authorLibor Peltan <libor.peltan@nic.cz>2017-06-19 14:10:27 +0200
committerLibor Peltan <libor.peltan@nic.cz>2017-06-19 14:10:27 +0200
commit9da01402f0a89347727fed435301c3394bbc4ec2 (patch)
tree096c70f15a927ab04eef4131e94ba22b70a80dc0
parentdnssec: removed superfluous sgn_nsecs (diff)
downloadknot-9da01402f0a89347727fed435301c3394bbc4ec2.tar.xz
knot-9da01402f0a89347727fed435301c3394bbc4ec2.zip
dnssec: nsec/nsec3: fixed guessing type bitmap for zone apex
-rw-r--r--src/knot/dnssec/nsec-chain.c13
-rw-r--r--src/knot/dnssec/nsec-chain.h4
-rw-r--r--src/knot/dnssec/nsec3-chain.c16
-rw-r--r--src/knot/dnssec/nsec3-chain.h2
-rw-r--r--src/knot/dnssec/zone-nsec.c10
5 files changed, 35 insertions, 10 deletions
diff --git a/src/knot/dnssec/nsec-chain.c b/src/knot/dnssec/nsec-chain.c
index 1f533c261..31ff7c795 100644
--- a/src/knot/dnssec/nsec-chain.c
+++ b/src/knot/dnssec/nsec-chain.c
@@ -31,11 +31,12 @@
* \param from Node that should contain the new RRSet.
* \param to Node that should be pointed to from 'from'.
* \param ttl Record TTL (SOA's minimum TTL).
+ * \param apex_cds Hint to guess apex node type bitmap: false=just DNSKEY, true=DNSKEY,CDS,CDNSKEY.
*
* \return Error code, KNOT_EOK if successful.
*/
static int create_nsec_rrset(knot_rrset_t *rrset, const zone_node_t *from,
- const zone_node_t *to, uint32_t ttl)
+ const zone_node_t *to, uint32_t ttl, bool apex_cds)
{
assert(from);
assert(to);
@@ -52,6 +53,10 @@ static int create_nsec_rrset(knot_rrset_t *rrset, const zone_node_t *from,
dnssec_nsec_bitmap_add(rr_types, KNOT_RRTYPE_RRSIG);
if (node_rrtype_exists(from, KNOT_RRTYPE_SOA)) {
dnssec_nsec_bitmap_add(rr_types, KNOT_RRTYPE_DNSKEY);
+ if (apex_cds) {
+ dnssec_nsec_bitmap_add(rr_types, KNOT_RRTYPE_CDS);
+ dnssec_nsec_bitmap_add(rr_types, KNOT_RRTYPE_CDNSKEY);
+ }
}
// Create RDATA
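Review bot: The new CDS/CDNSKEY bits are set from the `apex_cds` hint rather than from what the apex node actually holds, and nothing in create_nsec_rrset tells a reader that the hint is a pre-signing guess (that admission lives only in zone-nsec.c). A validator treats the apex NSEC bitmap as proof of which types exist, so a wrong guess either denies CDS/CDNSKEY that are published or claims types that are not, and both show up as bogus answers for those queries. Add a comment above the new `if (apex_cds)` such as `// apex_cds is guessed before signing; actual CDS/CDNSKEY presence may differ until the next re-sign`, and mirror it in the matching `if (node == apex)` block in nsec3-chain.c. If the loop preceding this hunk already adds bits for RRSets present on the node (not visible here), the hint only matters for records created later in signing, which is worth stating as well. create_nsec_rrset continues outside the hunk.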
@@ -109,7 +114,7 @@ static int connect_nsec_nodes(zone_node_t *a, zone_node_t *b,
// create new NSEC
knot_rrset_t new_nsec;
- ret = create_nsec_rrset(&new_nsec, a, b, data->ttl);
+ ret = create_nsec_rrset(&new_nsec, a, b, data->ttl, data->cds_in_apex);
if (ret != KNOT_EOK) {
return ret;
}
@@ -280,13 +285,13 @@ bool knot_nsec_empty_nsec_and_rrsigs_in_node(const zone_node_t *n)
* \brief Create new NSEC chain, add differences from current into a changeset.
*/
int knot_nsec_create_chain(const zone_contents_t *zone, uint32_t ttl,
- changeset_t *changeset)
+ bool cds_in_apex, changeset_t *changeset)
{
assert(zone);
assert(zone->nodes);
assert(changeset);
- nsec_chain_iterate_data_t data = { ttl, changeset, zone };
+ nsec_chain_iterate_data_t data = { ttl, cds_in_apex, changeset, zone };
return knot_nsec_chain_iterate_create(zone->nodes,
connect_nsec_nodes, &data);
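Review bot: `nsec_chain_iterate_data_t data = { ttl, cds_in_apex, changeset, zone };` relies on field order, and this commit inserts the new `bool` in the middle of the struct in nsec-chain.h; any other positional initializer of that struct would still compile because a pointer converts to `bool` implicitly, so `changeset` would silently become the flag and `zone` would land in the changeset slot with only an incompatible-pointer warning. Designated initializers remove that class of error: `nsec_chain_iterate_data_t data = { .ttl = ttl, .cds_in_apex = cds_in_apex, .changeset = changeset, .zone = zone };`. knot_nsec_create_chain's body continues past the hunk.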
diff --git a/src/knot/dnssec/nsec-chain.h b/src/knot/dnssec/nsec-chain.h
index 89694e8c4..ec023dad7 100644
--- a/src/knot/dnssec/nsec-chain.h
+++ b/src/knot/dnssec/nsec-chain.h
@@ -39,6 +39,7 @@
*/
typedef struct {
uint32_t ttl; // TTL for NSEC(3) records
+ bool cds_in_apex; // Marks presence of CDS&CDNSKEY records in apex.
changeset_t *changeset; // Changeset for NSEC(3) changes
const zone_contents_t *zone; // Updated zone
} nsec_chain_iterate_data_t;
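Review bot: The comment on the new field, `// Marks presence of CDS&CDNSKEY records in apex.`, overstates what the value is: per the caller in zone-nsec.c it is a guess derived from key state before signing, not an observation of the apex node. Something like `// Hint that CDS/CDNSKEY are expected at the apex (guessed before signing; may not match the node yet).` keeps the next reader from treating it as ground truth. The header now uses `bool` in a public struct and prototype; its include section is outside this hunk, so confirm `<stdbool.h>` is included by the header itself rather than inherited from the .c files.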
@@ -125,9 +126,10 @@ bool knot_nsec_empty_nsec_and_rrsigs_in_node(const zone_node_t *n);
*
* \param zone Zone.
* \param ttl TTL for created NSEC records.
+ * \param cds_in_apexHint to guess apex node type bitmap: false=just DNSKEY, true=DNSKEY,CDS,CDNSKEY.
* \param changeset Changeset the differences will be put into.
*
* \return Error code, KNOT_EOK if successful.
*/
-int knot_nsec_create_chain(const zone_contents_t *zone, uint32_t ttl,
+int knot_nsec_create_chain(const zone_contents_t *zone, uint32_t ttl, bool cds_in_apex,
changeset_t *changeset);
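Review bot: `* \param cds_in_apexHint to guess apex node type bitmap: ...` is missing the space after the parameter name, so Doxygen will read the documented parameter as `cds_in_apexHint` and report `cds_in_apex` as undocumented; the same slip is in the nsec3-chain.h hunk for knot_nsec3_create_chain. Change it to `* \param cds_in_apex Hint to guess apex node type bitmap: false=just DNSKEY, true=DNSKEY,CDS,CDNSKEY.`. The prototype on the following line also grew past the wrap width the file otherwise keeps; putting `bool cds_in_apex,` on its own continuation line, as the nsec3-chain.h version does, keeps the two headers consistent.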
diff --git a/src/knot/dnssec/nsec3-chain.c b/src/knot/dnssec/nsec3-chain.c
index 69b214767..b3641645d 100644
--- a/src/knot/dnssec/nsec3-chain.c
+++ b/src/knot/dnssec/nsec3-chain.c
@@ -307,13 +307,15 @@ static zone_node_t *create_nsec3_node(knot_dname_t *owner,
* \param apex Zone apex node.
* \param params NSEC3 hash function parameters.
* \param ttl TTL of the new NSEC3 node.
+ * \param apex_cds Hint to guess apex node type bitmap: false=just DNSKEY, true=DNSKEY,CDS,CDNSKEY.
*
* \return Error code, KNOT_EOK if successful.
*/
static zone_node_t *create_nsec3_node_for_node(zone_node_t *node,
zone_node_t *apex,
const dnssec_nsec3_params_t *params,
- uint32_t ttl)
+ uint32_t ttl,
+ bool apex_cds)
{
assert(node);
assert(apex);
@@ -337,6 +339,10 @@ static zone_node_t *create_nsec3_node_for_node(zone_node_t *node,
if (node == apex) {
dnssec_nsec_bitmap_add(rr_types, KNOT_RRTYPE_DNSKEY);
dnssec_nsec_bitmap_add(rr_types, KNOT_RRTYPE_NSEC3PARAM);
+ if (apex_cds) {
+ dnssec_nsec_bitmap_add(rr_types, KNOT_RRTYPE_CDS);
+ dnssec_nsec_bitmap_add(rr_types, KNOT_RRTYPE_CDNSKEY);
+ }
}
zone_node_t *nsec3_node;
@@ -410,7 +416,9 @@ static int connect_nsec3_nodes(zone_node_t *a, zone_node_t *b,
* \brief Create NSEC3 node for each regular node in the zone.
*
* \param zone Zone.
+ * \param params NSEC3 params.
* \param ttl TTL for the created NSEC records.
+ * \param cds_in_apex Hint to guess apex node type bitmap: false=just DNSKEY, true=DNSKEY,CDS,CDNSKEY.
* \param nsec3_nodes Tree whereto new NSEC3 nodes will be added.
* \param chgset Changeset used for possible NSEC removals
*
@@ -419,6 +427,7 @@ static int connect_nsec3_nodes(zone_node_t *a, zone_node_t *b,
static int create_nsec3_nodes(const zone_contents_t *zone,
const dnssec_nsec3_params_t *params,
uint32_t ttl,
+ bool cds_in_apex,
zone_tree_t *nsec3_nodes,
changeset_t *chgset)
{
@@ -450,7 +459,7 @@ static int create_nsec3_nodes(const zone_contents_t *zone,
zone_node_t *nsec3_node;
nsec3_node = create_nsec3_node_for_node(node, zone->apex,
- params, ttl);
+ params, ttl, cds_in_apex);
if (!nsec3_node) {
result = KNOT_ENOMEM;
break;
@@ -550,6 +559,7 @@ static int nsec3_reset(zone_node_t **node_p, void *data)
int knot_nsec3_create_chain(const zone_contents_t *zone,
const dnssec_nsec3_params_t *params,
uint32_t ttl,
+ bool cds_in_apex,
changeset_t *changeset)
{
assert(zone);
@@ -577,7 +587,7 @@ int knot_nsec3_create_chain(const zone_contents_t *zone,
return result;
}
- result = create_nsec3_nodes(zone, params, ttl, nsec3_nodes, changeset);
+ result = create_nsec3_nodes(zone, params, ttl, cds_in_apex, nsec3_nodes, changeset);
if (result != KNOT_EOK) {
free_nsec3_tree(nsec3_nodes);
return result;
diff --git a/src/knot/dnssec/nsec3-chain.h b/src/knot/dnssec/nsec3-chain.h
index e1293ef44..ba0b11a5f 100644
--- a/src/knot/dnssec/nsec3-chain.h
+++ b/src/knot/dnssec/nsec3-chain.h
@@ -27,6 +27,7 @@
* \param zone Zone to be checked.
* \param params NSEC3 parameters.
* \param ttl TTL for new records.
+ * \param cds_in_apexHint to guess apex node type bitmap: false=just DNSKEY, true=DNSKEY,CDS,CDNSKEY.
* \param changeset Changeset to store changes into.
*
* \return KNOT_E*
@@ -34,4 +35,5 @@
int knot_nsec3_create_chain(const zone_contents_t *zone,
const dnssec_nsec3_params_t *params,
uint32_t ttl,
+ bool cds_in_apex,
changeset_t *changeset);
diff --git a/src/knot/dnssec/zone-nsec.c b/src/knot/dnssec/zone-nsec.c
index 426385a01..03155b915 100644
--- a/src/knot/dnssec/zone-nsec.c
+++ b/src/knot/dnssec/zone-nsec.c
@@ -22,6 +22,7 @@
#include "libknot/rrtype/soa.h"
#include "knot/dnssec/nsec-chain.h"
#include "knot/dnssec/nsec3-chain.h"
+#include "knot/dnssec/key-events.h"
#include "knot/dnssec/rrset-sign.h"
#include "knot/dnssec/zone-nsec.h"
#include "knot/dnssec/zone-sign.h"
@@ -380,13 +381,18 @@ int knot_zone_create_nsec_chain(const zone_contents_t *zone,
return ret;
}
+ // beware this is a hack: we need to guess correct apex type bitmap
+ // but it can change during zone signing.
+ bool apex_has_cds = zone_has_key_sbm(ctx);
+
if (ctx->policy->nsec3_enabled) {
- int ret = knot_nsec3_create_chain(zone, &params, nsec_ttl, changeset);
+ int ret = knot_nsec3_create_chain(zone, &params, nsec_ttl,
+ apex_has_cds, changeset);
if (ret != KNOT_EOK) {
return ret;
}
} else {
- int ret = knot_nsec_create_chain(zone, nsec_ttl, changeset);
+ int ret = knot_nsec_create_chain(zone, nsec_ttl, apex_has_cds, changeset);
if (ret != KNOT_EOK) {
return ret;
}
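Review bot: `bool apex_has_cds = zone_has_key_sbm(ctx);` fixes the apex type bitmap from key state before the zone is signed, and the new comment admits the value can change during signing but does not say what happens when it does. The apex NSEC/NSEC3 bitmap is what a validator (and a parent-side CDS scanner) uses to prove whether CDS/CDNSKEY exist, so a stale bit in either direction makes those answers fail validation until the record is regenerated; whether a later step recomputes the apex NSEC(3) is not visible in this hunk. Extend the comment with the consequence and the point where it is corrected, e.g. `// If signing later adds or removes CDS/CDNSKEY, the apex NSEC(3) bitmap is wrong until [re-sign step] refreshes it.`, or add a post-sign check that the apex NSEC(3) bitmap matches the apex node's RRSets. knot_zone_create_nsec_chain starts before this hunk.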