Commit 3ac1725a authored by Daniel Salzman's avatar Daniel Salzman

Merge branch 'no_nsec_flag' into 'master'

nsec: removed no longer needed flag

See merge request !960
parents 0fa0955e 772e1f32
......@@ -132,8 +132,6 @@ static int connect_nsec_nodes(zone_node_t *a, zone_node_t *b,
return KNOT_EOK;
}
// Mark the node so that we do not sign this NSEC
a->flags |= NODE_FLAGS_REMOVED_NSEC;
ret = knot_nsec_changeset_remove(a, data->changeset);
if (ret != KNOT_EOK) {
knot_rdataset_clear(&new_nsec.rrs, NULL);
......
......@@ -511,9 +511,6 @@ static int create_nsec3_nodes(const zone_contents_t *zone,
if (result != KNOT_EOK) {
break;
}
if (node_rrtype_exists(node, KNOT_RRTYPE_NSEC)) {
node->flags |= NODE_FLAGS_REMOVED_NSEC;
}
if (node->flags & NODE_FLAGS_NONAUTH || node->flags & NODE_FLAGS_EMPTY) {
trie_it_next(it);
continue;
......
......@@ -178,7 +178,7 @@ int knot_dnssec_zone_sign(zone_update_t *update,
goto done;
}
result = knot_zone_create_nsec_chain(update, &keyset, &ctx, false);
result = knot_zone_create_nsec_chain(update, &keyset, &ctx);
if (result != KNOT_EOK) {
log_zone_error(zone_name, "DNSSEC, failed to create NSEC%s chain (%s)",
ctx.policy->nsec3_enabled ? "3" : "",
......@@ -262,7 +262,7 @@ int knot_dnssec_sign_update(zone_update_t *update, zone_sign_reschedule_t *resch
goto done;
}
result = knot_zone_fix_nsec_chain(update, &keyset, &ctx, true);
result = knot_zone_fix_nsec_chain(update, &keyset, &ctx);
if (result != KNOT_EOK) {
log_zone_error(zone_name, "DNSSEC, failed to fix NSEC%s chain (%s)",
ctx.policy->nsec3_enabled ? "3" : "",
......
......@@ -58,58 +58,6 @@ static int delete_nsec3_chain(const zone_contents_t *zone, changeset_t *changese
return ret;
}
/*!
* \brief Finds a node with the same owner as the given NSEC3 RRSet and marks it
* as 'removed'.
*
* \param rrset RRSet whose owner will be sought in the zone tree. non-NSEC3
* RRSets are ignored.
* \param nsec3tree NSEC3 tree to search for the node in.
*/
static int mark_nsec3(knot_rrset_t *rrset, zone_tree_t *nsec3_tree)
{
assert(rrset);
assert(nsec3_tree);
if (rrset->type == KNOT_RRTYPE_NSEC3) {
zone_node_t *node = zone_tree_get(nsec3_tree, rrset->owner);
if (node != NULL) {
node->flags |= NODE_FLAGS_REMOVED_NSEC;
}
}
return KNOT_EOK;
}
/*!
* \brief Marks all NSEC3 nodes in zone from which RRSets are to be removed.
*
* For each NSEC3 RRSet in the changeset finds its node and marks it with the
* 'removed' flag.
*/
static int mark_removed_nsec3(const zone_contents_t *zone, changeset_t *ch)
{
if (zone_tree_is_empty(zone->nsec3_nodes)) {
return KNOT_EOK;
}
changeset_iter_t itt;
changeset_iter_rem(&itt, ch);
knot_rrset_t rr = changeset_iter_next(&itt);
while (!knot_rrset_empty(&rr)) {
int ret = mark_nsec3(&rr, zone->nsec3_nodes);
if (ret != KNOT_EOK) {
changeset_iter_clear(&itt);
return ret;
}
rr = changeset_iter_next(&itt);
}
changeset_iter_clear(&itt);
return KNOT_EOK;
}
int knot_nsec3_hash_to_dname(uint8_t *out, size_t out_size, const uint8_t *hash,
size_t hash_size, const knot_dname_t *zone_apex)
......@@ -329,8 +277,7 @@ static dnssec_nsec3_params_t nsec3param_init(const knot_kasp_policy_t *policy,
int knot_zone_create_nsec_chain(zone_update_t *update,
const zone_keyset_t *zone_keys,
const kdnssec_ctx_t *ctx,
bool sign_nsec_chain)
const kdnssec_ctx_t *ctx)
{
if (update == NULL || ctx == NULL) {
return KNOT_EINVAL;
......@@ -358,29 +305,11 @@ int knot_zone_create_nsec_chain(zone_update_t *update,
if (ctx->policy->nsec3_enabled) {
ret = knot_nsec3_create_chain(update->new_cont, &params, nsec_ttl,
ctx->policy->nsec3_opt_out, &ch);
if (ret != KNOT_EOK) {
goto cleanup;
}
} else {
ret = knot_nsec_create_chain(update->new_cont, nsec_ttl, &ch);
if (ret != KNOT_EOK) {
goto cleanup;
if (ret == KNOT_EOK) {
ret = delete_nsec3_chain(update->new_cont, &ch);
}
ret = delete_nsec3_chain(update->new_cont, &ch);
if (ret != KNOT_EOK) {
goto cleanup;
}
// Mark removed NSEC3 nodes, so that they are not signed later.
ret = mark_removed_nsec3(update->new_cont, &ch);
if (ret != KNOT_EOK) {
goto cleanup;
}
}
if (sign_nsec_chain) {
ret = knot_zone_sign_nsecs_in_changeset(zone_keys, ctx, &ch);
}
if (ret == KNOT_EOK) {
......@@ -395,8 +324,7 @@ cleanup:
int knot_zone_fix_nsec_chain(zone_update_t *update,
const zone_keyset_t *zone_keys,
const kdnssec_ctx_t *ctx,
bool sign_nsec_chain)
const kdnssec_ctx_t *ctx)
{
if (update == NULL || ctx == NULL) {
return KNOT_EINVAL;
......@@ -446,10 +374,7 @@ int knot_zone_fix_nsec_chain(zone_update_t *update,
goto cleanup;
}
if (sign_nsec_chain) {
ret = knot_zone_sign_nsecs_in_changeset(zone_keys, ctx, &ch);
}
ret = knot_zone_sign_nsecs_in_changeset(zone_keys, ctx, &ch);
if (ret == KNOT_EOK) {
// Disable strict changeset application momentarily for the NSEC chain fix.
// This is important for NSEC3, since some nodes are removed from contents
......
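Review bot: The reworked else branch in knot_zone_create_nsec_chain drops the "mark removed NSEC3 nodes, so that they are not signed later" step, and nothing left in this hunk keeps the later signing pass away from the NSEC3 nodes that delete_nsec3_chain queues for removal in `ch`; presumably those removals are applied to the contents before that pass runs, but the ordering lives outside the hunk (the function continues past it) and is worth confirming. The folded error handling, `if (ret == KNOT_EOK) { ret = delete_nsec3_chain(update->new_cont, &ch); }`, is sound only because the next statement after both branches is the `if (ret == KNOT_EOK)` check at the end of the hunk, so anything inserted between them later must not assume `ret == KNOT_EOK`. A one-line comment above `delete_nsec3_chain`, `// stale NSEC3 nodes leave via the changeset; no per-node flag marks them for the signer any more`, would record why mark_removed_nsec3 could go.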
......@@ -70,26 +70,22 @@ int knot_create_nsec3_owner(uint8_t *out, size_t out_size,
* \param update Zone Update with current zone contents and to be updated with NSEC chain.
* \param zone_keys Zone keys used for NSEC(3) creation.
* \param ctx Signing context.
* \param sign_nsec_chain If true, the created NSEC(3) chain is signed at the end.
*
* \return Error code, KNOT_EOK if successful.
*/
int knot_zone_create_nsec_chain(zone_update_t *update,
const zone_keyset_t *zone_keys,
const kdnssec_ctx_t *ctx,
bool sign_nsec_chain);
const kdnssec_ctx_t *ctx);
/*!
* \brief Fix NSEC or NSEC3 chain after zone was updated.
* \brief Fix NSEC or NSEC3 chain after zone was updated, and sign the changed NSECs.
*
* \param update Zone Update with the update and to be update with NSEC chain.
* \param zone_keys Zone keys used for NSEC(3) creation.
* \param ctx Signing context.
* \param sign_nsec_chain If true, the created NSEC(3) chain is signed at the end.
*
* \return Error code, KNOT_EOK if successful.
*/
int knot_zone_fix_nsec_chain(zone_update_t *update,
const zone_keyset_t *zone_keys,
const kdnssec_ctx_t *ctx,
bool sign_nsec_chain);
const kdnssec_ctx_t *ctx);
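Review bot: The header comment of knot_zone_create_nsec_chain was not updated to match its new contract, while the sibling's brief now says it "sign[s] the changed NSECs"; with `sign_nsec_chain` gone, the create variant no longer signs anything itself (the conditional knot_zone_sign_nsecs_in_changeset call in nsec.c was removed with the parameter), and a caller reading only this header cannot tell that. Suggest extending its \brief, which sits above the hunk, with: `The created NSEC(3) records are not signed here; the caller is expected to sign them in a subsequent zone signing pass.`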
......@@ -548,7 +548,6 @@ static int sign_node(zone_node_t **node, void *data)
int result = sign_node_rrsets(*node, args->zone_keys, args->dnssec_ctx,
args->changeset, &args->expires_at);
(*node)->flags &= ~NODE_FLAGS_REMOVED_NSEC;
return result;
}
......@@ -1178,12 +1177,6 @@ bool knot_zone_sign_rr_should_be_signed(const zone_node_t *node,
}
}
// These RRs have their signatures stored in changeset already
if ((node->flags & NODE_FLAGS_REMOVED_NSEC) &&
(rrset->type == KNOT_RRTYPE_NSEC || rrset->type == KNOT_RRTYPE_NSEC3)) {
return false;
}
return true;
}
......
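Review bot: With the early return deleted from knot_zone_sign_rr_should_be_signed, NSEC and NSEC3 RRSets now go through the same signing decision as every other type on every node, so the function relies on the incremental path (knot_zone_fix_nsec_chain, which signs the changeset's NSECs unconditionally after this change) never handing the same nodes to sign_node afterwards; if it did, a second RRSIG could be produced for the same RRSet. The call order is not visible here, so treat this as an assumption to confirm rather than a defect. A short comment where the removed check stood, `// NSEC/NSEC3 are signed like any other RRSet; chain fixes sign their own changeset`, would make the new contract explicit. The function's body starts above the hunk.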
......@@ -23,9 +23,6 @@
int adjust_cb_flags(zone_node_t *node, const zone_contents_t *zone)
{
// clear Removed NSEC flag so that no relicts remain
node->flags &= ~NODE_FLAGS_REMOVED_NSEC;
// check if this node is not a wildcard child of its parent
if (knot_dname_is_wildcard(node->owner)) {
assert(node->parent != NULL);
......
......@@ -75,8 +75,6 @@ enum node_flags {
NODE_FLAGS_DELEG = 1 << 0,
/*! \brief Node is not authoritative (i.e. below a zone cut). */
NODE_FLAGS_NONAUTH = 1 << 1,
/*! \brief NSEC/NSEC3 was removed from this node. */
NODE_FLAGS_REMOVED_NSEC = 1 << 2,
/*! \brief Node is empty and will be deleted after update. */
NODE_FLAGS_EMPTY = 1 << 3,
/*! \brief Node has a wildcard child. */
......
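Review bot: Removing NODE_FLAGS_REMOVED_NSEC leaves bit 2 unused between NODE_FLAGS_NONAUTH (1 << 1) and NODE_FLAGS_EMPTY (1 << 3) with nothing saying whether the gap is intentional. Either renumber the following flags or keep the gap and document it with `/*! \brief Bit 2 is unused (formerly NODE_FLAGS_REMOVED_NSEC). */` so the next reader does not wonder whether a definition went missing. Keeping the gap is the safer option if node flag values are ever compared across builds, which cannot be determined from this hunk.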