Commit 1e0d21a6 authored by Jan Kadlec

Do not needlessly create NSEC3 hashes when signing DDNS.

- The hashes are still created twice; that is being resolved in the 'chain-fix' branch, which is material for 1.4.1.
- Zone finalization got a new parameter that selects whether nodes are linked to their NSEC3 nodes.
parent 3c895412
......@@ -1169,6 +1169,18 @@ static int zones_process_update_auth(knot_zone_t *zone,
zones_free_merged_changesets(chgsets, sec_chs);
return ret;
}
} else {
// Set NSEC3 nodes if no new signatures were created
ret = knot_zone_contents_adjust_nsec3_pointers(new_contents);
if (ret != KNOT_EOK) {
zones_store_changesets_rollback(transaction);
zones_free_merged_changesets(chgsets, sec_chs);
xfrin_rollback_update(zone->contents, &new_contents,
chgsets->changes);
knot_changesets_free(&chgsets);
free(msg);
return KNOT_ENOMEM;
}
}
dbg_zones_verb("%s: DNSSEC changes applied\n", msg);
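Review bot: The new else branch returns `KNOT_ENOMEM` whenever `knot_zone_contents_adjust_nsec3_pointers()` fails, so the real error code held in `ret` never reaches the caller or any log that reports the return value. Return the callee's code instead: `return ret;`. zones_process_update_auth starts and ends outside the hunk, so whether the rollback sequence here matches the other error paths of the function could only be compared with the few lines visible above it.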
......
......@@ -612,8 +612,8 @@ knot_zone_t *knot_zload_load(zloader_t *loader)
knot_node_t *first_nsec3_node = NULL;
knot_node_t *last_nsec3_node = NULL;
rrset_list_delete(&c->node_rrsigs);
int kret = knot_zone_contents_adjust(c->current_zone, &first_nsec3_node,
&last_nsec3_node, 0);
int kret = knot_zone_contents_adjust_full(c->current_zone, &first_nsec3_node,
&last_nsec3_node);
if (kret != KNOT_EOK) {
log_zone_error("Failed to finalize zone contents: %s\n",
knot_strerror(kret));
......
......@@ -3985,7 +3985,7 @@ int knot_ns_process_axfrin(knot_nameserver_t *nameserver, knot_ns_xfr_t *xfr)
knot_zone_serial(zone));
dbg_ns_verb("ns_process_axfrin: adjusting zone.\n");
int rc = knot_zone_contents_adjust(zone, NULL, NULL, 0);
int rc = knot_zone_contents_adjust_full(zone, NULL, NULL);
if (rc != KNOT_EOK) {
return rc;
}
......@@ -4198,7 +4198,7 @@ int knot_ns_process_update(const knot_packet_t *query,
// 3) Finalize zone
dbg_ns_verb("Finalizing updated zone...\n");
ret = xfrin_finalize_updated_zone(contents_copy, chgs->changes);
ret = xfrin_finalize_updated_zone(contents_copy, chgs->changes, false);
if (ret != KNOT_EOK) {
dbg_ns("Failed to finalize updated zone: %s\n",
knot_strerror(ret));
......
......@@ -2610,7 +2610,7 @@ int xfrin_prepare_zone_copy(knot_zone_contents_t *old_contents,
/*----------------------------------------------------------------------------*/
int xfrin_finalize_updated_zone(knot_zone_contents_t *contents_copy,
knot_changes_t *changes)
knot_changes_t *changes, bool set_nsec3)
{
if (contents_copy == NULL || changes == NULL) {
return KNOT_EINVAL;
......@@ -2637,7 +2637,11 @@ int xfrin_finalize_updated_zone(knot_zone_contents_t *contents_copy,
}
dbg_xfrin("Adjusting zone contents.\n");
ret = knot_zone_contents_adjust(contents_copy, NULL, NULL, 1);
if (set_nsec3) {
ret = knot_zone_contents_adjust_full(contents_copy, NULL, NULL);
} else {
ret = knot_zone_contents_adjust_pointers(contents_copy);
}
if (ret != KNOT_EOK) {
dbg_xfrin("Failed to finalize zone contents: %s\n",
knot_strerror(ret));
......@@ -2701,7 +2705,7 @@ int xfrin_apply_changesets(knot_zone_t *zone,
*/
dbg_xfrin_verb("Finalizing updated zone...\n");
ret = xfrin_finalize_updated_zone(contents_copy, chsets->changes);
ret = xfrin_finalize_updated_zone(contents_copy, chsets->changes, true);
if (ret != KNOT_EOK) {
dbg_xfrin("Failed to finalize updated zone: %s\n",
knot_strerror(ret));
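Review bot: The new `set_nsec3` parameter of `xfrin_finalize_updated_zone()` is undocumented in the visible hunks, and with `false` the function takes the `knot_zone_contents_adjust_pointers()` path instead of the full adjustment. Presumably the caller is then expected to complete the NSEC3 linking itself before the zone is served; a comment at the branch would make that contract explicit, e.g. `/* set_nsec3 == false: caller must finish NSEC3 adjustment before the zone is served */`. The prototype's doc block in the header should gain a matching `\param set_nsec3` line. The function body starts and ends outside these hunks, so an existing comment elsewhere may already cover part of this.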
......
......@@ -188,7 +188,7 @@ int xfrin_prepare_zone_copy(knot_zone_contents_t *old_contents,
knot_zone_contents_t **new_contents);
int xfrin_finalize_updated_zone(knot_zone_contents_t *contents_copy,
knot_changes_t *changes);
knot_changes_t *changes, bool set_nsec3);
int xfrin_switch_zone(knot_zone_t *zone,
knot_zone_contents_t *new_contents,
......
......@@ -155,25 +155,10 @@ static int knot_zone_contents_nsec3_name(const knot_zone_contents_t *zone,
/*----------------------------------------------------------------------------*/
/*!
* \brief Adjust normal (non NSEC3) node.
*
* Set:
* - reusable DNAMEs in RDATA
* - pointer to node stored in owner dname
* - pointer to wildcard childs in parent nodes if applicable
* - flags (delegation point, non-authoritative)
* - pointer to previous node
*
* \param tnode Zone node to adjust.
* \param data Adjusting parameters (knot_zone_adjust_arg_t *).
*/
static int knot_zone_contents_adjust_normal_node(knot_node_t **tnode,
void *data)
static int adjust_pointers(knot_node_t **tnode, void *data)
{
assert(data != NULL);
assert(tnode != NULL);
knot_zone_adjust_arg_t *args = (knot_zone_adjust_arg_t *)data;
knot_node_t *node = *tnode;
......@@ -214,6 +199,15 @@ static int knot_zone_contents_adjust_normal_node(knot_node_t **tnode,
args->previous_node = node;
}
return KNOT_EOK;
}
static int adjust_nsec3_pointers(knot_node_t **tnode, void *data)
{
assert(data != NULL);
assert(tnode != NULL);
knot_zone_adjust_arg_t *args = (knot_zone_adjust_arg_t *)data;
knot_node_t *node = *tnode;
// Connect to NSEC3 node (only if NSEC3 tree is not empty)
knot_node_t *nsec3 = NULL;
knot_dname_t *nsec3_name = NULL;
......@@ -230,10 +224,36 @@ static int knot_zone_contents_adjust_normal_node(knot_node_t **tnode,
}
knot_dname_free(&nsec3_name);
return ret;
}
/*!
* \brief Adjust normal (non NSEC3) node.
*
* Set:
* - pointer to wildcard childs in parent nodes if applicable
* - flags (delegation point, non-authoritative)
* - pointer to previous node
* - parent pointers
*
* \param tnode Zone node to adjust.
* \param data Adjusting parameters (knot_zone_adjust_arg_t *).
*/
static int knot_zone_contents_adjust_normal_node(knot_node_t **tnode,
void *data)
{
assert(data != NULL);
assert(tnode != NULL && *tnode);
// Do cheap operations first
int ret = adjust_pointers(tnode, data);
if (ret != KNOT_EOK) {
return ret;
}
// Connect nodes to their NSEC3 nodes
return adjust_nsec3_pointers(tnode, data);
}
/*----------------------------------------------------------------------------*/
/*!
......@@ -1275,9 +1295,55 @@ static int knot_zone_contents_adjust_nodes(knot_zone_tree_t *nodes,
/*----------------------------------------------------------------------------*/
int knot_zone_contents_adjust(knot_zone_contents_t *zone,
knot_node_t **first_nsec3_node,
knot_node_t **last_nsec3_node, int dupl_check)
int knot_zone_contents_adjust_pointers(knot_zone_contents_t *contents)
{
// adjusting parameters
knot_zone_adjust_arg_t adjust_arg = { .first_node = NULL,
.previous_node = NULL,
.zone = contents };
int ret = knot_zone_contents_adjust_nodes(contents->nodes, &adjust_arg,
adjust_pointers);
if (ret != KNOT_EOK) {
return ret;
}
return knot_zone_contents_adjust_nsec3_pointers(contents);
}
/*----------------------------------------------------------------------------*/
int knot_zone_contents_adjust_nsec3_pointers(knot_zone_contents_t *contents)
{
if (contents->nsec3_nodes == NULL) {
return KNOT_EOK;
}
// adjusting parameters
knot_zone_adjust_arg_t adjust_arg = { .first_node = NULL,
.previous_node = NULL,
.zone = contents };
return knot_zone_contents_adjust_nodes(contents->nodes, &adjust_arg,
adjust_nsec3_pointers);
}
/*----------------------------------------------------------------------------*/
int knot_zone_contents_adjust_nsec3_tree(knot_zone_contents_t *contents)
{
if (contents->nsec3_nodes == NULL) {
return KNOT_EOK;
}
// adjusting parameters
knot_zone_adjust_arg_t adjust_arg = { .first_node = NULL,
.previous_node = NULL,
.zone = contents };
return knot_zone_contents_adjust_nodes(contents->nodes, &adjust_arg,
knot_zone_contents_adjust_nsec3_node);
}
/*----------------------------------------------------------------------------*/
int knot_zone_contents_adjust_full(knot_zone_contents_t *zone,
knot_node_t **first_nsec3_node,
knot_node_t **last_nsec3_node)
{
if (zone == NULL) {
return KNOT_EINVAL;
......@@ -1451,22 +1517,6 @@ int knot_zone_contents_nsec3_apply_inorder_reverse(knot_zone_contents_t *zone,
/*----------------------------------------------------------------------------*/
knot_zone_tree_t *knot_zone_contents_get_nodes(
knot_zone_contents_t *contents)
{
return contents->nodes;
}
/*----------------------------------------------------------------------------*/
knot_zone_tree_t *knot_zone_contents_get_nsec3_nodes(
knot_zone_contents_t *contents)
{
return contents->nsec3_nodes;
}
/*----------------------------------------------------------------------------*/
int knot_zone_contents_shallow_copy(const knot_zone_contents_t *from,
knot_zone_contents_t **to)
{
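Review bot: `knot_zone_contents_adjust_nsec3_tree()` guards on `contents->nsec3_nodes` but then walks `contents->nodes` with `knot_zone_contents_adjust_nsec3_node`, which looks like a copy of the function above it; the NSEC3 callback would then run over the normal tree and the NSEC3 tree would never be adjusted. If that is not intended, the call should be `knot_zone_contents_adjust_nodes(contents->nsec3_nodes, &adjust_arg, knot_zone_contents_adjust_nsec3_node);`. The three new public functions also dereference `contents` with no NULL check, while `knot_zone_contents_adjust_full()` returns `KNOT_EINVAL` for a NULL zone; `if (contents == NULL) return KNOT_EINVAL;` at the top of each would keep them consistent. The body of knot_zone_contents_adjust_full continues outside the hunk, so whether it calls the tree variant is not visible here.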
......
......@@ -328,19 +328,33 @@ knot_node_t *knot_zone_contents_get_apex(
const knot_zone_contents_t *contents);
/*!
* \brief Optimizes zone by replacing domain names in RDATA with references to
* domain names present in zone (as node owners).
* \brief Sets parent and previous pointers and node flags. (cheap operation)
*/
int knot_zone_contents_adjust_pointers(knot_zone_contents_t *contents);
/*!
* \brief Sets NSEC3 nodes for normal nodes. (costly operation)
*/
int knot_zone_contents_adjust_nsec3_pointers(knot_zone_contents_t *);
/*!
* \brief Sets parent and previous pointers and node flags. (cheap operation)
*/
int knot_zone_contents_adjust_nsec3_tree(knot_zone_contents_t *);
/*!
* \brief Sets parent and previous pointers, sets node flags and NSEC3 links.
* This has to be called before the zone can be served.
*
* \param first_nsec3_node First node in NSEC3 tree - needed in sem. checks.
* Will not be saved if set to NULL.
* \param last_nsec3_node Last node in NSEC3 tree - needed in sem. checks.
* Will not be saved if set to NULL.
* \param zone Zone to adjust domain names in.
*/
int knot_zone_contents_adjust(knot_zone_contents_t *contents,
knot_node_t **first_nsec3_node,
knot_node_t **last_nsec3_node, int dupl_check);
int knot_zone_contents_check_loops(knot_zone_contents_t *zone);
int knot_zone_contents_adjust_full(knot_zone_contents_t *contents,
knot_node_t **first_nsec3_node,
knot_node_t **last_nsec3_node);
/*!
* \brief Parses the NSEC3PARAM record stored in the zone.
......@@ -462,12 +476,6 @@ int knot_zone_contents_nsec3_apply_inorder_reverse(knot_zone_contents_t *zone,
knot_zone_contents_apply_cb_t function,
void *data);
knot_zone_tree_t *knot_zone_contents_get_nodes(
knot_zone_contents_t *contents);
knot_zone_tree_t *knot_zone_contents_get_nsec3_nodes(
knot_zone_contents_t *contents);
/*!
* \brief Creates a shallow copy of the zone (no stored data are copied).
*
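Review bot: The doc comment added for `knot_zone_contents_adjust_nsec3_tree()` repeats the text of `knot_zone_contents_adjust_pointers()` word for word, so the header does not say what the NSEC3-tree variant does; something like `\brief Adjusts the nodes of the NSEC3 tree.` would tell them apart (wording to be confirmed against the implementation). The `adjust_pointers` comment calls it a cheap operation, yet the implementation in this commit ends by calling `knot_zone_contents_adjust_nsec3_pointers()`, which this header labels costly; one of the two comments should say so. In the `knot_zone_contents_adjust_full()` block, `\param zone` no longer matches the parameter name `contents`, and the two new prototypes with unnamed parameters would read better as `knot_zone_contents_t *contents`.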
......