@Habbie
Created April 26, 2013 11:42
diff -ur pdns-3.1/pdns/backends/bind/bindbackend2.cc pdns-3.1.new/pdns/backends/bind/bindbackend2.cc
--- pdns-3.1/pdns/backends/bind/bindbackend2.cc 2012-05-04 12:13:23.000000000 +0200
+++ pdns-3.1.new/pdns/backends/bind/bindbackend2.cc 2012-07-03 10:43:25.000000000 +0200
@@ -890,7 +890,7 @@
return true;
}
-bool Bind2Backend::getBeforeAndAfterNamesAbsolute(uint32_t id, const std::string& qname, std::string& unhashed, std::string& before, std::string& after)
+bool Bind2Backend::getBeforeAndAfterNamesAbsolute(uint32_t id, const std::string& qname, bool previous, std::string& unhashed, std::string& before, std::string& after)
{
shared_ptr<State> state = s_state;
BB2DomainInfo& bbd = state->id_zone_map[id];
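Review bot: The new `previous` parameter is accepted here but nothing in the visible part of the hunk reads it, and the function body continues past the hunk, so I cannot tell whether the bind backend honours it at all. The gsql implementation in this same patch decodes the base32 name, decrements it and re-encodes it before its "before" lookup whenever `previous` is set; if this backend does not do the equivalent, the two backends now return a different NSEC3 for the same query. Either mirror that step here (`fromBase32Hex` / `decrementHash` / `toBase32Hex` on the lookup key) or add a comment on the signature stating why the bind backend's lookup already yields a strictly-preceding name.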
diff -ur pdns-3.1/pdns/backends/bind/bindbackend2.hh pdns-3.1.new/pdns/backends/bind/bindbackend2.hh
--- pdns-3.1/pdns/backends/bind/bindbackend2.hh 2012-05-04 12:13:23.000000000 +0200
+++ pdns-3.1.new/pdns/backends/bind/bindbackend2.hh 2012-07-03 10:28:47.000000000 +0200
@@ -132,7 +132,7 @@
bool getDomainInfo(const string &domain, DomainInfo &di);
time_t getCtime(const string &fname);
// DNSSEC
- virtual bool getBeforeAndAfterNamesAbsolute(uint32_t id, const std::string& qname, std::string& unhashed, std::string& before, std::string& after);
+ virtual bool getBeforeAndAfterNamesAbsolute(uint32_t id, const std::string& qname, bool previous, std::string& unhashed, std::string& before, std::string& after);
void lookup(const QType &, const string &qdomain, DNSPacket *p=0, int zoneId=-1);
bool list(const string &target, int id);
bool get(DNSResourceRecord &);
diff -ur pdns-3.1/pdns/backends/gsql/gsqlbackend.cc pdns-3.1.new/pdns/backends/gsql/gsqlbackend.cc
--- pdns-3.1/pdns/backends/gsql/gsqlbackend.cc 2012-05-04 12:13:23.000000000 +0200
+++ pdns-3.1.new/pdns/backends/gsql/gsqlbackend.cc 2012-07-03 12:05:06.000000000 +0200
@@ -34,6 +34,7 @@
#include "pdns/ahuexception.hh"
#include "pdns/logger.hh"
#include "pdns/arguments.hh"
+#include "pdns/base32.hh"
#include <boost/algorithm/string.hpp>
#include <sstream>
#include <boost/foreach.hpp>
@@ -337,7 +338,7 @@
return true;
}
-bool GSQLBackend::getBeforeAndAfterNamesAbsolute(uint32_t id, const std::string& qname, std::string& unhashed, std::string& before, std::string& after)
+bool GSQLBackend::getBeforeAndAfterNamesAbsolute(uint32_t id, const std::string& qname, bool previous, std::string& unhashed, std::string& before, std::string& after)
{
if(!d_dnssecQueries)
return false;
@@ -365,6 +366,11 @@
}
}
+ if (previous) {
+ fromBase32Hex(lcqname);
+ decrementHash(lcqname);
+ toBase32Hex(lcqname);
+ }
snprintf(output, sizeof(output)-1, d_beforeOrderQuery.c_str(), sqlEscape(lcqname).c_str(), id);
d_db->doQuery(output);
while(d_db->getRow(row)) {
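Review bot: The three added calls inside `if (previous)` discard their results, so `lcqname` is never actually decoded or re-encoded — elsewhere in this patch the same helpers are used in value-returning form (`before=fromBase32Hex(before)`, `toLower(toBase32Hex(hashed))`), which strongly suggests that is their contract. As written, `decrementHash` runs on the base32hex text, so a trailing `'0'` becomes `'/'` and, because an ASCII byte never reaches 0xff, no borrow ever propagates to the previous character. The block should read `lcqname = fromBase32Hex(lcqname);` / `decrementHash(lcqname);` / `lcqname = toLower(toBase32Hex(lcqname));`, the `toLower` matching what the caller does to the encoded hash before passing it in (presumably the stored ordernames are lower-case — verify against the schema). Note also that the decoded value is a raw binary hash while the variable is still named `lcqname`; a short comment saying the string is temporarily binary would help the next reader.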
diff -ur pdns-3.1/pdns/backends/gsql/gsqlbackend.hh pdns-3.1.new/pdns/backends/gsql/gsqlbackend.hh
--- pdns-3.1/pdns/backends/gsql/gsqlbackend.hh 2012-05-04 12:13:23.000000000 +0200
+++ pdns-3.1.new/pdns/backends/gsql/gsqlbackend.hh 2012-07-03 09:31:15.000000000 +0200
@@ -40,7 +40,7 @@
void getUpdatedMasters(vector<DomainInfo> *updatedDomains);
bool getDomainInfo(const string &domain, DomainInfo &di);
void setNotified(uint32_t domain_id, uint32_t serial);
- virtual bool getBeforeAndAfterNamesAbsolute(uint32_t id, const std::string& qname, std::string& unhashed, std::string& before, std::string& after);
+ virtual bool getBeforeAndAfterNamesAbsolute(uint32_t id, const std::string& qname, bool previous, std::string& unhashed, std::string& before, std::string& after);
bool updateDNSSECOrderAndAuth(uint32_t domain_id, const std::string& zonename, const std::string& qname, bool auth);
virtual bool updateDNSSECOrderAndAuthAbsolute(uint32_t domain_id, const std::string& qname, const std::string& ordername, bool auth);
virtual bool nullifyDNSSECOrderNameAndAuth(uint32_t domain_id, const std::string& qname, const std::string& type);
diff -ur pdns-3.1/pdns/dnsbackend.cc pdns-3.1.new/pdns/dnsbackend.cc
--- pdns-3.1/pdns/dnsbackend.cc 2012-05-04 12:13:23.000000000 +0200
+++ pdns-3.1.new/pdns/dnsbackend.cc 2012-07-03 10:52:31.000000000 +0200
@@ -249,14 +249,14 @@
return true;
}
-bool DNSBackend::getBeforeAndAfterNames(uint32_t id, const std::string& zonename, const std::string& qname, std::string& before, std::string& after)
+bool DNSBackend::getBeforeAndAfterNames(uint32_t id, const std::string& zonename, bool previous, const std::string& qname, std::string& before, std::string& after)
{
string lcqname=toLower(qname);
lcqname=makeRelative(qname, zonename);
lcqname=labelReverse(lcqname);
string dnc;
- bool ret = this->getBeforeAndAfterNamesAbsolute(id, lcqname, dnc, before, after);
+ bool ret = this->getBeforeAndAfterNamesAbsolute(id, lcqname, previous, dnc, before, after);
before=dotConcat(labelReverse(before), zonename);
after=dotConcat(labelReverse(after), zonename);
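Review bot: `previous` is inserted before `qname` in `getBeforeAndAfterNames` but after `qname` in `getBeforeAndAfterNamesAbsolute`, so the two sibling signatures now disagree on parameter order for the same flag; I would use `(uint32_t id, const std::string& zonename, const std::string& qname, bool previous, std::string& before, std::string& after)` here and in the header and callers so the bool sits in the same position in both. While touching this function: the context lines show `lcqname=toLower(qname);` immediately overwritten by `lcqname=makeRelative(qname, zonename);`, so the case-folding is lost unless `makeRelative` folds case itself; if it does not, the second line should be `lcqname=makeRelative(lcqname, zonename);`. The function's tail lies outside the hunk.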
diff -ur pdns-3.1/pdns/dnsbackend.hh pdns-3.1.new/pdns/dnsbackend.hh
--- pdns-3.1/pdns/dnsbackend.hh 2012-05-04 12:13:23.000000000 +0200
+++ pdns-3.1.new/pdns/dnsbackend.hh 2012-07-03 10:52:19.000000000 +0200
@@ -117,14 +117,14 @@
virtual bool getTSIGKey(const string& name, string* algorithm, string* content) { return false; }
- virtual bool getBeforeAndAfterNamesAbsolute(uint32_t id, const std::string& qname, std::string& unhashed, std::string& before, std::string& after)
+ virtual bool getBeforeAndAfterNamesAbsolute(uint32_t id, const std::string& qname, bool previos, std::string& unhashed, std::string& before, std::string& after)
{
std::cerr<<"Default beforeAndAfterAbsolute called!"<<std::endl;
abort();
return false;
}
- bool getBeforeAndAfterNames(uint32_t id, const std::string& zonename, const std::string& qname, std::string& before, std::string& after);
+ bool getBeforeAndAfterNames(uint32_t id, const std::string& zonename, bool previous, const std::string& qname, std::string& before, std::string& after);
virtual bool updateDNSSECOrderAndAuth(uint32_t domain_id, const std::string& zonename, const std::string& qname, bool auth)
{
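Review bot: The parameter name in the base-class declaration is misspelled as `previos`, while every override and the non-virtual wrapper spell it `previous`; fix it to `bool previous` so the declaration matches the overrides and any documentation generated from the header. The default implementation still calls `abort()` for any backend that does not override it, which is pre-existing but worth a one-line comment such as `// every DNSSEC-capable backend must override this` next to the `std::cerr` line.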
diff -ur pdns-3.1/pdns/misc.cc pdns-3.1.new/pdns/misc.cc
--- pdns-3.1/pdns/misc.cc 2012-05-04 12:13:23.000000000 +0200
+++ pdns-3.1.new/pdns/misc.cc 2012-07-03 10:04:13.000000000 +0200
@@ -531,6 +531,37 @@
return ret;
}
+void incrementHash(std::string& raw) // I wonder if this is correct, cmouse? ;-)
+{
+ if(raw.empty())
+ return;
+
+ for(string::size_type pos=raw.size(); pos; ) {
+ --pos;
+ unsigned char c = (unsigned char)raw[pos];
+ ++c;
+ raw[pos] = (char) c;
+ if(c)
+ break;
+ }
+}
+
+void decrementHash(std::string& raw) // I wonder if this is correct, cmouse? ;-)
+{
+ if(raw.empty())
+ return;
+
+ for(string::size_type pos=raw.size(); pos; ) {
+ --pos;
+ unsigned char c = (unsigned char)raw[pos];
+ --c;
+ raw[pos] = (char) c;
+ if(c != 0xff)
+ break;
+ }
+}
+
+
// shuffle, maintaining some semblance of order
void shuffle(vector<DNSResourceRecord>& rrs)
{
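Review bot: `incrementHash` and `decrementHash` are now exported through misc.hh but the only documentation carried over from packethandler.cc is the joke "I wonder if this is correct, cmouse? ;-)", which tells a caller nothing. The loops treat the string as a big-endian unsigned integer: `++c` with `if(c) break;` carries into the preceding byte, `--c` with `if(c != 0xff) break;` borrows, an all-0xff string wraps to all-zero on increment (and all-zero to all-0xff on decrement), and an empty string is left untouched. I would replace each joke comment with that contract, e.g. `// Treat raw as a big-endian unsigned integer and add one, carrying into the preceding byte; wraps from all-0xff to all-zero; empty input is a no-op.` and its mirror for the decrement, and mention that callers use them to step an NSEC3 hash to the neighbouring value.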
diff -ur pdns-3.1/pdns/misc.hh pdns-3.1.new/pdns/misc.hh
--- pdns-3.1/pdns/misc.hh 2012-05-04 12:13:23.000000000 +0200
+++ pdns-3.1.new/pdns/misc.hh 2012-07-03 10:07:39.000000000 +0200
@@ -286,7 +286,11 @@
throw runtime_error(why+": "+strerror(errno));
}
+
+
string makeHexDump(const string& str);
+void incrementHash(std::string& raw);
+void decrementHash(std::string& raw);
void shuffle(vector<DNSResourceRecord>& rrs);
void normalizeTV(struct timeval& tv);
diff -ur pdns-3.1/pdns/packethandler.cc pdns-3.1.new/pdns/packethandler.cc
--- pdns-3.1/pdns/packethandler.cc 2012-05-04 12:13:23.000000000 +0200
+++ pdns-3.1.new/pdns/packethandler.cc 2012-07-03 11:55:52.000000000 +0200
@@ -537,14 +537,14 @@
mode 2 = ANY or direct NSEC request -> an NSEC that starts with 'target'
mode 3 = a covering NSEC in the authority section (like 1, except for first)
*/
-void PacketHandler::addNSECX(DNSPacket *p, DNSPacket *r, const string& target, const string& auth, int mode)
+void PacketHandler::addNSECX(DNSPacket *p, DNSPacket *r, const string& target, const string& auth, const string& wildcard, int mode)
{
NSEC3PARAMRecordContent ns3rc;
// cerr<<"Doing NSEC3PARAM lookup for '"<<auth<<"', "<<p->qdomain<<"|"<<p->qtype.getName()<<": ";
bool narrow;
if(d_dk.getNSEC3PARAM(auth, &ns3rc, &narrow)) {
// cerr<<"Present, narrow="<<narrow<<endl;
- addNSEC3(p, r, target, auth, ns3rc, narrow, mode);
+ addNSEC3(p, r, target, auth, wildcard, ns3rc, narrow, mode);
}
else {
// cerr<<"Not present"<<endl;
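Review bot: The comment block above the signature lists what each `mode` value means but says nothing about the new `wildcard` argument, which the NSEC3 path only reads when `mode == 3` and every other caller passes as `""`. Add a line to that block such as `wildcard = owner name of the wildcard RRset that answered the query; only used for mode 3, pass "" otherwise` so the empty-string convention is explicit rather than implied by the call sites. The NSEC branch of this function ignores `wildcard` entirely, which is also worth stating there.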
@@ -552,38 +552,7 @@
}
}
-static void incrementHash(std::string& raw) // I wonder if this is correct, cmouse? ;-)
-{
- if(raw.empty())
- return;
-
- for(string::size_type pos=raw.size(); pos; ) {
- --pos;
- unsigned char c = (unsigned char)raw[pos];
- ++c;
- raw[pos] = (char) c;
- if(c)
- break;
- }
-}
-
-static void decrementHash(std::string& raw) // I wonder if this is correct, cmouse? ;-)
-{
- if(raw.empty())
- return;
-
- for(string::size_type pos=raw.size(); pos; ) {
- --pos;
- unsigned char c = (unsigned char)raw[pos];
- --c;
- raw[pos] = (char) c;
- if(c != 0xff)
- break;
- }
-}
-
-
-bool getNSEC3Hashes(bool narrow, DNSBackend* db, int id, const std::string& hashed, bool decrement, string& unhashed, string& before, string& after)
+bool getNSEC3Hashes(bool narrow, DNSBackend* db, int id, const std::string& hashed, const bool decrement, string& unhashed, string& before, string& after)
{
bool ret;
if(narrow) { // nsec3-narrow
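Review bot: `const bool decrement` adds a top-level const to a by-value parameter, which is not part of the function's type and is inconsistent with the neighbouring `bool narrow`; drop it and keep `bool decrement`. Since `decrement` is now passed through to the backend as well as used locally, a one-line comment on the signature explaining the flag — roughly "true when the caller wants the NSEC3 that covers the hash rather than the one that starts at it", as far as the narrow branch's `incrementHash(after)` suggests — would save the next reader a trip through both backends. The rest of the body is in the following hunk.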
@@ -595,7 +564,7 @@
incrementHash(after);
}
else {
- ret=db->getBeforeAndAfterNamesAbsolute(id, toLower(toBase32Hex(hashed)), unhashed, before, after);
+ ret=db->getBeforeAndAfterNamesAbsolute(id, toLower(toBase32Hex(hashed)), decrement, unhashed, before, after);
before=fromBase32Hex(before);
after=fromBase32Hex(after);
}
@@ -603,9 +572,9 @@
return ret;
}
-void PacketHandler::addNSEC3(DNSPacket *p, DNSPacket *r, const string& target, const string& auth, const NSEC3PARAMRecordContent& ns3rc, bool narrow, int mode)
+void PacketHandler::addNSEC3(DNSPacket *p, DNSPacket *r, const string& target, const string& auth, const string& wildcard, const NSEC3PARAMRecordContent& ns3rc, bool narrow, int mode)
{
- string hashed;
+ string closest, next, hashed;
SOAData sd;
sd.db = (DNSBackend*)-1;
@@ -617,26 +586,49 @@
string unhashed, before,after;
// now add the closest encloser
- unhashed=auth;
+ if (mode == 3) {
+ closest=wildcard;
+ chopOffDotted(closest);
+ unhashed=closest;
+ }
+ else {
+ unhashed=auth;
+ }
hashed=hashQNameWithSalt(ns3rc.d_iterations, ns3rc.d_salt, unhashed);
getNSEC3Hashes(narrow, sd.db, sd.domain_id, hashed, false, unhashed, before, after);
- DLOG(L<<"Done calling for closest encloser, before='"<<toBase32Hex(before)<<"', after='"<<toBase32Hex(after)<<"', unhashed: '"<<unhashed<<"'"<<endl);
+ DLOG(L<<"Done calling for closest encloser, before='"<<toBase32Hex(before)<<"', after='"<<toBase32Hex(after)<<"', hashed: '"<<toBase32Hex(hashed)<<"', unhashed: '"<<unhashed<<"'"<<endl);
emitNSEC3(ns3rc, sd, unhashed, before, after, target, r, mode);
- // now add the main nsec3
- unhashed = p->qdomain;
+ // now add the main nsec3 or next closer name
+ if (mode == 3) {
+ next=p->qdomain;
+ do {
+ unhashed=next;
+ }
+ while( chopOff( next ) && !pdns_iequals(next, closest));
+ }
+ else {
+ unhashed=p->qdomain;
+ }
+
hashed=hashQNameWithSalt(ns3rc.d_iterations, ns3rc.d_salt, unhashed);
+
getNSEC3Hashes(narrow, sd.db,sd.domain_id, hashed, true, unhashed, before, after);
- DLOG(L<<"Done calling for main, before='"<<toBase32Hex(before)<<"', after='"<<toBase32Hex(after)<<"', unhashed: '"<<unhashed<<"'"<<endl);
+ DLOG(L<<"Done calling for main, before='"<<toBase32Hex(before)<<"', after='"<<toBase32Hex(after)<<"', hashed: '"<<toBase32Hex(hashed)<<"', unhashed: '"<<unhashed<<"'"<<endl);
emitNSEC3( ns3rc, sd, unhashed, before, after, target, r, mode);
// now add the *
- unhashed=dotConcat("*", auth);
+ if (mode == 3) {
+ unhashed=wildcard;
+ }
+ else {
+ unhashed=dotConcat("*", auth);
+ }
hashed=hashQNameWithSalt(ns3rc.d_iterations, ns3rc.d_salt, unhashed);
getNSEC3Hashes(narrow, sd.db, sd.domain_id, hashed, true, unhashed, before, after);
- DLOG(L<<"Done calling for '*', before='"<<toBase32Hex(before)<<"', after='"<<toBase32Hex(after)<<"', unhashed: '"<<unhashed<<"'"<<endl);
+ DLOG(L<<"Done calling for '*', before='"<<toBase32Hex(before)<<"', after='"<<toBase32Hex(after)<<"', hashed: '"<<toBase32Hex(hashed)<<"', unhashed: '"<<unhashed<<"'"<<endl);
emitNSEC3( ns3rc, sd, unhashed, before, after, target, r, mode);
}
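Review bot: In mode 3 the third `getNSEC3Hashes` call (the `// now add the *` block) asks for the wildcard name with `decrement=true`, the same "covering" lookup the NXDOMAIN path uses to deny `*.auth`, but in this mode the wildcard exists — it is the RRset that answered the query — so in narrow mode, where the function synthesizes an interval around the hash (`incrementHash(after)` is visible in the earlier hunk; the before side is outside this view), the response would carry an NSEC3 that denies the very wildcard it just expanded. RFC 5155 §7.2.6 requires only the NSEC3 covering the next closer name for a wildcard answer, so I would skip the `*` record when `mode == 3`, or at least request it with `decrement=false`, unless `emitNSEC3` already suppresses it per mode — verify. Separately, the `do { unhashed=next; } while( chopOff( next ) && !pdns_iequals(next, closest));` loop assumes `closest` (derived from `wildcard` via `chopOffDotted`) is an ancestor of `p->qdomain`; if it is not, the loop only stops when `chopOff` runs out of labels and `unhashed` is whatever name was left, so a check that `closest` is a suffix of `p->qdomain` before the loop would turn a silent wrong proof into a visible failure.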
@@ -659,7 +651,7 @@
string before,after;
//cerr<<"Calling getBeforeandAfter!"<<endl;
- sd.db->getBeforeAndAfterNames(sd.domain_id, auth, target, before, after);
+ sd.db->getBeforeAndAfterNames(sd.domain_id, auth, false, target, before, after);
// cerr<<"Done calling, before='"<<before<<"', after='"<<after<<"'"<<endl;
// this stuff is wrong (but it appears to work)
@@ -671,7 +663,7 @@
emitNSEC(before, after, target, sd, r, mode);
// this one does wildcard denial, if applicable
- sd.db->getBeforeAndAfterNames(sd.domain_id, auth, auth, before, after);
+ sd.db->getBeforeAndAfterNames(sd.domain_id, auth, false, auth, before, after);
emitNSEC(before, after, auth, sd, r, mode);
}
@@ -894,7 +886,7 @@
else {
// now get the NSEC too (since we must sign it!)
string before,after;
- sd.db->getBeforeAndAfterNames(sd.domain_id, sd.qname, p->qdomain, before, after);
+ sd.db->getBeforeAndAfterNames(sd.domain_id, sd.qname, false, p->qdomain, before, after);
nrc.d_next=after;
@@ -939,7 +931,7 @@
r->addRecord(rr);
if(p->d_dnssecOk && d_dk.isSecuredZone(sd.qname))
- addNSECX(p, r, target, sd.qname, 1);
+ addNSECX(p, r, target, sd.qname, "", 1);
r->setRcode(RCode::NXDomain);
S.ringAccount("nxdomain-queries",p->qdomain+"/"+p->qtype.getName());
@@ -958,7 +950,7 @@
r->addRecord(rr);
if(p->d_dnssecOk && d_dk.isSecuredZone(sd.qname))
- addNSECX(p, r, target, sd.qname, 0);
+ addNSECX(p, r, target, sd.qname, "", 0);
S.ringAccount("noerror-queries",p->qdomain+"/"+p->qtype.getName());
}
@@ -994,7 +986,7 @@
r->setA(false);
if(p->d_dnssecOk && d_dk.isSecuredZone(sd.qname) && !addDSforNS(p, r, sd, rrset.begin()->qname))
- addNSECX(p, r, rrset.begin()->qname, sd.qname, 0);
+ addNSECX(p, r, rrset.begin()->qname, sd.qname, "", 0);
return true;
}
@@ -1008,7 +1000,7 @@
if(!d_dk.isSecuredZone(sd.qname))
return;
- addNSECX(p, r, target, sd.qname, 2);
+ addNSECX(p, r, target, sd.qname, "", 2);
if(pdns_iequals(sd.qname, p->qdomain)) {
DNSSECKeeper::keyset_t zskset = d_dk.getKeys(p->qdomain);
DNSResourceRecord rr;
@@ -1052,7 +1044,7 @@
}
}
if(p->d_dnssecOk && d_dk.isSecuredZone(sd.qname)) {
- addNSECX(p, r, p->qdomain, sd.qname, 3);
+ addNSECX(p, r, p->qdomain, sd.qname, rrset.begin()->qname, 3);
}
return true;
}
diff -ur pdns-3.1/pdns/packethandler.hh pdns-3.1.new/pdns/packethandler.hh
--- pdns-3.1/pdns/packethandler.hh 2012-05-04 12:13:23.000000000 +0200
+++ pdns-3.1.new/pdns/packethandler.hh 2012-06-30 22:47:20.000000000 +0200
@@ -98,9 +98,9 @@
bool getTLDAuth(DNSPacket *p, SOAData *sd, const string &target, int *zoneId);
int doAdditionalProcessingAndDropAA(DNSPacket *p, DNSPacket *r, const SOAData& sd);
bool doDNSSECProcessing(DNSPacket* p, DNSPacket *r);
- void addNSECX(DNSPacket *p, DNSPacket* r, const string &target, const std::string& auth, int mode);
+ void addNSECX(DNSPacket *p, DNSPacket* r, const string &target, const std::string& auth, const std::string& wildcard, int mode);
void addNSEC(DNSPacket *p, DNSPacket* r, const string &target, const std::string& auth, int mode);
- void addNSEC3(DNSPacket *p, DNSPacket* r, const string &target, const std::string& auth, const NSEC3PARAMRecordContent& nsec3param, bool narrow, int mode);
+ void addNSEC3(DNSPacket *p, DNSPacket* r, const string &target, const std::string& auth, const std::string& wildcard, const NSEC3PARAMRecordContent& nsec3param, bool narrow, int mode);
void emitNSEC(const std::string& before, const std::string& after, const std::string& toNSEC, const SOAData& sd, DNSPacket *r, int mode);
void emitNSEC3(const NSEC3PARAMRecordContent &ns3rc, const SOAData& sd, const std::string& unhashed, const std::string& begin, const std::string& end, const std::string& toNSEC3, DNSPacket *r, int mode);