Commit 8dcef6ca authored by Jan Kadlec's avatar Jan Kadlec

Removed chain fix code for both NSEC and NSEC3.

- A lot of bugs were uncovered with new tests and fixes got out of hand - the code was no longer readable (not that it was readable before)
- Totally unfeasible to fix before new zone API is done. I've fixed the code, but the result was too complex and unmaintainable.
parent ef9d258f
This diff is collapsed.
......@@ -17,7 +17,6 @@
* \file nsec-chain.h
*
* \author Jan Vcelak <jan.vcelak@nic.cz> (chain creation)
* \author Jan Kadlec <jan.kadlec@nic.cz> (chain fix)
*
* \brief NSEC chain fix and creation.
*
......@@ -35,21 +34,6 @@
#include "knot/updates/changesets.h"
#include "libknot/dnssec/bitmap.h"
/*!
* \brief Parameters to be used when fixing NSEC(3) chain.
*/
typedef struct chain_fix_data {
const knot_zone_contents_t *zone; // Zone to fix
knot_changeset_t *out_ch; // Outgoing changes
const knot_dname_t *chain_start; // Possible new starting node
bool old_connected; // Marks old start connection
const knot_dname_t *last_used_dname; // Last dname used in chain
const knot_node_t *last_used_node; // Last covered node used in chain
knot_dname_t *next_dname; // Used to reconnect broken chain
const hattrie_t *sorted_changes; // Iterated trie
uint32_t ttl; // TTL for NSEC(3) records
} chain_fix_data_t;
/*!
* \brief Parameters to be used in connect_nsec_nodes callback.
*/
......@@ -64,18 +48,7 @@ typedef struct {
*/
enum {
NSEC_NODE_SKIP = 1,
NSEC_NODE_RESET = 2
};
/*!
* \brief Callback used when fixing NSEC chains.
*/
typedef int (*chain_iterate_fix_cb)(knot_dname_t *, knot_dname_t *,
knot_dname_t *, knot_dname_t *,
chain_fix_data_t *);
/*!
* \brief Callback used when finalizing NSEC chains.
*/
typedef int (*chain_finalize_cb)(chain_fix_data_t *);
/*!
* \brief Callback used when creating NSEC chains.
......@@ -116,25 +89,6 @@ int knot_nsec_chain_iterate_create(knot_zone_tree_t *nodes,
chain_iterate_create_cb callback,
nsec_chain_iterate_data_t *data);
/*!
* \brief Iterates sorted changeset and calls callback function - works for
* NSEC and NSEC3 chain.
*
* \note If the callback function returns anything other than KNOT_EOK, the
* iteration is terminated and the error code is propagated.
*
* \param nodes Tree to fix.
* \param callback Callback to call.
* \param finalize Finalization callback.
* \param data Data needed for fixing.
*
* \return KNOT_E*
*/
int knot_nsec_chain_iterate_fix(hattrie_t *nodes,
chain_iterate_fix_cb callback,
chain_finalize_cb finalize,
chain_fix_data_t *data);
/*!
* \brief Add entry for removed NSEC(3) and its RRSIG to the changeset.
*
......@@ -169,16 +123,4 @@ bool knot_nsec_only_nsec_and_rrsigs_in_node(const knot_node_t *n);
int knot_nsec_create_chain(const knot_zone_contents_t *zone, uint32_t ttl,
knot_changeset_t *changeset);
/*!
* \brief Fixes NSEC chain after DDNS/reload
*
* \param sorted_changes Sorted changes created by changeset sign function.
* \param fix_data Chain fix data.
*
* \return KNOT_E*
*/
int knot_nsec_fix_chain(hattrie_t *sorted_changes,
chain_fix_data_t *fix_data);
#endif // _KNOT_DNSSEC_NSEC_CHAIN_FIX_H_
This diff is collapsed.
......@@ -16,10 +16,9 @@
/*!
* \file nsec3-chain-fix.h
*
* \author Jan Kadlec <jan.kadlec@nic.cz> (chain fix)
* \author Jan Vcelak <jan.vcelak@nic.cz> (chain creation)
*
* \brief NSEC3 chain fix and creation.
* \brief NSEC3 chain creation.
*
* \addtogroup dnssec
* @{
......@@ -43,14 +42,4 @@
int knot_nsec3_create_chain(const knot_zone_contents_t *zone, uint32_t ttl,
knot_changeset_t *changeset);
/*!
* \brief Fixes NSEC3 chain after DDNS/reload.
*
* \param sorted_changes Sorted changes created by changeset sign function.
* \param fix_data Chain fix data.
*
* \return KNOT_E*
*/
int knot_nsec3_fix_chain(hattrie_t *sorted_changes, chain_fix_data_t *fix_data);
#endif // _KNOT_DNSSEC_NSEC3_CHAIN_FIX_H_
......@@ -182,10 +182,9 @@ int knot_dnssec_sign_changeset(const knot_zone_contents_t *zone,
knot_changeset_t *out_ch,
knot_update_serial_t soa_up,
uint32_t *refresh_at,
uint32_t new_serial,
hattrie_t **sorted_changes)
uint32_t new_serial)
{
if (!refresh_at || !sorted_changes) {
if (!refresh_at) {
return KNOT_EINVAL;
}
......@@ -210,7 +209,7 @@ int knot_dnssec_sign_changeset(const knot_zone_contents_t *zone,
}
// Sign added and removed RRSets in changeset
ret = knot_zone_sign_changeset(zone, in_ch, out_ch, sorted_changes,
ret = knot_zone_sign_changeset(zone, in_ch, out_ch,
&zone_keys, &policy);
if (ret != KNOT_EOK) {
log_zone_error("%s Failed to sign changeset (%s)\n", msgpref,
......@@ -220,13 +219,10 @@ int knot_dnssec_sign_changeset(const knot_zone_contents_t *zone,
return ret;
}
assert(sorted_changes);
// Fix NSEC(3) chain
ret = knot_zone_fix_nsec_chain(zone,
*sorted_changes, out_ch,
&zone_keys, &policy);
// Create NSEC(3) chain
ret = knot_zone_create_nsec_chain(zone, out_ch, &zone_keys, &policy);
if (ret != KNOT_EOK) {
log_zone_error("%s Failed to fix NSEC(3) chain (%s)\n",
log_zone_error("%s Failed to create NSEC(3) chain (%s)\n",
msgpref, knot_strerror(ret));
knot_free_zone_keys(&zone_keys);
free(msgpref);
......
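Review bot: With the fix path removed, `knot_dnssec_sign_changeset` calls `knot_zone_create_nsec_chain` for every signed changeset, so each dynamic update to a signed zone presumably rebuilds the whole NSEC(3) chain instead of only the part the update touched. The later hunk in `xfrin_finalize_updated_zone` makes the same trade: with `set_nsec3_names` true it now always takes `knot_zone_contents_adjust_full`, and the DDNS caller passes `handle_nsec3 = true`. That makes the cost of one incoming UPDATE grow with zone size, which matters for availability on large NSEC3 zones. I would record the trade-off at the call site, e.g. `// Full chain rebuild per update until the new zone API allows incremental fixes; cost grows with zone size`, and confirm that update access control is the documented guard for this path. The function body starts and ends outside the hunks shown here.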
......@@ -75,7 +75,6 @@ int knot_dnssec_zone_sign_force(knot_zone_contents_t *zone, conf_zone_t *zone_co
* \param soa_up SOA serial update policy.
* \param refresh_at Signature refresh time of the new signatures.
* \param new_serial New SOA serial.
* \param sorted_changes Info about made changes, used for partial adjustment.
*
* \return Error code, KNOT_EOK if successful.
*/
......@@ -84,8 +83,7 @@ int knot_dnssec_sign_changeset(const knot_zone_contents_t *zone,
const knot_changeset_t *in_ch,
knot_changeset_t *out_ch,
knot_update_serial_t soa_up,
uint32_t *refresh_at, uint32_t new_serial,
hattrie_t **sorted_changes);
uint32_t *refresh_at, uint32_t new_serial);
#endif // _KNOT_DNSSEC_ZONE_EVENTS_H_
/*! @} */
......@@ -287,44 +287,3 @@ int knot_zone_create_nsec_chain(const knot_zone_contents_t *zone,
return knot_zone_sign_nsecs_in_changeset(zone_keys, policy, changeset);
}
/*!
* \brief Fix NSEC or NSEC3 chain in the zone.
*/
int knot_zone_fix_nsec_chain(const knot_zone_contents_t *zone,
hattrie_t *sorted_changes,
knot_changeset_t *out_ch,
const knot_zone_keys_t *zone_keys,
const knot_dnssec_policy_t *policy)
{
if (zone == NULL || sorted_changes == NULL || zone_keys == NULL ||
policy == NULL) {
return KNOT_EINVAL;
}
if (hattrie_weight(sorted_changes) == 0) {
// no changes, no fix
return KNOT_EOK;
}
// Prepare data for chain fixing functions
chain_fix_data_t fix_data = { .zone = zone,
.out_ch = out_ch,
.next_dname = NULL,
.chain_start = NULL,
.old_connected = false,
.last_used_dname = NULL,
.last_used_node = NULL};
get_zone_soa_min_ttl(zone, &fix_data.ttl);
int ret = KNOT_EOK;
if (knot_is_nsec3_enabled(zone)) {
ret = knot_nsec3_fix_chain(sorted_changes, &fix_data);
} else {
// Fix NSEC chain
ret = knot_nsec_fix_chain(sorted_changes, &fix_data);
}
dbg_dnssec_verb("NSEC(3) chain fixed (%s)\n", knot_strerror(ret));
return ret;
}
......@@ -85,25 +85,6 @@ int knot_zone_create_nsec_chain(const knot_zone_contents_t *zone,
const knot_zone_keys_t *zone_keys,
const knot_dnssec_policy_t *policy);
/*!
* \brief Fix NSEC or NSEC3 chain in the zone.
*
* \param zone Zone for which the NSEC(3) chain will be created.
* \param sorted_changes Sorted changes created by 'sign_changeset' function.
* This param is updated with normal node -> NSEC3 node
* links, to be used later when adjusting zone.
* \param out_ch Changeset into which the changes will be added.
* \param zone_keys Zone keys used for NSEC(3) creation.
* \param policy DNSSEC signing policy.
*
* \return Error code, KNOT_EOK if successful.
*/
int knot_zone_fix_nsec_chain(const knot_zone_contents_t *zone,
hattrie_t *sorted_changes,
knot_changeset_t *out_ch,
const knot_zone_keys_t *zone_keys,
const knot_dnssec_policy_t *policy);
#endif // _KNOT_DNSSEC_ZONE_NSEC_H_
/*! @} */
......@@ -1204,6 +1204,12 @@ static int sign_changeset_wrap(knot_rrset_t *chg_rrset, void *data)
return KNOT_EOK;
}
/*!
* \brief Frees info node about update signing.
*
* \param val Node to free.
* \param d Unused.
*/
static int free_helper_trie_node(value_t *val, void *d)
{
UNUSED(d);
......@@ -1218,6 +1224,18 @@ static int free_helper_trie_node(value_t *val, void *d)
return KNOT_EOK;
}
/*!
* \brief Clears trie with info about update signing.
*
* \param t Trie to clear.
*/
static void knot_zone_clear_sorted_changes(hattrie_t *t)
{
if (t) {
hattrie_apply_rev(t, free_helper_trie_node, NULL);
}
}
/*- public API ---------------------------------------------------------------*/
/*!
......@@ -1369,12 +1387,10 @@ int knot_zone_sign_update_soa(const knot_rrset_t *soa,
int knot_zone_sign_changeset(const knot_zone_contents_t *zone,
const knot_changeset_t *in_ch,
knot_changeset_t *out_ch,
hattrie_t **sorted_changes,
const knot_zone_keys_t *zone_keys,
const knot_dnssec_policy_t *policy)
{
if (zone == NULL || in_ch == NULL || out_ch == NULL ||
sorted_changes == NULL) {
if (zone == NULL || in_ch == NULL || out_ch == NULL) {
return KNOT_EINVAL;
}
......@@ -1398,13 +1414,11 @@ int knot_zone_sign_changeset(const knot_zone_contents_t *zone,
ret = knot_changeset_apply((knot_changeset_t *)in_ch,
KNOT_CHANGESET_REMOVE,
sign_changeset_wrap, &args);
} else {
knot_zone_clear_sorted_changes(args.signed_tree);
hattrie_free(args.signed_tree);
args.signed_tree = NULL;
}
*sorted_changes = args.signed_tree;
knot_zone_clear_sorted_changes(args.signed_tree);
hattrie_free(args.signed_tree);
return ret;
}
......@@ -1492,9 +1506,3 @@ int knot_zone_sign_rr_should_be_signed(const knot_node_t *node,
return KNOT_EOK;
}
void knot_zone_clear_sorted_changes(hattrie_t *t)
{
if (t) {
hattrie_apply_rev(t, free_helper_trie_node, NULL);
}
}
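Review bot: At the tail of `knot_zone_sign_changeset`, `hattrie_free(args.signed_tree)` is called without the NULL check that `knot_zone_clear_sorted_changes` applies to the same pointer, and the allocation of `signed_tree` is outside the hunk. It is worth confirming that the tree cannot be NULL here and that no earlier return skips this cleanup. Moving the `hattrie_free` call into the helper would keep ownership of the tree in one place. The helper is now `static` but keeps the exported-looking `knot_zone_` prefix; a file-local name such as `clear_signed_tree` would make clear it is no longer API. The new doc comment on `free_helper_trie_node` could also state its return value, `\return KNOT_EOK`, as far as the visible lines show.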
......@@ -99,7 +99,6 @@ bool knot_zone_sign_soa_expired(const knot_zone_contents_t *zone,
* \param zone New zone contents.
* \param in_ch Changeset created bvy DDNS or zone-diff
* \param out_ch New records will be added to this changeset.
* \param sorted_changes Sorted representation of changes.
* \param zone_keys Keys to use for signing.
* \param policy DNSSEC signing policy.
*
......@@ -108,7 +107,6 @@ bool knot_zone_sign_soa_expired(const knot_zone_contents_t *zone,
int knot_zone_sign_changeset(const knot_zone_contents_t *zone,
const knot_changeset_t *in_ch,
knot_changeset_t *out_ch,
hattrie_t **sorted_changes,
const knot_zone_keys_t *zone_keys,
const knot_dnssec_policy_t *policy);
......@@ -141,8 +139,6 @@ int knot_zone_sign_rr_should_be_signed(const knot_node_t *node,
const knot_rrset_t *rrset,
hattrie_t *trie, bool *should_sign);
void knot_zone_clear_sorted_changes(hattrie_t *t);
#endif // _KNOT_DNSSEC_ZONE_SIGN_H_
/*! @} */
......@@ -230,8 +230,7 @@ int knot_ns_process_update(const knot_pkt_t *query,
// 3) Finalize zone
dbg_ns_verb("Finalizing updated zone...\n");
ret = xfrin_finalize_updated_zone(contents_copy, false,
NULL);
ret = xfrin_finalize_updated_zone(contents_copy, false);
if (ret != KNOT_EOK) {
dbg_ns("Failed to finalize updated zone: %s\n",
knot_strerror(ret));
......@@ -348,8 +347,6 @@ static int zones_process_update_auth(zone_t *zone, knot_pkt_t *query,
// Apply changeset to zone created by DDNS processing
hattrie_t *sorted_changes = NULL;
if (zone->conf->dnssec_enable) {
/*!
* Check if the UPDATE changed DNSKEYs. If yes, resign the whole
......@@ -368,7 +365,7 @@ static int zones_process_update_auth(zone_t *zone, knot_pkt_t *query,
knot_changesets_get_last(chgsets),
sec_ch, KNOT_SOA_SERIAL_KEEP,
&refresh_at,
new_serial, &sorted_changes);
new_serial);
}
if (ret != KNOT_EOK) {
......@@ -403,10 +400,7 @@ static int zones_process_update_auth(zone_t *zone, knot_pkt_t *query,
ret = xfrin_apply_changesets_dnssec_ddns(old_contents,
new_contents,
sec_chs,
chgsets,
sorted_changes);
knot_zone_clear_sorted_changes(sorted_changes);
hattrie_free(sorted_changes);
chgsets);
if (ret != KNOT_EOK) {
log_zone_error("%s: Failed to sign incoming update (%s)"
"\n", msg, knot_strerror(ret));
......
......@@ -2027,7 +2027,7 @@ static int diff_after_load(zone_t *zone, zone_t *old_zone,
if (ret == KNOT_EOK) {
ret = xfrin_finalize_updated_zone(
zone->contents, true, NULL);
zone->contents, true);
}
if (ret != KNOT_EOK) {
......@@ -2115,7 +2115,7 @@ static int store_chgsets_after_load(zone_t *old_zone, zone_t *zone,
diff_chs);
if (ret == KNOT_EOK) {
ret = xfrin_finalize_updated_zone(
zone->contents, true, NULL);
zone->contents, true);
}
} else {
assert(old_zone != NULL);
......
......@@ -1506,42 +1506,6 @@ static int xfrin_remove_empty_nodes(knot_zone_contents_t *z)
/*----------------------------------------------------------------------------*/
static int adjust_nsec3_changes(knot_zone_contents_t *contents,
hattrie_t *changes)
{
if (contents->nsec3_nodes == NULL) {
return KNOT_EOK;
}
hattrie_iter_t *itt = hattrie_iter_begin(changes, false);
if (itt == NULL) {
return KNOT_ENOMEM;
}
while (!hattrie_iter_finished(itt)) {
signed_info_t *val = (signed_info_t *)(*hattrie_iter_val(itt));
const knot_dname_t *dname = val->dname;
assert(dname);
const knot_dname_t *hash = val->hashed_dname;
if (hash) {
knot_node_t *nsec3_node =
knot_zone_contents_get_nsec3_node(contents, hash);
if (nsec3_node) {
knot_node_t *normal_node =
knot_zone_contents_get_node(contents,
dname);
if (normal_node) {
normal_node->nsec3_node = nsec3_node;
}
}
}
hattrie_iter_next(itt);
}
hattrie_iter_free(itt);
return KNOT_EOK;
}
/*----------------------------------------------------------------------------*/
int xfrin_prepare_zone_copy(knot_zone_contents_t *old_contents,
knot_zone_contents_t **new_contents)
{
......@@ -1603,8 +1567,7 @@ int xfrin_prepare_zone_copy(knot_zone_contents_t *old_contents,
/*----------------------------------------------------------------------------*/
int xfrin_finalize_updated_zone(knot_zone_contents_t *contents_copy,
bool set_nsec3_names,
const hattrie_t *sorted_changes)
bool set_nsec3_names)
{
if (contents_copy == NULL) {
return KNOT_EINVAL;
......@@ -1632,14 +1595,8 @@ int xfrin_finalize_updated_zone(knot_zone_contents_t *contents_copy,
dbg_xfrin("Adjusting zone contents.\n");
if (set_nsec3_names) {
if (sorted_changes) {
ret = knot_zone_contents_adjust_pointers(contents_copy);
ret = adjust_nsec3_changes(contents_copy,
(void *)sorted_changes);
} else {
ret = knot_zone_contents_adjust_full(contents_copy,
NULL, NULL);
}
ret = knot_zone_contents_adjust_full(contents_copy,
NULL, NULL);
} else {
ret = knot_zone_contents_adjust_pointers(contents_copy);
}
......@@ -1681,8 +1638,7 @@ int xfrin_apply_changesets_directly(knot_zone_contents_t *contents,
int xfrin_apply_changesets_dnssec_ddns(knot_zone_contents_t *z_old,
knot_zone_contents_t *z_new,
knot_changesets_t *sec_chsets,
knot_changesets_t *chsets,
const hattrie_t *sorted_changes)
knot_changesets_t *chsets)
{
if (z_old == NULL || z_new == NULL ||
sec_chsets == NULL || chsets == NULL) {
......@@ -1703,7 +1659,7 @@ int xfrin_apply_changesets_dnssec_ddns(knot_zone_contents_t *z_old,
}
const bool handle_nsec3 = true;
ret = xfrin_finalize_updated_zone(z_new, handle_nsec3, sorted_changes);
ret = xfrin_finalize_updated_zone(z_new, handle_nsec3);
if (ret != KNOT_EOK) {
dbg_xfrin("Failed to finalize updated zone: %s\n",
knot_strerror(ret));
......@@ -1766,7 +1722,7 @@ int xfrin_apply_changesets(zone_t *zone,
*/
dbg_xfrin_verb("Finalizing updated zone...\n");
ret = xfrin_finalize_updated_zone(contents_copy, true, NULL);
ret = xfrin_finalize_updated_zone(contents_copy, true);
if (ret != KNOT_EOK) {
dbg_xfrin("Failed to finalize updated zone: %s\n",
knot_strerror(ret));
......
......@@ -159,7 +159,6 @@ int xfrin_apply_changesets(zone_t *zone,
* \param z_new Post DDNS/reload zone.
* \param sec_chsets Changes with RRSIGs/NSEC(3)s.
* \param chsets DDNS/reload changes, for rollback.
* \param sorted_changes Used for node->nsec3 node mapping.
* \return KNOT_E*
*
* This function does not do shallow copy of the zone, as it is already created
......@@ -169,8 +168,7 @@ int xfrin_apply_changesets(zone_t *zone,
int xfrin_apply_changesets_dnssec_ddns(knot_zone_contents_t *z_old,
knot_zone_contents_t *z_new,
knot_changesets_t *sec_chsets,
knot_changesets_t *chsets,
const hattrie_t *sorted_changes);
knot_changesets_t *chsets);
/*!
* \brief Applies changesets directly to the zone, without copying it.
......@@ -196,13 +194,10 @@ int xfrin_prepare_zone_copy(knot_zone_contents_t *old_contents,
* \brief Sets pointers and NSEC3 nodes after signing/DDNS.
* \param contents_copy Contents to be updated.
* \param set_nsec3_names Set to true if NSEC3 hashes should be set.
* \param sorted_changes If this is non-NULL, it is used for normal node->NSEC3
* node mapping, no hashes are calculated.
* \return KNOT_E*
*/
int xfrin_finalize_updated_zone(knot_zone_contents_t *contents_copy,
bool set_nsec3_names,
const hattrie_t *sorted_changes);
bool set_nsec3_names);
int xfrin_switch_zone(zone_t *zone,
knot_zone_contents_t *new_contents,
......