Hello community,
here is the log from the commit of package pdns for openSUSE:Factory checked in at 2016-01-01 19:48:56
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/pdns (Old)
and /work/SRC/openSUSE:Factory/.pdns.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "pdns"
Changes:
--------
--- /work/SRC/openSUSE:Factory/pdns/pdns.changes 2015-09-03 18:12:20.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.pdns.new/pdns.changes 2016-01-01 19:51:21.000000000 +0100
@@ -1,0 +2,28 @@
+Tue Nov 3 16:02:55 UTC 2015 - michael@stroeder.com
+
+- update to 3.4.7
+
+Bug fixes:
+* Ignore invalid/empty TKEY and TSIG records (Christian Hofstaedtler)
+* Don't reply to truncated queries (Christian Hofstaedtler)
+* don't log out-of-zone ents during AXFR in (Kees Monshouwer)
+* Prevent XSS by escaping user input. Thanks to Pierre Jaury and Damien
+ Cauquil at Sysdream for pointing this out.
+* Handle NULL and boolean properly in gPGSql (Aki Tuomi)
+* Improve negative caching (Kees Monshouwer)
+* Do not divide timeout twice (Aki Tuomi)
+* Correctly sort records with a priority.
+
+Improvements:
+* Direct query answers and correct zone-rectification in the GeoIP
+backend (Aki Tuomi)
+* Use token names to identify PKCS#11 keys (Aki Tuomi)
+* Fix typo in an error message (Arjen Zonneveld)
+* limit NSEC3 iterations in bindbackend (Kees Monshouwer)
+* Initialize minbody (Aki Tuomi)
+
+New features:
+* OPENPGPKEY record-type (James Cloos and Kees Monshouwer)
+* add global soa-edit settings (Kees Monshouwer)
+
+-------------------------------------------------------------------
Old:
----
pdns-3.4.6.tar.bz2
New:
----
pdns-3.4.7.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ pdns.spec ++++++
--- /var/tmp/diff_new_pack.zOYUmW/_old 2016-01-01 19:51:23.000000000 +0100
+++ /var/tmp/diff_new_pack.zOYUmW/_new 2016-01-01 19:51:23.000000000 +0100
@@ -17,11 +17,11 @@
Name: pdns
-Version: 3.4.6
+Version: 3.4.7
Release: 0
#
%define pkg_name pdns
-%define pkg_version 3.4.6
+%define pkg_version 3.4.7
%define polarssl_version 1.3.2
#
%define home %{_var}/lib/pdns
++++++ pdns-3.4.6.tar.bz2 -> pdns-3.4.7.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-3.4.6/build-scripts/redhat/pdns-server-test.spec new/pdns-3.4.7/build-scripts/redhat/pdns-server-test.spec
--- old/pdns-3.4.6/build-scripts/redhat/pdns-server-test.spec 2015-08-27 15:17:34.000000000 +0200
+++ new/pdns-3.4.7/build-scripts/redhat/pdns-server-test.spec 2015-11-03 15:36:48.000000000 +0100
@@ -9,7 +9,7 @@
Epoch: 0
License: GPL
Group: System/Servers
-Source: http://downloads.powerdns.com/releases/pdns-3.4.6.tar.bz2
+Source: http://downloads.powerdns.com/releases/pdns-3.4.7.tar.bz2
BuildRequires: autoconf automake
BuildRequires: gcc gcc-c++
@@ -30,7 +30,7 @@
PowerDNS testbuild
%prep
-%setup -q -n pdns-3.4.6
+%setup -q -n pdns-3.4.7
%build
%configure \
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-3.4.6/configure new/pdns-3.4.7/configure
--- old/pdns-3.4.6/configure 2015-08-27 15:17:47.000000000 +0200
+++ new/pdns-3.4.7/configure 2015-11-03 15:37:00.000000000 +0100
@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for pdns 3.4.6.
+# Generated by GNU Autoconf 2.69 for pdns 3.4.7.
#
#
# Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@@ -587,8 +587,8 @@
# Identity of this package.
PACKAGE_NAME='pdns'
PACKAGE_TARNAME='pdns'
-PACKAGE_VERSION='3.4.6'
-PACKAGE_STRING='pdns 3.4.6'
+PACKAGE_VERSION='3.4.7'
+PACKAGE_STRING='pdns 3.4.7'
PACKAGE_BUGREPORT=''
PACKAGE_URL=''
@@ -1470,7 +1470,7 @@
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures pdns 3.4.6 to adapt to many kinds of systems.
+\`configure' configures pdns 3.4.7 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1540,7 +1540,7 @@
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of pdns 3.4.6:";;
+ short | recursive ) echo "Configuration of pdns 3.4.7:";;
esac
cat <<\_ACEOF
@@ -1740,7 +1740,7 @@
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-pdns configure 3.4.6
+pdns configure 3.4.7
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2347,7 +2347,7 @@
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by pdns $as_me 3.4.6, which was
+It was created by pdns $as_me 3.4.7, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
@@ -3170,7 +3170,7 @@
# Define the identity of the package.
PACKAGE='pdns'
- VERSION='3.4.6'
+ VERSION='3.4.7'
cat >>confdefs.h <<_ACEOF
@@ -21192,7 +21192,7 @@
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by pdns $as_me 3.4.6, which was
+This file was extended by pdns $as_me 3.4.7, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -21258,7 +21258,7 @@
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
-pdns config.status 3.4.6
+pdns config.status 3.4.7
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-3.4.6/configure.ac new/pdns-3.4.7/configure.ac
--- old/pdns-3.4.6/configure.ac 2015-08-27 15:17:34.000000000 +0200
+++ new/pdns-3.4.7/configure.ac 2015-11-03 15:36:48.000000000 +0100
@@ -1,7 +1,7 @@
AC_PREREQ([2.61])
dnl The following lines may be patched by set-version-auth.
-AC_INIT([pdns], [3.4.6])
+AC_INIT([pdns], [3.4.7])
AC_SUBST([DIST_HOST], [jenkins@autotest.powerdns.com])
dnl End patch area.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-3.4.6/debian-pdns/changelog new/pdns-3.4.7/debian-pdns/changelog
--- old/pdns-3.4.6/debian-pdns/changelog 2015-08-27 15:17:34.000000000 +0200
+++ new/pdns-3.4.7/debian-pdns/changelog 2015-11-03 15:36:48.000000000 +0100
@@ -1,4 +1,4 @@
-pdns (3.4.6-1) unstable; urgency=medium
+pdns (3.4.7-1) unstable; urgency=medium
* fill in the blanks
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-3.4.6/modules/bindbackend/bindbackend2.hh new/pdns-3.4.7/modules/bindbackend/bindbackend2.hh
--- old/pdns-3.4.6/modules/bindbackend/bindbackend2.hh 2015-08-24 11:11:59.000000000 +0200
+++ new/pdns-3.4.7/modules/bindbackend/bindbackend2.hh 2015-11-02 13:32:28.000000000 +0100
@@ -39,6 +39,7 @@
#include "pdns/lock.hh"
#include "pdns/misc.hh"
#include "pdns/dnsbackend.hh"
+#include "pdns/logger.hh"
#include "pdns/namespaces.hh"
using namespace ::boost::multi_index;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-3.4.6/modules/bindbackend/binddnssec.cc new/pdns-3.4.7/modules/bindbackend/binddnssec.cc
--- old/pdns-3.4.6/modules/bindbackend/binddnssec.cc 2015-06-09 14:28:57.000000000 +0200
+++ new/pdns-3.4.7/modules/bindbackend/binddnssec.cc 2015-11-02 13:32:28.000000000 +0100
@@ -108,16 +108,19 @@
getDomainMetadata(zname, "NSEC3PARAM", meta);
if(!meta.empty())
value=*meta.begin();
-
- if(value.empty()) { // "no NSEC3"
- return false;
- }
-
+ else
+ return false; // "no NSEC3"
+
+ static int maxNSEC3Iterations=::arg().asNum("max-nsec3-iterations");
if(ns3p) {
NSEC3PARAMRecordContent* tmp=dynamic_cast(DNSRecordContent::mastermake(QType::NSEC3PARAM, 1, value));
*ns3p = *tmp;
delete tmp;
}
+ if (ns3p->d_iterations > maxNSEC3Iterations) {
+ ns3p->d_iterations = maxNSEC3Iterations;
+ L<
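Review bot: `ns3p` is dereferenced unguarded at L204–L205 although the block directly above (L199) treats it as optional, so a caller that passes a null pointer to learn only whether NSEC3 is configured now dereferences null instead of returning normally. Move the iteration cap inside the `if(ns3p) { ... }` block, or guard it: `if (ns3p && ns3p->d_iterations > maxNSEC3Iterations) {`. The `static int maxNSEC3Iterations` at L198 reads the argument once at first call, which is fine but deserves a one-line comment. The enclosing function starts before the hunk and the log statement at L206 is cut off in this extract.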
pthread_rwlock_t GeoIPBackend::s_state_lock=PTHREAD_RWLOCK_INITIALIZER;
+typedef map service_map_t;
+typedef map record_map_t;
class GeoIPDomain {
public:
int id;
string domain;
int ttl;
- map services;
- map records;
+ service_map_t services;
+ record_map_t records;
};
static vector<GeoIPDomain> s_domains;
@@ -128,6 +130,48 @@
dom.services[service->first.as<string>()] = service->second.as<string>();
}
+ // rectify the zone, first static records
+ BOOST_FOREACH(record_map_t::value_type& item, dom.records) {
+ // ensure we have parent in records
+ string name = item.first;
+ while(chopOff(name) && endsOn(name, dom.domain)) {
+ if (dom.records.find(name) == dom.records.end()) {
+ DNSResourceRecord rr;
+ vector<DNSResourceRecord> rrs;
+ rr.domain_id = dom.id;
+ rr.ttl = dom.ttl;
+ rr.qname = name;
+ rr.qtype = "NULL";
+ rr.content = "";
+ rr.auth = 1;
+ rr.d_place = DNSResourceRecord::ANSWER;
+ rrs.push_back(rr);
+ std::swap(dom.records[name], rrs);
+ }
+ }
+ }
+
+ // then services
+ BOOST_FOREACH(service_map_t::value_type& item, dom.services) {
+ // ensure we have parent in records
+ string name = item.first;
+ while(chopOff(name) && endsOn(name, dom.domain)) {
+ if (dom.records.find(name) == dom.records.end()) {
+ DNSResourceRecord rr;
+ vector<DNSResourceRecord> rrs;
+ rr.domain_id = dom.id;
+ rr.ttl = dom.ttl;
+ rr.qname = name;
+ rr.qtype = "NULL";
+ rr.content = "";
+ rr.auth = 1;
+ rr.d_place = DNSResourceRecord::ANSWER;
+ rrs.push_back(rr);
+ std::swap(dom.records[name], rrs);
+ }
+ }
+ }
+
tmp_domains.push_back(dom);
}
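Review bot: The two BOOST_FOREACH loops at L225–L243 and L246–L264 have identical bodies (walk up from the name and insert a placeholder NULL record for every missing parent); only the map being iterated differs, which lets the two copies drift apart under maintenance. Factor the body into file-static helpers and call them from both loops, e.g. `BOOST_FOREACH(record_map_t::value_type& item, dom.records) rectifyParents(dom, item.first);` and the same with `service_map_t` over `dom.services`. Inserting into `dom.records` while the first loop iterates over that same map is valid for `std::map` (insertion does not invalidate iterators), but it is subtle enough to deserve a one-line comment. The enclosing function starts and ends outside the hunk, so the helpers have to be placed before it; the names below are a proposal.
```cpp
// Insert an empty non-terminal (placeholder "NULL" record) for `name`
// unless a record set for it already exists.
static void ensureEmptyNonTerminal(GeoIPDomain& dom, const string& name)
{
  if (dom.records.find(name) != dom.records.end())
    return;
  DNSResourceRecord rr;
  vector<DNSResourceRecord> rrs;
  rr.domain_id = dom.id;
  rr.ttl = dom.ttl;
  rr.qname = name;
  rr.qtype = "NULL";
  rr.content = "";
  rr.auth = 1;
  rr.d_place = DNSResourceRecord::ANSWER;
  rrs.push_back(rr);
  std::swap(dom.records[name], rrs);
}

// Walk from `name` up towards dom.domain and make sure every parent
// inside the zone has a record set.
static void rectifyParents(GeoIPDomain& dom, string name)
{
  while(chopOff(name) && endsOn(name, dom.domain))
    ensureEmptyNonTerminal(dom, name);
}

// … unchanged: service parsing above the rectify step …
      // rectify the zone, first static records, then services.
      // Inserting into dom.records while iterating it is safe for std::map.
      BOOST_FOREACH(record_map_t::value_type& item, dom.records)
        rectifyParents(dom, item.first);
      BOOST_FOREACH(service_map_t::value_type& item, dom.services)
        rectifyParents(dom, item.first);
```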
@@ -188,8 +232,6 @@
return;
}
- if (!(qtype == QType::ANY || qtype == QType::CNAME)) return;
-
string ip = "0.0.0.0";
bool v6 = false;
if (pkt_p != NULL) {
@@ -203,6 +245,21 @@
format = format2str(format, ip, v6);
+ // see if the record can be found
+ if (dom.records.count(format)) { // return static value
+ record_map_t::iterator i = dom.records.find(format);
+ BOOST_FOREACH(DNSResourceRecord rr, i->second) {
+ if (qtype == QType::ANY || rr.qtype == qtype) {
+ rr.scopeMask = (v6 ? 128 : 32);
+ d_result.push_back(rr);
+ d_result.back().qname = qdomain;
+ }
+ }
+ return;
+ }
+
+ if (!(qtype == QType::ANY || qtype == QType::CNAME)) return;
+
DNSResourceRecord rr;
rr.domain_id = dom.id;
rr.qtype = QType::CNAME;
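Review bot: `dom.records.count(format)` at L279 followed by `dom.records.find(format)` at L280 looks the key up twice; a single `record_map_t::iterator i = dom.records.find(format); if (i != dom.records.end()) {` does both. The loop variable `DNSResourceRecord rr` at L281 is deliberately a copy because `scopeMask` is modified before the record is pushed, which is worth a short comment (`// copy: scopeMask is adjusted per answer`) so nobody later changes it to a reference. The enclosing function starts and ends outside the hunk.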
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-3.4.6/modules/gpgsqlbackend/spgsql.cc new/pdns-3.4.7/modules/gpgsqlbackend/spgsql.cc
--- old/pdns-3.4.6/modules/gpgsqlbackend/spgsql.cc 2015-06-09 14:28:57.000000000 +0200
+++ new/pdns-3.4.7/modules/gpgsqlbackend/spgsql.cc 2015-09-15 12:04:49.000000000 +0200
@@ -166,8 +166,16 @@
return false;
}
- for(int i=0;ireadWithTimeout(buffer, sizeof(buffer), timeout);
if (rd==0)
throw NetworkError("EOF while reading");
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-3.4.6/pdns/common_startup.cc new/pdns-3.4.7/pdns/common_startup.cc
--- old/pdns-3.4.6/pdns/common_startup.cc 2015-06-09 14:29:04.000000000 +0200
+++ new/pdns-3.4.7/pdns/common_startup.cc 2015-11-02 14:05:07.000000000 +0100
@@ -138,6 +138,8 @@
::arg().set("soa-refresh-default","Default SOA refresh")="10800";
::arg().set("soa-retry-default","Default SOA retry")="3600";
::arg().set("soa-expire-default","Default SOA expire")="604800";
+ ::arg().set("default-soa-edit","Default SOA-EDIT value")="";
+ ::arg().set("default-soa-edit-signed","Default SOA-EDIT value for signed zones")="";
::arg().set("trusted-notification-proxy", "IP address of incoming notification proxy")="";
::arg().set("slave-renotify", "If we should send out notifications for slaved updates")="no";
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-3.4.6/pdns/dbdnsseckeeper.cc new/pdns-3.4.7/pdns/dbdnsseckeeper.cc
--- old/pdns-3.4.6/pdns/dbdnsseckeeper.cc 2015-06-09 14:29:04.000000000 +0200
+++ new/pdns-3.4.7/pdns/dbdnsseckeeper.cc 2015-11-02 14:05:07.000000000 +0100
@@ -212,6 +212,23 @@
}
}
+void DNSSECKeeper::getSoaEdit(const std::string& zname, std::string& value)
+{
+ static const string soaEdit(::arg()["default-soa-edit"]);
+ static const string soaEditSigned(::arg()["default-soa-edit-signed"]);
+
+ getFromMeta(zname, "SOA-EDIT", value);
+
+ if ((!soaEdit.empty() || !soaEditSigned.empty()) && value.empty() && !isPresigned(zname)) {
+ if (!soaEditSigned.empty() && isSecuredZone(zname))
+ value=soaEditSigned;
+ if (value.empty())
+ value=soaEdit;
+ }
+
+ return;
+}
+
uint64_t DNSSECKeeper::dbdnssecCacheSizes(const std::string& str)
{
if(str=="meta-cache-size") {
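Review bot: `getSoaEdit` at L322–L337 has no comment stating its precedence rules, which are not obvious from the nested conditions: explicit SOA-EDIT metadata wins, then `default-soa-edit-signed` for secured zones, then `default-soa-edit`, and a presigned zone never receives a default. A header comment such as `// Resolve the effective SOA-EDIT for zname: zone metadata if set, else default-soa-edit-signed (secured zones only), else default-soa-edit; presigned zones get no default.` would capture that. The bare `return;` at L336 is redundant in a void function and can be dropped. The two `static const` locals at L324–L325 read `::arg()` once on the first call, so if these settings can change at runtime the function will not see it; a comment should say that this is intended.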
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-3.4.6/pdns/dnsbackend.cc new/pdns-3.4.7/pdns/dnsbackend.cc
--- old/pdns-3.4.6/pdns/dnsbackend.cc 2015-06-09 14:29:04.000000000 +0200
+++ new/pdns-3.4.7/pdns/dnsbackend.cc 2015-10-13 10:37:24.000000000 +0200
@@ -44,18 +44,23 @@
return true;
}
-bool DNSBackend::getAuth(DNSPacket *p, SOAData *sd, const string &target, int *zoneId, const int best_match_len)
+bool DNSBackend::getAuth(DNSPacket *p, SOAData *sd, const string &target, int *zoneId, const int best_match_len, map& negCacheMap)
{
bool found=false;
string subdomain(target);
do {
- if( best_match_len >= (int)subdomain.length() )
+ if( best_match_len >= (int)subdomain.length() && p->qtype != QType::DS )
break;
- if( this->getSOA( subdomain, *sd, p ) ) {
+ map::iterator it = negCacheMap.find(subdomain);
+ bool negCached = ( it != negCacheMap.end() && it->second == 1 );
+
+ if(! negCached && this->getSOA( subdomain, *sd, p ) ) {
sd->qname = subdomain;
if(zoneId)
*zoneId = sd->domain_id;
+ if(found) // Second SOA found, we are done
+ return true;
if(p->qtype.getCode() == QType::DS && pdns_iequals(subdomain, target)) {
// Found authoritative zone but look for parent zone with 'DS' record.
@@ -63,6 +68,8 @@
} else
return true;
}
+ if (found)
+ negCacheMap[subdomain]=2; // don't cache SOA's during our quest for a parent zone
}
while( chopOff( subdomain ) ); // 'www.powerdns.org' -> 'powerdns.org' -> 'org' -> ''
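Review bot: The values stored in `negCacheMap` are bare integers whose meaning is split across two files: `1` at L359 means "negatively cached, skip the SOA lookup", `2` at L374 means "SOA found while hunting for a parent, do not negative-cache", and `0` (written in the ueberbackend.cc hunk at L750 and tested at L780) means "checked, not cached"; only the `2` carries a comment. Declaring named constants next to the `getAuth` declaration in dnsbackend.hh, e.g. `enum NegCacheState { NegCacheUnknown=0, NegCacheNegative=1, NegCacheSkipSOA=2 };` (names are a proposal), and using them at L359, L374, L748, L750 and L780 would make the protocol between `DNSBackend::getAuth` and `UeberBackend` readable; the same applies to the ueberbackend.cc hunk at L738–L789. The map's template arguments are not legible in this extract, so the header comment should also state that the key is the candidate zone name being tested (`subdomain` at L358). The enclosing function starts before the hunk.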
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-3.4.6/pdns/dnsbackend.hh new/pdns-3.4.7/pdns/dnsbackend.hh
--- old/pdns-3.4.6/pdns/dnsbackend.hh 2015-08-24 11:11:59.000000000 +0200
+++ new/pdns-3.4.7/pdns/dnsbackend.hh 2015-10-13 10:37:24.000000000 +0200
@@ -163,7 +163,7 @@
virtual void getAllDomains(vector<DomainInfo> *domains, bool include_disabled=false) { }
/** Determines if we are authoritative for a zone, and at what level */
- virtual bool getAuth(DNSPacket *p, SOAData *sd, const string &target, int *zoneId, const int best_match_len);
+ virtual bool getAuth(DNSPacket *p, SOAData *sd, const string &target, int *zoneId, const int best_match_len, map& negCacheMap);
struct KeyData {
unsigned int id;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-3.4.6/pdns/dnspacket.cc new/pdns-3.4.7/pdns/dnspacket.cc
--- old/pdns-3.4.6/pdns/dnspacket.cc 2015-08-25 19:58:41.000000000 +0200
+++ new/pdns-3.4.7/pdns/dnspacket.cc 2015-11-02 11:33:21.000000000 +0100
@@ -464,10 +464,15 @@
bool gotit=false;
for(MOADNSParser::answers_t::const_iterator i=mdp.d_answers.begin(); i!=mdp.d_answers.end(); ++i) {
if(i->first.d_type == QType::TSIG) {
- *trc = *boost::dynamic_pointer_cast<TSIGRecordContent>(i->first.d_content);
-
- gotit=true;
+ // cast can fail, f.e. if d_content is an UnknownRecordContent.
+ shared_ptr<TSIGRecordContent> content = boost::dynamic_pointer_cast<TSIGRecordContent>(i->first.d_content);
+ if (!content) {
+ L<first.d_label;
+ gotit=true;
if(!keyname->empty())
keyname->resize(keyname->size()-1); // drop the trailing dot
}
@@ -492,7 +497,13 @@
}
if(i->first.d_type == QType::TKEY) {
- *tr = *boost::dynamic_pointer_cast<TKEYRecordContent>(i->first.d_content);
+ // cast can fail, f.e. if d_content is an UnknownRecordContent.
+ shared_ptr<TKEYRecordContent> content = boost::dynamic_pointer_cast<TKEYRecordContent>(i->first.d_content);
+ if (!content) {
+ L<first.d_label;
gotit=true;
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-3.4.6/pdns/dnsrecords.cc new/pdns-3.4.7/pdns/dnsrecords.cc
--- old/pdns-3.4.6/pdns/dnsrecords.cc 2015-06-09 14:29:04.000000000 +0200
+++ new/pdns-3.4.7/pdns/dnsrecords.cc 2015-11-02 13:32:28.000000000 +0100
@@ -284,6 +284,10 @@
conv.xfrHexBlob(d_cert, true);
)
+boilerplate_conv(OPENPGPKEY, 61,
+ conv.xfrBlob(d_keyring);
+ )
+
#undef DS
DSRecordContent::DSRecordContent() : DNSRecordContent(43) {}
boilerplate_conv(DS, 43,
@@ -525,6 +529,7 @@
NSEC3RecordContent::report();
NSEC3PARAMRecordContent::report();
TLSARecordContent::report();
+ OPENPGPKEYRecordContent::report();
DLVRecordContent::report();
DNSRecordContent::regist(QClass::ANY, QType::TSIG, &TSIGRecordContent::make, &TSIGRecordContent::make, "TSIG");
DNSRecordContent::regist(QClass::ANY, QType::TKEY, &TKEYRecordContent::make, &TKEYRecordContent::make, "TKEY");
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-3.4.6/pdns/dnsrecords.hh new/pdns-3.4.7/pdns/dnsrecords.hh
--- old/pdns-3.4.6/pdns/dnsrecords.hh 2015-06-09 14:29:05.000000000 +0200
+++ new/pdns-3.4.7/pdns/dnsrecords.hh 2015-11-02 13:32:28.000000000 +0100
@@ -348,6 +348,15 @@
string d_cert;
};
+class OPENPGPKEYRecordContent : public DNSRecordContent
+{
+public:
+ includeboilerplate(OPENPGPKEY)
+
+private:
+ string d_keyring;
+};
+
class RRSIGRecordContent : public DNSRecordContent
{
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-3.4.6/pdns/dnssecinfra.cc new/pdns-3.4.7/pdns/dnssecinfra.cc
--- old/pdns-3.4.6/pdns/dnssecinfra.cc 2015-06-09 14:29:05.000000000 +0200
+++ new/pdns-3.4.7/pdns/dnssecinfra.cc 2015-11-02 13:32:28.000000000 +0100
@@ -60,8 +60,7 @@
pkcs11=true;
continue;
} else if (pdns_iequals(key,"slot")) {
- int slot = atoi(value.c_str());
- stormap["slot"]=lexical_cast<string>(slot);
+ stormap["slot"]=value;
continue;
} else if (pdns_iequals(key,"label")) {
stormap["label"]=value;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-3.4.6/pdns/dnsseckeeper.hh new/pdns-3.4.7/pdns/dnsseckeeper.hh
--- old/pdns-3.4.6/pdns/dnsseckeeper.hh 2015-06-09 14:29:05.000000000 +0200
+++ new/pdns-3.4.7/pdns/dnsseckeeper.hh 2015-11-02 14:05:07.000000000 +0100
@@ -106,6 +106,7 @@
}
void getFromMeta(const std::string& zname, const std::string& key, std::string& value);
+ void getSoaEdit(const std::string& zname, std::string& value);
private:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-3.4.6/pdns/docs/dnstcpbench.1 new/pdns-3.4.7/pdns/docs/dnstcpbench.1
--- old/pdns-3.4.6/pdns/docs/dnstcpbench.1 2015-08-27 15:18:35.000000000 +0200
+++ new/pdns-3.4.7/pdns/docs/dnstcpbench.1 2015-11-03 15:37:39.000000000 +0100
@@ -2,12 +2,12 @@
.\" Title: dnstcpbench
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.76.1 http://docbook.sf.net/
-.\" Date: 08/27/2015
+.\" Date: 11/03/2015
.\" Manual: \ \&
.\" Source: \ \&
.\" Language: English
.\"
-.TH "DNSTCPBENCH" "1" "08/27/2015" "\ \&" "\ \&"
+.TH "DNSTCPBENCH" "1" "11/03/2015" "\ \&" "\ \&"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-3.4.6/pdns/ext/yahttp/yahttp/reqresp.hpp new/pdns-3.4.7/pdns/ext/yahttp/yahttp/reqresp.hpp
--- old/pdns-3.4.6/pdns/ext/yahttp/yahttp/reqresp.hpp 2015-06-19 11:40:21.000000000 +0200
+++ new/pdns-3.4.7/pdns/ext/yahttp/yahttp/reqresp.hpp 2015-11-03 14:32:09.000000000 +0100
@@ -303,7 +303,7 @@
void initialize(T* target) {
chunked = false; chunk_size = 0;
- bodybuf.str(""); maxbody = 0;
+ bodybuf.str(""); minbody = 0; maxbody = 0;
pos = 0; state = 0; this->target = target;
hasBody = false;
buffer = "";
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-3.4.6/pdns/packethandler.cc new/pdns-3.4.7/pdns/packethandler.cc
--- old/pdns-3.4.6/pdns/packethandler.cc 2015-08-26 11:29:42.000000000 +0200
+++ new/pdns-3.4.7/pdns/packethandler.cc 2015-11-02 11:33:21.000000000 +0100
@@ -996,6 +996,14 @@
return 0;
}
+ if(p->d.tc) { // truncated query. MOADNSParser would silently parse this packet in an incomplete way.
+ if(d_logDNSDetails)
+ L<getRemote());
+ return 0;
+ }
+
if (p->hasEDNS() && p->getEDNSVersion() > 0) {
r = p->replyPacket();
r->setRcode(16 & 0xF);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-3.4.6/pdns/pdns.conf-dist new/pdns-3.4.7/pdns/pdns.conf-dist
--- old/pdns-3.4.6/pdns/pdns.conf-dist 2015-06-09 14:29:11.000000000 +0200
+++ new/pdns-3.4.7/pdns/pdns.conf-dist 2015-11-02 14:05:07.000000000 +0100
@@ -85,6 +85,16 @@
# default-ksk-size=0
#################################
+# default-soa-edit Default SOA-EDIT value
+#
+# default-soa-edit=
+
+#################################
+# default-soa-edit-signed Default SOA-EDIT value for signed zones
+#
+# default-soa-edit-signed=
+
+#################################
# default-soa-mail mail address to insert in the SOA record if none set in the backend
#
# default-soa-mail=
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-3.4.6/pdns/pdnssec.cc new/pdns-3.4.7/pdns/pdnssec.cc
--- old/pdns-3.4.6/pdns/pdnssec.cc 2015-08-24 14:32:10.000000000 +0200
+++ new/pdns-3.4.7/pdns/pdnssec.cc 2015-11-02 14:05:07.000000000 +0100
@@ -133,6 +133,8 @@
::arg().set("default-ksk-size","Default KSK size (0 means default)")="0";
::arg().set("default-zsk-algorithms","Default ZSK algorithms")="rsasha256";
::arg().set("default-zsk-size","Default KSK size (0 means default)")="0";
+ ::arg().set("default-soa-edit","Default SOA-EDIT value")="";
+ ::arg().set("default-soa-edit-signed","Default SOA-EDIT value for signed zones")="";
::arg().set("max-ent-entries", "Maximum number of empty non-terminals in a zone")="100000";
::arg().set("module-dir","Default directory for modules")=PKGLIBDIR;
::arg().set("entropy-source", "If set, read entropy from this file")="/dev/urandom";
@@ -665,9 +667,14 @@
cout<<"No SOA for zone '"<lookup(QType(QType::SOA), zone);
vector<DNSResourceRecord> rrs;
@@ -2034,7 +2041,7 @@
std::vectorDNSBackend::KeyData keys;
if (cmds.size() < 9) {
- std::cout << "Usage: pdnssec hsm assign zone algorithm ksk|zsk module slot pin label" << std::endl;
+ std::cout << "Usage: pdnssec hsm assign zone algorithm ksk|zsk module token pin label" << std::endl;
return 1;
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-3.4.6/pdns/pkcs11signers.cc new/pdns-3.4.7/pdns/pkcs11signers.cc
--- old/pdns-3.4.6/pdns/pkcs11signers.cc 2015-06-09 14:29:11.000000000 +0200
+++ new/pdns-3.4.7/pdns/pkcs11signers.cc 2015-11-02 13:32:28.000000000 +0100
@@ -213,6 +213,7 @@
L< pkcs11_slots;
static std::map pkcs11_tokens;
-boost::shared_ptr<Pkcs11Token> Pkcs11Token::GetToken(const std::string& module, const CK_SLOT_ID& slotId, const std::string& label) {
+CK_RV Pkcs11Slot::HuntSlot(const string& tokenId, CK_SLOT_ID &slotId, _CK_SLOT_INFO* info, CK_FUNCTION_LIST* functions)
+{
+ CK_RV err;
+ unsigned long slots;
+ _CK_TOKEN_INFO tinfo;
+
+ // go thru all slots
+ // this is required by certain tokens, otherwise C_GetSlotInfo will not return a token
+ err = functions->C_GetSlotList(CK_FALSE, NULL_PTR, &slots);
+ if (err) {
+ L<C_GetSlotInfo(slotId, info))) {
+ L<C_GetTokenInfo(slotId, &tinfo))) {
+ L<(tinfo.label), 32);
+ // trim it
+ boost::trim(slotName);
+ if (boost::iequals(slotName, tokenId)) {
+ return 0;
+ }
+ }
+
+ // see if we can find it with slotId
+ try {
+ slotId = boost::lexical_cast<int>(tokenId);
+ if ((err = functions->C_GetSlotInfo(slotId, info))) {
+ L<std::string(slotId));
- std::string sidx = tidx;
- tidx.append("|");
- tidx.append(label);
- std::map::iterator tokenIter;
+ std::string sidx = module;
+ sidx.append("|");
+ sidx.append(tokenId);
std::map::iterator slotIter;
CK_RV err;
CK_FUNCTION_LIST* functions;
- if ((tokenIter = pkcs11_tokens.find(tidx)) != pkcs11_tokens.end()) return tokenIter->second;
-
// see if we have slot
if ((slotIter = pkcs11_slots.find(sidx)) != pkcs11_slots.end()) {
- pkcs11_tokens[tidx] = boost::make_shared<Pkcs11Token>(slotIter->second, label);
- return pkcs11_tokens[tidx];
+ return slotIter->second;
}
#ifdef HAVE_P11KIT1_V2
@@ -644,23 +689,30 @@
// try to locate a slot
_CK_SLOT_INFO info;
- unsigned long slots;
-
- // this is required by certain tokens, otherwise C_GetSlotInfo will not return a token
- err = functions->C_GetSlotList(CK_FALSE, NULL_PTR, &slots);
- if (err)
- L<C_GetSlotInfo(slotId, &info))) {
- throw PDNSException(std::string("Cannot find PKCS#11 slot ") + boost::lexical_caststd::string(slotId) + std::string(" on module ") + module + std::string(": error code ") + boost::lexical_caststd::string(err));
+ if ((err = Pkcs11Slot::HuntSlot(tokenId, slotId, &info, functions))) {
+ throw PDNSException(std::string("Cannot find PKCS#11 token ") + tokenId + std::string(" on module ") + module + std::string(": error code ") + boost::lexical_caststd::string(err));
}
// store slot
pkcs11_slots[sidx] = boost::make_shared<Pkcs11Slot>(functions, slotId);
- // looks ok to me.
- pkcs11_tokens[tidx] = boost::make_shared<Pkcs11Token>(pkcs11_slots[sidx], label);
+ return pkcs11_slots[sidx];
+}
+boost::shared_ptr<Pkcs11Token> Pkcs11Token::GetToken(const std::string& module, const string& tokenId, const std::string& label) {
+ // see if we can find module
+ std::string tidx = module;
+ tidx.append("|");
+ tidx.append(boost::lexical_caststd::string(tokenId));
+ tidx.append("|");
+ tidx.append(label);
+ std::map::iterator tokenIter;
+ if ((tokenIter = pkcs11_tokens.find(tidx)) != pkcs11_tokens.end()) return tokenIter->second;
+
+ boost::shared_ptr<Pkcs11Slot> slot = Pkcs11Slot::GetSlot(module, tokenId);
+ pkcs11_tokens[tidx] = boost::make_shared<Pkcs11Token>(slot, label);
return pkcs11_tokens[tidx];
}
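Review bot: `tidx.append(boost::lexical_cast<std::string>(tokenId))` at L633 converts a `std::string` to a `std::string`; the old code cast a numeric slot id, but `tokenId` is already a string, so `tidx.append(tokenId);` is equivalent and clearer. The new `GetSlot`/`GetToken` signatures mix `string` and `std::string` for adjacent parameters (L629, and likewise L566, L646 and the header at L690); one spelling should be used throughout. Because `tokenId` is now resolved by `HuntSlot` (L620) first against token labels with `boost::iequals` at L581 and only then as a numeric slot id — that hunk's boundaries are garbled in this extract, so treat this as inferred — a comment on `GetSlot` stating that resolution order, and whether the case-insensitive label match is intended given that label comparisons are normally exact, would help operators who select signing keys by label.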
@@ -677,6 +729,14 @@
Pkcs11Token::~Pkcs11Token() {
}
+bool PKCS11ModuleSlotLogin(const std::string& module, const string& tokenId, const std::string& pin)
+{
+ boost::shared_ptr<Pkcs11Slot> slot;
+ slot = Pkcs11Slot::GetSlot(module, tokenId);
+ if (slot->LoggedIn()) return true; // no point failing
+ return slot->Login(pin);
+}
+
PKCS11DNSCryptoKeyEngine::PKCS11DNSCryptoKeyEngine(unsigned int algorithm): DNSCryptoKeyEngine(algorithm) {}
PKCS11DNSCryptoKeyEngine::~PKCS11DNSCryptoKeyEngine() {}
PKCS11DNSCryptoKeyEngine::PKCS11DNSCryptoKeyEngine(const PKCS11DNSCryptoKeyEngine& orig) : DNSCryptoKeyEngine(orig.d_algorithm) {}
@@ -866,7 +926,7 @@
boost::assign::push_back(storvect)
(make_pair("Algorithm", boost::lexical_caststd::string(d_algorithm)))
(make_pair("Engine", d_module))
- (make_pair("Slot", boost::lexical_caststd::string(d_slot_id)))
+ (make_pair("Slot", d_slot_id))
(make_pair("PIN", d_pin))
(make_pair("Label", d_label));
return storvect;
@@ -875,7 +935,8 @@
void PKCS11DNSCryptoKeyEngine::fromISCMap(DNSKEYRecordContent& drc, stormap_t& stormap) {
drc.d_algorithm = atoi(stormap["algorithm"].c_str());
d_module = stormap["engine"];
- d_slot_id = atoi(stormap["slot"].c_str());
+ d_slot_id = stormap["slot"];
+ boost::trim(d_slot_id);
d_pin = stormap["pin"];
d_label = stormap["label"];
// validate parameters
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-3.4.6/pdns/pkcs11signers.hh new/pdns-3.4.7/pdns/pkcs11signers.hh
--- old/pdns-3.4.6/pdns/pkcs11signers.hh 2015-06-09 14:29:11.000000000 +0200
+++ new/pdns-3.4.7/pdns/pkcs11signers.hh 2015-11-02 13:32:28.000000000 +0100
@@ -2,7 +2,7 @@
{
protected:
std::string d_module;
- unsigned long d_slot_id;
+ std::string d_slot_id;
std::string d_pin;
std::string d_label;
@@ -41,3 +41,4 @@
static DNSCryptoKeyEngine* maker(unsigned int algorithm);
};
+bool PKCS11ModuleSlotLogin(const std::string& module, const string& tokenId, const std::string& pin);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-3.4.6/pdns/qtype.hh new/pdns-3.4.7/pdns/qtype.hh
--- old/pdns-3.4.6/pdns/qtype.hh 2015-06-09 14:29:12.000000000 +0200
+++ new/pdns-3.4.7/pdns/qtype.hh 2015-11-02 13:32:28.000000000 +0100
@@ -82,7 +82,7 @@
#undef DS
enum typeenum {A=1, NS=2, CNAME=5, SOA=6, MR=9, PTR=12, HINFO=13, MX=15, TXT=16, RP=17, AFSDB=18, SIG=24, KEY=25, AAAA=28, LOC=29, SRV=33, NAPTR=35, KX=36,
CERT=37, A6=38, DNAME=39, OPT=41, DS=43, SSHFP=44, IPSECKEY=45, RRSIG=46, NSEC=47, DNSKEY=48, DHCID=49, NSEC3=50, NSEC3PARAM=51,
- TLSA=52, SPF=99, EUI48=108, EUI64=109, TKEY=249, TSIG=250, IXFR=251, AXFR=252, MAILB=253, MAILA=254, ANY=255, URL=256, MBOXFW=257, CURL=258, ADDR=259, DLV=32769} types;
+ TLSA=52, OPENPGPKEY=61, SPF=99, EUI48=108, EUI64=109, TKEY=249, TSIG=250, IXFR=251, AXFR=252, MAILB=253, MAILA=254, ANY=255, URL=256, MBOXFW=257, CURL=258, ADDR=259, DLV=32769} types;
typedef pair namenum;
static vector<namenum> names;
@@ -153,6 +153,7 @@
qtype_insert("NSEC3", 50);
qtype_insert("NSEC3PARAM", 51);
qtype_insert("TLSA", 52);
+ qtype_insert("OPENPGPKEY", 61);
qtype_insert("SPF", 99);
qtype_insert("EUI48", 108);
qtype_insert("EUI64", 109);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-3.4.6/pdns/rfc2136handler.cc new/pdns-3.4.7/pdns/rfc2136handler.cc
--- old/pdns-3.4.6/pdns/rfc2136handler.cc 2015-06-09 14:29:12.000000000 +0200
+++ new/pdns-3.4.7/pdns/rfc2136handler.cc 2015-11-02 14:05:07.000000000 +0100
@@ -955,13 +955,13 @@
if (!soaEdit2136Setting.empty()) {
soaEdit2136 = soaEdit2136Setting[0];
if (pdns_iequals(soaEdit2136, "SOA-EDIT") || pdns_iequals(soaEdit2136,"SOA-EDIT-INCREASE") ){
- vector<string> soaEditSetting;
- B.getDomainMetadata(di->zone, "SOA-EDIT", soaEditSetting);
+ string soaEditSetting;
+ d_dk.getSoaEdit(di->zone, soaEditSetting);
if (soaEditSetting.empty()) {
L<zone <<"\". Using DEFAULT for SOA-EDIT-DNSUPDATE"< negCacheMap;
// If not special case of caching explicitly disabled (sd->db = -1), first
// find the best match from the cache. If DS then we need to find parent so
// dont bother with caching as it confuses matters.
- if( sd->db != (DNSBackend *)-1 && d_cache_ttl && p->qtype != QType::DS ) {
+ if( sd->db != (DNSBackend *)-1 && (d_cache_ttl || d_negcache_ttl)) {
string subdomain(target);
int cstat, loops = 0;
do {
@@ -292,7 +293,7 @@
cstat = cacheHas(d_question,d_answers);
- if(cstat==1 && !d_answers.empty()) {
+ if(cstat==1 && !d_answers.empty() && d_cache_ttl) {
fillSOAData(d_answers[0].content,*sd);
sd->domain_id = d_answers[0].domain_id;
sd->ttl = d_answers[0].ttl;
@@ -301,29 +302,51 @@
//L<qname << " itteration " << loops <qtype != QType::DS)
return true;
from_cache = true;
best_match_len = sd->qname.length();
- break;
- }
+ if ( p->qtype != QType::DS || best_match_len < (int)target.length())
+ break;
+ } else if (cstat==0 && d_negcache_ttl) {
+ negCacheMap[subdomain]=1;
+ } else
+ negCacheMap[subdomain]=0;
loops++;
}
while( chopOff( subdomain ) ); // 'www.powerdns.org' -> 'powerdns.org' -> 'org' -> ''
}
- for(vector::const_iterator i=backends.begin(); i!=backends.end();++i)
- if((*i)->getAuth(p, sd, target, zoneId, best_match_len)) {
+ for(vector::const_iterator i=backends.begin(); i!=backends.end();++i) {
+
+ // Shortcut for the case that we got a direct hit - no need to go
+ // through the other backends then.
+ if( best_match_len == (int)target.length() && p->qtype != QType::DS )
+ goto auth_found;
+
+ if((*i)->getAuth(p, sd, target, zoneId, best_match_len, negCacheMap)) {
best_match_len = sd->qname.length();
from_cache = false;
+ }
+ }
- // Shortcut for the case that we got a direct hit - no need to go
- // through the other backends then.
- if( best_match_len == (int)target.length() )
- goto auth_found;
+ if( sd->db != (DNSBackend *)-1 && d_negcache_ttl) {
+ string shorter(target);
+
+ d_question.qtype=QType::SOA;
+ d_question.zoneId=-1;
+ while((int)shorter.length() > best_match_len ) {
+ map::iterator it = negCacheMap.find(shorter);
+ if (it == negCacheMap.end() || it->second == 0) {
+ d_question.qname=shorter;
+ addNegCache(d_question);
+ }
+ if (!chopOff(shorter))
+ break;
}
+ }
if( best_match_len == -1 )
return false;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-3.4.6/pdns/ueberbackend.hh new/pdns-3.4.7/pdns/ueberbackend.hh
--- old/pdns-3.4.6/pdns/ueberbackend.hh 2015-08-24 11:12:00.000000000 +0200
+++ new/pdns-3.4.7/pdns/ueberbackend.hh 2015-10-13 10:37:24.000000000 +0200
@@ -114,8 +114,8 @@
void lookup(const QType &, const string &qdomain, DNSPacket *pkt_p=0, int zoneId=-1);
/* 5-arg version is only valid for backends and should never be called directly */
- virtual bool getAuth(DNSPacket *p, SOAData *sd, const string &target, int *zoneId, const int best_match_len) {
- throw PDNSException("5-arg version of getAuth should not be called in UeberBackend");
+ virtual bool getAuth(DNSPacket *p, SOAData *sd, const string &target, int *zoneId, const int best_match_len, map& negCacheMap) {
+ throw PDNSException("6-arg version of getAuth should not be called in UeberBackend");
}
bool getAuth(DNSPacket *p, SOAData *sd, const string &target, int *zoneId);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-3.4.6/pdns/ws-auth.cc new/pdns-3.4.7/pdns/ws-auth.cc
--- old/pdns-3.4.6/pdns/ws-auth.cc 2015-08-24 11:12:00.000000000 +0200
+++ new/pdns-3.4.7/pdns/ws-auth.cc 2015-09-30 13:07:31.000000000 +0200
@@ -122,6 +122,9 @@
case '>':
result += ">";
break;
+ case '"':
+ result += """;
+ break;
default:
result += *it;
}
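Review bot: The escaper still passes `'` through the `default:` branch at L812–L813 after this hunk (the cases visible here cover `>` and the new `"`), so output placed inside a single-quoted HTML attribute remains unescaped; add `case '\'': result += "&#39;"; break;` next to the new `"` case. The extract shows L810 with its entity decoded (`"""`); assuming the source literal is `&quot;`, `&#39;` is the matching form for the apostrophe that every HTML version accepts. Whether `&` itself is handled is above the hunk and not visible; it has to be escaped before the other characters or the entities this function emits can be undone. The enclosing function starts outside the hunk.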
@@ -141,15 +144,15 @@
}
ret<<"