Commit 3238ed1f authored by Jan Kadlec's avatar Jan Kadlec

Initial partial NSEC3 adjustment commit.

parent 4ae1fb67
......@@ -31,6 +31,7 @@
#include "libknot/dname.h"
#include "libknot/dnssec/random.h"
#include "libknot/dnssec/zone-events.h"
#include "libknot/dnssec/zone-sign.h"
#include "libknot/nameserver/chaos.h"
#include "libknot/packet/response.h"
#include "libknot/rdata.h"
......@@ -1181,6 +1182,7 @@ static int zones_process_update_auth(knot_zone_t *zone,
fake_zone->contents = new_contents;
fake_zone->data = zone->data;
new_contents->zone = fake_zone;
hattrie_t *sorted_changes = NULL;
if (zone_config->dnssec_enable) {
dbg_zones_verb("%s: Signing the UPDATE\n", msg);
......@@ -1204,7 +1206,7 @@ static int zones_process_update_auth(knot_zone_t *zone,
knot_changesets_get_last(chgsets),
sec_ch, KNOT_SOA_SERIAL_KEEP,
&used_lifetime, &used_refresh,
new_serial);
new_serial, &sorted_changes);
expires_at = used_lifetime - used_refresh;
}
......@@ -1247,7 +1249,10 @@ static int zones_process_update_auth(knot_zone_t *zone,
// Set zone generation to old, else applying fails
knot_zone_contents_set_gen_old(new_contents);
ret = xfrin_apply_changesets(fake_zone, sec_chs,
&dnssec_contents, false);
&dnssec_contents, false,
sorted_changes);
knot_zone_clear_sorted_changes(sorted_changes);
hattrie_free(sorted_changes);
if (ret != KNOT_EOK) {
log_zone_error("%s: Failed to sign incoming update %s\n",
msg, knot_strerror(ret));
......@@ -2594,7 +2599,7 @@ int zones_store_and_apply_chgsets(knot_changesets_t *chs,
}
/* Now, try to apply the changesets to the zone. */
apply_ret = xfrin_apply_changesets(zone, chs, new_contents, true);
apply_ret = xfrin_apply_changesets(zone, chs, new_contents, true, NULL);
if (apply_ret != KNOT_EOK) {
log_zone_error("%s Failed to apply changesets.\n", msgpref);
......@@ -3049,7 +3054,8 @@ int zones_journal_apply(knot_zone_t *zone)
chsets->count, zd->conf->name);
knot_zone_contents_t *contents = NULL;
int apply_ret = xfrin_apply_changesets(zone, chsets,
&contents, true);
&contents, true,
NULL);
if (apply_ret != KNOT_EOK) {
log_server_error("Failed to apply changesets to"
" '%s' - Apply failed: %s\n",
......@@ -3205,7 +3211,8 @@ int zones_do_diff_and_sign(const conf_zone_t *z, knot_zone_t *zone,
/* Apply DNSSEC changeset. */
if (new_signatures) {
ret = xfrin_apply_changesets(zone, sec_chs,
&new_contents, true);
&new_contents, true,
NULL);
if (ret != KNOT_EOK) {
zones_store_changesets_rollback(transaction);
zones_free_merged_changesets(diff_chs, sec_chs);
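Review bot: In zones_process_update_auth the trie returned through `&sorted_changes` is released only on the path that reaches `xfrin_apply_changesets()`. Ownership now sits with this caller, so any early return between the signing call and the apply call would leak it; those lines fall outside the hunks shown and need checking. The two cleanup calls also run unconditionally, while `sorted_changes` starts as NULL and is only filled inside the `dnssec_enable` branch. Unless both helpers are known to accept NULL, wrap them: `if (sorted_changes) { knot_zone_clear_sorted_changes(sorted_changes); hattrie_free(sorted_changes); }`.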
......
......@@ -216,7 +216,8 @@ int knot_dnssec_sign_changeset(const knot_zone_t *zone,
knot_update_serial_t soa_up,
uint32_t *used_lifetime,
uint32_t *used_refresh,
uint32_t new_serial)
uint32_t new_serial,
hattrie_t **sorted_changes)
{
if (!used_lifetime || !used_refresh) {
return KNOT_EINVAL;
......@@ -250,8 +251,7 @@ int knot_dnssec_sign_changeset(const knot_zone_t *zone,
}
// Sign added and removed RRSets in changeset
hattrie_t *sorted_changes = NULL;
ret = knot_zone_sign_changeset(zone, in_ch, out_ch, &sorted_changes,
ret = knot_zone_sign_changeset(zone, in_ch, out_ch, sorted_changes,
&zone_keys, &policy);
if (ret != KNOT_EOK) {
log_zone_error("%s Failed to sign changeset (%s)\n", msgpref,
......@@ -264,8 +264,6 @@ int knot_dnssec_sign_changeset(const knot_zone_t *zone,
// Fix NSEC(3) chain
ret = knot_zone_fix_chain(zone->contents,
sorted_changes, out_ch, &zone_keys, &policy);
knot_zone_clear_sorted_changes(sorted_changes);
hattrie_free(sorted_changes);
if (ret != KNOT_EOK) {
log_zone_error("%s Failed to fix NSEC(3) chain (%s)\n",
msgpref, knot_strerror(ret));
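Review bot: With `sorted_changes` now a `hattrie_t **` parameter, the unchanged call `knot_zone_fix_chain(zone->contents, sorted_changes, ...)` in the last hunk still passes it as-is. The chain fixer therefore receives the address of the caller's pointer instead of the trie, unless its prototype was changed somewhere not shown on this page. It most likely should read `knot_zone_fix_chain(zone->contents, *sorted_changes, out_ch, &zone_keys, &policy);`. The entry guard should also cover the new out-parameter, `if (!used_lifetime || !used_refresh || !sorted_changes)`, because knot_zone_sign_changeset now writes through it. The function body starts and ends outside the hunks.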
......
......@@ -62,12 +62,13 @@ int knot_dnssec_zone_sign_force(knot_zone_t *zone, knot_changeset_t *out_ch,
/*!
* \brief Sign changeset created by DDNS or zone-diff.
*
* \param zone Updated zone (AFTER DDNS has been applied to it).
* \param in_ch Changeset created bvy DDNS or zone-diff
* \param out_ch New records will be added to this changeset.
* \param soa_up SOA serial update policy.
* \param used_lifetime Pointer to sig lifetime used to sign the changeset.
* \param used_refresh Pointer to refresh period used to sign the changeset.
* \param zone Updated zone (AFTER DDNS has been applied to it).
* \param in_ch Changeset created bvy DDNS or zone-diff
* \param out_ch New records will be added to this changeset.
* \param soa_up SOA serial update policy.
* \param used_lifetime Pointer to sig lifetime used to sign the changeset.
* \param used_refresh Pointer to refresh period used to sign the changeset.
* \param sorted_changes Info about made changes, used for partial adjustment.
*
* \return Error code, KNOT_EOK if successful.
*/
......@@ -76,7 +77,8 @@ int knot_dnssec_sign_changeset(const knot_zone_t *zone,
knot_changeset_t *out_ch,
knot_update_serial_t soa_up,
uint32_t *used_lifetime,
uint32_t *used_refresh, uint32_t new_serial);
uint32_t *used_refresh, uint32_t new_serial,
hattrie_t **sorted_changes);
#endif // _KNOT_DNSSEC_ZONE_EVENTS_H_
/*! @} */
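Review bot: The new `\param sorted_changes` line does not say who releases the trie, although this commit moves that duty from knot_dnssec_sign_changeset to its caller. I would word it as `\param sorted_changes Output: trie describing the changes made, used for partial adjustment; the caller releases it with knot_zone_clear_sorted_changes() and hattrie_free().` Whether the trie can be left allocated when an error is returned is not visible here and should be stated once confirmed. `new_serial` has no `\param` entry either.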
......@@ -4208,7 +4208,8 @@ int knot_ns_process_update(const knot_packet_t *query,
// 3) Finalize zone
dbg_ns_verb("Finalizing updated zone...\n");
ret = xfrin_finalize_updated_zone(contents_copy, chgs->changes, false);
ret = xfrin_finalize_updated_zone(contents_copy, chgs->changes, false,
NULL);
if (ret != KNOT_EOK) {
dbg_ns("Failed to finalize updated zone: %s\n",
knot_strerror(ret));
......
......@@ -2568,7 +2568,8 @@ int xfrin_prepare_zone_copy(knot_zone_contents_t *old_contents,
/*----------------------------------------------------------------------------*/
int xfrin_finalize_updated_zone(knot_zone_contents_t *contents_copy,
knot_changes_t *changes, bool set_nsec3)
knot_changes_t *changes, bool set_nsec3,
const hattrie_t *sorted_changes)
{
if (contents_copy == NULL || changes == NULL) {
return KNOT_EINVAL;
......@@ -2596,7 +2597,14 @@ int xfrin_finalize_updated_zone(knot_zone_contents_t *contents_copy,
dbg_xfrin("Adjusting zone contents.\n");
if (set_nsec3) {
ret = knot_zone_contents_adjust_full(contents_copy, NULL, NULL);
if (sorted_changes) {
ret = knot_zone_contents_adjust_pointers(contents_copy);
ret = knot_zone_contents_adjust_nsec3_changes(contents_copy,
(void *)sorted_changes);
} else {
ret = knot_zone_contents_adjust_full(contents_copy,
NULL, NULL);
}
} else {
ret = knot_zone_contents_adjust_pointers(contents_copy);
}
......@@ -2616,7 +2624,7 @@ int xfrin_finalize_updated_zone(knot_zone_contents_t *contents_copy,
int xfrin_apply_changesets(knot_zone_t *zone,
knot_changesets_t *chsets,
knot_zone_contents_t **new_contents,
bool full_adjust)
bool full_adjust, const hattrie_t *sorted_changes)
{
if (zone == NULL || chsets == NULL || EMPTY_LIST(chsets->sets)
|| new_contents == NULL) {
......@@ -2664,7 +2672,8 @@ int xfrin_apply_changesets(knot_zone_t *zone,
*/
dbg_xfrin_verb("Finalizing updated zone...\n");
ret = xfrin_finalize_updated_zone(contents_copy, chsets->changes, true);
ret = xfrin_finalize_updated_zone(contents_copy, chsets->changes,
full_adjust, sorted_changes);
if (ret != KNOT_EOK) {
dbg_xfrin("Failed to finalize updated zone: %s\n",
knot_strerror(ret));
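Review bot: In xfrin_finalize_updated_zone the result of `knot_zone_contents_adjust_pointers(contents_copy)` is overwritten on the next line by the result of `knot_zone_contents_adjust_nsec3_changes()`, so a failed pointer adjustment is silently dropped. Guard the second call: `if (ret == KNOT_EOK) { ret = knot_zone_contents_adjust_nsec3_changes(contents_copy, (void *)sorted_changes); }`. The new branch is also only reached when `set_nsec3` is true, and xfrin_apply_changesets now forwards `full_adjust` instead of the former `true`. The only caller on this page that passes a trie (zones_process_update_auth) passes `false`, and every caller passing `true` passes NULL, so as written the partial NSEC3 adjustment looks unreachable. Both functions continue outside the hunks.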
......
......@@ -182,13 +182,15 @@ int xfrin_apply_changesets_to_zone(knot_zone_t *zone,
int xfrin_apply_changesets(knot_zone_t *zone,
knot_changesets_t *chsets,
knot_zone_contents_t **new_contents, bool full_adjust);
knot_zone_contents_t **new_contents,
bool full_adjust, const hattrie_t *sorted_changes);
int xfrin_prepare_zone_copy(knot_zone_contents_t *old_contents,
knot_zone_contents_t **new_contents);
int xfrin_finalize_updated_zone(knot_zone_contents_t *contents_copy,
knot_changes_t *changes, bool set_nsec3);
knot_changes_t *changes, bool set_nsec3,
const hattrie_t *sorted_changes);
int xfrin_switch_zone(knot_zone_t *zone,
knot_zone_contents_t *new_contents,
......
......@@ -24,6 +24,7 @@
#include "common/descriptor.h"
#include "common/hattrie/hat-trie.h"
#include "libknot/dnssec/zone-nsec.h"
#include "libknot/dnssec/zone-sign.h"
#include "libknot/zone/zone-tree.h"
#include "libknot/util/wire.h"
#include "libknot/consts.h"
......@@ -1323,6 +1324,40 @@ int knot_zone_contents_adjust_nsec3_pointers(knot_zone_contents_t *contents)
adjust_nsec3_pointers);
}
int knot_zone_contents_adjust_nsec3_changes(knot_zone_contents_t *contents,
void *data)
{
if (contents->nsec3_nodes == NULL) {
return KNOT_EOK;
}
hattrie_iter_t *itt = hattrie_iter_begin((hattrie_t *)data,
false);
if (itt == NULL) {
return KNOT_ENOMEM;
}
while (!hattrie_iter_finished(itt)) {
signed_info_t *val = (signed_info_t *)(*hattrie_iter_val(itt));
const knot_dname_t *dname = val->dname;
assert(dname);
const knot_dname_t *hash = val->hashed_dname;
if (hash) {
knot_node_t *nsec3_node =
knot_zone_contents_get_nsec3_node(contents, hash);
if (nsec3_node) {
knot_node_t *normal_node =
knot_zone_contents_get_node(contents,
dname);
if (normal_node) {
normal_node->nsec3_node = nsec3_node;
}
}
}
}
hattrie_iter_free(itt);
return KNOT_EOK;
}
/*----------------------------------------------------------------------------*/
int knot_zone_contents_adjust_nsec3_tree(knot_zone_contents_t *contents)
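Review bot: The `while (!hattrie_iter_finished(itt))` loop in knot_zone_contents_adjust_nsec3_changes never advances the iterator, so with a non-empty trie it spins on the first entry forever and the update that triggered it never completes. Add `hattrie_iter_next(itt);` as the last statement of the loop body. `contents` and `data` are also dereferenced without a check, and `assert(dname)` disappears in release builds. An explicit `if (contents == NULL || data == NULL) return KNOT_EINVAL;` at the top would match the guards used in xfrin_finalize_updated_zone.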
......
......@@ -337,6 +337,9 @@ int knot_zone_contents_adjust_pointers(knot_zone_contents_t *contents);
*/
int knot_zone_contents_adjust_nsec3_pointers(knot_zone_contents_t *);
int knot_zone_contents_adjust_nsec3_changes(knot_zone_contents_t *contents,
void *data);
/*!
* \brief Sets parent and previous pointers and node flags. (cheap operation)
*/
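Review bot: The new prototype has no Doxygen block, unlike its neighbours, and takes `void *data` although the function casts it straight to `hattrie_t *`. Declaring the parameter as `const hattrie_t *sorted_changes` would remove the const-dropping cast at the call site in xfrin_finalize_updated_zone; whether hattrie_iter_begin accepts a const trie should be confirmed first. A header comment along the lines of `\brief Sets NSEC3 node pointers only for the nodes listed in the changes trie.` with `\param` and `\return` lines would document the contract.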
......