From 3a764efd5899360cd359e6b90460978e573b3cc1 Mon Sep 17 00:00:00 2001
From: d-wibowo
Date: Fri, 28 Jun 2024 15:01:20 +0700
Subject: [PATCH] auth: provide dns packet when doing lookup for presigned signatures
---
 pdns/dbdnsseckeeper.cc | 4 ++--
 pdns/dnssecinfra.hh | 3 ++-
 pdns/dnsseckeeper.hh | 4 ++--
 pdns/dnssecsigner.cc | 10 +++++-----
 pdns/packethandler.cc | 2 +-
 5 files changed, 12 insertions(+), 11 deletions(-)
diff --git a/pdns/dbdnsseckeeper.cc b/pdns/dbdnsseckeeper.cc
index 717b00bda2f6..c1be9d3a828b 100644
--- a/pdns/dbdnsseckeeper.cc
+++ b/pdns/dbdnsseckeeper.cc
@@ -630,7 +630,7 @@ bool DNSSECKeeper::checkKeys(const DNSName& zone, std::optional& rrs, uint32_t signTTL)
+void DNSSECKeeper::getPreRRSIGs(UeberBackend& db, vector& rrs, uint32_t signTTL, DNSPacket* p)
 {
 if(rrs.empty()) {
 return;
@@ -640,7 +640,7 @@ void DNSSECKeeper::getPreRRSIGs(UeberBackend& db, vector& rrs, ui
 DNSZoneRecord dzr;
- db.lookup(QType(QType::RRSIG), !rr.wildcardname.empty() ? rr.wildcardname : rr.dr.d_name, rr.domain_id);
+ db.lookup(QType(QType::RRSIG), !rr.wildcardname.empty() ? rr.wildcardname : rr.dr.d_name, rr.domain_id, p);
 while(db.get(dzr)) {
 auto rrsig = getRR(dzr.dr);
 if (rrsig->d_type == rr.dr.d_type) {
diff --git a/pdns/dnssecinfra.hh b/pdns/dnssecinfra.hh
index 9614ee1373d0..fc3c9eb939ff 100644
--- a/pdns/dnssecinfra.hh
+++ b/pdns/dnssecinfra.hh
@@ -21,6 +21,7 @@
 */
 #pragma once
 #include "dnsrecords.hh"
+#include "dnspacket.hh"
 #include
 #include
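Review bot: The new `DNSPacket* p` parameter on `DNSSECKeeper::getPreRRSIGs` is forwarded straight into `db.lookup(...)` in the @@ -640 hunk but is documented nowhere, and neither header declaration says when it may be null. A comment on the definition would tell callers what they are handing over, e.g. `// p: the packet this lookup is answering, passed through to the backend's lookup(); nullptr when the caller has no packet context (the header default)`. The original call passed no packet at all, so the nullptr path is presumably the pre-existing behaviour, but whether every backend accepts a null packet on this RRSIG lookup is not visible in this diff. The body of getPreRRSIGs continues outside the hunk.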
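Review bot: `#include "dnspacket.hh"` is heavier than this header needs: both new uses of the type (`DNSPacket* p=nullptr` on `addRRSigs` in this file and on `getPreRRSIGs` in dnsseckeeper.hh) are pointer parameters, for which a forward declaration suffices. The commit goes the other way, removing the existing `class DNSPacket;` from dnsseckeeper.hh (its @@ -303 hunk) and adding the full include to both headers in the @@ -21 and @@ -31 hunks; moving that forward declaration above the `DNSSECKeeper` class and adding `class DNSPacket;` here would leave both headers' include footprint unchanged. If dnspacket.hh itself includes either of these headers, the new includes also form a cycle that only resolves through include-guard ordering, which is worth checking before this lands.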
@@ -291,7 +292,7 @@ string hashQNameWithSalt(const std::string& salt, unsigned int iterations, const
 void incrementHash(std::string& raw);
 void decrementHash(std::string& raw);
-void addRRSigs(DNSSECKeeper& dk, UeberBackend& db, const std::set& authMap, vector& rrs);
+void addRRSigs(DNSSECKeeper& dk, UeberBackend& db, const std::set& authMap, vector& rrs, DNSPacket* p=nullptr);
 void addTSIG(DNSPacketWriter& pw, TSIGRecordContent& trc, const DNSName& tsigkeyname, const string& tsigsecret, const string& tsigprevious, bool timersonly);
 bool validateTSIG(const std::string& packet, size_t sigPos, const TSIGTriplet& tt, const TSIGRecordContent& trc, const std::string& previousMAC, const std::string& theirMAC, bool timersOnly, unsigned int dnsHeaderOffset=0);
diff --git a/pdns/dnsseckeeper.hh b/pdns/dnsseckeeper.hh
index 50e81bbb1522..04727305ee74 100644
--- a/pdns/dnsseckeeper.hh
+++ b/pdns/dnsseckeeper.hh
@@ -31,6 +31,7 @@
 #include
 #include "dnssecinfra.hh"
 #include "dnsrecords.hh"
+#include "dnspacket.hh"
 #include "ueberbackend.hh"
 #include "lock.hh"
@@ -208,7 +209,7 @@ public:
 bool checkNSEC3PARAM(const NSEC3PARAMRecordContent& ns3p, string& msg);
 bool setNSEC3PARAM(const DNSName& zname, const NSEC3PARAMRecordContent& n3p, const bool& narrow=false);
 bool unsetNSEC3PARAM(const DNSName& zname);
- void getPreRRSIGs(UeberBackend& db, vector& rrs, uint32_t signTTL);
+ void getPreRRSIGs(UeberBackend& db, vector& rrs, uint32_t signTTL, DNSPacket* p=nullptr);
 bool isPresigned(const DNSName& zname, bool useCache=true);
 bool setPresigned(const DNSName& zname);
 bool unsetPresigned(const DNSName& zname);
@@ -303,7 +304,6 @@ private:
 static size_t s_maxEntries;
 };
-class DNSPacket;
 uint32_t localtime_format_YYYYMMDDSS(time_t t, uint32_t seq); // for SOA-EDIT
 uint32_t calculateEditSOA(uint32_t old_serial, DNSSECKeeper& dk, const DNSName& zonename);
diff --git a/pdns/dnssecsigner.cc b/pdns/dnssecsigner.cc
index e7fd007ffc05..36ce97e67444 100644
--- a/pdns/dnssecsigner.cc
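Review bot: Defaulting `DNSPacket* p=nullptr` on `addRRSigs` (and on `getPreRRSIGs` in the @@ -208 hunk of dnsseckeeper.hh) means any call site the commit does not touch keeps doing the presigned-RRSIG lookup without packet context, silently, while `packethandler.cc` is the only caller updated here. If the intent is that the RRSIG lookup sees the same packet as the record lookup it signs, a defaulted parameter hides the remaining callers; declaring it as `DNSPacket* p` with no default would make each one an explicit decision, with callers that genuinely have no packet passing `nullptr`. Whether other callers of either function exist is not visible in this diff.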
+++ b/pdns/dnssecsigner.cc
@@ -145,7 +145,7 @@ static int getRRSIGsForRRSET(DNSSECKeeper& dk, const DNSName& signer, const DNSN
 // this is the entrypoint from DNSPacket
 static void addSignature(DNSSECKeeper& dk, UeberBackend& db, const DNSName& signer, const DNSName& signQName, const DNSName& wildcardname, uint16_t signQType, uint32_t signTTL, DNSResourceRecord::Place signPlace,
- sortedRecords_t& toSign, vector& outsigned, uint32_t origTTL)
+ sortedRecords_t& toSign, vector& outsigned, uint32_t origTTL, DNSPacket* p)
 {
 //cerr<<"Asked to sign '"< rrcs;
 if(dk.isPresigned(signer)) {
 //cerr<<"Doing presignatures"<& authSet, const DNSName& name,
 return false;
 }
-void addRRSigs(DNSSECKeeper& dk, UeberBackend& db, const set& authSet, vector& rrs)
+void addRRSigs(DNSSECKeeper& dk, UeberBackend& db, const set& authSet, vector& rrs, DNSPacket* p)
 {
 stable_sort(rrs.begin(), rrs.end(), rrsigncomp);
@@ -222,7 +222,7 @@ void addRRSigs(DNSSECKeeper& dk, UeberBackend& db, const set& authSet,
 for(auto pos = rrs.cbegin(); pos != rrs.cend(); ++pos) {
 if(pos != rrs.cbegin() && (signQType != pos->dr.d_type || signQName != pos->dr.d_name)) {
 if (getBestAuthFromSet(authSet, authQName, signer))
- addSignature(dk, db, signer, signQName, wildcardQName, signQType, signTTL, signPlace, toSign, signedRecords, origTTL);
+ addSignature(dk, db, signer, signQName, wildcardQName, signQType, signTTL, signPlace, toSign, signedRecords, origTTL, p);
 }
 signedRecords.push_back(*pos);
 signQName = pos->dr.d_name.makeLowerCase();
@@ -248,6 +248,6 @@ void addRRSigs(DNSSECKeeper& dk, UeberBackend& db, const set& authSet,
 }
 }
 if (getBestAuthFromSet(authSet, authQName, signer))
- addSignature(dk, db, signer, signQName, wildcardQName, signQType, signTTL, signPlace, toSign, signedRecords, origTTL);
+ addSignature(dk, db, signer, signQName, wildcardQName, signQType, signTTL, signPlace, toSign, signedRecords, origTTL, p);
 rrs.swap(signedRecords);
 }
diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index 5c4a97e34aa9..087834afed65 100644
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -1817,7 +1817,7 @@ std::unique_ptr PacketHandler::doQuestion(DNSPacket& p)
 }
 }
 if(doSigs)
- addRRSigs(d_dk, B, authSet, r->getRRS());
+ addRRSigs(d_dk, B, authSet, r->getRRS(), &p);
 if(PC.enabled() && !noCache && p.couldBeCached())
 PC.insert(p, *r, r->getMinTTL()); // in the packet cache