Hello community, here is the log from the commit of package pdns for openSUSE:Factory checked in at 2016-06-07 23:47:56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/pdns (Old) and /work/SRC/openSUSE:Factory/.pdns.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "pdns" Changes: -------- --- /work/SRC/openSUSE:Factory/pdns/pdns.changes 2016-02-05 00:32:16.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.pdns.new/pdns.changes 2016-06-07 23:48:01.000000000 +0200 @@ -1,0 +2,11 @@ +Sun May 29 14:17:49 UTC 2016 - [email protected] + +- update to 3.4.9 + * use OpenSSL for ECDSA signing where available + * allow common signing key + * Add a disable-syslog setting + * fix SOA caching with multiple backends + * whitespace-related zone parsing fixes [ticket #3568] + * bindbackend: fix, set domain in list() + +------------------------------------------------------------------- Old: ---- pdns-3.4.8.tar.bz2 New: ---- pdns-3.4.9.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ pdns.spec ++++++ --- /var/tmp/diff_new_pack.dYkVHz/_old 2016-06-07 23:48:02.000000000 +0200 +++ /var/tmp/diff_new_pack.dYkVHz/_new 2016-06-07 23:48:02.000000000 +0200 @@ -17,11 +17,11 @@ Name: pdns -Version: 3.4.8 +Version: 3.4.9 Release: 0 # %define pkg_name pdns -%define pkg_version 3.4.8 +%define pkg_version 3.4.9 %define polarssl_version 1.3.2 # %define home %{_var}/lib/pdns ++++++ pdns-3.4.8.tar.bz2 -> pdns-3.4.9.tar.bz2 ++++++ ++++ 2708 lines of diff (skipped) ++++ retrying with extended exclude list diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pdns-3.4.8/build-scripts/redhat/pdns-server-test.spec new/pdns-3.4.9/build-scripts/redhat/pdns-server-test.spec --- old/pdns-3.4.8/build-scripts/redhat/pdns-server-test.spec 2016-02-03 08:45:22.000000000 +0100 +++ new/pdns-3.4.9/build-scripts/redhat/pdns-server-test.spec 2016-05-17 10:38:37.000000000 +0200 
@@ -9,7 +9,7 @@ Epoch: 0 License: GPL Group: System/Servers -Source: http://downloads.powerdns.com/releases/pdns-3.4.8.tar.bz2 +Source: http://downloads.powerdns.com/releases/pdns-3.4.9.tar.bz2 BuildRequires: autoconf automake BuildRequires: gcc gcc-c++ @@ -30,7 +30,7 @@ PowerDNS testbuild %prep -%setup -q -n pdns-3.4.8 +%setup -q -n pdns-3.4.9 %build %configure \ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pdns-3.4.8/config.h.in new/pdns-3.4.9/config.h.in --- old/pdns-3.4.8/config.h.in 2016-02-03 08:45:33.000000000 +0100 +++ new/pdns-3.4.9/config.h.in 2016-05-17 10:38:46.000000000 +0200 @@ -30,6 +30,14 @@ /* Define to 1 if you have crypto++ */ #undef HAVE_CRYPTOPP +/* Define to 1 if you have the declaration of `NID_secp384r1', and to 0 if you + don't. */ +#undef HAVE_DECL_NID_SECP384R1 + +/* Define to 1 if you have the declaration of `NID_X9_62_prime256v1', and to 0 + if you don't. */ +#undef HAVE_DECL_NID_X9_62_PRIME256V1 + /* Define to 1 if you have the <dlfcn.h> header file. */ #undef HAVE_DLFCN_H @@ -93,6 +101,9 @@ /* Define to 1 if you have the <odbx.h> header file. */ #undef HAVE_ODBX_H +/* Define to 1 if you openssl */ +#undef HAVE_OPENSSL + /* Define to 1 if you have p11-kit-1 */ #undef HAVE_P11KIT1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pdns-3.4.8/configure.ac new/pdns-3.4.9/configure.ac --- old/pdns-3.4.8/configure.ac 2016-02-03 08:45:22.000000000 +0100 +++ new/pdns-3.4.9/configure.ac 2016-05-17 10:38:37.000000000 +0200 
@@ -1,7 +1,7 @@ AC_PREREQ([2.61]) dnl The following lines may be patched by set-version-auth. -AC_INIT([pdns], [3.4.8]) +AC_INIT([pdns], [3.4.9]) AC_SUBST([DIST_HOST], [[email protected]]) dnl End patch area. @@ -88,6 +88,14 @@ [have_mmap=no] ) +AX_CHECK_OPENSSL([ + AM_CONDITIONAL([OPENSSL], [true]) + AC_DEFINE(HAVE_OPENSSL, [1], [Define to 1 if you openssl]) + ],[ + AM_CONDITIONAL([OPENSSL], [false]) + ] +) + PDNS_CHECK_RAGEL AC_CHECK_PROG([ASCIIDOC], [asciidoc], [asciidoc]) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pdns-3.4.8/debian-pdns/changelog new/pdns-3.4.9/debian-pdns/changelog --- old/pdns-3.4.8/debian-pdns/changelog 2016-02-03 08:45:22.000000000 +0100 +++ new/pdns-3.4.9/debian-pdns/changelog 2016-05-17 10:38:37.000000000 +0200 @@ -1,4 +1,4 @@ -pdns (3.4.8-1) unstable; urgency=medium +pdns (3.4.9-1) unstable; urgency=medium * fill in the blanks diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pdns-3.4.8/m4/ax_check_openssl.m4 new/pdns-3.4.9/m4/ax_check_openssl.m4 --- old/pdns-3.4.8/m4/ax_check_openssl.m4 1970-01-01 01:00:00.000000000 +0100 +++ new/pdns-3.4.9/m4/ax_check_openssl.m4 2016-05-13 18:04:46.000000000 +0200 
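Review bot: The description string in the new AC_DEFINE, `[Define to 1 if you openssl]`, is missing a word, and it is the text that lands in config.h.in (the generated header in this same diff carries the identical wording); `AC_DEFINE(HAVE_OPENSSL, [1], [Define to 1 if you have OpenSSL])` reads correctly. It would also help packagers to state next to the AX_CHECK_OPENSSL call what the macro, as modified in this release, actually tests: its action-if-found only runs when the link test succeeds and ECDSA_do_sign plus the P-256/P-384 curve NIDs are available, so HAVE_OPENSSL means "OpenSSL with usable ECDSA", not merely "libcrypto found". A one-line comment such as `dnl HAVE_OPENSSL is only set when ECDSA P-256/P-384 signing is available` above the call would make that explicit.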
@@ -0,0 +1,137 @@ +# =========================================================================== +# http://www.gnu.org/software/autoconf-archive/ax_check_openssl.html +# =========================================================================== +# +# SYNOPSIS +# +# AX_CHECK_OPENSSL([action-if-found[, action-if-not-found]]) +# +# DESCRIPTION +# +# Look for OpenSSL in a number of default spots, or in a user-selected +# spot (via --with-openssl). Sets +# +# OPENSSL_INCLUDES to the include directives required +# OPENSSL_LIBS to the -l directives required +# OPENSSL_LDFLAGS to the -L or -R flags required +# +# and calls ACTION-IF-FOUND or ACTION-IF-NOT-FOUND appropriately +# +# This macro sets OPENSSL_INCLUDES such that source files should use the +# openssl/ directory in include directives: +# +# #include <openssl/hmac.h> +# +# LICENSE +# +# Copyright (c) 2009,2010 Zmanda Inc. <http://www.zmanda.com/> +# Copyright (c) 2009,2010 Dustin J. Mitchell <[email protected]> +# +# Copying and distribution of this file, with or without modification, are +# permitted in any medium without royalty provided the copyright notice +# and this notice are preserved. This file is offered as-is, without any +# warranty. + +#serial 8 (PowerDNS modified) + +AU_ALIAS([CHECK_SSL], [AX_CHECK_OPENSSL]) +AC_DEFUN([AX_CHECK_OPENSSL], [ + found=false + AC_ARG_WITH([openssl], + [AS_HELP_STRING([--with-openssl=DIR], + [root of the OpenSSL directory])], + [ + case "$withval" in + "" | y | ye | yes | n | no) + AC_MSG_ERROR([Invalid --with-openssl value]) + ;; + *) ssldirs="$withval" + ;; + esac + ], [ + # if pkg-config is installed and openssl has installed a .pc file, + # then use that information and don't search ssldirs + AC_PATH_PROG([PKG_CONFIG], [pkg-config]) + if test x"$PKG_CONFIG" != x""; then + OPENSSL_LDFLAGS=`$PKG_CONFIG libcryptol --libs-only-L 2>/dev/null` + if test $? 
= 0; then + OPENSSL_LIBS=`$PKG_CONFIG libcrypto --libs-only-l 2>/dev/null` + OPENSSL_INCLUDES=`$PKG_CONFIG libcrypto --cflags-only-I 2>/dev/null` + found=true + fi + fi + + # no such luck; use some default ssldirs + if ! $found; then + ssldirs="/usr/local/ssl /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /usr" + fi + ] + ) + + + # note that we #include <openssl/foo.h>, so the OpenSSL headers have to be in + # an 'openssl' subdirectory + + if ! $found; then + OPENSSL_INCLUDES= + for ssldir in $ssldirs; do + AC_MSG_CHECKING([for openssl/crypto.h in $ssldir]) + if test -f "$ssldir/include/openssl/crypto.h"; then + OPENSSL_INCLUDES="-I$ssldir/include" + OPENSSL_LDFLAGS="-L$ssldir/lib" + OPENSSL_LIBS="-lcrypto" + found=true + AC_MSG_RESULT([yes]) + break + else + AC_MSG_RESULT([no]) + fi + done + + # if the file wasn't found, well, go ahead and try the link anyway -- maybe + # it will just work! + fi + + # try the preprocessor and linker with our new flags, + # being careful not to pollute the global LIBS, LDFLAGS, and CPPFLAGS + + AC_MSG_CHECKING([whether compiling and linking against OpenSSL works]) + echo "Trying link with OPENSSL_LDFLAGS=$OPENSSL_LDFLAGS;" \ + "OPENSSL_LIBS=$OPENSSL_LIBS; OPENSSL_INCLUDES=$OPENSSL_INCLUDES" >&AS_MESSAGE_LOG_FD + + save_LIBS="$LIBS" + save_LDFLAGS="$LDFLAGS" + save_CPPFLAGS="$CPPFLAGS" + LDFLAGS="$LDFLAGS $OPENSSL_LDFLAGS" + LIBS="$OPENSSL_LIBS $LIBS" + CPPFLAGS="$OPENSSL_INCLUDES $CPPFLAGS" + AC_LINK_IFELSE( + [AC_LANG_PROGRAM([#include <openssl/crypto.h>], [CRYPTO_free(NULL)])], + [ + AC_MSG_RESULT([yes]) + openssl_ecdsa=yes + AC_CHECK_FUNC(ECDSA_do_sign, + [ + AC_CHECK_DECLS([NID_X9_62_prime256v1, NID_secp384r1], [ : ], [ openssl_ecdsa=no ], [AC_INCLUDES_DEFAULT +#include <openssl/evp.h> + ]) + ], [ + openssl_ecdsa=no + ]) + AS_IF([test "x$openssl_ecdsa" = "xyes"], [ + $1 + ], [ + $2 + ]) + ], [ + AC_MSG_RESULT([no]) + $2 + ]) + CPPFLAGS="$save_CPPFLAGS" + LDFLAGS="$save_LDFLAGS" + LIBS="$save_LIBS" + + AC_SUBST([OPENSSL_INCLUDES]) + 
AC_SUBST([OPENSSL_LIBS]) + AC_SUBST([OPENSSL_LDFLAGS]) +]) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pdns-3.4.8/m4/boost.m4 new/pdns-3.4.9/m4/boost.m4 --- old/pdns-3.4.8/m4/boost.m4 2016-02-02 21:31:19.000000000 +0100 +++ new/pdns-3.4.9/m4/boost.m4 2016-05-13 18:04:46.000000000 +0200 @@ -1296,6 +1296,8 @@ # I'm not sure about my test for `il' (be careful: Intel's ICC pre-defines # the same defines as GCC's). for i in \ + _BOOST_mingw_test(6, 1) \ + _BOOST_gcc_test(6, 1) \ _BOOST_mingw_test(6, 0) \ _BOOST_gcc_test(6, 0) \ _BOOST_mingw_test(5, 3) \ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pdns-3.4.8/modules/bindbackend/bindbackend2.cc new/pdns-3.4.9/modules/bindbackend/bindbackend2.cc --- old/pdns-3.4.8/modules/bindbackend/bindbackend2.cc 2015-12-11 14:31:17.000000000 +0100 +++ new/pdns-3.4.9/modules/bindbackend/bindbackend2.cc 2016-03-23 10:01:37.000000000 +0100 
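Review bot: The pkg-config probe asks for a module named `libcryptol` (`$PKG_CONFIG libcryptol --libs-only-L`), which no OpenSSL installation provides, so if that spelling is in the shipped file and not only in this listing, `$?` is non-zero on every host with pkg-config and the macro always falls through to the hard-coded ssldirs scan; it should read `OPENSSL_LDFLAGS=\`$PKG_CONFIG libcrypto --libs-only-L 2>/dev/null\``, the same module name the two lines below it use. The fallback scan only looks for `include/openssl/crypto.h` under `/usr/local/ssl /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /usr` and then assumes `$ssldir/lib`, so on multiarch layouts it can link a different libcrypto than pkg-config would have chosen, which matters for a package that now signs DNSSEC zones with it. Separately, the AC_ARG_WITH case arm turns `--without-openssl` (`n`/`no`) into an AC_MSG_ERROR, so there is no way to opt out even though configure.ac treats the dependency as optional; handling `no` by skipping the link test and running action-if-not-found would restore that.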
@@ -1201,6 +1201,7 @@ d_handle.d_qname_end=d_handle.d_records->end(); // iter now points to a vector of pointers to vector<BBResourceRecords> d_handle.id=id; + d_handle.domain=bbd.d_name; d_handle.d_list=true; return true; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pdns-3.4.8/pdns/Makefile.am new/pdns-3.4.9/pdns/Makefile.am --- old/pdns-3.4.8/pdns/Makefile.am 2015-08-24 14:32:10.000000000 +0200 +++ new/pdns-3.4.9/pdns/Makefile.am 2016-05-13 18:04:46.000000000 +0200 @@ -87,6 +87,12 @@ pdns_server_LDADD += $(CRYPTOPP_LIBS) endif +if OPENSSL +pdns_server_SOURCES += opensslsigners.cc opensslsigners.hh +pdns_server_LDFLAGS += $(OPENSSL_LDFLAGS) +pdns_server_LDADD += $(OPENSSL_LIBS) +endif + if SQLITE3 pdns_server_SOURCES += ssqlite3.cc ssqlite3.hh endif @@ -174,6 +180,12 @@ pdnssec_LDADD += -lcryptopp endif +if OPENSSL +pdnssec_SOURCES += opensslsigners.cc opensslsigners.hh +pdnssec_LDFLAGS += $(OPENSSL_LDFLAGS) +pdnssec_LDADD += $(OPENSSL_LIBS) +endif + if SQLITE3 pdnssec_SOURCES += ssqlite3.cc ssqlite3.hh endif diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pdns-3.4.8/pdns/common_startup.cc new/pdns-3.4.9/pdns/common_startup.cc --- old/pdns-3.4.8/pdns/common_startup.cc 2015-11-02 14:05:07.000000000 +0100 +++ new/pdns-3.4.9/pdns/common_startup.cc 2016-05-13 18:04:47.000000000 +0200 
@@ -78,6 +78,7 @@ ::arg().set("version-string","PowerDNS version in packets - full, anonymous, powerdns or custom")="full"; ::arg().set("control-console","Debugging switch - don't use")="no"; // but I know you will! ::arg().set("loglevel","Amount of logging. Higher is more. Do not set below 3")="4"; + ::arg().set("disable-syslog","Disable logging to syslog, useful when running inside a supervisor that logs stdout")="no"; ::arg().set("default-soa-name","name to insert in the SOA record if none set in the backend")="a.misconfigured.powerdns.server"; ::arg().set("default-soa-mail","mail address to insert in the SOA record if none set in the backend")=""; ::arg().set("distributor-threads","Default number of Distributor (backend) threads to start")="3"; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pdns-3.4.8/pdns/dnsbackend.cc new/pdns-3.4.9/pdns/dnsbackend.cc --- old/pdns-3.4.8/pdns/dnsbackend.cc 2015-10-13 10:37:24.000000000 +0200 +++ new/pdns-3.4.9/pdns/dnsbackend.cc 2016-05-13 18:04:47.000000000 +0200 
@@ -44,36 +44,9 @@ return true; } -bool DNSBackend::getAuth(DNSPacket *p, SOAData *sd, const string &target, int *zoneId, const int best_match_len, map<string,int>& negCacheMap) +bool DNSBackend::getAuth(DNSPacket *p, SOAData *sd, const string &target) { - bool found=false; - string subdomain(target); - do { - if( best_match_len >= (int)subdomain.length() && p->qtype != QType::DS ) - break; - - map<string,int>::iterator it = negCacheMap.find(subdomain); - bool negCached = ( it != negCacheMap.end() && it->second == 1 ); - - if(! negCached && this->getSOA( subdomain, *sd, p ) ) { - sd->qname = subdomain; - if(zoneId) - *zoneId = sd->domain_id; - if(found) // Second SOA found, we are done - return true; - - if(p->qtype.getCode() == QType::DS && pdns_iequals(subdomain, target)) { - // Found authoritative zone but look for parent zone with 'DS' record. - found=true; - } else - return true; - } - if (found) - negCacheMap[subdomain]=2; // don't cache SOA's during our quest for a parent zone - } - while( chopOff( subdomain ) ); // 'www.powerdns.org' -> 'powerdns.org' -> 'org' -> '' - - return found; + return this->getSOA(target, *sd, p); } void DNSBackend::setArgPrefix(const string &prefix) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pdns-3.4.8/pdns/dnsbackend.hh new/pdns-3.4.9/pdns/dnsbackend.hh --- old/pdns-3.4.8/pdns/dnsbackend.hh 2015-10-13 10:37:24.000000000 +0200 +++ new/pdns-3.4.9/pdns/dnsbackend.hh 2016-05-13 18:04:48.000000000 +0200 
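Review bot: The new body reduces getAuth() to one getSOA() at exactly `target`, removing the chopOff() walk, the negative cache and the special case that kept climbing to the parent zone when `p->qtype == QType::DS`; none of that logic moved into this hunk, so it must now live in the caller (presumably UeberBackend, which is not in the visible diff) or DS queries at a delegation point will no longer find the parent zone. The old code also set `sd->qname` and `*zoneId` itself, whereas the new one relies on getSOA() to populate SOAData; callers that read `sd->qname` after getAuth() should be checked against what getSOA() fills in. Because the virtual signature changed and this code base does not use `override`, any backend that still overrides the six-argument form silently stops being called and falls back to this base implementation; a grep for `getAuth(` under modules/ and a line in the 3.4.9 upgrade notes would cover third-party backends.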
@@ -163,7 +163,7 @@ virtual void getAllDomains(vector<DomainInfo> *domains, bool include_disabled=false) { } /** Determines if we are authoritative for a zone, and at what level */ - virtual bool getAuth(DNSPacket *p, SOAData *sd, const string &target, int *zoneId, const int best_match_len, map<string,int>& negCacheMap); + virtual bool getAuth(DNSPacket *p, SOAData *sd, const string &target); struct KeyData { unsigned int id; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pdns-3.4.8/pdns/docs/dnstcpbench.1 new/pdns-3.4.9/pdns/docs/dnstcpbench.1 --- old/pdns-3.4.8/pdns/docs/dnstcpbench.1 2016-02-03 08:46:28.000000000 +0100 +++ new/pdns-3.4.9/pdns/docs/dnstcpbench.1 2016-05-17 10:39:18.000000000 +0200 @@ -2,12 +2,12 @@ .\" Title: dnstcpbench .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/> -.\" Date: 02/03/2016 +.\" Date: 05/17/2016 .\" Manual: \ \& .\" Source: \ \& .\" Language: English .\" -.TH "DNSTCPBENCH" "1" "02/03/2016" "\ \&" "\ \&" +.TH "DNSTCPBENCH" "1" "05/17/2016" "\ \&" "\ \&" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pdns-3.4.8/pdns/logger.cc new/pdns-3.4.9/pdns/logger.cc --- old/pdns-3.4.8/pdns/logger.cc 2015-06-09 14:29:11.000000000 +0200 +++ new/pdns-3.4.9/pdns/logger.cc 2016-05-13 18:04:48.000000000 +0200 
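Review bot: The Doxygen line left above the changed declaration, `Determines if we are authoritative for a zone, and at what level`, no longer describes the base implementation in this release, which (per the dnsbackend.cc hunk) is a single getSOA() lookup for `target` with no parent-zone walk. I would replace it with `/** Looks up the SOA of the zone named exactly by target into sd; returns false if this backend has no such zone. It no longer climbs towards the parent zone or caches negative answers. */` so backend authors overriding the method know the new contract. Since the removed parameters (`zoneId`, `best_match_len`, `negCacheMap`) were part of the overridable interface, the change deserves a note in the upgrade documentation as well.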
@@ -50,7 +50,7 @@ clog<<buffer; clog <<msg <<endl; } - if( u <= d_loglevel ) { + if( u <= d_loglevel && !d_disableSyslog ) { #ifndef RECURSOR S.ringAccount("logmessages",msg); #endif diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pdns-3.4.8/pdns/logger.hh new/pdns-3.4.9/pdns/logger.hh --- old/pdns-3.4.8/pdns/logger.hh 2015-06-09 14:29:11.000000000 +0200 +++ new/pdns-3.4.9/pdns/logger.hh 2016-05-13 18:04:48.000000000 +0200 @@ -58,6 +58,10 @@ void toConsole(Urgency); void setLoglevel( Urgency ); + void disableSyslog(bool d) { + d_disableSyslog = d; + } + //! Log to a file. void toFile( const string & filename ); @@ -91,6 +95,7 @@ Urgency d_loglevel; Urgency consoleUrgency; pthread_mutex_t lock; + bool d_disableSyslog; }; extern Logger &theL(const string &pname=""); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pdns-3.4.8/pdns/opensslsigners.cc new/pdns-3.4.9/pdns/opensslsigners.cc --- old/pdns-3.4.8/pdns/opensslsigners.cc 1970-01-01 01:00:00.000000000 +0100 +++ new/pdns-3.4.9/pdns/opensslsigners.cc 2016-05-13 18:04:49.000000000 +0200 
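Review bot: The new `!d_disableSyslog` condition gates the whole block, and inside it (under `#ifndef RECURSOR`) sits `S.ringAccount("logmessages",msg)`, so on the authoritative server disable-syslog=yes also stops feeding the logmessages ring that operators inspect through the control socket — a side effect the option text ("Disable logging to syslog") does not mention. Keep the condition as `if( u <= d_loglevel )`, leave the ring account where it is, and apply `if (!d_disableSyslog)` only around the syslog() call, which presumably follows in the part of Logger::log() that continues past the end of this hunk. If silencing the ring is intended, the setting description in common_startup.cc and pdns.conf-dist should say so explicitly.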
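Review bot: `bool d_disableSyslog` is added as a member but nothing in this diff initializes it — the Logger constructor in logger.cc is not touched by the patch — so until disableSyslog() is called, the new `!d_disableSyslog` test in Logger::log reads an indeterminate value. The recursor sets it at startup (pdns_recursor.cc hunk), but no matching `L.disableSyslog(::arg().mustDo("disable-syslog"))` call for the authoritative server appears anywhere in this diff even though common_startup.cc now advertises the setting, so pdns_server could silently lose syslog output depending on whatever the member happens to contain. Initialize it in the constructor's initializer list, `d_disableSyslog(false)`, and wire the auth server's startup to the setting; a short comment on the member, `// when true, Logger::log skips the syslog branch; default false`, documents the intent.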
@@ -0,0 +1,394 @@ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif +#include <openssl/obj_mac.h> +#include <openssl/ecdsa.h> +#include <openssl/sha.h> +#include <openssl/rsa.h> + +#include "opensslsigners.hh" +#include "dnssecinfra.hh" + + +/* pthread locking */ + +static pthread_mutex_t *openssllocks; + +extern "C" { +void openssl_pthreads_locking_callback(int mode, int type, const char *file, int line) +{ + if (mode & CRYPTO_LOCK) { + pthread_mutex_lock(&(openssllocks[type])); + + }else { + pthread_mutex_unlock(&(openssllocks[type])); + } +} + +unsigned long openssl_pthreads_id_callback() +{ + return (unsigned long)pthread_self(); +} +} + +void openssl_thread_setup() +{ + openssllocks = (pthread_mutex_t*)OPENSSL_malloc(CRYPTO_num_locks() * sizeof(pthread_mutex_t)); + + for (int i = 0; i < CRYPTO_num_locks(); i++) + pthread_mutex_init(&(openssllocks[i]), NULL); + + CRYPTO_set_id_callback(openssl_pthreads_id_callback); + CRYPTO_set_locking_callback(openssl_pthreads_locking_callback); +} + +void openssl_thread_cleanup() +{ + CRYPTO_set_locking_callback(NULL); + + for (int i=0; i<CRYPTO_num_locks(); i++) { + pthread_mutex_destroy(&(openssllocks[i])); + } + + OPENSSL_free(openssllocks); +} + + +/* seeding PRNG */ + +void openssl_seed() +{ + std::string entropy; + entropy.reserve(1024); + + unsigned int r; + for(int i=0; i<1024; i+=4) { + r=dns_random(0xffffffff); + entropy.append((const char*)&r, 4); + } + + RAND_seed((const unsigned char*)entropy.c_str(), 1024); +} + + +class OpenSSLECDSADNSCryptoKeyEngine : public DNSCryptoKeyEngine +{ +public: + explicit OpenSSLECDSADNSCryptoKeyEngine(unsigned int algo) : DNSCryptoKeyEngine(algo) + { + d_eckey = NULL; + d_ecgroup = NULL; + d_ctx = NULL; + + int ret = RAND_status(); + if (ret != 1) { + throw runtime_error(getName()+" insufficient entropy"); + } + + d_eckey = EC_KEY_new(); + if (d_eckey == NULL) { + throw runtime_error(getName()+" allocation of key structure failed"); + } + + if(d_algorithm == 13) { + d_ecgroup = 
EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1); + d_len = 32; + } else if (d_algorithm == 14) { + d_ecgroup = EC_GROUP_new_by_curve_name(NID_secp384r1); + d_len = 48; + } else { + throw runtime_error(getName()+" unknown algorithm "+lexical_cast<string>(d_algorithm)); + } + if (d_ecgroup == NULL) { + throw runtime_error(getName()+" allocation of group structure failed"); + } + + ret = EC_KEY_set_group(d_eckey,d_ecgroup); + if (ret != 1) { + throw runtime_error(getName()+" setting key group failed"); + } + + } + + ~OpenSSLECDSADNSCryptoKeyEngine() + { + EC_KEY_free(d_eckey); + EC_GROUP_free(d_ecgroup); + BN_CTX_free(d_ctx); + } + + string getName() const { return "OpenSSL ECDSA"; } + int getBits() const { return d_len << 3; } + + void create(unsigned int bits); + storvector_t convertToISCVector() const; + std::string hash(const std::string& hash) const; + std::string sign(const std::string& hash) const; + bool verify(const std::string& hash, const std::string& signature) const; + std::string getPubKeyHash() const; + std::string getPublicKeyString() const; + void fromISCMap(DNSKEYRecordContent& drc, std::map<std::string, std::string>& stormap); + void fromPublicKeyString(const std::string& content); + + static DNSCryptoKeyEngine* maker(unsigned int algorithm) + { + return new OpenSSLECDSADNSCryptoKeyEngine(algorithm); + } + +private: + unsigned int d_len; + + EC_KEY *d_eckey; + EC_GROUP *d_ecgroup; + BN_CTX *d_ctx; +}; + + +void OpenSSLECDSADNSCryptoKeyEngine::create(unsigned int bits) +{ + if (bits >> 3 != d_len) { + throw runtime_error(getName()+" unknown key length of "+lexical_cast<string>(bits)+" bits requested"); + } + + int res = EC_KEY_generate_key(d_eckey); + if (res == 0) { + throw runtime_error(getName()+" key generation failed"); + } +} + + +DNSCryptoKeyEngine::storvector_t OpenSSLECDSADNSCryptoKeyEngine::convertToISCVector() const +{ + storvector_t storvect; + string algorithm; + + if(d_algorithm == 13) + algorithm = "13 (ECDSAP256SHA256)"; + else 
if(d_algorithm == 14) + algorithm = "14 (ECDSAP384SHA384)"; + else + algorithm = " ? (?)"; + + storvect.push_back(make_pair("Algorithm", algorithm)); + + const BIGNUM *key = EC_KEY_get0_private_key(d_eckey); + if (key == NULL) { + throw runtime_error(getName()+" private key not set"); + } + + unsigned char tmp[BN_num_bytes(key)]; + int len = BN_bn2bin(key, tmp); + + string prefix; + if (d_len - len) + prefix.append(d_len - len, 0x00); + + storvect.push_back(make_pair("PrivateKey", prefix + string((char*) tmp, sizeof(tmp)))); + + return storvect; +} + + +std::string OpenSSLECDSADNSCryptoKeyEngine::hash(const std::string& orig) const +{ + if(getBits() == 256) { + unsigned char hash[SHA256_DIGEST_LENGTH]; + SHA256((unsigned char*) orig.c_str(), orig.length(), hash); + return string((char*) hash, sizeof(hash)); + } + else if(getBits() == 384) { + unsigned char hash[SHA384_DIGEST_LENGTH]; + SHA384((unsigned char*) orig.c_str(), orig.length(), hash); + return string((char*) hash, sizeof(hash)); + } + + throw runtime_error(getName()+" does not support a hash size of "+lexical_cast<string>(getBits())+" bits"); +} + + +std::string OpenSSLECDSADNSCryptoKeyEngine::sign(const std::string& msg) const +{ + string hash = this->hash(msg); + + ECDSA_SIG *signature = ECDSA_do_sign((unsigned char*) hash.c_str(), hash.length(), d_eckey); + if (NULL == signature) { + throw runtime_error(getName()+" failed to generate signature"); + } + + string ret; + unsigned char tmp[d_len]; + + int len = BN_bn2bin(signature->r, tmp); + if (d_len - len) + ret.append(d_len - len, 0x00); + ret.append(string((char*) tmp, len)); + + len = BN_bn2bin(signature->s, tmp); + if (d_len - len) + ret.append(d_len - len, 0x00); + ret.append(string((char*) tmp, len)); + + ECDSA_SIG_free(signature); + + return ret; +} + + +bool OpenSSLECDSADNSCryptoKeyEngine::verify(const std::string& msg, const std::string& signature) const +{ + if (signature.length() != (d_len * 2)) { + throw runtime_error(getName()+" invalid 
signature size "+lexical_cast<string>(signature.length())); + } + + string hash = this->hash(msg); + + ECDSA_SIG *sig; + sig = ECDSA_SIG_new(); + if (sig == NULL) { + throw runtime_error(getName()+" allocation of signature structure failed"); + } + + sig->r = BN_bin2bn((unsigned char*) signature.c_str(), d_len, sig->r); + sig->s = BN_bin2bn((unsigned char*) signature.c_str() + d_len, d_len, sig->s); + if (!sig->r || !sig->s) { + ECDSA_SIG_free(sig); + throw runtime_error(getName()+" invalid signature"); + } + + int ret = ECDSA_do_verify((unsigned char*) hash.c_str(), hash.length(), sig, d_eckey); + + ECDSA_SIG_free(sig); + + if (ret == -1){ + throw runtime_error(getName()+" verify error"); + } + + return (ret == 1); +} + + +std::string OpenSSLECDSADNSCryptoKeyEngine::getPubKeyHash() const +{ + string pubKey = getPublicKeyString(); + unsigned char hash[SHA_DIGEST_LENGTH]; + SHA1((unsigned char*) pubKey.c_str(), pubKey.length(), hash); + return string((char*) hash, sizeof(hash)); +} + + +std::string OpenSSLECDSADNSCryptoKeyEngine::getPublicKeyString() const +{ + unsigned char binaryPoint[(d_len * 2) + 1]; + + int ret = EC_POINT_point2oct(d_ecgroup, EC_KEY_get0_public_key(d_eckey), POINT_CONVERSION_UNCOMPRESSED, binaryPoint, sizeof(binaryPoint), d_ctx); + if (ret == 0) { + throw runtime_error(getName()+" exporting point to binary failed"); + } + + /* we skip the first byte as the other backends use + raw field elements, as opposed to the format described in + SEC1: "2.3.3 Elliptic-Curve-Point-to-Octet-String Conversion" */ + return string((const char *)(binaryPoint + 1), sizeof(binaryPoint) - 1); +} + + +void OpenSSLECDSADNSCryptoKeyEngine::fromISCMap(DNSKEYRecordContent& drc, std::map<std::string, std::string>& stormap) +{ + drc.d_algorithm = atoi(stormap["algorithm"].c_str()); + + if (drc.d_algorithm != d_algorithm) { + throw runtime_error(getName()+" tried to feed an algorithm "+lexical_cast<string>(drc.d_algorithm)+" to a "+lexical_cast<string>(d_algorithm)+" 
key"); + } + + string privateKey = stormap["privatekey"]; + + BIGNUM *prv_key = BN_bin2bn((unsigned char*) privateKey.c_str(), privateKey.length(), NULL); + if (prv_key == NULL) { + throw runtime_error(getName()+" reading private key from binary failed"); + } + + int ret = EC_KEY_set_private_key(d_eckey, prv_key); + if (ret != 1) { + BN_clear_free(prv_key); + throw runtime_error(getName()+" setting private key failed"); + } + + EC_POINT *pub_key = EC_POINT_new(d_ecgroup); + if (pub_key == NULL) { + BN_clear_free(prv_key); + throw runtime_error(getName()+" allocation of public key point failed"); + } + + ret = EC_POINT_mul(d_ecgroup, pub_key, prv_key, NULL, NULL, d_ctx); + if (ret != 1) { + EC_POINT_free(pub_key); + BN_clear_free(prv_key); + throw runtime_error(getName()+" computing public key from private failed"); + } + + BN_clear_free(prv_key); + + ret = EC_KEY_set_public_key(d_eckey, pub_key); + if (ret != 1) { + EC_POINT_free(pub_key); + throw runtime_error(getName()+" setting public key failed"); + } + + EC_POINT_free(pub_key); + +// ret = EC_KEY_check_key(d_eckey); +// if (ret != 1) { +// throw runtime_error(getName()+" invalid public key"); +// } + +} + + +void OpenSSLECDSADNSCryptoKeyEngine::fromPublicKeyString(const std::string& input) +{ + /* uncompressed point, from SEC1: + "2.3.4 Octet-String-to-Elliptic-Curve-Point Conversion" */ + string ecdsaPoint= "\x04"; + ecdsaPoint.append(input); + + EC_POINT *pub_key = EC_POINT_new(d_ecgroup); + if (pub_key == NULL) { + throw runtime_error(getName()+" allocation of point structure failed"); + } + + int ret = EC_POINT_oct2point(d_ecgroup, pub_key, (unsigned char*) ecdsaPoint.c_str(), ecdsaPoint.length(), d_ctx); + if (ret != 1) { + throw runtime_error(getName()+" reading ECP point from binary failed"); + } + + ret = EC_KEY_set_private_key(d_eckey, NULL); + if (ret == 1) { + EC_POINT_free(pub_key); + throw runtime_error(getName()+" setting private key failed"); + } + + ret = EC_KEY_set_public_key(d_eckey, 
pub_key); + if (ret != 1) { + EC_POINT_free(pub_key); + throw runtime_error(getName()+" setting public key failed"); + } + + EC_POINT_free(pub_key); + +// ret = EC_KEY_check_key(d_eckey); +// if (ret != 1) { +// throw runtime_error(getName()+" invalid public key"); +// } +} + + +namespace { + struct LoaderStruct + { + LoaderStruct() + { + DNSCryptoKeyEngine::report(13, &OpenSSLECDSADNSCryptoKeyEngine::maker, true); + DNSCryptoKeyEngine::report(14, &OpenSSLECDSADNSCryptoKeyEngine::maker, true); + } + } loaderOpenSSL; +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pdns-3.4.8/pdns/opensslsigners.hh new/pdns-3.4.9/pdns/opensslsigners.hh --- old/pdns-3.4.8/pdns/opensslsigners.hh 1970-01-01 01:00:00.000000000 +0100 +++ new/pdns-3.4.9/pdns/opensslsigners.hh 2016-05-13 18:04:49.000000000 +0200 @@ -0,0 +1,17 @@ +#include <string> +#include <pthread.h> +#include <openssl/crypto.h> +#include <openssl/rand.h> + +#include "dns_random.hh" + + +/* pthread locking */ + +void openssl_thread_setup(); +void openssl_thread_cleanup(); + + +/* seeding PRNG */ + +void openssl_seed(); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pdns-3.4.8/pdns/pdns.conf-dist new/pdns-3.4.9/pdns/pdns.conf-dist --- old/pdns-3.4.8/pdns/pdns.conf-dist 2015-11-02 14:05:07.000000000 +0100 +++ new/pdns-3.4.9/pdns/pdns.conf-dist 2016-05-13 18:04:49.000000000 +0200 
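Review bot: In fromPublicKeyString(), the `EC_POINT_oct2point` failure path throws without `EC_POINT_free(pub_key)`, leaking the point on every malformed key blob, which is attacker-influenced wherever DNSKEY data from outside the backend reaches this code; add `EC_POINT_free(pub_key);` before that throw as the other error paths already do. The following `EC_KEY_set_private_key(d_eckey, NULL)` treats `ret == 1` as failure, which only holds because the OpenSSL releases of the day return 0 when clearing with NULL; a release that reports success for the same call would make every public-key load throw "setting private key failed", so drop the check (or accept either return value) — a freshly constructed engine has no private key to clear anyway. `EC_KEY_check_key()` is commented out in both fromISCMap() and fromPublicKeyString(), and fromISCMap() hands `privateKey` of any length to BN_bin2bn/EC_KEY_set_private_key unchecked, after which convertToISCVector()'s `d_len - len` underflows for an oversized key; re-enable the check, or at minimum reject `privateKey.length() != d_len` up front.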
@@ -135,6 +135,11 @@ # disable-axfr-rectify=no ################################# +# disable-syslog Disable logging to syslog, useful when running inside a supervisor that logs stdout +# +# disable-syslog=no + +################################# # disable-tcp Do not listen to TCP queries # # disable-tcp=no diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pdns-3.4.8/pdns/pdns_recursor.cc new/pdns-3.4.9/pdns/pdns_recursor.cc --- old/pdns-3.4.8/pdns/pdns_recursor.cc 2015-06-09 14:29:11.000000000 +0200 +++ new/pdns-3.4.9/pdns/pdns_recursor.cc 2016-05-13 18:04:50.000000000 +0200 @@ -1749,6 +1749,7 @@ L.setName(s_programname); L.setLoglevel((Logger::Urgency)(6)); // info and up + L.disableSyslog(::arg().mustDo("disable-syslog")); if(!::arg()["logging-facility"].empty()) { int val=logFacilityToLOG(::arg().asNum("logging-facility") ); 
@@ -2086,6 +2087,7 @@ ::arg().set("trace","if we should output heaps of logging. set to 'fail' to only log failing domains")="off"; ::arg().set("daemon","Operate as a daemon")="yes"; ::arg().set("loglevel","Amount of logging. Higher is more. Do not set below 3")="4"; + ::arg().set("disable-syslog","Disable logging to syslog, useful when running inside a supervisor that logs stdout")="no"; ::arg().set("log-common-errors","If we should log rather common errors")="yes"; ::arg().set("chroot","switch to chroot jail")=""; ::arg().set("setgid","If set, change group id to this gid for more security")=""; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pdns-3.4.8/pdns/pdnssec.cc new/pdns-3.4.9/pdns/pdnssec.cc --- old/pdns-3.4.8/pdns/pdnssec.cc 2016-02-02 21:31:19.000000000 +0100 +++ new/pdns-3.4.9/pdns/pdnssec.cc 2016-05-13 18:04:50.000000000 +0200 @@ -15,6 +15,9 @@ #include "signingpipe.hh" #include "dns_random.hh" #include <fstream> +#ifdef HAVE_OPENSSL +#include "opensslsigners.hh" +#endif #ifdef HAVE_SQLITE3 #include "ssqlite3.hh" #include "bind-dnssec.schema.sqlite3.sql.h" @@ -1023,18 +1026,14 @@ throw runtime_error("KSK key size must be equal to or greater than 0"); } - if (k_algos.size() < 1) { - throw runtime_error("No algorithm(s) given for KSK"); + if (k_algos.size() < 1 && z_algos.size() < 1) { + throw runtime_error("Zero algorithms given for KSK+ZSK in total"); } if (z_size < 0) { throw runtime_error("ZSK key size must be equal to or greater than 0"); } - if (z_algos.size() < 1) { - throw runtime_error("No algorithm(s) given for ZSK"); - } - if(dk.isSecuredZone(zone)) { cerr << "Zone '"<<zone<<"' already secure, remove keys with pdnssec remove-zone-key if needed"<<endl; return false; 
@@ -1054,17 +1053,38 @@ } if (k_size) - cout << "Securing zone with " << k_algos[0] << " algorithm with key size " << k_size << endl; + cout << "Securing zone with key size " << k_size << endl; else - cout << "Securing zone with " << k_algos[0] << " algorithm with default key size" << endl; + cout << "Securing zone with default key size" << endl; - // run secure-zone with first default algorith, then add keys - if(!dk.secureZone(zone, shorthand2algorithm(k_algos[0]), k_size)) { - cerr<<"No backend was able to secure '"<<zone<<"', most likely because no DNSSEC"<<endl; - cerr<<"capable backends are loaded, or because the backends have DNSSEC disabled."<<endl; - cerr<<"For the Generic SQL backends, set the 'gsqlite3-dnssec', 'gmysql-dnssec' or"<<endl; - cerr<<"'gpgsql-dnssec' flag. Also make sure the schema has been updated for DNSSEC!"<<endl; - return false; + BOOST_FOREACH(string k_algo, k_algos) + { + cout << "Adding KSK with algorithm " << k_algo << endl; + + int algo = shorthand2algorithm(k_algo); + + if(!dk.addKey(zone, true, algo, k_size, true)) { + cerr<<"No backend was able to secure '"<<zone<<"', most likely because no DNSSEC"<<endl; + cerr<<"capable backends are loaded, or because the backends have DNSSEC disabled."<<endl; + cerr<<"For the Generic SQL backends, set the 'gsqlite3-dnssec', 'gmysql-dnssec' or"<<endl; + cerr<<"'gpgsql-dnssec' flag. Also make sure the schema has been updated for DNSSEC!"<<endl; + return false; + } + } + + BOOST_FOREACH(string z_algo, z_algos) + { + cout << "Adding ZSK with algorithm " << z_algo << endl; + + int algo = shorthand2algorithm(z_algo); + + if(!dk.addKey(zone, false, algo, z_size, true)) { + cerr<<"No backend was able to secure '"<<zone<<"', most likely because no DNSSEC"<<endl; + cerr<<"capable backends are loaded, or because the backends have DNSSEC disabled."<<endl; + cerr<<"For the Generic SQL backends, set the 'gsqlite3-dnssec', 'gmysql-dnssec' or"<<endl; + cerr<<"'gpgsql-dnssec' flag. 
Also make sure the schema has been updated for DNSSEC!"<<endl; + return false; + } } if(!dk.isSecuredZone(zone)) { @@ -1072,25 +1092,9 @@ cerr<<"gsqlite3-dnssec, or gmysql-dnssec etc). Check this first."<<endl; cerr<<"If you run with the BIND backend, make sure you have configured"<<endl; cerr<<"it to use DNSSEC with 'bind-dnssec-db=/path/fname' and"<<endl; - cerr<<"'pdnssec create-bind-db /path/fname'!"<<endl; - return false; - } - - DNSSECKeeper::keyset_t zskset=dk.getKeys(zone, false); - - if(!zskset.empty()) { - cerr<<"There were ZSKs already for zone '"<<zone<<"', no need to add more"<<endl; + cerr<<"'pdnsutil create-bind-db /path/fname'!"<<endl; return false; } - - for(vector<string>::iterator i = k_algos.begin()+1; i != k_algos.end(); i++) - dk.addKey(zone, true, shorthand2algorithm(*i), k_size, true); // obvious errors will have been caught above - - BOOST_FOREACH(string z_algo, z_algos) - { - int algo = shorthand2algorithm(z_algo); - dk.addKey(zone, false, algo, z_size); - } // rectifyZone(dk, zone); // showZone(dk, zone); @@ -1279,6 +1283,14 @@ return 0; } +loadMainConfig(g_vm["config-dir"].as<string>()); + +seedRandom(::arg()["entropy-source"]); + +#ifdef HAVE_OPENSSL + openssl_seed(); +#endif + if (cmds[0] == "test-algorithm") { if(cmds.size() != 2) { cerr << "Syntax: pdnssec test-algorithm algonum"<<endl; @@ -1293,7 +1305,6 @@ return 0; } - loadMainConfig(g_vm["config-dir"].as<string>()); reportAllTypes(); if(cmds[0] == "create-bind-db") { 
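Review bot: `BOOST_FOREACH(string k_algo, k_algos)` and the matching ZSK loop copy each algorithm name per iteration; `BOOST_FOREACH(const string& k_algo, k_algos)` is the idiomatic form. The four-line "No backend was able to secure" message is now pasted verbatim in both loops; a small file-local helper such as `static void printNoDnssecBackendHint(const string& zone)` (or a lambda) keeps it in one place. The "Securing zone with key size" line still reports `k_size` even when `k_algos` is empty and only ZSKs are being added, which the relaxed check in the previous hunk now permits; printing the size on each "Adding KSK/ZSK with algorithm" line instead would be accurate. Whether `shorthand2algorithm` returns a sentinel for an unknown shorthand is not visible here; if it does, checking `algo` before `dk.addKey` would avoid storing an unusable key.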
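Review bot: The changed hint now reads `'pdnsutil create-bind-db /path/fname'`, but this file still names the tool `pdnssec` in its own usage text (`Syntax: pdnssec test-algorithm algonum` in the next hunk) and dispatches `cmds[0] == "create-bind-db"` for that binary, so a 3.4.9 user is pointed at a command name that does not exist in this release. Keep `'pdnssec create-bind-db /path/fname'` unless the rename is intentional, in which case the other messages in this file should move with it.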
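Review bot: `openssl_seed()` is now called at startup, but unlike receiver.cc this file never calls `openssl_thread_setup()` even though it includes signingpipe.hh; if the signing pipe runs signers on worker threads, pre-1.1.0 OpenSSL would have no locking callbacks installed in exactly the path that produces ECDSA signatures. Confirm whether pdnssec signs from more than one thread and, if so, add `openssl_thread_setup();` inside the same `#ifdef HAVE_OPENSSL` block. Since opensslsigners.hh includes dns_random.hh, `openssl_seed()` presumably feeds OpenSSL's RAND from dns_random; a comment stating whether this supplements or replaces OpenSSL's own seeding would tell readers how much the `entropy-source` setting matters for ECDSA nonces. The three moved statements are at column 0 while the surrounding code is indented two spaces.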
@@ -1859,7 +1870,6 @@ } cerr << "Generating new key with " << klen << " bytes (this can take a while)" << endl; - seedRandom(::arg()["entropy-source"]); for(size_t i = 0; i < klen; i+=4) { *(unsigned int*)(tmpkey+i) = dns_random(0xffffffff); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pdns-3.4.8/pdns/receiver.cc new/pdns-3.4.9/pdns/receiver.cc --- old/pdns-3.4.8/pdns/receiver.cc 2015-06-09 14:29:12.000000000 +0200 +++ new/pdns-3.4.9/pdns/receiver.cc 2016-05-13 18:04:50.000000000 +0200 @@ -43,6 +43,9 @@ #include <fcntl.h> #include <fstream> #include <boost/algorithm/string.hpp> +#ifdef HAVE_OPENSSL +#include "opensslsigners.hh" +#endif #include "config.h" #include "dns.hh" @@ -450,6 +453,7 @@ } L.setLoglevel((Logger::Urgency)(::arg().asNum("loglevel"))); + L.disableSyslog(::arg().mustDo("disable-syslog")); L.toConsole((Logger::Urgency)(::arg().asNum("loglevel"))); if(::arg().mustDo("help") || ::arg().mustDo("config")) { @@ -482,6 +486,12 @@ seedRandom(::arg()["entropy-source"]); + +#ifdef HAVE_OPENSSL + openssl_thread_setup(); + openssl_seed(); +#endif + loadModules(); BackendMakers().launch(::arg()["launch"]); // vrooooom! diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pdns-3.4.8/pdns/ueberbackend.cc new/pdns-3.4.9/pdns/ueberbackend.cc --- old/pdns-3.4.8/pdns/ueberbackend.cc 2015-10-13 10:37:24.000000000 +0200 +++ new/pdns-3.4.9/pdns/ueberbackend.cc 2016-05-13 18:04:51.000000000 +0200 
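Review bot: `L.disableSyslog(::arg().mustDo("disable-syslog"))` reads a setting that this diff declares only for the recursor (`::arg().set("disable-syslog", ...)` in pdns_recursor.cc); the authoritative server's declaration is not in the visible hunks, so confirm it is registered where the auth server's other logging arguments are set up, otherwise the lookup has no default to fall back on and would likely fail at startup.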
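Review bot: `openssl_thread_setup()` installs OpenSSL's locking callbacks, but the matching `openssl_thread_cleanup()` declared in opensslsigners.hh is never called anywhere in the visible diff; for a long-running daemon that is acceptable, but a comment at the call site, `// callbacks stay installed for the daemon's lifetime; openssl_thread_cleanup() is intentionally not called`, records the decision. The placement after `seedRandom` and before `loadModules()`/`BackendMakers().launch` is the right order if backends may start threads, and that reason is worth one line of comment so the block is not moved later.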
@@ -276,85 +276,73 @@ bool UeberBackend::getAuth(DNSPacket *p, SOAData *sd, const string &target, int *zoneId) { - int best_match_len = -1; - bool from_cache = false; // Was this result fetched from the cache? - map<string,int> negCacheMap; - - // If not special case of caching explicitly disabled (sd->db = -1), first - // find the best match from the cache. If DS then we need to find parent so - // dont bother with caching as it confuses matters. - if( sd->db != (DNSBackend *)-1 && (d_cache_ttl || d_negcache_ttl)) { - string subdomain(target); - int cstat, loops = 0; - do { - d_question.qtype = QType::SOA; - d_question.qname = subdomain; - d_question.zoneId = -1; - - cstat = cacheHas(d_question,d_answers); - - if(cstat==1 && !d_answers.empty() && d_cache_ttl) { - fillSOAData(d_answers[0].content,*sd); - sd->domain_id = d_answers[0].domain_id; - sd->ttl = d_answers[0].ttl; - sd->db = 0; - sd->qname = subdomain; - //L<<Logger::Error<<"Best cache match: " << sd->qname << " itteration " << loops <<endl; - - // Found first time round this must be the best match - if( loops == 0 && p->qtype != QType::DS) - return true; - - from_cache = true; - best_match_len = sd->qname.length(); - - if ( p->qtype != QType::DS || best_match_len < (int)target.length()) - break; - } else if (cstat==0 && d_negcache_ttl) { - negCacheMap[subdomain]=1; - } else - negCacheMap[subdomain]=0; - loops++; + bool found = false; + int cstat; + string shorter(target); + vector<pair<size_t, SOAData> > bestmatch (backends.size(), make_pair(target.size()+1, SOAData())); + do { + + // Check cache + if(sd->db != (DNSBackend *)-1 && (d_cache_ttl || d_negcache_ttl)) { + d_question.qtype = QType::SOA; + d_question.qname = shorter; + d_question.zoneId = -1; + + cstat = cacheHas(d_question,d_answers); + + if(cstat == 1 && !d_answers.empty() && d_cache_ttl) { + DLOG(L<<Logger::Error<<"has pos: "<<shorter<<endl); + fillSOAData(d_answers[0].content, *sd); + sd->domain_id = d_answers[0].domain_id; + sd->ttl = 
d_answers[0].ttl; + sd->db = 0; + sd->qname = shorter; + goto found; + } else if(cstat == 0 && d_negcache_ttl) { + DLOG(L<<Logger::Error<<"has neg: "<<shorter<<endl); + continue; } - while( chopOff( subdomain ) ); // 'www.powerdns.org' -> 'powerdns.org' -> 'org' -> '' - } - - for(vector<DNSBackend *>::const_iterator i=backends.begin(); i!=backends.end();++i) { - - // Shortcut for the case that we got a direct hit - no need to go - // through the other backends then. - if( best_match_len == (int)target.length() && p->qtype != QType::DS ) - goto auth_found; - - if((*i)->getAuth(p, sd, target, zoneId, best_match_len, negCacheMap)) { - best_match_len = sd->qname.length(); - from_cache = false; } - } - if( sd->db != (DNSBackend *)-1 && d_negcache_ttl) { - string shorter(target); - - d_question.qtype=QType::SOA; - d_question.zoneId=-1; - while((int)shorter.length() > best_match_len ) { - map<string,int>::iterator it = negCacheMap.find(shorter); - if (it == negCacheMap.end() || it->second == 0) { - d_question.qname=shorter; - addNegCache(d_question); + // Check backends + { + vector<DNSBackend *>::const_iterator i = backends.begin(); + vector<pair<size_t, SOAData> >::iterator j = bestmatch.begin(); + for(; i != backends.end() && j != bestmatch.end(); ++i, ++j) { + + DLOG(L<<Logger::Error<<"backend: "<<i-backends.begin()<<", qname: "<<shorter<<endl); + + if(j->first < shorter.length()) { + DLOG(L<<Logger::Error<<"skipped, already found shorter best match: "<<j->second.qname<<endl); + continue; + } else if(j->first == shorter.length()) { + DLOG(L<<Logger::Error<<"use shorter best match: "<<j->second.qname<<endl); + *sd = j->second; + break; + } else { + DLOG(L<<Logger::Error<<"lookup: "<<shorter<<endl); + if((*i)->getAuth(p, sd, shorter)) { + DLOG(L<<Logger::Error<<"got: "<<sd->qname<<endl); + j->first = sd->qname.length(); + if(sd->qname.length() == shorter.length()) { + break; + } + } else { + DLOG(L<<Logger::Error<<"no match for: "<<shorter<<endl); + } + } } - if 
(!chopOff(shorter)) - break; - } - } - - if( best_match_len == -1 ) - return false; -auth_found: - // Insert into cache. Don't cache if the query was a DS - if( d_cache_ttl && ! from_cache && p->qtype != QType::DS ) { - //L<<Logger::Error<<"Saving auth cache for " << sd->qname <<endl; + // Add to cache + if(i == backends.end()) { + if(d_negcache_ttl) { + DLOG(L<<Logger::Error<<"add neg:"<<shorter<<endl); + d_question.qname=shorter; + addNegCache(d_question); + } + continue; + } else if(d_cache_ttl) { + DLOG(L<<Logger::Error<<"add pos: "<<sd->qname<<endl); d_question.qtype = QType::SOA; d_question.qname = sd->qname; d_question.zoneId = -1; @@ -368,9 +356,20 @@ vector<DNSResourceRecord> rrs; rrs.push_back(rr); addCache(d_question, rrs); + } + } + +found: + if(found == (p->qtype == QType::DS)){ + DLOG(L<<Logger::Error<<"found: "<<sd->qname<<endl); + return true; + } else { + DLOG(L<<Logger::Error<<"chasing next: "<<sd->qname<<endl); + found = true; } - return true; + } while(chopOff(shorter)); + return found; } /** special trick - if sd.db is set to -1, the cache is ignored */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pdns-3.4.8/pdns/version.cc new/pdns-3.4.9/pdns/version.cc --- old/pdns-3.4.8/pdns/version.cc 2016-02-02 21:31:19.000000000 +0100 +++ new/pdns-3.4.9/pdns/version.cc 2016-05-13 18:04:51.000000000 +0200 
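Review bot: In the per-backend `bestmatch` bookkeeping, a successful `(*i)->getAuth(p, sd, shorter)` records only `j->first = sd->qname.length();` and never stores the SOAData, so when a later, shorter `shorter` reaches the `j->first == shorter.length()` branch, `*sd = j->second;` copies the default-constructed SOAData from the vector's initializer and the function goes on to cache and return an answer with an empty `sd->qname`. Add `j->second = *sd;` directly after the length assignment. `int cstat;` is declared uninitialized at function scope but only read inside the cache branch that assigns it; declaring it in that block or initializing it (`int cstat = -1;`) makes that obvious. getAuth continues into the next hunk.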
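Review bot: `if(found == (p->qtype == QType::DS))` packs two different exit conditions into one boolean comparison and needs a comment, e.g. `// non-DS: first match wins; DS: first match is the child zone, keep chasing for the parent`. Two details are worth confirming with a comment or a test: when a DS query finds the child but no shorter match exists, `return found;` after the loop yields true with `*sd` still describing the child (or whatever the last failed backend getAuth left in it), and the `continue` statements earlier in the body jump straight to `chopOff(shorter)` because this is a do/while. getAuth begins in the previous hunk.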
@@ -82,6 +82,9 @@ #ifdef HAVE_CRYPTOPP "cryptopp " << #endif +#ifdef HAVE_OPENSSL + "openssl " << +#endif #ifdef HAVE_LIBDL "libdl " << #endif diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pdns-3.4.8/pdns/zoneparser-tng.cc new/pdns-3.4.9/pdns/zoneparser-tng.cc --- old/pdns-3.4.8/pdns/zoneparser-tng.cc 2016-02-02 15:41:29.000000000 +0100 +++ new/pdns-3.4.9/pdns/zoneparser-tng.cc 2016-05-13 18:04:51.000000000 +0200 @@ -250,7 +250,7 @@ if(!getTemplateLine() && !getLine()) return false; - boost::trim_right_if(d_line, is_any_of(" \r\n\x1a")); + boost::trim_right_if(d_line, is_any_of(" \t\r\n\x1a")); if(comment) comment->clear(); if(comment && d_line.find(';') != string::npos) @@ -368,7 +368,7 @@ rr.content=d_line.substr(range.first); chopComment(rr.content); - trim(rr.content); + trim_if(rr.content, is_any_of(" \r\n\t\x1a")); if(equals(rr.content, "@")) rr.content=d_zonename; @@ -387,6 +387,7 @@ } } } + trim_if(rr.content, is_any_of(" \r\n\t\x1a")); vector<string> recparts; switch(rr.qtype.getCode()) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pdns-3.4.8/pdns.spec new/pdns-3.4.9/pdns.spec --- old/pdns-3.4.8/pdns.spec 2016-02-03 08:45:22.000000000 +0100 +++ new/pdns-3.4.9/pdns.spec 2016-05-17 10:38:37.000000000 +0200 @@ -1,6 +1,6 @@ BuildRoot: /tmp/pdns Name: pdns-static -Version: 3.4.8 +Version: 3.4.9 Release: 1 Summary: extremely powerful and versatile nameserver License: GPL
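Review bot: The whitespace set is spelled as three separate literals (`" \t\r\n\x1a"` here and `" \r\n\t\x1a"` twice in the zoneparser-tng.cc hunks at old lines 368 and 387); a single file-scope `static const string kZoneWhitespace(" \t\r\n\x1a");` used in all three `is_any_of` calls keeps the parser from drifting when another character is added. The `trim_if(rr.content, ...)` added at 387 runs after the one at 368 with the `@`/zone-name substitution in between; a one-line comment saying what in that stretch can reintroduce leading or trailing whitespace would stop the next reader from removing the second trim as redundant.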
