From 308ab1b4a5c5239860ca06c64b0def9b98ae4b17 Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Sun, 20 Jan 2019 10:13:07 -0800 Subject: [PATCH 1/7] style cleanups --- lib/dns/dnssec.c | 42 ++- lib/dns/zone.c | 831 +++++++++++++++++++++++++++++++---------------- 2 files changed, 573 insertions(+), 300 deletions(-) diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c index 420c93aa05..322a92d524 100644 --- a/lib/dns/dnssec.c +++ b/lib/dns/dnssec.c @@ -2048,9 +2048,11 @@ dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys, */ for (key = ISC_LIST_HEAD(*keys); key != NULL; - key = ISC_LIST_NEXT(key, link)) { + key = ISC_LIST_NEXT(key, link)) + { if (key->source == dns_keysource_user && - (key->hint_publish || key->force_publish)) { + (key->hint_publish || key->force_publish)) + { RETERR(publish_key(diff, key, origin, ttl, mctx, allzsk, report)); } @@ -2069,15 +2071,19 @@ dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys, for (key = ISC_LIST_HEAD(*newkeys); key != NULL; - key = ISC_LIST_NEXT(key, link)) { + key = ISC_LIST_NEXT(key, link)) + { dns_ttl_t thisttl = dst_key_getttl(key->key); if (thisttl != 0 && (shortest == 0 || thisttl < shortest)) + { shortest = thisttl; + } } - if (shortest != 0) + if (shortest != 0) { ttl = shortest; + } } /* @@ -2091,15 +2097,16 @@ dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys, for (key2 = ISC_LIST_HEAD(*keys); key2 != NULL; - key2 = ISC_LIST_NEXT(key2, link)) { + key2 = ISC_LIST_NEXT(key2, link)) + { int f1 = dst_key_flags(key1->key); int f2 = dst_key_flags(key2->key); int nr1 = f1 & ~DNS_KEYFLAG_REVOKE; int nr2 = f2 & ~DNS_KEYFLAG_REVOKE; if (nr1 == nr2 && dst_key_alg(key1->key) == dst_key_alg(key2->key) && - dst_key_pubcompare(key1->key, key2->key, - true)) { + dst_key_pubcompare(key1->key, key2->key, true)) + { int r1, r2; r1 = dst_key_flags(key1->key) & DNS_KEYFLAG_REVOKE; 
@@ -2116,11 +2123,13 @@ dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys, ISC_LIST_APPEND(*keys, key1, link); if (key1->source != dns_keysource_zoneapex && - (key1->hint_publish || key1->force_publish)) { + (key1->hint_publish || key1->force_publish)) + { RETERR(publish_key(diff, key1, origin, ttl, mctx, allzsk, report)); - if (key1->hint_sign || key1->force_sign) + if (key1->hint_sign || key1->force_sign) { key1->first_sign = true; + } } continue; @@ -2131,12 +2140,14 @@ dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys, RETERR(remove_key(diff, key2, origin, ttl, mctx, "expired", report)); ISC_LIST_UNLINK(*keys, key2, link); - if (removed != NULL) + if (removed != NULL) { ISC_LIST_APPEND(*removed, key2, link); - else + } else { dns_dnsseckey_destroy(mctx, &key2); + } } else if (key_revoked && - (dst_key_flags(key1->key) & DNS_KEYFLAG_REVOKE) != 0) { + (dst_key_flags(key1->key) & DNS_KEYFLAG_REVOKE) != 0) + { /* * A previously valid key has been revoked. @@ -2146,10 +2157,11 @@ dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys, RETERR(remove_key(diff, key2, origin, ttl, mctx, "revoked", report)); ISC_LIST_UNLINK(*keys, key2, link); - if (removed != NULL) + if (removed != NULL) { ISC_LIST_APPEND(*removed, key2, link); - else + } else { dns_dnsseckey_destroy(mctx, &key2); + } RETERR(publish_key(diff, key1, origin, ttl, mctx, allzsk, report)); @@ -2169,7 +2181,9 @@ dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys, } else { if (!key2->is_active && (key1->hint_sign || key1->force_sign)) + { key2->first_sign = true; + } key2->hint_sign = key1->hint_sign; key2->hint_publish = key1->hint_publish; } diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 385ee31616..ed7c0925d1 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c 
@@ -3193,15 +3193,17 @@ zone_check_dnskeys(dns_zone_t *zone, dns_db_t *db) { const char *algorithm; result = dns_db_findnode(db, &zone->origin, false, &node); - if (result != ISC_R_SUCCESS) + if (result != ISC_R_SUCCESS) { goto cleanup; + } dns_db_currentversion(db, &version); dns_rdataset_init(&rdataset); result = dns_db_findrdataset(db, node, version, dns_rdatatype_dnskey, dns_rdatatype_none, 0, &rdataset, NULL); - if (result != ISC_R_SUCCESS) + if (result != ISC_R_SUCCESS) { goto cleanup; + } for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS; @@ -3248,10 +3250,12 @@ zone_check_dnskeys(dns_zone_t *zone, dns_db_t *db) { dns_rdataset_disassociate(&rdataset); cleanup: - if (node != NULL) + if (node != NULL) { dns_db_detachnode(db, &node); - if (version != NULL) + } + if (version != NULL) { dns_db_closeversion(db, &version, false); + } } static void @@ -3264,15 +3268,18 @@ resume_signingwithkey(dns_zone_t *zone) { dns_db_t *db = NULL; ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read); - if (zone->db != NULL) + if (zone->db != NULL) { dns_db_attach(zone->db, &db); + } ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read); - if (db == NULL) + if (db == NULL) { goto cleanup; + } result = dns_db_findnode(db, &zone->origin, false, &node); - if (result != ISC_R_SUCCESS) + if (result != ISC_R_SUCCESS) { goto cleanup; + } dns_db_currentversion(db, &version); dns_rdataset_init(&rdataset); @@ -3291,7 +3298,8 @@ resume_signingwithkey(dns_zone_t *zone) { { dns_rdataset_current(&rdataset, &rdata); if (rdata.length != 5 || - rdata.data[0] == 0 || rdata.data[4] != 0) { + rdata.data[0] == 0 || rdata.data[4] != 0) + { dns_rdata_reset(&rdata); continue; } @@ -3310,10 +3318,12 @@ resume_signingwithkey(dns_zone_t *zone) { cleanup: if (db != NULL) { - if (node != NULL) + if (node != NULL) { dns_db_detachnode(db, &node); - if (version != NULL) + } + if (version != NULL) { dns_db_closeversion(db, &version, false); + } dns_db_detach(&db); } } 
@@ -3337,8 +3347,9 @@ zone_addnsec3chain(dns_zone_t *zone, dns_rdata_nsec3param_t *nsec3param) { dns_db_t *db = NULL; ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read); - if (zone->db != NULL) + if (zone->db != NULL) { dns_db_attach(zone->db, &db); + } ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read); if (db == NULL) { @@ -3390,36 +3401,40 @@ zone_addnsec3chain(dns_zone_t *zone, dns_rdata_nsec3param_t *nsec3param) { /* * Log NSEC3 parameters defined by supplied NSEC3PARAM RDATA. */ - if (nsec3param->flags == 0) + if (nsec3param->flags == 0) { strlcpy(flags, "NONE", sizeof(flags)); - else { + } else { flags[0] = '\0'; if ((nsec3param->flags & DNS_NSEC3FLAG_REMOVE) != 0) { strlcat(flags, "REMOVE", sizeof(flags)); } if ((nsec3param->flags & DNS_NSEC3FLAG_INITIAL) != 0) { - if (flags[0] == '\0') + if (flags[0] == '\0') { strlcpy(flags, "INITIAL", sizeof(flags)); - else + } else { strlcat(flags, "|INITIAL", sizeof(flags)); + } } if ((nsec3param->flags & DNS_NSEC3FLAG_CREATE) != 0) { - if (flags[0] == '\0') + if (flags[0] == '\0') { strlcpy(flags, "CREATE", sizeof(flags)); - else + } else { strlcat(flags, "|CREATE", sizeof(flags)); + } } if ((nsec3param->flags & DNS_NSEC3FLAG_NONSEC) != 0) { - if (flags[0] == '\0') + if (flags[0] == '\0') { strlcpy(flags, "NONSEC", sizeof(flags)); - else + } else { strlcat(flags, "|NONSEC", sizeof(flags)); + } } if ((nsec3param->flags & DNS_NSEC3FLAG_OPTOUT) != 0) { - if (flags[0] == '\0') + if (flags[0] == '\0') { strlcpy(flags, "OPTOUT", sizeof(flags)); - else + } else { strlcat(flags, "|OPTOUT", sizeof(flags)); + } } } result = dns_nsec3param_salttotext(nsec3param, saltbuf, 
@@ -3437,14 +3452,19 @@ zone_addnsec3chain(dns_zone_t *zone, dns_rdata_nsec3param_t *nsec3param) { */ for (current = ISC_LIST_HEAD(zone->nsec3chain); current != NULL; - current = ISC_LIST_NEXT(current, link)) { - if (current->db == db && - current->nsec3param.hash == nsec3param->hash && - current->nsec3param.iterations == nsec3param->iterations && - current->nsec3param.salt_length == nsec3param->salt_length - && !memcmp(current->nsec3param.salt, nsec3param->salt, - nsec3param->salt_length)) + current = ISC_LIST_NEXT(current, link)) + { + if ((current->db == db) && + (current->nsec3param.hash == nsec3param->hash) && + (current->nsec3param.iterations == + nsec3param->iterations) && + (current->nsec3param.salt_length == + nsec3param->salt_length) && + memcmp(current->nsec3param.salt, nsec3param->salt, + nsec3param->salt_length) == 0) + { current->done = true; + } } /* @@ -3453,12 +3473,14 @@ zone_addnsec3chain(dns_zone_t *zone, dns_rdata_nsec3param_t *nsec3param) { * creating NSEC3 records for NSEC3 records. */ dns_db_attach(db, &nsec3chain->db); - if ((nsec3chain->nsec3param.flags & DNS_NSEC3FLAG_CREATE) != 0) + if ((nsec3chain->nsec3param.flags & DNS_NSEC3FLAG_CREATE) != 0) { options = DNS_DB_NONSEC3; + } result = dns_db_createiterator(nsec3chain->db, options, &nsec3chain->dbiterator); - if (result == ISC_R_SUCCESS) + if (result == ISC_R_SUCCESS) { result = dns_dbiterator_first(nsec3chain->dbiterator); + } if (result == ISC_R_SUCCESS) { /* * Database iterator initialization succeeded. We are now 
@@ -3475,22 +3497,26 @@ zone_addnsec3chain(dns_zone_t *zone, dns_rdata_nsec3param_t *nsec3param) { if (isc_time_isepoch(&zone->nsec3chaintime)) { TIME_NOW(&now); zone->nsec3chaintime = now; - if (zone->task != NULL) + if (zone->task != NULL) { zone_settimer(zone, &now); + } } } if (nsec3chain != NULL) { - if (nsec3chain->db != NULL) + if (nsec3chain->db != NULL) { dns_db_detach(&nsec3chain->db); - if (nsec3chain->dbiterator != NULL) + } + if (nsec3chain->dbiterator != NULL) { dns_dbiterator_destroy(&nsec3chain->dbiterator); + } isc_mem_put(zone->mctx, nsec3chain, sizeof *nsec3chain); } cleanup: - if (db != NULL) + if (db != NULL) { dns_db_detach(&db); + } return (result); } @@ -3517,15 +3543,18 @@ resume_addnsec3chain(dns_zone_t *zone) { return; ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read); - if (zone->db != NULL) + if (zone->db != NULL) { dns_db_attach(zone->db, &db); + } ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read); - if (db == NULL) + if (db == NULL) { goto cleanup; + } result = dns_db_findnode(db, &zone->origin, false, &node); - if (result != ISC_R_SUCCESS) + if (result != ISC_R_SUCCESS) { goto cleanup; + } dns_db_currentversion(db, &version); @@ -3564,7 +3593,9 @@ resume_addnsec3chain(dns_zone_t *zone) { */ if (!dns_nsec3param_fromprivate(&private, &rdata, buf, sizeof(buf))) + { continue; + } result = dns_rdata_tostruct(&rdata, &nsec3param, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); if (((nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0) || @@ -3584,12 +3615,15 @@ resume_addnsec3chain(dns_zone_t *zone) { } } dns_rdataset_disassociate(&rdataset); + cleanup: if (db != NULL) { - if (node != NULL) + if (node != NULL) { dns_db_detachnode(db, &node); - if (version != NULL) + } + if (version != NULL) { dns_db_closeversion(db, &version, false); + } dns_db_detach(&db); } } 
@@ -3649,8 +3683,8 @@ check_nsec3param(dns_zone_t *zone, dns_db_t *db) { bool ok = false; isc_result_t result; dns_rdata_t rdata = DNS_RDATA_INIT; - bool dynamic = (zone->type == dns_zone_master) ? - dns_zone_isdynamic(zone, false) : false; + bool dynamic = (zone->type == dns_zone_master) + ? dns_zone_isdynamic(zone, false) : false; dns_rdataset_init(&rdataset); result = dns_db_findnode(db, &zone->origin, false, &node); @@ -3712,11 +3746,13 @@ check_nsec3param(dns_zone_t *zone, dns_db_t *db) { dns_zone_log(zone, ISC_LOG_WARNING, "unsupported nsec3 hash algorithm: %u", nsec3param.hash); - } else + } else { ok = true; + } } - if (result == ISC_R_NOMORE) + if (result == ISC_R_NOMORE) { result = ISC_R_SUCCESS; + } if (!ok) { result = DNS_R_BADZONE; @@ -3725,8 +3761,9 @@ check_nsec3param(dns_zone_t *zone, dns_db_t *db) { } cleanup: - if (dns_rdataset_isassociated(&rdataset)) + if (dns_rdataset_isassociated(&rdataset)) { dns_rdataset_disassociate(&rdataset); + } dns_db_closeversion(db, &version, false); dns_db_detachnode(db, &node); return (result); @@ -3979,14 +4016,16 @@ load_secroots(dns_zone_t *zone, dns_name_t *name, dns_rdataset_t *rdataset) { /* Now insert all the accepted trust anchors from this keydata set. */ for (result = dns_rdataset_first(rdataset); result == ISC_R_SUCCESS; - result = dns_rdataset_next(rdataset)) { + result = dns_rdataset_next(rdataset)) + { dns_rdata_reset(&rdata); dns_rdataset_current(rdataset, &rdata); /* Convert rdata to keydata. */ result = dns_rdata_tostruct(&rdata, &keydata, NULL); - if (result == ISC_R_UNEXPECTEDEND) + if (result == ISC_R_UNEXPECTEDEND) { continue; + } RUNTIME_CHECK(result == ISC_R_SUCCESS); /* Set the key refresh timer to force a fast refresh. */ 
@@ -4012,8 +4051,7 @@ load_secroots(dns_zone_t *zone, dns_name_t *name, dns_rdataset_t *rdataset) { /* Add to keytables. */ trusted++; - trust_key(zone, name, &dnskey, - (keydata.addhd == 0), mctx); + trust_key(zone, name, &dnskey, (keydata.addhd == 0), mctx); } if (trusted == 0 && pending != 0) { @@ -4285,7 +4323,8 @@ sync_keyzone(dns_zone_t *zone, dns_db_t *db) { dns_rriterator_init(&rrit, db, ver, 0); for (result = dns_rriterator_first(&rrit); result == ISC_R_SUCCESS; - result = dns_rriterator_nextrrset(&rrit)) { + result = dns_rriterator_nextrrset(&rrit)) + { dns_rdataset_t *rdataset = NULL; dns_name_t *rrname = NULL; uint32_t ttl; @@ -4296,8 +4335,9 @@ sync_keyzone(dns_zone_t *zone, dns_db_t *db) { goto failure; } - if (rdataset->type != dns_rdatatype_keydata) + if (rdataset->type != dns_rdatatype_keydata) { continue; + } result = dns_keytable_find(sr, rrname, &keynode); if ((result != ISC_R_SUCCESS && @@ -4311,8 +4351,9 @@ sync_keyzone(dns_zone_t *zone, dns_db_t *db) { load_secroots(zone, rrname, rdataset); } - if (keynode != NULL) + if (keynode != NULL) { dns_keytable_detachkeynode(sr, &keynode); + } } dns_rriterator_destroy(&rrit); @@ -4341,18 +4382,22 @@ sync_keyzone(dns_zone_t *zone, dns_db_t *db) { failure: if (result != ISC_R_SUCCESS && - !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED)) { + !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED)) + { dns_zone_log(zone, ISC_LOG_ERROR, "unable to synchronize managed keys: %s", dns_result_totext(result)); isc_time_settoepoch(&zone->refreshkeytime); } - if (keynode != NULL) + if (keynode != NULL) { dns_keytable_detachkeynode(sr, &keynode); - if (sr != NULL) + } + if (sr != NULL) { dns_keytable_detach(&sr); - if (ver != NULL) + } + if (ver != NULL) { dns_db_closeversion(db, &ver, commit); + } dns_diff_clear(&diff); INSIST(ver == NULL); 
@@ -4365,8 +4410,9 @@ dns_zone_synckeyzone(dns_zone_t *zone) { isc_result_t result; dns_db_t *db = NULL; - if (zone->type != dns_zone_key) + if (zone->type != dns_zone_key) { return (DNS_R_BADZONE); + } CHECK(dns_zone_getdb(zone, &db)); @@ -4375,8 +4421,9 @@ dns_zone_synckeyzone(dns_zone_t *zone) { UNLOCK_ZONE(zone); failure: - if (db != NULL) + if (db != NULL) { dns_db_detach(&db); + } return (result); } @@ -4399,8 +4446,8 @@ maybe_send_secure(dns_zone_t *zone) { unsigned int soacount; result = zone_get_from_db(zone->raw, zone->raw->db, - NULL, &soacount, &serial, NULL, - NULL, NULL, NULL, NULL); + NULL, &soacount, &serial, + NULL, NULL, NULL, NULL, NULL); if (result == ISC_R_SUCCESS && soacount > 0U) zone_send_secureserial(zone->raw, serial); } else @@ -4445,8 +4492,9 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime, dns_include_t *inc; INSIST(LOCKED_ZONE(zone)); - if (inline_raw(zone)) + if (inline_raw(zone)) { INSIST(LOCKED_ZONE(zone->secure)); + } TIME_NOW(&now); @@ -4460,18 +4508,20 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime, zone->type == dns_zone_mirror || zone->type == dns_zone_stub || (zone->type == dns_zone_redirect && - zone->masters == NULL)) { - if (result == ISC_R_FILENOTFOUND) + zone->masters == NULL)) + { + if (result == ISC_R_FILENOTFOUND) { dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, ISC_LOG_DEBUG(1), "no master file"); - else if (result != DNS_R_NOMASTERFILE) + } else if (result != DNS_R_NOMASTERFILE) { dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, ISC_LOG_ERROR, "loading from master file %s " "failed: %s", zone->masterfile, dns_result_totext(result)); + } } else if (zone->type == dns_zone_master && inline_secure(zone) && result == ISC_R_FILENOTFOUND) { 
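Review bot: In the maybe_send_secure hunk the bracing pass stops short: `if (result == ISC_R_SUCCESS && soacount > 0U) zone_send_secureserial(zone->raw, serial);` and the `} else` that follows are left as unbraced context lines even though the argument list directly above them is being reflowed. Since the stated purpose of this commit is to brace every control body, it would be consistent to touch this one as well: `if (result == ISC_R_SUCCESS && soacount > 0U) { zone_send_secureserial(zone->raw, serial); }`. The `else` branch continues past the end of the hunk, so its body is not visible here.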
@@ -4491,18 +4541,20 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime, nomaster = true; } - if (zone->type != dns_zone_key) + if (zone->type != dns_zone_key) { goto cleanup; + } } dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, ISC_LOG_DEBUG(2), "number of nodes in database: %u", dns_db_nodecount(db)); - if (result == DNS_R_SEENINCLUDE) + if (result == DNS_R_SEENINCLUDE) { DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_HASINCLUDE); - else + } else { DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_HASINCLUDE); + } /* * If there's no master file for a key zone, then the zone is new: @@ -4512,8 +4564,9 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime, */ if (nomaster && zone->type == dns_zone_key) { result = add_soa(zone, db); - if (result != ISC_R_SUCCESS) + if (result != ISC_R_SUCCESS) { goto cleanup; + } } /* @@ -4555,8 +4608,9 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime, "journal rollforward completed " "successfully: %s", dns_result_totext(result)); - if (result == ISC_R_SUCCESS) + if (result == ISC_R_SUCCESS) { needdump = true; + } } /* @@ -4577,7 +4631,8 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime, * updates otherwise. */ if (zone->journal != NULL && dns_zone_isdynamic(zone, true) && - ! DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IXFRFROMDIFFS)) { + ! DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IXFRFROMDIFFS)) + { uint32_t jserial; dns_journal_t *journal = NULL; bool empty = false; @@ -4594,11 +4649,12 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime, } if (jserial != serial) { - if (!empty) + if (!empty) { dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, ISC_LOG_INFO, "journal file is out of date: " "removing journal file"); + } if (remove(zone->journal) < 0 && errno != ENOENT) { char strbuf[ISC_STRERRORSIZE]; strerror_r(errno, strbuf, sizeof(strbuf)); 
@@ -4640,27 +4696,31 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime, "has no NS records"); result = DNS_R_BADZONE; } - if (result != ISC_R_SUCCESS) + if (result != ISC_R_SUCCESS) { goto cleanup; + } if (zone->type == dns_zone_master && errors != 0) { result = DNS_R_BADZONE; goto cleanup; } if (zone->type != dns_zone_stub && - zone->type != dns_zone_redirect) { + zone->type != dns_zone_redirect) + { result = check_nsec3param(zone, db); if (result != ISC_R_SUCCESS) goto cleanup; } if (zone->type == dns_zone_master && DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKINTEGRITY) && - !integrity_checks(zone, db)) { + !integrity_checks(zone, db)) + { result = DNS_R_BADZONE; goto cleanup; } if (zone->type == dns_zone_master && DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKDUPRR) && - !zone_check_dup(zone, db)) { + !zone_check_dup(zone, db)) + { result = DNS_R_BADZONE; goto cleanup; } @@ -4712,20 +4772,22 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime, serialmax); result = DNS_R_BADZONE; goto cleanup; - } else if (!isc_serial_ge(serial, oldserial)) + } else if (!isc_serial_ge(serial, oldserial)) { dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, ISC_LOG_ERROR, "zone serial (%u/%u) has gone " "backwards", serial, oldserial); - else if (serial == oldserial && !hasinclude && - strcmp(zone->db_argv[0], "_builtin") != 0) + } else if (serial == oldserial && !hasinclude && + strcmp(zone->db_argv[0], "_builtin") != 0) + { dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, ISC_LOG_ERROR, "zone serial (%u) unchanged. " "zone may fail to transfer " "to slaves.", serial); + } } if (zone->type == dns_zone_master && 
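Review bot: In the first zone_postload hunk on this line the newly braced `if (zone->type != dns_zone_stub && zone->type != dns_zone_redirect)` block still contains an unbraced `if (result != ISC_R_SUCCESS) goto cleanup;` immediately after the `check_nsec3param(zone, db)` call, while the identical guard two statements earlier was braced by this same hunk. For a commit whose whole point is uniform bracing, that inner line should become `if (result != ISC_R_SUCCESS) { goto cleanup; }`. zone_postload begins and ends outside this hunk.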
@@ -4752,26 +4814,32 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime, zone->type == dns_zone_mirror || zone->type == dns_zone_stub || (zone->type == dns_zone_redirect && - zone->masters != NULL)) { + zone->masters != NULL)) + { isc_time_t t; uint32_t delay; result = isc_file_getmodtime(zone->journal, &t); - if (result != ISC_R_SUCCESS) + if (result != ISC_R_SUCCESS) { result = isc_file_getmodtime(zone->masterfile, &t); - if (result == ISC_R_SUCCESS) + } + if (result == ISC_R_SUCCESS) { DNS_ZONE_TIME_ADD(&t, zone->expire, &zone->expiretime); - else + } else { DNS_ZONE_TIME_ADD(&now, zone->retry, &zone->expiretime); + } - delay = zone->retry - isc_random_uniform((zone->retry * 3) / 4); + delay = (zone->retry - + isc_random_uniform((zone->retry * 3) / 4)); DNS_ZONE_TIME_ADD(&now, delay, &zone->refreshtime); if (isc_time_compare(&zone->refreshtime, &zone->expiretime) >= 0) + { zone->refreshtime = now; + } } break; @@ -4793,23 +4861,27 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime, /* * Check for weak DNSKEY's. */ - if (zone->type == dns_zone_master) + if (zone->type == dns_zone_master) { zone_check_dnskeys(zone, db); + } /* * Schedule DNSSEC key refresh. */ if (zone->type == dns_zone_master && DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_MAINTAIN)) + { zone->refreshkeytime = now; + } ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_write); if (zone->db != NULL) { had_db = true; result = zone_replacedb(zone, db, false); ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write); - if (result != ISC_R_SUCCESS) + if (result != ISC_R_SUCCESS) { goto cleanup; + } } else { zone_attachdb(zone, db); ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write); 
@@ -4819,10 +4891,11 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime, if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_SENDSECURE) && inline_raw(zone)) { - if (zone->secure->db == NULL) + if (zone->secure->db == NULL) { zone_send_securedb(zone, db); - else + } else { zone_send_secureserial(zone, serial); + } } } @@ -4830,17 +4903,18 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime, * Finished loading inline-signing zone; need to get status * from the raw side now. */ - if (zone->type == dns_zone_master && inline_secure(zone)) + if (zone->type == dns_zone_master && inline_secure(zone)) { maybe_send_secure(zone); - + } result = ISC_R_SUCCESS; if (needdump) { - if (zone->type == dns_zone_key) + if (zone->type == dns_zone_key) { zone_needdump(zone, 30); - else + } else { zone_needdump(zone, DNS_DUMP_DELAY); + } } if (zone->task != NULL) { @@ -4853,7 +4927,8 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime, if (zone->type == dns_zone_master && !DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_NORESIGN) && dns_zone_isdynamic(zone, false) && - dns_db_issecure(db)) { + dns_db_issecure(db)) + { dns_name_t *name; dns_fixedname_t fixed; dns_rdataset_t next; @@ -4878,11 +4953,12 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime, next.resign - timenow - zone->sigresigninginterval); dns_rdataset_disassociate(&next); - } else + } else { dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, ISC_LOG_WARNING, "signed dynamic zone has no " "resign event scheduled"); + } } zone_settimer(zone, &now); @@ -4893,7 +4969,8 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime, */ for (inc = ISC_LIST_HEAD(zone->includes); inc != NULL; - inc = ISC_LIST_HEAD(zone->includes)) { + inc = ISC_LIST_HEAD(zone->includes)) + { ISC_LIST_UNLINK(zone->includes, inc, link); isc_mem_free(zone->mctx, inc->name); isc_mem_put(zone->mctx, inc, sizeof(*inc)); 
@@ -4905,7 +4982,8 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime, */ for (inc = ISC_LIST_HEAD(zone->newincludes); inc != NULL; - inc = ISC_LIST_HEAD(zone->newincludes)) { + inc = ISC_LIST_HEAD(zone->newincludes)) + { ISC_LIST_UNLINK(zone->newincludes, inc, link); ISC_LIST_APPEND(zone->includes, inc, link); zone->nincludes++; @@ -4945,29 +5023,35 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime, zone->type == dns_zone_mirror || zone->type == dns_zone_stub || zone->type == dns_zone_key || - (zone->type == dns_zone_redirect && zone->masters != NULL)) { + (zone->type == dns_zone_redirect && zone->masters != NULL)) + { if (result != ISC_R_NOMEMORY) { - if (zone->journal != NULL) + if (zone->journal != NULL) { zone_saveunique(zone, zone->journal, "jn-XXXXXXXX"); - if (zone->masterfile != NULL) + } + if (zone->masterfile != NULL) { zone_saveunique(zone, zone->masterfile, "db-XXXXXXXX"); + } } /* Mark the zone for immediate refresh. */ zone->refreshtime = now; - if (zone->task != NULL) + if (zone->task != NULL) { zone_settimer(zone, &now); + } result = ISC_R_SUCCESS; } else if (zone->type == dns_zone_master || - zone->type == dns_zone_redirect) { - if (!(inline_secure(zone) && result == ISC_R_FILENOTFOUND)) + zone->type == dns_zone_redirect) + { + if (! (inline_secure(zone) && result == ISC_R_FILENOTFOUND)) { dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, ISC_LOG_ERROR, "not loaded due to errors."); - else if (zone->type == dns_zone_master) + } else if (zone->type == dns_zone_master) { result = ISC_R_SUCCESS; + } } done: @@ -7653,8 +7737,9 @@ zone_nsec3chain(dns_zone_t *zone) { UNLOCK_ZONE(zone); first = true; - if (nsec3chain != NULL) + if (nsec3chain != NULL) { nsec3chain->save_delete_nsec = nsec3chain->delete_nsec; + } /* * Generate new NSEC3 chains first. * 
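Review bot: The rewritten condition in the error path of zone_postload introduces `if (! (inline_secure(zone) && result == ISC_R_FILENOTFOUND)) {` with a space between `!` and the parenthesis, which does not match how negation is written elsewhere in the same file's new code (`!integrity_checks(zone, db)`, `!zone_check_dup(zone, db)`, `!dns_name_issubdomain(...)`). The original `!(` form was already the consistent one; suggest `if (!(inline_secure(zone) && result == ISC_R_FILENOTFOUND)) {`. The enclosing `done:` cleanup continues past the end of this hunk.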
@@ -7740,40 +7825,47 @@ zone_nsec3chain(dns_zone_t *zone) { * Check to see if this is a bottom of zone node. */ result = dns_db_allrdatasets(db, node, version, 0, &iterator); - if (result == ISC_R_NOTFOUND) /* Empty node? */ + if (result == ISC_R_NOTFOUND) { + /* Empty node? */ goto next_addnode; - if (result != ISC_R_SUCCESS) + } + if (result != ISC_R_SUCCESS) { goto failure; + } - seen_soa = seen_ns = seen_dname = seen_ds = seen_nsec = - false; + seen_soa = seen_ns = seen_dname = seen_ds = seen_nsec = false; for (result = dns_rdatasetiter_first(iterator); result == ISC_R_SUCCESS; - result = dns_rdatasetiter_next(iterator)) { + result = dns_rdatasetiter_next(iterator)) + { dns_rdatasetiter_current(iterator, &rdataset); INSIST(rdataset.type != dns_rdatatype_nsec3); - if (rdataset.type == dns_rdatatype_soa) + if (rdataset.type == dns_rdatatype_soa) { seen_soa = true; - else if (rdataset.type == dns_rdatatype_ns) + } else if (rdataset.type == dns_rdatatype_ns) { seen_ns = true; - else if (rdataset.type == dns_rdatatype_dname) + } else if (rdataset.type == dns_rdatatype_dname) { seen_dname = true; - else if (rdataset.type == dns_rdatatype_ds) + } else if (rdataset.type == dns_rdatatype_ds) { seen_ds = true; - else if (rdataset.type == dns_rdatatype_nsec) + } else if (rdataset.type == dns_rdatatype_nsec) { seen_nsec = true; + } dns_rdataset_disassociate(&rdataset); } dns_rdatasetiter_destroy(&iterator); /* * Is there a NSEC chain than needs to be cleaned up? */ - if (seen_nsec) + if (seen_nsec) { nsec3chain->seen_nsec = true; - if (seen_ns && !seen_soa && !seen_ds) + } + if (seen_ns && !seen_soa && !seen_ds) { unsecure = true; - if ((seen_ns && !seen_soa) || seen_dname) + } + if ((seen_ns && !seen_soa) || seen_dname) { delegation = true; + } /* * Process one node. @@ -7853,8 +7945,9 @@ zone_nsec3chain(dns_zone_t *zone) { dns_db_detachnode(db, &node); if (!dns_name_issubdomain(nextname, name)) break; - } else + } else { break; + } } while (1); continue; 
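Review bot: The second hunk on this line (around old line 7853, the inner `do { ... } while (1)` of the NSEC3 creation pass) braces the trailing `} else { break; }` but leaves the preceding `if (!dns_name_issubdomain(nextname, name)) break;` unbraced as a context line, whereas the same two-line construct is braced in the removal pass and in zone_sign later in this patch. Bracing it here too, `if (!dns_name_issubdomain(nextname, name)) { break; }`, keeps the three copies identical and avoids a later "style" diff on the same lines. zone_nsec3chain starts and ends outside this hunk.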
@@ -7867,12 +7960,14 @@ zone_nsec3chain(dns_zone_t *zone) { dns_dbiterator_pause(nsec3chain->dbiterator); nsec3chain = nextnsec3chain; first = true; - if (nsec3chain != NULL) + if (nsec3chain != NULL) { nsec3chain->save_delete_nsec = nsec3chain->delete_nsec; + } } - if (nsec3chain != NULL) + if (nsec3chain != NULL) { goto skip_removals; + } /* * Process removals. @@ -7897,11 +7992,13 @@ zone_nsec3chain(dns_zone_t *zone) { nextnsec3chain = ISC_LIST_NEXT(nsec3chain, link); UNLOCK_ZONE(zone); - if (nsec3chain->db != db) + if (nsec3chain->db != db) { goto next_removechain; + } - if (!NSEC3REMOVE(nsec3chain->nsec3param.flags)) + if (!NSEC3REMOVE(nsec3chain->nsec3param.flags)) { goto next_removechain; + } /* * Work out if we need to build a NSEC chain as a consequence @@ -7922,9 +8019,10 @@ zone_nsec3chain(dns_zone_t *zone) { } } - if (first) + if (first) { dns_zone_log(zone, ISC_LOG_DEBUG(3), "zone_nsec3chain:" "buildnsecchain = %u\n", buildnsecchain); + } dns_dbiterator_current(nsec3chain->dbiterator, &node, name); delegation = false; @@ -7973,7 +8071,8 @@ zone_nsec3chain(dns_zone_t *zone) { NULL, NULL); if ((result == DNS_R_DELEGATION || result == DNS_R_DNAME) && - !dns_name_equal(name, found)) { + !dns_name_equal(name, found)) + { /* * Remember the obscuring name so that * we skip all obscured names. 
@@ -7988,37 +8087,44 @@ zone_nsec3chain(dns_zone_t *zone) { * Check to see if this is a bottom of zone node. */ result = dns_db_allrdatasets(db, node, version, 0, &iterator); - if (result == ISC_R_NOTFOUND) /* Empty node? */ + if (result == ISC_R_NOTFOUND) { + /* Empty node? */ goto next_removenode; - if (result != ISC_R_SUCCESS) + } + if (result != ISC_R_SUCCESS) { goto failure; + } - seen_soa = seen_ns = seen_dname = seen_nsec3 = seen_nsec = - seen_rr = false; + seen_soa = seen_ns = seen_dname = seen_nsec3 = + seen_nsec = seen_rr = false; for (result = dns_rdatasetiter_first(iterator); result == ISC_R_SUCCESS; - result = dns_rdatasetiter_next(iterator)) { + result = dns_rdatasetiter_next(iterator)) + { dns_rdatasetiter_current(iterator, &rdataset); - if (rdataset.type == dns_rdatatype_soa) + if (rdataset.type == dns_rdatatype_soa) { seen_soa = true; - else if (rdataset.type == dns_rdatatype_ns) + } else if (rdataset.type == dns_rdatatype_ns) { seen_ns = true; - else if (rdataset.type == dns_rdatatype_dname) + } else if (rdataset.type == dns_rdatatype_dname) { seen_dname = true; - else if (rdataset.type == dns_rdatatype_nsec) + } else if (rdataset.type == dns_rdatatype_nsec) { seen_nsec = true; - else if (rdataset.type == dns_rdatatype_nsec3) + } else if (rdataset.type == dns_rdatatype_nsec3) { seen_nsec3 = true; - if (rdataset.type != dns_rdatatype_rrsig) + } else if (rdataset.type != dns_rdatatype_rrsig) { seen_rr = true; + } dns_rdataset_disassociate(&rdataset); } dns_rdatasetiter_destroy(&iterator); - if (!seen_rr || seen_nsec3 || seen_nsec) + if (!seen_rr || seen_nsec3 || seen_nsec) { goto next_removenode; - if ((seen_ns && !seen_soa) || seen_dname) + } + if ((seen_ns && !seen_soa) || seen_dname) { delegation = true; + } /* * Add a NSEC record except at the origin. 
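Review bot: The type-classification loop in the NSEC3 removal pass is not a pure restyle: the old code had an independent `if (rdataset.type != dns_rdatatype_rrsig) seen_rr = true;` after the else-if chain, but the new code turns it into `} else if (rdataset.type != dns_rdatatype_rrsig) {`, so SOA, NS, DNAME, NSEC and NSEC3 RRsets no longer set seen_rr. A few lines down the hunk tests `if (!seen_rr || seen_nsec3 || seen_nsec) goto next_removenode;`, so a node holding only an NS RRset (an insecure delegation, the case the following `delegation = true` is written for) would now be skipped instead of having an NSEC record added while the NSEC3 chain is torn down. Keep the test as its own statement after the chain closes: `} if (rdataset.type != dns_rdatatype_rrsig) { seen_rr = true; }`. zone_nsec3chain starts and ends outside this hunk.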
@@ -8073,9 +8179,12 @@ zone_nsec3chain(dns_zone_t *zone) { &node, nextname); dns_db_detachnode(db, &node); if (!dns_name_issubdomain(nextname, name)) + { break; - } else + } + } else { break; + } } while (1); continue; @@ -8109,20 +8218,23 @@ zone_nsec3chain(dns_zone_t *zone) { } for (result = dns_rdatasetiter_first(iterator); result == ISC_R_SUCCESS; - result = dns_rdatasetiter_next(iterator)) { + result = dns_rdatasetiter_next(iterator)) + { dns_rdatasetiter_current(iterator, &rdataset); - if (rdataset.type == dns_rdatatype_nsec) + if (rdataset.type == dns_rdatatype_nsec) { rebuild_nsec = true; - if (rdataset.type == dns_rdatatype_nsec3param) + } else if (rdataset.type == dns_rdatatype_nsec3param) { rebuild_nsec3 = true; + } dns_rdataset_disassociate(&rdataset); } dns_rdatasetiter_destroy(&iterator); dns_db_detachnode(db, &node); if (rebuild_nsec) { - if (nsec3chain != NULL) + if (nsec3chain != NULL) { dns_dbiterator_pause(nsec3chain->dbiterator); + } result = updatesecure(db, version, &zone->origin, zone->minimum, true, @@ -8137,8 +8249,9 @@ zone_nsec3chain(dns_zone_t *zone) { } if (rebuild_nsec3) { - if (nsec3chain != NULL) + if (nsec3chain != NULL) { dns_dbiterator_pause(nsec3chain->dbiterator); + } result = dns_nsec3_addnsec3s(db, version, dns_db_origin(db), @@ -8157,8 +8270,9 @@ zone_nsec3chain(dns_zone_t *zone) { /* * Add / update signatures for the NSEC3 records. */ - if (nsec3chain != NULL) + if (nsec3chain != NULL) { dns_dbiterator_pause(nsec3chain->dbiterator); + } result = dns__zone_updatesigs(&nsec3_diff, db, version, zone_keys, nkeys, zone, inception, expire, 0, now, check_ksk, keyset_kskonly, &zonediff); @@ -8258,7 +8372,9 @@ zone_nsec3chain(dns_zone_t *zone) { for (nsec3chain = ISC_LIST_HEAD(zone->nsec3chain); nsec3chain != NULL; nsec3chain = ISC_LIST_NEXT(nsec3chain, link)) + { dns_dbiterator_pause(nsec3chain->dbiterator); + } UNLOCK_ZONE(zone); /* 
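Review bot: The hunk around old line 8109 changes two independent tests, `if (rdataset.type == dns_rdatatype_nsec)` and `if (rdataset.type == dns_rdatatype_nsec3param)`, into an `else if` chain; this is equivalent only because a single rdataset carries one type, so the second test could never also be true. That reasoning is not stated anywhere, and the same transformation is applied incorrectly elsewhere in this patch, so in a commit titled "style cleanups" either keep the two `if` statements independent or add a one-line comment such as `/* one rdataset has one type, so these are mutually exclusive */` above the chain. The enclosing function continues beyond this hunk.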
@@ -8282,9 +8398,11 @@ zone_nsec3chain(dns_zone_t *zone) { set_resigntime(zone); failure: - if (result != ISC_R_SUCCESS) + if (result != ISC_R_SUCCESS) { dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain: %s", dns_result_totext(result)); + } + /* * On error roll back the current nsec3chain. */ @@ -8327,7 +8445,9 @@ zone_nsec3chain(dns_zone_t *zone) { for (nsec3chain = ISC_LIST_HEAD(zone->nsec3chain); nsec3chain != NULL; nsec3chain = ISC_LIST_NEXT(nsec3chain, link)) + { dns_dbiterator_pause(nsec3chain->dbiterator); + } UNLOCK_ZONE(zone); dns_diff_clear(¶m_diff); @@ -8335,30 +8455,36 @@ zone_nsec3chain(dns_zone_t *zone) { dns_diff_clear(&nsec_diff); dns_diff_clear(&_sig_diff); - if (iterator != NULL) + if (iterator != NULL) { dns_rdatasetiter_destroy(&iterator); + } - for (i = 0; i < nkeys; i++) + for (i = 0; i < nkeys; i++) { dst_key_free(&zone_keys[i]); + } - if (node != NULL) + if (node != NULL) { dns_db_detachnode(db, &node); + } if (version != NULL) { dns_db_closeversion(db, &version, false); dns_db_detach(&db); - } else if (db != NULL) + } else if (db != NULL) { dns_db_detach(&db); + } LOCK_ZONE(zone); if (ISC_LIST_HEAD(zone->nsec3chain) != NULL) { isc_interval_t interval; - if (zone->update_disabled || result != ISC_R_SUCCESS) + if (zone->update_disabled || result != ISC_R_SUCCESS) { isc_interval_set(&interval, 60, 0); /* 1 minute */ - else + } else { isc_interval_set(&interval, 0, 10000000); /* 10 ms */ + } isc_time_nowplusinterval(&zone->nsec3chaintime, &interval); - } else + } else { isc_time_settoepoch(&zone->nsec3chaintime); + } UNLOCK_ZONE(zone); INSIST(version == NULL); @@ -8520,8 +8646,9 @@ zone_sign(dns_zone_t *zone) { } ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read); - if (zone->db != NULL) + if (zone->db != NULL) { dns_db_attach(zone->db, &db); + } ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read); if (db == NULL) { result = ISC_R_FAILURE; 
@@ -8591,8 +8718,9 @@ zone_sign(dns_zone_t *zone) { &build_nsec, &build_nsec3)); /* If neither chain is found, default to NSEC */ - if (!build_nsec && !build_nsec3) + if (!build_nsec && !build_nsec3) { build_nsec = true; + } while (signing != NULL && nodes-- > 0 && signatures > 0) { bool has_alg = false; @@ -8612,8 +8740,9 @@ zone_sign(dns_zone_t *zone) { } ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read); - if (signing->db != db) + if (signing->db != db) { goto next_signing; + } is_bottom_of_zone = false; @@ -8664,7 +8793,8 @@ zone_sign(dns_zone_t *zone) { NULL, NULL); if ((result == DNS_R_DELEGATION || result == DNS_R_DNAME) && - !dns_name_equal(name, found)) { + !dns_name_equal(name, found)) + { /* * Remember the obscuring name so that * we skip all obscured names. @@ -8691,13 +8821,15 @@ zone_sign(dns_zone_t *zone) { /* * Find the keys we want to sign with. */ - if (!dst_key_isprivate(zone_keys[i])) + if (!dst_key_isprivate(zone_keys[i])) { continue; + } /* * Should be redundant. */ - if (dst_key_inactive(zone_keys[i])) + if (dst_key_inactive(zone_keys[i])) { continue; + } /* * When adding look for the specific key. @@ -8705,7 +8837,9 @@ zone_sign(dns_zone_t *zone) { if (!signing->deleteit && (dst_key_alg(zone_keys[i]) != signing->algorithm || dst_key_id(zone_keys[i]) != signing->keyid)) + { continue; + } /* * When deleting make sure we are properly signed @@ -8713,7 +8847,9 @@ zone_sign(dns_zone_t *zone) { */ if (signing->deleteit && ALG(zone_keys[i]) != signing->algorithm) + { continue; + } /* * Do we do KSK processing? 
@@ -8729,31 +8865,39 @@ zone_sign(dns_zone_t *zone) { } for (j = 0; j < nkeys; j++) { if (j == i || - ALG(zone_keys[i]) != - ALG(zone_keys[j])) + (ALG(zone_keys[i]) != + ALG(zone_keys[j]))) + { continue; - if (!dst_key_isprivate(zone_keys[j])) + } + if (!dst_key_isprivate(zone_keys[j])) { continue; + } /* * Should be redundant. */ - if (dst_key_inactive(zone_keys[j])) + if (dst_key_inactive(zone_keys[j])) { continue; - if (REVOKE(zone_keys[j])) + } + if (REVOKE(zone_keys[j])) { continue; - if (KSK(zone_keys[j])) + } + if (KSK(zone_keys[j])) { have_ksk = true; - else + } else { have_nonksk = true; + } both = have_ksk && have_nonksk; - if (both) + if (both) { break; + } } } - if (both || REVOKE(zone_keys[i])) + if (both || REVOKE(zone_keys[i])) { is_ksk = KSK(zone_keys[i]); - else + } else { is_ksk = false; + } /* * If deleting signatures, we need to ensure that @@ -8845,10 +8989,12 @@ zone_sign(dns_zone_t *zone) { dns_dbiterator_current(signing->dbiterator, &node, nextname); dns_db_detachnode(db, &node); - if (!dns_name_issubdomain(nextname, name)) + if (!dns_name_issubdomain(nextname, name)) { break; - } else + } + } else { break; + } } while (1); continue; @@ -8876,8 +9022,9 @@ zone_sign(dns_zone_t *zone) { * Have we changed anything? */ if (ISC_LIST_EMPTY(zonediff.diff->tuples)) { - if (zonediff.offline) + if (zonediff.offline) { commit = true; + } result = ISC_R_SUCCESS; goto pauseall; } @@ -8928,12 +9075,16 @@ zone_sign(dns_zone_t *zone) { for (signing = ISC_LIST_HEAD(zone->signing); signing != NULL; signing = ISC_LIST_NEXT(signing, link)) + { dns_dbiterator_pause(signing->dbiterator); + } for (signing = ISC_LIST_HEAD(cleanup); signing != NULL; signing = ISC_LIST_NEXT(signing, link)) + { dns_dbiterator_pause(signing->dbiterator); + } /* * Everything has succeeded. Commit the changes. 
@@ -8974,7 +9125,9 @@ zone_sign(dns_zone_t *zone) { for (signing = ISC_LIST_HEAD(zone->signing); signing != NULL; signing = ISC_LIST_NEXT(signing, link)) + { dns_dbiterator_pause(signing->dbiterator); + } /* * Rollback the cleanup list. @@ -8990,27 +9143,32 @@ zone_sign(dns_zone_t *zone) { dns_diff_clear(&_sig_diff); - for (i = 0; i < nkeys; i++) + for (i = 0; i < nkeys; i++) { dst_key_free(&zone_keys[i]); + } - if (node != NULL) + if (node != NULL) { dns_db_detachnode(db, &node); + } if (version != NULL) { dns_db_closeversion(db, &version, false); dns_db_detach(&db); - } else if (db != NULL) + } else if (db != NULL) { dns_db_detach(&db); + } if (ISC_LIST_HEAD(zone->signing) != NULL) { isc_interval_t interval; - if (zone->update_disabled || result != ISC_R_SUCCESS) + if (zone->update_disabled || result != ISC_R_SUCCESS) { isc_interval_set(&interval, 60, 0); /* 1 minute */ - else + } else { isc_interval_set(&interval, 0, 10000000); /* 10 ms */ + } isc_time_nowplusinterval(&zone->signingtime, &interval); - } else + } else { isc_time_settoepoch(&zone->signingtime); + } INSIST(version == NULL); } @@ -9242,8 +9400,9 @@ revocable(dns_keyfetch_t *kfetch, dns_rdata_keydata_t *keydata) { dns_rdata_fromstruct(&rr, keydata->common.rdclass, dns_rdatatype_dnskey, &dnskey, &keyb); result = dns_dnssec_keyfromrdata(keyname, &rr, mctx, &dstkey); - if (result != ISC_R_SUCCESS) + if (result != ISC_R_SUCCESS) { return (false); + } /* See if that key generated any of the signatures */ for (result = dns_rdataset_first(&kfetch->dnskeysigset); 
@@ -9329,16 +9488,19 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { eresult = devent->result; /* Free resources which are not of interest */ - if (devent->node != NULL) + if (devent->node != NULL) { dns_db_detachnode(devent->db, &devent->node); - if (devent->db != NULL) + } + if (devent->db != NULL) { dns_db_detach(&devent->db); + } isc_event_free(&event); dns_resolver_destroyfetch(&kfetch->fetch); LOCK_ZONE(zone); - if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING) || zone->view == NULL) + if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING) || zone->view == NULL) { goto cleanup; + } isc_stdtime_get(&now); dns_name_format(keyname, namebuf, sizeof(namebuf)); @@ -9353,8 +9515,9 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { zone->refreshkeycount--; alldone = (zone->refreshkeycount == 0); - if (alldone) + if (alldone) { DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESHING); + } dns_zone_log(zone, ISC_LOG_DEBUG(3), "Returned from key fetch in keyfetch_done() for " @@ -9362,7 +9525,8 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { /* Fetch failed */ if (eresult != ISC_R_SUCCESS || - !dns_rdataset_isassociated(&kfetch->dnskeyset)) { + !dns_rdataset_isassociated(&kfetch->dnskeyset)) + { dns_zone_log(zone, ISC_LOG_WARNING, "Unable to fetch DNSKEY set " "'%s': %s", namebuf, dns_result_totext(eresult)); @@ -9406,8 +9570,10 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { dns_fixedname_init(&fixed); dstkey = dns_keynode_key(keynode); - if (dstkey == NULL) /* fail_secure() was called */ + if (dstkey == NULL) { + /* fail_secure() was called */ break; + } if (dst_key_alg(dstkey) == sig.algorithm && dst_key_id(dstkey) == sig.keyid) @@ -9506,7 +9672,8 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { if (!secure) { if (keydata.removehd != 0 && - keydata.removehd <= now) { + keydata.removehd <= now) + { deletekey = true; } } else if (keydata.addhd == 0) { 
@@ -9517,11 +9684,11 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { "unexpectedly missing " "restarting 30-day acceptance " "timer", keytag, namebuf); - if (keydata.addhd < now + dns_zone_mkey_month) + if (keydata.addhd < now + dns_zone_mkey_month) { keydata.addhd = now + dns_zone_mkey_month; - keydata.refresh = refresh_time(kfetch, - false); + } + keydata.refresh = refresh_time(kfetch, false); } else if (keydata.removehd == 0) { dns_zone_log(zone, ISC_LOG_DEBUG(3), "Active key %d for zone %s " @@ -9536,8 +9703,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { "managed keys database", keytag, namebuf); } else { - keydata.refresh = refresh_time(kfetch, - false); + keydata.refresh = refresh_time(kfetch, false); } if (secure || deletekey) { @@ -9547,8 +9713,9 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { &keydatarr)); } - if (!secure || deletekey) + if (!secure || deletekey) { continue; + } dns_rdata_reset(&keydatarr); isc_buffer_init(&keyb, key_buf, sizeof(key_buf)); @@ -9635,9 +9802,9 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { &dnskey, mctx); /* If initializing, delete now */ - if (keydata.addhd == 0) + if (keydata.addhd == 0) { deletekey = true; - else { + } else { keydata.removehd = now + dns_zone_mkey_month; keydata.flags |= @@ -9689,10 +9856,11 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { "has returned: starting " "30-day acceptance timer", keytag, namebuf); - } else if (keydata.addhd > now) + } else if (keydata.addhd > now) { pending++; - else if (keydata.addhd == 0) + } else if (keydata.addhd == 0) { keydata.addhd = now; + } if (keydata.addhd <= now) { trustkey = true; 
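Review bot: Moving `keydata.refresh = refresh_time(kfetch, false);` out of the braces makes the unconditional reset explicit, but nothing in the code says the reset is intended even when `keydata.addhd` already lies beyond the month threshold; the old indentation read as though it were conditional, so the next reader may "fix" it back. A one-line comment above the assignment, `/* The refresh time is always reset; only the acceptance deadline is conditional. */`, would pin the intent. keyfetch_done's body starts and ends outside this hunk.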
@@ -9721,15 +9889,17 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { keytag, namebuf); } - if (!deletekey && !newkey) + if (!deletekey && !newkey) { updatekey = true; + } } else if (secure) { /* * Key wasn't in the key zone but it's * revoked now anyway, so just skip it */ - if (revoked) + if (revoked) { continue; + } /* Key wasn't in the key zone: add it */ newkey = true; @@ -9760,10 +9930,11 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { } /* Delete old version */ - if (deletekey || !newkey) + if (deletekey || !newkey) { CHECK(update_one_rr(kfetch->db, ver, &diff, DNS_DIFFOP_DEL, keyname, 0, &keydatarr)); + } if (updatekey) { /* Set refresh timer */ @@ -9821,8 +9992,9 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { * see if there's pending keydata. If so, we put a null key in * the security roots; then all queries to the zone will fail. */ - if (pending != 0) + if (pending != 0) { fail_secure(zone, keyname); + } done: if (!ISC_LIST_EMPTY(diff.tuples)) { @@ -9855,8 +10027,9 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { isc_result_totext(result)); } dns_diff_clear(&diff); - if (ver != NULL) + if (ver != NULL) { dns_db_closeversion(kfetch->db, &ver, commit); + } cleanup: dns_db_detach(&kfetch->db); 
@@ -9865,24 +10038,29 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { zone->irefs--; kfetch->zone = NULL; - if (dns_rdataset_isassociated(&kfetch->keydataset)) + if (dns_rdataset_isassociated(&kfetch->keydataset)) { dns_rdataset_disassociate(&kfetch->keydataset); - if (dns_rdataset_isassociated(&kfetch->dnskeyset)) + } + if (dns_rdataset_isassociated(&kfetch->dnskeyset)) { dns_rdataset_disassociate(&kfetch->dnskeyset); - if (dns_rdataset_isassociated(&kfetch->dnskeysigset)) + } + if (dns_rdataset_isassociated(&kfetch->dnskeysigset)) { dns_rdataset_disassociate(&kfetch->dnskeysigset); + } dns_name_free(keyname, mctx); isc_mem_put(mctx, kfetch, sizeof(dns_keyfetch_t)); isc_mem_detach(&mctx); - if (secroots != NULL) + if (secroots != NULL) { dns_keytable_detach(&secroots); + } free_needed = exit_check(zone); UNLOCK_ZONE(zone); - if (free_needed) + if (free_needed) { zone_free(zone); + } INSIST(ver == NULL); } @@ -9931,7 +10109,8 @@ zone_refreshkeys(dns_zone_t *zone) { dns_rriterator_init(&rrit, db, ver, 0); for (result = dns_rriterator_first(&rrit); result == ISC_R_SUCCESS; - result = dns_rriterator_nextrrset(&rrit)) { + result = dns_rriterator_nextrrset(&rrit)) + { isc_stdtime_t timer = 0xffffffff; dns_name_t *name = NULL, *kname = NULL; dns_rdataset_t *kdset = NULL; @@ -9941,7 +10120,9 @@ zone_refreshkeys(dns_zone_t *zone) { dns_rriterator_current(&rrit, &name, &ttl, &kdset, NULL); if (kdset == NULL || kdset->type != dns_rdatatype_keydata || !dns_rdataset_isassociated(kdset)) + { continue; + } /* * Scan the stored keys looking for ones that need @@ -9949,7 +10130,8 @@ zone_refreshkeys(dns_zone_t *zone) { */ for (result = dns_rdataset_first(kdset); result == ISC_R_SUCCESS; - result = dns_rdataset_next(kdset)) { + result = dns_rdataset_next(kdset)) + { dns_rdata_reset(&rdata); dns_rdataset_current(kdset, &rdata); result = dns_rdata_tostruct(&rdata, &kd, NULL); 
@@ -9964,19 +10146,22 @@ zone_refreshkeys(dns_zone_t *zone) { } /* Acceptance timer expired? */ - if (kd.addhd <= now) + if (kd.addhd <= now) { timer = kd.addhd; + } /* Or do we just need to refresh the keyset? */ - if (timer > kd.refresh) + if (timer > kd.refresh) { timer = kd.refresh; + } set_refreshkeytimer(zone, &kd, now, false); timerset = true; } - if (timer > now) + if (timer > now) { continue; + } kfetch = isc_mem_get(zone->mctx, sizeof(dns_keyfetch_t)); if (kfetch == NULL) { @@ -10037,9 +10222,9 @@ zone_refreshkeys(dns_zone_t *zone) { result = ISC_R_FAILURE; } #endif - if (result == ISC_R_SUCCESS) + if (result == ISC_R_SUCCESS) { fetching = true; - else { + } else { zone->refreshkeycount--; zone->irefs--; dns_db_detach(&kfetch->db); @@ -10081,8 +10266,9 @@ zone_refreshkeys(dns_zone_t *zone) { isc_time_settoepoch(&zone->refreshkeytime); } - if (!fetching) + if (!fetching) { DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESHING); + } dns_diff_clear(&diff); if (ver != NULL) { @@ -17869,10 +18055,13 @@ sign_apex(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, */ for (tuple = ISC_LIST_HEAD(diff->tuples); tuple != NULL; - tuple = ISC_LIST_NEXT(tuple, link)) { + tuple = ISC_LIST_NEXT(tuple, link)) + { if (tuple->rdata.type == dns_rdatatype_dnskey && dns_name_equal(&tuple->name, &zone->origin)) + { break; + } } if (tuple == NULL) { @@ -17909,8 +18098,9 @@ sign_apex(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, } failure: - for (i = 0; i < nkeys; i++) + for (i = 0; i < nkeys; i++) { dst_key_free(&zone_keys[i]); + } return (result); } 
@@ -17931,11 +18121,14 @@ dnskey_sane(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, /* Scan the tuples for an NSEC-only DNSKEY */ for (tuple = ISC_LIST_HEAD(diff->tuples); tuple != NULL; - tuple = ISC_LIST_NEXT(tuple, link)) { + tuple = ISC_LIST_NEXT(tuple, link)) + { uint8_t alg; if (tuple->rdata.type != dns_rdatatype_dnskey || tuple->op != DNS_DIFFOP_ADD) + { continue; + } alg = tuple->rdata.data[3]; if (alg == DST_ALG_RSASHA1) { @@ -17947,15 +18140,17 @@ dnskey_sane(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, /* Check existing DB for NSEC-only DNSKEY */ if (!nseconly) { result = dns_nsec_nseconly(db, ver, &nseconly); - if (result == ISC_R_NOTFOUND) + if (result == ISC_R_NOTFOUND) { result = ISC_R_SUCCESS; + } CHECK(result); } /* Check existing DB for NSEC3 */ - if (!nsec3) + if (!nsec3) { CHECK(dns_nsec3_activex(db, ver, false, privatetype, &nsec3)); + } /* Refuse to allow NSEC3 with NSEC-only keys */ if (nseconly && nsec3) { @@ -18054,15 +18249,15 @@ zone_rekey(dns_zone_t *zone) { dns_dbversion_t *ver = NULL; dns_rdataset_t cdsset, soaset, soasigs, keyset, keysigs, cdnskeyset; dns_dnsseckeylist_t dnskeys, keys, rmkeys; - dns_dnsseckey_t *key; + dns_dnsseckey_t *key = NULL; dns_diff_t diff, _sig_diff; dns__zonediff_t zonediff; bool commit = false, newactive = false; bool newalg = false; bool fullsign; dns_ttl_t ttl = 3600; - const char *dir; - isc_mem_t *mctx; + const char *dir = NULL; + isc_mem_t *mctx = NULL; isc_stdtime_t now; isc_time_t timenow; isc_interval_t ival; @@ -18110,8 +18305,9 @@ zone_rekey(dns_zone_t *zone) { &keysigs, &soasigs, false, false, &dnskeys)); - } else if (result != ISC_R_NOTFOUND) + } else if (result != ISC_R_NOTFOUND) { goto failure; + } /* Get the CDS rdataset */ 
@@ -18124,7 +18320,9 @@ zone_rekey(dns_zone_t *zone) { result = dns_db_findrdataset(db, node, ver, dns_rdatatype_cdnskey, dns_rdatatype_none, 0, &cdnskeyset, NULL); if (result != ISC_R_SUCCESS && dns_rdataset_isassociated(&cdnskeyset)) + { dns_rdataset_disassociate(&cdnskeyset); + } /* * True when called from "rndc sign". Indicates the zone should be @@ -18175,9 +18373,11 @@ zone_rekey(dns_zone_t *zone) { */ for (key = ISC_LIST_HEAD(dnskeys); key != NULL; - key = ISC_LIST_NEXT(key, link)) { - if (!key->first_sign) + key = ISC_LIST_NEXT(key, link)) + { + if (!key->first_sign) { continue; + } newactive = true; @@ -18200,7 +18400,8 @@ zone_rekey(dns_zone_t *zone) { } if ((newactive || fullsign || !ISC_LIST_EMPTY(diff.tuples)) && - dnskey_sane(zone, db, ver, &diff)) { + dnskey_sane(zone, db, ver, &diff)) + { CHECK(dns_diff_apply(&diff, db, ver)); CHECK(clean_nsec3param(zone, db, ver, &diff)); CHECK(add_signing_records(db, zone->privatetype, @@ -18232,7 +18433,8 @@ zone_rekey(dns_zone_t *zone) { if (!ISC_LIST_EMPTY(rmkeys)) { for (key = ISC_LIST_HEAD(rmkeys); key != NULL; - key = ISC_LIST_NEXT(key, link)) { + key = ISC_LIST_NEXT(key, link)) + { result = zone_signwithkey(zone, dst_key_alg(key->key), dst_key_id(key->key), @@ -18252,9 +18454,11 @@ zone_rekey(dns_zone_t *zone) { */ for (key = ISC_LIST_HEAD(dnskeys); key != NULL; - key = ISC_LIST_NEXT(key, link)) { - if (!key->force_sign && !key->hint_sign) + key = ISC_LIST_NEXT(key, link)) + { + if (!key->force_sign && !key->hint_sign) { continue; + } result = zone_signwithkey(zone, dst_key_alg(key->key), @@ -18275,9 +18479,11 @@ zone_rekey(dns_zone_t *zone) { */ for (key = ISC_LIST_HEAD(dnskeys); key != NULL; - key = ISC_LIST_NEXT(key, link)) { - if (!key->first_sign) + key = ISC_LIST_NEXT(key, link)) + { + if (!key->first_sign) { continue; + } result = zone_signwithkey(zone, dst_key_alg(key->key), 
@@ -18303,22 +18509,29 @@ zone_rekey(dns_zone_t *zone) { */ for (tuple = ISC_LIST_HEAD(zonediff.diff->tuples); tuple != NULL; - tuple = ISC_LIST_NEXT(tuple, link)) { + tuple = ISC_LIST_NEXT(tuple, link)) + { unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE]; dns_rdata_t rdata = DNS_RDATA_INIT; dns_rdata_nsec3param_t nsec3param; if (tuple->rdata.type != zone->privatetype || tuple->op != DNS_DIFFOP_ADD) + { continue; + } if (!dns_nsec3param_fromprivate(&tuple->rdata, &rdata, buf, sizeof(buf))) + { continue; + } + result = dns_rdata_tostruct(&rdata, &nsec3param, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); - if (nsec3param.flags == 0) + if (nsec3param.flags == 0) { continue; + } result = zone_addnsec3chain(zone, &nsec3param); if (result != ISC_R_SUCCESS) { @@ -18332,8 +18545,9 @@ zone_rekey(dns_zone_t *zone) { * Activate any NSEC3 chain updates that may have * been scheduled before this rekey. */ - if (fullsign || newalg) + if (fullsign || newalg) { resume_addnsec3chain(zone); + } /* * Schedule the next resigning event @@ -18361,16 +18575,19 @@ zone_rekey(dns_zone_t *zone) { for (key = ISC_LIST_HEAD(dnskeys); key != NULL; - key = ISC_LIST_NEXT(key, link)) { + key = ISC_LIST_NEXT(key, link)) + { then = now; result = next_keyevent(key->key, &then); - if (result != ISC_R_SUCCESS) + if (result != ISC_R_SUCCESS) { continue; + } DNS_ZONE_TIME_ADD(&timenow, then - now, &timethen); LOCK_ZONE(zone); if (isc_time_compare(&timethen, - &zone->refreshkeytime) < 0) { + &zone->refreshkeytime) < 0) + { zone->refreshkeytime = timethen; } UNLOCK_ZONE(zone); 
@@ -18382,7 +18599,19 @@ zone_rekey(dns_zone_t *zone) { dns_zone_log(zone, ISC_LOG_INFO, "next key event: %s", timebuf); } - done: + result = ISC_R_SUCCESS; + + failure: + if (result != ISC_R_SUCCESS) { + /* + * Something went wrong; try again in ten minutes or + * after a key refresh interval, whichever is shorter. + */ + isc_interval_set(&ival, + ISC_MIN(zone->refreshkeyinterval, 600), 0); + isc_time_nowplusinterval(&zone->refreshkeytime, &ival); + } + dns_diff_clear(&diff); dns_diff_clear(&_sig_diff); @@ -18390,34 +18619,32 @@ zone_rekey(dns_zone_t *zone) { clear_keylist(&keys, mctx); clear_keylist(&rmkeys, mctx); - if (ver != NULL) + if (ver != NULL) { dns_db_closeversion(db, &ver, false); - if (dns_rdataset_isassociated(&cdsset)) + } + if (dns_rdataset_isassociated(&cdsset)) { dns_rdataset_disassociate(&cdsset); - if (dns_rdataset_isassociated(&keyset)) + } + if (dns_rdataset_isassociated(&keyset)) { dns_rdataset_disassociate(&keyset); - if (dns_rdataset_isassociated(&keysigs)) + } + if (dns_rdataset_isassociated(&keysigs)) { dns_rdataset_disassociate(&keysigs); - if (dns_rdataset_isassociated(&soasigs)) + } + if (dns_rdataset_isassociated(&soasigs)) { dns_rdataset_disassociate(&soasigs); - if (dns_rdataset_isassociated(&cdnskeyset)) + } + if (dns_rdataset_isassociated(&cdnskeyset)) { dns_rdataset_disassociate(&cdnskeyset); - if (node != NULL) + } + if (node != NULL) { dns_db_detachnode(db, &node); - if (db != NULL) + } + if (db != NULL) { dns_db_detach(&db); + } INSIST(ver == NULL); - return; - - failure: - /* - * Something went wrong; try again in ten minutes or - * after a key refresh interval, whichever is shorter. - */ - isc_interval_set(&ival, ISC_MIN(zone->refreshkeyinterval, 600), 0); - isc_time_nowplusinterval(&zone->refreshkeytime, &ival); - goto done; } void 
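Review bot: The retry scheduling under the new `failure:` label runs only when `result` is not ISC_R_SUCCESS, so every `goto failure` in zone_rekey must have stored a failure code in `result` first; a jump taken with `result` still ISC_R_SUCCESS would silently skip re-arming `zone->refreshkeytime`, the timer that drives the next key event. The `goto failure` after the `result != ISC_R_NOTFOUND` test earlier in this function looks fine, but the other jump sites are not all visible here, so a comment above the label, `/* every goto failure must have left a non-success code in result */`, or an `INSIST` stating that contract, would make the dependency visible. Note also that the success loop writes `zone->refreshkeytime` under LOCK_ZONE while this retry path writes it without the lock, as the old code did; if zone_rekey is not entered with the lock held that inconsistency is worth a look. The function body starts outside this hunk.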
@@ -18825,11 +19052,13 @@ keydone(isc_task_t *task, isc_event_t *event) { dns_diff_init(zone->mctx, &diff); ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read); - if (zone->db != NULL) + if (zone->db != NULL) { dns_db_attach(zone->db, &db); + } ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read); - if (db == NULL) + if (db == NULL) { goto failure; + } dns_db_currentversion(db, &oldver); result = dns_db_newversion(db, &newver); @@ -18841,8 +19070,9 @@ keydone(isc_task_t *task, isc_event_t *event) { } result = dns_db_getoriginnode(db, &node); - if (result != ISC_R_SUCCESS) + if (result != ISC_R_SUCCESS) { goto failure; + } result = dns_db_findrdataset(db, node, newver, zone->privatetype, dns_rdatatype_none, 0, &rdataset, NULL); @@ -18857,7 +19087,8 @@ keydone(isc_task_t *task, isc_event_t *event) { for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS; - result = dns_rdataset_next(&rdataset)) { + result = dns_rdataset_next(&rdataset)) + { bool found = false; dns_rdataset_current(&rdataset, &rdata); @@ -18865,20 +19096,25 @@ keydone(isc_task_t *task, isc_event_t *event) { if (kd->all) { if (rdata.length == 5 && rdata.data[0] != 0 && rdata.data[3] == 0 && rdata.data[4] == 1) + { found = true; - else if (rdata.data[0] == 0 && - (rdata.data[2] & PENDINGFLAGS) != 0) { + } else if (rdata.data[0] == 0 && + (rdata.data[2] & PENDINGFLAGS) != 0) + { found = true; clear_pending = true; } } else if (rdata.length == 5 && memcmp(rdata.data, kd->data, 5) == 0) + { found = true; + } - if (found) + if (found) { CHECK(update_one_rr(db, newver, &diff, DNS_DIFFOP_DEL, &zone->origin, rdataset.ttl, &rdata)); + } dns_rdata_reset(&rdata); } @@ -18890,8 +19126,9 @@ keydone(isc_task_t *task, isc_event_t *event) { result = dns_update_signatures(&log, zone, db, oldver, newver, &diff, zone->sigvalidityinterval); - if (!clear_pending) + if (!clear_pending) { CHECK(result); + } CHECK(zone_journal(zone, &diff, NULL, "keydone")); commit = true; 
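Review bot: In the `kd->all` branch the `else if` arm reads `rdata.data[0]` and `rdata.data[2]` without checking `rdata.length`, whereas the first arm guards on `rdata.length == 5`; a private-type record shorter than three bytes would be read past its end. Adding the bound to the condition, `} else if (rdata.length >= 3 && rdata.data[0] == 0 && (rdata.data[2] & PENDINGFLAGS) != 0)`, keeps the check local to the loop. Whether such a short record can actually reach this loop depends on what is allowed into the private type elsewhere, which is not visible here. keydone's body starts and ends outside this hunk.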
@@ -18903,15 +19140,19 @@ keydone(isc_task_t *task, isc_event_t *event) { } failure: - if (dns_rdataset_isassociated(&rdataset)) + if (dns_rdataset_isassociated(&rdataset)) { dns_rdataset_disassociate(&rdataset); + } if (db != NULL) { - if (node != NULL) + if (node != NULL) { dns_db_detachnode(db, &node); - if (oldver != NULL) + } + if (oldver != NULL) { dns_db_closeversion(db, &oldver, false); - if (newver != NULL) + } + if (newver != NULL) { dns_db_closeversion(db, &newver, commit); + } dns_db_detach(&db); } dns_diff_clear(&diff); @@ -18942,9 +19183,9 @@ dns_zone_keydone(dns_zone_t *zone, const char *keystr) { } kd = (struct keydone *) e; - if (strcasecmp(keystr, "all") == 0) + if (strcasecmp(keystr, "all") == 0) { kd->all = true; - else { + } else { isc_textregion_t r; const char *algstr; dns_keytag_t keyid; @@ -18954,14 +19195,16 @@ dns_zone_keydone(dns_zone_t *zone, const char *keystr) { kd->all = false; n = sscanf(keystr, "%hu/", &keyid); - if (n == 0U) + if (n == 0U) { CHECK(ISC_R_FAILURE); + } algstr = strchr(keystr, '/'); - if (algstr != NULL) + if (algstr != NULL) { algstr++; - else + } else { CHECK(ISC_R_FAILURE); + } n = sscanf(algstr, "%hhu", &alg); if (n == 0U) { @@ -18983,8 +19226,9 @@ dns_zone_keydone(dns_zone_t *zone, const char *keystr) { isc_task_send(zone->task, &e); failure: - if (e != NULL) + if (e != NULL) { isc_event_free(&e); + } UNLOCK_ZONE(zone); return (result); } @@ -19030,11 +19274,13 @@ setnsec3param(isc_task_t *task, isc_event_t *event) { dns_diff_init(zone->mctx, &diff); ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read); - if (zone->db != NULL) + if (zone->db != NULL) { dns_db_attach(zone->db, &db); + } ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read); - if (db == NULL) + if (db == NULL) { goto failure; + } dns_db_currentversion(db, &oldver); result = dns_db_newversion(db, &newver); 
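Review bot: `sscanf` returns EOF (-1) when `keystr` or `algstr` is empty, and comparing that against `0U` does not catch it because -1 converts to a large unsigned value, so an empty string passes the check with `keyid` or `alg` uninitialized; the new braces keep that behaviour. Testing for the expected conversion count at both sscanf sites, `if (n != 1) {`, covers EOF and a zero match alike. The argument appears to come from the rndc keydone command, so this is a robustness point rather than an exposure; dns_zone_keydone's body starts and ends outside this hunk.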
@@ -19056,12 +19302,14 @@ setnsec3param(isc_task_t *task, isc_event_t *event) { if (result == ISC_R_SUCCESS) { for (result = dns_rdataset_first(&prdataset); result == ISC_R_SUCCESS; - result = dns_rdataset_next(&prdataset)) { + result = dns_rdataset_next(&prdataset)) + { dns_rdata_init(&rdata); dns_rdataset_current(&prdataset, &rdata); if (np->length == rdata.length && - memcmp(rdata.data, np->data, np->length) == 0) { + memcmp(rdata.data, np->data, np->length) == 0) + { exists = true; break; } @@ -19080,7 +19328,8 @@ setnsec3param(isc_task_t *task, isc_event_t *event) { if (result == ISC_R_SUCCESS) { for (result = dns_rdataset_first(&nrdataset); result == ISC_R_SUCCESS; - result = dns_rdataset_next(&nrdataset)) { + result = dns_rdataset_next(&nrdataset)) + { dns_rdata_init(&rdata); dns_rdataset_current(&nrdataset, &rdata); @@ -19103,9 +19352,10 @@ setnsec3param(isc_task_t *task, isc_event_t *event) { * parameters are supposed to replace the current ones or if we are * switching to NSEC. */ - if (!exists && np->replace && (np->length != 0 || np->nsec)) + if (!exists && np->replace && (np->length != 0 || np->nsec)) { CHECK(dns_nsec3param_deletechains(db, newver, zone, !np->nsec, &diff)); + } if (!exists && np->length != 0) { /* @@ -19122,8 +19372,9 @@ setnsec3param(isc_task_t *task, isc_event_t *event) { np->data[2] |= DNS_NSEC3FLAG_CREATE; result = dns_nsec_nseconly(db, newver, &nseconly); - if (result == ISC_R_NOTFOUND || nseconly) + if (result == ISC_R_NOTFOUND || nseconly) { np->data[2] |= DNS_NSEC3FLAG_INITIAL; + } rdata.length = np->length; rdata.data = np->data; @@ -19145,8 +19396,9 @@ setnsec3param(isc_task_t *task, isc_event_t *event) { result = dns_update_signatures(&log, zone, db, oldver, newver, &diff, zone->sigvalidityinterval); - if (result != ISC_R_NOTFOUND) + if (result != ISC_R_NOTFOUND) { CHECK(result); + } CHECK(zone_journal(zone, &diff, NULL, "setnsec3param")); commit = true; 
@@ -19157,18 +19409,24 @@ setnsec3param(isc_task_t *task, isc_event_t *event) { } failure: - if (dns_rdataset_isassociated(&prdataset)) + if (dns_rdataset_isassociated(&prdataset)) { dns_rdataset_disassociate(&prdataset); - if (dns_rdataset_isassociated(&nrdataset)) + } + if (dns_rdataset_isassociated(&nrdataset)) { dns_rdataset_disassociate(&nrdataset); - if (node != NULL) + } + if (node != NULL) { dns_db_detachnode(db, &node); - if (oldver != NULL) + } + if (oldver != NULL) { dns_db_closeversion(db, &oldver, false); - if (newver != NULL) + } + if (newver != NULL) { dns_db_closeversion(db, &newver, commit); - if (db != NULL) + } + if (db != NULL) { dns_db_detach(&db); + } if (commit) { LOCK_ZONE(zone); resume_addnsec3chain(zone); @@ -19274,8 +19532,9 @@ dns_zone_setnsec3param(dns_zone_t *zone, uint8_t hash, uint8_t flags, ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read); failure: - if (e != NULL) + if (e != NULL) { isc_event_free(&e); + } UNLOCK_ZONE(zone); return (result); } From a7cadde982054a439abfe44bc650fc3d3041d772 Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Sun, 20 Jan 2019 10:25:20 -0800 Subject: [PATCH 2/7] use log category "dnssec" instead of "zone" for DNSSEC-related events use "dnssec" log category for: - managed key zone events - DNSSEC key status changes (activation, deletion, etc) - zone signing status --- lib/dns/zone.c | 610 ++++++++++++++++++++++++------------------------- 1 file changed, 305 insertions(+), 305 deletions(-) diff --git a/lib/dns/zone.c b/lib/dns/zone.c index ed7c0925d1..e69e4f55d8 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c 
@@ -736,6 +736,8 @@ static void zone_debuglog(dns_zone_t *zone, const char *, int debuglevel,
 const char *msg, ...) ISC_FORMAT_PRINTF(4, 5);
 static void notify_log(dns_zone_t *zone, int level, const char *fmt, ...)
 ISC_FORMAT_PRINTF(3, 4);
+static void dnssec_log(dns_zone_t *zone, int level, const char *fmt, ...)
+ ISC_FORMAT_PRINTF(3, 4);
 static void queue_xfrin(dns_zone_t *zone);
 static isc_result_t update_one_rr(dns_db_t *db, dns_dbversion_t *ver,
 dns_diff_t *diff, dns_diffop_t op,
@@ -3239,10 +3241,10 @@ zone_check_dnskeys(dns_zone_t *zone, dns_db_t *db) {
 algorithm = "RSASHA1";
 }
 if (logit) {
- dns_zone_log(zone, ISC_LOG_WARNING,
- "weak %s (%u) key found "
- "(exponent=3)", algorithm,
- dnskey.algorithm);
+ dnssec_log(zone, ISC_LOG_WARNING,
+ "weak %s (%u) key found "
+ "(exponent=3)", algorithm,
+ dnskey.algorithm);
 }
 }
 dns_rdata_reset(&rdata);
@@ -3308,9 +3310,9 @@ resume_signingwithkey(dns_zone_t *zone) {
 (rdata.data[1] << 8) | rdata.data[2],
 rdata.data[3]);
 if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_signwithkey failed: %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "zone_signwithkey failed: %s",
+ dns_result_totext(result));
 }
 dns_rdata_reset(&rdata);
 }
@@ -3440,10 +3442,8 @@ zone_addnsec3chain(dns_zone_t *zone, dns_rdata_nsec3param_t *nsec3param) {
 result = dns_nsec3param_salttotext(nsec3param, saltbuf,
 sizeof(saltbuf));
 RUNTIME_CHECK(result == ISC_R_SUCCESS);
- dns_zone_log(zone, ISC_LOG_INFO,
- "zone_addnsec3chain(%u,%s,%u,%s)",
- nsec3param->hash, flags, nsec3param->iterations,
- saltbuf);
+ dnssec_log(zone, ISC_LOG_INFO, "zone_addnsec3chain(%u,%s,%u,%s)",
+ nsec3param->hash, flags, nsec3param->iterations, saltbuf);
 
 /*
 * If the NSEC3 chain defined by the supplied NSEC3PARAM RDATA is
@@ -3608,9 +3608,9 @@ resume_addnsec3chain(dns_zone_t *zone) {
 */
 result = zone_addnsec3chain(zone, &nsec3param);
 if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_addnsec3chain failed: %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "zone_addnsec3chain failed: %s",
+ dns_result_totext(result));
 }
 }
 }
@@ -4057,13 +4057,13 @@ load_secroots(dns_zone_t *zone, dns_name_t *name, dns_rdataset_t *rdataset) {
 if (trusted == 0 && pending != 0) {
 char namebuf[DNS_NAME_FORMATSIZE];
 dns_name_format(name, namebuf, sizeof namebuf);
- dns_zone_log(zone, ISC_LOG_ERROR,
- "No valid trust anchors for '%s'!", namebuf);
- dns_zone_log(zone, ISC_LOG_ERROR,
- "%d key(s) revoked, %d still pending",
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "No valid trust anchors for '%s'!", namebuf);
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "%d key(s) revoked, %d still pending",
 revoked, pending);
- dns_zone_log(zone, ISC_LOG_ERROR,
- "All queries to '%s' will fail", namebuf);
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "All queries to '%s' will fail", namebuf);
 fail_secure(zone, name);
 }
 }
@@ -4307,9 +4307,9 @@ sync_keyzone(dns_zone_t *zone, dns_db_t *db) {
 
 result = dns_db_newversion(db, &ver);
 if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "sync_keyzone:dns_db_newversion -> %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "sync_keyzone:dns_db_newversion -> %s",
+ dns_result_totext(result));
 goto failure;
 }
 
@@ -4384,9 +4384,9 @@ sync_keyzone(dns_zone_t *zone, dns_db_t *db) {
 
 if (result != ISC_R_SUCCESS &&
 !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED)) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "unable to synchronize managed keys: %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "unable to synchronize managed keys: %s",
+ dns_result_totext(result));
 isc_time_settoepoch(&zone->refreshkeytime);
 }
 if (keynode != NULL) {
@@ -4946,18 +4946,16 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
 dns_name_format(name, namebuf, sizeof(namebuf));
 dns_rdatatype_format(next.covers, typebuf,
 sizeof(typebuf));
- dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
- ISC_LOG_DEBUG(3),
- "next resign: %s/%s "
- "in %d seconds", namebuf, typebuf,
- next.resign - timenow -
- zone->sigresigninginterval);
+ dnssec_log(zone, ISC_LOG_DEBUG(3),
+ "next resign: %s/%s "
+ "in %d seconds", namebuf, typebuf,
+ next.resign - timenow -
+ zone->sigresigninginterval);
 dns_rdataset_disassociate(&next);
 } else {
- dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
- ISC_LOG_WARNING,
- "signed dynamic zone has no "
- "resign event scheduled");
+ dnssec_log(zone, ISC_LOG_WARNING,
+ "signed dynamic zone has no "
+ "resign event scheduled");
 }
 }
 
@@ -5005,10 +5003,10 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
 
 cleanup:
 if (zone->type == dns_zone_key && result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "failed to initialize managed-keys (%s): "
- "DNSSEC validation is at risk",
- isc_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "failed to initialize managed-keys (%s): "
+ "DNSSEC validation is at risk",
+ isc_result_totext(result));
 }
 
 for (inc = ISC_LIST_HEAD(zone->newincludes);
@@ -7685,9 +7683,9 @@ zone_nsec3chain(dns_zone_t *zone) {
 
 result = dns_db_newversion(db, &version);
 if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_nsec3chain:dns_db_newversion -> %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "zone_nsec3chain:dns_db_newversion -> %s",
+ dns_result_totext(result));
 goto failure;
 }
 
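Review bot: The rewritten "next resign" call keeps `%d` for `next.resign - timenow - zone->sigresigninginterval`, and if those operands are unsigned (isc_stdtime_t is a 32-bit unsigned type in this code base, as far as I recall) the specifier does not match the argument, so a resign time already in the past wraps and is printed as a large negative number rather than being flagged as overdue. Since the lines are being touched anyway, `%u` with the expression left unsigned, or a cast to a signed type matching the "seconds until" intent, would be a small fix. zone_postload's body starts and ends outside this hunk.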
@@ -7696,9 +7694,9 @@ zone_nsec3chain(dns_zone_t *zone) { result = dns__zone_findkeys(zone, db, version, now, zone->mctx, DNS_MAXZONEKEYS, zone_keys, &nkeys); if (result != ISC_R_SUCCESS) { - dns_zone_log(zone, ISC_LOG_ERROR, - "zone_nsec3chain:dns__zone_findkeys -> %s", - dns_result_totext(result)); + dnssec_log(zone, ISC_LOG_ERROR, + "zone_nsec3chain:dns__zone_findkeys -> %s", + dns_result_totext(result)); goto failure; } @@ -7876,9 +7874,9 @@ zone_nsec3chain(dns_zone_t *zone) { zone->minimum, unsecure, &nsec3_diff); if (result != ISC_R_SUCCESS) { - dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:" - "dns_nsec3_addnsec3 -> %s", - dns_result_totext(result)); + dnssec_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:" + "dns_nsec3_addnsec3 -> %s", + dns_result_totext(result)); goto failure; } @@ -7934,10 +7932,10 @@ zone_nsec3chain(dns_zone_t *zone) { ISC_LIST_APPEND(cleanup, nsec3chain, link); goto next_addchain; } else if (result != ISC_R_SUCCESS) { - dns_zone_log(zone, ISC_LOG_ERROR, - "zone_nsec3chain:" - "dns_dbiterator_next -> %s", - dns_result_totext(result)); + dnssec_log(zone, ISC_LOG_ERROR, + "zone_nsec3chain:" + "dns_dbiterator_next -> %s", + dns_result_totext(result)); goto failure; } else if (delegation) { dns_dbiterator_current(nsec3chain->dbiterator, @@ -8011,17 +8009,18 @@ zone_nsec3chain(dns_zone_t *zone) { &nsec3chain->nsec3param, &buildnsecchain); if (result != ISC_R_SUCCESS) { - dns_zone_log(zone, ISC_LOG_ERROR, - "zone_nsec3chain:" - "need_nsec_chain -> %s", - dns_result_totext(result)); + dnssec_log(zone, ISC_LOG_ERROR, + "zone_nsec3chain:" + "need_nsec_chain -> %s", + dns_result_totext(result)); goto failure; } } if (first) { - dns_zone_log(zone, ISC_LOG_DEBUG(3), "zone_nsec3chain:" - "buildnsecchain = %u\n", buildnsecchain); + dnssec_log(zone, ISC_LOG_DEBUG(3), + "zone_nsec3chain:buildnsecchain = %u\n", + buildnsecchain); } dns_dbiterator_current(nsec3chain->dbiterator, &node, name); 
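Review bot: The rewritten debug message in the `if (first)` block of zone_nsec3chain keeps a trailing newline, `"zone_nsec3chain:buildnsecchain = %u\n"`, which none of the other messages converted to `dnssec_log` on this page carry and which will leave an empty line (or an embedded newline under syslog) after the entry. Since the line is being rewritten anyway, drop it: `dnssec_log(zone, ISC_LOG_DEBUG(3), "zone_nsec3chain:buildnsecchain = %u", buildnsecchain);`. If `buildnsecchain` is a `bool`, as the name and the `&buildnsecchain` out-parameter passed to need_nsec_chain suggest, `%u` is also the wrong conversion for it and would be flagged once the wrapper is format-checked; `%s` with `buildnsecchain ? "true" : "false"` avoids that. zone_nsec3chain itself starts and ends outside this hunk.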
@@ -8037,10 +8036,10 @@ zone_nsec3chain(dns_zone_t *zone) { true, privatetype, ¶m_diff); if (result != ISC_R_SUCCESS) { - dns_zone_log(zone, ISC_LOG_ERROR, - "zone_nsec3chain:" - "fixup_nsec3param -> %s", - dns_result_totext(result)); + dnssec_log(zone, ISC_LOG_ERROR, + "zone_nsec3chain:" + "fixup_nsec3param -> %s", + dns_result_totext(result)); goto failure; } } @@ -8052,10 +8051,10 @@ zone_nsec3chain(dns_zone_t *zone) { &nsec3chain->nsec3param, &nsec3_diff); if (result != ISC_R_SUCCESS) { - dns_zone_log(zone, ISC_LOG_ERROR, - "zone_nsec3chain:" - "deletematchingnsec3 -> %s", - dns_result_totext(result)); + dnssec_log(zone, ISC_LOG_ERROR, + "zone_nsec3chain:" + "deletematchingnsec3 -> %s", + dns_result_totext(result)); goto failure; } goto next_removenode; @@ -8161,27 +8160,26 @@ zone_nsec3chain(dns_zone_t *zone) { privatetype, ¶m_diff); if (result != ISC_R_SUCCESS) { - dns_zone_log(zone, ISC_LOG_ERROR, - "zone_nsec3chain:" - "fixup_nsec3param -> %s", - dns_result_totext(result)); + dnssec_log(zone, ISC_LOG_ERROR, + "zone_nsec3chain:" + "fixup_nsec3param -> %s", + dns_result_totext(result)); goto failure; } goto next_removechain; } else if (result != ISC_R_SUCCESS) { - dns_zone_log(zone, ISC_LOG_ERROR, - "zone_nsec3chain:" - "dns_dbiterator_next -> %s", - dns_result_totext(result)); + dnssec_log(zone, ISC_LOG_ERROR, + "zone_nsec3chain:" + "dns_dbiterator_next -> %s", + dns_result_totext(result)); goto failure; } else if (delegation) { dns_dbiterator_current(nsec3chain->dbiterator, &node, nextname); dns_db_detachnode(db, &node); - if (!dns_name_issubdomain(nextname, name)) - { + if (!dns_name_issubdomain(nextname, name)) { break; - } + } } else { break; } 
@@ -8211,9 +8209,9 @@ zone_nsec3chain(dns_zone_t *zone) { RUNTIME_CHECK(result == ISC_R_SUCCESS); result = dns_db_allrdatasets(db, node, version, 0, &iterator); if (result != ISC_R_SUCCESS) { - dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:" - "dns_db_allrdatasets -> %s", - dns_result_totext(result)); + dnssec_log(zone, ISC_LOG_ERROR, + "zone_nsec3chain:dns_db_allrdatasets -> %s", + dns_result_totext(result)); goto failure; } for (result = dns_rdatasetiter_first(iterator); @@ -8240,10 +8238,9 @@ zone_nsec3chain(dns_zone_t *zone) { zone->minimum, true, &nsec_diff); if (result != ISC_R_SUCCESS) { - dns_zone_log(zone, ISC_LOG_ERROR, - "zone_nsec3chain:" - "updatesecure -> %s", - dns_result_totext(result)); + dnssec_log(zone, ISC_LOG_ERROR, + "zone_nsec3chain:updatesecure -> %s", + dns_result_totext(result)); goto failure; } } @@ -8258,10 +8255,10 @@ zone_nsec3chain(dns_zone_t *zone) { zone->minimum, false, &nsec3_diff); if (result != ISC_R_SUCCESS) { - dns_zone_log(zone, ISC_LOG_ERROR, - "zone_nsec3chain:" - "dns_nsec3_addnsec3s -> %s", - dns_result_totext(result)); + dnssec_log(zone, ISC_LOG_ERROR, + "zone_nsec3chain:" + "dns_nsec3_addnsec3s -> %s", + dns_result_totext(result)); goto failure; } } @@ -8277,9 +8274,9 @@ zone_nsec3chain(dns_zone_t *zone) { nkeys, zone, inception, expire, 0, now, check_ksk, keyset_kskonly, &zonediff); if (result != ISC_R_SUCCESS) { - dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:" - "dns__zone_updatesigs -> %s", - dns_result_totext(result)); + dnssec_log(zone, ISC_LOG_ERROR, + "zone_nsec3chain:dns__zone_updatesigs -> %s", + dns_result_totext(result)); goto failure; } 
@@ -8291,9 +8288,9 @@ zone_nsec3chain(dns_zone_t *zone) { nkeys, zone, inception, expire, 0, now, check_ksk, keyset_kskonly, &zonediff); if (result != ISC_R_SUCCESS) { - dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:" - "dns__zone_updatesigs -> %s", - dns_result_totext(result)); + dnssec_log(zone, ISC_LOG_ERROR, + "zone_nsec3chain:dns__zone_updatesigs -> %s", + dns_result_totext(result)); goto failure; } @@ -8301,9 +8298,9 @@ zone_nsec3chain(dns_zone_t *zone) { result = updatesecure(db, version, &zone->origin, zone->minimum, false, &nsec_diff); if (result != ISC_R_SUCCESS) { - dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:" - "updatesecure -> %s", - dns_result_totext(result)); + dnssec_log(zone, ISC_LOG_ERROR, + "zone_nsec3chain:updatesecure -> %s", + dns_result_totext(result)); goto failure; } } @@ -8312,9 +8309,9 @@ zone_nsec3chain(dns_zone_t *zone) { nkeys, zone, inception, expire, 0, now, check_ksk, keyset_kskonly, &zonediff); if (result != ISC_R_SUCCESS) { - dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:" - "dns__zone_updatesigs -> %s", - dns_result_totext(result)); + dnssec_log(zone, ISC_LOG_ERROR, + "zone_nsec3chain:dns__zone_updatesigs -> %s", + dns_result_totext(result)); goto failure; } 
@@ -8333,17 +8330,18 @@ zone_nsec3chain(dns_zone_t *zone) { result = del_sigs(zone, db, version, &zone->origin, dns_rdatatype_soa, &zonediff, zone_keys, nkeys, now, false); if (result != ISC_R_SUCCESS) { - dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:" - "del_sigs -> %s", dns_result_totext(result)); + dnssec_log(zone, ISC_LOG_ERROR, + "zone_nsec3chain:del_sigs -> %s", + dns_result_totext(result)); goto failure; } result = update_soa_serial(db, version, zonediff.diff, zone->mctx, zone->updatemethod); if (result != ISC_R_SUCCESS) { - dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:" - "update_soa_serial -> %s", - dns_result_totext(result)); + dnssec_log(zone, ISC_LOG_ERROR, + "zone_nsec3chain:update_soa_serial -> %s", + dns_result_totext(result)); goto failure; } @@ -8351,8 +8349,9 @@ zone_nsec3chain(dns_zone_t *zone) { zonediff.diff, zone_keys, nkeys, zone->mctx, inception, soaexpire, check_ksk, keyset_kskonly); if (result != ISC_R_SUCCESS) { - dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:" - "add_sigs -> %s", dns_result_totext(result)); + dnssec_log(zone, ISC_LOG_ERROR, + "zone_nsec3chain:add_sigs -> %s", + dns_result_totext(result)); goto failure; } @@ -8399,8 +8398,8 @@ zone_nsec3chain(dns_zone_t *zone) { failure: if (result != ISC_R_SUCCESS) { - dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain: %s", - dns_result_totext(result)); + dnssec_log(zone, ISC_LOG_ERROR, "zone_nsec3chain: %s", + dns_result_totext(result)); } /* @@ -8657,9 +8656,9 @@ zone_sign(dns_zone_t *zone) { result = dns_db_newversion(db, &version); if (result != ISC_R_SUCCESS) { - dns_zone_log(zone, ISC_LOG_ERROR, - "zone_sign:dns_db_newversion -> %s", - dns_result_totext(result)); + dnssec_log(zone, ISC_LOG_ERROR, + "zone_sign:dns_db_newversion -> %s", + dns_result_totext(result)); goto cleanup; } 
@@ -8668,9 +8667,9 @@ zone_sign(dns_zone_t *zone) { result = dns__zone_findkeys(zone, db, version, now, zone->mctx, DNS_MAXZONEKEYS, zone_keys, &nkeys); if (result != ISC_R_SUCCESS) { - dns_zone_log(zone, ISC_LOG_ERROR, - "zone_sign:dns__zone_findkeys -> %s", - dns_result_totext(result)); + dnssec_log(zone, ISC_LOG_ERROR, + "zone_sign:dns__zone_findkeys -> %s", + dns_result_totext(result)); goto cleanup; } @@ -8960,9 +8959,8 @@ zone_sign(dns_zone_t *zone) { false, &post_diff); if (result != ISC_R_SUCCESS) { - dns_zone_log(zone, - ISC_LOG_ERROR, - "updatesecure -> %s", + dnssec_log(zone, ISC_LOG_ERROR, + "updatesecure -> %s", dns_result_totext(result)); goto cleanup; } @@ -8973,17 +8971,18 @@ zone_sign(dns_zone_t *zone) { zone->minimum, &post_diff); if (result != ISC_R_SUCCESS) { - dns_zone_log(zone, ISC_LOG_ERROR, - "updatesignwithkey -> %s", - dns_result_totext(result)); + dnssec_log(zone, ISC_LOG_ERROR, + "updatesignwithkey -> %s", + dns_result_totext(result)); goto cleanup; } build_nsec = false; goto next_signing; } else if (result != ISC_R_SUCCESS) { - dns_zone_log(zone, ISC_LOG_ERROR, - "zone_sign:dns_dbiterator_next -> %s", - dns_result_totext(result)); + dnssec_log(zone, ISC_LOG_ERROR, + "zone_sign:" + "dns_dbiterator_next -> %s", + dns_result_totext(result)); goto cleanup; } else if (is_bottom_of_zone) { dns_dbiterator_current(signing->dbiterator, @@ -9011,9 +9010,9 @@ zone_sign(dns_zone_t *zone) { check_ksk, keyset_kskonly, &zonediff); if (result != ISC_R_SUCCESS) { - dns_zone_log(zone, ISC_LOG_ERROR, "zone_sign:" - "dns__zone_updatesigs -> %s", - dns_result_totext(result)); + dnssec_log(zone, ISC_LOG_ERROR, + "zone_sign:dns__zone_updatesigs -> %s", + dns_result_totext(result)); goto cleanup; } } 
@@ -9034,18 +9033,17 @@ zone_sign(dns_zone_t *zone) { result = del_sigs(zone, db, version, &zone->origin, dns_rdatatype_soa, &zonediff, zone_keys, nkeys, now, false); if (result != ISC_R_SUCCESS) { - dns_zone_log(zone, ISC_LOG_ERROR, - "zone_sign:del_sigs -> %s", - dns_result_totext(result)); + dnssec_log(zone, ISC_LOG_ERROR, "zone_sign:del_sigs -> %s", + dns_result_totext(result)); goto cleanup; } result = update_soa_serial(db, version, zonediff.diff, zone->mctx, zone->updatemethod); if (result != ISC_R_SUCCESS) { - dns_zone_log(zone, ISC_LOG_ERROR, - "zone_sign:update_soa_serial -> %s", - dns_result_totext(result)); + dnssec_log(zone, ISC_LOG_ERROR, + "zone_sign:update_soa_serial -> %s", + dns_result_totext(result)); goto cleanup; } @@ -9057,9 +9055,8 @@ zone_sign(dns_zone_t *zone) { zonediff.diff, zone_keys, nkeys, zone->mctx, inception, soaexpire, check_ksk, keyset_kskonly); if (result != ISC_R_SUCCESS) { - dns_zone_log(zone, ISC_LOG_ERROR, - "zone_sign:add_sigs -> %s", - dns_result_totext(result)); + dnssec_log(zone, ISC_LOG_ERROR, "zone_sign:add_sigs -> %s", + dns_result_totext(result)); goto cleanup; } @@ -9114,8 +9111,8 @@ zone_sign(dns_zone_t *zone) { failure: if (result != ISC_R_SUCCESS) { - dns_zone_log(zone, ISC_LOG_ERROR, "zone_sign: failed: %s", - dns_result_totext(result)); + dnssec_log(zone, ISC_LOG_ERROR, "zone_sign: failed: %s", + dns_result_totext(result)); } cleanup: @@ -9426,9 +9423,9 @@ revocable(dns_keyfetch_t *kfetch, dns_rdata_keydata_t *keydata) { &sigrr, dns_fixedname_name(&fixed)); - dns_zone_log(kfetch->zone, ISC_LOG_DEBUG(3), - "Confirm revoked DNSKEY is self-signed: " - "%s", dns_result_totext(result)); + dnssec_log(kfetch->zone, ISC_LOG_DEBUG(3), + "Confirm revoked DNSKEY is self-signed: %s", + dns_result_totext(result)); if (result == ISC_R_SUCCESS) { answer = true; 
@@ -9519,26 +9516,26 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESHING); } - dns_zone_log(zone, ISC_LOG_DEBUG(3), - "Returned from key fetch in keyfetch_done() for " - "'%s': %s", namebuf, dns_result_totext(eresult)); + dnssec_log(zone, ISC_LOG_DEBUG(3), + "Returned from key fetch in keyfetch_done() for '%s': %s", + namebuf, dns_result_totext(eresult)); /* Fetch failed */ if (eresult != ISC_R_SUCCESS || !dns_rdataset_isassociated(&kfetch->dnskeyset)) { - dns_zone_log(zone, ISC_LOG_WARNING, - "Unable to fetch DNSKEY set " - "'%s': %s", namebuf, dns_result_totext(eresult)); + dnssec_log(zone, ISC_LOG_WARNING, + "Unable to fetch DNSKEY set '%s': %s", + namebuf, dns_result_totext(eresult)); CHECK(minimal_update(kfetch, ver, &diff)); goto done; } /* No RRSIGs found */ if (!dns_rdataset_isassociated(&kfetch->dnskeysigset)) { - dns_zone_log(zone, ISC_LOG_WARNING, - "No DNSKEY RRSIGs found for " - "'%s': %s", namebuf, dns_result_totext(eresult)); + dnssec_log(zone, ISC_LOG_WARNING, + "No DNSKEY RRSIGs found for '%s': %s", + namebuf, dns_result_totext(eresult)); CHECK(minimal_update(kfetch, ver, &diff)); goto done; } @@ -9587,11 +9584,11 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { dns_fixedname_name( &fixed)); - dns_zone_log(zone, ISC_LOG_DEBUG(3), - "Verifying DNSKEY set for zone " - "'%s' using key %d/%d: %s", - namebuf, sig.keyid, sig.algorithm, - dns_result_totext(result)); + dnssec_log(zone, ISC_LOG_DEBUG(3), + "Verifying DNSKEY set for zone " + "'%s' using key %d/%d: %s", + namebuf, sig.keyid, sig.algorithm, + dns_result_totext(result)); if (result == ISC_R_SUCCESS) { kfetch->dnskeyset.trust = 
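Review bot: In the `/* No RRSIGs found */` branch of keyfetch_done the rewritten warning still appends `dns_result_totext(eresult)`, but control only reaches that branch after the preceding `if (eresult != ISC_R_SUCCESS || !dns_rdataset_isassociated(&kfetch->dnskeyset))` has jumped to `done`, so `eresult` is necessarily `ISC_R_SUCCESS` there and the message always ends in ": success" — which reads as if nothing is wrong when a trust anchor's DNSKEY RRset arrived with no RRSIGs at all. Since the commit is rewording this message anyway, drop the misleading suffix: `dnssec_log(zone, ISC_LOG_WARNING, "No DNSKEY RRSIGs found for '%s'", namebuf);`. keyfetch_done begins and ends outside this hunk.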
@@ -9625,9 +9622,9 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { * trusted keys then all we can do is look at any revoked keys. */ if (!secure) { - dns_zone_log(zone, ISC_LOG_DEBUG(3), - "DNSKEY set for zone '%s' could not be verified " - "with current keys", namebuf); + dnssec_log(zone, ISC_LOG_DEBUG(3), + "DNSKEY set for zone '%s' could not be verified " + "with current keys", namebuf); } /* @@ -9679,29 +9676,29 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { } else if (keydata.addhd == 0) { deletekey = true; } else if (keydata.addhd > now) { - dns_zone_log(zone, ISC_LOG_DEBUG(3), - "Pending key %d for zone %s " - "unexpectedly missing " - "restarting 30-day acceptance " - "timer", keytag, namebuf); + dnssec_log(zone, ISC_LOG_DEBUG(3), + "Pending key %d for zone %s " + "unexpectedly missing " + "restarting 30-day acceptance " + "timer", keytag, namebuf); if (keydata.addhd < now + dns_zone_mkey_month) { keydata.addhd = now + dns_zone_mkey_month; } keydata.refresh = refresh_time(kfetch, false); } else if (keydata.removehd == 0) { - dns_zone_log(zone, ISC_LOG_DEBUG(3), - "Active key %d for zone %s " - "unexpectedly missing", - keytag, namebuf); + dnssec_log(zone, ISC_LOG_DEBUG(3), + "Active key %d for zone %s " + "unexpectedly missing", + keytag, namebuf); keydata.refresh = now + dns_zone_mkey_hour; } else if (keydata.removehd <= now) { deletekey = true; - dns_zone_log(zone, ISC_LOG_DEBUG(3), - "Revoked key %d for zone %s " - "missing: deleting from " - "managed keys database", - keytag, namebuf); + dnssec_log(zone, ISC_LOG_DEBUG(3), + "Revoked key %d for zone %s " + "missing: deleting from " + "managed keys database", + keytag, namebuf); } else { keydata.refresh = refresh_time(kfetch, false); } 
@@ -9787,13 +9784,12 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { * it's been revoked? Just remove it */ deletekey = true; - dns_zone_log(zone, ISC_LOG_DEBUG(3), - "Pending key %d " - "for zone %s is now " - "revoked: " - "deleting from the " - "managed keys database", - keytag, namebuf); + dnssec_log(zone, ISC_LOG_DEBUG(3), + "Pending key %d for " + "zone %s is now revoked: " + "deleting from the " + "managed keys database", + keytag, namebuf); } else if (keydata.removehd == 0) { /* * Remove key from secroots. @@ -9811,30 +9807,28 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { DNS_KEYFLAG_REVOKE; } - dns_zone_log(zone, ISC_LOG_INFO, - "Trusted key %d " - "for zone %s is now " - "revoked", - keytag, namebuf); + dnssec_log(zone, ISC_LOG_INFO, + "Trusted key %d for " + "zone %s is now revoked", + keytag, namebuf); } else if (keydata.removehd < now) { /* Scheduled for removal */ deletekey = true; - dns_zone_log(zone, ISC_LOG_INFO, - "Revoked key %d " - "for zone %s removal " - "timer complete: " - "deleting from the " - "managed keys database", - keytag, namebuf); + dnssec_log(zone, ISC_LOG_INFO, + "Revoked key %d for " + "zone %s removal timer " + "complete: deleting from " + "the managed keys database", + keytag, namebuf); } } else if (revoked && keydata.removehd == 0) { - dns_zone_log(zone, ISC_LOG_WARNING, - "Active key %d for zone " - "%s is revoked but " - "did not self-sign; " - "ignoring", keytag, namebuf); - continue; + dnssec_log(zone, ISC_LOG_WARNING, + "Active key %d for zone " + "%s is revoked but " + "did not self-sign; " + "ignoring", keytag, namebuf); + continue; } else if (secure) { if (keydata.removehd != 0) { /* 
@@ -9850,12 +9844,12 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { keydata.addhd = now + dns_zone_mkey_month; - dns_zone_log(zone, ISC_LOG_DEBUG(3), - "Revoked key %d " - "for zone %s " - "has returned: starting " - "30-day acceptance timer", - keytag, namebuf); + dnssec_log(zone, ISC_LOG_DEBUG(3), + "Revoked key %d for " + "zone %s has returned: " + "starting 30-day " + "acceptance timer", + keytag, namebuf); } else if (keydata.addhd > now) { pending++; } else if (keydata.addhd == 0) { @@ -9864,15 +9858,15 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { if (keydata.addhd <= now) { trustkey = true; - dns_zone_log(zone, ISC_LOG_INFO, - "Key %d for zone %s " - "is now trusted (%s)", - keytag, namebuf, - initial - ? "initializing key " - "verified" - : "acceptance timer " - "complete"); + dnssec_log(zone, ISC_LOG_INFO, + "Key %d for zone %s " + "is now trusted (%s)", + keytag, namebuf, + initial + ? "initializing key " + "verified" + : "acceptance timer " + "complete"); } } else if (keydata.addhd > now) { /* @@ -9881,12 +9875,12 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { */ pending++; keydata.addhd = now + dns_zone_mkey_month; - dns_zone_log(zone, ISC_LOG_DEBUG(3), - "Pending key %d " - "for zone %s was " - "not validated: restarting " - "30-day acceptance timer", - keytag, namebuf); + dnssec_log(zone, ISC_LOG_DEBUG(3), + "Pending key %d " + "for zone %s was " + "not validated: restarting " + "30-day acceptance timer", + keytag, namebuf); } if (!deletekey && !newkey) { 
@@ -9905,21 +9899,21 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { newkey = true; if (initializing) { - dns_zone_log(zone, ISC_LOG_WARNING, - "Initializing automatic trust " - "anchor management for zone '%s'; " - "DNSKEY ID %d is now trusted, " - "waiving the normal 30-day " - "waiting period.", - namebuf, keytag); + dnssec_log(zone, ISC_LOG_WARNING, + "Initializing automatic trust " + "anchor management for zone '%s'; " + "DNSKEY ID %d is now trusted, " + "waiving the normal 30-day " + "waiting period.", + namebuf, keytag); trustkey = true; } else { - dns_zone_log(zone, ISC_LOG_INFO, - "New key %d observed " - "for zone '%s': " - "starting 30-day " - "acceptance timer", - keytag, namebuf); + dnssec_log(zone, ISC_LOG_INFO, + "New key %d observed " + "for zone '%s': " + "starting 30-day " + "acceptance timer", + keytag, namebuf); } } else { /* @@ -10021,10 +10015,10 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { failure: if (result != ISC_R_SUCCESS) { - dns_zone_log(zone, ISC_LOG_ERROR, - "error during managed-keys processing (%s): " - "DNSSEC validation may be at risk", - isc_result_totext(result)); + dnssec_log(zone, ISC_LOG_ERROR, + "error during managed-keys processing (%s): " + "DNSSEC validation may be at risk", + isc_result_totext(result)); } dns_diff_clear(&diff); if (ver != NULL) { @@ -10187,10 +10181,10 @@ zone_refreshkeys(dns_zone_t *zone) { char namebuf[DNS_NAME_FORMATSIZE]; dns_name_format(kname, namebuf, sizeof(namebuf)); - dns_zone_log(zone, ISC_LOG_DEBUG(3), - "Creating key fetch in " - "zone_refreshkeys() for '%s'", - namebuf); + dnssec_log(zone, ISC_LOG_DEBUG(3), + "Creating key fetch in " + "zone_refreshkeys() for '%s'", + namebuf); } /* 
@@ -10231,9 +10225,8 @@ zone_refreshkeys(dns_zone_t *zone) { dns_rdataset_disassociate(&kfetch->keydataset); dns_name_free(kname, zone->mctx); isc_mem_put(zone->mctx, kfetch, sizeof(dns_keyfetch_t)); - dns_zone_log(zone, ISC_LOG_WARNING, - "Failed to create fetch for " - "DNSKEY update"); + dnssec_log(zone, ISC_LOG_WARNING, + "Failed to create fetch for DNSKEY update"); fetch_err = true; } } @@ -10260,8 +10253,8 @@ zone_refreshkeys(dns_zone_t *zone) { zone_settimer(zone, &timenow); isc_time_formattimestamp(&zone->refreshkeytime, timebuf, 80); - dns_zone_log(zone, ISC_LOG_DEBUG(1), "retry key refresh: %s", - timebuf); + dnssec_log(zone, ISC_LOG_DEBUG(1), "retry key refresh: %s", + timebuf); } else if (!timerset) { isc_time_settoepoch(&zone->refreshkeytime); } @@ -14194,6 +14187,15 @@ zone_debuglog(dns_zone_t *zone, const char *me, int debuglevel, va_end(ap); } +static void +dnssec_log(dns_zone_t *zone, int level, const char *fmt, ...) { + va_list ap; + + va_start(ap, fmt); + dns_zone_logv(zone, DNS_LOGCATEGORY_DNSSEC, level, NULL, fmt, ap); + va_end(ap); +} + static int message_count(dns_message_t *msg, dns_section_t section, dns_rdatatype_t type) { @@ -17702,9 +17704,9 @@ dns_zone_signwithkey(dns_zone_t *zone, dns_secalg_t algorithm, isc_result_t result; REQUIRE(DNS_ZONE_VALID(zone)); - dns_zone_log(zone, ISC_LOG_NOTICE, - "dns_zone_signwithkey(algorithm=%u, keyid=%u)", - algorithm, keyid); + dnssec_log(zone, ISC_LOG_NOTICE, + "dns_zone_signwithkey(algorithm=%u, keyid=%u)", + algorithm, keyid); LOCK_ZONE(zone); result = zone_signwithkey(zone, algorithm, keyid, deleteit); UNLOCK_ZONE(zone); 
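Review bot: The new `dnssec_log` is a printf-style variadic wrapper defined without an `ISC_FORMAT_PRINTF(3, 4)` annotation, so the compiler's format/argument checking that applied to the `dns_zone_log` calls being replaced (assuming that function is annotated in zone.h like the other logging helpers) no longer covers any of the converted call sites. The converted messages print key tags and a time difference built from `next.resign - timenow - zone->sigresigninginterval` with `%d`, and a flag with `%u`; if those are the unsigned or boolean types their names suggest, that is exactly what `-Wformat` would now miss. Add a forward declaration next to the file's other static log helpers, `static void dnssec_log(dns_zone_t *zone, int level, const char *fmt, ...) ISC_FORMAT_PRINTF(3, 4);`, so the definition is checked the way `zone_debuglog` presumably is.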
@@ -17727,10 +17729,9 @@ dns_zone_addnsec3chain(dns_zone_t *zone, dns_rdata_nsec3param_t *nsec3param) { result = dns_nsec3param_salttotext(nsec3param, salt, sizeof(salt)); RUNTIME_CHECK(result == ISC_R_SUCCESS); - dns_zone_log(zone, ISC_LOG_NOTICE, - "dns_zone_addnsec3chain(hash=%u, iterations=%u, salt=%s)", - nsec3param->hash, nsec3param->iterations, - salt); + dnssec_log(zone, ISC_LOG_NOTICE, + "dns_zone_addnsec3chain(hash=%u, iterations=%u, salt=%s)", + nsec3param->hash, nsec3param->iterations, salt); LOCK_ZONE(zone); result = zone_addnsec3chain(zone, nsec3param); UNLOCK_ZONE(zone); @@ -17858,15 +17859,6 @@ zone_signwithkey(dns_zone_t *zone, dns_secalg_t algorithm, uint16_t keyid, return (result); } -static void -logmsg(const char *format, ...) { - va_list args; - va_start(args, format); - isc_log_vwrite(dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_ZONE, - ISC_LOG_DEBUG(1), format, args); - va_end(args); -} - static void clear_keylist(dns_dnsseckeylist_t *list, isc_mem_t *mctx) { dns_dnsseckey_t *key; @@ -18030,9 +18022,9 @@ sign_apex(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, result = dns__zone_findkeys(zone, db, ver, now, zone->mctx, DNS_MAXZONEKEYS, zone_keys, &nkeys); if (result != ISC_R_SUCCESS) { - dns_zone_log(zone, ISC_LOG_ERROR, - "sign_apex:dns__zone_findkeys -> %s", - dns_result_totext(result)); + dnssec_log(zone, ISC_LOG_ERROR, + "sign_apex:dns__zone_findkeys -> %s", + dns_result_totext(result)); return (result); } @@ -18069,9 +18061,9 @@ sign_apex(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_rdatatype_dnskey, zonediff, zone_keys, nkeys, now, false); if (result != ISC_R_SUCCESS) { - dns_zone_log(zone, ISC_LOG_ERROR, - "sign_apex:del_sigs -> %s", - dns_result_totext(result)); + dnssec_log(zone, ISC_LOG_ERROR, + "sign_apex:del_sigs -> %s", + dns_result_totext(result)); goto failure; } result = add_sigs(db, ver, &zone->origin, dns_rdatatype_dnskey, 
@@ -18079,9 +18071,9 @@ sign_apex(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, inception, keyexpire, check_ksk, keyset_kskonly); if (result != ISC_R_SUCCESS) { - dns_zone_log(zone, ISC_LOG_ERROR, - "sign_apex:add_sigs -> %s", - dns_result_totext(result)); + dnssec_log(zone, ISC_LOG_ERROR, + "sign_apex:add_sigs -> %s", + dns_result_totext(result)); goto failure; } } @@ -18091,9 +18083,9 @@ sign_apex(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, check_ksk, keyset_kskonly, zonediff); if (result != ISC_R_SUCCESS) { - dns_zone_log(zone, ISC_LOG_ERROR, - "sign_apex:dns__zone_updatesigs -> %s", - dns_result_totext(result)); + dnssec_log(zone, ISC_LOG_ERROR, + "sign_apex:dns__zone_updatesigs -> %s", + dns_result_totext(result)); goto failure; } @@ -18154,7 +18146,7 @@ dnskey_sane(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, /* Refuse to allow NSEC3 with NSEC-only keys */ if (nseconly && nsec3) { - dns_zone_log(zone, ISC_LOG_ERROR, + dnssec_log(zone, ISC_LOG_ERROR, "NSEC only DNSKEYs and NSEC3 chains not allowed"); goto failure; } @@ -18241,6 +18233,15 @@ add_chains(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, return (result); } +static void +dnssec_report(const char *format, ...) { + va_list args; + va_start(args, format); + isc_log_vwrite(dns_lctx, DNS_LOGCATEGORY_DNSSEC, DNS_LOGMODULE_ZONE, + ISC_LOG_DEBUG(1), format, args); + va_end(args); +} + static void zone_rekey(dns_zone_t *zone) { isc_result_t result; @@ -18287,7 +18288,7 @@ zone_rekey(dns_zone_t *zone) { TIME_NOW(&timenow); now = isc_time_seconds(&timenow); - dns_zone_log(zone, ISC_LOG_INFO, "reconfiguring zone keys"); + dnssec_log(zone, ISC_LOG_INFO, "reconfiguring zone keys"); /* Get the SOA record's TTL */ CHECK(dns_db_findrdataset(db, node, ver, dns_rdatatype_soa, 
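Review bot: `dnssec_report` has the same gap: it is a variadic printf-style function with no `ISC_FORMAT_PRINTF(1, 2)` annotation, and because it is only ever handed to `dns_dnssec_updatekeys` as the `report` callback, the call sites inside dnssec.c are format-checked only if the callback typedef in dnssec.h carries the attribute. The `report("Key %s: Delaying activation to match the DNSKEY TTL.\n", keystr, ttl)` call visible further down this page, with one conversion for two arguments, is the kind of mismatch that currently slips through. Declare it as `static void dnssec_report(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);` and confirm the typedef is annotated as well.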
@@ -18338,16 +18339,16 @@ zone_rekey(dns_zone_t *zone) { result = dns_dnssec_updatekeys(&dnskeys, &keys, &rmkeys, &zone->origin, ttl, &diff, - !check_ksk, - mctx, logmsg); + !check_ksk, mctx, + dnssec_report); /* * Keys couldn't be updated for some reason; * try again later. */ if (result != ISC_R_SUCCESS) { - dns_zone_log(zone, ISC_LOG_ERROR, "zone_rekey:" - "couldn't update zone keys: %s", - isc_result_totext(result)); + dnssec_log(zone, ISC_LOG_ERROR, + "zone_rekey:couldn't update zone keys: %s", + isc_result_totext(result)); goto failure; } @@ -18358,9 +18359,9 @@ zone_rekey(dns_zone_t *zone) { &cdnskeyset, now, ttl, &diff, mctx); if (result != ISC_R_SUCCESS) { - dns_zone_log(zone, ISC_LOG_ERROR, "zone_rekey:" - "couldn't update CDS/CDNSKEY: %s", - isc_result_totext(result)); + dnssec_log(zone, ISC_LOG_ERROR, + "zone_rekey:couldn't update CDS/CDNSKEY: %s", + isc_result_totext(result)); goto failure; } @@ -18440,9 +18441,9 @@ zone_rekey(dns_zone_t *zone) { dst_key_id(key->key), true); if (result != ISC_R_SUCCESS) { - dns_zone_log(zone, ISC_LOG_ERROR, - "zone_signwithkey failed: %s", - dns_result_totext(result)); + dnssec_log(zone, ISC_LOG_ERROR, + "zone_signwithkey failed: %s", + dns_result_totext(result)); } } } @@ -18465,9 +18466,9 @@ zone_rekey(dns_zone_t *zone) { dst_key_id(key->key), false); if (result != ISC_R_SUCCESS) { - dns_zone_log(zone, ISC_LOG_ERROR, - "zone_signwithkey failed: %s", - dns_result_totext(result)); + dnssec_log(zone, ISC_LOG_ERROR, + "zone_signwithkey failed: %s", + dns_result_totext(result)); } } } else if (newalg) { @@ -18490,9 +18491,9 @@ zone_rekey(dns_zone_t *zone) { dst_key_id(key->key), false); if (result != ISC_R_SUCCESS) { - dns_zone_log(zone, ISC_LOG_ERROR, - "zone_signwithkey failed: %s", - dns_result_totext(result)); + dnssec_log(zone, ISC_LOG_ERROR, + "zone_signwithkey failed: %s", + dns_result_totext(result)); } } } 
@@ -18535,9 +18536,9 @@ zone_rekey(dns_zone_t *zone) { result = zone_addnsec3chain(zone, &nsec3param); if (result != ISC_R_SUCCESS) { - dns_zone_log(zone, ISC_LOG_ERROR, - "zone_addnsec3chain failed: %s", - dns_result_totext(result)); + dnssec_log(zone, ISC_LOG_ERROR, + "zone_addnsec3chain failed: %s", + dns_result_totext(result)); } } @@ -18596,7 +18597,7 @@ zone_rekey(dns_zone_t *zone) { zone_settimer(zone, &timenow); isc_time_formattimestamp(&zone->refreshkeytime, timebuf, 80); - dns_zone_log(zone, ISC_LOG_INFO, "next key event: %s", timebuf); + dnssec_log(zone, ISC_LOG_INFO, "next key event: %s", timebuf); } result = ISC_R_SUCCESS; @@ -19063,9 +19064,9 @@ keydone(isc_task_t *task, isc_event_t *event) { dns_db_currentversion(db, &oldver); result = dns_db_newversion(db, &newver); if (result != ISC_R_SUCCESS) { - dns_zone_log(zone, ISC_LOG_ERROR, - "keydone:dns_db_newversion -> %s", - dns_result_totext(result)); + dnssec_log(zone, ISC_LOG_ERROR, + "keydone:dns_db_newversion -> %s", + dns_result_totext(result)); goto failure; } @@ -19286,9 +19287,9 @@ setnsec3param(isc_task_t *task, isc_event_t *event) { result = dns_db_newversion(db, &newver); if (result != ISC_R_SUCCESS) { ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read); - dns_zone_log(zone, ISC_LOG_ERROR, - "setnsec3param:dns_db_newversion -> %s", - dns_result_totext(result)); + dnssec_log(zone, ISC_LOG_ERROR, + "setnsec3param:dns_db_newversion -> %s", + dns_result_totext(result)); goto failure; } @@ -19825,9 +19826,8 @@ dns_zone_verifydb(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver) { } if (result != ISC_R_SUCCESS) { - dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, ISC_LOG_ERROR, - "zone verification failed: %s", - isc_result_totext(result)); + dnssec_log(zone, ISC_LOG_ERROR, "zone verification failed: %s", + isc_result_totext(result)); result = DNS_R_VERIFYFAILURE; } From e3fe19df552fb9f94102727ae0fcb9fccbadb3bc Mon Sep 17 00:00:00 2001 
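Review bot: Moving the `zone verification failed: %s` message in dns_zone_verifydb from `DNS_LOGCATEGORY_ZONELOAD` to the dnssec category is an operator-visible change: this is the error that turns a failed signature check into `DNS_R_VERIFYFAILURE` and rejects the zone, and a `logging` configuration that routes `category zoneload` to a dedicated channel will stop receiving it while a `dnssec` channel may not exist. Consider keeping this one under zoneload, since it is a load-time rejection rather than a key-maintenance event, and in any case note the category move in the changelog and the ARM logging reference. The same consideration applies to the `signed dynamic zone has no resign event scheduled` warning moved out of zoneload in zone_postload earlier in this diff. dns_zone_verifydb begins outside this hunk.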
From: Evan Hunt Date: Sun, 20 Jan 2019 17:31:28 -0800 Subject: [PATCH 3/7] increase the log level for some key status and managed-key events some key-related events were logged at DEBUG(3) but seem likely to be relevant to a typical operator's interests during key rollovers. --- lib/dns/zone.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/lib/dns/zone.c b/lib/dns/zone.c index e69e4f55d8..7e6eaf9bf4 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -9622,7 +9622,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { * trusted keys then all we can do is look at any revoked keys. */ if (!secure) { - dnssec_log(zone, ISC_LOG_DEBUG(3), + dnssec_log(zone, ISC_LOG_INFO, "DNSKEY set for zone '%s' could not be verified " "with current keys", namebuf); } @@ -9676,7 +9676,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { } else if (keydata.addhd == 0) { deletekey = true; } else if (keydata.addhd > now) { - dnssec_log(zone, ISC_LOG_DEBUG(3), + dnssec_log(zone, ISC_LOG_INFO, "Pending key %d for zone %s " "unexpectedly missing " "restarting 30-day acceptance " @@ -9687,14 +9687,14 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { } keydata.refresh = refresh_time(kfetch, false); } else if (keydata.removehd == 0) { - dnssec_log(zone, ISC_LOG_DEBUG(3), + dnssec_log(zone, ISC_LOG_INFO, "Active key %d for zone %s " "unexpectedly missing", keytag, namebuf); keydata.refresh = now + dns_zone_mkey_hour; } else if (keydata.removehd <= now) { deletekey = true; - dnssec_log(zone, ISC_LOG_DEBUG(3), + dnssec_log(zone, ISC_LOG_INFO, "Revoked key %d for zone %s " "missing: deleting from " "managed keys database", @@ -9784,7 +9784,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { * it's been revoked? Just remove it */ deletekey = true; - dnssec_log(zone, ISC_LOG_DEBUG(3), + dnssec_log(zone, ISC_LOG_INFO, "Pending key %d for " "zone %s is now revoked: " "deleting from the " 
@@ -9844,7 +9844,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { keydata.addhd = now + dns_zone_mkey_month; - dnssec_log(zone, ISC_LOG_DEBUG(3), + dnssec_log(zone, ISC_LOG_INFO, "Revoked key %d for " "zone %s has returned: " "starting 30-day " @@ -9875,7 +9875,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { */ pending++; keydata.addhd = now + dns_zone_mkey_month; - dnssec_log(zone, ISC_LOG_DEBUG(3), + dnssec_log(zone, ISC_LOG_INFO, "Pending key %d " "for zone %s was " "not validated: restarting " @@ -18238,7 +18238,7 @@ dnssec_report(const char *format, ...) { va_list args; va_start(args, format); isc_log_vwrite(dns_lctx, DNS_LOGCATEGORY_DNSSEC, DNS_LOGMODULE_ZONE, - ISC_LOG_DEBUG(1), format, args); + ISC_LOG_INFO, format, args); va_end(args); } From 7fa6b88d9bf13125e23cca8b3db6b9890b1e223a Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Sun, 20 Jan 2019 19:37:40 -0800 Subject: [PATCH 4/7] include the name when logging that a key is being fetched from key repostitory --- lib/dns/dnssec.c | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c index 322a92d524..6dd7a9e37f 100644 --- a/lib/dns/dnssec.c +++ b/lib/dns/dnssec.c 
@@ -1818,23 +1818,20 @@ publish_key(dns_diff_t *diff, dns_dnsseckey_t *key, const dns_name_t *origin,
 isc_result_t result;
 dns_difftuple_t *tuple = NULL;
 unsigned char buf[DST_KEY_MAXSIZE];
+ char keystr[DST_KEY_FORMATSIZE];
 dns_rdata_t dnskey = DNS_RDATA_INIT;
- char alg[80];
 dns_rdata_reset(&dnskey);
 RETERR(make_dnskey(key->key, buf, sizeof(buf), &dnskey));
+ dst_key_format(key->key, keystr, sizeof(keystr));
- dns_secalg_format(dst_key_alg(key->key), alg, sizeof(alg));
- report("Fetching %s %d/%s from key %s.",
- key->ksk ? (allzsk ? "KSK/ZSK" : "KSK") : "ZSK",
- dst_key_id(key->key), alg,
+ report("Fetching %s (%s) from key %s.",
+ keystr, key->ksk ? (allzsk ? "KSK/ZSK" : "KSK") : "ZSK",
 key->source == dns_keysource_user ? "file" : "repository");
 if (key->prepublish && ttl > key->prepublish) {
- char keystr[DST_KEY_FORMATSIZE];
 isc_stdtime_t now;
- dst_key_format(key->key, keystr, sizeof(keystr));
 report("Key %s: Delaying activation to match the DNSKEY TTL.\n",
 keystr, ttl);
From 3c75d5d7c5139d47e731b912e11c45bf22ad6e0a Mon Sep 17 00:00:00 2001
From: Evan Hunt
Date: Sun, 20 Jan 2019 20:05:58 -0800
Subject: [PATCH 5/7] add more key maintenance event logging
log when a key is:
- published in the DNSKEY rrset
- activated
- deactivated
- unpublished from the DNSKEY rrset
- revoked
---
 lib/dns/dnssec.c | 62 +++++++++++++++++++++++++++++++++++-
 lib/dns/include/dns/dnssec.h | 32 +++++++++----------
 2 files changed, 77 insertions(+), 17 deletions(-)
diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c
index 6dd7a9e37f..437778460b 100644
--- a/lib/dns/dnssec.c
+++ b/lib/dns/dnssec.c
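Review bot: The call `report("Key %s: Delaying activation to match the DNSKEY TTL.\n", keystr, ttl);` at the end of the hunk passes two arguments to a format that consumes only one `%s`; the commit hoists keystr out of this block for its own use but leaves the unused `ttl` argument and the trailing newline, which the logging backend does not need. Either drop `ttl` or make the message say what it was evidently meant to, e.g. `report("Key %s: Delaying activation to match the DNSKEY TTL (%u).", keystr, ttl);` with a conversion matching ttl's declared type, which is not visible in this hunk. Excess arguments are evaluated and ignored at runtime, so nothing breaks, but if report is the callback pointer it appears to be, compile-time format checking cannot flag the mismatch. publish_key continues past the end of the hunk.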
@@ -1826,7 +1826,7 @@ publish_key(dns_diff_t *diff, dns_dnsseckey_t *key, const dns_name_t *origin,
 dst_key_format(key->key, keystr, sizeof(keystr));
 report("Fetching %s (%s) from key %s.",
- keystr, key->ksk ? (allzsk ? "KSK/ZSK" : "KSK") : "ZSK",
+ keystr, key->ksk ? (allzsk ? "KSK/ZSK" : "KSK") : "ZSK",
 key->source == dns_keysource_user ? "file" : "repository");
 if (key->prepublish && ttl > key->prepublish) {
@@ -2089,6 +2089,8 @@ dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys,
 */
 for (key1 = ISC_LIST_HEAD(*newkeys); key1 != NULL; key1 = next) {
 bool key_revoked = false;
+ char keystr1[DST_KEY_FORMATSIZE];
+ char keystr2[DST_KEY_FORMATSIZE];
 next = ISC_LIST_NEXT(key1, link);
@@ -2114,6 +2116,9 @@ dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys,
 }
 }
+ /* Printable version of key1 (the newly aquired key) */
+ dst_key_format(key1->key, keystr1, sizeof(keystr1));
+
 /* No match found in keys; add the new key. */
 if (key2 == NULL) {
 ISC_LIST_UNLINK(*newkeys, key1, link);
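Review bot: The comment added in the third hunk, `/* Printable version of key1 (the newly aquired key) */`, has a typo and should read `/* Printable version of key1 (the newly acquired key) */`. The companion comment for key2 in the following hunk is spelled correctly, so only this line needs the fix. The for loop over newkeys opens in the previous hunk and continues past this one.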
@@ -2124,21 +2129,49 @@ dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys,
 {
 RETERR(publish_key(diff, key1, origin, ttl, mctx, allzsk, report));
+ isc_log_write(dns_lctx,
+ DNS_LOGCATEGORY_DNSSEC,
+ DNS_LOGMODULE_DNSSEC,
+ ISC_LOG_INFO,
+ "DNSKEY %s (%s) is now published",
+ keystr1, key1->ksk ?
+ (allzsk ? "KSK/ZSK" : "KSK") :
+ "ZSK");
 if (key1->hint_sign || key1->force_sign) {
 key1->first_sign = true;
+ isc_log_write(dns_lctx,
+ DNS_LOGCATEGORY_DNSSEC,
+ DNS_LOGMODULE_DNSSEC,
+ ISC_LOG_INFO,
+ "DNSKEY %s (%s) is now "
+ "active",
+ keystr1, key1->ksk ?
+ (allzsk ? "KSK/ZSK" :
+ "KSK") : "ZSK");
 }
 }
 continue;
 }
+ /* Printable version of key2 (the old key, if any) */
+ dst_key_format(key2->key, keystr2, sizeof(keystr2));
+
 /* Match found: remove or update it as needed */
 if (key1->hint_remove) {
 RETERR(remove_key(diff, key2, origin, ttl, mctx, "expired", report));
 ISC_LIST_UNLINK(*keys, key2, link);
+
 if (removed != NULL) {
 ISC_LIST_APPEND(*removed, key2, link);
+ isc_log_write(dns_lctx,
+ DNS_LOGCATEGORY_DNSSEC,
+ DNS_LOGMODULE_DNSSEC,
+ ISC_LOG_INFO,
+ "DNSKEY %s (%s) is now deleted",
+ keystr2, key2->ksk ? (allzsk ?
+ "KSK/ZSK" : "KSK") : "ZSK");
 } else {
 dns_dnsseckey_destroy(mctx, &key2);
 }
@@ -2156,6 +2189,15 @@ dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys,
 ISC_LIST_UNLINK(*keys, key2, link);
 if (removed != NULL) {
 ISC_LIST_APPEND(*removed, key2, link);
+ isc_log_write(dns_lctx,
+ DNS_LOGCATEGORY_DNSSEC,
+ DNS_LOGMODULE_DNSSEC,
+ ISC_LOG_INFO,
+ "DNSKEY %s (%s) is now revoked; "
+ "new ID is %05d",
+ keystr2, key2->ksk ? (allzsk ?
+ "KSK/ZSK" : "KSK") : "ZSK",
+ dst_key_id(key1->key));
 } else {
 dns_dnsseckey_destroy(mctx, &key2);
 }
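Review bot: The `DNSKEY %s (%s) is now deleted` message in the first hunk is written only inside `if (removed != NULL)`, so a caller that passes no removed list has the key destroyed with no log line at all, and the `is now revoked` message in the second hunk (@@ -2156) has the same placement. The event being recorded is the unpublication or revocation itself, not the hand-off to the caller's list, so each isc_log_write() belongs just above its `if (removed != NULL)`, where keystr2 and key2 are still valid, so that both branches produce the audit line. Moving the call is the same lines one level up; no other change is needed. The loop body and dns_dnssec_updatekeys continue outside the hunk.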
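Review bot: The key-type label expression `key2->ksk ? (allzsk ? "KSK/ZSK" : "KSK") : "ZSK"` in the second hunk is now repeated, with different line breaks each time, in every new isc_log_write() in this series and in publish_key. A one-line file-scope helper such as `static const char *keytype_str(const dns_dnsseckey_t *k, bool allzsk) { return k->ksk ? (allzsk ? "KSK/ZSK" : "KSK") : "ZSK"; }` would reduce each call to `keytype_str(key2, allzsk)` and keep the wording in one place. This is a readability point only; behaviour is unchanged.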
@@ -2180,7 +2222,25 @@ dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys,
 (key1->hint_sign || key1->force_sign))
 {
 key2->first_sign = true;
+ isc_log_write(dns_lctx,
+ DNS_LOGCATEGORY_DNSSEC,
+ DNS_LOGMODULE_DNSSEC,
+ ISC_LOG_INFO,
+ "DNSKEY %s (%s) is now active",
+ keystr1, key1->ksk ? (allzsk ?
+ "KSK/ZSK" : "KSK") : "ZSK");
+ } else if (key2->is_active &&
+ !key1->hint_sign && !key1->force_sign)
+ {
+ isc_log_write(dns_lctx,
+ DNS_LOGCATEGORY_DNSSEC,
+ DNS_LOGMODULE_DNSSEC,
+ ISC_LOG_INFO,
+ "DNSKEY %s (%s) is now inactive",
+ keystr1, key1->ksk ? (allzsk ?
+ "KSK/ZSK" : "KSK") : "ZSK");
 }
+
 key2->hint_sign = key1->hint_sign;
 key2->hint_publish = key1->hint_publish;
 }
diff --git a/lib/dns/include/dns/dnssec.h b/lib/dns/include/dns/dnssec.h
index e60375e039..a03b3e3af5 100644
--- a/lib/dns/include/dns/dnssec.h
+++ b/lib/dns/include/dns/dnssec.h
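Review bot: The new `else if (key2->is_active && !key1->hint_sign && !key1->force_sign)` branch logs `DNSKEY %s (%s) is now inactive`, but nothing in the hunk clears key2->is_active or otherwise records that the transition has been reported, so unless the caller maintains is_active between runs the line would repeat on every pass in which the key stays inactive. The autosign test added later in this series expects exactly one such line, which suggests the caller does refresh is_active, but that dependency deserves a sentence, e.g. `/* is_active is maintained by the caller; this logs the transition once */` above the branch. The if/else chain and the function continue outside the hunk.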
@@ -49,22 +49,22 @@ typedef enum {
 */
 struct dns_dnsseckey {
 dst_key_t *key;
- bool hint_publish; /*% metadata says to publish */
- bool force_publish; /*% publish regardless of metadata */
- bool hint_sign; /*% metadata says to sign with this key */
- bool force_sign; /*% sign with key regardless of metadata */
- bool hint_remove; /*% metadata says *don't* publish */
- bool is_active; /*% key is already active */
- bool first_sign; /*% key is newly becoming active */
- unsigned int prepublish; /*% how long until active? */
- dns_keysource_t source; /*% how the key was found */
- bool ksk; /*% this is a key-signing key */
- bool legacy; /*% this is old-style key with no metadata (possibly generated by an older version of BIND9) and should be ignored when searching for keys to import into the zone */
- unsigned int index; /*% position in list */
+ bool hint_publish; /*% metadata says to publish */
+ bool force_publish; /*% publish regardless of metadata */
+ bool hint_sign; /*% metadata says to sign with this key */
+ bool force_sign; /*% sign with key regardless of metadata */
+ bool hint_remove; /*% metadata says *don't* publish */
+ bool is_active; /*% key is already active */
+ bool first_sign; /*% key is newly becoming active */
+ unsigned int prepublish; /*% how long until active? */
+ dns_keysource_t source; /*% how the key was found */
+ bool ksk; /*% this is a key-signing key */
+ bool legacy; /*% this is old-style key with no metadata (possibly generated by an older version of BIND9) and should be ignored when searching for keys to import into the zone */
+ unsigned int index; /*% position in list */
 ISC_LINK(dns_dnsseckey_t) link;
 };
From 5c1c2853703fdb1e378c360ef260424cbeb15f4e Mon Sep 17 00:00:00 2001
From: Evan Hunt
Date: Sun, 20 Jan 2019 22:21:16 -0800
Subject: [PATCH 6/7] test logging of key maintenance events
---
 bin/tests/system/autosign/tests.sh | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/bin/tests/system/autosign/tests.sh b/bin/tests/system/autosign/tests.sh
index cf14a00de4..69798cb5d3 100755
--- a/bin/tests/system/autosign/tests.sh
+++ b/bin/tests/system/autosign/tests.sh
@@ -1467,5 +1467,20 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
+echo_i "checking key maintenance events were logged correctly ($n)"
+ret=0
+pub=`grep "DNSKEY .* is now published" ns1/named.run | wc -l`
+[ "$pub" -eq 6 ] || ret=1
+act=`grep "DNSKEY .* is now active" ns1/named.run | wc -l`
+[ "$act" -eq 5 ] || ret=1
+rev=`grep "DNSKEY .* is now revoked" ns1/named.run | wc -l`
+[ "$rev" -eq 1 ] || ret=1
+inac=`grep "DNSKEY .* is now inactive" ns1/named.run | wc -l`
+[ "$inac" -eq 1 ] || ret=1
+del=`grep "DNSKEY .* is now deleted" ns1/named.run | wc -l`
+[ "$del" -eq 1 ] || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
From 33f181ac93da0b9559716b20a168beb101d2485c Mon Sep 17 00:00:00 2001
From: Evan Hunt
Date: Sun, 20 Jan 2019 21:56:14 -0800
Subject: [PATCH 7/7] CHANGES and release note
---
 CHANGES | 8 ++++++++
 doc/arm/notes.xml | 7 +++++++
 2 files changed, 15 insertions(+)
diff --git a/CHANGES b/CHANGES
index 2b646b0583..83846d3877 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,11 @@
+5152. [func] Improved logging of DNSSEC key events:
+ - Zone signing and DNSKEY maintenance events are
+ now logged to the "dnssec" category
+ - Messages are now logged when DNSSEC keys are
+ pubished, activated, inactivated, deleted,
+ or revoked.
+ [GL #714]
+
 5151. [func] Options that have been been marked as obsolete in named.conf for a very long time are now fatal configuration errors. [GL #358]
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index baf98b9bd5..83cdfc2bae 100644
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
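Review bot: Each count check in the tests.sh hunk collapses to `ret=1`, so a failure prints only "failed" and gives no indication which of the five counters was off or by how much. Logging the observed values before the status update, e.g. `echo_i "published=$pub active=$act revoked=$rev inactive=$inac deleted=$del"`, costs one line and makes a regression in any single message path diagnosable from the test output. The expected totals presumably follow from the zones this system test configures, so that line would also document the baseline when those zones change.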
@@ -597,6 +597,13 @@ disables reading of the file $HOME/.digrc.
+
+
+ Zone signing and key maintenance events are now logged to the
+ dnssec category rather than
+ zone.
+
+