcard, SOAData& sd)
{
DNSResourceRecord rr;
@@ -1193,7 +1061,8 @@ DNSPacket *PacketHandler::questionOrRecurse(DNSPacket *p, bool *shouldRecurse)
if(doVersionRequest(p,r,target)) // catch version.bind requests
goto sendit;
- if((p->qtype.getCode() == QType::ANY || p->qtype.getCode() == QType::RRSIG) && !p->d_tcp && g_anyToTcp) {
+ // send TC for udp ANY query if any-to-tcp is enabled.
+ if(p->qtype.getCode() == QType::ANY && !p->d_tcp && g_anyToTcp) {
r->d.tc = 1;
r->commitD();
return r;
@@ -1268,8 +1137,9 @@ DNSPacket *PacketHandler::questionOrRecurse(DNSPacket *p, bool *shouldRecurse)
}
// this TRUMPS a cname!
- if(p->qtype.getCode() == QType::RRSIG && d_dk.isSecuredZone(sd.qname)) {
- synthesiseRRSIGs(p, r);
+ if(p->qtype.getCode() == QType::RRSIG) {
+ L<<Logger::Info<<"Direct RRSIG query for "<<target<<" from "<<p->getRemote()<<endl;
+ r->setRcode(RCode::NotImp);
goto sendit;
}

0 comments on commit f0b3b24

Please sign in to comment.