Merge branch 'nsec3_optim_proof_no_wildc' into 'master'

NSEC3 optimization

See merge request !906

src/knot/nameserver/nsec_proofs.c

@@ -356,19 +356,6 @@ static int put_wildcard_answer(const zone_node_t *wildcard,
 	return ret;
 }
 
-/*!
- * \brief Create a wildcard child of a name as a local variable.
- *
- * \param out     Name of the output wariable.
- * \param parent  Parent of the wildcard.
- */
-#define CREATE_WILDCARD(out, parent) \
-	int size = knot_dname_size(parent); \
-	if (size < 0 || size > KNOT_DNAME_MAXLEN - 2) return KNOT_EINVAL; \
-	uint8_t out[2 + size]; \
-	memcpy(out, "\x01""*", 2); \
-	memcpy(out + 2, parent, size);
-
 /*!
  * \brief Put NSECs for NXDOMAIN error into the response.
  *
@@ -407,7 +394,14 @@ static int put_nsec_nxdomain(const zone_contents_t *zone,
 
 	// NOTE: closest may be empty non-terminal and thus not authoritative.
 
-	CREATE_WILDCARD(wildcard, closest->owner)
+	size_t size = knot_dname_size(closest->owner);
+	if (size > KNOT_DNAME_MAXLEN - 2) {
+		return KNOT_EINVAL;
+	}
+	assert(size > 0);
+	uint8_t wildcard[2 + size];
+	memcpy(wildcard, "\x01""*", 2);
+	memcpy(wildcard + 2, closest->owner, size);
 
 	return put_covering_nsec(zone, wildcard, qdata, resp);
 }
@@ -446,9 +440,11 @@ static int put_nsec3_nxdomain(const knot_dname_t *qname,
 
 	// NSEC3 covering the (nonexistent) wildcard at the closest encloser.
 
-	CREATE_WILDCARD(wildcard, cpe->owner)
+	if (cpe->nsec3_wildcard_prev == NULL) {
+		return KNOT_ERROR;
+	}
 
-	return put_covering_nsec3(zone, wildcard, qdata, resp);
+	return put_nsec3_from_node(cpe->nsec3_wildcard_prev, qdata, resp);
 }
 
 /*!

src/knot/zone/contents.c

@@ -236,13 +236,30 @@ static int adjust_nsec3_pointers(zone_node_t **tnode, void *data)
 
 	zone_adjust_arg_t *args = (zone_adjust_arg_t *)data;
 	zone_node_t *node = *tnode;
+	const zone_node_t *ignored;
 
 	// Connect to NSEC3 node (only if NSEC3 tree is not empty)
+	node->nsec3_wildcard_prev = NULL;
 	uint8_t nsec3_name[KNOT_DNAME_MAXLEN];
 	int ret = create_nsec3_name(nsec3_name, sizeof(nsec3_name), args->zone,
 	                            node->owner);
 	if (ret == KNOT_EOK) {
 		node->nsec3_node = zone_tree_get(args->zone->nsec3_nodes, nsec3_name);
+
+		// Connect to NSEC3 node proving nonexistence of wildcard.
+		size_t wildcard_size = knot_dname_size(node->owner) + 2;
+		if (wildcard_size <= KNOT_DNAME_MAXLEN) {
+			assert(wildcard_size > 2);
+			knot_dname_t wildcard[wildcard_size];
+			memcpy(wildcard, "\x01""*", 2);
+			memcpy(wildcard + 2, node->owner, wildcard_size - 2);
+			ret = zone_contents_find_nsec3_for_name(args->zone, wildcard, &ignored,
+			                                        (const zone_node_t **)&node->nsec3_wildcard_prev);
+			if (ret == ZONE_NAME_FOUND) {
+				node->nsec3_wildcard_prev = NULL;
+				ret = KNOT_EOK;
+			}
+		}
 	} else if (ret == KNOT_ENSEC3PAR) {
 		node->nsec3_node = NULL;
 		ret = KNOT_EOK;
@@ -998,13 +1015,15 @@ static int contents_adjust(zone_contents_t *contents, bool normal)
 	contents->size = 0;
 	contents->dnssec = node_rrtype_is_signed(contents->apex, KNOT_RRTYPE_SOA);
 
-	ret = adjust_nodes(contents->nodes, &arg,
-	                   normal ? adjust_normal_node : adjust_pointers);
+	// NSEC3 nodes must be adjusted first, because we already need the NSEC3 chain
+	// to be closed before we adjust NSEC3 pointers in adjust_normal_node
+	ret = adjust_nodes(contents->nsec3_nodes, &arg, adjust_nsec3_node);
 	if (ret != KNOT_EOK) {
 		return ret;
 	}
 
-	ret = adjust_nodes(contents->nsec3_nodes, &arg, adjust_nsec3_node);
+	ret = adjust_nodes(contents->nodes, &arg,
+	                   normal ? adjust_normal_node : adjust_pointers);
 	if (ret != KNOT_EOK) {
 		return ret;
 	}

src/knot/zone/node.h

@@ -40,6 +40,7 @@ typedef struct zone_node {
 	 */
 	struct zone_node *prev;
 	struct zone_node *nsec3_node; /*! NSEC3 node corresponding to this node. */
+	struct zone_node *nsec3_wildcard_prev; /*! NSEC3 node for proof of wildcard non-existence. */
 	uint32_t children; /*!< Count of children nodes in DNS hierarchy. */
 	uint16_t rrset_count; /*!< Number of RRSets stored in the node. */
 	uint8_t flags; /*!< \ref node_flags enum. */

tests/knot/semantic_check_data/cdnskey.cds

@@ -2,7 +2,6 @@
 example.com.        	3600	SOA	dns2.example.com. hostmaster.example.com. 2010135808 10800 3600 1209600 7200
 example.com.        	3600	NS	dns2.example.com.
 example.com.        	3600	MX	10 mail.example.com.
-example.com.        	0	NSEC3PARAM	1 0 250 662455DF6C5AB542
 example.com.        	3600	DNSKEY	256 3 8 AwEAAdKraxDdGTL4HDOkXTDI1Md1UdHuYhVwYkB+u2umVjTJ1H9Qb2oBryqwXI+gklnuCqrH1znkDvzGEAeHRQUCbtKbjmqErTAcRRHW3D+6jsOGXzbyGCfbyzRBwsbNCLWr3ONpPi5JOWEeCUJfyc/mRXcmh5uYl1JvzAM1zprtljZt
 example.com.        	3600	DNSKEY	257 3 8 AwEAAcQ1EqTPebcJyUnpxO3Xjx6ehRtsiZYToARoJsJG12XR6Ci9yy4SCCsejtaWIFO4XVfM2BHzFWqmABtQHtN7AazXAFMLsrSE4DYbgk5WmnQv5Jloi6jhhmmXwr8EOi3HR2jdG0gVq/Tax7ztNNZsflJrs3rZs2TVO00BkyyOkmO35jCNbGPUwm5cW1vse137BMa7jAcMyNLPIiQubj1/mJcIyzF2duvfpjBTgEmSvNcXqLfYFjK8lG4NodQG8AcK0MvWqN4mxW/hK0U9nMSjhCnfzPg5tjyqdheWRyhkLGjM/mR7gBhtqoSPMr+2KMJQEHYAd/AP8YgaovS8N1fJyh0=
 example.com.        	3600	DNSKEY	257 3 8 AwEAAetE6qfN/GbtMmvM0PXUTyskauES2FKfjqLVz7EQlfS8iAFWLi1eHjHXDkueZ1OYRzQ4IBy6MIsce4XVXLQoS8njtfaU7c5NZvktH5la7JuH32KYr3PdWL5KDsUdED3GSxfNV+DbcYU80AZxTxy6Bm6EP+DztL1dpYrmqr8JRl+qlSbmLIrPemZFUEQzhiepcYMWviDUz+ixSVzjEzpMCLsrNxA30Ziiq9GKA8KKlFHdAmxuNcH0TzRndpo6bu5nKyJHiREIazHVuPBEzUmHtcWETCDs9UVsbji2Z2ozqLz9cqnfYV/kOD+OZBAqvZ0n/4lgdSiBtvByLCXoWEYIGRs=

tests/knot/semantic_check_data/cdnskey.invalid

@@ -2,7 +2,6 @@
 example.com.        	3600	SOA	dns2.example.com. hostmaster.example.com. 2010135808 10800 3600 1209600 7200
 example.com.        	3600	NS	dns2.example.com.
 example.com.        	3600	MX	10 mail.example.com.
-example.com.        	0	NSEC3PARAM	1 0 250 662455DF6C5AB542
 example.com.        	3600	DNSKEY	256 3 8 AwEAAdKraxDdGTL4HDOkXTDI1Md1UdHuYhVwYkB+u2umVjTJ1H9Qb2oBryqwXI+gklnuCqrH1znkDvzGEAeHRQUCbtKbjmqErTAcRRHW3D+6jsOGXzbyGCfbyzRBwsbNCLWr3ONpPi5JOWEeCUJfyc/mRXcmh5uYl1JvzAM1zprtljZt
 example.com.        	3600	DNSKEY	257 3 8 AwEAAcQ1EqTPebcJyUnpxO3Xjx6ehRtsiZYToARoJsJG12XR6Ci9yy4SCCsejtaWIFO4XVfM2BHzFWqmABtQHtN7AazXAFMLsrSE4DYbgk5WmnQv5Jloi6jhhmmXwr8EOi3HR2jdG0gVq/Tax7ztNNZsflJrs3rZs2TVO00BkyyOkmO35jCNbGPUwm5cW1vse137BMa7jAcMyNLPIiQubj1/mJcIyzF2duvfpjBTgEmSvNcXqLfYFjK8lG4NodQG8AcK0MvWqN4mxW/hK0U9nMSjhCnfzPg5tjyqdheWRyhkLGjM/mR7gBhtqoSPMr+2KMJQEHYAd/AP8YgaovS8N1fJyh0=
 example.com.        	3600	DNSKEY	257 3 8 AwEAAetE6qfN/GbtMmvM0PXUTyskauES2FKfjqLVz7EQlfS8iAFWLi1eHjHXDkueZ1OYRzQ4IBy6MIsce4XVXLQoS8njtfaU7c5NZvktH5la7JuH32KYr3PdWL5KDsUdED3GSxfNV+DbcYU80AZxTxy6Bm6EP+DztL1dpYrmqr8JRl+qlSbmLIrPemZFUEQzhiepcYMWviDUz+ixSVzjEzpMCLsrNxA30Ziiq9GKA8KKlFHdAmxuNcH0TzRndpo6bu5nKyJHiREIazHVuPBEzUmHtcWETCDs9UVsbji2Z2ozqLz9cqnfYV/kOD+OZBAqvZ0n/4lgdSiBtvByLCXoWEYIGRs=

tests/knot/semantic_check_data/cdnskey.invalid.param

@@ -2,7 +2,6 @@
 example.com.        	3600	SOA	dns2.example.com. hostmaster.example.com. 2010135808 10800 3600 1209600 7200
 example.com.        	3600	NS	dns2.example.com.
 example.com.        	3600	MX	10 mail.example.com.
-example.com.        	0	NSEC3PARAM	1 0 250 662455DF6C5AB542
 example.com.        	3600	DNSKEY	256 3 8 AwEAAdKraxDdGTL4HDOkXTDI1Md1UdHuYhVwYkB+u2umVjTJ1H9Qb2oBryqwXI+gklnuCqrH1znkDvzGEAeHRQUCbtKbjmqErTAcRRHW3D+6jsOGXzbyGCfbyzRBwsbNCLWr3ONpPi5JOWEeCUJfyc/mRXcmh5uYl1JvzAM1zprtljZt
 example.com.        	3600	DNSKEY	257 3 8 AwEAAcQ1EqTPebcJyUnpxO3Xjx6ehRtsiZYToARoJsJG12XR6Ci9yy4SCCsejtaWIFO4XVfM2BHzFWqmABtQHtN7AazXAFMLsrSE4DYbgk5WmnQv5Jloi6jhhmmXwr8EOi3HR2jdG0gVq/Tax7ztNNZsflJrs3rZs2TVO00BkyyOkmO35jCNbGPUwm5cW1vse137BMa7jAcMyNLPIiQubj1/mJcIyzF2duvfpjBTgEmSvNcXqLfYFjK8lG4NodQG8AcK0MvWqN4mxW/hK0U9nMSjhCnfzPg5tjyqdheWRyhkLGjM/mR7gBhtqoSPMr+2KMJQEHYAd/AP8YgaovS8N1fJyh0=
 example.com.        	3600	DNSKEY	257 3 8 AwEAAetE6qfN/GbtMmvM0PXUTyskauES2FKfjqLVz7EQlfS8iAFWLi1eHjHXDkueZ1OYRzQ4IBy6MIsce4XVXLQoS8njtfaU7c5NZvktH5la7JuH32KYr3PdWL5KDsUdED3GSxfNV+DbcYU80AZxTxy6Bm6EP+DztL1dpYrmqr8JRl+qlSbmLIrPemZFUEQzhiepcYMWviDUz+ixSVzjEzpMCLsrNxA30Ziiq9GKA8KKlFHdAmxuNcH0TzRndpo6bu5nKyJHiREIazHVuPBEzUmHtcWETCDs9UVsbji2Z2ozqLz9cqnfYV/kOD+OZBAqvZ0n/4lgdSiBtvByLCXoWEYIGRs=

tests/knot/semantic_check_data/cdnskey.nocdnskey

@@ -2,7 +2,6 @@
 example.com.        	3600	SOA	dns2.example.com. hostmaster.example.com. 2010135808 10800 3600 1209600 7200
 example.com.        	3600	NS	dns2.example.com.
 example.com.        	3600	MX	10 mail.example.com.
-example.com.        	0	NSEC3PARAM	1 0 250 662455DF6C5AB542
 example.com.        	3600	DNSKEY	256 3 8 AwEAAdKraxDdGTL4HDOkXTDI1Md1UdHuYhVwYkB+u2umVjTJ1H9Qb2oBryqwXI+gklnuCqrH1znkDvzGEAeHRQUCbtKbjmqErTAcRRHW3D+6jsOGXzbyGCfbyzRBwsbNCLWr3ONpPi5JOWEeCUJfyc/mRXcmh5uYl1JvzAM1zprtljZt
 example.com.        	3600	DNSKEY	257 3 8 AwEAAcQ1EqTPebcJyUnpxO3Xjx6ehRtsiZYToARoJsJG12XR6Ci9yy4SCCsejtaWIFO4XVfM2BHzFWqmABtQHtN7AazXAFMLsrSE4DYbgk5WmnQv5Jloi6jhhmmXwr8EOi3HR2jdG0gVq/Tax7ztNNZsflJrs3rZs2TVO00BkyyOkmO35jCNbGPUwm5cW1vse137BMa7jAcMyNLPIiQubj1/mJcIyzF2duvfpjBTgEmSvNcXqLfYFjK8lG4NodQG8AcK0MvWqN4mxW/hK0U9nMSjhCnfzPg5tjyqdheWRyhkLGjM/mR7gBhtqoSPMr+2KMJQEHYAd/AP8YgaovS8N1fJyh0=
 example.com.        	3600	DNSKEY	257 3 8 AwEAAetE6qfN/GbtMmvM0PXUTyskauES2FKfjqLVz7EQlfS8iAFWLi1eHjHXDkueZ1OYRzQ4IBy6MIsce4XVXLQoS8njtfaU7c5NZvktH5la7JuH32KYr3PdWL5KDsUdED3GSxfNV+DbcYU80AZxTxy6Bm6EP+DztL1dpYrmqr8JRl+qlSbmLIrPemZFUEQzhiepcYMWviDUz+ixSVzjEzpMCLsrNxA30Ziiq9GKA8KKlFHdAmxuNcH0TzRndpo6bu5nKyJHiREIazHVuPBEzUmHtcWETCDs9UVsbji2Z2ozqLz9cqnfYV/kOD+OZBAqvZ0n/4lgdSiBtvByLCXoWEYIGRs=

tests/knot/semantic_check_data/cdnskey.nocds

@@ -2,7 +2,6 @@
 example.com.        	3600	SOA	dns2.example.com. hostmaster.example.com. 2010135808 10800 3600 1209600 7200
 example.com.        	3600	NS	dns2.example.com.
 example.com.        	3600	MX	10 mail.example.com.
-example.com.        	0	NSEC3PARAM	1 0 250 662455DF6C5AB542
 example.com.        	3600	DNSKEY	256 3 8 AwEAAdKraxDdGTL4HDOkXTDI1Md1UdHuYhVwYkB+u2umVjTJ1H9Qb2oBryqwXI+gklnuCqrH1znkDvzGEAeHRQUCbtKbjmqErTAcRRHW3D+6jsOGXzbyGCfbyzRBwsbNCLWr3ONpPi5JOWEeCUJfyc/mRXcmh5uYl1JvzAM1zprtljZt
 example.com.        	3600	DNSKEY	257 3 8 AwEAAcQ1EqTPebcJyUnpxO3Xjx6ehRtsiZYToARoJsJG12XR6Ci9yy4SCCsejtaWIFO4XVfM2BHzFWqmABtQHtN7AazXAFMLsrSE4DYbgk5WmnQv5Jloi6jhhmmXwr8EOi3HR2jdG0gVq/Tax7ztNNZsflJrs3rZs2TVO00BkyyOkmO35jCNbGPUwm5cW1vse137BMa7jAcMyNLPIiQubj1/mJcIyzF2duvfpjBTgEmSvNcXqLfYFjK8lG4NodQG8AcK0MvWqN4mxW/hK0U9nMSjhCnfzPg5tjyqdheWRyhkLGjM/mR7gBhtqoSPMr+2KMJQEHYAd/AP8YgaovS8N1fJyh0=
 example.com.        	3600	DNSKEY	257 3 8 AwEAAetE6qfN/GbtMmvM0PXUTyskauES2FKfjqLVz7EQlfS8iAFWLi1eHjHXDkueZ1OYRzQ4IBy6MIsce4XVXLQoS8njtfaU7c5NZvktH5la7JuH32KYr3PdWL5KDsUdED3GSxfNV+DbcYU80AZxTxy6Bm6EP+DztL1dpYrmqr8JRl+qlSbmLIrPemZFUEQzhiepcYMWviDUz+ixSVzjEzpMCLsrNxA30Ziiq9GKA8KKlFHdAmxuNcH0TzRndpo6bu5nKyJHiREIazHVuPBEzUmHtcWETCDs9UVsbji2Z2ozqLz9cqnfYV/kOD+OZBAqvZ0n/4lgdSiBtvByLCXoWEYIGRs=

tests/knot/semantic_check_data/cdnskey.nodnskey

@@ -2,7 +2,6 @@
 example.com.        	3600	SOA	dns2.example.com. hostmaster.example.com. 2010135808 10800 3600 1209600 7200
 example.com.        	3600	NS	dns2.example.com.
 example.com.        	3600	MX	10 mail.example.com.
-example.com.        	0	NSEC3PARAM	1 0 250 662455DF6C5AB542
 example.com.        	3600	DNSKEY	256 3 8 AwEAAdKraxDdGTL4HDOkXTDI1Md1UdHuYhVwYkB+u2umVjTJ1H9Qb2oBryqwXI+gklnuCqrH1znkDvzGEAeHRQUCbtKbjmqErTAcRRHW3D+6jsOGXzbyGCfbyzRBwsbNCLWr3ONpPi5JOWEeCUJfyc/mRXcmh5uYl1JvzAM1zprtljZt
 example.com.        	3600	DNSKEY	257 3 8 AwEAAetE6qfN/GbtMmvM0PXUTyskauES2FKfjqLVz7EQlfS8iAFWLi1eHjHXDkueZ1OYRzQ4IBy6MIsce4XVXLQoS8njtfaU7c5NZvktH5la7JuH32KYr3PdWL5KDsUdED3GSxfNV+DbcYU80AZxTxy6Bm6EP+DztL1dpYrmqr8JRl+qlSbmLIrPemZFUEQzhiepcYMWviDUz+ixSVzjEzpMCLsrNxA30Ziiq9GKA8KKlFHdAmxuNcH0TzRndpo6bu5nKyJHiREIazHVuPBEzUmHtcWETCDs9UVsbji2Z2ozqLz9cqnfYV/kOD+OZBAqvZ0n/4lgdSiBtvByLCXoWEYIGRs=
 example.com.        	3600	CDNSKEY	257 3 8 AwEAAcQ1EqTPebcJyUnpxO3Xjx6ehRtsiZYToARoJsJG12XR6Ci9yy4SCCsejtaWIFO4XVfM2BHzFWqmABtQHtN7AazXAFMLsrSE4DYbgk5WmnQv5Jloi6jhhmmXwr8EOi3HR2jdG0gVq/Tax7ztNNZsflJrs3rZs2TVO00BkyyOkmO35jCNbGPUwm5cW1vse137BMa7jAcMyNLPIiQubj1/mJcIyzF2duvfpjBTgEmSvNcXqLfYFjK8lG4NodQG8AcK0MvWqN4mxW/hK0U9nMSjhCnfzPg5tjyqdheWRyhkLGjM/mR7gBhtqoSPMr+2KMJQEHYAd/AP8YgaovS8N1fJyh0=

tests/knot/semantic_check_data/cdnskey.two

@@ -2,7 +2,6 @@
 example.com.        	3600	SOA	dns2.example.com. hostmaster.example.com. 2010135808 10800 3600 1209600 7200
 example.com.        	3600	NS	dns2.example.com.
 example.com.        	3600	MX	10 mail.example.com.
-example.com.        	0	NSEC3PARAM	1 0 250 662455DF6C5AB542
 example.com.        	3600	DNSKEY	256 3 8 AwEAAdKraxDdGTL4HDOkXTDI1Md1UdHuYhVwYkB+u2umVjTJ1H9Qb2oBryqwXI+gklnuCqrH1znkDvzGEAeHRQUCbtKbjmqErTAcRRHW3D+6jsOGXzbyGCfbyzRBwsbNCLWr3ONpPi5JOWEeCUJfyc/mRXcmh5uYl1JvzAM1zprtljZt
 example.com.        	3600	DNSKEY	257 3 8 AwEAAcQ1EqTPebcJyUnpxO3Xjx6ehRtsiZYToARoJsJG12XR6Ci9yy4SCCsejtaWIFO4XVfM2BHzFWqmABtQHtN7AazXAFMLsrSE4DYbgk5WmnQv5Jloi6jhhmmXwr8EOi3HR2jdG0gVq/Tax7ztNNZsflJrs3rZs2TVO00BkyyOkmO35jCNbGPUwm5cW1vse137BMa7jAcMyNLPIiQubj1/mJcIyzF2duvfpjBTgEmSvNcXqLfYFjK8lG4NodQG8AcK0MvWqN4mxW/hK0U9nMSjhCnfzPg5tjyqdheWRyhkLGjM/mR7gBhtqoSPMr+2KMJQEHYAd/AP8YgaovS8N1fJyh0=
 example.com.        	3600	DNSKEY	257 3 8 AwEAAetE6qfN/GbtMmvM0PXUTyskauES2FKfjqLVz7EQlfS8iAFWLi1eHjHXDkueZ1OYRzQ4IBy6MIsce4XVXLQoS8njtfaU7c5NZvktH5la7JuH32KYr3PdWL5KDsUdED3GSxfNV+DbcYU80AZxTxy6Bm6EP+DztL1dpYrmqr8JRl+qlSbmLIrPemZFUEQzhiepcYMWviDUz+ixSVzjEzpMCLsrNxA30Ziiq9GKA8KKlFHdAmxuNcH0TzRndpo6bu5nKyJHiREIazHVuPBEzUmHtcWETCDs9UVsbji2Z2ozqLz9cqnfYV/kOD+OZBAqvZ0n/4lgdSiBtvByLCXoWEYIGRs=