[Opendnssec-commits] [keihatsu.kirei.se/svn/dnssec] r4076 - trunk/OpenDNSSEC/signer/src/signer

Matthijs Mekking matthijs at nlnetlabs.nl
Mon Oct 11 16:11:40 CEST 2010


Author: matthijs
Date: 2010-10-11 16:11:39 +0200 (Mon, 11 Oct 2010)
New Revision: 4076

Modified:
   trunk/OpenDNSSEC/signer/src/signer/domain.c
   trunk/OpenDNSSEC/signer/src/signer/domain.h
   trunk/OpenDNSSEC/signer/src/signer/zone.c
   trunk/OpenDNSSEC/signer/src/signer/zonedata.c
   trunk/OpenDNSSEC/signer/src/signer/zonedata.h
Log:
fix for checking occluded data below DNAME, and below or at NS



Modified: trunk/OpenDNSSEC/signer/src/signer/domain.c
===================================================================
--- trunk/OpenDNSSEC/signer/src/signer/domain.c	2010-10-11 12:20:13 UTC (rev 4075)
+++ trunk/OpenDNSSEC/signer/src/signer/domain.c	2010-10-11 14:11:39 UTC (rev 4076)
@@ -263,6 +263,43 @@
 
 
 /**
+ * Examine domain and verify if data exists.
+ *
+ */
+int
+domain_examine_data_exists(domain_type* domain, ldns_rr_type rrtype,
+    int skip_glue)
+{
+    ldns_rbnode_t* node = LDNS_RBTREE_NULL;
+    rrset_type* rrset = NULL;
+
+    se_log_assert(domain);
+
+    if (domain->rrsets->root != LDNS_RBTREE_NULL) {
+        node = ldns_rbtree_first(domain->rrsets);
+    }
+    while (node && node != LDNS_RBTREE_NULL) {
+        rrset = (rrset_type*) node->data;
+        if (rrset_count_RR(rrset) > 0) {
+            if (rrtype) {
+                /* looking for a specific RRset */
+                if (rrset->rr_type == rrtype) {
+                    return 0;
+                }
+            } else if (!skip_glue ||
+                (rrset->rr_type != LDNS_RR_TYPE_A &&
+                 rrset->rr_type != LDNS_RR_TYPE_AAAA)) {
+                /* not glue or not skipping glue */
+                return 0;
+            }
+        }
+        node = ldns_rbtree_next(node);
+    }
+    return 1;
+}
+
+
+/**
  * Examine domain and verify if there is no other data next to a RRset.
  *
  */
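Review bot: The return polarity of domain_examine_data_exists is inverted relative to its name: it returns 0 when a matching RRset with RRs is found and 1 when nothing is found, and the only documentation is the one-line header above the definition. A comment on the definition such as `/* returns 0 if (matching, non-skipped) data exists at this domain, 1 otherwise */` would stop callers from reading it as a boolean. Also, once rrtype is non-zero the skip_glue argument is ignored, so `domain_examine_data_exists(d, LDNS_RR_TYPE_A, 1)` still reports an A RRset as data; if that is intended, the comment should say that skip_glue only applies to the rrtype == 0 case.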
@@ -306,6 +343,41 @@
 
 
 /**
+ * Examine domain and verify if there is no occluded data next to a delegation.
+ *
+ */
+int
+domain_examine_valid_zonecut(domain_type* domain)
+{
+    ldns_rbnode_t* node = LDNS_RBTREE_NULL;
+    rrset_type* rrset = NULL;
+
+    se_log_assert(domain);
+
+    rrset = domain_lookup_rrset(domain, LDNS_RR_TYPE_NS);
+    if (rrset && rrset_count_RR(rrset) > 0) {
+        /* make sure all other RRsets become empty (except DS, glue) */
+        if (domain->rrsets->root != LDNS_RBTREE_NULL) {
+            node = ldns_rbtree_first(domain->rrsets);
+        }
+        while (node && node != LDNS_RBTREE_NULL) {
+            rrset = (rrset_type*) node->data;
+            if (rrset->rr_type != LDNS_RR_TYPE_DS &&
+                rrset->rr_type != LDNS_RR_TYPE_NS &&
+                rrset->rr_type != LDNS_RR_TYPE_A &&
+                rrset->rr_type != LDNS_RR_TYPE_AAAA &&
+                rrset_count_RR(rrset) > 0) {
+                /* found occluded data next to delegation */
+                return 1;
+            }
+            node = ldns_rbtree_next(node);
+        }
+    }
+    return 0;
+}
+
+
+/**
  * Examine domain and verify if the RRset is a singleton.
  *
  */
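Review bot: domain_examine_valid_zonecut returns 1 when the zonecut is not valid (occluded data found next to a non-empty NS RRset) and 0 when it is, which is the opposite of what the name suggests; a comment at the definition, `/* returns 1 if non-glue, non-DS data sits next to a non-empty NS RRset, 0 otherwise */`, would make that explicit. The whitelist in the inner loop admits only DS, NS, A and AAAA, so if an input zone file ever carries RRSIG, NSEC or NSEC3 records at a delegation (for example a previously signed zone), they would be reported as occluded data; worth confirming that is the intended behavior or extending the whitelist. The outer `rrset` variable is reused for the loop cursor, which is fine but would read more clearly with a separate local.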
@@ -335,59 +407,6 @@
 
 
 /**
- * Examine domain and verify if it is occluded.
- *
- */
-int
-domain_examine_is_occluded(domain_type* domain, ldns_rr_type rrtype)
-{
-    domain_type* parent = NULL;
-    ldns_rbnode_t* node = LDNS_RBTREE_NULL;
-    rrset_type* rrset = NULL;
-    int possible_occluded = 0;
-    char *str_name = NULL;
-    char *str_type = NULL;
-
-    se_log_assert(domain);
-
-    /* make sure all other RRsets become empty */
-    if (domain->rrsets->root != LDNS_RBTREE_NULL) {
-        node = ldns_rbtree_first(domain->rrsets);
-    }
-    while (node && node != LDNS_RBTREE_NULL) {
-        rrset = (rrset_type*) node->data;
-        if (rrset_count_RR(rrset) > 0) {
-            /* domain will have data */
-            if (rrtype != LDNS_RR_TYPE_NS ||
-                (rrset->rr_type != LDNS_RR_TYPE_A &&
-                 rrset->rr_type != LDNS_RR_TYPE_AAAA)) {
-                possible_occluded = 1;
-                break;
-            }
-        }
-        node = ldns_rbtree_next(node);
-    }
-
-    if (possible_occluded) {
-        parent = domain->parent;
-        while (parent && parent->domain_status != DOMAIN_STATUS_APEX) {
-            if (domain_lookup_rrset(parent, rrtype)) {
-                str_name = ldns_rdf2str(parent->name);
-                str_type = ldns_rr_type2str(rrtype);
-                se_log_error("data%s below %s %s",
-                    rrtype==LDNS_RR_TYPE_NS?" (non-glue)":"",
-                    str_name, str_type);
-                se_free((void*)str_name);
-                se_free((void*)str_type);
-                return 1;
-            }
-            parent = parent->parent;
-        }
-    }
-    return 0;
-}
-
-/**
  * Update domain with pending changes.
  *
  */

Modified: trunk/OpenDNSSEC/signer/src/signer/domain.h
===================================================================
--- trunk/OpenDNSSEC/signer/src/signer/domain.h	2010-10-11 12:20:13 UTC (rev 4075)
+++ trunk/OpenDNSSEC/signer/src/signer/domain.h	2010-10-11 14:11:39 UTC (rev 4076)
@@ -134,7 +134,27 @@
  */
 int domain_count_rrset(domain_type* domain);
 
+
 /**
+ * Examine domain and verify if data exists.
+ * \param[in] domain domain
+ * \param[in] rrtype RRtype look for a specific RRset
+ * \param[in] skip_glue skip glue records
+ * \retun 0 if data is alone, 1 otherwise
+ *
+ */
+int domain_examine_data_exists(domain_type* domain, ldns_rr_type rrtype,
+    int skip_glue);
+
+/**
+ * Examine domain and verify if it is a valid zonecut (or no NS RRs).
+ * \param[in] domain domain
+ * \retun 0 if the RRset is a valid zonecut (or no zonecut), 1 otherwise
+ *
+ */
+int domain_examine_valid_zonecut(domain_type* domain);
+
+/**
  * Examine domain and verify if there is no other data next to a RRset.
  * \param[in] domain domain
  * \param[in] rrtype RRtype
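Review bot: The documented return of domain_examine_data_exists, `\retun 0 if data is alone, 1 otherwise`, does not describe the function: per the domain.c change it returns 0 when a matching (non-skipped) RRset with RRs exists and 1 when none does, so the text should read `\return 0 if matching data exists, 1 otherwise`. Both new comment blocks spell the tag `\retun` instead of `\return`, so Doxygen will not recognize it. The rrtype parameter doc should also say that 0 means "any type", since the implementation treats a zero rrtype as a wildcard.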
@@ -153,15 +173,6 @@
 int domain_examine_rrset_is_singleton(domain_type* domain, ldns_rr_type rrtype);
 
 /**
- * Examine domain and verify that it is not occluded.
- * \param[in] domain domain
- * \param[in] rrtype RRtype DNAME or NS
- * \retun 0 if the domain contains occluded data, other than glue, 1 otherwise
- *
- */
-int domain_examine_is_occluded(domain_type* domain, ldns_rr_type rrtype);
-
-/**
  * Update domain with pending changes.
  * \param[in] domain domain
  * \param[in] serial version to update to

Modified: trunk/OpenDNSSEC/signer/src/signer/zone.c
===================================================================
--- trunk/OpenDNSSEC/signer/src/signer/zone.c	2010-10-11 12:20:13 UTC (rev 4075)
+++ trunk/OpenDNSSEC/signer/src/signer/zone.c	2010-10-11 14:11:39 UTC (rev 4076)
@@ -429,7 +429,7 @@
     se_log_assert(zone->zonedata);
 
     /* examine zone data */
-    error = zonedata_examine(zone->zonedata,
+    error = zonedata_examine(zone->zonedata, zone->dname,
         zone->inbound_adapter->type==ADAPTER_FILE);
     if (error) {
         se_log_error("update zone %s failed: zone data contains errors",
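Review bot: zone->dname is now passed as the apex without being checked here, while zone->zonedata is asserted just above; the occlusion check inside zonedata_examine asserts apex on entry, so a NULL dname would only be caught after the call. Adding `se_log_assert(zone->dname);` next to the existing assert keeps the precondition visible at the caller. The enclosing function starts and ends outside the hunk.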

Modified: trunk/OpenDNSSEC/signer/src/signer/zonedata.c
===================================================================
--- trunk/OpenDNSSEC/signer/src/signer/zonedata.c	2010-10-11 12:20:13 UTC (rev 4075)
+++ trunk/OpenDNSSEC/signer/src/signer/zonedata.c	2010-10-11 14:11:39 UTC (rev 4076)
@@ -955,11 +955,88 @@
 
 
 /**
+ * Examine domain for occluded data.
+ *
+ */
+static int
+zonedata_examine_domain_is_occluded(zonedata_type* zd, domain_type* domain,
+    ldns_rdf* apex)
+{
+    ldns_rdf* parent_rdf = NULL;
+    ldns_rdf* next_rdf = NULL;
+    domain_type* parent_domain = NULL;
+    char* str_name = NULL;
+    char* str_parent = NULL;
+
+    se_log_assert(apex);
+    se_log_assert(domain);
+    se_log_assert(domain->name);
+    se_log_assert(zd);
+    se_log_assert(zd->domains);
+
+    if (ldns_dname_compare(domain->name, apex) == 0) {
+        return 0;
+    }
+
+    if (domain_examine_valid_zonecut(domain) != 0) {
+        str_name = ldns_rdf2str(domain->name);
+        se_log_error("occluded (non-glue non-DS) data at %s NS", str_name);
+        se_free((void*)str_name);
+        return 1;
+    }
+
+    parent_rdf = ldns_dname_left_chop(domain->name);
+    while (parent_rdf && ldns_dname_is_subdomain(parent_rdf, apex) &&
+           ldns_dname_compare(parent_rdf, apex) != 0) {
+
+        str_name = ldns_rdf2str(parent_rdf);
+
+        parent_domain = zonedata_lookup_domain(zd, parent_rdf);
+        next_rdf = ldns_dname_left_chop(parent_rdf);
+        ldns_rdf_deep_free(parent_rdf);
+
+        if (parent_domain) {
+            /* check for DNAME or NS */
+            if (domain_examine_data_exists(parent_domain, LDNS_RR_TYPE_DNAME,
+                0) == 0 && domain_examine_data_exists(domain, 0, 1) == 0) {
+                /* data below DNAME */
+                str_name = ldns_rdf2str(domain->name);
+                str_parent = ldns_rdf2str(parent_domain->name);
+                se_log_error("occluded data at %s (below %s DNAME)", str_name,
+                    str_parent);
+                se_free((void*)str_name);
+                se_free((void*)str_parent);
+                return 1;
+            } else if (domain_examine_data_exists(parent_domain,
+                LDNS_RR_TYPE_NS, 0) == 0 && domain_examine_data_exists(domain,
+                0, 1) == 0) {
+                /* data (non-glue) below NS */
+                str_name = ldns_rdf2str(domain->name);
+                str_parent = ldns_rdf2str(parent_domain->name);
+                se_log_error("occluded (non-glue) data at %s (below %s NS)",
+                    str_name, str_parent);
+                se_free((void*)str_name);
+                se_free((void*)str_parent);
+                return 1;
+            }
+        }
+
+        parent_rdf = next_rdf;
+    }
+
+    if (parent_rdf) {
+        ldns_rdf_deep_free(parent_rdf);
+    }
+    return 0;
+}
+
+
+/**
  * Examine zone data.
  *
  */
 int
-zonedata_examine(zonedata_type* zd, int is_file)
+zonedata_examine(zonedata_type* zd, ldns_rdf* apex, int is_file)
 {
     int error = 0;
     int result = 0;
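Review bot: The loop in zonedata_examine_domain_is_occluded leaks memory: `str_name = ldns_rdf2str(parent_rdf);` at the top of each iteration is never freed (and is overwritten before use in both error branches), and on the two `return 1` paths inside the loop `next_rdf`, allocated just before `parent_rdf` is freed, is not released either. Dropping that str_name assignment and adding `ldns_rdf_deep_free(next_rdf);` before each `return 1` inside the loop closes both leaks. Separately, the DNAME branch calls `domain_examine_data_exists(domain, 0, 1)` with skip_glue set, so a name below a DNAME that holds only A/AAAA records is not reported even though nothing below a DNAME can be glue; passing 0 there looks more accurate, but confirm against the intended check. The body of zonedata_examine at the end of the hunk continues outside it.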
@@ -974,29 +1051,30 @@
     }
     while (node && node != LDNS_RBTREE_NULL) {
         domain = (domain_type*) node->data;
-        result =
+        error =
         /* Thou shall not have other data next to CNAME */
         domain_examine_rrset_is_alone(domain, LDNS_RR_TYPE_CNAME) ||
         /* Thou shall have at most one CNAME per name */
         domain_examine_rrset_is_singleton(domain, LDNS_RR_TYPE_CNAME) ||
         /* Thou shall have at most one DNAME per name */
         domain_examine_rrset_is_singleton(domain, LDNS_RR_TYPE_DNAME);
+        if (error) {
+            result = error;
+        }
 
-        if (!result && is_file) {
-            result =
-            /* Thou shall not have data below DNAME in your zone file */
-            domain_examine_is_occluded(domain, LDNS_RR_TYPE_DNAME) ||
-            /* Thou shall not have non-glue data below NS in your zone file */
-            domain_examine_is_occluded(domain, LDNS_RR_TYPE_NS);
+        if (is_file) {
+            error =
+            /* Thou shall not have occluded data in your zone file */
+            zonedata_examine_domain_is_occluded(zd, domain, apex);
+            if (error) {
+                result = error;
+            }
         }
 
-        if (result) {
-            error = result;
-        }
         node = ldns_rbtree_next(node);
     }
 
-    return error;
+    return result;
 }
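Review bot: Both new `if (error) { result = error; }` blocks only ever copy a 0/1 flag, so `result |= error;` states the accumulation more directly in one line each and makes the final `return result;` read as the OR of all checks. Unlike the replaced code, the occlusion check now runs even when the CNAME/DNAME checks already failed for the same domain, which gives more complete error output for a zone file; a one-line comment such as `/* keep checking so all errors in the file are reported */` would record that this is deliberate. zonedata_examine starts before the hunk.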
 
 

Modified: trunk/OpenDNSSEC/signer/src/signer/zonedata.h
===================================================================
--- trunk/OpenDNSSEC/signer/src/signer/zonedata.h	2010-10-11 12:20:13 UTC (rev 4075)
+++ trunk/OpenDNSSEC/signer/src/signer/zonedata.h	2010-10-11 14:11:39 UTC (rev 4076)
@@ -145,12 +145,13 @@
 /**
  * Add empty non-terminals to zone data.
  * \param[in] zd zone data
+ * \param[in] apex apex domain name
  * \param[in] is_file if the inbound adapter is a zone file
  *                    (if so, additional checking is required)
  * \return int 0 if no error examined, 1 otherwise
  *
  */
-int zonedata_examine(zonedata_type* zd, int is_file);
+int zonedata_examine(zonedata_type* zd, ldns_rdf* apex, int is_file);
 
 /**
  * Update zone data with pending changes.
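Review bot: The comment block being extended still opens with `Add empty non-terminals to zone data.`, which describes a different function than the zonedata_examine prototype that follows it; since the block is touched to add the apex parameter, replacing that summary line with `Examine zone data for errors.` would keep the header accurate. It would also help to state that apex must be non-NULL, since the occlusion check called from zonedata_examine asserts it.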



