[Opendnssec-commits] [keihatsu.kirei.se/svn/dnssec] r4115 - trunk/OpenDNSSEC/signer/src/signer

Matthijs Mekking matthijs at nlnetlabs.nl
Fri Oct 15 09:14:19 CEST 2010


Author: matthijs
Date: 2010-10-15 09:14:19 +0200 (Fri, 15 Oct 2010)
New Revision: 4115

Modified:
   trunk/OpenDNSSEC/signer/src/signer/domain.c
   trunk/OpenDNSSEC/signer/src/signer/domain.h
   trunk/OpenDNSSEC/signer/src/signer/rrset.c
   trunk/OpenDNSSEC/signer/src/signer/rrset.h
   trunk/OpenDNSSEC/signer/src/signer/zone.c
   trunk/OpenDNSSEC/signer/src/signer/zonedata.c
Log:
More distinct glue. This does not allow for:

foo.se. IN NS ns1.foo.se.
foo.se. IN NS ns2.foo.se.

ns1.foo.se. IN A 1.2.3.4
ns2.foo.se. IN A 1.2.3.5
www.foo.se. IN A 1.2.3.6

(www.foo.se. is marked as occluded, non-glue)



Modified: trunk/OpenDNSSEC/signer/src/signer/domain.c
===================================================================
--- trunk/OpenDNSSEC/signer/src/signer/domain.c	2010-10-15 06:33:54 UTC (rev 4114)
+++ trunk/OpenDNSSEC/signer/src/signer/domain.c	2010-10-15 07:14:19 UTC (rev 4115)
@@ -300,6 +300,31 @@
 
 
 /**
+ * Examine domain NS RRset and verify its RDATA.
+ *
+ */
+int
+domain_examine_ns_rdata(domain_type* domain, ldns_rdf* nsdname)
+{
+    rrset_type* rrset = NULL;
+
+    se_log_assert(domain);
+    if (!nsdname) {
+       return 1;
+    }
+
+    rrset = domain_lookup_rrset(domain, LDNS_RR_TYPE_NS);
+    if (rrset && rrset_count_RR(rrset) > 0) {
+        /* NS RRset exists after update */
+        if (rrset_examine_ns_rdata(rrset, nsdname) == 0) {
+            return 0;
+        }
+    }
+    return 1;
+}
+
+
+/**
  * Examine domain and verify if there is no other data next to a RRset.
  *
  */
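Review bot: domain_examine_ns_rdata returns 1 both when the domain has no NS RRset after the update and when nsdname is simply absent from its RDATA, and the .c header comment says nothing about that; the caller in zonedata.c only tests `!= 0`, so the collapse is harmless today, but it should be stated. A comment above the function such as `/* Returns 0 only if an NS RRset survives the update and one of its RDATA names equals nsdname; a missing NS RRset is reported as 1, the same as a non-matching name. */` would make the contract explicit. Separately, the `return 1;` in the `if (!nsdname)` guard is indented with seven spaces where the rest of the file uses eight.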

Modified: trunk/OpenDNSSEC/signer/src/signer/domain.h
===================================================================
--- trunk/OpenDNSSEC/signer/src/signer/domain.h	2010-10-15 06:33:54 UTC (rev 4114)
+++ trunk/OpenDNSSEC/signer/src/signer/domain.h	2010-10-15 07:14:19 UTC (rev 4115)
@@ -134,22 +134,30 @@
  */
 int domain_count_rrset(domain_type* domain);
 
-
 /**
  * Examine domain and verify if data exists.
  * \param[in] domain domain
  * \param[in] rrtype RRtype look for a specific RRset
  * \param[in] skip_glue skip glue records
- * \retun 0 if data is alone, 1 otherwise
+ * \retun int 0 if data is alone, 1 otherwise
  *
  */
 int domain_examine_data_exists(domain_type* domain, ldns_rr_type rrtype,
     int skip_glue);
 
 /**
+ * Examine domain NS RRset and verify its RDATA.
+ * \param[in] domain domain
+ * \param[in] nsdname domain name that should match one of the NS RDATA
+ * \return int 0 if nsdname exists as NS RDATA, 1 otherwise
+ *
+ */
+int domain_examine_ns_rdata(domain_type* domain, ldns_rdf* nsdname);
+
+/**
  * Examine domain and verify if it is a valid zonecut (or no NS RRs).
  * \param[in] domain domain
- * \retun 0 if the RRset is a valid zonecut (or no zonecut), 1 otherwise
+ * \retun int 0 if the RRset is a valid zonecut (or no zonecut), 1 otherwise
  *
  */
 int domain_examine_valid_zonecut(domain_type* domain);
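Review bot: The `\retun` tag on the rewritten lines of this hunk is still misspelled, so Doxygen will not render these as return documentation even though the commit edits exactly those lines to add the type; the line should read `* \return int 0 if data is alone, 1 otherwise` and likewise `* \return int 0 if the RRset is a valid zonecut (or no zonecut), 1 otherwise`. The same misspelling is carried over in the next two hunks of this file (domain_examine_rrset_is_alone and domain_examine_rrset_is_singleton). The new domain_examine_ns_rdata block uses the correct `\return`, so only the pre-existing comments need the fix.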
@@ -158,7 +166,7 @@
  * Examine domain and verify if there is no other data next to a RRset.
  * \param[in] domain domain
  * \param[in] rrtype RRtype
- * \retun 0 if the RRset is alone, 1 otherwise
+ * \retun int 0 if the RRset is alone, 1 otherwise
  *
  */
 int domain_examine_rrset_is_alone(domain_type* domain, ldns_rr_type rrtype);
@@ -167,7 +175,7 @@
  * Examine domain and verify if the RRset is a singleton.
  * \param[in] domain domain
  * \param[in] rrtype RRtype
- * \retun 0 if the RRset is a singleton, 1 otherwise
+ * \retun int 0 if the RRset is a singleton, 1 otherwise
  *
  */
 int domain_examine_rrset_is_singleton(domain_type* domain, ldns_rr_type rrtype);

Modified: trunk/OpenDNSSEC/signer/src/signer/rrset.c
===================================================================
--- trunk/OpenDNSSEC/signer/src/signer/rrset.c	2010-10-15 06:33:54 UTC (rev 4114)
+++ trunk/OpenDNSSEC/signer/src/signer/rrset.c	2010-10-15 07:14:19 UTC (rev 4115)
@@ -125,6 +125,54 @@
 
 
 /**
+ * Examine NS RRs and verify its RDATA.
+ *
+ */
+static int
+rrs_examine_ns_rdata(ldns_dnssec_rrs* rrs, ldns_rdf* nsdname)
+{
+    ldns_dnssec_rrs* walk = NULL;
+
+    if (!rrs || !nsdname) {
+        return 1;
+    }
+    walk = rrs;
+    while (walk) {
+        if (walk->rr &&
+            ldns_dname_compare(ldns_rr_rdf(walk->rr, 0), nsdname) == 0) {
+            return 0;
+        }
+        walk = walk->next;
+    }
+    return 1;
+}
+
+
+/**
+ * Examine NS RRset and verify its RDATA.
+ *
+ */
+int
+rrset_examine_ns_rdata(rrset_type* rrset, ldns_rdf* nsdname)
+{
+    if (!rrset || !nsdname || rrset->rr_type != LDNS_RR_TYPE_NS) {
+        return 1;
+    }
+
+    if (rrs_examine_ns_rdata(rrset->add, nsdname) == 0) {
+        return 0;
+    }
+    if (rrs_examine_ns_rdata(rrset->del, nsdname) == 0) {
+        return 1;
+    }
+    if (rrs_examine_ns_rdata(rrset->rrs, nsdname) == 0) {
+        return 0;
+    }
+    return 1;
+}
+
+
+/**
  * Log RR.
  *
  */
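Review bot: In rrs_examine_ns_rdata the loop passes `ldns_rr_rdf(walk->rr, 0)` straight into ldns_dname_compare() without a NULL check; ldns_rr_rdf() returns NULL when the RR has no RDATA field at that index, and ldns_dname_compare() does not appear to guard against a NULL name, so a malformed NS RR in the list would hand it a NULL pointer. Storing the field first, `ldns_rdf* rdf = ldns_rr_rdf(walk->rr, 0);`, and testing `if (rdf && ldns_dname_compare(rdf, nsdname) == 0) {` closes that gap. In rrset_examine_ns_rdata the add → del → rrs order is what lets a pending deletion hide an RR still present in rrs; that is the right post-update view but not obvious, so a comment above the del check such as `/* order matters: a pending delete hides the RR still present in rrs */` would help the next reader.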

Modified: trunk/OpenDNSSEC/signer/src/signer/rrset.h
===================================================================
--- trunk/OpenDNSSEC/signer/src/signer/rrset.h	2010-10-15 06:33:54 UTC (rev 4114)
+++ trunk/OpenDNSSEC/signer/src/signer/rrset.h	2010-10-15 07:14:19 UTC (rev 4115)
@@ -60,7 +60,7 @@
 /**
  * Create new RRset.
  * \param[in] rrtype RRtype
- * \return new RRset
+ * \return rrset_type* new RRset
  *
  */
 rrset_type* rrset_create(ldns_rr_type rrtype);
@@ -68,7 +68,7 @@
 /**
  * Create new RRset from RR.
  * \param[in] rr RR
- * \return new RRset
+ * \return rrset_type* new RRset
  *
  */
 rrset_type* rrset_create_frm_rr(ldns_rr* rr);
@@ -77,11 +77,19 @@
  * Update RRset with pending changes.
  * \param[in] rrset RRset
  * \param[in] serial version to update to
- * \return 0 on success, 1 on error
+ * \return int 0 on success, 1 on error
  *
  */
 int rrset_update(rrset_type* rrset, uint32_t serial);
 
+/**
+ * Examine NS RRset and verify its RDATA.
+ * \param[in] rrset NS RRset
+ * \param[in] nsdname domain name that should match NS RDATA
+ * \return int 0 if nsdame exists as NS RDATA, 1 otherwise
+ *
+ */
+int rrset_examine_ns_rdata(rrset_type* rrset, ldns_rdf* nsdname);
 
 /**
  * Cancel update.
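Review bot: The new rrset_examine_ns_rdata prototype comment has a typo in its return line, "nsdame" for the parameter name; it should read `* \return int 0 if nsdname exists as NS RDATA, 1 otherwise` so the text matches the `\param[in] nsdname` line above it. The rest of this file's hunks only add the return type to existing `\return` lines and need no change.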
@@ -94,7 +102,7 @@
  * Add RR to RRset.
  * \param[in] rrset RRset
  * \param[in] rr RR
- * \return 0 on success, 1 on error
+ * \return int 0 on success, 1 on error
  *
  */
 int rrset_add_rr(rrset_type* rrset, ldns_rr* rr);
@@ -103,7 +111,7 @@
  * Delete RR from RRset.
  * \param[in] rrset RRset
  * \param[in] rr RR
- * \return 0 on success, 1 on error
+ * \return int 0 on success, 1 on error
  *
  */
 int rrset_del_rr(rrset_type* rrset, ldns_rr* rr);
@@ -112,7 +120,7 @@
  * Recover RR from backup.
  * \param[in] rrset RRset
  * \param[in] rr RR
- * \return 0 on success, 1 on error
+ * \return int 0 on success, 1 on error
  *
  */
 int rrset_recover_rr_from_backup(rrset_type* rrset, ldns_rr* rr);
@@ -123,7 +131,7 @@
  * \param[in] rrsig RRSIG
  * \param[in] locator key locator
  * \param[in] flags key flags
- * \return 0 on success, 1 on error
+ * \return int 0 on success, 1 on error
  *
  */
 int rrset_recover_rrsig_from_backup(rrset_type* rrset, ldns_rr* rrsig,
@@ -137,7 +145,7 @@
  * \param[in] sc sign configuration
  * \param[in] signtime time when the zone is signd
  * \param[out] stats update statistics
- * \return 0 on success, 1 on error
+ * \return int 0 on success, 1 on error
  *
  */
 int rrset_sign(hsm_ctx_t* ctx, rrset_type* rrset, ldns_rdf* owner,
@@ -146,7 +154,7 @@
 /**
  * Delete all RRs from RRset.
  * \param[in] rrset RRset
- * \return 0 on success, 1 on error
+ * \return int 0 on success, 1 on error
  *
  */
 int rrset_del_rrs(rrset_type* rrset);
@@ -154,7 +162,7 @@
 /**
  * Return the number of RRs in RRset.
  * \param[in] rrset RRset
- * \return number of RRs
+ * \return int number of RRs
  *
  */
 int rrset_count_rr(rrset_type* rrset);
@@ -162,7 +170,7 @@
 /**
  * Return the number of pending added RRs in RRset.
  * \param[in] rrset RRset
- * \return number of pending added RRs
+ * \return int number of pending added RRs
  *
  */
 int rrset_count_add(rrset_type* rrset);
@@ -170,7 +178,7 @@
 /**
  * Return the number of pending deleted RRs in RRset.
  * \param[in] rrset RRset
- * \return number of pending deleted RRs
+ * \return int number of pending deleted RRs
  *
  */
 int rrset_count_del(rrset_type* rrset);
@@ -178,7 +186,7 @@
 /**
  * Return the number of RRs in RRset after an update.
  * \param[in] rrset RRset
- * \return number of RRs after an update
+ * \return int number of RRs after an update
  *
  */
 int rrset_count_RR(rrset_type* rrset);

Modified: trunk/OpenDNSSEC/signer/src/signer/zone.c
===================================================================
--- trunk/OpenDNSSEC/signer/src/signer/zone.c	2010-10-15 06:33:54 UTC (rev 4114)
+++ trunk/OpenDNSSEC/signer/src/signer/zone.c	2010-10-15 07:14:19 UTC (rev 4115)
@@ -428,6 +428,7 @@
     se_log_assert(zone->zonedata);
 
     /* examine zone data */
+    se_log_debug("examine zone %s update");
     error = zonedata_examine(zone->zonedata, zone->dname,
         zone->inbound_adapter->type==ADAPTER_FILE);
     if (error) {
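Review bot: The added `se_log_debug("examine zone %s update");` has a `%s` conversion with no matching argument, so the logger reads an unrelated pointer off the variadic list — undefined behaviour that can crash the signer or print arbitrary memory into the log. Either pass the zone's name string as the second argument (the field holding it is outside this hunk; `zone->dname` on the next line is an ldns_rdf, not a C string, and would need ldns_rdf2str() first) or drop the `%s` and log `"examine zone update"`. If se_log_debug carries a printf-style format attribute, building with `-Wformat` would have flagged this. The enclosing function starts and ends outside the hunk.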

Modified: trunk/OpenDNSSEC/signer/src/signer/zonedata.c
===================================================================
--- trunk/OpenDNSSEC/signer/src/signer/zonedata.c	2010-10-15 06:33:54 UTC (rev 4114)
+++ trunk/OpenDNSSEC/signer/src/signer/zonedata.c	2010-10-15 07:14:19 UTC (rev 4115)
@@ -1006,8 +1006,8 @@
                 se_free((void*)str_parent);
                 return 1;
             } else if (domain_examine_data_exists(parent_domain,
-                LDNS_RR_TYPE_NS, 0) == 0 && domain_examine_data_exists(domain,
-                0, 1) == 0) {
+                LDNS_RR_TYPE_NS, 0) == 0 &&
+                domain_examine_data_exists(domain, 0, 1) == 0) {
                 /* data (non-glue) below NS */
                 str_name = ldns_rdf2str(domain->name);
                 str_parent = ldns_rdf2str(parent_domain->name);
@@ -1016,6 +1016,18 @@
                 se_free((void*)str_name);
                 se_free((void*)str_parent);
                 return 1;
+            } else if (domain_examine_data_exists(parent_domain,
+                LDNS_RR_TYPE_NS, 0) == 0 &&
+                domain_examine_data_exists(domain, 0, 0) == 0 &&
+                domain_examine_ns_rdata(parent_domain, domain->name) != 0) {
+                /* glue data not signalled by NS RDATA */
+                str_name = ldns_rdf2str(domain->name);
+                str_parent = ldns_rdf2str(parent_domain->name);
+                se_log_error("occluded data at %s (below %s NS)",
+                    str_name, str_parent);
+                se_free((void*)str_name);
+                se_free((void*)str_parent);
+                return 1;
             }
         }
 



