[Opendnssec-commits] [keihatsu.kirei.se/svn/dnssec] r3721 - in trunk/OpenDNSSEC/signer/src: signer util

Matthijs Mekking matthijs at nlnetlabs.nl
Wed Aug 11 09:57:00 CEST 2010


Author: matthijs
Date: 2010-08-11 09:57:00 +0200 (Wed, 11 Aug 2010)
New Revision: 3721

Modified:
   trunk/OpenDNSSEC/signer/src/signer/domain.c
   trunk/OpenDNSSEC/signer/src/signer/domain.h
   trunk/OpenDNSSEC/signer/src/signer/rrset.c
   trunk/OpenDNSSEC/signer/src/signer/rrset.h
   trunk/OpenDNSSEC/signer/src/signer/zonedata.c
   trunk/OpenDNSSEC/signer/src/signer/zonedata.h
   trunk/OpenDNSSEC/signer/src/util/util.c
   trunk/OpenDNSSEC/signer/src/util/util.h
Log:
fix bug with getting two SOA RRs in signed zone:
- rr comparison is different for SOA (because of serial)
- pivotal: http://www.pivotaltracker.com/story/show/4577304

improve serial arithmetic:
- don't update serial twice on ods-signer sign <zone>
- keep track of internal serial
 


Modified: trunk/OpenDNSSEC/signer/src/signer/domain.c
===================================================================
--- trunk/OpenDNSSEC/signer/src/signer/domain.c	2010-08-11 07:10:50 UTC (rev 3720)
+++ trunk/OpenDNSSEC/signer/src/signer/domain.c	2010-08-11 07:57:00 UTC (rev 3721)
@@ -71,11 +71,10 @@
     domain->nsec3 = NULL;
     domain->rrsets = ldns_rbtree_create(rrset_compare);
     domain->domain_status = DOMAIN_STATUS_NONE;
-    domain->inbound_serial = 0;
+    domain->internal_serial = 0;
     domain->outbound_serial = 0;
     /* nsec */
     domain->nsec_rrset = NULL;
-    domain->nsec_serial = 0;
     domain->nsec_bitmap_changed = 0;
     domain->nsec_nxt_changed = 0;
     return domain;
@@ -226,7 +225,7 @@
     se_log_assert(domain);
     se_log_assert(domain->rrsets);
 
-    if (DNS_SERIAL_GT(serial, domain->inbound_serial)) {
+    if (DNS_SERIAL_GT(serial, domain->internal_serial)) {
         if (domain->rrsets->root != LDNS_RBTREE_NULL) {
             node = ldns_rbtree_first(domain->rrsets);
         }
@@ -258,7 +257,7 @@
                 rrset = domain_del_rrset(domain, rrset);
             }
         }
-        domain->inbound_serial = serial;
+        domain->internal_serial = serial;
     }
     return 0;
 }
@@ -346,7 +345,7 @@
     se_log_assert(to->name);
     se_log_assert(stats);
 
-    if (DNS_SERIAL_GT(domain->inbound_serial, domain->outbound_serial)) {
+    if (DNS_SERIAL_GT(domain->internal_serial, domain->outbound_serial)) {
         /* create types bitmap */
         if (!domain->nsec_rrset || domain->nsec_bitmap_changed) {
             domain_nsecify_create_bitmap(domain, types, &types_count);
@@ -409,9 +408,9 @@
                 domain->nsec_bitmap_changed = 0;
             }
         }
-        domain->outbound_serial = domain->inbound_serial;
+        domain->outbound_serial = domain->internal_serial;
     }
-    domain->nsec_rrset->inbound_serial = domain->inbound_serial;
+    domain->nsec_rrset->internal_serial = domain->internal_serial;
     return 0;
 }
 
@@ -445,7 +444,7 @@
     se_log_assert(stats);
 
     orig_domain = domain->nsec3; /* use the back reference */
-    if (DNS_SERIAL_GT(orig_domain->inbound_serial,
+    if (DNS_SERIAL_GT(orig_domain->internal_serial,
         orig_domain->outbound_serial))
     {
         /* create types bitmap */
@@ -552,9 +551,9 @@
             }
             orig_domain->nsec_nxt_changed = 0;
         }
-        orig_domain->outbound_serial = orig_domain->inbound_serial;
+        orig_domain->outbound_serial = orig_domain->internal_serial;
     }
-    domain->nsec_rrset->inbound_serial = orig_domain->inbound_serial;
+    domain->nsec_rrset->internal_serial = orig_domain->internal_serial;
     return 0;
 }
 

Modified: trunk/OpenDNSSEC/signer/src/signer/domain.h
===================================================================
--- trunk/OpenDNSSEC/signer/src/signer/domain.h	2010-08-11 07:10:50 UTC (rev 3720)
+++ trunk/OpenDNSSEC/signer/src/signer/domain.h	2010-08-11 07:57:00 UTC (rev 3721)
@@ -72,9 +72,8 @@
     ldns_rbtree_t* rrsets;
     rrset_type* nsec_rrset;
     int domain_status;
-    uint32_t inbound_serial;
+    uint32_t internal_serial;
     uint32_t outbound_serial;
-    uint32_t nsec_serial;
     uint8_t nsec_bitmap_changed;
     uint8_t nsec_nxt_changed;
 };

Modified: trunk/OpenDNSSEC/signer/src/signer/rrset.c
===================================================================
--- trunk/OpenDNSSEC/signer/src/signer/rrset.c	2010-08-11 07:10:50 UTC (rev 3720)
+++ trunk/OpenDNSSEC/signer/src/signer/rrset.c	2010-08-11 07:57:00 UTC (rev 3721)
@@ -54,7 +54,7 @@
     rrset->rr_type = rrtype;
     rrset->rr_count = 0;
     rrset->rrsig_count = 0;
-    rrset->inbound_serial = 0;
+    rrset->internal_serial = 0;
     rrset->outbound_serial = 0;
     rrset->rrs = ldns_dnssec_rrs_new();
     rrset->add = NULL;
@@ -77,7 +77,7 @@
     rrset->rr_type = ldns_rr_get_type(rr);
     rrset->rr_count = 1;
     rrset->rrsig_count = 0;
-    rrset->inbound_serial = 0;
+    rrset->internal_serial = 0;
     rrset->outbound_serial = 0;
     rrset->rrs = ldns_dnssec_rrs_new();
     rrset->rrs->rr = rr;
@@ -204,7 +204,8 @@
 
     rrs = rrset->rrs;
     while (rrs) {
-        if (ldns_rr_compare(rrs->rr, rr) == 0) {
+        if (util_soa_compare(rrs->rr, rr) == 0 ||
+            ldns_rr_compare(rrs->rr, rr) == 0) {
             /* this is it */
             if (prev_rrs) {
                 prev_rrs->next = rrs->next;
@@ -213,12 +214,12 @@
             }
             ldns_rr_free(rrs->rr);
             se_free((void*)rrs);
+            rrset_log_rr(rr, "-RR", 5);
             return 1;
         }
         prev_rrs = rrs;
         rrs = rrs->next;
     }
-    rrset_log_rr(rr, "-RR", 2);
     return 0;
 }
 
@@ -237,7 +238,7 @@
     se_log_assert(rrset);
     se_log_assert(serial);
 
-    if (DNS_SERIAL_GT(serial, rrset->inbound_serial)) {
+    if (DNS_SERIAL_GT(serial, rrset->internal_serial)) {
         /* compare del and add */
         if (rrset_compare_rrs(rrset->del, rrset->add) != 0) {
             rrset->drop_signatures = 1;
@@ -266,7 +267,7 @@
         rrset->add = NULL;
         rrset->rr_count = rrset->rr_count + addcount;
         rrset->rr_count = rrset->rr_count - delcount;
-        rrset->inbound_serial = serial;
+        rrset->internal_serial = serial;
     }
     return 0;
 }

Modified: trunk/OpenDNSSEC/signer/src/signer/rrset.h
===================================================================
--- trunk/OpenDNSSEC/signer/src/signer/rrset.h	2010-08-11 07:10:50 UTC (rev 3720)
+++ trunk/OpenDNSSEC/signer/src/signer/rrset.h	2010-08-11 07:57:00 UTC (rev 3721)
@@ -46,7 +46,7 @@
     ldns_rr_type rr_type;
     uint32_t rr_count;
     uint32_t rrsig_count;
-    uint32_t inbound_serial;
+    uint32_t internal_serial;
     uint32_t outbound_serial;
     ldns_dnssec_rrs* rrs;
     ldns_dnssec_rrs* add;

Modified: trunk/OpenDNSSEC/signer/src/signer/zonedata.c
===================================================================
--- trunk/OpenDNSSEC/signer/src/signer/zonedata.c	2010-08-11 07:10:50 UTC (rev 3720)
+++ trunk/OpenDNSSEC/signer/src/signer/zonedata.c	2010-08-11 07:57:00 UTC (rev 3721)
@@ -68,6 +68,7 @@
     zd->initialized = 0;
     zd->nsec3_domains = NULL;
     zd->inbound_serial = 0;
+    zd->internal_serial = 0;
     zd->outbound_serial = 0;
     zd->default_ttl = 3600; /* configure --default-ttl option? */
     return zd;
@@ -390,13 +391,13 @@
             parent_domain->domain_status =
                 (ent2unsigned_deleg?DOMAIN_STATUS_ENT_NS:
                                     DOMAIN_STATUS_ENT_AUTH);
-            parent_domain->inbound_serial = domain->inbound_serial;
+            parent_domain->internal_serial = domain->internal_serial;
             domain->parent = parent_domain;
             /* continue with the parent domain */
             domain = parent_domain;
         } else {
             ldns_rdf_deep_free(parent_rdf);
-            parent_domain->inbound_serial = domain->inbound_serial;
+            parent_domain->internal_serial = domain->internal_serial;
             domain->parent = parent_domain;
             if (domain_count_rrset(parent_domain) <= 0) {
                 parent_domain->domain_status =
@@ -680,7 +681,7 @@
     se_log_assert(zd);
     se_log_assert(sc);
 
-    prev = zd->outbound_serial;
+    prev = zd->internal_serial;
     if (se_strcmp(sc->soa_serial, "unixtime") == 0) {
         soa = se_max(zd->inbound_serial, (uint32_t) time_now());
         if (!DNS_SERIAL_GT(soa, prev)) {
@@ -688,7 +689,12 @@
         }
         update = soa - prev;
     } else if (strncmp(sc->soa_serial, "counter", 7) == 0) {
-        soa = se_max(zd->inbound_serial, zd->outbound_serial);
+        soa = se_max(zd->inbound_serial, prev);
+        if (!zd->initialized) {
+            zd->internal_serial = soa + 1;
+            zd->initialized = 1;
+            return 0;
+        }
         if (!DNS_SERIAL_GT(soa, prev)) {
             soa = prev + 1;
         }
@@ -703,7 +709,7 @@
     } else if (strncmp(sc->soa_serial, "keep", 4) == 0) {
         soa = zd->inbound_serial;
         if (!zd->initialized) {
-            zd->outbound_serial = soa;
+            zd->internal_serial = soa;
             zd->initialized = 1;
             return 0;
         }
@@ -721,7 +727,7 @@
     }
 
     if (!zd->initialized) {
-        zd->outbound_serial = soa;
+        zd->internal_serial = soa;
         zd->initialized = 1;
         return 0;
     }
@@ -730,7 +736,7 @@
     if (update > 0x7FFFFFFF) {
         update = 0x7FFFFFFF;
     }
-    zd->outbound_serial = (prev + update); /* automatically does % 2^32 */
+    zd->internal_serial = (prev + update); /* automatically does % 2^32 */
     return 0;
 }
 
@@ -753,7 +759,10 @@
     se_log_assert(zd);
     se_log_assert(zd->domains);
 
-    error = zonedata_update_serial(zd, sc);
+    if (!DNS_SERIAL_GT(zd->internal_serial, zd->outbound_serial)) {
+        error = zonedata_update_serial(zd, sc);
+    }
+    zd->outbound_serial = zd->internal_serial;
     if (error || !zd->outbound_serial) {
         se_log_error("unable to update zonedata: failed to update serial");
         return 1;
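Review bot: `zd->outbound_serial = zd->internal_serial;` sits before the error test, so when zonedata_update_serial() fails the outbound serial is still overwritten before `return 1`; move the assignment below the `if (error || ...)` block and test `!zd->internal_serial` there instead. When the new DNS_SERIAL_GT guard skips the call, `error` is read without being assigned in this hunk; its declaration is outside the hunk, so confirm it is initialised to 0. This test and the one in the @@ -799 hunk also treat serial 0 as a failure, although `prev + update` in zonedata_update_serial() can wrap to 0. The function body starts and ends outside the hunk.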
@@ -799,7 +808,7 @@
     se_log_assert(zd->domains);
 
     error = zonedata_update_serial(zd, sc);
-    if (error || !zd->outbound_serial) {
+    if (error || !zd->internal_serial) {
         se_log_error("unable to update zonedata: failed to update serial");
         return 1;
     }
@@ -809,9 +818,9 @@
     }
     while (node && node != LDNS_RBTREE_NULL) {
         domain = (domain_type*) node->data;
-        if (domain_update(domain, zd->outbound_serial) != 0) {
+        if (domain_update(domain, zd->internal_serial) != 0) {
             se_log_error("unable to update zonedata to serial %u: failed "
-                "to update domain", zd->outbound_serial);
+                "to update domain", zd->internal_serial);
             return 1;
         }
         node = ldns_rbtree_next(node);

Modified: trunk/OpenDNSSEC/signer/src/signer/zonedata.h
===================================================================
--- trunk/OpenDNSSEC/signer/src/signer/zonedata.h	2010-08-11 07:10:50 UTC (rev 3720)
+++ trunk/OpenDNSSEC/signer/src/signer/zonedata.h	2010-08-11 07:57:00 UTC (rev 3721)
@@ -52,6 +52,7 @@
     int initialized;
     uint32_t default_ttl; /* fallback ttl */
     uint32_t inbound_serial; /* last seen inbound soa serial */
+    uint32_t internal_serial; /* latest internal soa serial */
     uint32_t outbound_serial; /* last written outbound soa serial */
 };
 

Modified: trunk/OpenDNSSEC/signer/src/util/util.c
===================================================================
--- trunk/OpenDNSSEC/signer/src/util/util.c	2010-08-11 07:10:50 UTC (rev 3720)
+++ trunk/OpenDNSSEC/signer/src/util/util.c	2010-08-11 07:57:00 UTC (rev 3721)
@@ -57,6 +57,66 @@
 
 
 /**
+ * Compare SOA RDATAs.
+ *
+ */
+int
+util_soa_compare_rdata(ldns_rr* rr1, ldns_rr* rr2)
+{
+    size_t i = 0;
+    size_t rdata_count = SE_SOA_RDATA_MINIMUM;
+
+    for (i = 0; i <= rdata_count; i++) {
+        if (i != SE_SOA_RDATA_SERIAL &&
+            ldns_rdf_compare(ldns_rr_rdf(rr1, i), ldns_rr_rdf(rr2, i)) != 0) {
+                return 1;
+        }
+    }
+    return 0;
+}
+
+
+/**
+ * Compare SOA RRs.
+ *
+ */
+int
+util_soa_compare(ldns_rr* rr1, ldns_rr* rr2)
+{
+    size_t rr1_len = 0;
+    size_t rr2_len = 0;
+    size_t offset = 0;
+
+    se_log_assert(rr1);
+    se_log_assert(rr2);
+
+    rr1_len = ldns_rr_uncompressed_size(rr1);
+    rr2_len = ldns_rr_uncompressed_size(rr2);
+    if (ldns_dname_compare(ldns_rr_owner(rr1), ldns_rr_owner(rr2)) != 0) {
+        return 1;
+    }
+    if (ldns_rr_get_class(rr1) != ldns_rr_get_class(rr2)) {
+        return 1;
+    }
+    if (ldns_rr_get_type(rr1) != LDNS_RR_TYPE_SOA) {
+        return 1;
+    }
+    if (ldns_rr_get_type(rr1) != ldns_rr_get_type(rr2)) {
+        return 1;
+    }
+    if (offset > rr1_len || offset > rr2_len) {
+        if (rr1_len == rr2_len) {
+            return util_soa_compare_rdata(rr1, rr2);
+        }
+        return 1;
+    }
+
+    return util_soa_compare_rdata(rr1, rr2);
+}
+
+
+
+/**
  * Compare RRs only on RDATA.
  *
  */
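Review bot: In util_soa_compare() `offset` is set to 0 and never changed, so `offset > rr1_len || offset > rr2_len` cannot be true and the two ldns_rr_uncompressed_size() results are never used; the length check that branch seems meant to make does not happen. If the aim is to reject SOA records of different shape, compare field counts before the RDATA loop, e.g. `if (ldns_rr_rd_count(rr1) != ldns_rr_rd_count(rr2)) return 1;`. util_soa_compare_rdata() has no se_log_assert on its arguments and relies on ldns_rr_rdf() and ldns_rdf_compare() tolerating a missing field when a record has fewer RDATA fields than the loop visits; since rrset.c uses this match to decide which RR to delete, the doc comments should state that the serial field is skipped and that 0 means equal. The helper is not declared in the util.h hunk, so it could probably be `static`.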

Modified: trunk/OpenDNSSEC/signer/src/util/util.h
===================================================================
--- trunk/OpenDNSSEC/signer/src/util/util.h	2010-08-11 07:10:50 UTC (rev 3720)
+++ trunk/OpenDNSSEC/signer/src/util/util.h	2010-08-11 07:57:00 UTC (rev 3721)
@@ -60,6 +60,15 @@
 int util_is_dnssec_rr(ldns_rr* rr);
 
 /**
+ * Compare RRs, ignore SOA SERIAL.
+ * \param[in] rr1 RR
+ * \param[in] rr2 another RR
+ * \return int 0 if equal SOA RRs, 1 otherwise
+ *
+ */
+int util_soa_compare(ldns_rr* rr1, ldns_rr* rr2);
+
+/**
  * Compare RRs only on RDATA.
  * \param[in] rr1 RR
  * \param[in] rr2 another RR



