Refactor findzonekeys
Move dns_dnssec_findzonekeys from the dnssec.{c,h} source code to
zone.{c,h} (the header file already commented that this should be done
inside dns_zone_t).
Alter the function so that keys are searched for in the key stores if a
'dnssec-policy' (kasp) is attached to the zone; otherwise it keeps using
the zone's key-directory.
This commit is contained in:
parent
b0f14a604d
commit
18b566ccea
8 changed files with 268 additions and 224 deletions
|
|
@ -2793,8 +2793,8 @@ catz_addmodzone_cb(void *arg) {
|
|||
result = configure_zone(cfg->config, zoneobj, cfg->vconfig, cz->view,
|
||||
&cz->cbd->server->viewlist,
|
||||
&cz->cbd->server->kasplist,
|
||||
&cz->cbd->server->keystorelist,
|
||||
cfg->actx, true, false, cz->mod);
|
||||
&cz->cbd->server->keystorelist, cfg->actx, true,
|
||||
false, cz->mod);
|
||||
dns_view_freeze(cz->view);
|
||||
isc_loopmgr_resume(named_g_loopmgr);
|
||||
|
||||
|
|
@ -9137,11 +9137,10 @@ load_configuration(const char *filename, named_server_t *server,
|
|||
goto cleanup_cachelist;
|
||||
}
|
||||
|
||||
result = configure_view(view, &viewlist, config, vconfig,
|
||||
&cachelist, &server->kasplist,
|
||||
&server->keystorelist, bindkeys,
|
||||
named_g_mctx, named_g_aclconfctx,
|
||||
false);
|
||||
result = configure_view(
|
||||
view, &viewlist, config, vconfig, &cachelist,
|
||||
&server->kasplist, &server->keystorelist, bindkeys,
|
||||
named_g_mctx, named_g_aclconfctx, false);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
dns_view_detach(&view);
|
||||
goto cleanup_cachelist;
|
||||
|
|
|
|||
|
|
@ -147,7 +147,7 @@ status=$((status + ret))
|
|||
n=$((n + 1))
|
||||
echo_i "make sure we did not try to sign with the keys added with nsupdate for zone ${ZONE} ($n)"
|
||||
ret=0
|
||||
grep "dns_dnssec_findzonekeys: error reading ./K${ZONE}.*\.private: file not found" "${DIR}/named.run" && ret=1
|
||||
grep "dns_zone_findkeys: error reading ./K${ZONE}.*\.private: file not found" "${DIR}/named.run" && ret=1
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status + ret))
|
||||
# Verify again.
|
||||
|
|
@ -176,7 +176,7 @@ status=$((status + ret))
|
|||
n=$((n + 1))
|
||||
echo_i "make sure we did not try to sign with the keys added with nsupdate for zone ${ZONE} ($n)"
|
||||
ret=0
|
||||
grep "dns_dnssec_findzonekeys: error reading ./K${ZONE}.*\.private: file not found" "${DIR}/named.run" && ret=1
|
||||
grep "dns_zone_findkeys: error reading ./K${ZONE}.*\.private: file not found" "${DIR}/named.run" && ret=1
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status + ret))
|
||||
# Verify again.
|
||||
|
|
@ -521,7 +521,7 @@ test "$ret" -eq 0 || echo_i "failed"
|
|||
status=$((status + ret))
|
||||
dnssec_verify
|
||||
no_dnssec_in_journal
|
||||
grep "dns_dnssec_findzonekeys: error reading ./K${ZONE}.*\.private: file not found" "${DIR}/named.run" && ret=1
|
||||
grep "dns_zone_findkeys: error reading ./K${ZONE}.*\.private: file not found" "${DIR}/named.run" && ret=1
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status + ret))
|
||||
# NS4
|
||||
|
|
@ -534,7 +534,7 @@ test "$ret" -eq 0 || echo_i "failed"
|
|||
status=$((status + ret))
|
||||
dnssec_verify
|
||||
no_dnssec_in_journal
|
||||
grep "dns_dnssec_findzonekeys: error reading ./K${ZONE}.*\.private: file not found" "${DIR}/named.run" && ret=1
|
||||
grep "dns_zone_findkeys: error reading ./K${ZONE}.*\.private: file not found" "${DIR}/named.run" && ret=1
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status + ret))
|
||||
|
||||
|
|
|
|||
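--- a/lib/dns/dnssec.c
+++ b/lib/dns/dnssec.c
@@ -759,177 +759,6 @@ syncdelete(dst_key_t *key, isc_stdtime_t now) {
 #define is_zone_key(key) \
 ((dst_key_flags(key) & DNS_KEYFLAG_OWNERMASK) == DNS_KEYOWNER_ZONE)
 
-isc_result_t
-dns_dnssec_findzonekeys(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node,
-const dns_name_t *name, const char *directory,
-isc_stdtime_t now, isc_mem_t *mctx,
-unsigned int maxkeys, dst_key_t **keys,
-unsigned int *nkeys) {
-dns_rdataset_t rdataset;
-dns_rdata_t rdata = DNS_RDATA_INIT;
-isc_result_t result;
-dst_key_t *pubkey = NULL;
-unsigned int count = 0;
-
-REQUIRE(nkeys != NULL);
-REQUIRE(keys != NULL);
-
-*nkeys = 0;
-memset(keys, 0, sizeof(*keys) * maxkeys);
-dns_rdataset_init(&rdataset);
-RETERR(dns_db_findrdataset(db, node, ver, dns_rdatatype_dnskey, 0, 0,
-&rdataset, NULL));
-RETERR(dns_rdataset_first(&rdataset));
-while (result == ISC_R_SUCCESS && count < maxkeys) {
-pubkey = NULL;
-dns_rdataset_current(&rdataset, &rdata);
-RETERR(dns_dnssec_keyfromrdata(name, &rdata, mctx, &pubkey));
-dst_key_setttl(pubkey, rdataset.ttl);
-
-if (!is_zone_key(pubkey) ||
-(dst_key_flags(pubkey) & DNS_KEYTYPE_NOAUTH) != 0)
-{
-goto next;
-}
-/* Corrupted .key file? */
-if (!dns_name_equal(name, dst_key_name(pubkey))) {
-goto next;
-}
-keys[count] = NULL;
-result = dst_key_fromfile(
-dst_key_name(pubkey), dst_key_id(pubkey),
-dst_key_alg(pubkey),
-DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_STATE,
-directory, mctx, &keys[count]);
-
-/*
-* If the key was revoked and the private file
-* doesn't exist, maybe it was revoked internally
-* by named. Try loading the unrevoked version.
-*/
-if (result == ISC_R_FILENOTFOUND) {
-uint32_t flags;
-flags = dst_key_flags(pubkey);
-if ((flags & DNS_KEYFLAG_REVOKE) != 0) {
-dst_key_setflags(pubkey,
-flags & ~DNS_KEYFLAG_REVOKE);
-result = dst_key_fromfile(
-dst_key_name(pubkey),
-dst_key_id(pubkey), dst_key_alg(pubkey),
-DST_TYPE_PUBLIC | DST_TYPE_PRIVATE |
-DST_TYPE_STATE,
-directory, mctx, &keys[count]);
-if (result == ISC_R_SUCCESS &&
-dst_key_pubcompare(pubkey, keys[count],
-false))
-{
-dst_key_setflags(keys[count], flags);
-}
-dst_key_setflags(pubkey, flags);
-}
-}
-
-if (result != ISC_R_SUCCESS) {
-char filename[DNS_NAME_FORMATSIZE +
-DNS_SECALG_FORMATSIZE +
-sizeof("key file for //65535")];
-isc_result_t result2;
-isc_buffer_t buf;
-
-isc_buffer_init(&buf, filename, NAME_MAX);
-result2 = dst_key_getfilename(
-dst_key_name(pubkey), dst_key_id(pubkey),
-dst_key_alg(pubkey),
-(DST_TYPE_PUBLIC | DST_TYPE_PRIVATE |
-DST_TYPE_STATE),
-directory, mctx, &buf);
-if (result2 != ISC_R_SUCCESS) {
-char namebuf[DNS_NAME_FORMATSIZE];
-char algbuf[DNS_SECALG_FORMATSIZE];
-
-dns_name_format(dst_key_name(pubkey), namebuf,
-sizeof(namebuf));
-dns_secalg_format(dst_key_alg(pubkey), algbuf,
-sizeof(algbuf));
-snprintf(filename, sizeof(filename) - 1,
-"key file for %s/%s/%d", namebuf,
-algbuf, dst_key_id(pubkey));
-}
-
-isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
-DNS_LOGMODULE_DNSSEC, ISC_LOG_WARNING,
-"dns_dnssec_findzonekeys: error "
-"reading %s: %s",
-filename, isc_result_totext(result));
-}
-
-if (result == ISC_R_FILENOTFOUND || result == ISC_R_NOPERM) {
-keys[count] = pubkey;
-pubkey = NULL;
-count++;
-goto next;
-}
-
-if (result != ISC_R_SUCCESS) {
-goto failure;
-}
-
-/*
-* If a key is marked inactive, skip it
-*/
-if (!dns_dnssec_keyactive(keys[count], now)) {
-dst_key_setinactive(pubkey, true);
-dst_key_free(&keys[count]);
-keys[count] = pubkey;
-pubkey = NULL;
-count++;
-goto next;
-}
-
-/*
-* Whatever the key's default TTL may have
-* been, the rdataset TTL takes priority.
-*/
-dst_key_setttl(keys[count], rdataset.ttl);
-
-if ((dst_key_flags(keys[count]) & DNS_KEYTYPE_NOAUTH) != 0) {
-/* We should never get here. */
-dst_key_free(&keys[count]);
-goto next;
-}
-count++;
-next:
-if (pubkey != NULL) {
-dst_key_free(&pubkey);
-}
-dns_rdata_reset(&rdata);
-result = dns_rdataset_next(&rdataset);
-}
-if (result != ISC_R_NOMORE) {
-goto failure;
-}
-if (count == 0) {
-result = ISC_R_NOTFOUND;
-} else {
-result = ISC_R_SUCCESS;
-}
-
-failure:
-if (dns_rdataset_isassociated(&rdataset)) {
-dns_rdataset_disassociate(&rdataset);
-}
-if (pubkey != NULL) {
-dst_key_free(&pubkey);
-}
-if (result != ISC_R_SUCCESS) {
-while (count > 0) {
-dst_key_free(&keys[--count]);
-}
-}
-*nkeys = count;
-return (result);
-}
-
 isc_result_t
 dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key) {
 dns_rdata_sig_t sig; /* SIG(0) */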
|
|
|||
|
|
@ -177,20 +177,6 @@ dns_dnssec_verify(const dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
|
|||
*\li DST_R_*
|
||||
*/
|
||||
|
||||
/*@{*/
|
||||
isc_result_t
|
||||
dns_dnssec_findzonekeys(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node,
|
||||
const dns_name_t *name, const char *directory,
|
||||
isc_stdtime_t now, isc_mem_t *mctx,
|
||||
unsigned int maxkeys, dst_key_t **keys,
|
||||
unsigned int *nkeys);
|
||||
|
||||
/*%<
|
||||
* Finds a set of zone keys.
|
||||
* XXX temporary - this should be handled in dns_zone_t.
|
||||
*/
|
||||
/*@}*/
|
||||
|
||||
bool
|
||||
dns_dnssec_keyactive(dst_key_t *key, isc_stdtime_t now);
|
||||
/*%<
|
||||
|
|
|
|||
|
|
@ -1644,7 +1644,7 @@ dns_zone_getkeystores(dns_zone_t *zone);
|
|||
isc_result_t
|
||||
dns_zone_getdnsseckeys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
|
||||
isc_stdtime_t now, dns_dnsseckeylist_t *keys);
|
||||
/*%
|
||||
/*%<
|
||||
* Find DNSSEC keys used for signing with dnssec-policy. Load these keys
|
||||
* into 'keys'.
|
||||
*
|
||||
|
|
@ -1657,6 +1657,26 @@ dns_zone_getdnsseckeys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
|
|||
*\li Error
|
||||
*/
|
||||
|
||||
isc_result_t
|
||||
dns_zone_findkeys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
|
||||
isc_stdtime_t now, isc_mem_t *mctx, unsigned int maxkeys,
|
||||
dst_key_t **keys, unsigned int *nkeys);
|
||||
/*%<
|
||||
* Finds a set of zone keys. Searches in the applicable key stores for the
|
||||
* given 'zone' if there is a dnssec-policy attached, otherwise it looks up
|
||||
* the keys in the zone's key-directory. The found keys are loaded into 'keys'.
|
||||
*
|
||||
* Requires:
|
||||
*\li 'zone' to be a valid initialised zone.
|
||||
*\li 'mctx' is not NULL.
|
||||
*\li 'keys' is not NULL and has enough space form 'nkeys' keys.
|
||||
*\li 'nkeys' is not NULL.
|
||||
*
|
||||
* Returns:
|
||||
*\li #ISC_R_SUCCESS
|
||||
*\li Error
|
||||
*/
|
||||
|
||||
void
|
||||
dns_zonemgr_create(isc_mem_t *mctx, isc_loopmgr_t *loopmgr, isc_nm_t *netmgr,
|
||||
dns_zonemgr_t **zmgrp);
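Review bot: The Requires list added for `dns_zone_findkeys` reads `'keys' is not NULL and has enough space form 'nkeys' keys`, which has a typo and names the output count instead of the capacity parameter; it should read `*\li 'keys' is not NULL and has room for 'maxkeys' keys.` The Returns list only gives #ISC_R_SUCCESS and "Error", but the implementation in zone.c returns ISC_R_NOTFOUND when the DNSKEY RRset yields no usable zone key, so `*\li #ISC_R_NOTFOUND if no zone key was found` belongs there since callers abort signing on it. It would also help to state who owns the dst_key_t entries written to 'keys' on success, and that a key whose private file could not be read is still returned as a public-only key rather than treated as an error.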
|
||||
|
|
|
|||
255
lib/dns/zone.c
255
lib/dns/zone.c
|
|
@ -218,6 +218,13 @@ typedef struct dns_include dns_include_t;
|
|||
#define ZONEDB_LOCK(l, t) RWLOCK((l), (t))
|
||||
#define ZONEDB_UNLOCK(l, t) RWUNLOCK((l), (t))
|
||||
|
||||
#define RETERR(x) \
|
||||
do { \
|
||||
result = (x); \
|
||||
if (result != ISC_R_SUCCESS) \
|
||||
goto failure; \
|
||||
} while (0)
|
||||
|
||||
#ifdef ENABLE_AFL
|
||||
extern bool dns_fuzzing_resolver;
|
||||
#endif /* ifdef ENABLE_AFL */
|
||||
|
|
@ -6057,6 +6064,212 @@ was_dumping(dns_zone_t *zone) {
|
|||
return (false);
|
||||
}
|
||||
|
||||
static isc_result_t
|
||||
keyfromfile(dns_zone_t *zone, dst_key_t *pubkey, isc_mem_t *mctx,
|
||||
dst_key_t **key) {
|
||||
const char *directory = dns_zone_getkeydirectory(zone);
|
||||
dns_kasp_t *kasp = dns_zone_getkasp(zone);
|
||||
dst_key_t *foundkey = NULL;
|
||||
isc_result_t result = ISC_R_NOTFOUND;
|
||||
|
||||
if (kasp == NULL || (strcmp(dns_kasp_getname(kasp), "none") == 0) ||
|
||||
(strcmp(dns_kasp_getname(kasp), "insecure") == 0))
|
||||
{
|
||||
result = dst_key_fromfile(
|
||||
dst_key_name(pubkey), dst_key_id(pubkey),
|
||||
dst_key_alg(pubkey),
|
||||
(DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_STATE),
|
||||
directory, mctx, &foundkey);
|
||||
} else {
|
||||
for (dns_kasp_key_t *kkey = ISC_LIST_HEAD(dns_kasp_keys(kasp));
|
||||
kkey != NULL; kkey = ISC_LIST_NEXT(kkey, link))
|
||||
{
|
||||
dns_keystore_t *ks = dns_kasp_key_keystore(kkey);
|
||||
if (ks == NULL ||
|
||||
strcmp(dns_keystore_name(ks), "key-directory") == 0)
|
||||
{
|
||||
directory = dns_zone_getkeydirectory(zone);
|
||||
} else {
|
||||
directory = dns_keystore_directory(ks);
|
||||
}
|
||||
|
||||
result = dst_key_fromfile(
|
||||
dst_key_name(pubkey), dst_key_id(pubkey),
|
||||
dst_key_alg(pubkey),
|
||||
(DST_TYPE_PUBLIC | DST_TYPE_PRIVATE |
|
||||
DST_TYPE_STATE),
|
||||
directory, mctx, &foundkey);
|
||||
if (result == ISC_R_SUCCESS) {
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
*key = foundkey;
|
||||
return (result);
|
||||
}
|
||||
|
||||
#define is_zone_key(key) \
|
||||
((dst_key_flags(key) & DNS_KEYFLAG_OWNERMASK) == DNS_KEYOWNER_ZONE)
|
||||
|
||||
static isc_result_t
|
||||
findzonekeys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
|
||||
dns_dbnode_t *node, const dns_name_t *name, isc_stdtime_t now,
|
||||
isc_mem_t *mctx, unsigned int maxkeys, dst_key_t **keys,
|
||||
unsigned int *nkeys) {
|
||||
dns_rdataset_t rdataset;
|
||||
dns_rdata_t rdata = DNS_RDATA_INIT;
|
||||
isc_result_t result;
|
||||
dst_key_t *pubkey = NULL;
|
||||
unsigned int count = 0;
|
||||
|
||||
*nkeys = 0;
|
||||
memset(keys, 0, sizeof(*keys) * maxkeys);
|
||||
dns_rdataset_init(&rdataset);
|
||||
RETERR(dns_db_findrdataset(db, node, ver, dns_rdatatype_dnskey, 0, 0,
|
||||
&rdataset, NULL));
|
||||
RETERR(dns_rdataset_first(&rdataset));
|
||||
while (result == ISC_R_SUCCESS && count < maxkeys) {
|
||||
pubkey = NULL;
|
||||
dns_rdataset_current(&rdataset, &rdata);
|
||||
RETERR(dns_dnssec_keyfromrdata(name, &rdata, mctx, &pubkey));
|
||||
dst_key_setttl(pubkey, rdataset.ttl);
|
||||
|
||||
if (!is_zone_key(pubkey) ||
|
||||
(dst_key_flags(pubkey) & DNS_KEYTYPE_NOAUTH) != 0)
|
||||
{
|
||||
goto next;
|
||||
}
|
||||
/* Corrupted .key file? */
|
||||
if (!dns_name_equal(name, dst_key_name(pubkey))) {
|
||||
goto next;
|
||||
}
|
||||
keys[count] = NULL;
|
||||
result = keyfromfile(zone, pubkey, mctx, &keys[count]);
|
||||
|
||||
/*
|
||||
* If the key was revoked and the private file
|
||||
* doesn't exist, maybe it was revoked internally
|
||||
* by named. Try loading the unrevoked version.
|
||||
*/
|
||||
if (result == ISC_R_FILENOTFOUND) {
|
||||
uint32_t flags;
|
||||
flags = dst_key_flags(pubkey);
|
||||
if ((flags & DNS_KEYFLAG_REVOKE) != 0) {
|
||||
dst_key_setflags(pubkey,
|
||||
flags & ~DNS_KEYFLAG_REVOKE);
|
||||
result = keyfromfile(zone, pubkey, mctx,
|
||||
&keys[count]);
|
||||
if (result == ISC_R_SUCCESS &&
|
||||
dst_key_pubcompare(pubkey, keys[count],
|
||||
false))
|
||||
{
|
||||
dst_key_setflags(keys[count], flags);
|
||||
}
|
||||
dst_key_setflags(pubkey, flags);
|
||||
}
|
||||
}
|
||||
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
char filename[DNS_NAME_FORMATSIZE +
|
||||
DNS_SECALG_FORMATSIZE +
|
||||
sizeof("key file for //65535")];
|
||||
isc_result_t result2;
|
||||
isc_buffer_t buf;
|
||||
|
||||
isc_buffer_init(&buf, filename, sizeof(filename));
|
||||
result2 = dst_key_getfilename(
|
||||
dst_key_name(pubkey), dst_key_id(pubkey),
|
||||
dst_key_alg(pubkey),
|
||||
(DST_TYPE_PUBLIC | DST_TYPE_PRIVATE |
|
||||
DST_TYPE_STATE),
|
||||
NULL, mctx, &buf);
|
||||
if (result2 != ISC_R_SUCCESS) {
|
||||
char namebuf[DNS_NAME_FORMATSIZE];
|
||||
char algbuf[DNS_SECALG_FORMATSIZE];
|
||||
|
||||
dns_name_format(dst_key_name(pubkey), namebuf,
|
||||
sizeof(namebuf));
|
||||
dns_secalg_format(dst_key_alg(pubkey), algbuf,
|
||||
sizeof(algbuf));
|
||||
snprintf(filename, sizeof(filename) - 1,
|
||||
"key file for %s/%s/%d", namebuf,
|
||||
algbuf, dst_key_id(pubkey));
|
||||
}
|
||||
|
||||
isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
|
||||
DNS_LOGMODULE_DNSSEC, ISC_LOG_WARNING,
|
||||
"dns_zone_findkeys: error reading %s: %s",
|
||||
filename, isc_result_totext(result));
|
||||
}
|
||||
|
||||
if (result == ISC_R_FILENOTFOUND || result == ISC_R_NOPERM) {
|
||||
keys[count] = pubkey;
|
||||
pubkey = NULL;
|
||||
count++;
|
||||
goto next;
|
||||
}
|
||||
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
goto failure;
|
||||
}
|
||||
|
||||
/*
|
||||
* If a key is marked inactive, skip it
|
||||
*/
|
||||
if (!dns_dnssec_keyactive(keys[count], now)) {
|
||||
dst_key_setinactive(pubkey, true);
|
||||
dst_key_free(&keys[count]);
|
||||
keys[count] = pubkey;
|
||||
pubkey = NULL;
|
||||
count++;
|
||||
goto next;
|
||||
}
|
||||
|
||||
/*
|
||||
* Whatever the key's default TTL may have
|
||||
* been, the rdataset TTL takes priority.
|
||||
*/
|
||||
dst_key_setttl(keys[count], rdataset.ttl);
|
||||
|
||||
if ((dst_key_flags(keys[count]) & DNS_KEYTYPE_NOAUTH) != 0) {
|
||||
/* We should never get here. */
|
||||
dst_key_free(&keys[count]);
|
||||
goto next;
|
||||
}
|
||||
count++;
|
||||
next:
|
||||
if (pubkey != NULL) {
|
||||
dst_key_free(&pubkey);
|
||||
}
|
||||
dns_rdata_reset(&rdata);
|
||||
result = dns_rdataset_next(&rdataset);
|
||||
}
|
||||
if (result != ISC_R_NOMORE) {
|
||||
goto failure;
|
||||
}
|
||||
if (count == 0) {
|
||||
result = ISC_R_NOTFOUND;
|
||||
} else {
|
||||
result = ISC_R_SUCCESS;
|
||||
}
|
||||
|
||||
failure:
|
||||
if (dns_rdataset_isassociated(&rdataset)) {
|
||||
dns_rdataset_disassociate(&rdataset);
|
||||
}
|
||||
if (pubkey != NULL) {
|
||||
dst_key_free(&pubkey);
|
||||
}
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
while (count > 0) {
|
||||
dst_key_free(&keys[--count]);
|
||||
}
|
||||
}
|
||||
*nkeys = count;
|
||||
return (result);
|
||||
}
|
||||
|
||||
/*%
|
||||
* Find up to 'maxkeys' DNSSEC keys used for signing version 'ver' of database
|
||||
* 'db' for zone 'zone' in its key directory, then load these keys into 'keys'.
|
||||
|
|
@ -6064,21 +6277,23 @@ was_dumping(dns_zone_t *zone) {
|
|||
* 'now'. Store the number of keys found in 'nkeys'.
|
||||
*/
|
||||
isc_result_t
|
||||
dns__zone_findkeys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
|
||||
isc_stdtime_t now, isc_mem_t *mctx, unsigned int maxkeys,
|
||||
dst_key_t **keys, unsigned int *nkeys) {
|
||||
dns_zone_findkeys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
|
||||
isc_stdtime_t now, isc_mem_t *mctx, unsigned int maxkeys,
|
||||
dst_key_t **keys, unsigned int *nkeys) {
|
||||
isc_result_t result;
|
||||
dns_dbnode_t *node = NULL;
|
||||
const char *directory = dns_zone_getkeydirectory(zone);
|
||||
|
||||
REQUIRE(DNS_ZONE_VALID(zone));
|
||||
REQUIRE(mctx != NULL);
|
||||
REQUIRE(nkeys != NULL);
|
||||
REQUIRE(keys != NULL);
|
||||
|
||||
CHECK(dns_db_findnode(db, dns_db_origin(db), false, &node));
|
||||
memset(keys, 0, sizeof(*keys) * maxkeys);
|
||||
|
||||
dns_zone_lock_keyfiles(zone);
|
||||
|
||||
result = dns_dnssec_findzonekeys(db, ver, node, dns_db_origin(db),
|
||||
directory, now, mctx, maxkeys, keys,
|
||||
nkeys);
|
||||
result = findzonekeys(zone, db, ver, node, dns_db_origin(db), now, mctx,
|
||||
maxkeys, keys, nkeys);
|
||||
|
||||
dns_zone_unlock_keyfiles(zone);
|
||||
|
||||
|
|
@ -6752,11 +6967,11 @@ zone_resigninc(dns_zone_t *zone) {
|
|||
|
||||
now = isc_stdtime_now();
|
||||
|
||||
result = dns__zone_findkeys(zone, db, version, now, zone->mctx,
|
||||
DNS_MAXZONEKEYS, zone_keys, &nkeys);
|
||||
result = dns_zone_findkeys(zone, db, version, now, zone->mctx,
|
||||
DNS_MAXZONEKEYS, zone_keys, &nkeys);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
dns_zone_log(zone, ISC_LOG_ERROR,
|
||||
"zone_resigninc:dns__zone_findkeys -> %s",
|
||||
"zone_resigninc:dns_zone_findkeys -> %s",
|
||||
isc_result_totext(result));
|
||||
goto failure;
|
||||
}
|
||||
|
|
@ -7987,11 +8202,11 @@ zone_nsec3chain(dns_zone_t *zone) {
|
|||
|
||||
now = isc_stdtime_now();
|
||||
|
||||
result = dns__zone_findkeys(zone, db, version, now, zone->mctx,
|
||||
DNS_MAXZONEKEYS, zone_keys, &nkeys);
|
||||
result = dns_zone_findkeys(zone, db, version, now, zone->mctx,
|
||||
DNS_MAXZONEKEYS, zone_keys, &nkeys);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
dnssec_log(zone, ISC_LOG_ERROR,
|
||||
"zone_nsec3chain:dns__zone_findkeys -> %s",
|
||||
"zone_nsec3chain:dns_zone_findkeys -> %s",
|
||||
isc_result_totext(result));
|
||||
goto failure;
|
||||
}
|
||||
|
|
@ -9072,11 +9287,11 @@ zone_sign(dns_zone_t *zone) {
|
|||
|
||||
now = isc_stdtime_now();
|
||||
|
||||
result = dns__zone_findkeys(zone, db, version, now, zone->mctx,
|
||||
DNS_MAXZONEKEYS, zone_keys, &nkeys);
|
||||
result = dns_zone_findkeys(zone, db, version, now, zone->mctx,
|
||||
DNS_MAXZONEKEYS, zone_keys, &nkeys);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
dnssec_log(zone, ISC_LOG_ERROR,
|
||||
"zone_sign:dns__zone_findkeys -> %s",
|
||||
"zone_sign:dns_zone_findkeys -> %s",
|
||||
isc_result_totext(result));
|
||||
goto cleanup;
|
||||
}
|
||||
|
|
@ -20139,11 +20354,11 @@ sign_apex(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
|
|||
dst_key_t *zone_keys[DNS_MAXZONEKEYS];
|
||||
unsigned int nkeys = 0, i;
|
||||
|
||||
result = dns__zone_findkeys(zone, db, ver, now, zone->mctx,
|
||||
DNS_MAXZONEKEYS, zone_keys, &nkeys);
|
||||
result = dns_zone_findkeys(zone, db, ver, now, zone->mctx,
|
||||
DNS_MAXZONEKEYS, zone_keys, &nkeys);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
dnssec_log(zone, ISC_LOG_ERROR,
|
||||
"sign_apex:dns__zone_findkeys -> %s",
|
||||
"sign_apex:dns_zone_findkeys -> %s",
|
||||
isc_result_totext(result));
|
||||
return (result);
|
||||
}
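Review bot: In `keyfromfile` (hunk @ -6057) `result` starts as ISC_R_NOTFOUND and is only overwritten inside the keystore loop, so if a policy can have an empty key list (the special-casing of "none" and "insecure" suggests it can) the lookup returns ISC_R_NOTFOUND instead of ISC_R_FILENOTFOUND, and `findzonekeys` then treats that as a hard error at `goto failure`, freeing every key collected so far where the key-directory branch would have kept the public key; initialising with `isc_result_t result = ISC_R_FILENOTFOUND;` keeps the two branches consistent. The warning in `findzonekeys` now passes `NULL` as the directory to `dst_key_getfilename`, so the logged path no longer shows which key store was searched, which is the first thing an operator needs when a private key is missing; consider formatting the last directory tried into the message. In hunk @ -6064, `dns_zone_findkeys` still initialises `directory` from `dns_zone_getkeydirectory(zone)` but no longer passes it anywhere visible, so unless it is used past the hunk it is an unused variable, and the comment above it still says the keys are looked up "in its key directory", which is no longer the only place searched.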
|
||||
|
|
|
|||
|
|
@ -29,11 +29,6 @@ typedef struct {
|
|||
bool offline;
|
||||
} dns__zonediff_t;
|
||||
|
||||
isc_result_t
|
||||
dns__zone_findkeys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
|
||||
isc_stdtime_t now, isc_mem_t *mctx, unsigned int maxkeys,
|
||||
dst_key_t **keys, unsigned int *nkeys);
|
||||
|
||||
isc_result_t
|
||||
dns__zone_updatesigs(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *version,
|
||||
dst_key_t *zone_keys[], unsigned int nkeys,
|
||||
|
|
|
|||
|
|
@ -315,8 +315,8 @@ ISC_RUN_TEST_IMPL(updatesigs_next) {
|
|||
result = dns_zone_setkeydirectory(zone, TESTS_DIR "/testkeys");
|
||||
assert_int_equal(result, ISC_R_SUCCESS);
|
||||
|
||||
result = dns__zone_findkeys(zone, db, NULL, now, mctx, DNS_MAXZONEKEYS,
|
||||
zone_keys, &nkeys);
|
||||
result = dns_zone_findkeys(zone, db, NULL, now, mctx, DNS_MAXZONEKEYS,
|
||||
zone_keys, &nkeys);
|
||||
assert_int_equal(result, ISC_R_SUCCESS);
|
||||
assert_int_equal(nkeys, 2);
|
||||
|
||||
|
|
|
|||