Commit 297454e3 authored by Libor Peltan's avatar Libor Peltan

dnssec: incremental sign, avoid signing glue

also, on normal sign, remove possibly existing RRSIGs on NONAUTH nodes
parent a584e59b
......@@ -480,13 +480,10 @@ static int sign_node_rrsets(const zone_node_t *node,
int result = KNOT_EOK;
knot_rrset_t rrsigs = node_rrset(node, KNOT_RRTYPE_RRSIG);
for (int i = 0; i < node->rrset_count; i++) {
for (int i = 0; result == KNOT_EOK && i < node->rrset_count; i++) {
knot_rrset_t rrset = node_rrset_at(node, i);
if (rrset.type == KNOT_RRTYPE_RRSIG) {
continue;
}
if (!knot_zone_sign_rr_should_be_signed(node, &rrset)) {
result = remove_rrset_rrsigs(rrset.owner, rrset.type, &rrsigs, changeset);
continue;
}
......@@ -497,13 +494,12 @@ static int sign_node_rrsets(const zone_node_t *node,
result = resign_rrset(&rrset, &rrsigs, sign_ctx,
changeset, expires_at);
}
if (result != KNOT_EOK) {
return result;
}
}
return remove_standalone_rrsigs(node, &rrsigs, changeset);
if (result == KNOT_EOK) {
result = remove_standalone_rrsigs(node, &rrsigs, changeset);
}
return result;
}
/*!
......@@ -539,10 +535,6 @@ static int sign_node(zone_node_t **node, void *data)
return KNOT_EOK;
}
if ((*node)->flags & NODE_FLAGS_NONAUTH) {
return KNOT_EOK;
}
if (args->rrset_index++ % args->num_threads != args->thread_index) {
return KNOT_EOK;
}
......@@ -1134,8 +1126,7 @@ bool knot_zone_sign_rr_should_be_signed(const zone_node_t *node,
return false;
}
// We do not want to sign RRSIGs
if (rrset->type == KNOT_RRTYPE_RRSIG) {
if (rrset->type == KNOT_RRTYPE_RRSIG || (node->flags & NODE_FLAGS_NONAUTH)) {
return false;
}
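Review bot: The comment at the top of the last hunk, `// We do not want to sign RRSIGs`, no longer describes the condition beneath it, which now also rejects any RRset at a node carrying NODE_FLAGS_NONAUTH; suggest `// Never sign RRSIGs themselves, nor anything at non-authoritative (glue) nodes`. The same documentation gap applies to sign_node in the third hunk: with the NONAUTH early return gone, non-authoritative nodes are now walked and each of their RRsets takes the remove_rrset_rrsigs path in the first hunk, so the function's header comment (the `/*!` block starts outside the hunk) should say that such nodes are visited only to strip RRSIGs they must not carry, which appears to be the "remove possibly existing RRSIGs on NONAUTH nodes" intent from the commit message. One thing to confirm rather than a defect: the first hunk obtains `rrsigs` with node_rrset(node, KNOT_RRTYPE_RRSIG) and hands it to remove_rrset_rrsigs even when the node has no RRSIG RRset, which for NONAUTH nodes is now the common case, so this relies on remove_rrset_rrsigs tolerating an empty rrsigs argument — something these hunks cannot show.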
......
......@@ -423,6 +423,18 @@ def do_normal_tests(master, zone, dnssec=False):
resp.check_record(section="authority", rtype="RRSIG")
verify(master, zone, dnssec)
# add AAAA to existing A glue
check_log("glue augmentation")
up = master.update(zone)
up.add("a.deleg.ddns.", 3600, "AAAA", "1::2")
up.send("NOERROR")
resp = master.dig("xy.deleg.ddns.", "A", dnssec=True)
resp.check_rr(section="authority", rname="deleg.ddns.", rtype="NS")
resp.check_rr(section="authority", rname="deleg.ddns.", rtype="RRSIG")
resp.check_rr(section="additional", rname="a.deleg.ddns.", rtype="AAAA")
resp.check_no_rr(section="additional", rname="a.deleg.ddns.", rtype="RRSIG")
verify(master, zone, dnssec)
def do_refusal_tests(master, zone, dnssec=False):
forbidden = [{'type':"RRSIG", 'data':"A 5 2 1800 20140331062706 20140317095503 132 nic.cz. rc7TwX4GnExDQBNDCdbgf0PS7zabtymSKQ0VhmbFJAcYZxN+yFF9PXAo SpsDVR5H0PIuUM4oqoe7gsKfqqpTdOuB9M6cN/Mni99u7XfKHkopDjYc qTJXKn3x2TER4WkGtG5uthuSEc9lseCr6XqAqkDnJlUa6pB2a3mEHwu/ Elk="},
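Review bot: The new test covers only the incremental path: it adds AAAA glue via a dynamic update and checks that the glue comes back without an RRSIG in the additional section, but nothing here exercises the other half of the commit, a full re-sign dropping RRSIGs that already exist on a non-authoritative node. Unless another test does that, a case that loads a zone with a pre-existing RRSIG on `a.deleg.ddns.`, performs a normal sign, and repeats `resp.check_no_rr(section="additional", rname="a.deleg.ddns.", rtype="RRSIG")` would pin that behavior as well. The dig of `xy.deleg.ddns.` is sent with `dnssec=True` independently of the `dnssec` parameter of do_normal_tests; that mirrors the `check_record(section="authority", rtype="RRSIG")` just above, so presumably this helper only runs with signing enabled here, but worth confirming. do_normal_tests's body starts outside the hunk.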
......