From 77a00c141f6734938a32d34a8018a70ba93e7807 Mon Sep 17 00:00:00 2001
From: Jan Kadlec <jan.kadlec@nic.cz>
Date: Thu, 5 Dec 2013 15:41:50 +0100
Subject: [PATCH] DNSSEC/chain fix - do not fix NSEC for non-auth nodes.

---
 src/libknot/dnssec/zone-nsec.c | 17 ++++++++++++-----
 src/libknot/dnssec/zone-sign.c |  3 ++-
 2 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/src/libknot/dnssec/zone-nsec.c b/src/libknot/dnssec/zone-nsec.c
index 1454ed6992..5a02c0a3b1 100644
--- a/src/libknot/dnssec/zone-nsec.c
+++ b/src/libknot/dnssec/zone-nsec.c
@@ -1016,6 +1016,10 @@ static int update_nsec(const knot_node_t *from, const knot_node_t *to,
                        bool is_apex)
 {
 	assert(from && to && out_ch);
+	if (knot_node_is_non_auth(from) || knot_node_is_non_auth(to)) {
+		printf("FIX TODO do not call this function with non auth nodes\n");
+		return KNOT_EOK;
+	}
 	const knot_rrset_t *nsec_rrset = knot_node_rrset(from,
 	                                                 KNOT_RRTYPE_NSEC);
 	// Create new NSEC
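Review bot: The new guard at the top of update_nsec returns KNOT_EOK after a bare printf, so a caller that passes a non-authoritative node is told the update succeeded while the NSEC chain is left untouched, and the only trace is a line on stdout. Since the message itself says callers should not do this, the filtering belongs in the caller (fix_nsec_chain); failing that, the skip should be reported through the debug macro this function already uses, e.g. `dbg_dnssec_detail("update_nsec: skipping non-auth node\n");`. The same applies to the `printf("FIX removing1 ...")` and `printf("FIX removing2 ...")` lines added in the next two hunks, which write unconditionally to stdout from library code on the signing path. The guard also runs after `assert(from && to && out_ch)`, which is compiled out under NDEBUG, so in a release build a NULL `to` would reach knot_node_is_non_auth(); whether that helper tolerates NULL is not visible here. update_nsec's body continues outside the hunk.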
@@ -1038,6 +1042,7 @@ static int update_nsec(const knot_node_t *from, const knot_node_t *to,
 			dbg_dnssec_detail("Creating new NSEC for %s\n",
 			                  knot_dname_to_str(new_nsec->owner));
 			// Drop old
+			printf("FIX removing1 %s\n", knot_dname_to_str(nsec_rrset->owner));
 			int ret = changeset_remove_nsec(nsec_rrset,
 			                                out_ch);
 			if (ret != KNOT_EOK) {
@@ -1066,6 +1071,7 @@ static int update_nsec(const knot_node_t *from, const knot_node_t *to,
 		}
 	} else {
 		// Drop old, no longer needed
+		printf("FIX removing2 %s\n", knot_dname_to_str(nsec_rrset->owner));
 		int ret = changeset_remove_nsec(nsec_rrset,
 		                                out_ch);
 		if (ret != KNOT_EOK) {
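Review bot: The added printf in the else branch dereferences `nsec_rrset->owner` before changeset_remove_nsec() is called, and nsec_rrset is whatever knot_node_rrset(from, KNOT_RRTYPE_NSEC) returned at the top of the function. If nothing outside this hunk guarantees it is non-NULL on this path, a node that carries no NSEC record would now fault on the debug line, where before the pointer was only handed on (whether changeset_remove_nsec accepts NULL is not visible here). Guard the access, e.g. `if (nsec_rrset) { dbg_dnssec_detail("Removing NSEC %s\n", knot_dname_to_str(nsec_rrset->owner)); }`. The branch condition and the rest of the else body are outside the hunk.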
@@ -1142,14 +1148,14 @@ static int fix_nsec_chain(knot_dname_t *a, knot_dname_t *b, void *d)
 	bool dname_equal =
 		a ? knot_dname_is_equal(prev_zone_node->owner, a) : false;
 	if (dname_equal && !node_deleted) {
-		printf("FIX v changesetu: %s %s\n", knot_dname_to_str(a),
+		printf("FIX OP: changeset: %s %s\n", knot_dname_to_str(a),
 		       knot_dname_to_str(b));
 		return update_nsec(a_node, b_node, fix_data->out_ch, 3600,
 		                   prev_zone_node == fix_data->zone->apex);
 	} else {
 		if (fix_data->next_dname &&
 		    !knot_dname_is_equal(fix_data->next_dname, b) && !node_deleted) {
-			printf("FIX next %s next = %s\n", a ? knot_dname_to_str(a) : knot_dname_to_str(b), knot_dname_to_str(fix_data->next_dname));
+			printf("FIX OP: next %s next = %s\n", a ? knot_dname_to_str(a) : knot_dname_to_str(b), knot_dname_to_str(fix_data->next_dname));
 			int ret = update_nsec(a ? a_node : b_node,
 			                      knot_zone_contents_find_node(fix_data->zone,
 			                                                   fix_data->next_dname),
@@ -1165,10 +1171,11 @@ static int fix_nsec_chain(knot_dname_t *a, knot_dname_t *b, void *d)
 		fix_data->next_dname = knot_rdata_nsec_next(nsec_rrset);
 		printf("FIX next_dname storing %s\n", knot_dname_to_str(fix_data->next_dname));
 		// Fix NSEC
-		printf("FIX zona %s %s\n",
+		const knot_node_t *next_node = node_deleted ? knot_zone_contents_find_node(fix_data->zone, knot_rdata_nsec_next(old_nsec)) : b_node;
+		printf("FIX OP: zone %s %s\n",
 		       knot_dname_to_str(prev_zone_node->owner),
-		       knot_dname_to_str(b));
-		return update_nsec(prev_zone_node, node_deleted ? knot_zone_contents_find_node(fix_data->zone, knot_rdata_nsec_next(old_nsec)) : b_node, fix_data->out_ch,
+		       knot_dname_to_str(next_node->owner));
+		return update_nsec(prev_zone_node, next_node, fix_data->out_ch,
 		                   3600, prev_zone_node == fix_data->zone->apex);
 	}
 
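Review bot: `next_node` may be NULL when node_deleted is true and knot_zone_contents_find_node() does not find the name taken from the old NSEC (presumably it returns NULL on a miss), and the rewritten printf now reads `next_node->owner` before update_nsec() is reached. The old code printed `b` and left a NULL to update_nsec's assert, which is itself compiled out under NDEBUG, so neither version rejects the case in a release build. Add a check right after the lookup, e.g. `if (next_node == NULL) { return KNOT_EINVAL; }` (or whichever error code this file uses for a missing node), so an inconsistent chain becomes an error return instead of a crash in the signer. fix_nsec_chain starts outside the hunk.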
diff --git a/src/libknot/dnssec/zone-sign.c b/src/libknot/dnssec/zone-sign.c
index 7470b3216a..6bb778fe87 100644
--- a/src/libknot/dnssec/zone-sign.c
+++ b/src/libknot/dnssec/zone-sign.c
@@ -1081,7 +1081,8 @@ static int sign_changeset_wrap(knot_rrset_t *chg_rrset, void *data)
 		} else {
 			/*!
 			 * RRSet dropped from zone using update, or should not
-			 * be signed, but it could create a new node
+			 * be signed, but it could create a new node, so we
+			 * have to mark the change.
 			 */
 			rr_already_signed(chg_rrset, args->signed_tree);
 		}
-- 
GitLab