Factor code responsible for the NSEC{,3} QType bitmap computation.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Author: miodvallat

pdns/packethandler.cc

@@ -672,173 +672,151 @@ vector<ComboAddress> PacketHandler::getIPAddressFor(const DNSName &target, const
   return ret;
 }
 
-void PacketHandler::emitNSEC(std::unique_ptr<DNSPacket>& r, const DNSName& name, const DNSName& next, int mode)
+// Common part to NSEC and NSEC3 to compute the QType bitmap in the NSEC
+// or NSEC3 response, part 1.
+void PacketHandler::computeNSECbitmap1(NSECBitmap& bitmap)
 {
-  NSECRecordContent nrc;
-  nrc.d_next = next;
-
-  nrc.set(QType::NSEC);
-  nrc.set(QType::RRSIG);
-  if(d_sd.qname() == name) {
-    nrc.set(QType::SOA); // 1dfd8ad SOA can live outside the records table
-    if(!isPresigned()) {
-      auto keyset = d_dk.getKeys(d_sd.zonename);
-      for(const auto& value: keyset) {
-        if (value.second.published) {
-          nrc.set(QType::DNSKEY);
-          string publishCDNSKEY;
-          d_dk.getPublishCDNSKEY(d_sd.zonename, publishCDNSKEY);
-          if (! publishCDNSKEY.empty())
-            nrc.set(QType::CDNSKEY);
-          string publishCDS;
-          d_dk.getPublishCDS(d_sd.zonename, publishCDS);
-          if (! publishCDS.empty())
-            nrc.set(QType::CDS);
-          break;
+  bitmap.set(QType::SOA); // 1dfd8ad SOA can live outside the records table
+  if (!isPresigned()) {
+    auto keyset = d_dk.getKeys(d_sd.zonename);
+    for (const auto& value: keyset) {
+      if (value.second.published) {
+        bitmap.set(QType::DNSKEY);
+        string publishCDNSKEY;
+        d_dk.getPublishCDNSKEY(d_sd.zonename, publishCDNSKEY);
+        if (!publishCDNSKEY.empty()) {
+          bitmap.set(QType::CDNSKEY);
+        }
+        string publishCDS;
+        d_dk.getPublishCDS(d_sd.zonename, publishCDS);
+        if (!publishCDS.empty()) {
+          bitmap.set(QType::CDS);
         }
+        break;
       }
     }
   }
+}
 
-  DNSZoneRecord rr;
+// Common part to NSEC and NSEC3 to compute the QType bitmap in the NSEC
+// or NSEC3 response, part 2.
+domainid_t PacketHandler::computeNSECbitmap2(NSECBitmap& bitmap, const DNSName& name, bool includeENT)
+{
+  DNSZoneRecord rec;
 #ifdef HAVE_LUA_RECORDS
   bool first{true};
   bool doLua{false};
 #endif
 
   B.lookup(QType(QType::ANY), name, d_sd.domain_id);
-  while(B.get(rr)) {
+  while (B.get(rec)) {
 #ifdef HAVE_LUA_RECORDS
-    if (rr.dr.d_type == QType::LUA && first && !isPresigned()) {
+    if (rec.dr.d_type == QType::LUA && first && !isPresigned()) {
       first = false;
       doLua = doLuaRecords();
     }
 
-    if (rr.dr.d_type == QType::LUA && doLua) {
-      nrc.set(getRR<LUARecordContent>(rr.dr)->d_type);
+    if (rec.dr.d_type == QType::LUA && doLua) {
+      bitmap.set(getRR<LUARecordContent>(rec.dr)->d_type);
+      continue;
     }
-    else
 #endif
-    if (d_doExpandALIAS && rr.dr.d_type == QType::ALIAS) {
+
+    if (d_doExpandALIAS && rec.dr.d_type == QType::ALIAS) {
       // Set the A and AAAA in the NSEC bitmap so aggressive NSEC
       // does not falsely deny the type for this name.
       // This does NOT add the ALIAS to the bitmap, as that record cannot
       // be requested.
       if (!isPresigned()) {
-        nrc.set(QType::A);
-        nrc.set(QType::AAAA);
+        bitmap.set(QType::A);
+        bitmap.set(QType::AAAA);
       }
     }
-    else if((rr.dr.d_type == QType::DNSKEY || rr.dr.d_type == QType::CDS || rr.dr.d_type == QType::CDNSKEY) && !isPresigned() && !::arg().mustDo("direct-dnskey")) {
+    else if((rec.dr.d_type == QType::DNSKEY || rec.dr.d_type == QType::CDS || rec.dr.d_type == QType::CDNSKEY) && !isPresigned() && !::arg().mustDo("direct-dnskey")) {
       continue;
     }
-    else if(rr.dr.d_type == QType::NS || rr.auth) {
-      nrc.set(rr.dr.d_type);
+    else if (rec.dr.d_type == QType::NS || rec.auth) {
+      // skip empty non-terminals unless explicitly requested
+      if (rec.dr.d_type != QType::ENT || includeENT) {
+        bitmap.set(rec.dr.d_type);
+      }
     }
   }
 
-  rr.dr.d_name = name;
-  rr.dr.d_ttl = d_sd.getNegativeTTL();
-  rr.dr.d_type = QType::NSEC;
-  rr.dr.setContent(std::make_shared<NSECRecordContent>(std::move(nrc)));
-  rr.dr.d_place = (mode == 5 ) ? DNSResourceRecord::ANSWER: DNSResourceRecord::AUTHORITY;
-  rr.auth = true;
+  // Callers need a proper domain id value to put in the NSEC or NSEC3 record
+  // they're building, for the sake of addRRSigs() later.
+  return rec.domain_id;
+}
 
-  r->addRecord(std::move(rr));
+void PacketHandler::emitNSEC(std::unique_ptr<DNSPacket>& r, const DNSName& name, const DNSName& next, int mode)
+{
+  NSECBitmap bitmap;
+  if (d_sd.qname() == name) {
+    computeNSECbitmap1(bitmap);
+  }
+
+  DNSZoneRecord rec;
+  rec.domain_id = computeNSECbitmap2(bitmap, name, true);
+
+  NSECRecordContent nrc;
+  nrc.d_next = next;
+  nrc.set(bitmap);
+  nrc.set(QType::NSEC);
+  nrc.set(QType::RRSIG);
+
+  rec.dr.d_name = name;
+  rec.dr.d_ttl = d_sd.getNegativeTTL();
+  rec.dr.d_type = QType::NSEC;
+  rec.dr.setContent(std::make_shared<NSECRecordContent>(std::move(nrc)));
+  rec.dr.d_place = (mode == 5 ) ? DNSResourceRecord::ANSWER: DNSResourceRecord::AUTHORITY;
+  rec.auth = true;
+
+  r->addRecord(std::move(rec));
 }
 
 void PacketHandler::emitNSEC3(DNSPacket& p, std::unique_ptr<DNSPacket>& r, const NSEC3PARAMRecordContent& ns3prc, const DNSName& name, const string& namehash, const string& nexthash, int mode) // NOLINT(readability-identifier-length)
 {
-  NSEC3RecordContent n3rc;
-  n3rc.d_algorithm = ns3prc.d_algorithm;
-  n3rc.d_flags = ns3prc.d_flags;
-  n3rc.d_iterations = ns3prc.d_iterations;
-  n3rc.d_salt = ns3prc.d_salt;
-  n3rc.d_nexthash = nexthash;
-
-  DNSZoneRecord rr;
+  NSECBitmap bitmap;
+  DNSZoneRecord rec;
 
-  if(!name.empty()) {
+  if (!name.empty()) {
     if (d_sd.qname() == name) {
-      n3rc.set(QType::SOA); // 1dfd8ad SOA can live outside the records table
-      n3rc.set(QType::NSEC3PARAM);
-      if(!isPresigned()) {
-        auto keyset = d_dk.getKeys(d_sd.zonename);
-        for(const auto& value: keyset) {
-          if (value.second.published) {
-            n3rc.set(QType::DNSKEY);
-            string publishCDNSKEY;
-            d_dk.getPublishCDNSKEY(d_sd.zonename, publishCDNSKEY);
-            if (! publishCDNSKEY.empty())
-              n3rc.set(QType::CDNSKEY);
-            string publishCDS;
-            d_dk.getPublishCDS(d_sd.zonename, publishCDS);
-            if (! publishCDS.empty())
-              n3rc.set(QType::CDS);
-            break;
-          }
-        }
-      }
-    } else if(mode == 6) {
+      bitmap.set(QType::NSEC3PARAM);
+      computeNSECbitmap1(bitmap);
+      bitmap.set(QType::SOA); // 1dfd8ad SOA can live outside the records table
+    } else if (mode == 6) {
       if (p.qtype.getCode() != QType::CDS) {
-        n3rc.set(QType::CDS);
+        bitmap.set(QType::CDS);
       }
       if (p.qtype.getCode() != QType::CDNSKEY) {
-        n3rc.set(QType::CDNSKEY);
+        bitmap.set(QType::CDNSKEY);
       }
     }
 
-#ifdef HAVE_LUA_RECORDS
-    bool first{true};
-    bool doLua{false};
-#endif
-
-    B.lookup(QType(QType::ANY), name, d_sd.domain_id);
-    while(B.get(rr)) {
-#ifdef HAVE_LUA_RECORDS
-      if (rr.dr.d_type == QType::LUA && first && !isPresigned()) {
-        first = false;
-        doLua = doLuaRecords();
-      }
-
-      if (rr.dr.d_type == QType::LUA && doLua) {
-        n3rc.set(getRR<LUARecordContent>(rr.dr)->d_type);
-      }
-      else
-#endif
-      if (d_doExpandALIAS && rr.dr.d_type == QType::ALIAS) {
-        // Set the A and AAAA in the NSEC3 bitmap so aggressive NSEC
-        // does not falsely deny the type for this name.
-        // This does NOT add the ALIAS to the bitmap, as that record cannot
-        // be requested.
-        if (!isPresigned()) {
-          n3rc.set(QType::A);
-          n3rc.set(QType::AAAA);
-        }
-      }
-      else if((rr.dr.d_type == QType::DNSKEY || rr.dr.d_type == QType::CDS || rr.dr.d_type == QType::CDNSKEY) && !isPresigned() && !::arg().mustDo("direct-dnskey")) {
-        continue;
-      }
-      else if(rr.dr.d_type && (rr.dr.d_type == QType::NS || rr.auth)) {
-          // skip empty non-terminals
-          n3rc.set(rr.dr.d_type);
-      }
-    }
+    rec.domain_id = computeNSECbitmap2(bitmap, name, false); // skip empty non-terminals
   }
 
+  NSEC3RecordContent n3rc;
+  n3rc.d_algorithm = ns3prc.d_algorithm;
+  n3rc.d_flags = ns3prc.d_flags;
+  n3rc.d_iterations = ns3prc.d_iterations;
+  n3rc.d_salt = ns3prc.d_salt;
+  n3rc.d_nexthash = nexthash;
+
+  n3rc.set(bitmap);
   const auto numberOfTypesSet = n3rc.numberOfTypesSet();
   if (numberOfTypesSet != 0 && !(numberOfTypesSet == 1 && n3rc.isSet(QType::NS))) {
     n3rc.set(QType::RRSIG);
   }
 
-  rr.dr.d_name = DNSName(toBase32Hex(namehash))+d_sd.qname();
-  rr.dr.d_ttl = d_sd.getNegativeTTL();
-  rr.dr.d_type=QType::NSEC3;
-  rr.dr.setContent(std::make_shared<NSEC3RecordContent>(std::move(n3rc)));
-  rr.dr.d_place = (mode == 5 ) ? DNSResourceRecord::ANSWER: DNSResourceRecord::AUTHORITY;
-  rr.auth = true;
+  rec.dr.d_name = DNSName(toBase32Hex(namehash))+d_sd.qname();
+  rec.dr.d_ttl = d_sd.getNegativeTTL();
+  rec.dr.d_type=QType::NSEC3;
+  rec.dr.setContent(std::make_shared<NSEC3RecordContent>(std::move(n3rc)));
+  rec.dr.d_place = (mode == 5 ) ? DNSResourceRecord::ANSWER: DNSResourceRecord::AUTHORITY;
+  rec.auth = true;
 
-  r->addRecord(std::move(rr));
+  r->addRecord(std::move(rec));
 }
 
 /*

pdns/packethandler.hh

@@ -88,6 +88,8 @@ private:
   void addNSEC(DNSPacket& p, std::unique_ptr<DNSPacket>& r, const DNSName &target, const DNSName &wildcard, int mode);
   bool getNSEC3Hashes(bool narrow, const std::string& hashed, bool decrement, DNSName& unhashed, std::string& before, std::string& after, int mode=0);
   void addNSEC3(DNSPacket& p, std::unique_ptr<DNSPacket>& r, const DNSName &target, const DNSName &wildcard, const NSEC3PARAMRecordContent& nsec3param, bool narrow, int mode);
+  void computeNSECbitmap1(NSECBitmap& bitmap);
+  domainid_t computeNSECbitmap2(NSECBitmap& bitmap, const DNSName& name, bool includeENT);
   void emitNSEC(std::unique_ptr<DNSPacket>& r, const DNSName& name, const DNSName& next, int mode);
   void emitNSEC3(DNSPacket& p, std::unique_ptr<DNSPacket>& r, const NSEC3PARAMRecordContent &ns3prc, const DNSName& name, const string& namehash, const string& nexthash, int mode);
   int processUpdate(DNSPacket& p);