Changeset 1926

Timestamp:

01/28/11 12:09:22 (2 years ago)

Author:

ahu

Message:

Jan-Piet Mens discovered that we did not correctly fill out the 'auth' field on incoming zonetransfers for non-secured zones, even though
this is necessary for *all* zones.

Files:

• trunk/pdns/pdns/slavecommunicator.cc (modified) (3 diffs)

trunk/pdns/pdns/slavecommunicator.cc

@@ -82 +82 @@
       dnssecZone=true;
       haveNSEC3=dk.getNSEC3PARAM(domain, &ns3pr, &narrow);
-      string hashed;
+    } 
+   
+    if(dnssecZone) {
       if(!haveNSEC3) 
-        cerr<<"Adding NSEC ordering information"<<endl;
-      else if(!narrow)
-        cerr<<"Adding NSEC3 hashed ordering information for '"<<domain<<"'"<<endl;
-      else 
-        cerr<<"Erasing NSEC3 ordering since we are narrow, only setting 'auth' fields"<<endl;
-    }
+                                L<<Logger::Info<<"Adding NSEC ordering information"<<endl;
+                        else if(!narrow)
+        L<<Logger::Info<<"Adding NSEC3 hashed ordering information for '"<<domain<<"'"<<endl;
+                        else 
+        L<<Logger::Info<<"Erasing NSEC3 ordering since we are narrow, only setting 'auth' fields"<<endl;
+                }    
 
     if(!B->getDomainInfo(domain, di) || !di.backend) {
@@ -111 +113 @@
           continue;
         }
-        if(dnssecZone) {
-          if(i->qtype.getCode() == QType::NS && !pdns_iequals(i->qname, domain)) 
-            nsset.insert(i->qname);
-          qnames.insert(i->qname);
-        }  
+        
+        if(i->qtype.getCode() == QType::NS && !pdns_iequals(i->qname, domain)) 
+          nsset.insert(i->qname);
+        qnames.insert(i->qname);
+          
         i->domain_id=domain_id;
         if(i->qtype.getCode()>=1024)
@@ -123 +125 @@
       }
     }
-    if(dnssecZone) {
-      string hashed;
-      BOOST_FOREACH(const string& qname, qnames)
-      {
-        string shorter(qname);
-        bool auth=true;
-        do {
-          if(nsset.count(shorter)) {  
-            auth=false;
-            break;
-          }
-        }while(chopOff(shorter));
+    
+    string hashed;
+    BOOST_FOREACH(const string& qname, qnames)
+    {
+      string shorter(qname);
+      bool auth=true;
+      do {
+        if(nsset.count(shorter)) {  
+          auth=false;
+          break;
+        }
+      }while(chopOff(shorter));
       
-        if(!haveNSEC3) // NSEC
-          di.backend->updateDNSSECOrderAndAuth(domain_id, domain, qname, auth);
-        else {
-          if(!narrow) {
-            hashed=toLower(toBase32Hex(hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, qname)));
-            cerr<<"'"<<qname<<"' -> '"<< hashed <<"'"<<endl;
-          }
-          di.backend->updateDNSSECOrderAndAuthAbsolute(domain_id, qname, hashed, auth);
+      if(dnssecZone && !haveNSEC3) // NSEC
+        di.backend->updateDNSSECOrderAndAuth(domain_id, domain, qname, auth);
+      else {
+        if(dnssecZone && !narrow) { 
+          hashed=toLower(toBase32Hex(hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, qname)));
         }
+        di.backend->updateDNSSECOrderAndAuthAbsolute(domain_id, qname, hashed, auth); // this should always be done
       }
     }
-    
+        
     di.backend->commitTransaction();
     di.backend->setFresh(domain_id);