Hi
In our webhosting automation software we are integrating against PowerDNS.
One of our clients needs to provision per-zone TSIG keys for the outbound AXFR requests
that a zone of type='SLAVE' makes to its master.
The current code doesn't really support this. Even though you can specify
TSIG key per domain in domainmetadata, the referenced key-name is then
used to fetch from a global list of keys (tsigkeys).
This means that two zones cannot use the same key name with different TSIG
secrets, because the name is the only lookup key in tsigkeys.
The attached patch solves this without breaking existing database-schema by
adding the following logic:
If the key name contains a ':', as in "somelocalname:remotename", the full string is
still used to look the key up in tsigkeys/domainmetadata, but only the part after the ':'
("remotename" in the example) is sent as the key name in the TSIG records exchanged
with the remote server.
I hope it is acceptable for inclusion; if not, comments and suggestions would be greatly appreciated.
Thanks in advance.
Best regards,
Jimmy
Index: pdns/dnsbackend.hh
===================================================================
--- pdns/dnsbackend.hh (revision 2279)
+++ pdns/dnsbackend.hh (working copy)
@@ -127,7 +127,7 @@
virtual bool activateDomainKey(const string& name, unsigned int id) { return false; }
virtual bool deactivateDomainKey(const string& name, unsigned int id) { return false; }
- virtual bool getTSIGKey(const string& name, string* algorithm, string* content) { return false; }
+ virtual bool getTSIGKey(const string& name, string* remote_name, string* algorithm, string* content) { return false; }
//! returns true if master ip is master for domain name.
virtual bool isMaster(const string &name, const string &ip)
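Review bot: The new `remote_name` out-parameter on the virtual `getTSIGKey` is undocumented, and its contract on the failure path is unclear: the default stub on the `+` line returns false without touching `*remote_name`, whereas the backend implementations in this patch appear to fill it in before they decide whether a key exists. Callers that assign the value without checking the return will therefore see either an untouched or a derived name depending on which backend answered. A comment on the declaration would pin this down, e.g. `//! Looks up TSIG key 'name'. On success sets *remote_name (the key name to use on the wire: the part after ':' if present, else 'name'), *algorithm and base64 *content. The default leaves all out-params untouched.`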
Index: pdns/ueberbackend.hh
===================================================================
--- pdns/ueberbackend.hh (revision 2279)
+++ pdns/ueberbackend.hh (working copy)
@@ -132,7 +132,7 @@
bool activateDomainKey(const string& name, unsigned int id);
bool deactivateDomainKey(const string& name, unsigned int id);
- bool getTSIGKey(const string& name, string* algorithm, string* content);
+ bool getTSIGKey(const string& name, string* remote_name, string* algorithm, string* content);
void alsoNotifies(const string &domain, set<string> *ips);
void rediscover(string* status=0);
Index: pdns/ueberbackend.cc
===================================================================
--- pdns/ueberbackend.cc (revision 2279)
+++ pdns/ueberbackend.cc (working copy)
@@ -165,10 +165,10 @@
}
-bool UeberBackend::getTSIGKey(const string& name, string* algorithm, string* content)
+bool UeberBackend::getTSIGKey(const string& name, string* remote_name, string* algorithm, string* content)
{
BOOST_FOREACH(DNSBackend* db, backends) {
- if(db->getTSIGKey(name, algorithm, content))
+ if(db->getTSIGKey(name, remote_name, algorithm, content))
return true;
}
return false;
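Review bot: The `local:remote` split is performed separately inside every backend's `getTSIGKey`, but this loop is the single point every caller goes through, so the derivation of `*remote_name` from `name` would be better done once here (or in a small helper in dnsbackend.hh) and the backends left to only look up the key. As written, a backend that fails the lookup may still have written `*remote_name`, and the value a caller sees after the loop returns false is whatever the last backend left there, which is hard to reason about. Consider `*remote_name = name.substr(name.find(':') + 1)` style derivation here, guarded on `find` returning npos, and only on a successful lookup.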
Index: pdns/tcpreceiver.cc
===================================================================
--- pdns/tcpreceiver.cc (revision 2279)
+++ pdns/tcpreceiver.cc (working copy)
@@ -547,9 +547,10 @@
q->getTSIGDetails(&trc, &tsigkeyname, 0);
if(!tsigkeyname.empty()) {
- string tsig64, algorithm;
+ string tsig64, algorithm, remote_keyname;
Lock l(&s_plock);
- s_P->getBackend()->getTSIGKey(tsigkeyname, &algorithm, &tsig64);
+ s_P->getBackend()->getTSIGKey(tsigkeyname, &remote_keyname, &algorithm, &tsig64);
+ tsigkeyname = remote_keyname;
B64Decode(tsig64, tsigsecret);
}
Index: pdns/lua-pdns-recursor.cc
===================================================================
--- pdns/lua-pdns-recursor.cc (revision 2279)
+++ pdns/lua-pdns-recursor.cc (working copy)
@@ -1,6 +1,6 @@
#include "lua-pdns-recursor.hh"
-#if !defined(PDNS_ENABLE_LUA) && !defined(LIBDIR)
+#if !defined(PDNS_ENABLE_LUA) || !defined(LIBDIR)
// stub implementation
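Review bot: The `&&` to `||` change in this preprocessor condition is unrelated to the per-zone TSIG key feature described in the mail and should be submitted as a separate patch with its own explanation, so that it can be reviewed and reverted independently. It also widens when the stub implementation is compiled in (now whenever either macro is undefined), which is a build-behaviour change that deserves a one-line justification in the commit message, e.g. `// stub when Lua support is disabled or LIBDIR is not set by the build`.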
Index: pdns/slavecommunicator.cc
===================================================================
--- pdns/slavecommunicator.cc (revision 2279)
+++ pdns/slavecommunicator.cc (working copy)
@@ -108,11 +108,14 @@
ComboAddress raddr(remote, 53);
- string tsigkeyname, tsigalgorithm, tsigsecret;
+ string tsigkeyname, tsigremote_keyname, tsigalgorithm, tsigsecret;
if(dk.getTSIGForAccess(domain, remote, &tsigkeyname)) {
string tsigsecret64;
- B->getTSIGKey(tsigkeyname, &tsigalgorithm, &tsigsecret64);
+ size_t remote_keyname_start;
+
+ B->getTSIGKey(tsigkeyname, &tsigremote_keyname, &tsigalgorithm, &tsigsecret64);
+ tsigkeyname = tsigremote_keyname;
B64Decode(tsigsecret64, tsigsecret);
}
@@ -347,8 +350,9 @@
dni.dnssecOk = dk.isPresigned(di.zone);
if(dk.getTSIGForAccess(di.zone, sr.master, &dni.tsigkeyname)) {
- string secret64;
- B->getTSIGKey(dni.tsigkeyname, &dni.tsigalgname, &secret64);
+ string secret64, remote_keyname;
+ B->getTSIGKey(dni.tsigkeyname, &remote_keyname, &dni.tsigalgname, &secret64);
+ dni.tsigkeyname = remote_keyname;
B64Decode(secret64, dni.tsigsecret);
}
sdomains.push_back(dni);
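Review bot: `dni.tsigkeyname = remote_keyname;` overwrites the name obtained from `getTSIGForAccess` even when `B->getTSIGKey` returns false, in which case `remote_keyname` may be empty or stale, and the `DomainNotificationInfo` is pushed onto `sdomains` with an empty key name and secret. Guarding the assignment on the return value, `if(B->getTSIGKey(dni.tsigkeyname, &remote_keyname, &dni.tsigalgname, &secret64)) dni.tsigkeyname = remote_keyname;`, keeps the behaviour for the not-found case identical to the pre-patch code. The enclosing loop body starts outside the hunk.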
Index: pdns/dnspacket.cc
===================================================================
--- pdns/dnspacket.cc (revision 2279)
+++ pdns/dnspacket.cc (working copy)
@@ -561,9 +561,9 @@
return false;
}
- string secret64;
+ string secret64, remote_keyname;
- if(!B->getTSIGKey(*keyname, &trc->d_algoName, &secret64)) {
+ if(!B->getTSIGKey(*keyname, &remote_keyname, &trc->d_algoName, &secret64)) {
L<<Logger::Error<<"Packet for domain '"<<q->qdomain<<"' denied: can't find TSIG key with name '"<<*keyname<<"' and algorithm '"<<trc->d_algoName<<"'"<<endl;
return false;
}
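Review bot: `remote_keyname` is filled by the call but never read afterwards in this hunk, which is fine for the verification path (the incoming packet's key name is what must match) but should be stated so nobody later "fixes" it into an assignment to `*keyname`; a comment such as `// remote_keyname is unused here: responses are validated under the name the peer actually sent` would make that explicit. The rest of the function is outside the hunk.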
Index: pdns/backends/gsql/gsqlbackend.cc
===================================================================
--- pdns/backends/gsql/gsqlbackend.cc (revision 2279)
+++ pdns/backends/gsql/gsqlbackend.cc (working copy)
@@ -420,8 +420,17 @@
return true;
}
-bool GSQLBackend::getTSIGKey(const string& name, string* algorithm, string* content)
+bool GSQLBackend::getTSIGKey(const string& name, string* remote_name, string* algorithm, string* content)
{
+ size_t remote_keyname_start;
+
+ remote_keyname_start = name.find_first_of(':');
+ if (remote_keyname_start != string::npos && remote_keyname_start + 1 < name.length()) {
+ *remote_name = name.substr(remote_keyname_start + 1);
+ } else {
+ *remote_name = name;
+ }
+
if(!d_dnssecQueries)
return false;
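Review bot: The `*remote_name` derivation runs before the `d_dnssecQueries` guard, so the out-parameter is written even on the `return false` path, and the same nine lines are repeated verbatim in the Lua, MongoDB and Oracle backends; factoring the split into one shared helper and moving it after the success checks would avoid the duplication and the write-on-failure. Note also the edge case the condition creates: a trailing colon (`"name:"`) falls through to the `else` and the full `"name:"` is used on the wire, which is probably unintended and at least deserves a comment. Finally, nothing checks that the part after the ':' is a non-empty, valid DNS name; since it ends up in TSIG RRs it should be validated or at least documented as operator-supplied.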
Index: pdns/backends/gsql/gsqlbackend.hh
===================================================================
--- pdns/backends/gsql/gsqlbackend.hh (revision 2279)
+++ pdns/backends/gsql/gsqlbackend.hh (working copy)
@@ -52,7 +52,7 @@
bool activateDomainKey(const string& name, unsigned int id);
bool deactivateDomainKey(const string& name, unsigned int id);
- bool getTSIGKey(const string& name, string* algorithm, string* content);
+ bool getTSIGKey(const string& name, string* remote_name, string* algorithm, string* content);
private:
string d_qname;
QType d_qtype;
Index: modules/luabackend/luabackend.hh
===================================================================
--- modules/luabackend/luabackend.hh (revision 2279)
+++ modules/luabackend/luabackend.hh (working copy)
@@ -76,7 +76,7 @@
bool removeDomainKey(const string& name, unsigned int id);
bool activateDomainKey(const string& name, unsigned int id);
bool deactivateDomainKey(const string& name, unsigned int id);
- bool getTSIGKey(const string& name, string* algorithm, string* content);
+ bool getTSIGKey(const string& name, string *remote_name, string* algorithm, string* content);
int addDomainKey(const string& name, const KeyData& key);
bool getBeforeAndAfterNamesAbsolute(uint32_t id, const std::string& qname, std::string& unhashed, std::string& before, std::string& after);
Index: modules/luabackend/dnssec.cc
===================================================================
--- modules/luabackend/dnssec.cc (revision 2279)
+++ modules/luabackend/dnssec.cc (working copy)
@@ -32,7 +32,7 @@
virtual bool activateDomainKey(const string& name, unsigned int id)
virtual bool deactivateDomainKey(const string& name, unsigned int id)
- virtual bool getTSIGKey(const string& name, string* algorithm, string* content) { return false; }
+ virtual bool getTSIGKey(const string& name, string *remote_name, string* algorithm, string* content) { return false; }
virtual bool setDomainMetadata(const string& name, const std::string& kind, std::vector<std::string>& meta)
virtual bool getDomainMetadata(const string& name, const std::string& kind, std::vector<std::string>& meta)
@@ -435,8 +435,16 @@
return j > 0;
}
-bool LUABackend::getTSIGKey(const string& name, string* algorithm, string* content) {
+bool LUABackend::getTSIGKey(const string& name, string *remote_name, string* algorithm, string* content) {
+ size_t remote_keyname_start;
+ remote_keyname_start = name.find_first_of(':');
+ if (remote_keyname_start != string::npos && remote_keyname_start + 1 < name.length()) {
+ *remote_name = name.substr(remote_keyname_start + 1);
+ } else {
+ *remote_name = name;
+ }
+
if(f_lua_gettsigkey == 0)
return false;
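Review bot: This is a verbatim copy of the `local:remote` split already added to the gsql backend, executed before the `f_lua_gettsigkey == 0` check, so `*remote_name` is written even when the function returns false. A single helper in the base class (or in `UeberBackend::getTSIGKey`) would let this backend stay a thin lookup and keep all backends' handling of the trailing-colon and no-colon cases identical; if it stays here, a one-line comment such as `// "local:remote" -> use the part after ':' in TSIG records` is the minimum.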
Index: modules/mongodbbackend/mongodbbackend.hh
===================================================================
--- modules/mongodbbackend/mongodbbackend.hh (revision 2279)
+++ modules/mongodbbackend/mongodbbackend.hh (working copy)
@@ -68,7 +68,7 @@
bool removeDomainKey(const string& name, unsigned int id);
bool activateDomainKey(const string& name, unsigned int id);
bool deactivateDomainKey(const string& name, unsigned int id);
- bool getTSIGKey(const string& name, string* algorithm, string* content);
+ bool getTSIGKey(const string& name, string* remote_name, string* algorithm, string* content);
int addDomainKey(const string& name, const KeyData& key);
bool getBeforeAndAfterNamesAbsolute(uint32_t id, const std::string& qname, std::string& unhashed, std::string& before, std::string& after);
Index: modules/mongodbbackend/dnssec.cc
===================================================================
--- modules/mongodbbackend/dnssec.cc (revision 2279)
+++ modules/mongodbbackend/dnssec.cc (working copy)
@@ -32,7 +32,7 @@
virtual bool activateDomainKey(const string& name, unsigned int id)
virtual bool deactivateDomainKey(const string& name, unsigned int id)
- virtual bool getTSIGKey(const string& name, string* algorithm, string* content) { return false; }
+ virtual bool getTSIGKey(const string& name, string *remote_name, string* algorithm, string* content) { return false; }
virtual bool setDomainMetadata(const string& name, const std::string& kind, std::vector<std::string>& meta)
virtual bool getDomainMetadata(const string& name, const std::string& kind, std::vector<std::string>& meta)
@@ -199,7 +199,16 @@
return 1; //or id ??
}
-bool MONGODBBackend::getTSIGKey(const string& name, string* algorithm, string* content) {
+bool MONGODBBackend::getTSIGKey(const string& name, string *remote_name, string* algorithm, string* content) {
+ size_t remote_keyname_start;
+
+ remote_keyname_start = name.find_first_of(':');
+ if (remote_keyname_start != string::npos && remote_keyname_start + 1 < name.length()) {
+ *remote_name = name.substr(remote_keyname_start + 1);
+ } else {
+ *remote_name = name;
+ }
+
if (!dnssec)
return false;
Index: modules/oraclebackend/oraclebackend.cc
===================================================================
--- modules/oraclebackend/oraclebackend.cc (revision 2279)
+++ modules/oraclebackend/oraclebackend.cc (working copy)
@@ -1307,6 +1307,15 @@
bool
OracleBackend::getTSIGKey (const string& name, string* algorithm, string* content)
{
+ size_t remote_keyname_start;
+
+ remote_keyname_start = name.find_first_of(':');
+ if (remote_keyname_start != string::npos && remote_keyname_start + 1 < name.length()) {
+ *remote_name = name.substr(remote_keyname_start + 1);
+ } else {
+ *remote_name = name;
+ }
+
sword rc;
OCIStmt *stmt;
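Review bot: The new body writes to `*remote_name`, but the function signature two lines above the hunk is unchanged, `OracleBackend::getTSIGKey (const string& name, string* algorithm, string* content)`, so `remote_name` is undeclared here and this translation unit will not compile; the header at oraclebackend.hh was updated, which also means the definition no longer matches its declaration. The fix is to change the definition line to `OracleBackend::getTSIGKey (const string& name, string* remote_name, string* algorithm, string* content)`. As with the other backends, the split should ideally not be duplicated here at all.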
Index: modules/oraclebackend/oraclebackend.hh
===================================================================
--- modules/oraclebackend/oraclebackend.hh (revision 2279)
+++ modules/oraclebackend/oraclebackend.hh (working copy)
@@ -83,7 +83,7 @@
bool getDomainMetadata(const string& name, const std::string& kind, std::vector<std::string>& meta);
bool setDomainMetadata(const string& name, const std::string& kind, const std::vector<std::string>& meta);
- bool getTSIGKey(const string& name, string* algorithm, string* content);
+ bool getTSIGKey(const string& name, string *remote_name, string* algorithm, string* content);
bool getDomainKeys(const string& name, unsigned int kind, vector<KeyData>& keys);
bool removeDomainKey(const string& name, unsigned int id);
int addDomainKey(const string& name, const KeyData& key);