diff -ur pdns-3.1/pdns/backends/bind/bindbackend2.cc pdns-3.1.new/pdns/backends/bind/bindbackend2.cc | |
--- pdns-3.1/pdns/backends/bind/bindbackend2.cc 2012-05-04 12:13:23.000000000 +0200 | |
+++ pdns-3.1.new/pdns/backends/bind/bindbackend2.cc 2012-07-03 10:43:25.000000000 +0200 | |
@@ -890,7 +890,7 @@ | |
return true; | |
} | |
-bool Bind2Backend::getBeforeAndAfterNamesAbsolute(uint32_t id, const std::string& qname, std::string& unhashed, std::string& before, std::string& after) | |
+bool Bind2Backend::getBeforeAndAfterNamesAbsolute(uint32_t id, const std::string& qname, bool previous, std::string& unhashed, std::string& before, std::string& after) | |
{ | |
shared_ptr<State> state = s_state; | |
BB2DomainInfo& bbd = state->id_zone_map[id]; | |
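Review bot: The Bind2Backend override now accepts `previous`, but none of the visible lines consume it, whereas GSQLBackend steps the hash back before its before-order query when the flag is set; if the remainder of this body (outside the hunk) ignores the flag, the two backends will return different before/after pairs for the same mode-3 request and the NSEC3 wildcard proof will depend on which backend serves the zone. Either apply the equivalent decrement step here or state in bindbackend2.hh that this backend ignores `previous`, so the packethandler caller knows the proof may be wrong for bind-backed zones. getBeforeAndAfterNamesAbsolute's body continues past the hunk.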
diff -ur pdns-3.1/pdns/backends/bind/bindbackend2.hh pdns-3.1.new/pdns/backends/bind/bindbackend2.hh | |
--- pdns-3.1/pdns/backends/bind/bindbackend2.hh 2012-05-04 12:13:23.000000000 +0200 | |
+++ pdns-3.1.new/pdns/backends/bind/bindbackend2.hh 2012-07-03 10:28:47.000000000 +0200 | |
@@ -132,7 +132,7 @@ | |
bool getDomainInfo(const string &domain, DomainInfo &di); | |
time_t getCtime(const string &fname); | |
// DNSSEC | |
- virtual bool getBeforeAndAfterNamesAbsolute(uint32_t id, const std::string& qname, std::string& unhashed, std::string& before, std::string& after); | |
+ virtual bool getBeforeAndAfterNamesAbsolute(uint32_t id, const std::string& qname, bool previous, std::string& unhashed, std::string& before, std::string& after); | |
void lookup(const QType &, const string &qdomain, DNSPacket *p=0, int zoneId=-1); | |
bool list(const string &target, int id); | |
bool get(DNSResourceRecord &); | |
diff -ur pdns-3.1/pdns/backends/gsql/gsqlbackend.cc pdns-3.1.new/pdns/backends/gsql/gsqlbackend.cc | |
--- pdns-3.1/pdns/backends/gsql/gsqlbackend.cc 2012-05-04 12:13:23.000000000 +0200 | |
+++ pdns-3.1.new/pdns/backends/gsql/gsqlbackend.cc 2012-07-03 12:05:06.000000000 +0200 | |
@@ -34,6 +34,7 @@ | |
#include "pdns/ahuexception.hh" | |
#include "pdns/logger.hh" | |
#include "pdns/arguments.hh" | |
+#include "pdns/base32.hh" | |
#include <boost/algorithm/string.hpp> | |
#include <sstream> | |
#include <boost/foreach.hpp> | |
@@ -337,7 +338,7 @@ | |
return true; | |
} | |
-bool GSQLBackend::getBeforeAndAfterNamesAbsolute(uint32_t id, const std::string& qname, std::string& unhashed, std::string& before, std::string& after) | |
+bool GSQLBackend::getBeforeAndAfterNamesAbsolute(uint32_t id, const std::string& qname, bool previous, std::string& unhashed, std::string& before, std::string& after) | |
{ | |
if(!d_dnssecQueries) | |
return false; | |
@@ -365,6 +366,11 @@ | |
} | |
} | |
+ if (previous) { | |
+ fromBase32Hex(lcqname); | |
+ decrementHash(lcqname); | |
+ toBase32Hex(lcqname); | |
+ } | |
snprintf(output, sizeof(output)-1, d_beforeOrderQuery.c_str(), sqlEscape(lcqname).c_str(), id); | |
d_db->doQuery(output); | |
while(d_db->getRow(row)) { | |
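Review bot: The three added lines do not transform `lcqname` the way they read: `fromBase32Hex` and `toBase32Hex` return the converted string (packethandler.cc assigns `before=fromBase32Hex(before)` in this same patch), so both results are discarded here and `decrementHash` operates on the base32 text instead of the raw hash. Decrementing the text also turns a trailing '0' into '/' and 'a' into '`', yielding an ordername that cannot match any stored row, so the before-order query silently returns the wrong neighbour. Use the return values: `string raw = fromBase32Hex(lcqname); decrementHash(raw); lcqname = toBase32Hex(raw);` and, if ordernames are stored lower-case as the caller's `toLower(toBase32Hex(hashed))` suggests, lower-case the re-encoded value the same way. The function body starts before this hunk.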
diff -ur pdns-3.1/pdns/backends/gsql/gsqlbackend.hh pdns-3.1.new/pdns/backends/gsql/gsqlbackend.hh | |
--- pdns-3.1/pdns/backends/gsql/gsqlbackend.hh 2012-05-04 12:13:23.000000000 +0200 | |
+++ pdns-3.1.new/pdns/backends/gsql/gsqlbackend.hh 2012-07-03 09:31:15.000000000 +0200 | |
@@ -40,7 +40,7 @@ | |
void getUpdatedMasters(vector<DomainInfo> *updatedDomains); | |
bool getDomainInfo(const string &domain, DomainInfo &di); | |
void setNotified(uint32_t domain_id, uint32_t serial); | |
- virtual bool getBeforeAndAfterNamesAbsolute(uint32_t id, const std::string& qname, std::string& unhashed, std::string& before, std::string& after); | |
+ virtual bool getBeforeAndAfterNamesAbsolute(uint32_t id, const std::string& qname, bool previous, std::string& unhashed, std::string& before, std::string& after); | |
bool updateDNSSECOrderAndAuth(uint32_t domain_id, const std::string& zonename, const std::string& qname, bool auth); | |
virtual bool updateDNSSECOrderAndAuthAbsolute(uint32_t domain_id, const std::string& qname, const std::string& ordername, bool auth); | |
virtual bool nullifyDNSSECOrderNameAndAuth(uint32_t domain_id, const std::string& qname, const std::string& type); | |
diff -ur pdns-3.1/pdns/dnsbackend.cc pdns-3.1.new/pdns/dnsbackend.cc | |
--- pdns-3.1/pdns/dnsbackend.cc 2012-05-04 12:13:23.000000000 +0200 | |
+++ pdns-3.1.new/pdns/dnsbackend.cc 2012-07-03 10:52:31.000000000 +0200 | |
@@ -249,14 +249,14 @@ | |
return true; | |
} | |
-bool DNSBackend::getBeforeAndAfterNames(uint32_t id, const std::string& zonename, const std::string& qname, std::string& before, std::string& after) | |
+bool DNSBackend::getBeforeAndAfterNames(uint32_t id, const std::string& zonename, bool previous, const std::string& qname, std::string& before, std::string& after) | |
{ | |
string lcqname=toLower(qname); | |
lcqname=makeRelative(qname, zonename); | |
lcqname=labelReverse(lcqname); | |
string dnc; | |
- bool ret = this->getBeforeAndAfterNamesAbsolute(id, lcqname, dnc, before, after); | |
+ bool ret = this->getBeforeAndAfterNamesAbsolute(id, lcqname, previous, dnc, before, after); | |
before=dotConcat(labelReverse(before), zonename); | |
after=dotConcat(labelReverse(after), zonename); | |
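Review bot: `previous` is inserted between `zonename` and `qname` in getBeforeAndAfterNames, while getBeforeAndAfterNamesAbsolute (called on the next changed line) places it after `qname`; with several string references around one bool, a swapped argument at a call site still compiles, so keeping the flag in the same relative position in both signatures, `..., const std::string& qname, bool previous, std::string& before, ...`, makes the pair easier to read and audit. The body continues past the hunk.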
diff -ur pdns-3.1/pdns/dnsbackend.hh pdns-3.1.new/pdns/dnsbackend.hh | |
--- pdns-3.1/pdns/dnsbackend.hh 2012-05-04 12:13:23.000000000 +0200 | |
+++ pdns-3.1.new/pdns/dnsbackend.hh 2012-07-03 10:52:19.000000000 +0200 | |
@@ -117,14 +117,14 @@ | |
virtual bool getTSIGKey(const string& name, string* algorithm, string* content) { return false; } | |
- virtual bool getBeforeAndAfterNamesAbsolute(uint32_t id, const std::string& qname, std::string& unhashed, std::string& before, std::string& after) | |
+ virtual bool getBeforeAndAfterNamesAbsolute(uint32_t id, const std::string& qname, bool previos, std::string& unhashed, std::string& before, std::string& after) | |
{ | |
std::cerr<<"Default beforeAndAfterAbsolute called!"<<std::endl; | |
abort(); | |
return false; | |
} | |
- bool getBeforeAndAfterNames(uint32_t id, const std::string& zonename, const std::string& qname, std::string& before, std::string& after); | |
+ bool getBeforeAndAfterNames(uint32_t id, const std::string& zonename, bool previous, const std::string& qname, std::string& before, std::string& after); | |
virtual bool updateDNSSECOrderAndAuth(uint32_t domain_id, const std::string& zonename, const std::string& qname, bool auth) | |
{ | |
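Review bot: The default implementation's new parameter is spelled `previos` in this hunk while every other declaration and definition in the patch uses `previous`; the compiler does not care, but it breaks grep and documentation generators. Change it to `bool previous`. Since this base-class version only prints and calls `abort()`, a one-line comment on the declaration stating the contract backends must honour would help implementers, e.g. `// previous: when true, return the neighbours of the ordername immediately preceding qname (NSEC3 wildcard proofs)`, phrased to match what the gsql backend actually implements.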
diff -ur pdns-3.1/pdns/misc.cc pdns-3.1.new/pdns/misc.cc | |
--- pdns-3.1/pdns/misc.cc 2012-05-04 12:13:23.000000000 +0200 | |
+++ pdns-3.1.new/pdns/misc.cc 2012-07-03 10:04:13.000000000 +0200 | |
@@ -531,6 +531,37 @@ | |
return ret; | |
} | |
+void incrementHash(std::string& raw) // I wonder if this is correct, cmouse? ;-) | |
+{ | |
+ if(raw.empty()) | |
+ return; | |
+ | |
+ for(string::size_type pos=raw.size(); pos; ) { | |
+ --pos; | |
+ unsigned char c = (unsigned char)raw[pos]; | |
+ ++c; | |
+ raw[pos] = (char) c; | |
+ if(c) | |
+ break; | |
+ } | |
+} | |
+ | |
+void decrementHash(std::string& raw) // I wonder if this is correct, cmouse? ;-) | |
+{ | |
+ if(raw.empty()) | |
+ return; | |
+ | |
+ for(string::size_type pos=raw.size(); pos; ) { | |
+ --pos; | |
+ unsigned char c = (unsigned char)raw[pos]; | |
+ --c; | |
+ raw[pos] = (char) c; | |
+ if(c != 0xff) | |
+ break; | |
+ } | |
+} | |
+ | |
+ | |
// shuffle, maintaining some semblance of order | |
void shuffle(vector<DNSResourceRecord>& rrs) | |
{ | |
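Review bot: Now that incrementHash/decrementHash are exported through misc.hh, the "I wonder if this is correct, cmouse? ;-)" remark is the only documentation callers get; replace it with a comment stating what the loops implement: the string is treated as a big-endian unsigned integer and incremented/decremented by one with carry/borrow propagating from the last byte, an empty string is left untouched, and an all-0xff input wraps to all-0x00 on increment (all-0x00 wraps to all-0xff on decrement). The wrap-around matters to the NSEC3 callers in packethandler.cc, which use the result as a range boundary; whether a wrapped value is acceptable there is not visible in this patch, so a note at the declaration pointing callers to that edge case would be useful.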
diff -ur pdns-3.1/pdns/misc.hh pdns-3.1.new/pdns/misc.hh | |
--- pdns-3.1/pdns/misc.hh 2012-05-04 12:13:23.000000000 +0200 | |
+++ pdns-3.1.new/pdns/misc.hh 2012-07-03 10:07:39.000000000 +0200 | |
@@ -286,7 +286,11 @@ | |
throw runtime_error(why+": "+strerror(errno)); | |
} | |
+ | |
+ | |
string makeHexDump(const string& str); | |
+void incrementHash(std::string& raw); | |
+void decrementHash(std::string& raw); | |
void shuffle(vector<DNSResourceRecord>& rrs); | |
void normalizeTV(struct timeval& tv); | |
diff -ur pdns-3.1/pdns/packethandler.cc pdns-3.1.new/pdns/packethandler.cc | |
--- pdns-3.1/pdns/packethandler.cc 2012-05-04 12:13:23.000000000 +0200 | |
+++ pdns-3.1.new/pdns/packethandler.cc 2012-07-03 11:55:52.000000000 +0200 | |
@@ -537,14 +537,14 @@ | |
mode 2 = ANY or direct NSEC request -> an NSEC that starts with 'target' | |
mode 3 = a covering NSEC in the authority section (like 1, except for first) | |
*/ | |
-void PacketHandler::addNSECX(DNSPacket *p, DNSPacket *r, const string& target, const string& auth, int mode) | |
+void PacketHandler::addNSECX(DNSPacket *p, DNSPacket *r, const string& target, const string& auth, const string& wildcard, int mode) | |
{ | |
NSEC3PARAMRecordContent ns3rc; | |
// cerr<<"Doing NSEC3PARAM lookup for '"<<auth<<"', "<<p->qdomain<<"|"<<p->qtype.getName()<<": "; | |
bool narrow; | |
if(d_dk.getNSEC3PARAM(auth, &ns3rc, &narrow)) { | |
// cerr<<"Present, narrow="<<narrow<<endl; | |
- addNSEC3(p, r, target, auth, ns3rc, narrow, mode); | |
+ addNSEC3(p, r, target, auth, wildcard, ns3rc, narrow, mode); | |
} | |
else { | |
// cerr<<"Not present"<<endl; | |
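Review bot: The mode comment block directly above addNSECX (its tail is inside this hunk) describes every `mode` value but says nothing about the new `wildcard` parameter, which is consulted only when `mode == 3` and is passed as `""` from every other call site in the patch; add a line such as `wildcard = in mode 3, the owner name of the wildcard record that was expanded; ignored for other modes`. It is also worth stating there that the NSEC (non-NSEC3) branch, addNSEC, is deliberately not given the wildcard. addNSECX's body continues past the hunk.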
@@ -552,38 +552,7 @@ | |
} | |
} | |
-static void incrementHash(std::string& raw) // I wonder if this is correct, cmouse? ;-) | |
-{ | |
- if(raw.empty()) | |
- return; | |
- | |
- for(string::size_type pos=raw.size(); pos; ) { | |
- --pos; | |
- unsigned char c = (unsigned char)raw[pos]; | |
- ++c; | |
- raw[pos] = (char) c; | |
- if(c) | |
- break; | |
- } | |
-} | |
- | |
-static void decrementHash(std::string& raw) // I wonder if this is correct, cmouse? ;-) | |
-{ | |
- if(raw.empty()) | |
- return; | |
- | |
- for(string::size_type pos=raw.size(); pos; ) { | |
- --pos; | |
- unsigned char c = (unsigned char)raw[pos]; | |
- --c; | |
- raw[pos] = (char) c; | |
- if(c != 0xff) | |
- break; | |
- } | |
-} | |
- | |
- | |
-bool getNSEC3Hashes(bool narrow, DNSBackend* db, int id, const std::string& hashed, bool decrement, string& unhashed, string& before, string& after) | |
+bool getNSEC3Hashes(bool narrow, DNSBackend* db, int id, const std::string& hashed, const bool decrement, string& unhashed, string& before, string& after) | |
{ | |
bool ret; | |
if(narrow) { // nsec3-narrow | |
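Review bot: `const bool decrement` on a by-value parameter of the getNSEC3Hashes definition has no effect for callers and differs from the convention used for every other flag in this patch (`bool previous`, `bool narrow`); dropping the `const` keeps the signature uniform, `bool getNSEC3Hashes(bool narrow, DNSBackend* db, int id, const std::string& hashed, bool decrement, string& unhashed, string& before, string& after)`. The function body continues past the hunk.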
@@ -595,7 +564,7 @@ | |
incrementHash(after); | |
} | |
else { | |
- ret=db->getBeforeAndAfterNamesAbsolute(id, toLower(toBase32Hex(hashed)), unhashed, before, after); | |
+ ret=db->getBeforeAndAfterNamesAbsolute(id, toLower(toBase32Hex(hashed)), decrement, unhashed, before, after); | |
before=fromBase32Hex(before); | |
after=fromBase32Hex(after); | |
} | |
@@ -603,9 +572,9 @@ | |
return ret; | |
} | |
-void PacketHandler::addNSEC3(DNSPacket *p, DNSPacket *r, const string& target, const string& auth, const NSEC3PARAMRecordContent& ns3rc, bool narrow, int mode) | |
+void PacketHandler::addNSEC3(DNSPacket *p, DNSPacket *r, const string& target, const string& auth, const string& wildcard, const NSEC3PARAMRecordContent& ns3rc, bool narrow, int mode) | |
{ | |
- string hashed; | |
+ string closest, next, hashed; | |
SOAData sd; | |
sd.db = (DNSBackend*)-1; | |
@@ -617,26 +586,49 @@ | |
string unhashed, before,after; | |
// now add the closest encloser | |
- unhashed=auth; | |
+ if (mode == 3) { | |
+ closest=wildcard; | |
+ chopOffDotted(closest); | |
+ unhashed=closest; | |
+ } | |
+ else { | |
+ unhashed=auth; | |
+ } | |
hashed=hashQNameWithSalt(ns3rc.d_iterations, ns3rc.d_salt, unhashed); | |
getNSEC3Hashes(narrow, sd.db, sd.domain_id, hashed, false, unhashed, before, after); | |
- DLOG(L<<"Done calling for closest encloser, before='"<<toBase32Hex(before)<<"', after='"<<toBase32Hex(after)<<"', unhashed: '"<<unhashed<<"'"<<endl); | |
+ DLOG(L<<"Done calling for closest encloser, before='"<<toBase32Hex(before)<<"', after='"<<toBase32Hex(after)<<"', hashed: '"<<toBase32Hex(hashed)<<"', unhashed: '"<<unhashed<<"'"<<endl); | |
emitNSEC3(ns3rc, sd, unhashed, before, after, target, r, mode); | |
- // now add the main nsec3 | |
- unhashed = p->qdomain; | |
+ // now add the main nsec3 or next closer name | |
+ if (mode == 3) { | |
+ next=p->qdomain; | |
+ do { | |
+ unhashed=next; | |
+ } | |
+ while( chopOff( next ) && !pdns_iequals(next, closest)); | |
+ } | |
+ else { | |
+ unhashed=p->qdomain; | |
+ } | |
+ | |
hashed=hashQNameWithSalt(ns3rc.d_iterations, ns3rc.d_salt, unhashed); | |
+ | |
getNSEC3Hashes(narrow, sd.db,sd.domain_id, hashed, true, unhashed, before, after); | |
- DLOG(L<<"Done calling for main, before='"<<toBase32Hex(before)<<"', after='"<<toBase32Hex(after)<<"', unhashed: '"<<unhashed<<"'"<<endl); | |
+ DLOG(L<<"Done calling for main, before='"<<toBase32Hex(before)<<"', after='"<<toBase32Hex(after)<<"', hashed: '"<<toBase32Hex(hashed)<<"', unhashed: '"<<unhashed<<"'"<<endl); | |
emitNSEC3( ns3rc, sd, unhashed, before, after, target, r, mode); | |
// now add the * | |
- unhashed=dotConcat("*", auth); | |
+ if (mode == 3) { | |
+ unhashed=wildcard; | |
+ } | |
+ else { | |
+ unhashed=dotConcat("*", auth); | |
+ } | |
hashed=hashQNameWithSalt(ns3rc.d_iterations, ns3rc.d_salt, unhashed); | |
getNSEC3Hashes(narrow, sd.db, sd.domain_id, hashed, true, unhashed, before, after); | |
- DLOG(L<<"Done calling for '*', before='"<<toBase32Hex(before)<<"', after='"<<toBase32Hex(after)<<"', unhashed: '"<<unhashed<<"'"<<endl); | |
+ DLOG(L<<"Done calling for '*', before='"<<toBase32Hex(before)<<"', after='"<<toBase32Hex(after)<<"', hashed: '"<<toBase32Hex(hashed)<<"', unhashed: '"<<unhashed<<"'"<<endl); | |
emitNSEC3( ns3rc, sd, unhashed, before, after, target, r, mode); | |
} | |
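Review bot: The next-closer loop in the new mode-3 branch, `do { unhashed=next; } while( chopOff( next ) && !pdns_iequals(next, closest));`, assumes `closest` (the wildcard with its leading label removed by `chopOffDotted`) is an ancestor of `p->qdomain`; if it is not — an empty `wildcard` reaching mode 3, or a single-label wildcard that leaves `closest` empty — the loop only stops when `chopOff` runs out of labels and `unhashed` ends as the last label chopped, so the response carries an NSEC3 for the wrong name and validating resolvers will reject the wildcard answer. After the loop, check `pdns_iequals(next, closest)` and fall back to the non-wildcard path (or at least DLOG the mismatch) when it does not hold. Whether chopOff returns false at the root label or at the empty string is not visible here, so the terminal value of `unhashed` should be confirmed. addNSEC3's body starts before this hunk.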
@@ -659,7 +651,7 @@ | |
string before,after; | |
//cerr<<"Calling getBeforeandAfter!"<<endl; | |
- sd.db->getBeforeAndAfterNames(sd.domain_id, auth, target, before, after); | |
+ sd.db->getBeforeAndAfterNames(sd.domain_id, auth, false, target, before, after); | |
// cerr<<"Done calling, before='"<<before<<"', after='"<<after<<"'"<<endl; | |
// this stuff is wrong (but it appears to work) | |
@@ -671,7 +663,7 @@ | |
emitNSEC(before, after, target, sd, r, mode); | |
// this one does wildcard denial, if applicable | |
- sd.db->getBeforeAndAfterNames(sd.domain_id, auth, auth, before, after); | |
+ sd.db->getBeforeAndAfterNames(sd.domain_id, auth, false, auth, before, after); | |
emitNSEC(before, after, auth, sd, r, mode); | |
} | |
@@ -894,7 +886,7 @@ | |
else { | |
// now get the NSEC too (since we must sign it!) | |
string before,after; | |
- sd.db->getBeforeAndAfterNames(sd.domain_id, sd.qname, p->qdomain, before, after); | |
+ sd.db->getBeforeAndAfterNames(sd.domain_id, sd.qname, false, p->qdomain, before, after); | |
nrc.d_next=after; | |
@@ -939,7 +931,7 @@ | |
r->addRecord(rr); | |
if(p->d_dnssecOk && d_dk.isSecuredZone(sd.qname)) | |
- addNSECX(p, r, target, sd.qname, 1); | |
+ addNSECX(p, r, target, sd.qname, "", 1); | |
r->setRcode(RCode::NXDomain); | |
S.ringAccount("nxdomain-queries",p->qdomain+"/"+p->qtype.getName()); | |
@@ -958,7 +950,7 @@ | |
r->addRecord(rr); | |
if(p->d_dnssecOk && d_dk.isSecuredZone(sd.qname)) | |
- addNSECX(p, r, target, sd.qname, 0); | |
+ addNSECX(p, r, target, sd.qname, "", 0); | |
S.ringAccount("noerror-queries",p->qdomain+"/"+p->qtype.getName()); | |
} | |
@@ -994,7 +986,7 @@ | |
r->setA(false); | |
if(p->d_dnssecOk && d_dk.isSecuredZone(sd.qname) && !addDSforNS(p, r, sd, rrset.begin()->qname)) | |
- addNSECX(p, r, rrset.begin()->qname, sd.qname, 0); | |
+ addNSECX(p, r, rrset.begin()->qname, sd.qname, "", 0); | |
return true; | |
} | |
@@ -1008,7 +1000,7 @@ | |
if(!d_dk.isSecuredZone(sd.qname)) | |
return; | |
- addNSECX(p, r, target, sd.qname, 2); | |
+ addNSECX(p, r, target, sd.qname, "", 2); | |
if(pdns_iequals(sd.qname, p->qdomain)) { | |
DNSSECKeeper::keyset_t zskset = d_dk.getKeys(p->qdomain); | |
DNSResourceRecord rr; | |
@@ -1052,7 +1044,7 @@ | |
} | |
} | |
if(p->d_dnssecOk && d_dk.isSecuredZone(sd.qname)) { | |
- addNSECX(p, r, p->qdomain, sd.qname, 3); | |
+ addNSECX(p, r, p->qdomain, sd.qname, rrset.begin()->qname, 3); | |
} | |
return true; | |
} | |
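Review bot: The mode-3 call passes `rrset.begin()->qname` as the wildcard without a visible emptiness check on `rrset` in this hunk; if the enclosing code (outside the hunk) guarantees a non-empty record set whenever `p->d_dnssecOk` holds here, a one-line comment saying so will stop the next reader from adding a redundant guard, otherwise `assert(!rrset.empty())` before the call is cheap. It would also help to state that `rrset.begin()->qname` is expected to be the wildcard owner name (with its leading '*') rather than the expanded query name, since addNSEC3 chops its first label to derive the closest encloser.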
diff -ur pdns-3.1/pdns/packethandler.hh pdns-3.1.new/pdns/packethandler.hh | |
--- pdns-3.1/pdns/packethandler.hh 2012-05-04 12:13:23.000000000 +0200 | |
+++ pdns-3.1.new/pdns/packethandler.hh 2012-06-30 22:47:20.000000000 +0200 | |
@@ -98,9 +98,9 @@ | |
bool getTLDAuth(DNSPacket *p, SOAData *sd, const string &target, int *zoneId); | |
int doAdditionalProcessingAndDropAA(DNSPacket *p, DNSPacket *r, const SOAData& sd); | |
bool doDNSSECProcessing(DNSPacket* p, DNSPacket *r); | |
- void addNSECX(DNSPacket *p, DNSPacket* r, const string &target, const std::string& auth, int mode); | |
+ void addNSECX(DNSPacket *p, DNSPacket* r, const string &target, const std::string& auth, const std::string& wildcard, int mode); | |
void addNSEC(DNSPacket *p, DNSPacket* r, const string &target, const std::string& auth, int mode); | |
- void addNSEC3(DNSPacket *p, DNSPacket* r, const string &target, const std::string& auth, const NSEC3PARAMRecordContent& nsec3param, bool narrow, int mode); | |
+ void addNSEC3(DNSPacket *p, DNSPacket* r, const string &target, const std::string& auth, const std::string& wildcard, const NSEC3PARAMRecordContent& nsec3param, bool narrow, int mode); | |
void emitNSEC(const std::string& before, const std::string& after, const std::string& toNSEC, const SOAData& sd, DNSPacket *r, int mode); | |
void emitNSEC3(const NSEC3PARAMRecordContent &ns3rc, const SOAData& sd, const std::string& unhashed, const std::string& begin, const std::string& end, const std::string& toNSEC3, DNSPacket *r, int mode); | |