From 18b566cceaecc00966dde6cdf94b56e12c182686 Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Tue, 20 Jun 2023 15:44:17 +0200 Subject: [PATCH] Refactor findzonekeys Move dns_dnssec_findzonekeys from the dnssec.{c,h} source code to zone.{c,h} (the header file already commented that this should be done inside dns_zone_t). Alter the function in such a way, that keys are searched for in the key stores if a 'dnssec-policy' (kasp) is attached to the zone, otherwise keep using the zone's key-directory. --- bin/named/server.c | 13 +- bin/tests/system/multisigner/tests.sh | 8 +- lib/dns/dnssec.c | 171 ----------------- lib/dns/include/dns/dnssec.h | 14 -- lib/dns/include/dns/zone.h | 22 ++- lib/dns/zone.c | 255 ++++++++++++++++++++++++-- lib/dns/zone_p.h | 5 - tests/dns/sigs_test.c | 4 +- 8 files changed, 268 insertions(+), 224 deletions(-) diff --git a/bin/named/server.c b/bin/named/server.c index 304e1f3e2e..64fbd5dc99 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -2793,8 +2793,8 @@ catz_addmodzone_cb(void *arg) { result = configure_zone(cfg->config, zoneobj, cfg->vconfig, cz->view, &cz->cbd->server->viewlist, &cz->cbd->server->kasplist, - &cz->cbd->server->keystorelist, - cfg->actx, true, false, cz->mod); + &cz->cbd->server->keystorelist, cfg->actx, true, + false, cz->mod); dns_view_freeze(cz->view); isc_loopmgr_resume(named_g_loopmgr); @@ -9137,11 +9137,10 @@ load_configuration(const char *filename, named_server_t *server, goto cleanup_cachelist; } - result = configure_view(view, &viewlist, config, vconfig, - &cachelist, &server->kasplist, - &server->keystorelist, bindkeys, - named_g_mctx, named_g_aclconfctx, - false); + result = configure_view( + view, &viewlist, config, vconfig, &cachelist, + &server->kasplist, &server->keystorelist, bindkeys, + named_g_mctx, named_g_aclconfctx, false); if (result != ISC_R_SUCCESS) { dns_view_detach(&view); goto cleanup_cachelist; 
diff --git a/bin/tests/system/multisigner/tests.sh b/bin/tests/system/multisigner/tests.sh index 36d6252902..abe19ff215 100644 --- a/bin/tests/system/multisigner/tests.sh +++ b/bin/tests/system/multisigner/tests.sh @@ -147,7 +147,7 @@ status=$((status + ret)) n=$((n + 1)) echo_i "make sure we did not try to sign with the keys added with nsupdate for zone ${ZONE} ($n)" ret=0 -grep "dns_dnssec_findzonekeys: error reading ./K${ZONE}.*\.private: file not found" "${DIR}/named.run" && ret=1 +grep "dns_zone_findkeys: error reading ./K${ZONE}.*\.private: file not found" "${DIR}/named.run" && ret=1 test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) # Verify again. @@ -176,7 +176,7 @@ status=$((status + ret)) n=$((n + 1)) echo_i "make sure we did not try to sign with the keys added with nsupdate for zone ${ZONE} ($n)" ret=0 -grep "dns_dnssec_findzonekeys: error reading ./K${ZONE}.*\.private: file not found" "${DIR}/named.run" && ret=1 +grep "dns_zone_findkeys: error reading ./K${ZONE}.*\.private: file not found" "${DIR}/named.run" && ret=1 test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) # Verify again. @@ -521,7 +521,7 @@ test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) dnssec_verify no_dnssec_in_journal -grep "dns_dnssec_findzonekeys: error reading ./K${ZONE}.*\.private: file not found" "${DIR}/named.run" && ret=1 +grep "dns_zone_findkeys: error reading ./K${ZONE}.*\.private: file not found" "${DIR}/named.run" && ret=1 test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) # NS4 @@ -534,7 +534,7 @@ test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) dnssec_verify no_dnssec_in_journal -grep "dns_dnssec_findzonekeys: error reading ./K${ZONE}.*\.private: file not found" "${DIR}/named.run" && ret=1 +grep "dns_zone_findkeys: error reading ./K${ZONE}.*\.private: file not found" "${DIR}/named.run" && ret=1 test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) 
diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c
index 90234daa27..c1b1beedfa 100644
--- a/lib/dns/dnssec.c
+++ b/lib/dns/dnssec.c
@@ -759,177 +759,6 @@ syncdelete(dst_key_t *key, isc_stdtime_t now) { #define is_zone_key(key) \ ((dst_key_flags(key) & DNS_KEYFLAG_OWNERMASK) == DNS_KEYOWNER_ZONE) -isc_result_t -dns_dnssec_findzonekeys(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node, - const dns_name_t *name, const char *directory, - isc_stdtime_t now, isc_mem_t *mctx, - unsigned int maxkeys, dst_key_t **keys, - unsigned int *nkeys) { - dns_rdataset_t rdataset; - dns_rdata_t rdata = DNS_RDATA_INIT; - isc_result_t result; - dst_key_t *pubkey = NULL; - unsigned int count = 0; - - REQUIRE(nkeys != NULL); - REQUIRE(keys != NULL); - - *nkeys = 0; - memset(keys, 0, sizeof(*keys) * maxkeys); - dns_rdataset_init(&rdataset); - RETERR(dns_db_findrdataset(db, node, ver, dns_rdatatype_dnskey, 0, 0, - &rdataset, NULL)); - RETERR(dns_rdataset_first(&rdataset)); - while (result == ISC_R_SUCCESS && count < maxkeys) { - pubkey = NULL; - dns_rdataset_current(&rdataset, &rdata); - RETERR(dns_dnssec_keyfromrdata(name, &rdata, mctx, &pubkey)); - dst_key_setttl(pubkey, rdataset.ttl); - - if (!is_zone_key(pubkey) || - (dst_key_flags(pubkey) & DNS_KEYTYPE_NOAUTH) != 0) - { - goto next; - } - /* Corrupted .key file? */ - if (!dns_name_equal(name, dst_key_name(pubkey))) { - goto next; - } - keys[count] = NULL; - result = dst_key_fromfile( - dst_key_name(pubkey), dst_key_id(pubkey), - dst_key_alg(pubkey), - DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_STATE, - directory, mctx, &keys[count]); - - /* - * If the key was revoked and the private file - * doesn't exist, maybe it was revoked internally - * by named. Try loading the unrevoked version. 
- */ - if (result == ISC_R_FILENOTFOUND) { - uint32_t flags; - flags = dst_key_flags(pubkey); - if ((flags & DNS_KEYFLAG_REVOKE) != 0) { - dst_key_setflags(pubkey, - flags & ~DNS_KEYFLAG_REVOKE); - result = dst_key_fromfile( - dst_key_name(pubkey), - dst_key_id(pubkey), dst_key_alg(pubkey), - DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | - DST_TYPE_STATE, - directory, mctx, &keys[count]); - if (result == ISC_R_SUCCESS && - dst_key_pubcompare(pubkey, keys[count], - false)) - { - dst_key_setflags(keys[count], flags); - } - dst_key_setflags(pubkey, flags); - } - } - - if (result != ISC_R_SUCCESS) { - char filename[DNS_NAME_FORMATSIZE + - DNS_SECALG_FORMATSIZE + - sizeof("key file for //65535")]; - isc_result_t result2; - isc_buffer_t buf; - - isc_buffer_init(&buf, filename, NAME_MAX); - result2 = dst_key_getfilename( - dst_key_name(pubkey), dst_key_id(pubkey), - dst_key_alg(pubkey), - (DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | - DST_TYPE_STATE), - directory, mctx, &buf); - if (result2 != ISC_R_SUCCESS) { - char namebuf[DNS_NAME_FORMATSIZE]; - char algbuf[DNS_SECALG_FORMATSIZE]; - - dns_name_format(dst_key_name(pubkey), namebuf, - sizeof(namebuf)); - dns_secalg_format(dst_key_alg(pubkey), algbuf, - sizeof(algbuf)); - snprintf(filename, sizeof(filename) - 1, - "key file for %s/%s/%d", namebuf, - algbuf, dst_key_id(pubkey)); - } - - isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, - DNS_LOGMODULE_DNSSEC, ISC_LOG_WARNING, - "dns_dnssec_findzonekeys: error " - "reading %s: %s", - filename, isc_result_totext(result)); - } - - if (result == ISC_R_FILENOTFOUND || result == ISC_R_NOPERM) { - keys[count] = pubkey; - pubkey = NULL; - count++; - goto next; - } - - if (result != ISC_R_SUCCESS) { - goto failure; - } - - /* - * If a key is marked inactive, skip it - */ - if (!dns_dnssec_keyactive(keys[count], now)) { - dst_key_setinactive(pubkey, true); - dst_key_free(&keys[count]); - keys[count] = pubkey; - pubkey = NULL; - count++; - goto next; - } - - /* - * Whatever the key's default TTL may 
have - * been, the rdataset TTL takes priority. - */ - dst_key_setttl(keys[count], rdataset.ttl); - - if ((dst_key_flags(keys[count]) & DNS_KEYTYPE_NOAUTH) != 0) { - /* We should never get here. */ - dst_key_free(&keys[count]); - goto next; - } - count++; - next: - if (pubkey != NULL) { - dst_key_free(&pubkey); - } - dns_rdata_reset(&rdata); - result = dns_rdataset_next(&rdataset); - } - if (result != ISC_R_NOMORE) { - goto failure; - } - if (count == 0) { - result = ISC_R_NOTFOUND; - } else { - result = ISC_R_SUCCESS; - } - -failure: - if (dns_rdataset_isassociated(&rdataset)) { - dns_rdataset_disassociate(&rdataset); - } - if (pubkey != NULL) { - dst_key_free(&pubkey); - } - if (result != ISC_R_SUCCESS) { - while (count > 0) { - dst_key_free(&keys[--count]); - } - } - *nkeys = count; - return (result); -} - isc_result_t dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key) { dns_rdata_sig_t sig; /* SIG(0) */ diff --git a/lib/dns/include/dns/dnssec.h b/lib/dns/include/dns/dnssec.h index b9bdffc681..7a6c5b5bc9 100644 --- a/lib/dns/include/dns/dnssec.h +++ b/lib/dns/include/dns/dnssec.h @@ -177,20 +177,6 @@ dns_dnssec_verify(const dns_name_t *name, dns_rdataset_t *set, dst_key_t *key, *\li DST_R_* */ -/*@{*/ -isc_result_t -dns_dnssec_findzonekeys(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node, - const dns_name_t *name, const char *directory, - isc_stdtime_t now, isc_mem_t *mctx, - unsigned int maxkeys, dst_key_t **keys, - unsigned int *nkeys); - -/*%< - * Finds a set of zone keys. - * XXX temporary - this should be handled in dns_zone_t. - */ -/*@}*/ - bool dns_dnssec_keyactive(dst_key_t *key, isc_stdtime_t now); /*%< diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h index a463fee162..d1e589f445 100644 --- a/lib/dns/include/dns/zone.h +++ b/lib/dns/include/dns/zone.h 
@@ -1644,7 +1644,7 @@ dns_zone_getkeystores(dns_zone_t *zone); isc_result_t dns_zone_getdnsseckeys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, isc_stdtime_t now, dns_dnsseckeylist_t *keys); -/*% +/*%< * Find DNSSEC keys used for signing with dnssec-policy. Load these keys * into 'keys'. * @@ -1657,6 +1657,26 @@ dns_zone_getdnsseckeys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, *\li Error */ +isc_result_t +dns_zone_findkeys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, + isc_stdtime_t now, isc_mem_t *mctx, unsigned int maxkeys, + dst_key_t **keys, unsigned int *nkeys); +/*%< + * Finds a set of zone keys. Searches in the applicable key stores for the + * given 'zone' if there is a dnssec-policy attached, otherwise it looks up + * the keys in the zone's key-directory. The found keys are loaded into 'keys'. + * + * Requires: + *\li 'zone' to be a valid initialised zone. + *\li 'mctx' is not NULL. + *\li 'keys' is not NULL and has enough space form 'nkeys' keys. + *\li 'nkeys' is not NULL. + * + * Returns: + *\li #ISC_R_SUCCESS + *\li Error + */ + void dns_zonemgr_create(isc_mem_t *mctx, isc_loopmgr_t *loopmgr, isc_nm_t *netmgr, dns_zonemgr_t **zmgrp); diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 428dfd94b9..4d9fa86574 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -218,6 +218,13 @@ typedef struct dns_include dns_include_t; #define ZONEDB_LOCK(l, t) RWLOCK((l), (t)) #define ZONEDB_UNLOCK(l, t) RWUNLOCK((l), (t)) +#define RETERR(x) \ + do { \ + result = (x); \ + if (result != ISC_R_SUCCESS) \ + goto failure; \ + } while (0) + #ifdef ENABLE_AFL extern bool dns_fuzzing_resolver; #endif /* ifdef ENABLE_AFL */ 
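Review bot: The Requires list in the new dns_zone_findkeys comment ties the size of 'keys' to the wrong parameter: `'keys' is not NULL and has enough space form 'nkeys' keys` should read `'keys' is not NULL and has enough space for 'maxkeys' keys`. 'nkeys' is an output, and findzonekeys in zone.c clears `sizeof(*keys) * maxkeys` bytes before doing anything else, so a caller who sizes the array from the wording as written could pass a buffer smaller than what gets zeroed. The comment could also say that ISC_R_NOTFOUND is returned when no key is found, and that the caller presumably releases each returned key with dst_key_free(); the first follows from findzonekeys in this patch, the second should be confirmed against the callers.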
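Review bot: RETERR as added to zone.c has an unbraced `if` body and silently depends on a local `result` and a `failure` label in whichever function uses it. dns_zone_findkeys in this same patch already calls `CHECK(dns_db_findnode(...))`, which appears to serve the same purpose; if CHECK has the same shape, findzonekeys could use it and this macro could be dropped. Otherwise brace the body, `if (result != ISC_R_SUCCESS) { goto failure; }`, to match the bracing used everywhere else in the patch.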
@@ -6057,6 +6064,212 @@ was_dumping(dns_zone_t *zone) { return (false); } +static isc_result_t +keyfromfile(dns_zone_t *zone, dst_key_t *pubkey, isc_mem_t *mctx, + dst_key_t **key) { + const char *directory = dns_zone_getkeydirectory(zone); + dns_kasp_t *kasp = dns_zone_getkasp(zone); + dst_key_t *foundkey = NULL; + isc_result_t result = ISC_R_NOTFOUND; + + if (kasp == NULL || (strcmp(dns_kasp_getname(kasp), "none") == 0) || + (strcmp(dns_kasp_getname(kasp), "insecure") == 0)) + { + result = dst_key_fromfile( + dst_key_name(pubkey), dst_key_id(pubkey), + dst_key_alg(pubkey), + (DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_STATE), + directory, mctx, &foundkey); + } else { + for (dns_kasp_key_t *kkey = ISC_LIST_HEAD(dns_kasp_keys(kasp)); + kkey != NULL; kkey = ISC_LIST_NEXT(kkey, link)) + { + dns_keystore_t *ks = dns_kasp_key_keystore(kkey); + if (ks == NULL || + strcmp(dns_keystore_name(ks), "key-directory") == 0) + { + directory = dns_zone_getkeydirectory(zone); + } else { + directory = dns_keystore_directory(ks); + } + + result = dst_key_fromfile( + dst_key_name(pubkey), dst_key_id(pubkey), + dst_key_alg(pubkey), + (DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | + DST_TYPE_STATE), + directory, mctx, &foundkey); + if (result == ISC_R_SUCCESS) { + break; + } + } + } + + *key = foundkey; + return (result); +} + +#define is_zone_key(key) \ + ((dst_key_flags(key) & DNS_KEYFLAG_OWNERMASK) == DNS_KEYOWNER_ZONE) + +static isc_result_t +findzonekeys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, + dns_dbnode_t *node, const dns_name_t *name, isc_stdtime_t now, + isc_mem_t *mctx, unsigned int maxkeys, dst_key_t **keys, + unsigned int *nkeys) { + dns_rdataset_t rdataset; + dns_rdata_t rdata = DNS_RDATA_INIT; + isc_result_t result; + dst_key_t *pubkey = NULL; + unsigned int count = 0; + + *nkeys = 0; + memset(keys, 0, sizeof(*keys) * maxkeys); + dns_rdataset_init(&rdataset); + RETERR(dns_db_findrdataset(db, node, ver, dns_rdatatype_dnskey, 0, 0, + &rdataset, NULL)); + 
RETERR(dns_rdataset_first(&rdataset)); + while (result == ISC_R_SUCCESS && count < maxkeys) { + pubkey = NULL; + dns_rdataset_current(&rdataset, &rdata); + RETERR(dns_dnssec_keyfromrdata(name, &rdata, mctx, &pubkey)); + dst_key_setttl(pubkey, rdataset.ttl); + + if (!is_zone_key(pubkey) || + (dst_key_flags(pubkey) & DNS_KEYTYPE_NOAUTH) != 0) + { + goto next; + } + /* Corrupted .key file? */ + if (!dns_name_equal(name, dst_key_name(pubkey))) { + goto next; + } + keys[count] = NULL; + result = keyfromfile(zone, pubkey, mctx, &keys[count]); + + /* + * If the key was revoked and the private file + * doesn't exist, maybe it was revoked internally + * by named. Try loading the unrevoked version. + */ + if (result == ISC_R_FILENOTFOUND) { + uint32_t flags; + flags = dst_key_flags(pubkey); + if ((flags & DNS_KEYFLAG_REVOKE) != 0) { + dst_key_setflags(pubkey, + flags & ~DNS_KEYFLAG_REVOKE); + result = keyfromfile(zone, pubkey, mctx, + &keys[count]); + if (result == ISC_R_SUCCESS && + dst_key_pubcompare(pubkey, keys[count], + false)) + { + dst_key_setflags(keys[count], flags); + } + dst_key_setflags(pubkey, flags); + } + } + + if (result != ISC_R_SUCCESS) { + char filename[DNS_NAME_FORMATSIZE + + DNS_SECALG_FORMATSIZE + + sizeof("key file for //65535")]; + isc_result_t result2; + isc_buffer_t buf; + + isc_buffer_init(&buf, filename, sizeof(filename)); + result2 = dst_key_getfilename( + dst_key_name(pubkey), dst_key_id(pubkey), + dst_key_alg(pubkey), + (DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | + DST_TYPE_STATE), + NULL, mctx, &buf); + if (result2 != ISC_R_SUCCESS) { + char namebuf[DNS_NAME_FORMATSIZE]; + char algbuf[DNS_SECALG_FORMATSIZE]; + + dns_name_format(dst_key_name(pubkey), namebuf, + sizeof(namebuf)); + dns_secalg_format(dst_key_alg(pubkey), algbuf, + sizeof(algbuf)); + snprintf(filename, sizeof(filename) - 1, + "key file for %s/%s/%d", namebuf, + algbuf, dst_key_id(pubkey)); + } + + isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, + DNS_LOGMODULE_DNSSEC, ISC_LOG_WARNING, 
+ "dns_zone_findkeys: error reading %s: %s", + filename, isc_result_totext(result)); + } + + if (result == ISC_R_FILENOTFOUND || result == ISC_R_NOPERM) { + keys[count] = pubkey; + pubkey = NULL; + count++; + goto next; + } + + if (result != ISC_R_SUCCESS) { + goto failure; + } + + /* + * If a key is marked inactive, skip it + */ + if (!dns_dnssec_keyactive(keys[count], now)) { + dst_key_setinactive(pubkey, true); + dst_key_free(&keys[count]); + keys[count] = pubkey; + pubkey = NULL; + count++; + goto next; + } + + /* + * Whatever the key's default TTL may have + * been, the rdataset TTL takes priority. + */ + dst_key_setttl(keys[count], rdataset.ttl); + + if ((dst_key_flags(keys[count]) & DNS_KEYTYPE_NOAUTH) != 0) { + /* We should never get here. */ + dst_key_free(&keys[count]); + goto next; + } + count++; + next: + if (pubkey != NULL) { + dst_key_free(&pubkey); + } + dns_rdata_reset(&rdata); + result = dns_rdataset_next(&rdataset); + } + if (result != ISC_R_NOMORE) { + goto failure; + } + if (count == 0) { + result = ISC_R_NOTFOUND; + } else { + result = ISC_R_SUCCESS; + } + +failure: + if (dns_rdataset_isassociated(&rdataset)) { + dns_rdataset_disassociate(&rdataset); + } + if (pubkey != NULL) { + dst_key_free(&pubkey); + } + if (result != ISC_R_SUCCESS) { + while (count > 0) { + dst_key_free(&keys[--count]); + } + } + *nkeys = count; + return (result); +} + /*% * Find up to 'maxkeys' DNSSEC keys used for signing version 'ver' of database * 'db' for zone 'zone' in its key directory, then load these keys into 'keys'. 
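Review bot: keyfromfile() reports only the result of the last key store it tried: in the `for` loop over `dns_kasp_keys(kasp)` every result other than success moves on to the next store, so an ISC_R_NOPERM or a parse error from the store that actually holds the key can be replaced by ISC_R_FILENOTFOUND from a later one (or the reverse), and findzonekeys then either keeps the public key or aborts depending on store order. If a key is expected to live in exactly one store, consider stopping at the first definitive answer, `if (result != ISC_R_FILENOTFOUND) { break; }`. Related, the warning path now calls `dst_key_getfilename(..., NULL, mctx, &buf)`, so the logged name presumably no longer carries the directory that was searched; that makes a missing or unreadable private key harder to trace to a key store, and the `./K${ZONE}` prefix still expected by the grep checks in bin/tests/system/multisigner/tests.sh may no longer match, which would let those negative checks pass vacuously. A short comment on keyfromfile stating the search order and which result it returns when several stores are tried would help the next reader.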
@@ -6064,21 +6277,23 @@ was_dumping(dns_zone_t *zone) { * 'now'. Store the number of keys found in 'nkeys'. */ isc_result_t -dns__zone_findkeys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, - isc_stdtime_t now, isc_mem_t *mctx, unsigned int maxkeys, - dst_key_t **keys, unsigned int *nkeys) { +dns_zone_findkeys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, + isc_stdtime_t now, isc_mem_t *mctx, unsigned int maxkeys, + dst_key_t **keys, unsigned int *nkeys) { isc_result_t result; dns_dbnode_t *node = NULL; - const char *directory = dns_zone_getkeydirectory(zone); + + REQUIRE(DNS_ZONE_VALID(zone)); + REQUIRE(mctx != NULL); + REQUIRE(nkeys != NULL); + REQUIRE(keys != NULL); CHECK(dns_db_findnode(db, dns_db_origin(db), false, &node)); - memset(keys, 0, sizeof(*keys) * maxkeys); dns_zone_lock_keyfiles(zone); - result = dns_dnssec_findzonekeys(db, ver, node, dns_db_origin(db), - directory, now, mctx, maxkeys, keys, - nkeys); + result = findzonekeys(zone, db, ver, node, dns_db_origin(db), now, mctx, + maxkeys, keys, nkeys); dns_zone_unlock_keyfiles(zone); @@ -6752,11 +6967,11 @@ zone_resigninc(dns_zone_t *zone) { now = isc_stdtime_now(); - result = dns__zone_findkeys(zone, db, version, now, zone->mctx, - DNS_MAXZONEKEYS, zone_keys, &nkeys); + result = dns_zone_findkeys(zone, db, version, now, zone->mctx, + DNS_MAXZONEKEYS, zone_keys, &nkeys); if (result != ISC_R_SUCCESS) { dns_zone_log(zone, ISC_LOG_ERROR, - "zone_resigninc:dns__zone_findkeys -> %s", + "zone_resigninc:dns_zone_findkeys -> %s", isc_result_totext(result)); goto failure; } 
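Review bot: Now that dns_zone_findkeys is a public entry point, `*nkeys` is still left unset when `CHECK(dns_db_findnode(...))` fails, because findzonekeys is the only place visible in this patch that writes it; a caller that frees `keys[0..nkeys)` on error then depends on having initialised its own counter. Adding `*nkeys = 0;` right after the REQUIRE block would make the contract independent of the caller; the failure label is outside this hunk, so confirm it does not already do this. The block comment above the function, kept as context, still says the keys are looked up `in its key directory`, and should mention the key stores that are searched when a dnssec-policy is attached.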
@@ -7987,11 +8202,11 @@ zone_nsec3chain(dns_zone_t *zone) { now = isc_stdtime_now(); - result = dns__zone_findkeys(zone, db, version, now, zone->mctx, - DNS_MAXZONEKEYS, zone_keys, &nkeys); + result = dns_zone_findkeys(zone, db, version, now, zone->mctx, + DNS_MAXZONEKEYS, zone_keys, &nkeys); if (result != ISC_R_SUCCESS) { dnssec_log(zone, ISC_LOG_ERROR, - "zone_nsec3chain:dns__zone_findkeys -> %s", + "zone_nsec3chain:dns_zone_findkeys -> %s", isc_result_totext(result)); goto failure; } @@ -9072,11 +9287,11 @@ zone_sign(dns_zone_t *zone) { now = isc_stdtime_now(); - result = dns__zone_findkeys(zone, db, version, now, zone->mctx, - DNS_MAXZONEKEYS, zone_keys, &nkeys); + result = dns_zone_findkeys(zone, db, version, now, zone->mctx, + DNS_MAXZONEKEYS, zone_keys, &nkeys); if (result != ISC_R_SUCCESS) { dnssec_log(zone, ISC_LOG_ERROR, - "zone_sign:dns__zone_findkeys -> %s", + "zone_sign:dns_zone_findkeys -> %s", isc_result_totext(result)); goto cleanup; } @@ -20139,11 +20354,11 @@ sign_apex(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dst_key_t *zone_keys[DNS_MAXZONEKEYS]; unsigned int nkeys = 0, i; - result = dns__zone_findkeys(zone, db, ver, now, zone->mctx, - DNS_MAXZONEKEYS, zone_keys, &nkeys); + result = dns_zone_findkeys(zone, db, ver, now, zone->mctx, + DNS_MAXZONEKEYS, zone_keys, &nkeys); if (result != ISC_R_SUCCESS) { dnssec_log(zone, ISC_LOG_ERROR, - "sign_apex:dns__zone_findkeys -> %s", + "sign_apex:dns_zone_findkeys -> %s", isc_result_totext(result)); return (result); } diff --git a/lib/dns/zone_p.h b/lib/dns/zone_p.h index fcbd3711c2..16ee0e522a 100644 --- a/lib/dns/zone_p.h +++ b/lib/dns/zone_p.h 
@@ -29,11 +29,6 @@ typedef struct { bool offline; } dns__zonediff_t; -isc_result_t -dns__zone_findkeys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, - isc_stdtime_t now, isc_mem_t *mctx, unsigned int maxkeys, - dst_key_t **keys, unsigned int *nkeys); - isc_result_t dns__zone_updatesigs(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *version, dst_key_t *zone_keys[], unsigned int nkeys, diff --git a/tests/dns/sigs_test.c b/tests/dns/sigs_test.c index 94d94fbb39..0910504003 100644 --- a/tests/dns/sigs_test.c +++ b/tests/dns/sigs_test.c @@ -315,8 +315,8 @@ ISC_RUN_TEST_IMPL(updatesigs_next) { result = dns_zone_setkeydirectory(zone, TESTS_DIR "/testkeys"); assert_int_equal(result, ISC_R_SUCCESS); - result = dns__zone_findkeys(zone, db, NULL, now, mctx, DNS_MAXZONEKEYS, - zone_keys, &nkeys); + result = dns_zone_findkeys(zone, db, NULL, now, mctx, DNS_MAXZONEKEYS, + zone_keys, &nkeys); assert_int_equal(result, ISC_R_SUCCESS); assert_int_equal(nkeys, 2);