diff --git a/CHANGES b/CHANGES
index 2b646b0583..83846d3877 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,11 @@
+5152. [func] Improved logging of DNSSEC key events:
+ - Zone signing and DNSKEY maintenance events are
+ now logged to the "dnssec" category
+ - Messages are now logged when DNSSEC keys are
+ pubished, activated, inactivated, deleted,
+ or revoked.
+ [GL #714]
+
5151. [func] Options that have been been marked as obsolete in
named.conf for a very long time are now fatal
configuration errors. [GL #358]
diff --git a/bin/tests/system/autosign/tests.sh b/bin/tests/system/autosign/tests.sh
index cf14a00de4..69798cb5d3 100755
--- a/bin/tests/system/autosign/tests.sh
+++ b/bin/tests/system/autosign/tests.sh
@@ -1467,5 +1467,20 @@ n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
+echo_i "checking key maintenance events were logged correctly ($n)"
+ret=0
+pub=`grep "DNSKEY .* is now published" ns1/named.run | wc -l`
+[ "$pub" -eq 6 ] || ret=1
+act=`grep "DNSKEY .* is now active" ns1/named.run | wc -l`
+[ "$act" -eq 5 ] || ret=1
+rev=`grep "DNSKEY .* is now revoked" ns1/named.run | wc -l`
+[ "$rev" -eq 1 ] || ret=1
+inac=`grep "DNSKEY .* is now inactive" ns1/named.run | wc -l`
+[ "$inac" -eq 1 ] || ret=1
+del=`grep "DNSKEY .* is now deleted" ns1/named.run | wc -l`
+[ "$del" -eq 1 ] || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index baf98b9bd5..83cdfc2bae 100644
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -597,6 +597,13 @@
disables reading of the file $HOME/.digrc.
+
+
+ Zone signing and key maintenance events are now logged to the
+ dnssec category rather than
+ zone.
+
+
diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c
index 420c93aa05..437778460b 100644
--- a/lib/dns/dnssec.c
+++ b/lib/dns/dnssec.c
@@ -1818,23 +1818,20 @@ publish_key(dns_diff_t *diff, dns_dnsseckey_t *key, const dns_name_t *origin,
isc_result_t result;
dns_difftuple_t *tuple = NULL;
unsigned char buf[DST_KEY_MAXSIZE];
+ char keystr[DST_KEY_FORMATSIZE];
dns_rdata_t dnskey = DNS_RDATA_INIT;
- char alg[80];
dns_rdata_reset(&dnskey);
RETERR(make_dnskey(key->key, buf, sizeof(buf), &dnskey));
+ dst_key_format(key->key, keystr, sizeof(keystr));
- dns_secalg_format(dst_key_alg(key->key), alg, sizeof(alg));
- report("Fetching %s %d/%s from key %s.",
- key->ksk ? (allzsk ? "KSK/ZSK" : "KSK") : "ZSK",
- dst_key_id(key->key), alg,
+ report("Fetching %s (%s) from key %s.",
+ keystr, key->ksk ? (allzsk ? "KSK/ZSK" : "KSK") : "ZSK",
key->source == dns_keysource_user ? "file" : "repository");
if (key->prepublish && ttl > key->prepublish) {
- char keystr[DST_KEY_FORMATSIZE];
isc_stdtime_t now;
- dst_key_format(key->key, keystr, sizeof(keystr));
report("Key %s: Delaying activation to match the DNSKEY TTL.\n",
keystr, ttl);
@@ -2048,9 +2045,11 @@ dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys,
*/
for (key = ISC_LIST_HEAD(*keys);
key != NULL;
- key = ISC_LIST_NEXT(key, link)) {
+ key = ISC_LIST_NEXT(key, link))
+ {
if (key->source == dns_keysource_user &&
- (key->hint_publish || key->force_publish)) {
+ (key->hint_publish || key->force_publish))
+ {
RETERR(publish_key(diff, key, origin, ttl,
mctx, allzsk, report));
}
@@ -2069,15 +2068,19 @@ dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys,
for (key = ISC_LIST_HEAD(*newkeys);
key != NULL;
- key = ISC_LIST_NEXT(key, link)) {
+ key = ISC_LIST_NEXT(key, link))
+ {
dns_ttl_t thisttl = dst_key_getttl(key->key);
if (thisttl != 0 &&
(shortest == 0 || thisttl < shortest))
+ {
shortest = thisttl;
+ }
}
- if (shortest != 0)
+ if (shortest != 0) {
ttl = shortest;
+ }
}
/*
@@ -2086,20 +2089,23 @@ dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys,
*/
for (key1 = ISC_LIST_HEAD(*newkeys); key1 != NULL; key1 = next) {
bool key_revoked = false;
+ char keystr1[DST_KEY_FORMATSIZE];
+ char keystr2[DST_KEY_FORMATSIZE];
next = ISC_LIST_NEXT(key1, link);
for (key2 = ISC_LIST_HEAD(*keys);
key2 != NULL;
- key2 = ISC_LIST_NEXT(key2, link)) {
+ key2 = ISC_LIST_NEXT(key2, link))
+ {
int f1 = dst_key_flags(key1->key);
int f2 = dst_key_flags(key2->key);
int nr1 = f1 & ~DNS_KEYFLAG_REVOKE;
int nr2 = f2 & ~DNS_KEYFLAG_REVOKE;
if (nr1 == nr2 &&
dst_key_alg(key1->key) == dst_key_alg(key2->key) &&
- dst_key_pubcompare(key1->key, key2->key,
- true)) {
+ dst_key_pubcompare(key1->key, key2->key, true))
+ {
int r1, r2;
r1 = dst_key_flags(key1->key) &
DNS_KEYFLAG_REVOKE;
@@ -2110,33 +2116,68 @@ dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys,
}
}
+ /* Printable version of key1 (the newly aquired key) */
+ dst_key_format(key1->key, keystr1, sizeof(keystr1));
+
/* No match found in keys; add the new key. */
if (key2 == NULL) {
ISC_LIST_UNLINK(*newkeys, key1, link);
ISC_LIST_APPEND(*keys, key1, link);
if (key1->source != dns_keysource_zoneapex &&
- (key1->hint_publish || key1->force_publish)) {
+ (key1->hint_publish || key1->force_publish))
+ {
RETERR(publish_key(diff, key1, origin, ttl,
mctx, allzsk, report));
- if (key1->hint_sign || key1->force_sign)
+ isc_log_write(dns_lctx,
+ DNS_LOGCATEGORY_DNSSEC,
+ DNS_LOGMODULE_DNSSEC,
+ ISC_LOG_INFO,
+ "DNSKEY %s (%s) is now published",
+ keystr1, key1->ksk ?
+ (allzsk ? "KSK/ZSK" : "KSK") :
+ "ZSK");
+ if (key1->hint_sign || key1->force_sign) {
key1->first_sign = true;
+ isc_log_write(dns_lctx,
+ DNS_LOGCATEGORY_DNSSEC,
+ DNS_LOGMODULE_DNSSEC,
+ ISC_LOG_INFO,
+ "DNSKEY %s (%s) is now "
+ "active",
+ keystr1, key1->ksk ?
+ (allzsk ? "KSK/ZSK" :
+ "KSK") : "ZSK");
+ }
}
continue;
}
+ /* Printable version of key2 (the old key, if any) */
+ dst_key_format(key2->key, keystr2, sizeof(keystr2));
+
/* Match found: remove or update it as needed */
if (key1->hint_remove) {
RETERR(remove_key(diff, key2, origin, ttl, mctx,
"expired", report));
ISC_LIST_UNLINK(*keys, key2, link);
- if (removed != NULL)
+
+ if (removed != NULL) {
ISC_LIST_APPEND(*removed, key2, link);
- else
+ isc_log_write(dns_lctx,
+ DNS_LOGCATEGORY_DNSSEC,
+ DNS_LOGMODULE_DNSSEC,
+ ISC_LOG_INFO,
+ "DNSKEY %s (%s) is now deleted",
+ keystr2, key2->ksk ? (allzsk ?
+ "KSK/ZSK" : "KSK") : "ZSK");
+ } else {
dns_dnsseckey_destroy(mctx, &key2);
+ }
} else if (key_revoked &&
- (dst_key_flags(key1->key) & DNS_KEYFLAG_REVOKE) != 0) {
+ (dst_key_flags(key1->key) & DNS_KEYFLAG_REVOKE) != 0)
+ {
/*
* A previously valid key has been revoked.
@@ -2146,10 +2187,20 @@ dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys,
RETERR(remove_key(diff, key2, origin, ttl, mctx,
"revoked", report));
ISC_LIST_UNLINK(*keys, key2, link);
- if (removed != NULL)
+ if (removed != NULL) {
ISC_LIST_APPEND(*removed, key2, link);
- else
+ isc_log_write(dns_lctx,
+ DNS_LOGCATEGORY_DNSSEC,
+ DNS_LOGMODULE_DNSSEC,
+ ISC_LOG_INFO,
+ "DNSKEY %s (%s) is now revoked; "
+ "new ID is %05d",
+ keystr2, key2->ksk ? (allzsk ?
+ "KSK/ZSK" : "KSK") : "ZSK",
+ dst_key_id(key1->key));
+ } else {
dns_dnsseckey_destroy(mctx, &key2);
+ }
RETERR(publish_key(diff, key1, origin, ttl,
mctx, allzsk, report));
@@ -2169,7 +2220,27 @@ dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys,
} else {
if (!key2->is_active &&
(key1->hint_sign || key1->force_sign))
+ {
key2->first_sign = true;
+ isc_log_write(dns_lctx,
+ DNS_LOGCATEGORY_DNSSEC,
+ DNS_LOGMODULE_DNSSEC,
+ ISC_LOG_INFO,
+ "DNSKEY %s (%s) is now active",
+ keystr1, key1->ksk ? (allzsk ?
+ "KSK/ZSK" : "KSK") : "ZSK");
+ } else if (key2->is_active &&
+ !key1->hint_sign && !key1->force_sign)
+ {
+ isc_log_write(dns_lctx,
+ DNS_LOGCATEGORY_DNSSEC,
+ DNS_LOGMODULE_DNSSEC,
+ ISC_LOG_INFO,
+ "DNSKEY %s (%s) is now inactive",
+ keystr1, key1->ksk ? (allzsk ?
+ "KSK/ZSK" : "KSK") : "ZSK");
+ }
+
key2->hint_sign = key1->hint_sign;
key2->hint_publish = key1->hint_publish;
}
diff --git a/lib/dns/include/dns/dnssec.h b/lib/dns/include/dns/dnssec.h
index e60375e039..a03b3e3af5 100644
--- a/lib/dns/include/dns/dnssec.h
+++ b/lib/dns/include/dns/dnssec.h
@@ -49,22 +49,22 @@ typedef enum {
*/
struct dns_dnsseckey {
dst_key_t *key;
- bool hint_publish; /*% metadata says to publish */
- bool force_publish; /*% publish regardless of metadata */
- bool hint_sign; /*% metadata says to sign with this key */
- bool force_sign; /*% sign with key regardless of metadata */
- bool hint_remove; /*% metadata says *don't* publish */
- bool is_active; /*% key is already active */
- bool first_sign; /*% key is newly becoming active */
- unsigned int prepublish; /*% how long until active? */
- dns_keysource_t source; /*% how the key was found */
- bool ksk; /*% this is a key-signing key */
- bool legacy; /*% this is old-style key with no
- metadata (possibly generated by
- an older version of BIND9) and
- should be ignored when searching
- for keys to import into the zone */
- unsigned int index; /*% position in list */
+ bool hint_publish; /*% metadata says to publish */
+ bool force_publish; /*% publish regardless of metadata */
+ bool hint_sign; /*% metadata says to sign with this key */
+ bool force_sign; /*% sign with key regardless of metadata */
+ bool hint_remove; /*% metadata says *don't* publish */
+ bool is_active; /*% key is already active */
+ bool first_sign; /*% key is newly becoming active */
+ unsigned int prepublish; /*% how long until active? */
+ dns_keysource_t source; /*% how the key was found */
+ bool ksk; /*% this is a key-signing key */
+ bool legacy; /*% this is old-style key with no
+ metadata (possibly generated by
+ an older version of BIND9) and
+ should be ignored when searching
+ for keys to import into the zone */
+ unsigned int index; /*% position in list */
ISC_LINK(dns_dnsseckey_t) link;
};
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 385ee31616..7e6eaf9bf4 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -736,6 +736,8 @@ static void zone_debuglog(dns_zone_t *zone, const char *, int debuglevel,
const char *msg, ...) ISC_FORMAT_PRINTF(4, 5);
static void notify_log(dns_zone_t *zone, int level, const char *fmt, ...)
ISC_FORMAT_PRINTF(3, 4);
+static void dnssec_log(dns_zone_t *zone, int level, const char *fmt, ...)
+ ISC_FORMAT_PRINTF(3, 4);
static void queue_xfrin(dns_zone_t *zone);
static isc_result_t update_one_rr(dns_db_t *db, dns_dbversion_t *ver,
dns_diff_t *diff, dns_diffop_t op,
@@ -3193,15 +3195,17 @@ zone_check_dnskeys(dns_zone_t *zone, dns_db_t *db) {
const char *algorithm;
result = dns_db_findnode(db, &zone->origin, false, &node);
- if (result != ISC_R_SUCCESS)
+ if (result != ISC_R_SUCCESS) {
goto cleanup;
+ }
dns_db_currentversion(db, &version);
dns_rdataset_init(&rdataset);
result = dns_db_findrdataset(db, node, version, dns_rdatatype_dnskey,
dns_rdatatype_none, 0, &rdataset, NULL);
- if (result != ISC_R_SUCCESS)
+ if (result != ISC_R_SUCCESS) {
goto cleanup;
+ }
for (result = dns_rdataset_first(&rdataset);
result == ISC_R_SUCCESS;
@@ -3237,10 +3241,10 @@ zone_check_dnskeys(dns_zone_t *zone, dns_db_t *db) {
algorithm = "RSASHA1";
}
if (logit) {
- dns_zone_log(zone, ISC_LOG_WARNING,
- "weak %s (%u) key found "
- "(exponent=3)", algorithm,
- dnskey.algorithm);
+ dnssec_log(zone, ISC_LOG_WARNING,
+ "weak %s (%u) key found "
+ "(exponent=3)", algorithm,
+ dnskey.algorithm);
}
}
dns_rdata_reset(&rdata);
@@ -3248,10 +3252,12 @@ zone_check_dnskeys(dns_zone_t *zone, dns_db_t *db) {
dns_rdataset_disassociate(&rdataset);
cleanup:
- if (node != NULL)
+ if (node != NULL) {
dns_db_detachnode(db, &node);
- if (version != NULL)
+ }
+ if (version != NULL) {
dns_db_closeversion(db, &version, false);
+ }
}
static void
@@ -3264,15 +3270,18 @@ resume_signingwithkey(dns_zone_t *zone) {
dns_db_t *db = NULL;
ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
- if (zone->db != NULL)
+ if (zone->db != NULL) {
dns_db_attach(zone->db, &db);
+ }
ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
- if (db == NULL)
+ if (db == NULL) {
goto cleanup;
+ }
result = dns_db_findnode(db, &zone->origin, false, &node);
- if (result != ISC_R_SUCCESS)
+ if (result != ISC_R_SUCCESS) {
goto cleanup;
+ }
dns_db_currentversion(db, &version);
dns_rdataset_init(&rdataset);
@@ -3291,7 +3300,8 @@ resume_signingwithkey(dns_zone_t *zone) {
{
dns_rdataset_current(&rdataset, &rdata);
if (rdata.length != 5 ||
- rdata.data[0] == 0 || rdata.data[4] != 0) {
+ rdata.data[0] == 0 || rdata.data[4] != 0)
+ {
dns_rdata_reset(&rdata);
continue;
}
@@ -3300,9 +3310,9 @@ resume_signingwithkey(dns_zone_t *zone) {
(rdata.data[1] << 8) | rdata.data[2],
rdata.data[3]);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_signwithkey failed: %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "zone_signwithkey failed: %s",
+ dns_result_totext(result));
}
dns_rdata_reset(&rdata);
}
@@ -3310,10 +3320,12 @@ resume_signingwithkey(dns_zone_t *zone) {
cleanup:
if (db != NULL) {
- if (node != NULL)
+ if (node != NULL) {
dns_db_detachnode(db, &node);
- if (version != NULL)
+ }
+ if (version != NULL) {
dns_db_closeversion(db, &version, false);
+ }
dns_db_detach(&db);
}
}
@@ -3337,8 +3349,9 @@ zone_addnsec3chain(dns_zone_t *zone, dns_rdata_nsec3param_t *nsec3param) {
dns_db_t *db = NULL;
ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
- if (zone->db != NULL)
+ if (zone->db != NULL) {
dns_db_attach(zone->db, &db);
+ }
ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
if (db == NULL) {
@@ -3390,45 +3403,47 @@ zone_addnsec3chain(dns_zone_t *zone, dns_rdata_nsec3param_t *nsec3param) {
/*
* Log NSEC3 parameters defined by supplied NSEC3PARAM RDATA.
*/
- if (nsec3param->flags == 0)
+ if (nsec3param->flags == 0) {
strlcpy(flags, "NONE", sizeof(flags));
- else {
+ } else {
flags[0] = '\0';
if ((nsec3param->flags & DNS_NSEC3FLAG_REMOVE) != 0) {
strlcat(flags, "REMOVE", sizeof(flags));
}
if ((nsec3param->flags & DNS_NSEC3FLAG_INITIAL) != 0) {
- if (flags[0] == '\0')
+ if (flags[0] == '\0') {
strlcpy(flags, "INITIAL", sizeof(flags));
- else
+ } else {
strlcat(flags, "|INITIAL", sizeof(flags));
+ }
}
if ((nsec3param->flags & DNS_NSEC3FLAG_CREATE) != 0) {
- if (flags[0] == '\0')
+ if (flags[0] == '\0') {
strlcpy(flags, "CREATE", sizeof(flags));
- else
+ } else {
strlcat(flags, "|CREATE", sizeof(flags));
+ }
}
if ((nsec3param->flags & DNS_NSEC3FLAG_NONSEC) != 0) {
- if (flags[0] == '\0')
+ if (flags[0] == '\0') {
strlcpy(flags, "NONSEC", sizeof(flags));
- else
+ } else {
strlcat(flags, "|NONSEC", sizeof(flags));
+ }
}
if ((nsec3param->flags & DNS_NSEC3FLAG_OPTOUT) != 0) {
- if (flags[0] == '\0')
+ if (flags[0] == '\0') {
strlcpy(flags, "OPTOUT", sizeof(flags));
- else
+ } else {
strlcat(flags, "|OPTOUT", sizeof(flags));
+ }
}
}
result = dns_nsec3param_salttotext(nsec3param, saltbuf,
sizeof(saltbuf));
RUNTIME_CHECK(result == ISC_R_SUCCESS);
- dns_zone_log(zone, ISC_LOG_INFO,
- "zone_addnsec3chain(%u,%s,%u,%s)",
- nsec3param->hash, flags, nsec3param->iterations,
- saltbuf);
+ dnssec_log(zone, ISC_LOG_INFO, "zone_addnsec3chain(%u,%s,%u,%s)",
+ nsec3param->hash, flags, nsec3param->iterations, saltbuf);
/*
* If the NSEC3 chain defined by the supplied NSEC3PARAM RDATA is
@@ -3437,14 +3452,19 @@ zone_addnsec3chain(dns_zone_t *zone, dns_rdata_nsec3param_t *nsec3param) {
*/
for (current = ISC_LIST_HEAD(zone->nsec3chain);
current != NULL;
- current = ISC_LIST_NEXT(current, link)) {
- if (current->db == db &&
- current->nsec3param.hash == nsec3param->hash &&
- current->nsec3param.iterations == nsec3param->iterations &&
- current->nsec3param.salt_length == nsec3param->salt_length
- && !memcmp(current->nsec3param.salt, nsec3param->salt,
- nsec3param->salt_length))
+ current = ISC_LIST_NEXT(current, link))
+ {
+ if ((current->db == db) &&
+ (current->nsec3param.hash == nsec3param->hash) &&
+ (current->nsec3param.iterations ==
+ nsec3param->iterations) &&
+ (current->nsec3param.salt_length ==
+ nsec3param->salt_length) &&
+ memcmp(current->nsec3param.salt, nsec3param->salt,
+ nsec3param->salt_length) == 0)
+ {
current->done = true;
+ }
}
/*
@@ -3453,12 +3473,14 @@ zone_addnsec3chain(dns_zone_t *zone, dns_rdata_nsec3param_t *nsec3param) {
* creating NSEC3 records for NSEC3 records.
*/
dns_db_attach(db, &nsec3chain->db);
- if ((nsec3chain->nsec3param.flags & DNS_NSEC3FLAG_CREATE) != 0)
+ if ((nsec3chain->nsec3param.flags & DNS_NSEC3FLAG_CREATE) != 0) {
options = DNS_DB_NONSEC3;
+ }
result = dns_db_createiterator(nsec3chain->db, options,
&nsec3chain->dbiterator);
- if (result == ISC_R_SUCCESS)
+ if (result == ISC_R_SUCCESS) {
result = dns_dbiterator_first(nsec3chain->dbiterator);
+ }
if (result == ISC_R_SUCCESS) {
/*
* Database iterator initialization succeeded. We are now
@@ -3475,22 +3497,26 @@ zone_addnsec3chain(dns_zone_t *zone, dns_rdata_nsec3param_t *nsec3param) {
if (isc_time_isepoch(&zone->nsec3chaintime)) {
TIME_NOW(&now);
zone->nsec3chaintime = now;
- if (zone->task != NULL)
+ if (zone->task != NULL) {
zone_settimer(zone, &now);
+ }
}
}
if (nsec3chain != NULL) {
- if (nsec3chain->db != NULL)
+ if (nsec3chain->db != NULL) {
dns_db_detach(&nsec3chain->db);
- if (nsec3chain->dbiterator != NULL)
+ }
+ if (nsec3chain->dbiterator != NULL) {
dns_dbiterator_destroy(&nsec3chain->dbiterator);
+ }
isc_mem_put(zone->mctx, nsec3chain, sizeof *nsec3chain);
}
cleanup:
- if (db != NULL)
+ if (db != NULL) {
dns_db_detach(&db);
+ }
return (result);
}
@@ -3517,15 +3543,18 @@ resume_addnsec3chain(dns_zone_t *zone) {
return;
ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
- if (zone->db != NULL)
+ if (zone->db != NULL) {
dns_db_attach(zone->db, &db);
+ }
ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
- if (db == NULL)
+ if (db == NULL) {
goto cleanup;
+ }
result = dns_db_findnode(db, &zone->origin, false, &node);
- if (result != ISC_R_SUCCESS)
+ if (result != ISC_R_SUCCESS) {
goto cleanup;
+ }
dns_db_currentversion(db, &version);
@@ -3564,7 +3593,9 @@ resume_addnsec3chain(dns_zone_t *zone) {
*/
if (!dns_nsec3param_fromprivate(&private, &rdata, buf,
sizeof(buf)))
+ {
continue;
+ }
result = dns_rdata_tostruct(&rdata, &nsec3param, NULL);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
if (((nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0) ||
@@ -3577,19 +3608,22 @@ resume_addnsec3chain(dns_zone_t *zone) {
*/
result = zone_addnsec3chain(zone, &nsec3param);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_addnsec3chain failed: %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "zone_addnsec3chain failed: %s",
+ dns_result_totext(result));
}
}
}
dns_rdataset_disassociate(&rdataset);
+
cleanup:
if (db != NULL) {
- if (node != NULL)
+ if (node != NULL) {
dns_db_detachnode(db, &node);
- if (version != NULL)
+ }
+ if (version != NULL) {
dns_db_closeversion(db, &version, false);
+ }
dns_db_detach(&db);
}
}
@@ -3649,8 +3683,8 @@ check_nsec3param(dns_zone_t *zone, dns_db_t *db) {
bool ok = false;
isc_result_t result;
dns_rdata_t rdata = DNS_RDATA_INIT;
- bool dynamic = (zone->type == dns_zone_master) ?
- dns_zone_isdynamic(zone, false) : false;
+ bool dynamic = (zone->type == dns_zone_master)
+ ? dns_zone_isdynamic(zone, false) : false;
dns_rdataset_init(&rdataset);
result = dns_db_findnode(db, &zone->origin, false, &node);
@@ -3712,11 +3746,13 @@ check_nsec3param(dns_zone_t *zone, dns_db_t *db) {
dns_zone_log(zone, ISC_LOG_WARNING,
"unsupported nsec3 hash algorithm: %u",
nsec3param.hash);
- } else
+ } else {
ok = true;
+ }
}
- if (result == ISC_R_NOMORE)
+ if (result == ISC_R_NOMORE) {
result = ISC_R_SUCCESS;
+ }
if (!ok) {
result = DNS_R_BADZONE;
@@ -3725,8 +3761,9 @@ check_nsec3param(dns_zone_t *zone, dns_db_t *db) {
}
cleanup:
- if (dns_rdataset_isassociated(&rdataset))
+ if (dns_rdataset_isassociated(&rdataset)) {
dns_rdataset_disassociate(&rdataset);
+ }
dns_db_closeversion(db, &version, false);
dns_db_detachnode(db, &node);
return (result);
@@ -3979,14 +4016,16 @@ load_secroots(dns_zone_t *zone, dns_name_t *name, dns_rdataset_t *rdataset) {
/* Now insert all the accepted trust anchors from this keydata set. */
for (result = dns_rdataset_first(rdataset);
result == ISC_R_SUCCESS;
- result = dns_rdataset_next(rdataset)) {
+ result = dns_rdataset_next(rdataset))
+ {
dns_rdata_reset(&rdata);
dns_rdataset_current(rdataset, &rdata);
/* Convert rdata to keydata. */
result = dns_rdata_tostruct(&rdata, &keydata, NULL);
- if (result == ISC_R_UNEXPECTEDEND)
+ if (result == ISC_R_UNEXPECTEDEND) {
continue;
+ }
RUNTIME_CHECK(result == ISC_R_SUCCESS);
/* Set the key refresh timer to force a fast refresh. */
@@ -4012,20 +4051,19 @@ load_secroots(dns_zone_t *zone, dns_name_t *name, dns_rdataset_t *rdataset) {
/* Add to keytables. */
trusted++;
- trust_key(zone, name, &dnskey,
- (keydata.addhd == 0), mctx);
+ trust_key(zone, name, &dnskey, (keydata.addhd == 0), mctx);
}
if (trusted == 0 && pending != 0) {
char namebuf[DNS_NAME_FORMATSIZE];
dns_name_format(name, namebuf, sizeof namebuf);
- dns_zone_log(zone, ISC_LOG_ERROR,
- "No valid trust anchors for '%s'!", namebuf);
- dns_zone_log(zone, ISC_LOG_ERROR,
- "%d key(s) revoked, %d still pending",
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "No valid trust anchors for '%s'!", namebuf);
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "%d key(s) revoked, %d still pending",
revoked, pending);
- dns_zone_log(zone, ISC_LOG_ERROR,
- "All queries to '%s' will fail", namebuf);
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "All queries to '%s' will fail", namebuf);
fail_secure(zone, name);
}
}
@@ -4269,9 +4307,9 @@ sync_keyzone(dns_zone_t *zone, dns_db_t *db) {
result = dns_db_newversion(db, &ver);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "sync_keyzone:dns_db_newversion -> %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "sync_keyzone:dns_db_newversion -> %s",
+ dns_result_totext(result));
goto failure;
}
@@ -4285,7 +4323,8 @@ sync_keyzone(dns_zone_t *zone, dns_db_t *db) {
dns_rriterator_init(&rrit, db, ver, 0);
for (result = dns_rriterator_first(&rrit);
result == ISC_R_SUCCESS;
- result = dns_rriterator_nextrrset(&rrit)) {
+ result = dns_rriterator_nextrrset(&rrit))
+ {
dns_rdataset_t *rdataset = NULL;
dns_name_t *rrname = NULL;
uint32_t ttl;
@@ -4296,8 +4335,9 @@ sync_keyzone(dns_zone_t *zone, dns_db_t *db) {
goto failure;
}
- if (rdataset->type != dns_rdatatype_keydata)
+ if (rdataset->type != dns_rdatatype_keydata) {
continue;
+ }
result = dns_keytable_find(sr, rrname, &keynode);
if ((result != ISC_R_SUCCESS &&
@@ -4311,8 +4351,9 @@ sync_keyzone(dns_zone_t *zone, dns_db_t *db) {
load_secroots(zone, rrname, rdataset);
}
- if (keynode != NULL)
+ if (keynode != NULL) {
dns_keytable_detachkeynode(sr, &keynode);
+ }
}
dns_rriterator_destroy(&rrit);
@@ -4341,18 +4382,22 @@ sync_keyzone(dns_zone_t *zone, dns_db_t *db) {
failure:
if (result != ISC_R_SUCCESS &&
- !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED)) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "unable to synchronize managed keys: %s",
- dns_result_totext(result));
+ !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED))
+ {
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "unable to synchronize managed keys: %s",
+ dns_result_totext(result));
isc_time_settoepoch(&zone->refreshkeytime);
}
- if (keynode != NULL)
+ if (keynode != NULL) {
dns_keytable_detachkeynode(sr, &keynode);
- if (sr != NULL)
+ }
+ if (sr != NULL) {
dns_keytable_detach(&sr);
- if (ver != NULL)
+ }
+ if (ver != NULL) {
dns_db_closeversion(db, &ver, commit);
+ }
dns_diff_clear(&diff);
INSIST(ver == NULL);
@@ -4365,8 +4410,9 @@ dns_zone_synckeyzone(dns_zone_t *zone) {
isc_result_t result;
dns_db_t *db = NULL;
- if (zone->type != dns_zone_key)
+ if (zone->type != dns_zone_key) {
return (DNS_R_BADZONE);
+ }
CHECK(dns_zone_getdb(zone, &db));
@@ -4375,8 +4421,9 @@ dns_zone_synckeyzone(dns_zone_t *zone) {
UNLOCK_ZONE(zone);
failure:
- if (db != NULL)
+ if (db != NULL) {
dns_db_detach(&db);
+ }
return (result);
}
@@ -4399,8 +4446,8 @@ maybe_send_secure(dns_zone_t *zone) {
unsigned int soacount;
result = zone_get_from_db(zone->raw, zone->raw->db,
- NULL, &soacount, &serial, NULL,
- NULL, NULL, NULL, NULL);
+ NULL, &soacount, &serial,
+ NULL, NULL, NULL, NULL, NULL);
if (result == ISC_R_SUCCESS && soacount > 0U)
zone_send_secureserial(zone->raw, serial);
} else
@@ -4445,8 +4492,9 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
dns_include_t *inc;
INSIST(LOCKED_ZONE(zone));
- if (inline_raw(zone))
+ if (inline_raw(zone)) {
INSIST(LOCKED_ZONE(zone->secure));
+ }
TIME_NOW(&now);
@@ -4460,18 +4508,20 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
zone->type == dns_zone_mirror ||
zone->type == dns_zone_stub ||
(zone->type == dns_zone_redirect &&
- zone->masters == NULL)) {
- if (result == ISC_R_FILENOTFOUND)
+ zone->masters == NULL))
+ {
+ if (result == ISC_R_FILENOTFOUND) {
dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
ISC_LOG_DEBUG(1),
"no master file");
- else if (result != DNS_R_NOMASTERFILE)
+ } else if (result != DNS_R_NOMASTERFILE) {
dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
ISC_LOG_ERROR,
"loading from master file %s "
"failed: %s",
zone->masterfile,
dns_result_totext(result));
+ }
} else if (zone->type == dns_zone_master &&
inline_secure(zone) && result == ISC_R_FILENOTFOUND)
{
@@ -4491,18 +4541,20 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
nomaster = true;
}
- if (zone->type != dns_zone_key)
+ if (zone->type != dns_zone_key) {
goto cleanup;
+ }
}
dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, ISC_LOG_DEBUG(2),
"number of nodes in database: %u",
dns_db_nodecount(db));
- if (result == DNS_R_SEENINCLUDE)
+ if (result == DNS_R_SEENINCLUDE) {
DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_HASINCLUDE);
- else
+ } else {
DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_HASINCLUDE);
+ }
/*
* If there's no master file for a key zone, then the zone is new:
@@ -4512,8 +4564,9 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
*/
if (nomaster && zone->type == dns_zone_key) {
result = add_soa(zone, db);
- if (result != ISC_R_SUCCESS)
+ if (result != ISC_R_SUCCESS) {
goto cleanup;
+ }
}
/*
@@ -4555,8 +4608,9 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
"journal rollforward completed "
"successfully: %s",
dns_result_totext(result));
- if (result == ISC_R_SUCCESS)
+ if (result == ISC_R_SUCCESS) {
needdump = true;
+ }
}
/*
@@ -4577,7 +4631,8 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
* updates otherwise.
*/
if (zone->journal != NULL && dns_zone_isdynamic(zone, true) &&
- ! DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IXFRFROMDIFFS)) {
+ ! DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IXFRFROMDIFFS))
+ {
uint32_t jserial;
dns_journal_t *journal = NULL;
bool empty = false;
@@ -4594,11 +4649,12 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
}
if (jserial != serial) {
- if (!empty)
+ if (!empty) {
dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
ISC_LOG_INFO,
"journal file is out of date: "
"removing journal file");
+ }
if (remove(zone->journal) < 0 && errno != ENOENT) {
char strbuf[ISC_STRERRORSIZE];
strerror_r(errno, strbuf, sizeof(strbuf));
@@ -4640,27 +4696,31 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
"has no NS records");
result = DNS_R_BADZONE;
}
- if (result != ISC_R_SUCCESS)
+ if (result != ISC_R_SUCCESS) {
goto cleanup;
+ }
if (zone->type == dns_zone_master && errors != 0) {
result = DNS_R_BADZONE;
goto cleanup;
}
if (zone->type != dns_zone_stub &&
- zone->type != dns_zone_redirect) {
+ zone->type != dns_zone_redirect)
+ {
result = check_nsec3param(zone, db);
if (result != ISC_R_SUCCESS)
goto cleanup;
}
if (zone->type == dns_zone_master &&
DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKINTEGRITY) &&
- !integrity_checks(zone, db)) {
+ !integrity_checks(zone, db))
+ {
result = DNS_R_BADZONE;
goto cleanup;
}
if (zone->type == dns_zone_master &&
DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKDUPRR) &&
- !zone_check_dup(zone, db)) {
+ !zone_check_dup(zone, db))
+ {
result = DNS_R_BADZONE;
goto cleanup;
}
@@ -4712,20 +4772,22 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
serialmax);
result = DNS_R_BADZONE;
goto cleanup;
- } else if (!isc_serial_ge(serial, oldserial))
+ } else if (!isc_serial_ge(serial, oldserial)) {
dns_zone_logc(zone,
DNS_LOGCATEGORY_ZONELOAD,
ISC_LOG_ERROR,
"zone serial (%u/%u) has gone "
"backwards", serial, oldserial);
- else if (serial == oldserial && !hasinclude &&
- strcmp(zone->db_argv[0], "_builtin") != 0)
+ } else if (serial == oldserial && !hasinclude &&
+ strcmp(zone->db_argv[0], "_builtin") != 0)
+ {
dns_zone_logc(zone,
DNS_LOGCATEGORY_ZONELOAD,
ISC_LOG_ERROR,
"zone serial (%u) unchanged. "
"zone may fail to transfer "
"to slaves.", serial);
+ }
}
if (zone->type == dns_zone_master &&
@@ -4752,26 +4814,32 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
zone->type == dns_zone_mirror ||
zone->type == dns_zone_stub ||
(zone->type == dns_zone_redirect &&
- zone->masters != NULL)) {
+ zone->masters != NULL))
+ {
isc_time_t t;
uint32_t delay;
result = isc_file_getmodtime(zone->journal, &t);
- if (result != ISC_R_SUCCESS)
+ if (result != ISC_R_SUCCESS) {
result = isc_file_getmodtime(zone->masterfile,
&t);
- if (result == ISC_R_SUCCESS)
+ }
+ if (result == ISC_R_SUCCESS) {
DNS_ZONE_TIME_ADD(&t, zone->expire,
&zone->expiretime);
- else
+ } else {
DNS_ZONE_TIME_ADD(&now, zone->retry,
&zone->expiretime);
+ }
- delay = zone->retry - isc_random_uniform((zone->retry * 3) / 4);
+ delay = (zone->retry -
+ isc_random_uniform((zone->retry * 3) / 4));
DNS_ZONE_TIME_ADD(&now, delay, &zone->refreshtime);
if (isc_time_compare(&zone->refreshtime,
&zone->expiretime) >= 0)
+ {
zone->refreshtime = now;
+ }
}
break;
@@ -4793,23 +4861,27 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
/*
* Check for weak DNSKEY's.
*/
- if (zone->type == dns_zone_master)
+ if (zone->type == dns_zone_master) {
zone_check_dnskeys(zone, db);
+ }
/*
* Schedule DNSSEC key refresh.
*/
if (zone->type == dns_zone_master &&
DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_MAINTAIN))
+ {
zone->refreshkeytime = now;
+ }
ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_write);
if (zone->db != NULL) {
had_db = true;
result = zone_replacedb(zone, db, false);
ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write);
- if (result != ISC_R_SUCCESS)
+ if (result != ISC_R_SUCCESS) {
goto cleanup;
+ }
} else {
zone_attachdb(zone, db);
ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write);
@@ -4819,10 +4891,11 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_SENDSECURE) &&
inline_raw(zone))
{
- if (zone->secure->db == NULL)
+ if (zone->secure->db == NULL) {
zone_send_securedb(zone, db);
- else
+ } else {
zone_send_secureserial(zone, serial);
+ }
}
}
@@ -4830,17 +4903,18 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
* Finished loading inline-signing zone; need to get status
* from the raw side now.
*/
- if (zone->type == dns_zone_master && inline_secure(zone))
+ if (zone->type == dns_zone_master && inline_secure(zone)) {
maybe_send_secure(zone);
-
+ }
result = ISC_R_SUCCESS;
if (needdump) {
- if (zone->type == dns_zone_key)
+ if (zone->type == dns_zone_key) {
zone_needdump(zone, 30);
- else
+ } else {
zone_needdump(zone, DNS_DUMP_DELAY);
+ }
}
if (zone->task != NULL) {
@@ -4853,7 +4927,8 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
if (zone->type == dns_zone_master &&
!DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_NORESIGN) &&
dns_zone_isdynamic(zone, false) &&
- dns_db_issecure(db)) {
+ dns_db_issecure(db))
+ {
dns_name_t *name;
dns_fixedname_t fixed;
dns_rdataset_t next;
@@ -4871,18 +4946,17 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
dns_name_format(name, namebuf, sizeof(namebuf));
dns_rdatatype_format(next.covers,
typebuf, sizeof(typebuf));
- dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
- ISC_LOG_DEBUG(3),
- "next resign: %s/%s "
- "in %d seconds", namebuf, typebuf,
- next.resign - timenow -
- zone->sigresigninginterval);
+ dnssec_log(zone, ISC_LOG_DEBUG(3),
+ "next resign: %s/%s "
+ "in %d seconds", namebuf, typebuf,
+ next.resign - timenow -
+ zone->sigresigninginterval);
dns_rdataset_disassociate(&next);
- } else
- dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
- ISC_LOG_WARNING,
- "signed dynamic zone has no "
- "resign event scheduled");
+ } else {
+ dnssec_log(zone, ISC_LOG_WARNING,
+ "signed dynamic zone has no "
+ "resign event scheduled");
+ }
}
zone_settimer(zone, &now);
@@ -4893,7 +4967,8 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
*/
for (inc = ISC_LIST_HEAD(zone->includes);
inc != NULL;
- inc = ISC_LIST_HEAD(zone->includes)) {
+ inc = ISC_LIST_HEAD(zone->includes))
+ {
ISC_LIST_UNLINK(zone->includes, inc, link);
isc_mem_free(zone->mctx, inc->name);
isc_mem_put(zone->mctx, inc, sizeof(*inc));
@@ -4905,7 +4980,8 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
*/
for (inc = ISC_LIST_HEAD(zone->newincludes);
inc != NULL;
- inc = ISC_LIST_HEAD(zone->newincludes)) {
+ inc = ISC_LIST_HEAD(zone->newincludes))
+ {
ISC_LIST_UNLINK(zone->newincludes, inc, link);
ISC_LIST_APPEND(zone->includes, inc, link);
zone->nincludes++;
@@ -4927,10 +5003,10 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
cleanup:
if (zone->type == dns_zone_key && result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "failed to initialize managed-keys (%s): "
- "DNSSEC validation is at risk",
- isc_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "failed to initialize managed-keys (%s): "
+ "DNSSEC validation is at risk",
+ isc_result_totext(result));
}
for (inc = ISC_LIST_HEAD(zone->newincludes);
@@ -4945,29 +5021,35 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
zone->type == dns_zone_mirror ||
zone->type == dns_zone_stub ||
zone->type == dns_zone_key ||
- (zone->type == dns_zone_redirect && zone->masters != NULL)) {
+ (zone->type == dns_zone_redirect && zone->masters != NULL))
+ {
if (result != ISC_R_NOMEMORY) {
- if (zone->journal != NULL)
+ if (zone->journal != NULL) {
zone_saveunique(zone, zone->journal,
"jn-XXXXXXXX");
- if (zone->masterfile != NULL)
+ }
+ if (zone->masterfile != NULL) {
zone_saveunique(zone, zone->masterfile,
"db-XXXXXXXX");
+ }
}
/* Mark the zone for immediate refresh. */
zone->refreshtime = now;
- if (zone->task != NULL)
+ if (zone->task != NULL) {
zone_settimer(zone, &now);
+ }
result = ISC_R_SUCCESS;
} else if (zone->type == dns_zone_master ||
- zone->type == dns_zone_redirect) {
- if (!(inline_secure(zone) && result == ISC_R_FILENOTFOUND))
+ zone->type == dns_zone_redirect)
+ {
+ if (! (inline_secure(zone) && result == ISC_R_FILENOTFOUND)) {
dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
ISC_LOG_ERROR,
"not loaded due to errors.");
- else if (zone->type == dns_zone_master)
+ } else if (zone->type == dns_zone_master) {
result = ISC_R_SUCCESS;
+ }
}
done:
@@ -7601,9 +7683,9 @@ zone_nsec3chain(dns_zone_t *zone) {
result = dns_db_newversion(db, &version);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_nsec3chain:dns_db_newversion -> %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "zone_nsec3chain:dns_db_newversion -> %s",
+ dns_result_totext(result));
goto failure;
}
@@ -7612,9 +7694,9 @@ zone_nsec3chain(dns_zone_t *zone) {
result = dns__zone_findkeys(zone, db, version, now, zone->mctx,
DNS_MAXZONEKEYS, zone_keys, &nkeys);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_nsec3chain:dns__zone_findkeys -> %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "zone_nsec3chain:dns__zone_findkeys -> %s",
+ dns_result_totext(result));
goto failure;
}
@@ -7653,8 +7735,9 @@ zone_nsec3chain(dns_zone_t *zone) {
UNLOCK_ZONE(zone);
first = true;
- if (nsec3chain != NULL)
+ if (nsec3chain != NULL) {
nsec3chain->save_delete_nsec = nsec3chain->delete_nsec;
+ }
/*
* Generate new NSEC3 chains first.
*
@@ -7740,40 +7823,47 @@ zone_nsec3chain(dns_zone_t *zone) {
* Check to see if this is a bottom of zone node.
*/
result = dns_db_allrdatasets(db, node, version, 0, &iterator);
- if (result == ISC_R_NOTFOUND) /* Empty node? */
+ if (result == ISC_R_NOTFOUND) {
+ /* Empty node? */
goto next_addnode;
- if (result != ISC_R_SUCCESS)
+ }
+ if (result != ISC_R_SUCCESS) {
goto failure;
+ }
- seen_soa = seen_ns = seen_dname = seen_ds = seen_nsec =
- false;
+ seen_soa = seen_ns = seen_dname = seen_ds = seen_nsec = false;
for (result = dns_rdatasetiter_first(iterator);
result == ISC_R_SUCCESS;
- result = dns_rdatasetiter_next(iterator)) {
+ result = dns_rdatasetiter_next(iterator))
+ {
dns_rdatasetiter_current(iterator, &rdataset);
INSIST(rdataset.type != dns_rdatatype_nsec3);
- if (rdataset.type == dns_rdatatype_soa)
+ if (rdataset.type == dns_rdatatype_soa) {
seen_soa = true;
- else if (rdataset.type == dns_rdatatype_ns)
+ } else if (rdataset.type == dns_rdatatype_ns) {
seen_ns = true;
- else if (rdataset.type == dns_rdatatype_dname)
+ } else if (rdataset.type == dns_rdatatype_dname) {
seen_dname = true;
- else if (rdataset.type == dns_rdatatype_ds)
+ } else if (rdataset.type == dns_rdatatype_ds) {
seen_ds = true;
- else if (rdataset.type == dns_rdatatype_nsec)
+ } else if (rdataset.type == dns_rdatatype_nsec) {
seen_nsec = true;
+ }
dns_rdataset_disassociate(&rdataset);
}
dns_rdatasetiter_destroy(&iterator);
/*
* Is there a NSEC chain than needs to be cleaned up?
*/
- if (seen_nsec)
+ if (seen_nsec) {
nsec3chain->seen_nsec = true;
- if (seen_ns && !seen_soa && !seen_ds)
+ }
+ if (seen_ns && !seen_soa && !seen_ds) {
unsecure = true;
- if ((seen_ns && !seen_soa) || seen_dname)
+ }
+ if ((seen_ns && !seen_soa) || seen_dname) {
delegation = true;
+ }
/*
* Process one node.
@@ -7784,9 +7874,9 @@ zone_nsec3chain(dns_zone_t *zone) {
zone->minimum, unsecure,
&nsec3_diff);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
- "dns_nsec3_addnsec3 -> %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
+ "dns_nsec3_addnsec3 -> %s",
+ dns_result_totext(result));
goto failure;
}
@@ -7842,10 +7932,10 @@ zone_nsec3chain(dns_zone_t *zone) {
ISC_LIST_APPEND(cleanup, nsec3chain, link);
goto next_addchain;
} else if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_nsec3chain:"
- "dns_dbiterator_next -> %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "zone_nsec3chain:"
+ "dns_dbiterator_next -> %s",
+ dns_result_totext(result));
goto failure;
} else if (delegation) {
dns_dbiterator_current(nsec3chain->dbiterator,
@@ -7853,8 +7943,9 @@ zone_nsec3chain(dns_zone_t *zone) {
dns_db_detachnode(db, &node);
if (!dns_name_issubdomain(nextname, name))
break;
- } else
+ } else {
break;
+ }
} while (1);
continue;
@@ -7867,12 +7958,14 @@ zone_nsec3chain(dns_zone_t *zone) {
dns_dbiterator_pause(nsec3chain->dbiterator);
nsec3chain = nextnsec3chain;
first = true;
- if (nsec3chain != NULL)
+ if (nsec3chain != NULL) {
nsec3chain->save_delete_nsec = nsec3chain->delete_nsec;
+ }
}
- if (nsec3chain != NULL)
+ if (nsec3chain != NULL) {
goto skip_removals;
+ }
/*
* Process removals.
@@ -7897,11 +7990,13 @@ zone_nsec3chain(dns_zone_t *zone) {
nextnsec3chain = ISC_LIST_NEXT(nsec3chain, link);
UNLOCK_ZONE(zone);
- if (nsec3chain->db != db)
+ if (nsec3chain->db != db) {
goto next_removechain;
+ }
- if (!NSEC3REMOVE(nsec3chain->nsec3param.flags))
+ if (!NSEC3REMOVE(nsec3chain->nsec3param.flags)) {
goto next_removechain;
+ }
/*
* Work out if we need to build a NSEC chain as a consequence
@@ -7914,17 +8009,19 @@ zone_nsec3chain(dns_zone_t *zone) {
&nsec3chain->nsec3param,
&buildnsecchain);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_nsec3chain:"
- "need_nsec_chain -> %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "zone_nsec3chain:"
+ "need_nsec_chain -> %s",
+ dns_result_totext(result));
goto failure;
}
}
- if (first)
- dns_zone_log(zone, ISC_LOG_DEBUG(3), "zone_nsec3chain:"
- "buildnsecchain = %u\n", buildnsecchain);
+ if (first) {
+ dnssec_log(zone, ISC_LOG_DEBUG(3),
+ "zone_nsec3chain:buildnsecchain = %u\n",
+ buildnsecchain);
+ }
dns_dbiterator_current(nsec3chain->dbiterator, &node, name);
delegation = false;
@@ -7939,10 +8036,10 @@ zone_nsec3chain(dns_zone_t *zone) {
true, privatetype,
¶m_diff);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_nsec3chain:"
- "fixup_nsec3param -> %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "zone_nsec3chain:"
+ "fixup_nsec3param -> %s",
+ dns_result_totext(result));
goto failure;
}
}
@@ -7954,10 +8051,10 @@ zone_nsec3chain(dns_zone_t *zone) {
&nsec3chain->nsec3param,
&nsec3_diff);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_nsec3chain:"
- "deletematchingnsec3 -> %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "zone_nsec3chain:"
+ "deletematchingnsec3 -> %s",
+ dns_result_totext(result));
goto failure;
}
goto next_removenode;
@@ -7973,7 +8070,8 @@ zone_nsec3chain(dns_zone_t *zone) {
NULL, NULL);
if ((result == DNS_R_DELEGATION ||
result == DNS_R_DNAME) &&
- !dns_name_equal(name, found)) {
+ !dns_name_equal(name, found))
+ {
/*
* Remember the obscuring name so that
* we skip all obscured names.
@@ -7988,37 +8086,44 @@ zone_nsec3chain(dns_zone_t *zone) {
* Check to see if this is a bottom of zone node.
*/
result = dns_db_allrdatasets(db, node, version, 0, &iterator);
- if (result == ISC_R_NOTFOUND) /* Empty node? */
+ if (result == ISC_R_NOTFOUND) {
+ /* Empty node? */
goto next_removenode;
- if (result != ISC_R_SUCCESS)
+ }
+ if (result != ISC_R_SUCCESS) {
goto failure;
+ }
- seen_soa = seen_ns = seen_dname = seen_nsec3 = seen_nsec =
- seen_rr = false;
+ seen_soa = seen_ns = seen_dname = seen_nsec3 =
+ seen_nsec = seen_rr = false;
for (result = dns_rdatasetiter_first(iterator);
result == ISC_R_SUCCESS;
- result = dns_rdatasetiter_next(iterator)) {
+ result = dns_rdatasetiter_next(iterator))
+ {
dns_rdatasetiter_current(iterator, &rdataset);
- if (rdataset.type == dns_rdatatype_soa)
+ if (rdataset.type == dns_rdatatype_soa) {
seen_soa = true;
- else if (rdataset.type == dns_rdatatype_ns)
+ } else if (rdataset.type == dns_rdatatype_ns) {
seen_ns = true;
- else if (rdataset.type == dns_rdatatype_dname)
+ } else if (rdataset.type == dns_rdatatype_dname) {
seen_dname = true;
- else if (rdataset.type == dns_rdatatype_nsec)
+ } else if (rdataset.type == dns_rdatatype_nsec) {
seen_nsec = true;
- else if (rdataset.type == dns_rdatatype_nsec3)
+ } else if (rdataset.type == dns_rdatatype_nsec3) {
seen_nsec3 = true;
- if (rdataset.type != dns_rdatatype_rrsig)
+ } else if (rdataset.type != dns_rdatatype_rrsig) {
seen_rr = true;
+ }
dns_rdataset_disassociate(&rdataset);
}
dns_rdatasetiter_destroy(&iterator);
- if (!seen_rr || seen_nsec3 || seen_nsec)
+ if (!seen_rr || seen_nsec3 || seen_nsec) {
goto next_removenode;
- if ((seen_ns && !seen_soa) || seen_dname)
+ }
+ if ((seen_ns && !seen_soa) || seen_dname) {
delegation = true;
+ }
/*
* Add a NSEC record except at the origin.
@@ -8055,27 +8160,29 @@ zone_nsec3chain(dns_zone_t *zone) {
privatetype,
¶m_diff);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_nsec3chain:"
- "fixup_nsec3param -> %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "zone_nsec3chain:"
+ "fixup_nsec3param -> %s",
+ dns_result_totext(result));
goto failure;
}
goto next_removechain;
} else if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_nsec3chain:"
- "dns_dbiterator_next -> %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "zone_nsec3chain:"
+ "dns_dbiterator_next -> %s",
+ dns_result_totext(result));
goto failure;
} else if (delegation) {
dns_dbiterator_current(nsec3chain->dbiterator,
&node, nextname);
dns_db_detachnode(db, &node);
- if (!dns_name_issubdomain(nextname, name))
+ if (!dns_name_issubdomain(nextname, name)) {
break;
- } else
+ }
+ } else {
break;
+ }
} while (1);
continue;
@@ -8102,53 +8209,56 @@ zone_nsec3chain(dns_zone_t *zone) {
RUNTIME_CHECK(result == ISC_R_SUCCESS);
result = dns_db_allrdatasets(db, node, version, 0, &iterator);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
- "dns_db_allrdatasets -> %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "zone_nsec3chain:dns_db_allrdatasets -> %s",
+ dns_result_totext(result));
goto failure;
}
for (result = dns_rdatasetiter_first(iterator);
result == ISC_R_SUCCESS;
- result = dns_rdatasetiter_next(iterator)) {
+ result = dns_rdatasetiter_next(iterator))
+ {
dns_rdatasetiter_current(iterator, &rdataset);
- if (rdataset.type == dns_rdatatype_nsec)
+ if (rdataset.type == dns_rdatatype_nsec) {
rebuild_nsec = true;
- if (rdataset.type == dns_rdatatype_nsec3param)
+ } else if (rdataset.type == dns_rdatatype_nsec3param) {
rebuild_nsec3 = true;
+ }
dns_rdataset_disassociate(&rdataset);
}
dns_rdatasetiter_destroy(&iterator);
dns_db_detachnode(db, &node);
if (rebuild_nsec) {
- if (nsec3chain != NULL)
+ if (nsec3chain != NULL) {
dns_dbiterator_pause(nsec3chain->dbiterator);
+ }
result = updatesecure(db, version, &zone->origin,
zone->minimum, true,
&nsec_diff);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_nsec3chain:"
- "updatesecure -> %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "zone_nsec3chain:updatesecure -> %s",
+ dns_result_totext(result));
goto failure;
}
}
if (rebuild_nsec3) {
- if (nsec3chain != NULL)
+ if (nsec3chain != NULL) {
dns_dbiterator_pause(nsec3chain->dbiterator);
+ }
result = dns_nsec3_addnsec3s(db, version,
dns_db_origin(db),
zone->minimum, false,
&nsec3_diff);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_nsec3chain:"
- "dns_nsec3_addnsec3s -> %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "zone_nsec3chain:"
+ "dns_nsec3_addnsec3s -> %s",
+ dns_result_totext(result));
goto failure;
}
}
@@ -8157,15 +8267,16 @@ zone_nsec3chain(dns_zone_t *zone) {
/*
* Add / update signatures for the NSEC3 records.
*/
- if (nsec3chain != NULL)
+ if (nsec3chain != NULL) {
dns_dbiterator_pause(nsec3chain->dbiterator);
+ }
result = dns__zone_updatesigs(&nsec3_diff, db, version, zone_keys,
nkeys, zone, inception, expire, 0, now,
check_ksk, keyset_kskonly, &zonediff);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
- "dns__zone_updatesigs -> %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "zone_nsec3chain:dns__zone_updatesigs -> %s",
+ dns_result_totext(result));
goto failure;
}
@@ -8177,9 +8288,9 @@ zone_nsec3chain(dns_zone_t *zone) {
nkeys, zone, inception, expire, 0, now,
check_ksk, keyset_kskonly, &zonediff);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
- "dns__zone_updatesigs -> %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "zone_nsec3chain:dns__zone_updatesigs -> %s",
+ dns_result_totext(result));
goto failure;
}
@@ -8187,9 +8298,9 @@ zone_nsec3chain(dns_zone_t *zone) {
result = updatesecure(db, version, &zone->origin,
zone->minimum, false, &nsec_diff);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
- "updatesecure -> %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "zone_nsec3chain:updatesecure -> %s",
+ dns_result_totext(result));
goto failure;
}
}
@@ -8198,9 +8309,9 @@ zone_nsec3chain(dns_zone_t *zone) {
nkeys, zone, inception, expire, 0, now,
check_ksk, keyset_kskonly, &zonediff);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
- "dns__zone_updatesigs -> %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "zone_nsec3chain:dns__zone_updatesigs -> %s",
+ dns_result_totext(result));
goto failure;
}
@@ -8219,17 +8330,18 @@ zone_nsec3chain(dns_zone_t *zone) {
result = del_sigs(zone, db, version, &zone->origin, dns_rdatatype_soa,
&zonediff, zone_keys, nkeys, now, false);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
- "del_sigs -> %s", dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "zone_nsec3chain:del_sigs -> %s",
+ dns_result_totext(result));
goto failure;
}
result = update_soa_serial(db, version, zonediff.diff, zone->mctx,
zone->updatemethod);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
- "update_soa_serial -> %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "zone_nsec3chain:update_soa_serial -> %s",
+ dns_result_totext(result));
goto failure;
}
@@ -8237,8 +8349,9 @@ zone_nsec3chain(dns_zone_t *zone) {
zonediff.diff, zone_keys, nkeys, zone->mctx,
inception, soaexpire, check_ksk, keyset_kskonly);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
- "add_sigs -> %s", dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "zone_nsec3chain:add_sigs -> %s",
+ dns_result_totext(result));
goto failure;
}
@@ -8258,7 +8371,9 @@ zone_nsec3chain(dns_zone_t *zone) {
for (nsec3chain = ISC_LIST_HEAD(zone->nsec3chain);
nsec3chain != NULL;
nsec3chain = ISC_LIST_NEXT(nsec3chain, link))
+ {
dns_dbiterator_pause(nsec3chain->dbiterator);
+ }
UNLOCK_ZONE(zone);
/*
@@ -8282,9 +8397,11 @@ zone_nsec3chain(dns_zone_t *zone) {
set_resigntime(zone);
failure:
- if (result != ISC_R_SUCCESS)
- dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain: %s",
- dns_result_totext(result));
+ if (result != ISC_R_SUCCESS) {
+ dnssec_log(zone, ISC_LOG_ERROR, "zone_nsec3chain: %s",
+ dns_result_totext(result));
+ }
+
/*
* On error roll back the current nsec3chain.
*/
@@ -8327,7 +8444,9 @@ zone_nsec3chain(dns_zone_t *zone) {
for (nsec3chain = ISC_LIST_HEAD(zone->nsec3chain);
nsec3chain != NULL;
nsec3chain = ISC_LIST_NEXT(nsec3chain, link))
+ {
dns_dbiterator_pause(nsec3chain->dbiterator);
+ }
UNLOCK_ZONE(zone);
dns_diff_clear(¶m_diff);
@@ -8335,30 +8454,36 @@ zone_nsec3chain(dns_zone_t *zone) {
dns_diff_clear(&nsec_diff);
dns_diff_clear(&_sig_diff);
- if (iterator != NULL)
+ if (iterator != NULL) {
dns_rdatasetiter_destroy(&iterator);
+ }
- for (i = 0; i < nkeys; i++)
+ for (i = 0; i < nkeys; i++) {
dst_key_free(&zone_keys[i]);
+ }
- if (node != NULL)
+ if (node != NULL) {
dns_db_detachnode(db, &node);
+ }
if (version != NULL) {
dns_db_closeversion(db, &version, false);
dns_db_detach(&db);
- } else if (db != NULL)
+ } else if (db != NULL) {
dns_db_detach(&db);
+ }
LOCK_ZONE(zone);
if (ISC_LIST_HEAD(zone->nsec3chain) != NULL) {
isc_interval_t interval;
- if (zone->update_disabled || result != ISC_R_SUCCESS)
+ if (zone->update_disabled || result != ISC_R_SUCCESS) {
isc_interval_set(&interval, 60, 0); /* 1 minute */
- else
+ } else {
isc_interval_set(&interval, 0, 10000000); /* 10 ms */
+ }
isc_time_nowplusinterval(&zone->nsec3chaintime, &interval);
- } else
+ } else {
isc_time_settoepoch(&zone->nsec3chaintime);
+ }
UNLOCK_ZONE(zone);
INSIST(version == NULL);
@@ -8520,8 +8645,9 @@ zone_sign(dns_zone_t *zone) {
}
ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
- if (zone->db != NULL)
+ if (zone->db != NULL) {
dns_db_attach(zone->db, &db);
+ }
ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
if (db == NULL) {
result = ISC_R_FAILURE;
@@ -8530,9 +8656,9 @@ zone_sign(dns_zone_t *zone) {
result = dns_db_newversion(db, &version);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_sign:dns_db_newversion -> %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "zone_sign:dns_db_newversion -> %s",
+ dns_result_totext(result));
goto cleanup;
}
@@ -8541,9 +8667,9 @@ zone_sign(dns_zone_t *zone) {
result = dns__zone_findkeys(zone, db, version, now, zone->mctx,
DNS_MAXZONEKEYS, zone_keys, &nkeys);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_sign:dns__zone_findkeys -> %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "zone_sign:dns__zone_findkeys -> %s",
+ dns_result_totext(result));
goto cleanup;
}
@@ -8591,8 +8717,9 @@ zone_sign(dns_zone_t *zone) {
&build_nsec, &build_nsec3));
/* If neither chain is found, default to NSEC */
- if (!build_nsec && !build_nsec3)
+ if (!build_nsec && !build_nsec3) {
build_nsec = true;
+ }
while (signing != NULL && nodes-- > 0 && signatures > 0) {
bool has_alg = false;
@@ -8612,8 +8739,9 @@ zone_sign(dns_zone_t *zone) {
}
ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
- if (signing->db != db)
+ if (signing->db != db) {
goto next_signing;
+ }
is_bottom_of_zone = false;
@@ -8664,7 +8792,8 @@ zone_sign(dns_zone_t *zone) {
NULL, NULL);
if ((result == DNS_R_DELEGATION ||
result == DNS_R_DNAME) &&
- !dns_name_equal(name, found)) {
+ !dns_name_equal(name, found))
+ {
/*
* Remember the obscuring name so that
* we skip all obscured names.
@@ -8691,13 +8820,15 @@ zone_sign(dns_zone_t *zone) {
/*
* Find the keys we want to sign with.
*/
- if (!dst_key_isprivate(zone_keys[i]))
+ if (!dst_key_isprivate(zone_keys[i])) {
continue;
+ }
/*
* Should be redundant.
*/
- if (dst_key_inactive(zone_keys[i]))
+ if (dst_key_inactive(zone_keys[i])) {
continue;
+ }
/*
* When adding look for the specific key.
@@ -8705,7 +8836,9 @@ zone_sign(dns_zone_t *zone) {
if (!signing->deleteit &&
(dst_key_alg(zone_keys[i]) != signing->algorithm ||
dst_key_id(zone_keys[i]) != signing->keyid))
+ {
continue;
+ }
/*
* When deleting make sure we are properly signed
@@ -8713,7 +8846,9 @@ zone_sign(dns_zone_t *zone) {
*/
if (signing->deleteit &&
ALG(zone_keys[i]) != signing->algorithm)
+ {
continue;
+ }
/*
* Do we do KSK processing?
@@ -8729,31 +8864,39 @@ zone_sign(dns_zone_t *zone) {
}
for (j = 0; j < nkeys; j++) {
if (j == i ||
- ALG(zone_keys[i]) !=
- ALG(zone_keys[j]))
+ (ALG(zone_keys[i]) !=
+ ALG(zone_keys[j])))
+ {
continue;
- if (!dst_key_isprivate(zone_keys[j]))
+ }
+ if (!dst_key_isprivate(zone_keys[j])) {
continue;
+ }
/*
* Should be redundant.
*/
- if (dst_key_inactive(zone_keys[j]))
+ if (dst_key_inactive(zone_keys[j])) {
continue;
- if (REVOKE(zone_keys[j]))
+ }
+ if (REVOKE(zone_keys[j])) {
continue;
- if (KSK(zone_keys[j]))
+ }
+ if (KSK(zone_keys[j])) {
have_ksk = true;
- else
+ } else {
have_nonksk = true;
+ }
both = have_ksk && have_nonksk;
- if (both)
+ if (both) {
break;
+ }
}
}
- if (both || REVOKE(zone_keys[i]))
+ if (both || REVOKE(zone_keys[i])) {
is_ksk = KSK(zone_keys[i]);
- else
+ } else {
is_ksk = false;
+ }
/*
* If deleting signatures, we need to ensure that
@@ -8816,9 +8959,8 @@ zone_sign(dns_zone_t *zone) {
false,
&post_diff);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone,
- ISC_LOG_ERROR,
- "updatesecure -> %s",
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "updatesecure -> %s",
dns_result_totext(result));
goto cleanup;
}
@@ -8829,26 +8971,29 @@ zone_sign(dns_zone_t *zone) {
zone->minimum,
&post_diff);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "updatesignwithkey -> %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "updatesignwithkey -> %s",
+ dns_result_totext(result));
goto cleanup;
}
build_nsec = false;
goto next_signing;
} else if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_sign:dns_dbiterator_next -> %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "zone_sign:"
+ "dns_dbiterator_next -> %s",
+ dns_result_totext(result));
goto cleanup;
} else if (is_bottom_of_zone) {
dns_dbiterator_current(signing->dbiterator,
&node, nextname);
dns_db_detachnode(db, &node);
- if (!dns_name_issubdomain(nextname, name))
+ if (!dns_name_issubdomain(nextname, name)) {
break;
- } else
+ }
+ } else {
break;
+ }
} while (1);
continue;
@@ -8865,9 +9010,9 @@ zone_sign(dns_zone_t *zone) {
check_ksk, keyset_kskonly,
&zonediff);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR, "zone_sign:"
- "dns__zone_updatesigs -> %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "zone_sign:dns__zone_updatesigs -> %s",
+ dns_result_totext(result));
goto cleanup;
}
}
@@ -8876,8 +9021,9 @@ zone_sign(dns_zone_t *zone) {
* Have we changed anything?
*/
if (ISC_LIST_EMPTY(zonediff.diff->tuples)) {
- if (zonediff.offline)
+ if (zonediff.offline) {
commit = true;
+ }
result = ISC_R_SUCCESS;
goto pauseall;
}
@@ -8887,18 +9033,17 @@ zone_sign(dns_zone_t *zone) {
result = del_sigs(zone, db, version, &zone->origin, dns_rdatatype_soa,
&zonediff, zone_keys, nkeys, now, false);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_sign:del_sigs -> %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR, "zone_sign:del_sigs -> %s",
+ dns_result_totext(result));
goto cleanup;
}
result = update_soa_serial(db, version, zonediff.diff, zone->mctx,
zone->updatemethod);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_sign:update_soa_serial -> %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "zone_sign:update_soa_serial -> %s",
+ dns_result_totext(result));
goto cleanup;
}
@@ -8910,9 +9055,8 @@ zone_sign(dns_zone_t *zone) {
zonediff.diff, zone_keys, nkeys, zone->mctx,
inception, soaexpire, check_ksk, keyset_kskonly);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_sign:add_sigs -> %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR, "zone_sign:add_sigs -> %s",
+ dns_result_totext(result));
goto cleanup;
}
@@ -8928,12 +9072,16 @@ zone_sign(dns_zone_t *zone) {
for (signing = ISC_LIST_HEAD(zone->signing);
signing != NULL;
signing = ISC_LIST_NEXT(signing, link))
+ {
dns_dbiterator_pause(signing->dbiterator);
+ }
for (signing = ISC_LIST_HEAD(cleanup);
signing != NULL;
signing = ISC_LIST_NEXT(signing, link))
+ {
dns_dbiterator_pause(signing->dbiterator);
+ }
/*
* Everything has succeeded. Commit the changes.
@@ -8963,8 +9111,8 @@ zone_sign(dns_zone_t *zone) {
failure:
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR, "zone_sign: failed: %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR, "zone_sign: failed: %s",
+ dns_result_totext(result));
}
cleanup:
@@ -8974,7 +9122,9 @@ zone_sign(dns_zone_t *zone) {
for (signing = ISC_LIST_HEAD(zone->signing);
signing != NULL;
signing = ISC_LIST_NEXT(signing, link))
+ {
dns_dbiterator_pause(signing->dbiterator);
+ }
/*
* Rollback the cleanup list.
@@ -8990,27 +9140,32 @@ zone_sign(dns_zone_t *zone) {
dns_diff_clear(&_sig_diff);
- for (i = 0; i < nkeys; i++)
+ for (i = 0; i < nkeys; i++) {
dst_key_free(&zone_keys[i]);
+ }
- if (node != NULL)
+ if (node != NULL) {
dns_db_detachnode(db, &node);
+ }
if (version != NULL) {
dns_db_closeversion(db, &version, false);
dns_db_detach(&db);
- } else if (db != NULL)
+ } else if (db != NULL) {
dns_db_detach(&db);
+ }
if (ISC_LIST_HEAD(zone->signing) != NULL) {
isc_interval_t interval;
- if (zone->update_disabled || result != ISC_R_SUCCESS)
+ if (zone->update_disabled || result != ISC_R_SUCCESS) {
isc_interval_set(&interval, 60, 0); /* 1 minute */
- else
+ } else {
isc_interval_set(&interval, 0, 10000000); /* 10 ms */
+ }
isc_time_nowplusinterval(&zone->signingtime, &interval);
- } else
+ } else {
isc_time_settoepoch(&zone->signingtime);
+ }
INSIST(version == NULL);
}
@@ -9242,8 +9397,9 @@ revocable(dns_keyfetch_t *kfetch, dns_rdata_keydata_t *keydata) {
dns_rdata_fromstruct(&rr, keydata->common.rdclass,
dns_rdatatype_dnskey, &dnskey, &keyb);
result = dns_dnssec_keyfromrdata(keyname, &rr, mctx, &dstkey);
- if (result != ISC_R_SUCCESS)
+ if (result != ISC_R_SUCCESS) {
return (false);
+ }
/* See if that key generated any of the signatures */
for (result = dns_rdataset_first(&kfetch->dnskeysigset);
@@ -9267,9 +9423,9 @@ revocable(dns_keyfetch_t *kfetch, dns_rdata_keydata_t *keydata) {
&sigrr,
dns_fixedname_name(&fixed));
- dns_zone_log(kfetch->zone, ISC_LOG_DEBUG(3),
- "Confirm revoked DNSKEY is self-signed: "
- "%s", dns_result_totext(result));
+ dnssec_log(kfetch->zone, ISC_LOG_DEBUG(3),
+ "Confirm revoked DNSKEY is self-signed: %s",
+ dns_result_totext(result));
if (result == ISC_R_SUCCESS) {
answer = true;
@@ -9329,16 +9485,19 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
eresult = devent->result;
/* Free resources which are not of interest */
- if (devent->node != NULL)
+ if (devent->node != NULL) {
dns_db_detachnode(devent->db, &devent->node);
- if (devent->db != NULL)
+ }
+ if (devent->db != NULL) {
dns_db_detach(&devent->db);
+ }
isc_event_free(&event);
dns_resolver_destroyfetch(&kfetch->fetch);
LOCK_ZONE(zone);
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING) || zone->view == NULL)
+ if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING) || zone->view == NULL) {
goto cleanup;
+ }
isc_stdtime_get(&now);
dns_name_format(keyname, namebuf, sizeof(namebuf));
@@ -9353,28 +9512,30 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
zone->refreshkeycount--;
alldone = (zone->refreshkeycount == 0);
- if (alldone)
+ if (alldone) {
DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESHING);
+ }
- dns_zone_log(zone, ISC_LOG_DEBUG(3),
- "Returned from key fetch in keyfetch_done() for "
- "'%s': %s", namebuf, dns_result_totext(eresult));
+ dnssec_log(zone, ISC_LOG_DEBUG(3),
+ "Returned from key fetch in keyfetch_done() for '%s': %s",
+ namebuf, dns_result_totext(eresult));
/* Fetch failed */
if (eresult != ISC_R_SUCCESS ||
- !dns_rdataset_isassociated(&kfetch->dnskeyset)) {
- dns_zone_log(zone, ISC_LOG_WARNING,
- "Unable to fetch DNSKEY set "
- "'%s': %s", namebuf, dns_result_totext(eresult));
+ !dns_rdataset_isassociated(&kfetch->dnskeyset))
+ {
+ dnssec_log(zone, ISC_LOG_WARNING,
+ "Unable to fetch DNSKEY set '%s': %s",
+ namebuf, dns_result_totext(eresult));
CHECK(minimal_update(kfetch, ver, &diff));
goto done;
}
/* No RRSIGs found */
if (!dns_rdataset_isassociated(&kfetch->dnskeysigset)) {
- dns_zone_log(zone, ISC_LOG_WARNING,
- "No DNSKEY RRSIGs found for "
- "'%s': %s", namebuf, dns_result_totext(eresult));
+ dnssec_log(zone, ISC_LOG_WARNING,
+ "No DNSKEY RRSIGs found for '%s': %s",
+ namebuf, dns_result_totext(eresult));
CHECK(minimal_update(kfetch, ver, &diff));
goto done;
}
@@ -9406,8 +9567,10 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
dns_fixedname_init(&fixed);
dstkey = dns_keynode_key(keynode);
- if (dstkey == NULL) /* fail_secure() was called */
+ if (dstkey == NULL) {
+ /* fail_secure() was called */
break;
+ }
if (dst_key_alg(dstkey) == sig.algorithm &&
dst_key_id(dstkey) == sig.keyid)
@@ -9421,11 +9584,11 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
dns_fixedname_name(
&fixed));
- dns_zone_log(zone, ISC_LOG_DEBUG(3),
- "Verifying DNSKEY set for zone "
- "'%s' using key %d/%d: %s",
- namebuf, sig.keyid, sig.algorithm,
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_DEBUG(3),
+ "Verifying DNSKEY set for zone "
+ "'%s' using key %d/%d: %s",
+ namebuf, sig.keyid, sig.algorithm,
+ dns_result_totext(result));
if (result == ISC_R_SUCCESS) {
kfetch->dnskeyset.trust =
@@ -9459,9 +9622,9 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
* trusted keys then all we can do is look at any revoked keys.
*/
if (!secure) {
- dns_zone_log(zone, ISC_LOG_DEBUG(3),
- "DNSKEY set for zone '%s' could not be verified "
- "with current keys", namebuf);
+ dnssec_log(zone, ISC_LOG_INFO,
+ "DNSKEY set for zone '%s' could not be verified "
+ "with current keys", namebuf);
}
/*
@@ -9506,38 +9669,38 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
if (!secure) {
if (keydata.removehd != 0 &&
- keydata.removehd <= now) {
+ keydata.removehd <= now)
+ {
deletekey = true;
}
} else if (keydata.addhd == 0) {
deletekey = true;
} else if (keydata.addhd > now) {
- dns_zone_log(zone, ISC_LOG_DEBUG(3),
- "Pending key %d for zone %s "
- "unexpectedly missing "
- "restarting 30-day acceptance "
- "timer", keytag, namebuf);
- if (keydata.addhd < now + dns_zone_mkey_month)
+ dnssec_log(zone, ISC_LOG_INFO,
+ "Pending key %d for zone %s "
+ "unexpectedly missing "
+ "restarting 30-day acceptance "
+ "timer", keytag, namebuf);
+ if (keydata.addhd < now + dns_zone_mkey_month) {
keydata.addhd =
now + dns_zone_mkey_month;
- keydata.refresh = refresh_time(kfetch,
- false);
+ }
+ keydata.refresh = refresh_time(kfetch, false);
} else if (keydata.removehd == 0) {
- dns_zone_log(zone, ISC_LOG_DEBUG(3),
- "Active key %d for zone %s "
- "unexpectedly missing",
- keytag, namebuf);
+ dnssec_log(zone, ISC_LOG_INFO,
+ "Active key %d for zone %s "
+ "unexpectedly missing",
+ keytag, namebuf);
keydata.refresh = now + dns_zone_mkey_hour;
} else if (keydata.removehd <= now) {
deletekey = true;
- dns_zone_log(zone, ISC_LOG_DEBUG(3),
- "Revoked key %d for zone %s "
- "missing: deleting from "
- "managed keys database",
- keytag, namebuf);
+ dnssec_log(zone, ISC_LOG_INFO,
+ "Revoked key %d for zone %s "
+ "missing: deleting from "
+ "managed keys database",
+ keytag, namebuf);
} else {
- keydata.refresh = refresh_time(kfetch,
- false);
+ keydata.refresh = refresh_time(kfetch, false);
}
if (secure || deletekey) {
@@ -9547,8 +9710,9 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
&keydatarr));
}
- if (!secure || deletekey)
+ if (!secure || deletekey) {
continue;
+ }
dns_rdata_reset(&keydatarr);
isc_buffer_init(&keyb, key_buf, sizeof(key_buf));
@@ -9620,13 +9784,12 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
* it's been revoked? Just remove it
*/
deletekey = true;
- dns_zone_log(zone, ISC_LOG_DEBUG(3),
- "Pending key %d "
- "for zone %s is now "
- "revoked: "
- "deleting from the "
- "managed keys database",
- keytag, namebuf);
+ dnssec_log(zone, ISC_LOG_INFO,
+ "Pending key %d for "
+ "zone %s is now revoked: "
+ "deleting from the "
+ "managed keys database",
+ keytag, namebuf);
} else if (keydata.removehd == 0) {
/*
* Remove key from secroots.
@@ -9635,39 +9798,37 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
&dnskey, mctx);
/* If initializing, delete now */
- if (keydata.addhd == 0)
+ if (keydata.addhd == 0) {
deletekey = true;
- else {
+ } else {
keydata.removehd = now +
dns_zone_mkey_month;
keydata.flags |=
DNS_KEYFLAG_REVOKE;
}
- dns_zone_log(zone, ISC_LOG_INFO,
- "Trusted key %d "
- "for zone %s is now "
- "revoked",
- keytag, namebuf);
+ dnssec_log(zone, ISC_LOG_INFO,
+ "Trusted key %d for "
+ "zone %s is now revoked",
+ keytag, namebuf);
} else if (keydata.removehd < now) {
/* Scheduled for removal */
deletekey = true;
- dns_zone_log(zone, ISC_LOG_INFO,
- "Revoked key %d "
- "for zone %s removal "
- "timer complete: "
- "deleting from the "
- "managed keys database",
- keytag, namebuf);
+ dnssec_log(zone, ISC_LOG_INFO,
+ "Revoked key %d for "
+ "zone %s removal timer "
+ "complete: deleting from "
+ "the managed keys database",
+ keytag, namebuf);
}
} else if (revoked && keydata.removehd == 0) {
- dns_zone_log(zone, ISC_LOG_WARNING,
- "Active key %d for zone "
- "%s is revoked but "
- "did not self-sign; "
- "ignoring", keytag, namebuf);
- continue;
+ dnssec_log(zone, ISC_LOG_WARNING,
+ "Active key %d for zone "
+ "%s is revoked but "
+ "did not self-sign; "
+ "ignoring", keytag, namebuf);
+ continue;
} else if (secure) {
if (keydata.removehd != 0) {
/*
@@ -9683,28 +9844,29 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
keydata.addhd =
now + dns_zone_mkey_month;
- dns_zone_log(zone, ISC_LOG_DEBUG(3),
- "Revoked key %d "
- "for zone %s "
- "has returned: starting "
- "30-day acceptance timer",
- keytag, namebuf);
- } else if (keydata.addhd > now)
+ dnssec_log(zone, ISC_LOG_INFO,
+ "Revoked key %d for "
+ "zone %s has returned: "
+ "starting 30-day "
+ "acceptance timer",
+ keytag, namebuf);
+ } else if (keydata.addhd > now) {
pending++;
- else if (keydata.addhd == 0)
+ } else if (keydata.addhd == 0) {
keydata.addhd = now;
+ }
if (keydata.addhd <= now) {
trustkey = true;
- dns_zone_log(zone, ISC_LOG_INFO,
- "Key %d for zone %s "
- "is now trusted (%s)",
- keytag, namebuf,
- initial
- ? "initializing key "
- "verified"
- : "acceptance timer "
- "complete");
+ dnssec_log(zone, ISC_LOG_INFO,
+ "Key %d for zone %s "
+ "is now trusted (%s)",
+ keytag, namebuf,
+ initial
+ ? "initializing key "
+ "verified"
+ : "acceptance timer "
+ "complete");
}
} else if (keydata.addhd > now) {
/*
@@ -9713,43 +9875,45 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
*/
pending++;
keydata.addhd = now + dns_zone_mkey_month;
- dns_zone_log(zone, ISC_LOG_DEBUG(3),
- "Pending key %d "
- "for zone %s was "
- "not validated: restarting "
- "30-day acceptance timer",
- keytag, namebuf);
+ dnssec_log(zone, ISC_LOG_INFO,
+ "Pending key %d "
+ "for zone %s was "
+ "not validated: restarting "
+ "30-day acceptance timer",
+ keytag, namebuf);
}
- if (!deletekey && !newkey)
+ if (!deletekey && !newkey) {
updatekey = true;
+ }
} else if (secure) {
/*
* Key wasn't in the key zone but it's
* revoked now anyway, so just skip it
*/
- if (revoked)
+ if (revoked) {
continue;
+ }
/* Key wasn't in the key zone: add it */
newkey = true;
if (initializing) {
- dns_zone_log(zone, ISC_LOG_WARNING,
- "Initializing automatic trust "
- "anchor management for zone '%s'; "
- "DNSKEY ID %d is now trusted, "
- "waiving the normal 30-day "
- "waiting period.",
- namebuf, keytag);
+ dnssec_log(zone, ISC_LOG_WARNING,
+ "Initializing automatic trust "
+ "anchor management for zone '%s'; "
+ "DNSKEY ID %d is now trusted, "
+ "waiving the normal 30-day "
+ "waiting period.",
+ namebuf, keytag);
trustkey = true;
} else {
- dns_zone_log(zone, ISC_LOG_INFO,
- "New key %d observed "
- "for zone '%s': "
- "starting 30-day "
- "acceptance timer",
- keytag, namebuf);
+ dnssec_log(zone, ISC_LOG_INFO,
+ "New key %d observed "
+ "for zone '%s': "
+ "starting 30-day "
+ "acceptance timer",
+ keytag, namebuf);
}
} else {
/*
@@ -9760,10 +9924,11 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
}
/* Delete old version */
- if (deletekey || !newkey)
+ if (deletekey || !newkey) {
CHECK(update_one_rr(kfetch->db, ver, &diff,
DNS_DIFFOP_DEL, keyname, 0,
&keydatarr));
+ }
if (updatekey) {
/* Set refresh timer */
@@ -9821,8 +9986,9 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
* see if there's pending keydata. If so, we put a null key in
* the security roots; then all queries to the zone will fail.
*/
- if (pending != 0)
+ if (pending != 0) {
fail_secure(zone, keyname);
+ }
done:
if (!ISC_LIST_EMPTY(diff.tuples)) {
@@ -9849,14 +10015,15 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
failure:
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "error during managed-keys processing (%s): "
- "DNSSEC validation may be at risk",
- isc_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "error during managed-keys processing (%s): "
+ "DNSSEC validation may be at risk",
+ isc_result_totext(result));
}
dns_diff_clear(&diff);
- if (ver != NULL)
+ if (ver != NULL) {
dns_db_closeversion(kfetch->db, &ver, commit);
+ }
cleanup:
dns_db_detach(&kfetch->db);
@@ -9865,24 +10032,29 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
zone->irefs--;
kfetch->zone = NULL;
- if (dns_rdataset_isassociated(&kfetch->keydataset))
+ if (dns_rdataset_isassociated(&kfetch->keydataset)) {
dns_rdataset_disassociate(&kfetch->keydataset);
- if (dns_rdataset_isassociated(&kfetch->dnskeyset))
+ }
+ if (dns_rdataset_isassociated(&kfetch->dnskeyset)) {
dns_rdataset_disassociate(&kfetch->dnskeyset);
- if (dns_rdataset_isassociated(&kfetch->dnskeysigset))
+ }
+ if (dns_rdataset_isassociated(&kfetch->dnskeysigset)) {
dns_rdataset_disassociate(&kfetch->dnskeysigset);
+ }
dns_name_free(keyname, mctx);
isc_mem_put(mctx, kfetch, sizeof(dns_keyfetch_t));
isc_mem_detach(&mctx);
- if (secroots != NULL)
+ if (secroots != NULL) {
dns_keytable_detach(&secroots);
+ }
free_needed = exit_check(zone);
UNLOCK_ZONE(zone);
- if (free_needed)
+ if (free_needed) {
zone_free(zone);
+ }
INSIST(ver == NULL);
}
@@ -9931,7 +10103,8 @@ zone_refreshkeys(dns_zone_t *zone) {
dns_rriterator_init(&rrit, db, ver, 0);
for (result = dns_rriterator_first(&rrit);
result == ISC_R_SUCCESS;
- result = dns_rriterator_nextrrset(&rrit)) {
+ result = dns_rriterator_nextrrset(&rrit))
+ {
isc_stdtime_t timer = 0xffffffff;
dns_name_t *name = NULL, *kname = NULL;
dns_rdataset_t *kdset = NULL;
@@ -9941,7 +10114,9 @@ zone_refreshkeys(dns_zone_t *zone) {
dns_rriterator_current(&rrit, &name, &ttl, &kdset, NULL);
if (kdset == NULL || kdset->type != dns_rdatatype_keydata ||
!dns_rdataset_isassociated(kdset))
+ {
continue;
+ }
/*
* Scan the stored keys looking for ones that need
@@ -9949,7 +10124,8 @@ zone_refreshkeys(dns_zone_t *zone) {
*/
for (result = dns_rdataset_first(kdset);
result == ISC_R_SUCCESS;
- result = dns_rdataset_next(kdset)) {
+ result = dns_rdataset_next(kdset))
+ {
dns_rdata_reset(&rdata);
dns_rdataset_current(kdset, &rdata);
result = dns_rdata_tostruct(&rdata, &kd, NULL);
@@ -9964,19 +10140,22 @@ zone_refreshkeys(dns_zone_t *zone) {
}
/* Acceptance timer expired? */
- if (kd.addhd <= now)
+ if (kd.addhd <= now) {
timer = kd.addhd;
+ }
/* Or do we just need to refresh the keyset? */
- if (timer > kd.refresh)
+ if (timer > kd.refresh) {
timer = kd.refresh;
+ }
set_refreshkeytimer(zone, &kd, now, false);
timerset = true;
}
- if (timer > now)
+ if (timer > now) {
continue;
+ }
kfetch = isc_mem_get(zone->mctx, sizeof(dns_keyfetch_t));
if (kfetch == NULL) {
@@ -10002,10 +10181,10 @@ zone_refreshkeys(dns_zone_t *zone) {
char namebuf[DNS_NAME_FORMATSIZE];
dns_name_format(kname, namebuf,
sizeof(namebuf));
- dns_zone_log(zone, ISC_LOG_DEBUG(3),
- "Creating key fetch in "
- "zone_refreshkeys() for '%s'",
- namebuf);
+ dnssec_log(zone, ISC_LOG_DEBUG(3),
+ "Creating key fetch in "
+ "zone_refreshkeys() for '%s'",
+ namebuf);
}
/*
@@ -10037,18 +10216,17 @@ zone_refreshkeys(dns_zone_t *zone) {
result = ISC_R_FAILURE;
}
#endif
- if (result == ISC_R_SUCCESS)
+ if (result == ISC_R_SUCCESS) {
fetching = true;
- else {
+ } else {
zone->refreshkeycount--;
zone->irefs--;
dns_db_detach(&kfetch->db);
dns_rdataset_disassociate(&kfetch->keydataset);
dns_name_free(kname, zone->mctx);
isc_mem_put(zone->mctx, kfetch, sizeof(dns_keyfetch_t));
- dns_zone_log(zone, ISC_LOG_WARNING,
- "Failed to create fetch for "
- "DNSKEY update");
+ dnssec_log(zone, ISC_LOG_WARNING,
+ "Failed to create fetch for DNSKEY update");
fetch_err = true;
}
}
@@ -10075,14 +10253,15 @@ zone_refreshkeys(dns_zone_t *zone) {
zone_settimer(zone, &timenow);
isc_time_formattimestamp(&zone->refreshkeytime, timebuf, 80);
- dns_zone_log(zone, ISC_LOG_DEBUG(1), "retry key refresh: %s",
- timebuf);
+ dnssec_log(zone, ISC_LOG_DEBUG(1), "retry key refresh: %s",
+ timebuf);
} else if (!timerset) {
isc_time_settoepoch(&zone->refreshkeytime);
}
- if (!fetching)
+ if (!fetching) {
DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESHING);
+ }
dns_diff_clear(&diff);
if (ver != NULL) {
@@ -14008,6 +14187,15 @@ zone_debuglog(dns_zone_t *zone, const char *me, int debuglevel,
va_end(ap);
}
+static void
+dnssec_log(dns_zone_t *zone, int level, const char *fmt, ...) {
+ va_list ap;
+
+ va_start(ap, fmt);
+ dns_zone_logv(zone, DNS_LOGCATEGORY_DNSSEC, level, NULL, fmt, ap);
+ va_end(ap);
+}
+
static int
message_count(dns_message_t *msg, dns_section_t section, dns_rdatatype_t type)
{
@@ -17516,9 +17704,9 @@ dns_zone_signwithkey(dns_zone_t *zone, dns_secalg_t algorithm,
isc_result_t result;
REQUIRE(DNS_ZONE_VALID(zone));
- dns_zone_log(zone, ISC_LOG_NOTICE,
- "dns_zone_signwithkey(algorithm=%u, keyid=%u)",
- algorithm, keyid);
+ dnssec_log(zone, ISC_LOG_NOTICE,
+ "dns_zone_signwithkey(algorithm=%u, keyid=%u)",
+ algorithm, keyid);
LOCK_ZONE(zone);
result = zone_signwithkey(zone, algorithm, keyid, deleteit);
UNLOCK_ZONE(zone);
@@ -17541,10 +17729,9 @@ dns_zone_addnsec3chain(dns_zone_t *zone, dns_rdata_nsec3param_t *nsec3param) {
result = dns_nsec3param_salttotext(nsec3param, salt, sizeof(salt));
RUNTIME_CHECK(result == ISC_R_SUCCESS);
- dns_zone_log(zone, ISC_LOG_NOTICE,
- "dns_zone_addnsec3chain(hash=%u, iterations=%u, salt=%s)",
- nsec3param->hash, nsec3param->iterations,
- salt);
+ dnssec_log(zone, ISC_LOG_NOTICE,
+ "dns_zone_addnsec3chain(hash=%u, iterations=%u, salt=%s)",
+ nsec3param->hash, nsec3param->iterations, salt);
LOCK_ZONE(zone);
result = zone_addnsec3chain(zone, nsec3param);
UNLOCK_ZONE(zone);
@@ -17672,15 +17859,6 @@ zone_signwithkey(dns_zone_t *zone, dns_secalg_t algorithm, uint16_t keyid,
return (result);
}
-static void
-logmsg(const char *format, ...) {
- va_list args;
- va_start(args, format);
- isc_log_vwrite(dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_ZONE,
- ISC_LOG_DEBUG(1), format, args);
- va_end(args);
-}
-
static void
clear_keylist(dns_dnsseckeylist_t *list, isc_mem_t *mctx) {
dns_dnsseckey_t *key;
@@ -17844,9 +18022,9 @@ sign_apex(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
result = dns__zone_findkeys(zone, db, ver, now, zone->mctx,
DNS_MAXZONEKEYS, zone_keys, &nkeys);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "sign_apex:dns__zone_findkeys -> %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "sign_apex:dns__zone_findkeys -> %s",
+ dns_result_totext(result));
return (result);
}
@@ -17869,10 +18047,13 @@ sign_apex(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
*/
for (tuple = ISC_LIST_HEAD(diff->tuples);
tuple != NULL;
- tuple = ISC_LIST_NEXT(tuple, link)) {
+ tuple = ISC_LIST_NEXT(tuple, link))
+ {
if (tuple->rdata.type == dns_rdatatype_dnskey &&
dns_name_equal(&tuple->name, &zone->origin))
+ {
break;
+ }
}
if (tuple == NULL) {
@@ -17880,9 +18061,9 @@ sign_apex(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
dns_rdatatype_dnskey, zonediff,
zone_keys, nkeys, now, false);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "sign_apex:del_sigs -> %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "sign_apex:del_sigs -> %s",
+ dns_result_totext(result));
goto failure;
}
result = add_sigs(db, ver, &zone->origin, dns_rdatatype_dnskey,
@@ -17890,9 +18071,9 @@ sign_apex(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
inception, keyexpire, check_ksk,
keyset_kskonly);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "sign_apex:add_sigs -> %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "sign_apex:add_sigs -> %s",
+ dns_result_totext(result));
goto failure;
}
}
@@ -17902,15 +18083,16 @@ sign_apex(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
check_ksk, keyset_kskonly, zonediff);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "sign_apex:dns__zone_updatesigs -> %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "sign_apex:dns__zone_updatesigs -> %s",
+ dns_result_totext(result));
goto failure;
}
failure:
- for (i = 0; i < nkeys; i++)
+ for (i = 0; i < nkeys; i++) {
dst_key_free(&zone_keys[i]);
+ }
return (result);
}
@@ -17931,11 +18113,14 @@ dnskey_sane(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
/* Scan the tuples for an NSEC-only DNSKEY */
for (tuple = ISC_LIST_HEAD(diff->tuples);
tuple != NULL;
- tuple = ISC_LIST_NEXT(tuple, link)) {
+ tuple = ISC_LIST_NEXT(tuple, link))
+ {
uint8_t alg;
if (tuple->rdata.type != dns_rdatatype_dnskey ||
tuple->op != DNS_DIFFOP_ADD)
+ {
continue;
+ }
alg = tuple->rdata.data[3];
if (alg == DST_ALG_RSASHA1) {
@@ -17947,19 +18132,21 @@ dnskey_sane(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
/* Check existing DB for NSEC-only DNSKEY */
if (!nseconly) {
result = dns_nsec_nseconly(db, ver, &nseconly);
- if (result == ISC_R_NOTFOUND)
+ if (result == ISC_R_NOTFOUND) {
result = ISC_R_SUCCESS;
+ }
CHECK(result);
}
/* Check existing DB for NSEC3 */
- if (!nsec3)
+ if (!nsec3) {
CHECK(dns_nsec3_activex(db, ver, false,
privatetype, &nsec3));
+ }
/* Refuse to allow NSEC3 with NSEC-only keys */
if (nseconly && nsec3) {
- dns_zone_log(zone, ISC_LOG_ERROR,
+ dnssec_log(zone, ISC_LOG_ERROR,
"NSEC only DNSKEYs and NSEC3 chains not allowed");
goto failure;
}
@@ -18046,6 +18233,15 @@ add_chains(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
return (result);
}
+static void
+dnssec_report(const char *format, ...) {
+ va_list args;
+ va_start(args, format);
+ isc_log_vwrite(dns_lctx, DNS_LOGCATEGORY_DNSSEC, DNS_LOGMODULE_ZONE,
+ ISC_LOG_INFO, format, args);
+ va_end(args);
+}
+
static void
zone_rekey(dns_zone_t *zone) {
isc_result_t result;
@@ -18054,15 +18250,15 @@ zone_rekey(dns_zone_t *zone) {
dns_dbversion_t *ver = NULL;
dns_rdataset_t cdsset, soaset, soasigs, keyset, keysigs, cdnskeyset;
dns_dnsseckeylist_t dnskeys, keys, rmkeys;
- dns_dnsseckey_t *key;
+ dns_dnsseckey_t *key = NULL;
dns_diff_t diff, _sig_diff;
dns__zonediff_t zonediff;
bool commit = false, newactive = false;
bool newalg = false;
bool fullsign;
dns_ttl_t ttl = 3600;
- const char *dir;
- isc_mem_t *mctx;
+ const char *dir = NULL;
+ isc_mem_t *mctx = NULL;
isc_stdtime_t now;
isc_time_t timenow;
isc_interval_t ival;
@@ -18092,7 +18288,7 @@ zone_rekey(dns_zone_t *zone) {
TIME_NOW(&timenow);
now = isc_time_seconds(&timenow);
- dns_zone_log(zone, ISC_LOG_INFO, "reconfiguring zone keys");
+ dnssec_log(zone, ISC_LOG_INFO, "reconfiguring zone keys");
/* Get the SOA record's TTL */
CHECK(dns_db_findrdataset(db, node, ver, dns_rdatatype_soa,
@@ -18110,8 +18306,9 @@ zone_rekey(dns_zone_t *zone) {
&keysigs, &soasigs,
false, false,
&dnskeys));
- } else if (result != ISC_R_NOTFOUND)
+ } else if (result != ISC_R_NOTFOUND) {
goto failure;
+ }
/* Get the CDS rdataset */
@@ -18124,7 +18321,9 @@ zone_rekey(dns_zone_t *zone) {
result = dns_db_findrdataset(db, node, ver, dns_rdatatype_cdnskey,
dns_rdatatype_none, 0, &cdnskeyset, NULL);
if (result != ISC_R_SUCCESS && dns_rdataset_isassociated(&cdnskeyset))
+ {
dns_rdataset_disassociate(&cdnskeyset);
+ }
/*
* True when called from "rndc sign". Indicates the zone should be
@@ -18140,16 +18339,16 @@ zone_rekey(dns_zone_t *zone) {
result = dns_dnssec_updatekeys(&dnskeys, &keys, &rmkeys,
&zone->origin, ttl, &diff,
- !check_ksk,
- mctx, logmsg);
+ !check_ksk, mctx,
+ dnssec_report);
/*
* Keys couldn't be updated for some reason;
* try again later.
*/
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR, "zone_rekey:"
- "couldn't update zone keys: %s",
- isc_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "zone_rekey:couldn't update zone keys: %s",
+ isc_result_totext(result));
goto failure;
}
@@ -18160,9 +18359,9 @@ zone_rekey(dns_zone_t *zone) {
&cdnskeyset, now, ttl,
&diff, mctx);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR, "zone_rekey:"
- "couldn't update CDS/CDNSKEY: %s",
- isc_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "zone_rekey:couldn't update CDS/CDNSKEY: %s",
+ isc_result_totext(result));
goto failure;
}
@@ -18175,9 +18374,11 @@ zone_rekey(dns_zone_t *zone) {
*/
for (key = ISC_LIST_HEAD(dnskeys);
key != NULL;
- key = ISC_LIST_NEXT(key, link)) {
- if (!key->first_sign)
+ key = ISC_LIST_NEXT(key, link))
+ {
+ if (!key->first_sign) {
continue;
+ }
newactive = true;
@@ -18200,7 +18401,8 @@ zone_rekey(dns_zone_t *zone) {
}
if ((newactive || fullsign || !ISC_LIST_EMPTY(diff.tuples)) &&
- dnskey_sane(zone, db, ver, &diff)) {
+ dnskey_sane(zone, db, ver, &diff))
+ {
CHECK(dns_diff_apply(&diff, db, ver));
CHECK(clean_nsec3param(zone, db, ver, &diff));
CHECK(add_signing_records(db, zone->privatetype,
@@ -18232,15 +18434,16 @@ zone_rekey(dns_zone_t *zone) {
if (!ISC_LIST_EMPTY(rmkeys)) {
for (key = ISC_LIST_HEAD(rmkeys);
key != NULL;
- key = ISC_LIST_NEXT(key, link)) {
+ key = ISC_LIST_NEXT(key, link))
+ {
result = zone_signwithkey(zone,
dst_key_alg(key->key),
dst_key_id(key->key),
true);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_signwithkey failed: %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "zone_signwithkey failed: %s",
+ dns_result_totext(result));
}
}
}
@@ -18252,18 +18455,20 @@ zone_rekey(dns_zone_t *zone) {
*/
for (key = ISC_LIST_HEAD(dnskeys);
key != NULL;
- key = ISC_LIST_NEXT(key, link)) {
- if (!key->force_sign && !key->hint_sign)
+ key = ISC_LIST_NEXT(key, link))
+ {
+ if (!key->force_sign && !key->hint_sign) {
continue;
+ }
result = zone_signwithkey(zone,
dst_key_alg(key->key),
dst_key_id(key->key),
false);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_signwithkey failed: %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "zone_signwithkey failed: %s",
+ dns_result_totext(result));
}
}
} else if (newalg) {
@@ -18275,18 +18480,20 @@ zone_rekey(dns_zone_t *zone) {
*/
for (key = ISC_LIST_HEAD(dnskeys);
key != NULL;
- key = ISC_LIST_NEXT(key, link)) {
- if (!key->first_sign)
+ key = ISC_LIST_NEXT(key, link))
+ {
+ if (!key->first_sign) {
continue;
+ }
result = zone_signwithkey(zone,
dst_key_alg(key->key),
dst_key_id(key->key),
false);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_signwithkey failed: %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "zone_signwithkey failed: %s",
+ dns_result_totext(result));
}
}
}
@@ -18303,28 +18510,35 @@ zone_rekey(dns_zone_t *zone) {
*/
for (tuple = ISC_LIST_HEAD(zonediff.diff->tuples);
tuple != NULL;
- tuple = ISC_LIST_NEXT(tuple, link)) {
+ tuple = ISC_LIST_NEXT(tuple, link))
+ {
unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdata_nsec3param_t nsec3param;
if (tuple->rdata.type != zone->privatetype ||
tuple->op != DNS_DIFFOP_ADD)
+ {
continue;
+ }
if (!dns_nsec3param_fromprivate(&tuple->rdata, &rdata,
buf, sizeof(buf)))
+ {
continue;
+ }
+
result = dns_rdata_tostruct(&rdata, &nsec3param, NULL);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
- if (nsec3param.flags == 0)
+ if (nsec3param.flags == 0) {
continue;
+ }
result = zone_addnsec3chain(zone, &nsec3param);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_addnsec3chain failed: %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "zone_addnsec3chain failed: %s",
+ dns_result_totext(result));
}
}
@@ -18332,8 +18546,9 @@ zone_rekey(dns_zone_t *zone) {
* Activate any NSEC3 chain updates that may have
* been scheduled before this rekey.
*/
- if (fullsign || newalg)
+ if (fullsign || newalg) {
resume_addnsec3chain(zone);
+ }
/*
* Schedule the next resigning event
@@ -18361,16 +18576,19 @@ zone_rekey(dns_zone_t *zone) {
for (key = ISC_LIST_HEAD(dnskeys);
key != NULL;
- key = ISC_LIST_NEXT(key, link)) {
+ key = ISC_LIST_NEXT(key, link))
+ {
then = now;
result = next_keyevent(key->key, &then);
- if (result != ISC_R_SUCCESS)
+ if (result != ISC_R_SUCCESS) {
continue;
+ }
DNS_ZONE_TIME_ADD(&timenow, then - now, &timethen);
LOCK_ZONE(zone);
if (isc_time_compare(&timethen,
- &zone->refreshkeytime) < 0) {
+ &zone->refreshkeytime) < 0)
+ {
zone->refreshkeytime = timethen;
}
UNLOCK_ZONE(zone);
@@ -18379,10 +18597,22 @@ zone_rekey(dns_zone_t *zone) {
zone_settimer(zone, &timenow);
isc_time_formattimestamp(&zone->refreshkeytime, timebuf, 80);
- dns_zone_log(zone, ISC_LOG_INFO, "next key event: %s", timebuf);
+ dnssec_log(zone, ISC_LOG_INFO, "next key event: %s", timebuf);
+ }
+
+ result = ISC_R_SUCCESS;
+
+ failure:
+ if (result != ISC_R_SUCCESS) {
+ /*
+ * Something went wrong; try again in ten minutes or
+ * after a key refresh interval, whichever is shorter.
+ */
+ isc_interval_set(&ival,
+ ISC_MIN(zone->refreshkeyinterval, 600), 0);
+ isc_time_nowplusinterval(&zone->refreshkeytime, &ival);
}
- done:
dns_diff_clear(&diff);
dns_diff_clear(&_sig_diff);
@@ -18390,34 +18620,32 @@ zone_rekey(dns_zone_t *zone) {
clear_keylist(&keys, mctx);
clear_keylist(&rmkeys, mctx);
- if (ver != NULL)
+ if (ver != NULL) {
dns_db_closeversion(db, &ver, false);
- if (dns_rdataset_isassociated(&cdsset))
+ }
+ if (dns_rdataset_isassociated(&cdsset)) {
dns_rdataset_disassociate(&cdsset);
- if (dns_rdataset_isassociated(&keyset))
+ }
+ if (dns_rdataset_isassociated(&keyset)) {
dns_rdataset_disassociate(&keyset);
- if (dns_rdataset_isassociated(&keysigs))
+ }
+ if (dns_rdataset_isassociated(&keysigs)) {
dns_rdataset_disassociate(&keysigs);
- if (dns_rdataset_isassociated(&soasigs))
+ }
+ if (dns_rdataset_isassociated(&soasigs)) {
dns_rdataset_disassociate(&soasigs);
- if (dns_rdataset_isassociated(&cdnskeyset))
+ }
+ if (dns_rdataset_isassociated(&cdnskeyset)) {
dns_rdataset_disassociate(&cdnskeyset);
- if (node != NULL)
+ }
+ if (node != NULL) {
dns_db_detachnode(db, &node);
- if (db != NULL)
+ }
+ if (db != NULL) {
dns_db_detach(&db);
+ }
INSIST(ver == NULL);
- return;
-
- failure:
- /*
- * Something went wrong; try again in ten minutes or
- * after a key refresh interval, whichever is shorter.
- */
- isc_interval_set(&ival, ISC_MIN(zone->refreshkeyinterval, 600), 0);
- isc_time_nowplusinterval(&zone->refreshkeytime, &ival);
- goto done;
}
void
@@ -18825,24 +19053,27 @@ keydone(isc_task_t *task, isc_event_t *event) {
dns_diff_init(zone->mctx, &diff);
ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
- if (zone->db != NULL)
+ if (zone->db != NULL) {
dns_db_attach(zone->db, &db);
+ }
ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
- if (db == NULL)
+ if (db == NULL) {
goto failure;
+ }
dns_db_currentversion(db, &oldver);
result = dns_db_newversion(db, &newver);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "keydone:dns_db_newversion -> %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "keydone:dns_db_newversion -> %s",
+ dns_result_totext(result));
goto failure;
}
result = dns_db_getoriginnode(db, &node);
- if (result != ISC_R_SUCCESS)
+ if (result != ISC_R_SUCCESS) {
goto failure;
+ }
result = dns_db_findrdataset(db, node, newver, zone->privatetype,
dns_rdatatype_none, 0, &rdataset, NULL);
@@ -18857,7 +19088,8 @@ keydone(isc_task_t *task, isc_event_t *event) {
for (result = dns_rdataset_first(&rdataset);
result == ISC_R_SUCCESS;
- result = dns_rdataset_next(&rdataset)) {
+ result = dns_rdataset_next(&rdataset))
+ {
bool found = false;
dns_rdataset_current(&rdataset, &rdata);
@@ -18865,20 +19097,25 @@ keydone(isc_task_t *task, isc_event_t *event) {
if (kd->all) {
if (rdata.length == 5 && rdata.data[0] != 0 &&
rdata.data[3] == 0 && rdata.data[4] == 1)
+ {
found = true;
- else if (rdata.data[0] == 0 &&
- (rdata.data[2] & PENDINGFLAGS) != 0) {
+ } else if (rdata.data[0] == 0 &&
+ (rdata.data[2] & PENDINGFLAGS) != 0)
+ {
found = true;
clear_pending = true;
}
} else if (rdata.length == 5 &&
memcmp(rdata.data, kd->data, 5) == 0)
+ {
found = true;
+ }
- if (found)
+ if (found) {
CHECK(update_one_rr(db, newver, &diff, DNS_DIFFOP_DEL,
&zone->origin, rdataset.ttl,
&rdata));
+ }
dns_rdata_reset(&rdata);
}
@@ -18890,8 +19127,9 @@ keydone(isc_task_t *task, isc_event_t *event) {
result = dns_update_signatures(&log, zone, db,
oldver, newver, &diff,
zone->sigvalidityinterval);
- if (!clear_pending)
+ if (!clear_pending) {
CHECK(result);
+ }
CHECK(zone_journal(zone, &diff, NULL, "keydone"));
commit = true;
@@ -18903,15 +19141,19 @@ keydone(isc_task_t *task, isc_event_t *event) {
}
failure:
- if (dns_rdataset_isassociated(&rdataset))
+ if (dns_rdataset_isassociated(&rdataset)) {
dns_rdataset_disassociate(&rdataset);
+ }
if (db != NULL) {
- if (node != NULL)
+ if (node != NULL) {
dns_db_detachnode(db, &node);
- if (oldver != NULL)
+ }
+ if (oldver != NULL) {
dns_db_closeversion(db, &oldver, false);
- if (newver != NULL)
+ }
+ if (newver != NULL) {
dns_db_closeversion(db, &newver, commit);
+ }
dns_db_detach(&db);
}
dns_diff_clear(&diff);
@@ -18942,9 +19184,9 @@ dns_zone_keydone(dns_zone_t *zone, const char *keystr) {
}
kd = (struct keydone *) e;
- if (strcasecmp(keystr, "all") == 0)
+ if (strcasecmp(keystr, "all") == 0) {
kd->all = true;
- else {
+ } else {
isc_textregion_t r;
const char *algstr;
dns_keytag_t keyid;
@@ -18954,14 +19196,16 @@ dns_zone_keydone(dns_zone_t *zone, const char *keystr) {
kd->all = false;
n = sscanf(keystr, "%hu/", &keyid);
- if (n == 0U)
+ if (n == 0U) {
CHECK(ISC_R_FAILURE);
+ }
algstr = strchr(keystr, '/');
- if (algstr != NULL)
+ if (algstr != NULL) {
algstr++;
- else
+ } else {
CHECK(ISC_R_FAILURE);
+ }
n = sscanf(algstr, "%hhu", &alg);
if (n == 0U) {
@@ -18983,8 +19227,9 @@ dns_zone_keydone(dns_zone_t *zone, const char *keystr) {
isc_task_send(zone->task, &e);
failure:
- if (e != NULL)
+ if (e != NULL) {
isc_event_free(&e);
+ }
UNLOCK_ZONE(zone);
return (result);
}
@@ -19030,19 +19275,21 @@ setnsec3param(isc_task_t *task, isc_event_t *event) {
dns_diff_init(zone->mctx, &diff);
ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
- if (zone->db != NULL)
+ if (zone->db != NULL) {
dns_db_attach(zone->db, &db);
+ }
ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
- if (db == NULL)
+ if (db == NULL) {
goto failure;
+ }
dns_db_currentversion(db, &oldver);
result = dns_db_newversion(db, &newver);
if (result != ISC_R_SUCCESS) {
ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
- dns_zone_log(zone, ISC_LOG_ERROR,
- "setnsec3param:dns_db_newversion -> %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "setnsec3param:dns_db_newversion -> %s",
+ dns_result_totext(result));
goto failure;
}
@@ -19056,12 +19303,14 @@ setnsec3param(isc_task_t *task, isc_event_t *event) {
if (result == ISC_R_SUCCESS) {
for (result = dns_rdataset_first(&prdataset);
result == ISC_R_SUCCESS;
- result = dns_rdataset_next(&prdataset)) {
+ result = dns_rdataset_next(&prdataset))
+ {
dns_rdata_init(&rdata);
dns_rdataset_current(&prdataset, &rdata);
if (np->length == rdata.length &&
- memcmp(rdata.data, np->data, np->length) == 0) {
+ memcmp(rdata.data, np->data, np->length) == 0)
+ {
exists = true;
break;
}
@@ -19080,7 +19329,8 @@ setnsec3param(isc_task_t *task, isc_event_t *event) {
if (result == ISC_R_SUCCESS) {
for (result = dns_rdataset_first(&nrdataset);
result == ISC_R_SUCCESS;
- result = dns_rdataset_next(&nrdataset)) {
+ result = dns_rdataset_next(&nrdataset))
+ {
dns_rdata_init(&rdata);
dns_rdataset_current(&nrdataset, &rdata);
@@ -19103,9 +19353,10 @@ setnsec3param(isc_task_t *task, isc_event_t *event) {
* parameters are supposed to replace the current ones or if we are
* switching to NSEC.
*/
- if (!exists && np->replace && (np->length != 0 || np->nsec))
+ if (!exists && np->replace && (np->length != 0 || np->nsec)) {
CHECK(dns_nsec3param_deletechains(db, newver, zone,
!np->nsec, &diff));
+ }
if (!exists && np->length != 0) {
/*
@@ -19122,8 +19373,9 @@ setnsec3param(isc_task_t *task, isc_event_t *event) {
np->data[2] |= DNS_NSEC3FLAG_CREATE;
result = dns_nsec_nseconly(db, newver, &nseconly);
- if (result == ISC_R_NOTFOUND || nseconly)
+ if (result == ISC_R_NOTFOUND || nseconly) {
np->data[2] |= DNS_NSEC3FLAG_INITIAL;
+ }
rdata.length = np->length;
rdata.data = np->data;
@@ -19145,8 +19397,9 @@ setnsec3param(isc_task_t *task, isc_event_t *event) {
result = dns_update_signatures(&log, zone, db,
oldver, newver, &diff,
zone->sigvalidityinterval);
- if (result != ISC_R_NOTFOUND)
+ if (result != ISC_R_NOTFOUND) {
CHECK(result);
+ }
CHECK(zone_journal(zone, &diff, NULL, "setnsec3param"));
commit = true;
@@ -19157,18 +19410,24 @@ setnsec3param(isc_task_t *task, isc_event_t *event) {
}
failure:
- if (dns_rdataset_isassociated(&prdataset))
+ if (dns_rdataset_isassociated(&prdataset)) {
dns_rdataset_disassociate(&prdataset);
- if (dns_rdataset_isassociated(&nrdataset))
+ }
+ if (dns_rdataset_isassociated(&nrdataset)) {
dns_rdataset_disassociate(&nrdataset);
- if (node != NULL)
+ }
+ if (node != NULL) {
dns_db_detachnode(db, &node);
- if (oldver != NULL)
+ }
+ if (oldver != NULL) {
dns_db_closeversion(db, &oldver, false);
- if (newver != NULL)
+ }
+ if (newver != NULL) {
dns_db_closeversion(db, &newver, commit);
- if (db != NULL)
+ }
+ if (db != NULL) {
dns_db_detach(&db);
+ }
if (commit) {
LOCK_ZONE(zone);
resume_addnsec3chain(zone);
@@ -19274,8 +19533,9 @@ dns_zone_setnsec3param(dns_zone_t *zone, uint8_t hash, uint8_t flags,
ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
failure:
- if (e != NULL)
+ if (e != NULL) {
isc_event_free(&e);
+ }
UNLOCK_ZONE(zone);
return (result);
}
@@ -19566,9 +19826,8 @@ dns_zone_verifydb(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver) {
}
if (result != ISC_R_SUCCESS) {
- dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, ISC_LOG_ERROR,
- "zone verification failed: %s",
- isc_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR, "zone verification failed: %s",
+ isc_result_totext(result));
result = DNS_R_VERIFYFAILURE;
}