Commit 32593220 authored by Jan Včelák's avatar Jan Včelák 🚀

Merge branch 'chain-fix' into 'master'

DNSSEC - NSEC/NSEC3 chain fix

NSEC/NSEC3 chain fix. Takes 9 seconds for the testing zone (a big one), while `master` takes 4 minutes to fix it. 'Nuff said.
parents 39ab923b 3a943e5a
......@@ -297,3 +297,7 @@ tests/tap/macros.h
tests/wire.c
tests/zonedb.c
tests/ztree.c
src/libknot/dnssec/nsec-chain.c
src/libknot/dnssec/nsec3-chain.c
src/libknot/dnssec/nsec-chain.h
src/libknot/dnssec/nsec3-chain.h
......@@ -186,6 +186,10 @@ libknot_la_SOURCES = \
libknot/dnssec/zone-events.h \
libknot/dnssec/zone-keys.c \
libknot/dnssec/zone-keys.h \
libknot/dnssec/nsec-chain.c \
libknot/dnssec/nsec-chain.h \
libknot/dnssec/nsec3-chain.c \
libknot/dnssec/nsec3-chain.h \
libknot/dnssec/zone-nsec.c \
libknot/dnssec/zone-nsec.h \
libknot/dnssec/zone-sign.c \
......@@ -334,7 +334,7 @@ hattrie_t* hattrie_dup(const hattrie_t* T, value_t (*nval)(value_t))
return N;
}
size_t hattrie_weight (hattrie_t* T)
size_t hattrie_weight (const hattrie_t *T)
{
return T->m;
}
......@@ -36,10 +36,10 @@ extern "C" {
typedef struct hattrie_t_ hattrie_t;
hattrie_t* hattrie_create (void); //< Create an empty hat-trie.
void hattrie_free (hattrie_t*); //< Free all memory used by a trie.
void hattrie_clear (hattrie_t*); //< Remove all entries.
size_t hattrie_weight (hattrie_t*); //< Number of entries
hattrie_t* hattrie_create (void); //< Create an empty hat-trie.
void hattrie_free (hattrie_t*); //< Free all memory used by a trie.
void hattrie_clear (hattrie_t*); //< Remove all entries.
size_t hattrie_weight (const hattrie_t*); //< Number of entries
/** Create new trie with custom bucket size and memory management.
*/
......@@ -31,6 +31,7 @@
#include "libknot/dname.h"
#include "libknot/dnssec/random.h"
#include "libknot/dnssec/zone-events.h"
#include "libknot/dnssec/zone-sign.h"
#include "libknot/nameserver/chaos.h"
#include "libknot/rdata.h"
#include "libknot/tsig-op.h"
......@@ -373,7 +374,7 @@ static int zones_zonefile_sync_from_ev(knot_zone_t *zone, zonedata_t *zd)
}
/*!
* \brief Sync changes in zone to zonefile.
* \brief Sync chagnes in zone to zonefile.
*/
int zones_flush_ev(event_t *e)
{
......@@ -1028,6 +1029,8 @@ int zones_process_update_auth(knot_zone_t *zone, knot_pkt_t *query,
fake_zone->data = zone->data;
new_contents->zone = fake_zone;
hattrie_t *sorted_changes = NULL;
if (zone_config->dnssec_enable) {
dbg_zones_verb("%s: Signing the UPDATE\n", msg);
/*!
......@@ -1042,11 +1045,11 @@ int zones_process_update_auth(knot_zone_t *zone, knot_pkt_t *query,
&refresh_at, new_serial);
} else {
// Sign the created changeset
knot_zone_contents_load_nsec3param(new_contents);
ret = knot_dnssec_sign_changeset(fake_zone,
knot_changesets_get_last(chgsets),
sec_ch, KNOT_SOA_SERIAL_KEEP,
&refresh_at, new_serial);
knot_changesets_get_last(chgsets),
sec_ch, KNOT_SOA_SERIAL_KEEP,
&refresh_at,
new_serial, &sorted_changes);
}
if (ret != KNOT_EOK) {
......@@ -1081,24 +1084,22 @@ int zones_process_update_auth(knot_zone_t *zone, knot_pkt_t *query,
}
bool new_signatures = !knot_changeset_is_empty(sec_ch);
knot_zone_contents_t *dnssec_contents = NULL;
// Apply DNSSEC changeset
if (new_signatures) {
// Set zone generation to old, else applying fails
knot_zone_contents_set_gen_old(new_contents);
ret = xfrin_apply_changesets(fake_zone, sec_chs,
&dnssec_contents);
ret = xfrin_apply_changesets_dnssec(old_contents,
new_contents,
sec_chs,
chgsets,
sorted_changes);
knot_zone_clear_sorted_changes(sorted_changes);
hattrie_free(sorted_changes);
if (ret != KNOT_EOK) {
log_zone_error("%s: Failed to sign incoming update %s\n",
msg, knot_strerror(ret));
new_contents->zone = zone;
zones_store_changesets_rollback(transaction);
zones_free_merged_changesets(chgsets, sec_chs);
free(fake_zone);
return ret;
}
assert(dnssec_contents);
dnssec_contents->zone = zone;
// Plan zone resign if needed
zonedata_t *zd = (zonedata_t *)zone->data;
......@@ -1107,10 +1108,19 @@ int zones_process_update_auth(knot_zone_t *zone, knot_pkt_t *query,
if (ret != KNOT_EOK) {
log_zone_error("%s: Failed to replan zone sign %s\n",
msg, knot_strerror(ret));
new_contents->zone = zone;
zones_store_changesets_rollback(transaction);
zones_free_merged_changesets(chgsets, sec_chs);
free(fake_zone);
return ret;
}
} else {
// Set NSEC3 nodes if no new signatures were created (or auto DNSSEC is off)
ret = knot_zone_contents_adjust_nsec3_pointers(new_contents);
if (ret != KNOT_EOK) {
zones_store_changesets_rollback(transaction);
zones_free_merged_changesets(chgsets, sec_chs);
xfrin_rollback_update(zone->contents, &new_contents,
chgsets->changes);
free(msg);
return ret;
}
}
......@@ -1138,9 +1148,7 @@ int zones_process_update_auth(knot_zone_t *zone, knot_pkt_t *query,
// Switch zone contents.
knot_zone_retain(zone); /* Retain pointer for safe RCU unlock. */
rcu_read_unlock(); /* Unlock for switch. */
ret = xfrin_switch_zone(zone,
dnssec_contents ? dnssec_contents : new_contents,
XFR_TYPE_UPDATE);
ret = xfrin_switch_zone(zone, new_contents, XFR_TYPE_UPDATE);
rcu_read_lock(); /* Relock */
knot_zone_release(zone);/* Release held pointer. */
if (ret != KNOT_EOK) {
......@@ -1160,9 +1168,6 @@ int zones_process_update_auth(knot_zone_t *zone, knot_pkt_t *query,
if (sec_chs) {
xfrin_cleanup_successful_update(sec_chs->changes);
}
if (new_signatures) {
xfrin_zone_contents_free(&new_contents);
}
// Free changesets, but not the data.
zones_free_merged_changesets(chgsets, sec_chs);
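Review bot: The error path inside the new `else` branch (after `knot_zone_contents_adjust_nsec3_pointers` fails) releases a different set of resources than the sibling error path a few lines above it: it adds `xfrin_rollback_update(...)` and `free(msg)` but never `free(fake_zone)`, which the replan-failure path does, so one of the two appears to leak or to skip a rollback step; the function continues outside these hunks, so please confirm which cleanup set is the complete one. `sorted_changes` is cleared and freed only inside `if (new_signatures)`; if `knot_dnssec_sign_changeset` can hand back an allocated trie while `sec_ch` ends up empty, the `else` branch leaks it, and moving the `knot_zone_clear_sorted_changes(sorted_changes); hattrie_free(sorted_changes);` pair directly after the signing block (guarded by `if (sorted_changes)` unless `hattrie_free` tolerates NULL) would cover both branches. The comment on `zones_flush_ev` now reads `Sync chagnes in zone to zonefile.`; if that is indeed the new side, restore `Sync changes in zone to zonefile.`.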
......@@ -532,7 +532,7 @@ static int rdata_nsec_to_type_array(const knot_rrset_t *rrset, size_t pos,
uint8_t *data = NULL;
uint16_t rr_bitmap_size = 0;
if (rrset->type == KNOT_RRTYPE_NSEC) {
knot_rdata_nsec_bitmap(rrset, pos, &data, &rr_bitmap_size);
knot_rdata_nsec_bitmap(rrset, &data, &rr_bitmap_size);
} else {
knot_rdata_nsec3_bitmap(rrset, pos, &data, &rr_bitmap_size);
}
......@@ -997,7 +997,7 @@ static int semantic_checks_dnssec(knot_zone_contents_t *zone,
if (nsec_rrset != NULL) {
const knot_dname_t *next_domain =
knot_rdata_nsec_next(nsec_rrset, 0);
knot_rdata_nsec_next(nsec_rrset);
assert(next_domain);
// Convert name to lowercase for trie lookup
knot_dname_t *lowercase = knot_dname_copy(next_domain);
......@@ -1180,7 +1180,7 @@ void log_cyclic_errors_in_zone(err_handler_t *handler,
}
const knot_dname_t *next_dname =
knot_rdata_nsec_next(nsec_rrset, 0);
knot_rdata_nsec_next(nsec_rrset);
assert(next_dname);
const knot_dname_t *apex_dname =
......@@ -201,7 +201,7 @@ int zone_dump_text(knot_zone_contents_t *zone, FILE *file)
}
// Dump NSEC3 chain if available.
if (is_nsec3_enabled(zone)) {
if (knot_is_nsec3_enabled(zone)) {
fprintf(file, ";; DNSSEC NSEC3 chain\n");
params.dump_rdata = true;
......@@ -626,8 +626,8 @@ knot_zone_t *knot_zload_load(zloader_t *loader)
knot_node_t *first_nsec3_node = NULL;
knot_node_t *last_nsec3_node = NULL;
rrset_list_delete(&c->node_rrsigs);
int kret = knot_zone_contents_adjust(c->current_zone, &first_nsec3_node,
&last_nsec3_node, 0);
int kret = knot_zone_contents_adjust_full(c->current_zone, &first_nsec3_node,
&last_nsec3_node);
if (kret != KNOT_EOK) {
log_zone_error("%s: Failed to finalize zone contents: %s\n",
loader->source, knot_strerror(kret));
......@@ -29,6 +29,7 @@
#include <stdint.h>
#include <string.h>
#include <limits.h>
#include "libknot/zone/node.h"
#include "libknot/rrset.h"
#include "common/descriptor.h"
/* Copyright (C) 2014 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
/*!
* \file nsec-chain.h
*
* \author Jan Vcelak <jan.vcelak@nic.cz> (chain creation)
* \author Jan Kadlec <jan.kadlec@nic.cz> (chain fix)
*
* \brief NSEC chain fix and creation.
*
* \addtogroup dnssec
* @{
*/
#ifndef _KNOT_DNSSEC_NSEC_CHAIN_FIX_H_
#define _KNOT_DNSSEC_NSEC_CHAIN_FIX_H_
#include <stdbool.h>
#include <stdint.h>
#include "libknot/zone/zone-contents.h"
#include "libknot/updates/changesets.h"
/*!
* \brief Parameters to be used when fixing NSEC(3) chain.
*/
typedef struct chain_fix_data {
const knot_zone_contents_t *zone; // Zone to fix
knot_changeset_t *out_ch; // Outgoing changes
const knot_dname_t *chain_start; // Possible new starting node
bool old_connected; // Marks old start connection
const knot_dname_t *last_used_dname; // Last dname used in chain
const knot_node_t *last_used_node; // Last covered node used in chain
knot_dname_t *next_dname; // Used to reconnect broken chain
const hattrie_t *sorted_changes; // Iterated trie
uint32_t ttl; // TTL for NSEC(3) records
} chain_fix_data_t;
/*!
* \brief Parameters to be used in connect_nsec_nodes callback.
*/
typedef struct {
uint32_t ttl; // TTL for NSEC(3) records
knot_changeset_t *changeset; // Changeset for NSEC(3) changes
const knot_zone_contents_t *zone; // Updated zone
} nsec_chain_iterate_data_t;
/*!
* \brief Used to control changeset iteration functions.
*/
enum {
NSEC_NODE_SKIP = 1,
NSEC_NODE_RESET = 2
};
/*!
* \brief Callback used when fixing NSEC chains.
*/
typedef int (*chain_iterate_fix_cb)(knot_dname_t *, knot_dname_t *,
knot_dname_t *, knot_dname_t *,
chain_fix_data_t *);
/*!
* \brief Callback used when finalizing NSEC chains.
*/
typedef int (*chain_finalize_cb)(chain_fix_data_t *);
/*!
* \brief Callback used when creating NSEC chains.
*/
typedef int (*chain_iterate_create_cb)(knot_node_t *, knot_node_t *,
nsec_chain_iterate_data_t *);
/*!
* \brief Call a function for each piece of the chain formed by sorted nodes.
*
* \note If the callback function returns anything other than KNOT_EOK, the
* iteration is terminated and the error code is propagated.
*
* \param nodes Zone nodes.
* \param callback Callback function.
* \param data Custom data supplied to the callback function.
*
* \return Error code, KNOT_EOK if successful.
*/
int knot_nsec_chain_iterate_create(knot_zone_tree_t *nodes,
chain_iterate_create_cb callback,
nsec_chain_iterate_data_t *data);
/*!
* \brief Iterates sorted changeset and calls callback function - works for
* NSEC and NSEC3 chain.
*
* \note If the callback function returns anything other than KNOT_EOK, the
* iteration is terminated and the error code is propagated.
*
* \param nodes Tree to fix.
* \param callback Callback to call.
* \param finalize Finalization callback.
* \param data Data needed for fixing.
*
* \return KNOT_E*
*/
int knot_nsec_chain_iterate_fix(hattrie_t *nodes,
chain_iterate_fix_cb callback,
chain_finalize_cb finalize,
chain_fix_data_t *data);
/*!
* \brief Add entry for removed NSEC to the changeset.
*
* \param oldrr Old NSEC RR set to be removed (including RRSIG).
* \param changeset Changeset to add the old RR into.
*
* \return Error code, KNOT_EOK if successful.
*/
int knot_nsec_changeset_remove(const knot_rrset_t *oldrr,
knot_changeset_t *changeset);
/*!
* \brief Create new NSEC chain, add differences from current into a changeset.
*
* \param zone Zone.
* \param ttl TTL for created NSEC records.
* \param changeset Changeset the differences will be put into.
*
* \return Error code, KNOT_EOK if successful.
*/
int knot_nsec_create_chain(const knot_zone_contents_t *zone, uint32_t ttl,
knot_changeset_t *changeset);
/*!
* \brief Fixes NSEC chain after DDNS/reload
*
* \param sorted_changes Sorted changes created by changeset sign function.
* \param fix_data Chain fix data.
*
* \return KNOT_E*
*/
int knot_nsec_fix_chain(hattrie_t *sorted_changes,
chain_fix_data_t *fix_data);
#endif // _KNOT_DNSSEC_NSEC_CHAIN_FIX_H_
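Review bot: The `chain_iterate_fix_cb` typedef takes four consecutive unnamed `knot_dname_t *` parameters, so nothing in this header tells an implementer which name is which; give each one a name in the prototype and add a `\param` line per argument to the "Callback used when fixing NSEC chains" comment. The `NSEC_NODE_SKIP` / `NSEC_NODE_RESET` enum is documented only as "Used to control changeset iteration functions"; a one-line comment per value stating what the iterator does when a callback returns it would make the contract usable without reading nsec-chain.c. `knot_nsec_chain_iterate_fix` documents its `hattrie_t *nodes` as `Tree to fix`, while the sibling `knot_nsec_fix_chain` calls the same kind of trie `Sorted changes created by changeset sign function`; if both are the sorted-changes trie, `\param nodes Sorted changes to iterate.` would be the accurate wording. The include guard `_KNOT_DNSSEC_NSEC_CHAIN_FIX_H_` still carries the older "FIX" name although the file is nsec-chain.h.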
/* Copyright (C) 2014 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
/*!
* \file nsec3-chain-fix.h
*
* \author Jan Kadlec <jan.kadlec@nic.cz> (chain fix)
* \author Jan Vcelak <jan.vcelak@nic.cz> (chain creation)
*
* \brief NSEC3 chain fix and creation.
*
* \addtogroup dnssec
* @{
*/
#ifndef _KNOT_DNSSEC_NSEC3_CHAIN_FIX_H_
#define _KNOT_DNSSEC_NSEC3_CHAIN_FIX_H_
#include "libknot/dnssec/zone-nsec.h"
#include "libknot/dnssec/nsec-chain.h"
/*!
* \brief Creates new NSEC3 chain, add differences from current into a changeset.
*
* \param zone Zone to be checked.
* \param ttl TTL for new records.
* \param changeset Changeset to store changes into.
*
* \return KNOT_E*
*/
int knot_nsec3_create_chain(const knot_zone_contents_t *zone, uint32_t ttl,
knot_changeset_t *changeset);
/*!
* \brief Fixes NSEC3 chain after DDNS/reload.
*
* \param sorted_changes Sorted changes created by changeset sign function.
* \param fix_data Chain fix data.
*
* \return KNOT_E*
*/
int knot_nsec3_fix_chain(hattrie_t *sorted_changes, chain_fix_data_t *fix_data);
#endif // _KNOT_DNSSEC_NSEC3_CHAIN_FIX_H_
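Review bot: The Doxygen header says `\file nsec3-chain-fix.h`, but the file registered in Makefile.am in this same commit is `libknot/dnssec/nsec3-chain.h`, so the tag should read `\file nsec3-chain.h`; the include guard `_KNOT_DNSSEC_NSEC3_CHAIN_FIX_H_` carries the same stale name. The brief `Creates new NSEC3 chain, add differences from current into a changeset.` mixes forms; `Create a new NSEC3 chain and add the differences from the current one into a changeset.` reads cleanly and matches the NSEC counterpart. `hattrie_t` and `chain_fix_data_t` reach this header only through the zone-nsec.h and nsec-chain.h includes, which is fine as long as that dependency is intended.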
......@@ -43,7 +43,7 @@ static int init_dnssec_structs(const knot_zone_t *zone,
assert(config);
// Read zone keys from disk
bool nsec3_enabled = is_nsec3_enabled(zone->contents);
bool nsec3_enabled = knot_is_nsec3_enabled(zone->contents);
int result = knot_load_zone_keys(config->dnssec_keydir,
zone->contents->apex->owner,
nsec3_enabled, zone_keys);
......@@ -191,9 +191,10 @@ int knot_dnssec_sign_changeset(const knot_zone_t *zone,
knot_changeset_t *out_ch,
knot_update_serial_t soa_up,
uint32_t *refresh_at,
uint32_t new_serial)
uint32_t new_serial,
hattrie_t **sorted_changes)
{
if (!refresh_at) {
if (!refresh_at || !sorted_changes) {
return KNOT_EINVAL;
}
......@@ -221,9 +222,22 @@ int knot_dnssec_sign_changeset(const knot_zone_t *zone,
return KNOT_ENOMEM;
}
// Sign added and removed RRSets in changeset
ret = knot_zone_sign_changeset(zone, in_ch, out_ch, sorted_changes,
&zone_keys, &policy);
if (ret != KNOT_EOK) {
log_zone_error("%s Failed to sign changeset (%s)\n", msgpref,
knot_strerror(ret));
knot_free_zone_keys(&zone_keys);
free(msgpref);
return ret;
}
assert(sorted_changes);
// Fix NSEC(3) chain
ret = knot_zone_create_nsec_chain(zone->contents,
out_ch, &zone_keys, &policy);
ret = knot_zone_fix_nsec_chain(zone->contents,
*sorted_changes, out_ch,
&zone_keys, &policy);
if (ret != KNOT_EOK) {
log_zone_error("%s Failed to fix NSEC(3) chain (%s)\n",
msgpref, knot_strerror(ret));
......@@ -232,10 +246,9 @@ int knot_dnssec_sign_changeset(const knot_zone_t *zone,
return ret;
}
// Sign added and removed RRSets in changeset
ret = knot_zone_sign_changeset(zone->contents,
in_ch, out_ch, &zone_keys,
&policy);
// Sign added NSEC(3)
ret = knot_zone_sign_nsecs_in_changeset(&zone_keys, &policy,
out_ch);
if (ret != KNOT_EOK) {
log_zone_error("%s Failed to sign changeset (%s)\n",
msgpref, knot_strerror(ret));
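Review bot: `assert(sorted_changes);` after the `knot_zone_sign_changeset` call is a tautology: `sorted_changes` was already rejected as NULL with `KNOT_EINVAL` at the top of the function, while the value that is actually handed to `knot_zone_fix_nsec_chain` is `*sorted_changes`. The check that carries information is `assert(*sorted_changes);`, or, since asserts are compiled out in release builds, an explicit `if (*sorted_changes == NULL) { knot_free_zone_keys(&zone_keys); free(msgpref); return KNOT_ENOMEM; }`. If `knot_zone_sign_changeset` can allocate `*sorted_changes` before failing, the new early-return block hands that allocation to the caller without saying so; the ownership on error should be stated in the function's doc comment.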
......@@ -62,12 +62,13 @@ int knot_dnssec_zone_sign_force(knot_zone_t *zone, knot_changeset_t *out_ch,
/*!
* \brief Sign changeset created by DDNS or zone-diff.
*
* \param zone Updated zone (AFTER DDNS has been applied to it).
* \param in_ch Changeset created bvy DDNS or zone-diff
* \param out_ch New records will be added to this changeset.
* \param soa_up SOA serial update policy.
* \param zone Updated zone (AFTER DDNS has been applied to it).
* \param in_ch Changeset created bvy DDNS or zone-diff
* \param out_ch New records will be added to this changeset.
* \param soa_up SOA serial update policy.
* \param refresh_at Signature refresh time of the new signatures.
* \param new_serial New SOA serial.
* \param sorted_changes Info about made changes, used for partial adjustment.
*
* \return Error code, KNOT_EOK if successful.
*/
......@@ -75,8 +76,9 @@ int knot_dnssec_sign_changeset(const knot_zone_t *zone,
const knot_changeset_t *in_ch,
knot_changeset_t *out_ch,
knot_update_serial_t soa_up,
uint32_t *refresh_at,
uint32_t new_serial);
uint32_t *refresh_at, uint32_t new_serial,
hattrie_t **sorted_changes);
#endif // _KNOT_DNSSEC_ZONE_EVENTS_H_
/*! @} */
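Review bot: The new `\param sorted_changes Info about made changes, used for partial adjustment.` does not say that the function allocates the trie, that ownership passes to the caller, or how it is released; the zones.c caller in this commit pairs `knot_zone_clear_sorted_changes()` with `hattrie_free()`, and that is the kind of detail a header reader needs. Suggest `\param sorted_changes Out: trie of sorted changes allocated by this function; the caller releases it with knot_zone_clear_sorted_changes() and hattrie_free(). <state what it holds on error>`, with the error part filled in from zone-events.c, where the early return happens before the trie is inspected. The re-aligned lines also carry the typo `bvy` forward on the new side; `\param in_ch Changeset created by DDNS or zone-diff.`.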
/* Copyright (C) 2011 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
/* Copyright (C) 2014 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
......@@ -14,7 +14,7 @@
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
/*!
* \file zone-sign.h
* \file zone-nsec.h
*
* \author Jan Vcelak <jan.vcelak@nic.cz>
* \author Lubos Slovak <lubos.slovak@nic.cz>
......@@ -31,9 +31,10 @@
#include <stdbool.h>
#include "libknot/updates/changesets.h"
#include "libknot/zone/zone-contents.h"
#include "libknot/dnssec/policy.h"
#include "libknot/dnssec/zone-keys.h"
#include "libknot/zone/zone-contents.h"
#include "libknot/dnssec/nsec-bitmap.h"
/*!
* Check if NSEC3 is enabled for the given zone.
......@@ -42,20 +43,7 @@
*
* \return NSEC3 is enabled.
*/
bool is_nsec3_enabled(const knot_zone_contents_t *zone);
/*!
* \brief Create NSEC3 owner name from regular owner name.
*
* \param owner Node owner name.
* \param zone_apex Zone apex name.
* \param params Params for NSEC3 hashing function.
*
* \return NSEC3 owner name, NULL in case of error.
*/
knot_dname_t *create_nsec3_owner(const knot_dname_t *owner,
const knot_dname_t *zone_apex,
const knot_nsec3_params_t *params);
bool knot_is_nsec3_enabled(const knot_zone_contents_t *zone);
/*!
* \brief Create NSEC3 owner name from hash and zone apex.
......@@ -69,11 +57,26 @@ knot_dname_t *create_nsec3_owner(const knot_dname_t *owner,
knot_dname_t *knot_nsec3_hash_to_dname(const uint8_t *hash, size_t hash_size,
const knot_dname_t *zone_apex);
/*!
* \brief Create NSEC3 owner name from regular owner name.
*
* \param owner Node owner name.
* \param zone_apex Zone apex name.
* \param params Params for NSEC3 hashing function.
*
* \return NSEC3 owner name, NULL in case of error.
*/
knot_dname_t *knot_create_nsec3_owner(const knot_dname_t *owner,
const knot_dname_t *zone_apex,
const knot_nsec3_params_t *params);
/*!
* \brief Create NSEC or NSEC3 chain in the zone.
*
* \param zone Zone for which the NSEC(3) chain will be created.
* \param changeset Changeset into which the changes will be added.
* \param zone_keys Zone keys used for NSEC(3) creation.
* \param policy DNSSEC signing policy.
*
* \return Error code, KNOT_EOK if successful.
*/
......@@ -82,6 +85,25 @@ int knot_zone_create_nsec_chain(const knot_zone_contents_t *zone,
const knot_zone_keys_t *zone_keys,
const knot_dnssec_policy_t *policy);
/*!
* \brief Fix NSEC or NSEC3 chain in the zone.
*
* \param zone Zone for which the NSEC(3) chain will be created.
* \param sorted_changes Sorted changes created by 'sign_changeset' function.
* This param is updated with normal node -> NSEC3 node
* links, to be used later when adjusting zone.
* \param out_ch Changeset into which the changes will be added.
* \param zone_keys Zone keys used for NSEC(3) creation.
* \param policy DNSSEC signing policy.
*
* \return Error code, KNOT_EOK if successful.
*/
int knot_zone_fix_nsec_chain(const knot_zone_contents_t *zone,
hattrie_t *sorted_changes,
knot_changeset_t *out_ch,
const knot_zone_keys_t *zone_keys,
const knot_dnssec_policy_t *policy);
#endif // _KNOT_DNSSEC_ZONE_NSEC_H_
/*! @} */
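Review bot: The doc block for the new `knot_zone_fix_nsec_chain` was copied from `knot_zone_create_nsec_chain` and still says `\param zone Zone for which the NSEC(3) chain will be created.` and `\param zone_keys Zone keys used for NSEC(3) creation.`; both should say "fixed". The `\param sorted_changes` text says the trie is updated with node -> NSEC3 node links "to be used later when adjusting zone" without naming the consumer; per the zones.c hunk that consumer is `xfrin_apply_changesets_dnssec`, and naming it explains why the parameter is a non-const `hattrie_t *`. The doxygen for `knot_is_nsec3_enabled` still lacks a `\brief` line, unlike every other declaration in this header.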
......@@ -30,10 +30,22 @@
#define _KNOT_DNSSEC_ZONE_SIGN_H_
#include "libknot/updates/changesets.h"
#include "libknot/zone/zone.h"
#include "libknot/zone/zone-contents.h"
#include "libknot/dnssec/zone-keys.h"
#include "libknot/dnssec/policy.h"
typedef struct type_node {
node_t n;
uint16_t type;
} type_node_t;
typedef struct signed_info {
knot_dname_t *dname;
knot_dname_t *hashed_dname;
list_t *type_list;
} signed_info_t;
/*!
* \brief Update zone signatures and store performed changes in changeset.
*
......@@ -84,17 +96,19 @@ bool knot_zone_sign_soa_expired(const knot_zone_contents_t *zone,
/*!
* \brief Sign changeset created by DDNS or zone-diff.
*
* \param zone Contents of the updated zone (AFTER zone is switched).
* \param zone Updated zone (with *new* contents).
* \param in_ch Changeset created bvy DDNS or zone-diff
* \param out_ch New records will be added to this changeset.
* \param sorted_changes Sorted representation of changes.
* \param zone_keys Keys to use for signing.
* \param policy DNSSEC signing policy.
*
* \return Error code, KNOT_EOK if successful.
*/
int knot_zone_sign_changeset(const knot_zone_contents_t *zone,
int knot_zone_sign_changeset(const knot_zone_t *zone,
const knot_changeset_t *in_ch,
knot_changeset_t *out_ch,
hattrie_t **sorted_changes,
const knot_zone_keys_t *zone_keys,
const knot_dnssec_policy_t *policy);
......@@ -116,15 +130,18 @@ int knot_zone_sign_nsecs_in_changeset(const knot_zone_keys_t *zone_keys,
* true for all types that should be signed, do not use this as an
* universal function, it is implementation specific.
*
* \param node Node containing the RRSet.
* \param rrset RRSet we are checking for.
* \param table Optional hash table with already signed RRs.
* \param node Node containing the RRSet.
* \param rrset RRSet we are checking for.
* \param table Optional hat trie with already signed RRs.
* \param should_sign Set to true if RR should be signed, false otherwise.
*
* \return True if RR should be signed, false otherwise.
* \return KNOT_E*
*/
bool knot_zone_sign_rr_should_be_signed(const knot_node_t *node,
const knot_rrset_t *rrset,
hattrie_t *table);
int knot_zone_sign_rr_should_be_signed(const knot_node_t *node,
const knot_rrset_t *rrset,
hattrie_t *trie, bool *should_sign);
void knot_zone_clear_sorted_changes(hattrie_t *t);
#endif // _KNOT_DNSSEC_ZONE_SIGN_H_
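Review bot: `knot_zone_sign_rr_should_be_signed` renamed its third parameter to `trie`, but the doc block still says `\param table Optional hat trie with already signed RRs.`; change it to `\param trie`. The new public types `type_node_t` and `signed_info_t` and the new `knot_zone_clear_sorted_changes()` declaration carry no documentation at all: at minimum say what `knot_zone_clear_sorted_changes` releases (the `signed_info_t` values, presumably, since the zones.c caller still calls `hattrie_free` afterwards; confirm against zone-sign.c) and who owns `dname`, `hashed_dname` and `type_list` inside `signed_info_t`. The `int` return plus `bool *should_sign` out-parameter should also state that `*should_sign` is only meaningful when `KNOT_EOK` is returned, if that is the contract.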
......@@ -176,7 +176,7 @@ int knot_ns_process_axfrin(knot_nameserver_t *nameserver, knot_ns_xfr_t *xfr)
knot_zone_serial(zone));
dbg_ns_verb("ns_process_axfrin: adjusting zone.\n");
int rc = knot_zone_contents_adjust(zone, NULL, NULL, 0);
int rc = knot_zone_contents_adjust_full(zone, NULL, NULL);
if (rc != KNOT_EOK) {
return rc;
}
......@@ -388,7 +388,8 @@ int knot_ns_process_update(const knot_pkt_t *query,
// 3) Finalize zone
dbg_ns_verb("Finalizing updated zone...\n");
ret = xfrin_finalize_updated_zone(contents_copy, chgs->changes);
ret = xfrin_finalize_updated_zone(contents_copy, false,
NULL);
if (ret != KNOT_EOK) {
dbg_ns("Failed to finalize updated zone: %s\n",
knot_strerror(ret));
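Review bot: `xfrin_finalize_updated_zone(contents_copy, false, NULL)` passes two bare literals whose meaning is not visible at the call site, and the new signature is outside this diff, so a reader cannot tell what is being switched off here. A trailing comment such as `/* <flag meaning>, <pointer meaning> */`, filled in from the xfrin.h declaration, would keep this readable; the `NULL, NULL` in the `knot_zone_contents_adjust_full(zone, NULL, NULL)` call in the earlier hunk has the same problem.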
......@@ -299,28 +299,20 @@ void knot_rdata_dnskey_key(const knot_rrset_t *rrset, size_t pos, uint8_t **key,
}
static inline
const knot_dname_t *knot_rdata_nsec_next(const knot_rrset_t *rrset, size_t pos)
const knot_dname_t *knot_rdata_nsec_next(const knot_rrset_t *rrset)
{
if (rrset == NULL || rrset->rdata_count <= pos) {
return NULL;
}
return rrset_rdata_pointer(rrset, pos);
return rrset_rdata_pointer(rrset, 0);
}
static inline
void knot_rdata_nsec_bitmap(const knot_rrset_t *rrset, size_t rr_pos,
void knot_rdata_nsec_bitmap(const knot_rrset_t *rrset,
uint8_t **bitmap, uint16_t *size)
{
if (rrset == NULL || rr_pos >= rrset->rdata_count) {
return;
}
uint8_t *rdata = knot_rrset_get_rdata(rrset, rr_pos);