PowerDNS does not return RRSIG records for wildcard records in presigned zones #460

Closed
Habbie opened this Issue Apr 26, 2013 · 5 comments


@Habbie
Member
Habbie commented Apr 26, 2013

When running a presigned zone with DNSSEC enabled, PowerDNS does not return an RRSIG record for 'wildcard' DNS records of the form *.domain.com. Instead it just returns the matching wildcard record and the correct NSEC3 records denying the existence of an exact match. For live signing or non-wildcard records the behaviour is as expected (an RRSIG for the wildcard + NSEC3s).

I believe this can be fixed by changing line 87 in function addSignature in dnssecsigner.cc from:

dk.getPreRRSIGs(db, signer, signQName, QType(signQType), signPlace, outsigned); // does it all

to:

dk.getPreRRSIGs(db, signer, wildcardname.empty() ? signQName : wildcardname, QType(signQType), signPlace, outsigned); // does it all

which is similar to the line below that code pertaining to the live-signing case.

@Habbie Habbie was assigned Apr 26, 2013
@Habbie Habbie closed this Apr 26, 2013
@Habbie
Member
Habbie commented Apr 26, 2013

Attachment 'Patch as submitted to pdns-dev' (pdns-ticket-460.diff) https://gist.github.com/5466742

@Habbie
Member
Habbie commented Apr 26, 2013

Author: anon
That patch is not sufficient, as it does not correctly set the name of the RRSIG record (it keeps it as *.domain.com, which does not match the name of the returned record). Maybe getPreRRSIGs needs to be changed to accept an additional parameter?

@Habbie
Member
Habbie commented Apr 26, 2013

Author: anon
In addition to the patch above, it would be necessary to change the parameters of getPreRRSIGs to include addSignature's signQName, then use that to set rr.qname on the RRSIG records in the loop.
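A model of the two-part fix discussed in the issue body and the two comments above, as an added C++ example that is not PowerDNS code: the presigned lookup uses the wildcard owner name, while the RRSIG placed in the answer carries the queried name. The Record and PresignedStore types, the sampleStore() helper and the simplified signatures of getPreRRSIGs/addSignature are assumptions for this example; the RRSIG contents are constructed placeholders.

```cpp
#include <map>
#include <string>
#include <utility>
#include <vector>

// Constructed stand-in for a PowerDNS resource record (not the real type).
struct Record {
    std::string qname;    // owner name as it appears in the answer
    std::string qtype;    // "A", "RRSIG", ...
    std::string content;
};

// Presigned zone store: RRSIGs are kept under the owner they were generated
// for, so the signature over *.domain.com is stored under "*.domain.com".
using PresignedStore =
    std::map<std::pair<std::string, std::string>, std::vector<std::string>>;

// Model of getPreRRSIGs() with the extra parameter the thread proposes:
// look up by 'lookupName', but label each RRSIG with 'signQName'.
// A stored wildcard signature stays valid under the expanded name because
// its labels field (2 for *.domain.com) tells validators it was wildcard-
// expanded; only the owner name in the answer has to be the queried name.
std::vector<Record> getPreRRSIGs(const PresignedStore& store,
                                 const std::string& lookupName,
                                 const std::string& type,
                                 const std::string& signQName) {
    std::vector<Record> out;
    auto it = store.find({lookupName, type});
    if (it == store.end()) return out;   // pre-patch wildcard case: nothing found
    for (const auto& sig : it->second) {
        out.push_back(Record{signQName, "RRSIG", sig});
    }
    return out;
}

// Model of addSignature(): 'wildcardname' is empty unless the answer came
// from wildcard expansion, mirroring the live-signing branch.
std::vector<Record> addSignature(const PresignedStore& store,
                                 const std::string& signQName,
                                 const std::string& type,
                                 const std::string& wildcardname) {
    const std::string& lookup = wildcardname.empty() ? signQName : wildcardname;
    return getPreRRSIGs(store, lookup, type, signQName);
}

// Constructed sample store: one exact-match name and one wildcard.
PresignedStore sampleStore() {
    PresignedStore s;
    s[{"www.domain.com", "A"}] = {"A 8 3 3600 (constructed sig for www)"};
    s[{"*.domain.com", "A"}]   = {"A 8 2 3600 (constructed sig for wildcard)"};
    return s;
}
```

Querying foo.domain.com with the old lookup by signQName alone finds no RRSIG; with the wildcard lookup plus the signQName parameter, the answer carries one RRSIG owned by foo.domain.com.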

@Habbie
Member
Habbie commented Apr 26, 2013

Author: peter
Text from pdns-dev related to the attached patch:

In short: when running a zone in presigned mode and querying a name for which only a matching *.domain.com record exists, PowerDNS does not add an RRSIG record to the result. The attached patch lets PowerDNS add the RRSIG record for the wildcard record with the same name as the original queried name, which is identical to the records PowerDNS returns when doing live signing.

@Habbie
Member
Habbie commented Apr 26, 2013

Author: peter
Applied in r2676, thanks!
