Move verifyzone() and its dependencies into lib/dns/zoneverify.c

This commit only moves code around, with the following exceptions:

  - the check_dns_dbiterator_current() macro and functions
    is_delegation() and has_dname() were removed from
    bin/dnssec/dnssectool.{c,h} and duplicated in two locations:
    bin/dnssec/dnssec-signzone.c and lib/dns/zoneverify.c; these
    functions are used both by the code in bin/dnssec/dnssec-signzone.c
    and verifyzone(), but are not a good fit for being exported by a
    code module responsible for zone verification,

  - fatal() and check_result() were duplicated in lib/dns/zoneverify.c
    as static functions which do not use the "program" variable any more
    (as it is only set by the tools in bin/dnssec/); this is a temporary
    step which only aims to prevent compilation from breaking - these
    duplicate functions will be removed once lib/dns/zoneverify.c is
    refactored not to use them,

  - the list of header files included by lib/dns/zoneverify.c was
    expanded to encompass all header files that are actually used by the
    code in that file,

  - a description of the purpose of the commented out "fields" inside
    struct nsec3_chain_fixed was added.

bin/dnssec/dnssec-signzone.c

@@ -76,6 +76,7 @@
 #include <dns/soa.h>
 #include <dns/time.h>
 #include <dns/update.h>
+#include <dns/zoneverify.h>
 
 #include <dst/dst.h>
 
@@ -96,6 +97,10 @@ typedef struct hashlist hashlist_t;
 
 static int nsec_datatype = dns_rdatatype_nsec;
 
+#define check_dns_dbiterator_current(result) \
+	check_result((result == DNS_R_NEWORIGIN) ? ISC_R_SUCCESS : result, \
+		     "dns_dbiterator_current()")
+
 #define IS_NSEC3	(nsec_datatype == dns_rdatatype_nsec3)
 #define OPTOUT(x)	(((x) & DNS_NSEC3FLAG_OPTOUT) != 0)
 
@@ -1042,6 +1047,47 @@ secure(dns_name_t *name, dns_dbnode_t *node) {
 	return (ISC_TF(result == ISC_R_SUCCESS));
 }
 
+static isc_boolean_t
+is_delegation(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
+	      dns_name_t *name, dns_dbnode_t *node, isc_uint32_t *ttlp)
+{
+	dns_rdataset_t nsset;
+	isc_result_t result;
+
+	if (dns_name_equal(name, origin))
+		return (ISC_FALSE);
+
+	dns_rdataset_init(&nsset);
+	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_ns,
+				     0, 0, &nsset, NULL);
+	if (dns_rdataset_isassociated(&nsset)) {
+		if (ttlp != NULL)
+			*ttlp = nsset.ttl;
+		dns_rdataset_disassociate(&nsset);
+	}
+
+	return (ISC_TF(result == ISC_R_SUCCESS));
+}
+
+/*%
+ * Return ISC_TRUE if version 'ver' of database 'db' contains a DNAME RRset at
+ * 'node'; return ISC_FALSE otherwise.
+ */
+static isc_boolean_t
+has_dname(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node) {
+	dns_rdataset_t dnameset;
+	isc_result_t result;
+
+	dns_rdataset_init(&dnameset);
+	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_dname, 0, 0,
+				     &dnameset, NULL);
+	if (dns_rdataset_isassociated(&dnameset)) {
+		dns_rdataset_disassociate(&dnameset);
+	}
+
+	return (ISC_TF(result == ISC_R_SUCCESS));
+}
+
 /*%
  * Signs all records at a name.
  */

bin/dnssec/dnssec-verify.c

@@ -58,6 +58,7 @@
 #include <dns/result.h>
 #include <dns/soa.h>
 #include <dns/time.h>
+#include <dns/zoneverify.h>
 
 #include <dst/dst.h>
 

bin/dnssec/dnssectool.h

@@ -18,11 +18,6 @@
 #include <dns/rdatastruct.h>
 #include <dst/dst.h>
 
-#define check_dns_dbiterator_current(result) \
-	check_result((result == DNS_R_NEWORIGIN) ? ISC_R_SUCCESS : result, \
-		     "dns_dbiterator_current()")
-
-
 typedef void (fatalcallback_t)(void);
 
 ISC_PLATFORM_NORETURN_PRE void
@@ -76,22 +71,6 @@ isc_boolean_t
 key_collision(dst_key_t *key, dns_name_t *name, const char *dir,
 	      isc_mem_t *mctx, isc_boolean_t *exact);
 
-isc_boolean_t
-is_delegation(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
-		      dns_name_t *name, dns_dbnode_t *node, isc_uint32_t *ttlp);
-
-/*%
- * Return ISC_TRUE if version 'ver' of database 'db' contains a DNAME RRset at
- * 'node'; return ISC_FALSE otherwise.
- */
-isc_boolean_t
-has_dname(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node);
-
-void
-verifyzone(dns_db_t *db, dns_dbversion_t *ver,
-		   dns_name_t *origin, isc_mem_t *mctx,
-		   isc_boolean_t ignore_kskflag, isc_boolean_t keyset_kskonly);
-
 isc_boolean_t
 isoptarg(const char *arg, char **argv, void (*usage)(void));
 

lib/dns/Makefile.in

@@ -77,7 +77,8 @@ DNSOBJS =	acl.@O@ adb.@O@ badcache.@O@ byaddr.@O@ \
 		sdlz.@O@ soa.@O@ ssu.@O@ ssu_external.@O@ \
 		stats.@O@ tcpmsg.@O@ time.@O@ timer.@O@ tkey.@O@ \
 		tsec.@O@ tsig.@O@ ttl.@O@ update.@O@ validator.@O@ \
-		version.@O@ view.@O@ xfrin.@O@ zone.@O@ zonekey.@O@ zt.@O@
+		version.@O@ view.@O@ xfrin.@O@ zone.@O@ zonekey.@O@ \
+		zoneverify.@O@ zt.@O@
 PORTDNSOBJS =	client.@O@ ecdb.@O@
 
 OBJS=		@DNSTAPOBJS@ ${DNSOBJS} ${OTHEROBJS} ${DSTOBJS} \
@@ -119,7 +120,8 @@ DNSSRCS =	acl.c adb.c badcache. byaddr.c \
 		sdb.c sdlz.c soa.c ssu.c ssu_external.c \
 		stats.c tcpmsg.c time.c timer.c tkey.c \
 		tsec.c tsig.c ttl.c update.c validator.c \
-		version.c view.c xfrin.c zone.c zonekey.c zt.c ${OTHERSRCS}
+		version.c view.c xfrin.c zone.c zoneverify.c \
+		zonekey.c zt.c ${OTHERSRCS}
 PORTDNSSRCS =	client.c ecdb.c
 
 SRCS = ${DSTSRCS} ${DNSSRCS} ${PORTDNSSRCS} @DNSTAPSRCS@ @GEOIPLINKSRCS@

lib/dns/include/dns/Makefile.in

@@ -31,7 +31,7 @@ HEADERS =	acl.h adb.h badcache.h bit.h byaddr.h \
 		sdb.h sdlz.h secalg.h secproto.h soa.h ssu.h stats.h \
 		tcpmsg.h time.h timer.h tkey.h tsec.h tsig.h ttl.h types.h \
 		update.h validator.h version.h view.h xfrin.h \
-		zone.h zonekey.h zt.h
+		zone.h zonekey.h zoneverify.h zt.h
 
 GENHEADERS =	@DNSTAP_PB_C_H@ enumclass.h enumtype.h rdatastruct.h
 

lib/dns/include/dns/zoneverify.h

@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#pragma once
+
+/*! \file dns/zoneverify.h */
+
+#include <dns/types.h>
+
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/*%
+ * Verify that certain things are sane:
+ *
+ *   The apex has a DNSKEY record with at least one KSK, and at least
+ *   one ZSK if the -x flag was not used.
+ *
+ *   The DNSKEY record was signed with at least one of the KSKs in this
+ *   set.
+ *
+ *   The rest of the zone was signed with at least one of the ZSKs
+ *   present in the DNSKEY RRSET.
+ */
+void
+verifyzone(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
+	   isc_mem_t *mctx, isc_boolean_t ignore_kskflag,
+	   isc_boolean_t keyset_kskonly);
+
+ISC_LANG_ENDDECLS

lib/dns/win32/libdns.def.in

@@ -1334,6 +1334,7 @@ dns_zonemgr_shutdown
 dns_zonemgr_unreachable
 dns_zonemgr_unreachableadd
 dns_zonemgr_unreachabledel
+verifyzone
 dns_zt_apply
 dns_zt_asyncload
 dns_zt_attach

util/copyrights

@@ -3081,6 +3081,7 @@
 ./lib/dns/include/dns/xfrin.h			C	1999,2000,2001,2003,2004,2005,2006,2007,2009,2013,2016,2018
 ./lib/dns/include/dns/zone.h			C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018
 ./lib/dns/include/dns/zonekey.h			C	2001,2004,2005,2006,2007,2016,2018
+./lib/dns/include/dns/zoneverify.h		C	2018
 ./lib/dns/include/dns/zt.h			C	1999,2000,2001,2002,2004,2005,2006,2007,2011,2016,2017,2018
 ./lib/dns/include/dst/Makefile.in		MAKE	1998,1999,2000,2001,2004,2007,2012,2015,2016,2018
 ./lib/dns/include/dst/dst.h			C	2000,2001,2002,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018
@@ -3421,6 +3422,7 @@
 ./lib/dns/zone.c				C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018
 ./lib/dns/zone_p.h				C	2018
 ./lib/dns/zonekey.c				C	2001,2003,2004,2005,2007,2016,2018
+./lib/dns/zoneverify.c				C	2018
 ./lib/dns/zt.c					C	1999,2000,2001,2002,2004,2005,2006,2007,2011,2012,2013,2014,2015,2016,2017,2018
 ./lib/irs/Atffile				X	2016,2018
 ./lib/irs/Kyuafile				X	2017,2018