
Source code changes of the file "pdns/dbdnsseckeeper.cc" between
pdns-auth-4.1.13.tar.gz and pdns-auth-4.2.0.tar.gz

About: PowerDNS Authoritative Nameserver is a versatile nameserver which supports a large number of backends (that can either be plain zone files or be more dynamic in nature).

dbdnsseckeeper.cc  (pdns-auth-4.1.13):dbdnsseckeeper.cc  (pdns-auth-4.2.0)
skipping to change at line 86 skipping to change at line 86
getFromMeta(name, "PRESIGNED", meta); getFromMeta(name, "PRESIGNED", meta);
return meta=="1"; return meta=="1";
} }
bool DNSSECKeeper::addKey(const DNSName& name, bool setSEPBit, int algorithm, in t64_t& id, int bits, bool active) bool DNSSECKeeper::addKey(const DNSName& name, bool setSEPBit, int algorithm, in t64_t& id, int bits, bool active)
{ {
if(!bits) { if(!bits) {
if(algorithm <= 10) if(algorithm <= 10)
throw runtime_error("Creating an algorithm " +std::to_string(algorithm)+" ("+algorithm2name(algorithm)+") key requires the size (in bits) to be passed."); throw runtime_error("Creating an algorithm " +std::to_string(algorithm)+" ("+algorithm2name(algorithm)+") key requires the size (in bits) to be passed.");
else { else {
if(algorithm == 12 || algorithm == 13 || algorithm == 15) // GOST, ECDSAP2 56SHA256, ED25519 if(algorithm == DNSSECKeeper::ECCGOST || algorithm == DNSSECKeeper::ECDSA2 56 || algorithm == DNSSECKeeper::ED25519)
bits = 256; bits = 256;
else if(algorithm == 14) // ECDSAP384SHA384 else if(algorithm == DNSSECKeeper::ECDSA384)
bits = 384; bits = 384;
else if(algorithm == 16) // ED448 else if(algorithm == DNSSECKeeper::ED448)
bits = 456; bits = 456;
else { else {
throw runtime_error("Can not guess key size for algorithm "+std::to_stri ng(algorithm)); throw runtime_error("Can not guess key size for algorithm "+std::to_stri ng(algorithm));
} }
} }
} }
DNSSECPrivateKey dspk; DNSSECPrivateKey dspk;
shared_ptr<DNSCryptoKeyEngine> dpk(DNSCryptoKeyEngine::make(algorithm)); shared_ptr<DNSCryptoKeyEngine> dpk(DNSCryptoKeyEngine::make(algorithm));
try{ try{
dpk->create(bits); dpk->create(bits);
skipping to change at line 162 skipping to change at line 162
for(const DNSBackend::KeyData& kd : keys) { for(const DNSBackend::KeyData& kd : keys) {
if(kd.id != id) if(kd.id != id)
continue; continue;
DNSSECPrivateKey dpk; DNSSECPrivateKey dpk;
DNSKEYRecordContent dkrc; DNSKEYRecordContent dkrc;
dpk.setKey(shared_ptr<DNSCryptoKeyEngine>(DNSCryptoKeyEngine::makeFromISCStr ing(dkrc, kd.content))); dpk.setKey(shared_ptr<DNSCryptoKeyEngine>(DNSCryptoKeyEngine::makeFromISCStr ing(dkrc, kd.content)));
dpk.d_flags = kd.flags; dpk.d_flags = kd.flags;
dpk.d_algorithm = dkrc.d_algorithm; dpk.d_algorithm = dkrc.d_algorithm;
if(dpk.d_algorithm == 5 && getNSEC3PARAM(zname)) { if(dpk.d_algorithm == DNSSECKeeper::RSASHA1 && getNSEC3PARAM(zname)) {
dpk.d_algorithm += 2; dpk.d_algorithm = DNSSECKeeper::RSASHA1NSEC3SHA1;
} }
return dpk; return dpk;
} }
throw runtime_error("Can't find a key with id "+std::to_string(id)+" for zone '"+zname.toString()+"'"); throw runtime_error("Can't find a key with id "+std::to_string(id)+" for zone '"+zname.toLogString()+"'");
} }
bool DNSSECKeeper::removeKey(const DNSName& zname, unsigned int id) bool DNSSECKeeper::removeKey(const DNSName& zname, unsigned int id)
{ {
clearCaches(zname); clearCaches(zname);
return d_keymetadb->removeDomainKey(zname, id); return d_keymetadb->removeDomainKey(zname, id);
} }
bool DNSSECKeeper::deactivateKey(const DNSName& zname, unsigned int id) bool DNSSECKeeper::deactivateKey(const DNSName& zname, unsigned int id)
{ {
skipping to change at line 221 skipping to change at line 221
value=*meta.begin(); value=*meta.begin();
if (ttl > 0) { if (ttl > 0) {
METACacheEntry nce; METACacheEntry nce;
nce.d_domain=zname; nce.d_domain=zname;
nce.d_ttd = now + ttl; nce.d_ttd = now + ttl;
nce.d_key= key; nce.d_key= key;
nce.d_value = value; nce.d_value = value;
{ {
WriteLock l(&s_metacachelock); WriteLock l(&s_metacachelock);
replacing_insert(s_metacache, nce); lruReplacingInsert(s_metacache, nce);
} }
} }
} }
void DNSSECKeeper::getSoaEdit(const DNSName& zname, std::string& value) void DNSSECKeeper::getSoaEdit(const DNSName& zname, std::string& value)
{ {
static const string soaEdit(::arg()["default-soa-edit"]); static const string soaEdit(::arg()["default-soa-edit"]);
static const string soaEditSigned(::arg()["default-soa-edit-signed"]); static const string soaEditSigned(::arg()["default-soa-edit-signed"]);
if (isPresigned(zname)) { if (isPresigned(zname)) {
skipping to change at line 274 skipping to change at line 274
getFromMeta(zname, "NSEC3PARAM", value); getFromMeta(zname, "NSEC3PARAM", value);
if(value.empty()) { // "no NSEC3" if(value.empty()) { // "no NSEC3"
return false; return false;
} }
static int maxNSEC3Iterations=::arg().asNum("max-nsec3-iterations"); static int maxNSEC3Iterations=::arg().asNum("max-nsec3-iterations");
if(ns3p) { if(ns3p) {
*ns3p = NSEC3PARAMRecordContent(value); *ns3p = NSEC3PARAMRecordContent(value);
if (ns3p->d_iterations > maxNSEC3Iterations) { if (ns3p->d_iterations > maxNSEC3Iterations) {
ns3p->d_iterations = maxNSEC3Iterations; ns3p->d_iterations = maxNSEC3Iterations;
L<<Logger::Error<<"Number of NSEC3 iterations for zone '"<<zname<<"' is ab ove 'max-nsec3-iterations'. Value adjusted to: "<<maxNSEC3Iterations<<endl; g_log<<Logger::Error<<"Number of NSEC3 iterations for zone '"<<zname<<"' i s above 'max-nsec3-iterations'. Value adjusted to: "<<maxNSEC3Iterations<<endl;
} }
if (ns3p->d_algorithm != 1) { if (ns3p->d_algorithm != 1) {
L<<Logger::Error<<"Invalid hash algorithm for NSEC3: '"<<std::to_string(ns 3p->d_algorithm)<<"', setting to 1 for zone '"<<zname<<"'."<<endl; g_log<<Logger::Error<<"Invalid hash algorithm for NSEC3: '"<<std::to_strin g(ns3p->d_algorithm)<<"', setting to 1 for zone '"<<zname<<"'."<<endl;
ns3p->d_algorithm = 1; ns3p->d_algorithm = 1;
} }
} }
if(narrow) { if(narrow) {
getFromMeta(zname, "NSEC3NARROW", value); getFromMeta(zname, "NSEC3NARROW", value);
*narrow = (value=="1"); *narrow = (value=="1");
} }
return true; return true;
} }
skipping to change at line 318 skipping to change at line 318
ret = false; ret = false;
} }
return ret; return ret;
} }
bool DNSSECKeeper::setNSEC3PARAM(const DNSName& zname, const NSEC3PARAMRecordCon tent& ns3p, const bool& narrow) bool DNSSECKeeper::setNSEC3PARAM(const DNSName& zname, const NSEC3PARAMRecordCon tent& ns3p, const bool& narrow)
{ {
string error_msg = ""; string error_msg = "";
if (!checkNSEC3PARAM(ns3p, error_msg)) if (!checkNSEC3PARAM(ns3p, error_msg))
throw runtime_error("NSEC3PARAMs provided for zone '"+zname.toString()+"' ar e invalid: " + error_msg); throw runtime_error("NSEC3PARAMs provided for zone '"+zname.toLogString()+"' are invalid: " + error_msg);
clearCaches(zname); clearCaches(zname);
string descr = ns3p.getZoneRepresentation(); string descr = ns3p.getZoneRepresentation();
vector<string> meta; vector<string> meta;
meta.push_back(descr); meta.push_back(descr);
if (d_keymetadb->setDomainMetadata(zname, "NSEC3PARAM", meta)) { if (d_keymetadb->setDomainMetadata(zname, "NSEC3PARAM", meta)) {
meta.clear(); meta.clear();
if(narrow) if(narrow)
meta.push_back("1"); meta.push_back("1");
skipping to change at line 481 skipping to change at line 481
for(DNSBackend::KeyData& kd : dbkeyset) for(DNSBackend::KeyData& kd : dbkeyset)
{ {
DNSSECPrivateKey dpk; DNSSECPrivateKey dpk;
DNSKEYRecordContent dkrc; DNSKEYRecordContent dkrc;
dpk.setKey(shared_ptr<DNSCryptoKeyEngine>(DNSCryptoKeyEngine::makeFromISCStr ing(dkrc, kd.content))); dpk.setKey(shared_ptr<DNSCryptoKeyEngine>(DNSCryptoKeyEngine::makeFromISCStr ing(dkrc, kd.content)));
dpk.d_flags = kd.flags; dpk.d_flags = kd.flags;
dpk.d_algorithm = dkrc.d_algorithm; dpk.d_algorithm = dkrc.d_algorithm;
if(dpk.d_algorithm == 5 && getNSEC3PARAM(zone)) { if(dpk.d_algorithm == DNSSECKeeper::RSASHA1 && getNSEC3PARAM(zone)) {
L<<Logger::Warning<<"Zone '"<<zone<<"' has NSEC3 semantics, but the "<< (k g_log<<Logger::Warning<<"Zone '"<<zone<<"' has NSEC3 semantics, but the "<
d.active ? "" : "in" ) <<"active key with id "<<kd.id<<" has 'Algorithm: 5'. Thi < (kd.active ? "" : "in" ) <<"active key with id "<<kd.id<<" has 'Algorithm: 5'.
s should be corrected to 'Algorithm: 7' in the database (or NSEC3 should be disa This should be corrected to 'Algorithm: 7' in the database (or NSEC3 should be
bled)."<<endl; disabled)."<<endl;
dpk.d_algorithm+=2; dpk.d_algorithm = DNSSECKeeper::RSASHA1NSEC3SHA1;
} }
KeyMetaData kmd; KeyMetaData kmd;
kmd.active = kd.active; kmd.active = kd.active;
kmd.hasSEPBit = (kd.flags == 257); kmd.hasSEPBit = (kd.flags == 257);
kmd.id = kd.id; kmd.id = kd.id;
if (find(algoHasSeparateKSK.begin(), algoHasSeparateKSK.end(), dpk.d_algorit hm) == algoHasSeparateKSK.end()) if (find(algoHasSeparateKSK.begin(), algoHasSeparateKSK.end(), dpk.d_algorit hm) == algoHasSeparateKSK.end())
kmd.keyType = CSK; kmd.keyType = CSK;
skipping to change at line 510 skipping to change at line 510
} }
sort(retkeyset.begin(), retkeyset.end(), keyCompareByKindAndID); sort(retkeyset.begin(), retkeyset.end(), keyCompareByKindAndID);
if (ttl > 0) { if (ttl > 0) {
KeyCacheEntry kce; KeyCacheEntry kce;
kce.d_domain=zone; kce.d_domain=zone;
kce.d_keys = retkeyset; kce.d_keys = retkeyset;
kce.d_ttd = now + ttl; kce.d_ttd = now + ttl;
{ {
WriteLock l(&s_keycachelock); WriteLock l(&s_keycachelock);
replacing_insert(s_keycache, kce); lruReplacingInsert(s_keycache, kce);
} }
} }
return retkeyset; return retkeyset;
} }
bool DNSSECKeeper::checkKeys(const DNSName& zone) bool DNSSECKeeper::checkKeys(const DNSName& zone, vector<string>* errorMessages)
{ {
vector<DNSBackend::KeyData> dbkeyset; vector<DNSBackend::KeyData> dbkeyset;
d_keymetadb->getDomainKeys(zone, dbkeyset); d_keymetadb->getDomainKeys(zone, dbkeyset);
bool retval = true;
for(const DNSBackend::KeyData &keydata : dbkeyset) { for(const DNSBackend::KeyData &keydata : dbkeyset) {
DNSKEYRecordContent dkrc; DNSKEYRecordContent dkrc;
shared_ptr<DNSCryptoKeyEngine> dke(DNSCryptoKeyEngine::makeFromISCString(dkr c, keydata.content)); shared_ptr<DNSCryptoKeyEngine> dke(DNSCryptoKeyEngine::makeFromISCString(dkr c, keydata.content));
if (!dke->checkKey()) { retval = dke->checkKey(errorMessages) && retval;
return false;
}
} }
return true; return retval;
} }
bool DNSSECKeeper::getPreRRSIGs(UeberBackend& db, const DNSName& signer, const D NSName& qname, bool DNSSECKeeper::getPreRRSIGs(UeberBackend& db, const DNSName& signer, const D NSName& qname,
const DNSName& wildcardname, const QType& qtype, const DNSName& wildcardname, const QType& qtype,
DNSResourceRecord::Place signPlace, vector<DNSZoneRecord>& rrsigs, uint3 2_t signTTL) DNSResourceRecord::Place signPlace, vector<DNSZoneRecord>& rrsigs, uint3 2_t signTTL)
{ {
// cerr<<"Doing DB lookup for precomputed RRSIGs for '"<<(wildcardname.empty() ? qname : wildcardname)<<"'"<<endl; // cerr<<"Doing DB lookup for precomputed RRSIGs for '"<<(wildcardname.empty() ? qname : wildcardname)<<"'"<<endl;
SOAData sd; SOAData sd;
if(!db.getSOAUncached(signer, sd)) { if(!db.getSOAUncached(signer, sd)) {
DLOG(L<<"Could not get SOA for domain"<<endl); DLOG(g_log<<"Could not get SOA for domain"<<endl);
return false; return false;
} }
db.lookup(QType(QType::RRSIG), wildcardname.countLabels() ? wildcardname : qname, NULL, sd.domain_id); db.lookup(QType(QType::RRSIG), wildcardname.countLabels() ? wildcardname : qname, NULL, sd.domain_id);
DNSZoneRecord rr; DNSZoneRecord rr;
while(db.get(rr)) { while(db.get(rr)) {
auto rrsig = getRR<RRSIGRecordContent>(rr.dr); auto rrsig = getRR<RRSIGRecordContent>(rr.dr);
if(rrsig->d_type == qtype.getCode() && rrsig->d_signer==signer) { if(rrsig->d_type == qtype.getCode() && rrsig->d_signer==signer) {
if (wildcardname.countLabels()) if (wildcardname.countLabels())
rr.dr.d_name = qname; rr.dr.d_name = qname;
rr.dr.d_place = signPlace; rr.dr.d_place = signPlace;
skipping to change at line 571 skipping to change at line 570
d_keymetadb->getDomainMetadata(zone, "TSIG-ALLOW-AXFR", allowed); d_keymetadb->getDomainMetadata(zone, "TSIG-ALLOW-AXFR", allowed);
for(const string& dbkey : allowed) { for(const string& dbkey : allowed) {
if(DNSName(dbkey)==keyname) if(DNSName(dbkey)==keyname)
return true; return true;
} }
return false; return false;
} }
bool DNSSECKeeper::getTSIGForAccess(const DNSName& zone, const string& master, D NSName* keyname) bool DNSSECKeeper::getTSIGForAccess(const DNSName& zone, const ComboAddress& mas ter, DNSName* keyname)
{ {
vector<string> keynames; vector<string> keynames;
d_keymetadb->getDomainMetadata(zone, "AXFR-MASTER-TSIG", keynames); d_keymetadb->getDomainMetadata(zone, "AXFR-MASTER-TSIG", keynames);
keyname->trimToLabels(0); keyname->trimToLabels(0);
// XXX FIXME this should check for a specific master! // XXX FIXME this should check for a specific master!
for(const string& dbkey : keynames) { for(const string& dbkey : keynames) {
*keyname=DNSName(dbkey); *keyname=DNSName(dbkey);
return true; return true;
} }
skipping to change at line 663 skipping to change at line 662
if(rr.qtype.getCode() == QType::NS && rr.qname != zone) if(rr.qtype.getCode() == QType::NS && rr.qname != zone)
nsset.insert(rr.qname); nsset.insert(rr.qname);
if(rr.qtype.getCode() == QType::DS) if(rr.qtype.getCode() == QType::DS)
dsnames.insert(rr.qname); dsnames.insert(rr.qname);
} }
else else
delnonterm.insert(rr.qname); delnonterm.insert(rr.qname);
} }
NSEC3PARAMRecordContent ns3pr; NSEC3PARAMRecordContent ns3pr;
bool narrow; bool securedZone = isSecuredZone(zone);
bool haveNSEC3 = getNSEC3PARAM(zone, &ns3pr, &narrow); bool haveNSEC3 = false, isOptOut = false, narrow = false;
bool isOptOut = (haveNSEC3 && ns3pr.d_flags);
if(securedZone) {
haveNSEC3 = getNSEC3PARAM(zone, &ns3pr, &narrow);
isOptOut = (haveNSEC3 && ns3pr.d_flags);
if(isSecuredZone(zone)) {
if(!haveNSEC3) { if(!haveNSEC3) {
infostream<<"Adding NSEC ordering information "; infostream<<"Adding NSEC ordering information ";
} }
else if(!narrow) { else if(!narrow) {
if(!isOptOut) { if(!isOptOut) {
infostream<<"Adding NSEC3 hashed ordering information for '"<<zone<<"'"; infostream<<"Adding NSEC3 hashed ordering information for '"<<zone<<"'";
} }
else { else {
infostream<<"Adding NSEC3 opt-out hashed ordering information for '"<<zon e<<"'"; infostream<<"Adding NSEC3 opt-out hashed ordering information for '"<<zo ne<<"'";
} }
} else { } else {
infostream<<"Erasing NSEC3 ordering since we are narrow, only setting 'aut h' fields"; infostream<<"Erasing NSEC3 ordering since we are narrow, only setting 'aut h' fields";
} }
} }
else { else {
infostream<<"Adding empty non-terminals for non-DNSSEC zone"; infostream<<"Adding empty non-terminals for non-DNSSEC zone";
} }
set<DNSName> nsec3set; set<DNSName> nsec3set;
skipping to change at line 745 skipping to change at line 746
if(haveNSEC3) // NSEC3 if(haveNSEC3) // NSEC3
{ {
if(nsec3set.count(qname)) { if(nsec3set.count(qname)) {
if(!narrow) if(!narrow)
ordername=DNSName(toBase32Hex(hashQNameWithSalt(ns3pr, qname))); ordername=DNSName(toBase32Hex(hashQNameWithSalt(ns3pr, qname)));
if(!realrr && !isOptOut) if(!realrr && !isOptOut)
auth=true; auth=true;
} }
} }
else if (realrr) // NSEC else if (realrr && securedZone) // NSEC
ordername=qname.makeRelative(zone); ordername=qname.makeRelative(zone);
sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, qname, ordername, auth); sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, qname, ordername, auth);
if(realrr) if(realrr)
{ {
if (dsnames.count(qname)) if (dsnames.count(qname))
sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, qname, ordername, true , QType::DS); sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, qname, ordername, true , QType::DS);
if (!auth || nsset.count(qname)) { if (!auth || nsset.count(qname)) {
ordername.clear(); ordername.clear();
skipping to change at line 771 skipping to change at line 772
if(doent) if(doent)
{ {
shorter=qname; shorter=qname;
while(shorter!=zone && shorter.chopOff()) while(shorter!=zone && shorter.chopOff())
{ {
if(!qnames.count(shorter)) if(!qnames.count(shorter))
{ {
if(!(maxent)) if(!(maxent))
{ {
L<<Logger::Warning<<"Zone '"<<zone<<"' has too many empty non term inals."<<endl; g_log<<Logger::Warning<<"Zone '"<<zone<<"' has too many empty non terminals."<<endl;
insnonterm.clear(); insnonterm.clear();
delnonterm.clear(); delnonterm.clear();
doent=false; doent=false;
break; break;
} }
if (!delnonterm.count(shorter) && !nonterm.count(shorter)) if (!delnonterm.count(shorter) && !nonterm.count(shorter))
insnonterm.insert(shorter); insnonterm.insert(shorter);
else else
delnonterm.erase(shorter); delnonterm.erase(shorter);
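Review bot: In getTSIGForAccess the parameter is now a `const ComboAddress& master`, but the body still never reads it: after `keyname->trimToLabels(0)` the loop over the AXFR-MASTER-TSIG metadata assigns the first entry to `*keyname` and returns true on its first iteration, so the same TSIG key is selected for every primary of the zone and the `XXX FIXME` above the loop still applies. If the per-master lookup is deliberately deferred, the new signature deserves a comment saying so, e.g. `// NOTE: master is currently ignored; the first AXFR-MASTER-TSIG entry is returned for every primary of this zone`, so callers do not assume the key is chosen per address. The loop can also be written as a plain guard, `if (keynames.empty()) return false; *keyname = DNSName(keynames.front()); return true;`, which makes the first-entry behaviour explicit instead of hiding it in a loop that never iterates twice. The function's trailing `return false;` and closing brace are outside this hunk.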
 End of changes. 23 change blocks. 
32 lines changed or deleted 33 lines changed or added
