2349. [func] Provide incremental re-signing support for secure

dynamic zones. [RT #1091]

back out incorrect branch rt1091 and apply correct branch rt1091a.
This commit is contained in:
Mark Andrews 2008-04-02 02:37:42 +00:00
parent 60318da786
commit 3f42cf2f3e
24 changed files with 713 additions and 329 deletions


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: config.c,v 1.84 2008/01/22 23:28:04 tbox Exp $ */
/* $Id: config.c,v 1.85 2008/04/02 02:37:41 marka Exp $ */
/*! \file */
@ -172,6 +172,9 @@ options {\n\
min-refresh-time 300;\n\
multi-master no;\n\
sig-validity-interval 30; /* days */\n\
sig-signing-nodes 100;\n\
sig-signing-signatures 10;\n\
sig-signing-type 65535;\n\
zone-statistics false;\n\
max-journal-size unlimited;\n\
ixfr-from-differences false;\n\
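Review bot: The new default `sig-signing-type 65535;` lands on type code 0xFFFF, which the RR TYPE registry (RFC 2929 §3.1, if I recall the table correctly) lists as Reserved, while 0xFF00–0xFFFE is the Private Use range the ARM text in this commit says the option is meant to draw from; check_zoneconf in check.c accepts `[0xff00..0xffff]`, so the default passes but sits on a code that a future standards action could assign. If the intent is a private-use marker type, `sig-signing-type 65534;` keeps the apex records inside that range; otherwise a comment on the default naming the registry range it was chosen from would stop the question coming up again.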


@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: named.conf.docbook,v 1.36 2008/01/02 23:47:01 tbox Exp $ -->
<!-- $Id: named.conf.docbook,v 1.37 2008/04/02 02:37:41 marka Exp $ -->
<refentry>
<refentryinfo>
<date>Aug 13, 2004</date>
@ -316,7 +316,12 @@ options {
max-refresh-time <replaceable>integer</replaceable>;
min-refresh-time <replaceable>integer</replaceable>;
multi-master <replaceable>boolean</replaceable>;
sig-validity-interval <replaceable>integer</replaceable>;
sig-re-signing-interval <replaceable>integer</replaceable>;
sig-signing-nodes <replaceable>integer</replaceable>;
sig-signing-signatures <replaceable>integer</replaceable>;
sig-signing-type <replaceable>integer</replaceable>;
transfer-source ( <replaceable>ipv4_address</replaceable> | * )
<optional> port ( <replaceable>integer</replaceable> | * ) </optional>;


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: update.c,v 1.144 2008/04/01 23:47:10 tbox Exp $ */
/* $Id: update.c,v 1.145 2008/04/02 02:37:41 marka Exp $ */
#include <config.h>
@ -322,6 +322,7 @@ do_one_tuple(dns_difftuple_t **tuple, dns_db_t *db, dns_dbversion_t *ver,
* Create a singleton diff.
*/
dns_diff_init(diff->mctx, &temp_diff);
temp_diff.resign = diff->resign;
ISC_LIST_APPEND(temp_diff.tuples, *tuple, link);
/*
@ -1842,8 +1843,6 @@ del_keysigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
dns_rdata_rrsig_t rrsig;
isc_boolean_t found;
fprintf(stderr, "del_keysigs\n");
dns_rdataset_init(&rdataset);
result = dns_db_findnode(db, name, ISC_FALSE, &node);
@ -1944,6 +1943,7 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
dns_diff_init(client->mctx, &affected);
dns_diff_init(client->mctx, &sig_diff);
sig_diff.resign = dns_zone_getsigresigninginterval(zone);
dns_diff_init(client->mctx, &nsec_diff);
dns_diff_init(client->mctx, &nsec_mindiff);
@ -2037,7 +2037,6 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
* Special case changes to the zone's DNSKEY records
* to support offline KSKs.
*/
fprintf(stderr, "delete signatures %u\n", type);
if (type == dns_rdatatype_dnskey)
del_keysigs(db, newver, name, &sig_diff,
zone_keys, nkeys);
@ -2547,7 +2546,7 @@ check_mx(ns_client_t *client, dns_zone_t *zone,
static isc_result_t
add_signing_records(dns_db_t *db, dns_name_t *name, dns_dbversion_t *ver,
dns_diff_t *diff)
dns_rdatatype_t privatetype, dns_diff_t *diff)
{
isc_result_t result = ISC_R_SUCCESS;
dns_difftuple_t *tuple, *newtuple = NULL;
@ -2579,7 +2578,7 @@ add_signing_records(dns_db_t *db, dns_name_t *name, dns_dbversion_t *ver,
buf[3] = 0;
rdata.data = buf;
rdata.length = sizeof(buf);
rdata.type = 0xFFFF; /* XXXMPA make user settable */
rdata.type = privatetype;
rdata.rdclass = tuple->rdata.rdclass;
CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, name,
@ -2812,18 +2811,17 @@ update_action(isc_task_t *task, isc_event_t *event) {
* "Unlike traditional dynamic update, the client
* is forbidden from updating NSEC records."
*/
if (dns_db_isdnssec(db)) {
if (dns_db_issecure(db)) {
if (rdata.type == dns_rdatatype_nsec) {
FAILC(DNS_R_REFUSED,
"explicit NSEC updates are not allowed "
"in secure zones");
}
else if (rdata.type == dns_rdatatype_rrsig &&
!dns_name_equal(name, zonename)) {
} else if (rdata.type == dns_rdatatype_rrsig &&
!dns_name_equal(name, zonename)) {
FAILC(DNS_R_REFUSED,
"explicit RRSIG updates are currently "
"not supported in secure zones except "
"at the apex.");
"at the apex");
}
}
@ -3113,7 +3111,9 @@ update_action(isc_task_t *task, isc_event_t *event) {
CHECK(remove_orphaned_ds(db, ver, &diff));
CHECK(add_signing_records(db, zonename, ver, &diff));
CHECK(add_signing_records(db, zonename, ver,
dns_zone_getprivatetype(zone),
&diff));
CHECK(rrset_exists(db, ver, zonename, dns_rdatatype_dnskey,
0, &has_dnskey));
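Review bot: `add_signing_records` now takes the zone's configured private type and stores it straight into `rdata.type` (seventh hunk), but neither the helper nor the call site in the last hunk states the contract that the value has already been range-checked; the only guard visible in this commit is check.c's `0xff00..0xffff` test in check_zoneconf, so the assumption should be written down where it is relied on, e.g. on the signature: `/* 'privatetype' is the zone's sig-signing-type, a private-use RR type already range-checked by check_zoneconf(); the signing-state records created here use it. */`. Separately, the `dns_db_isdnssec` → `dns_db_issecure` switch in the fifth hunk changes which zones refuse explicit NSEC/RRSIG updates, and a one-line comment on why the secure-zone predicate is the right one would help the next reader. `update_action` and `add_signing_records` both extend beyond the hunks shown.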


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: zoneconf.c,v 1.142 2008/01/18 23:46:57 tbox Exp $ */
/* $Id: zoneconf.c,v 1.143 2008/04/02 02:37:41 marka Exp $ */
/*% */
@ -365,6 +365,7 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
isc_boolean_t warn = ISC_FALSE, ignore = ISC_FALSE;
isc_boolean_t ixfrdiff;
dns_masterformat_t masterformat;
int seconds;
i = 0;
if (zconfig != NULL) {
@ -665,8 +666,26 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
obj = NULL;
result = ns_config_get(maps, "sig-validity-interval", &obj);
INSIST(result == ISC_R_SUCCESS);
dns_zone_setsigvalidityinterval(zone,
cfg_obj_asuint32(obj) * 86400);
{
const cfg_obj_t *validity, *resign;
validity = cfg_tuple_get(obj, "validity");
seconds = cfg_obj_asuint32(validity) * 86400;
dns_zone_setsigvalidityinterval(zone, seconds);
resign = cfg_tuple_get(obj, "re-sign");
if (cfg_obj_isvoid(resign)) {
seconds /= 4;
} else {
if (seconds > 7 * 86400)
seconds = cfg_obj_asuint32(resign) *
86400;
else
seconds = cfg_obj_asuint32(resign) *
3600;
}
dns_zone_setsigresigninginterval(zone, seconds);
}
obj = NULL;
result = ns_config_get(maps, "key-directory", &obj);
@ -681,6 +700,39 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
RETERR(dns_zone_setkeydirectory(zone, filename));
}
obj = NULL;
result = ns_config_get(maps, "sig-signing-signatures", &obj);
INSIST(result == ISC_R_SUCCESS);
dns_zone_setsignatures(zone, cfg_obj_asuint32(obj));
obj = NULL;
result = ns_config_get(maps, "sig-signing-nodes", &obj);
INSIST(result == ISC_R_SUCCESS);
dns_zone_setnodes(zone, cfg_obj_asuint32(obj));
obj = NULL;
result = ns_config_get(maps, "sig-signing-type", &obj);
INSIST(result == ISC_R_SUCCESS);
dns_zone_setprivatetype(zone, cfg_obj_asuint32(obj));
obj = NULL;
result = ns_config_get(maps, "update-check-ksk", &obj);
INSIST(result == ISC_R_SUCCESS);
dns_zone_setoption(zone, DNS_ZONEOPT_UPDATECHECKKSK,
cfg_obj_asboolean(obj));
} else if (ztype == dns_zone_slave) {
RETERR(configure_zone_acl(zconfig, vconfig, config,
"allow-update-forwarding", ac, zone,
dns_zone_setforwardacl,
dns_zone_clearforwardacl));
}
/*%
* Primary master functionality.
*/
if (ztype == dns_zone_master) {
obj = NULL;
result = ns_config_get(maps, "check-wildcard", &obj);
if (result == ISC_R_SUCCESS)
@ -739,59 +791,6 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
INSIST(0);
dns_zone_setoption(zone, DNS_ZONEOPT_WARNSRVCNAME, warn);
dns_zone_setoption(zone, DNS_ZONEOPT_IGNORESRVCNAME, ignore);
obj = NULL;
result = ns_config_get(maps, "update-check-ksk", &obj);
INSIST(result == ISC_R_SUCCESS);
dns_zone_setoption(zone, DNS_ZONEOPT_UPDATECHECKKSK,
cfg_obj_asboolean(obj));
}
/*
* Configure update-related options. These apply to
* primary masters only.
*/
if (ztype == dns_zone_master) {
dns_acl_t *updateacl;
RETERR(configure_zone_acl(zconfig, vconfig, config,
"allow-update", ac, zone,
dns_zone_setupdateacl,
dns_zone_clearupdateacl));
updateacl = dns_zone_getupdateacl(zone);
if (updateacl != NULL && dns_acl_isinsecure(updateacl))
isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
"zone '%s' allows updates by IP "
"address, which is insecure",
zname);
RETERR(configure_zone_ssutable(zoptions, zone));
obj = NULL;
result = ns_config_get(maps, "sig-validity-interval", &obj);
INSIST(result == ISC_R_SUCCESS);
dns_zone_setsigvalidityinterval(zone,
cfg_obj_asuint32(obj) * 86400);
obj = NULL;
result = ns_config_get(maps, "key-directory", &obj);
if (result == ISC_R_SUCCESS) {
filename = cfg_obj_asstring(obj);
if (!isc_file_isabsolute(filename)) {
cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR,
"key-directory '%s' "
"is not absolute", filename);
return (ISC_R_FAILURE);
}
RETERR(dns_zone_setkeydirectory(zone, filename));
}
} else if (ztype == dns_zone_slave) {
RETERR(configure_zone_acl(zconfig, vconfig, config,
"allow-update-forwarding", ac, zone,
dns_zone_setforwardacl,
dns_zone_clearforwardacl));
}
/*
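Review bot: `int seconds` (second hunk) receives `cfg_obj_asuint32(validity) * 86400` and is then passed to `dns_zone_setsigvalidityinterval` and `dns_zone_setsigresigninginterval`, whose parameters are `isc_uint32_t` per the zone.h change in this commit; the unsigned→signed→unsigned round trip is harmless for the 1..3660-day range check.c enforces (assuming that check also covers per-zone settings), but the declaration should match the API, `isc_uint32_t seconds;`, so a later relaxation of the range cannot make the `seconds > 7 * 86400` test misbehave on a negative value. The days-versus-hours threshold here mirrors check.c's `validity > 7`; a comment tying the two together would keep them from drifting, e.g. `/* re-sign is in days when validity > 7 days, else in hours; keep in step with check_options() */`. `ns_zone_configure` starts and ends outside the hunks shown.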


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: nsupdate.c,v 1.158 2008/04/01 01:37:24 marka Exp $ */
/* $Id: nsupdate.c,v 1.159 2008/04/02 02:37:41 marka Exp $ */
/*! \file */
@ -1126,8 +1126,7 @@ make_prereq(char *cmdline, isc_boolean_t ispositive, isc_boolean_t isrrset) {
result = dns_message_gettemprdata(updatemsg, &rdata);
check_result(result, "dns_message_gettemprdata");
rdata->data = NULL;
rdata->length = 0;
dns_rdata_init(rdata);
if (isrrset && ispositive) {
retval = parse_rdata(&cmdline, rdataclass, rdatatype,
@ -1446,10 +1445,7 @@ update_addordelete(char *cmdline, isc_boolean_t isdelete) {
result = dns_message_gettemprdata(updatemsg, &rdata);
check_result(result, "dns_message_gettemprdata");
rdata->rdclass = 0;
rdata->type = 0;
rdata->data = NULL;
rdata->length = 0;
dns_rdata_init(rdata);
/*
* If this is an add, read the TTL and verify that it's in range.


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: lwtest.c,v 1.31 2008/01/14 23:46:56 tbox Exp $ */
/* $Id: lwtest.c,v 1.32 2008/04/02 02:37:42 marka Exp $ */
#include <config.h>
@ -764,7 +764,7 @@ main(void) {
test_getrrsetbyname("a.example1.", 1, 1, 1, 0, 1);
test_getrrsetbyname("e.example1.", 1, 1, 1, 1, 1);
test_getrrsetbyname("e.example1.", 1, 255, 1, 1, 0);
test_getrrsetbyname("e.example1.", 1, 46, 1, 0, 1);
test_getrrsetbyname("e.example1.", 1, 46, 2, 0, 1);
test_getrrsetbyname("", 1, 1, 0, 0, 0);
if (fails == 0)
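Review bot: The edited `test_getrrsetbyname("e.example1.", 1, 46, 2, 0, 1);` changes an expected value from 1 to 2 with nothing saying which argument it is or why it moved; since this commit turns `e.example1.` into a separately signed zone (`e.example1.db`, written by dnssec_signzone), a comment would save the next person re-deriving it, e.g. `/* type 46 = RRSIG; e.example1. is now its own signed zone */`. I cannot tell from the hunk which positional argument carries the count, so the wording should be checked against test_getrrsetbyname's signature. `main` continues outside the hunk.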


@ -0,0 +1,54 @@
; File written on Wed Mar 5 10:20:40 2008
; dnssec_signzone version 9.3.4-P1
e.example1. 300 IN SOA mname1. . (
2002082210 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
300 RRSIG SOA 5 2 300 20010101000000 (
20000101000000 14043 e.example1.
KtYwrnKM7Tu53BNf8XuTix53r9kDdCneJ1X7
xklFbp4YjRKC3NhwVK9PFe0jdHOkIDMtrwxn
n7/Rp07xIyURqw== )
300 NS ns.e.example1.
300 RRSIG NS 5 2 300 20010101000000 (
20000101000000 14043 e.example1.
KBPx3XmNl4swVPdwuUEFuzZedMSfsyK2a0Fu
o2wBnbCuS7G7DtfW9690lP/eTyixLOIwlFLQ
MrjN3+XgpkdgIw== )
300 A 10.0.1.1
300 RRSIG A 5 2 300 20010101000000 (
20000101000000 14043 e.example1.
KYlxMQUvv8DQtVgS23lNL5tFYmRppJ7vTgH3
btvgKbyHxW/04ewRsgCa82iu3iJipdEhKM11
ALkRNhqL7frnig== )
3600 NSEC ns.e.example1. A NS SOA RRSIG NSEC DNSKEY
3600 RRSIG NSEC 5 2 3600 20010101000000 (
20000101000000 14043 e.example1.
azSgagb7bldM06qSZg8nDZWOY2FbqeZY0/T8
nC+6VhCs7YTfNvXynLWmvmpqL7gVT6/O+Yi2
2lmdntld7GORrQ== )
300 DNSKEY 256 3 5 (
AwEAAcvAUMfH7wA0z077fJaF7RMrxAFyvo0/
7aAL4d2/yA5TqTaUCVnJtE+XgGO34kH9mwae
we+Nyv2kRWDeLl6nhGk=
) ; key id = 14043
300 RRSIG DNSKEY 5 2 300 20010101000000 (
20000101000000 14043 e.example1.
BQFWOHopXuBNdzcopkdl1YVKGF0QvIaYpywM
fcpG5gi+sy9EoTofQ1UGsLOjU3nFXCvJFG4K
1gUhzEEti440/g== )
ns.e.example1. 300 IN A 10.53.0.1
300 RRSIG A 5 3 300 20010101000000 (
20000101000000 14043 e.example1.
cYPzsWNQ/eL4h2lihKRjKT2jhGpOqV9woGJA
/Jstx2iethOAvYtgY22CsAbCUr/6E4bSgBZR
TMoC604cNdFzIw== )
3600 NSEC e.example1. A RRSIG NSEC
3600 RRSIG NSEC 5 3 3600 20010101000000 (
20000101000000 14043 e.example1.
J8Md544zDLP4GjyAtkjH/rSFvpzXY/7bgJRS
YDoARwFQRmlrJvavXEjqElb2fTQqlNNz1cal
QROz/WJ3GLwOWw== )


@ -13,7 +13,7 @@
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: example1.db,v 1.17 2007/06/19 23:47:04 tbox Exp $
; $Id: example1.db,v 1.18 2008/04/02 02:37:42 marka Exp $
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
@ -32,7 +32,4 @@ a3 CNAME nowhere
b AAAA eeee:eeee:eeee:eeee:ffff:ffff:ffff:ffff
8.8.7.7 DNAME net
0.0.f.f.e.e.d.d.c.c.b.b.a.a.9.9.net PTR dname
e A 10.0.1.1
RRSIG A 1 1 300 20001202003412 (
20001102003412 1 example. abcd )
e NS ns.e


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named.conf,v 1.19 2007/06/19 23:47:04 tbox Exp $ */
/* $Id: named.conf,v 1.20 2008/04/02 02:37:42 marka Exp $ */
controls { /* empty */ };
@ -43,6 +43,11 @@ zone "example1." {
file "example1.db";
};
zone "e.example1." {
type master;
file "e.example1.db";
};
zone "example2." {
type master;
file "example2.db";


@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- File: $Id: Bv9ARM-book.xml,v 1.347 2008/03/31 14:42:50 fdupont Exp $ -->
<!-- File: $Id: Bv9ARM-book.xml,v 1.348 2008/04/02 02:37:42 marka Exp $ -->
<book xmlns:xi="http://www.w3.org/2001/XInclude">
<title>BIND 9 Administrator Reference Manual</title>
@ -4553,6 +4553,10 @@ category notify { null; };
<optional> max-ncache-ttl <replaceable>number</replaceable>; </optional>
<optional> max-cache-ttl <replaceable>number</replaceable>; </optional>
<optional> sig-validity-interval <replaceable>number</replaceable> ; </optional>
<optional> sig-re-signing-interval <replaceable>number</replaceable> ; </optional>
<optional> sig-signing-nodes <replaceable>number</replaceable> ; </optional>
<optional> sig-signing-signatures <replaceable>number</replaceable> ; </optional>
<optional> sig-signing-type <replaceable>number</replaceable> ; </optional>
<optional> min-roots <replaceable>number</replaceable>; </optional>
<optional> use-ixfr <replaceable>yes_or_no</replaceable> ; </optional>
<optional> provide-ixfr <replaceable>yes_or_no</replaceable>; </optional>
@ -7256,22 +7260,76 @@ query-source-v6 address * port *;
</listitem>
</varlistentry>
<varlistentry>
<term><command>sig-validity-interval</command></term>
<listitem>
<para>
Specifies the number of days into the
future when DNSSEC signatures automatically generated as a
result
of dynamic updates (<xref linkend="dynamic_update"/>)
will expire. The default is <literal>30</literal> days.
The maximum value is 10 years (3660 days). The signature
inception time is unconditionally set to one hour before the
current time
to allow for a limited amount of clock skew.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>sig-validity-interval</command></term>
<listitem>
<para>
Specifies the number of days into the future when
DNSSEC signatures automatically generated as a
result of dynamic updates (<xref
linkend="dynamic_update"/>) will expire. There
is a optional second field which specifies how
long before expiry that the signatures will be
regenerated. If not specified the signatures will
be regenerated at 1/4 of base interval. The second
field is specified in days if the base interval is
greater than 7 days otherwise it is specified in hours.
The default base interval is <literal>30</literal> days
giving a re-signing interval of 7 1/2 days . The maximum
values are 10 years (3660 days).
</para>
<para>
The signature inception time is unconditionally
set to one hour before the current time to allow
for a limited amount of clock skew.
</para>
<para>
The <command>sig-validity-interval</command>
should be, at least, several multiples of the SOA
expire interval to allow for reasonable interaction
between the various timer and expiry dates.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>sig-signing-nodes</command></term>
<listitem>
<para>
Specify the number of maximum number nodes to be
examined in each quantum when signing a zone with
a new DNSKEY. The default is
<literal>100</literal>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>sig-signing-signatures</command></term>
<listitem>
<para>
Specify a threshold number of signatures that
will terminate processing a quantum when signing
a zone with a new DNSKEY. The default is
<literal>10</literal>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>sig-signing-type</command></term>
<listitem>
<para>
Specify a private rdata type to be used when generating
key signing records. The default is
<literal>65535</literal>.
</para>
<para>
It is expected that this parameter may be removed
in a future version once there is a standard type.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>min-refresh-time</command></term>
@ -8384,6 +8442,10 @@ view "external" {
<optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
<optional> zone-statistics <replaceable>yes_or_no</replaceable> ; </optional>
<optional> sig-validity-interval <replaceable>number</replaceable> ; </optional>
<optional> sig-re-signing-interval <replaceable>number</replaceable> ; </optional>
<optional> sig-signing-nodes <replaceable>number</replaceable> ; </optional>
<optional> sig-signing-signatures <replaceable>number</replaceable> ; </optional>
<optional> sig-signing-type <replaceable>number</replaceable> ; </optional>
<optional> database <replaceable>string</replaceable> ; </optional>
<optional> min-refresh-time <replaceable>number</replaceable> ; </optional>
<optional> max-refresh-time <replaceable>number</replaceable> ; </optional>
@ -9131,6 +9193,46 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
</listitem>
</varlistentry>
<varlistentry>
<term><command>sig-re-signing-interval</command></term>
<listitem>
<para>
See the description of
<command>sig-re-signing-interval</command> in <xref linkend="tuning"/>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>sig-signing-nodes</command></term>
<listitem>
<para>
See the description of
<command>sig-signing-nodes</command> in <xref linkend="tuning"/>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>sig-signing-signatures</command></term>
<listitem>
<para>
See the description of
<command>sig-signing-signatures</command> in <xref linkend="tuning"/>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>sig-signing-type</command></term>
<listitem>
<para>
See the description of
<command>sig-signing-type</command> in <xref linkend="tuning"/>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>transfer-source</command></term>
<listitem>


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: check.c,v 1.90 2008/04/01 01:37:24 marka Exp $ */
/* $Id: check.c,v 1.91 2008/04/02 02:37:42 marka Exp $ */
/*! \file */
@ -508,6 +508,7 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) {
isc_result_t tresult;
unsigned int i;
const cfg_obj_t *obj = NULL;
const cfg_obj_t *resignobj = NULL;
const cfg_listelt_t *element;
isc_symtab_t *symtab = NULL;
dns_fixedname_t fixed;
@ -523,7 +524,6 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) {
{ "max-transfer-idle-out", 60, 28 * 24 * 60 }, /* 28 days */
{ "max-transfer-time-in", 60, 28 * 24 * 60 }, /* 28 days */
{ "max-transfer-time-out", 60, 28 * 24 * 60 }, /* 28 days */
{ "sig-validity-interval", 86400, 10 * 366 }, /* 10 years */
{ "statistics-interval", 60, 28 * 24 * 60 }, /* 28 days */
};
@ -551,6 +551,43 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) {
result = ISC_R_RANGE;
}
}
obj = NULL;
cfg_map_get(options, "sig-validity-interval", &obj);
if (obj != NULL) {
isc_uint32_t validity, resign = 0;
validity = cfg_obj_asuint32(cfg_tuple_get(obj, "validity"));
resignobj = cfg_tuple_get(obj, "re-sign");
if (!cfg_obj_isvoid(resignobj))
resign = cfg_obj_asuint32(resignobj);
if (validity > 3660 || validity == 0) { /* 10 years */
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"%s '%u' is out of range (1..3660)",
"sig-validity-interval", validity);
result = ISC_R_RANGE;
}
if (!cfg_obj_isvoid(resignobj)) {
if (resign > 3660 || resign == 0) { /* 10 years */
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"%s '%u' is out of range (1..3660)",
"sig-validity-interval (re-sign)",
validity);
result = ISC_R_RANGE;
} else if ((validity > 7 && validity < resign) ||
(validity <= 7 && validity * 24 < resign)) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"validity interval (%u days) "
"less than re-signing interval "
"(%u %s)", validity, resign,
(validity > 7) ? "days" : "hours");
result = ISC_R_RANGE;
}
}
}
obj = NULL;
(void)cfg_map_get(options, "preferred-glue", &obj);
if (obj != NULL) {
@ -563,6 +600,7 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) {
"preferred-glue unexpected value '%s'",
str);
}
obj = NULL;
(void)cfg_map_get(options, "root-delegation-only", &obj);
if (obj != NULL) {
@ -654,7 +692,6 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) {
if (tresult != ISC_R_SUCCESS &&
result == ISC_R_SUCCESS)
result = tresult;
goto trust_anchor;
}
/*
* XXXMPA to be removed when multiple lookaside
@ -667,7 +704,6 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) {
if (result == ISC_R_SUCCESS)
result = ISC_R_FAILURE;
}
trust_anchor:
dlv = cfg_obj_asstring(cfg_tuple_get(obj,
"trust-anchor"));
isc_buffer_init(&b, dlv, strlen(dlv));
@ -1018,6 +1054,10 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
{ "max-refresh-time", SLAVEZONE | STUBZONE },
{ "min-refresh-time", SLAVEZONE | STUBZONE },
{ "sig-validity-interval", MASTERZONE },
{ "sig-re-signing-interval", MASTERZONE },
{ "sig-signing-nodes", MASTERZONE },
{ "sig-signing-type", MASTERZONE },
{ "sig-signing-signatures", MASTERZONE },
{ "zone-statistics", MASTERZONE | SLAVEZONE | STUBZONE },
{ "allow-update", MASTERZONE | CHECKACL },
{ "allow-update-forwarding", SLAVEZONE | CHECKACL },
@ -1208,6 +1248,17 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
} else if (res2 == ISC_R_SUCCESS &&
check_update_policy(obj, logctx) != ISC_R_SUCCESS)
result = ISC_R_FAILURE;
obj = NULL;
res1 = cfg_map_get(zoptions, "sig-signing-type", &obj);
if (res1 == ISC_R_SUCCESS) {
isc_uint32_t type = cfg_obj_asuint32(obj);
if (type < 0xff00U || type > 0xffffU)
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"sig-signing-type: %u out of "
"range [%u..%u]", type,
0xff00U, 0xffffU);
result = ISC_R_FAILURE;
}
}
/*
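Review bot: In the last hunk (check_zoneconf) the `if (type < 0xff00U || type > 0xffffU)` test has no braces, so only the `cfg_obj_log` call is conditional and `result = ISC_R_FAILURE;` runs for every zone that sets `sig-signing-type`, in-range values included; wrap both statements: `if (type < 0xff00U || type > 0xffffU) {` … `result = ISC_R_FAILURE;` `}`. In the third hunk the out-of-range message for the re-sign field passes `validity` as its `%u` argument although `resign` is the value being rejected; it should read `"sig-validity-interval (re-sign)", resign);`. `check_options` and `check_zoneconf` both extend beyond the hunks shown.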


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: diff.c,v 1.16 2008/04/01 23:47:10 tbox Exp $ */
/* $Id: diff.c,v 1.17 2008/04/02 02:37:42 marka Exp $ */
/*! \file */
@ -121,6 +121,7 @@ dns_difftuple_copy(dns_difftuple_t *orig, dns_difftuple_t **copyp) {
void
dns_diff_init(isc_mem_t *mctx, dns_diff_t *diff) {
diff->mctx = mctx;
diff->resign = 0;
ISC_LIST_INIT(diff->tuples);
diff->magic = DNS_DIFF_MAGIC;
}
@ -194,23 +195,20 @@ dns_diff_appendminimal(dns_diff_t *diff, dns_difftuple_t **tuplep)
}
static isc_stdtime_t
setresign(dns_rdataset_t *modified, dns_diffop_t op) {
setresign(dns_rdataset_t *modified, isc_uint32_t delta) {
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdata_rrsig_t sig;
isc_stdtime_t when;
unsigned int delta;
isc_result_t result;
result = dns_rdataset_first(modified);
INSIST(result == ISC_R_SUCCESS);
dns_rdataset_current(modified, &rdata);
(void)dns_rdata_tostruct(&rdata, &sig, NULL);
if ((rdata.flags & DNS_RDATA_OFFLINE) != 0) {
if ((rdata.flags & DNS_RDATA_OFFLINE) != 0)
when = 0;
} else {
delta = (sig.timeexpire - sig.timesigned) * 3 / 4;
when = sig.timesigned + delta;
}
else
when = sig.timeexpire - delta;
dns_rdata_reset(&rdata);
result = dns_rdataset_next(modified);
@ -220,22 +218,13 @@ setresign(dns_rdataset_t *modified, dns_diffop_t op) {
if ((rdata.flags & DNS_RDATA_OFFLINE) != 0) {
goto next_rr;
}
delta = (sig.timeexpire - sig.timesigned)* 3 / 4;
switch (op) {
case DNS_DIFFOP_ADDRESIGN:
case DNS_DIFFOP_DELRESIGN:
if (when == 0 || sig.timesigned + delta < when)
when = sig.timesigned + delta;
break;
default:
INSIST(0);
}
if (when == 0 || sig.timeexpire - delta < when)
when = sig.timeexpire - delta;
next_rr:
dns_rdata_reset(&rdata);
result = dns_rdataset_next(modified);
}
INSIST(result == ISC_R_NOMORE);
fprintf(stderr, "setresign %u %u\n", modified->covers, when);
return (when);
}
@ -327,10 +316,8 @@ diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver,
namebuf, typebuf, classbuf,
(unsigned long) t->ttl,
(unsigned long) rdl.ttl);
if (t->rdata.flags &DNS_RDATA_OFFLINE) {
fprintf(stderr, "diff_apply offline\n");
if (t->rdata.flags & DNS_RDATA_OFFLINE)
offline = ISC_TRUE;
}
ISC_LIST_APPEND(rdl.rdata, &t->rdata, link);
t = ISC_LIST_NEXT(t, link);
}
@ -379,7 +366,8 @@ diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver,
if (result == ISC_R_SUCCESS) {
if (modified != NULL) {
isc_stdtime_t resign;
resign = setresign(modified, op);
resign = setresign(modified,
diff->resign);
dns_db_setsigningtime(db, modified,
resign);
}
@ -409,8 +397,6 @@ diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver,
if (modified != NULL &&
dns_rdataset_isassociated(modified))
dns_rdataset_disassociate(modified);
if (offline)
fprintf(stderr, "end offline\n");
}
dns_db_detachnode(db, &node);
}
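Review bot: `setresign` now computes `when = sig.timeexpire - delta` (second hunk, and the same form inside the loop of the third) with no guard on `delta`: both operands are unsigned, so a `delta` larger than `timeexpire` wraps, and the `delta == 0` that `dns_diff_init` installs in the first hunk places the re-sign time exactly at expiry, i.e. a signature is only refreshed once it is already invalid — the compatibility wrappers in master.c in this commit pass `0` as the resign value, so that path looks reachable. Unless 0 is intended to mean "at expiry", clamp to the signature's own lifetime in both places, e.g. `when = (delta < sig.timeexpire - sig.timesigned) ? sig.timeexpire - delta : sig.timesigned;`, or treat 0 as the old three-quarters-of-lifetime rule that this commit removes. A comment on the function saying that `delta` is the zone-wide re-signing interval in seconds (the `sig-validity-interval` second field) would also help, since the per-signature computation is gone.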


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: diff.h,v 1.14 2008/04/01 23:47:10 tbox Exp $ */
/* $Id: diff.h,v 1.15 2008/04/02 02:37:42 marka Exp $ */
#ifndef DNS_DIFF_H
#define DNS_DIFF_H 1
@ -60,7 +60,9 @@
* prerequisite set. In this case, op==DNS_DIFFOP_EXISTS,
* and the TTL is ignored.
*
* DNS_DIFFOP_*RESIGN will cause the 'resign' attribute to be recomputed.
* DNS_DIFFOP_*RESIGN will cause the 'resign' attribute of the resulting
* RRset to be recomputed to be 'resign' seconds before the earliest RRSIG
* timeexpire.
*/
typedef enum {
@ -100,6 +102,11 @@ typedef struct dns_diff dns_diff_t;
struct dns_diff {
unsigned int magic;
isc_mem_t * mctx;
/*
* Set the 'resign' attribute to this many second before the
* earliest RRSIG timeexpire.
*/
isc_uint32_t resign;
ISC_LIST(dns_difftuple_t) tuples;
};
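Review bot: The new field comment in the second hunk reads "this many second before" (should be "seconds"), and neither it nor the DNS_DIFFOP_*RESIGN paragraph says what the 0 that `dns_diff_init` now installs means; with the `timeexpire - resign` computation in diff.c in this commit, 0 puts the re-sign time at expiry itself rather than disabling re-signing. Suggested wording: `/* Set the 'resign' attribute to this many seconds before the earliest RRSIG timeexpire. dns_diff_init() sets it to 0, i.e. at timeexpire; callers normally set the zone's re-signing interval. */`.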


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: master.h,v 1.50 2008/04/01 23:47:10 tbox Exp $ */
/* $Id: master.h,v 1.51 2008/04/02 02:37:42 marka Exp $ */
#ifndef DNS_MASTER_H
#define DNS_MASTER_H 1
@ -114,6 +114,17 @@ dns_master_loadfile2(const char *master_file,
isc_mem_t *mctx,
dns_masterformat_t format);
isc_result_t
dns_master_loadfile3(const char *master_file,
dns_name_t *top,
dns_name_t *origin,
dns_rdataclass_t zclass,
unsigned int options,
isc_uint32_t resign,
dns_rdatacallbacks_t *callbacks,
isc_mem_t *mctx,
dns_masterformat_t format);
isc_result_t
dns_master_loadstream(FILE *stream,
dns_name_t *top,
@ -164,6 +175,19 @@ dns_master_loadfileinc2(const char *master_file,
dns_loadctx_t **ctxp, isc_mem_t *mctx,
dns_masterformat_t format);
isc_result_t
dns_master_loadfileinc3(const char *master_file,
dns_name_t *top,
dns_name_t *origin,
dns_rdataclass_t zclass,
unsigned int options,
isc_uint32_t resign,
dns_rdatacallbacks_t *callbacks,
isc_task_t *task,
dns_loaddonefunc_t done, void *done_arg,
dns_loadctx_t **ctxp, isc_mem_t *mctx,
dns_masterformat_t format);
isc_result_t
dns_master_loadstreaminc(FILE *stream,
dns_name_t *top,
@ -214,6 +238,9 @@ dns_master_loadlexerinc(isc_lex_t *lex,
* is completed or has failed. If the initial setup fails 'done' is
* not called.
*
* 'resign' the number of seconds before a RRSIG expires that it should
* be re-signed. 0 is used if not provided.
*
* Requires:
*\li 'master_file' points to a valid string.
*\li 'lexer' points to a valid lexer.
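Review bot: The `'resign'` paragraph in the last hunk says "0 is used if not provided" without saying what 0 does, and the two-line `dns_master_loadfile`/`dns_master_loadfile2`/`loadfileinc` wrappers in master.c pass exactly that; given the `timeexpire - resign` computation in diff.c (assuming the load context's value ends up there), 0 schedules re-signing at expiry rather than switching it off. Suggest `* 'resign' the number of seconds before a RRSIG expires that it should be re-signed. The pre-existing dns_master_loadfile*() variants pass 0, which places the re-sign time at expiry.` so callers of the old entry points know what they are getting.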


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: rdata.h,v 1.69 2008/04/01 23:47:10 tbox Exp $ */
/* $Id: rdata.h,v 1.70 2008/04/02 02:37:42 marka Exp $ */
#ifndef DNS_RDATA_H
#define DNS_RDATA_H 1
@ -126,11 +126,6 @@ struct dns_rdata {
#define DNS_RDATA_UPDATE 0x0001 /*%< update pseudo record. */
#define DNS_RDATA_OFFLINE 0x0002 /*%< RRSIG has a offline key. */
#define DNS_RDATA_WARNMASK 0x001c /*%< RRSIG(DNSKEY) expired
warnings number mask. */
#define DNS_RDATA_WARNSHIFT 2 /*%< How many bits to shift
to find remaining
expired warning number. */
/*
* Flags affecting rdata formatting style. Flags 0xFFFF0000


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: zone.h,v 1.157 2008/04/02 01:48:32 marka Exp $ */
/* $Id: zone.h,v 1.158 2008/04/02 02:37:42 marka Exp $ */
#ifndef DNS_ZONE_H
#define DNS_ZONE_H 1
@ -1173,7 +1173,7 @@ dns_zone_getmgr(dns_zone_t *zone);
void
dns_zone_setsigvalidityinterval(dns_zone_t *zone, isc_uint32_t interval);
/*%<
* Set the zone's SIG validity interval. This is the length of time
* Set the zone's RRSIG validity interval. This is the length of time
* for which DNSSEC signatures created as a result of dynamic updates
* to secure zones will remain valid, in seconds.
*
@ -1184,7 +1184,26 @@ dns_zone_setsigvalidityinterval(dns_zone_t *zone, isc_uint32_t interval);
isc_uint32_t
dns_zone_getsigvalidityinterval(dns_zone_t *zone);
/*%<
* Get the zone's SIG validity interval.
* Get the zone's RRSIG validity interval.
*
* Requires:
* \li 'zone' to be a valid zone.
*/
void
dns_zone_setsigresigninginterval(dns_zone_t *zone, isc_uint32_t interval);
/*%<
* Set the zone's RRSIG re-signing interval. A dynamic zone's RRSIG's
* will be re-signed 'interval' amount of time before they expire.
*
* Requires:
* \li 'zone' to be a valid zone.
*/
isc_uint32_t
dns_zone_getsigresigninginterval(dns_zone_t *zone);
/*%<
* Get the zone's RRSIG re-signing interval.
*
* Requires:
* \li 'zone' to be a valid zone.
@ -1640,9 +1659,34 @@ dns_zone_setisself(dns_zone_t *zone, dns_isselffunc_t isself, void *arg);
* delivered to 'myview'.
*/
void
dns_zone_setnodes(dns_zone_t *zone, isc_uint32_t nodes);
/*
* Set the number of nodes that will be checked per quantum.
*/
void
dns_zone_setsignatures(dns_zone_t *zone, isc_uint32_t signatures);
/*
* Set the number of signatures that will be generated per quantum.
*/
isc_result_t
dns_zone_signwithkey(dns_zone_t *zone, dns_secalg_t algorithm,
isc_uint16_t keyid);
isc_uint16_t keyid);
/*
* Initiate/resume signing of the entire zone with the zone DNSKEY(s)
* that match the given algorithm and keyid.
*/
void
dns_zone_setprivatetype(dns_zone_t *zone, dns_rdatatype_t type);
dns_rdatatype_t
dns_zone_getprivatetype(dns_zone_t *zone);
/*
* Get/Set the private record type. It is expected that these interfaces
* will not be permanent.
*/
#ifdef HAVE_LIBXML2
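Review bot: The comment blocks added for `dns_zone_setnodes`, `dns_zone_setsignatures`, `dns_zone_signwithkey` and `dns_zone_setprivatetype`/`dns_zone_getprivatetype` (last hunk) use a plain `/*` and omit the `Requires:` clause, while the `dns_zone_setsigresigninginterval` block added in the same commit follows the file's `/*%<` doxygen form with `\li 'zone' to be a valid zone.`; the new blocks should match so they appear in the generated API docs. For example: `/*%<` `* Set the number of nodes that will be checked per quantum.` `*` `* Requires:` `* \li 'zone' to be a valid zone.` `*/`. `dns_zone_setnodes` and `dns_zone_setsignatures` also get no getter here, unlike the other new setters — fine if none is needed, but worth confirming against the zone.c side of this change, which is not in view.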


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: master.c,v 1.170 2008/04/01 01:37:24 marka Exp $ */
/* $Id: master.c,v 1.171 2008/04/02 02:37:42 marka Exp $ */
/*! \file */
@ -139,6 +139,7 @@ struct dns_loadctx {
/* locked by lock */
isc_uint32_t references;
dns_incctx_t *inc;
isc_uint32_t resign;
};
struct dns_incctx {
@ -503,7 +504,7 @@ incctx_create(isc_mem_t *mctx, dns_name_t *origin, dns_incctx_t **ictxp) {
static isc_result_t
loadctx_create(dns_masterformat_t format, isc_mem_t *mctx,
unsigned int options, dns_name_t *top,
unsigned int options, isc_uint32_t resign, dns_name_t *top,
dns_rdataclass_t zclass, dns_name_t *origin,
dns_rdatacallbacks_t *callbacks, isc_task_t *task,
dns_loaddonefunc_t done, void *done_arg, isc_lex_t *lex,
@ -580,6 +581,7 @@ loadctx_create(dns_masterformat_t format, isc_mem_t *mctx,
lctx->options = options;
lctx->seen_include = ISC_FALSE;
lctx->zclass = zclass;
lctx->resign = resign;
lctx->result = ISC_R_SUCCESS;
dns_fixedname_init(&lctx->fixed_top);
@ -2323,8 +2325,8 @@ dns_master_loadfile(const char *master_file, dns_name_t *top,
dns_rdataclass_t zclass, unsigned int options,
dns_rdatacallbacks_t *callbacks, isc_mem_t *mctx)
{
return (dns_master_loadfile2(master_file, top, origin, zclass, options,
callbacks, mctx, dns_masterformat_text));
return (dns_master_loadfile3(master_file, top, origin, zclass, options,
0, callbacks, mctx, dns_masterformat_text));
}
isc_result_t
@ -2333,12 +2335,24 @@ dns_master_loadfile2(const char *master_file, dns_name_t *top,
dns_rdataclass_t zclass, unsigned int options,
dns_rdatacallbacks_t *callbacks, isc_mem_t *mctx,
dns_masterformat_t format)
{
return (dns_master_loadfile3(master_file, top, origin, zclass, options,
0, callbacks, mctx, format));
}
isc_result_t
dns_master_loadfile3(const char *master_file, dns_name_t *top,
dns_name_t *origin, dns_rdataclass_t zclass,
unsigned int options, isc_uint32_t resign,
dns_rdatacallbacks_t *callbacks, isc_mem_t *mctx,
dns_masterformat_t format)
{
dns_loadctx_t *lctx = NULL;
isc_result_t result;
result = loadctx_create(format, mctx, options, top, zclass, origin,
callbacks, NULL, NULL, NULL, NULL, &lctx);
result = loadctx_create(format, mctx, options, resign, top, zclass,
origin, callbacks, NULL, NULL, NULL, NULL,
&lctx);
if (result != ISC_R_SUCCESS)
return (result);
@ -2361,8 +2375,8 @@ dns_master_loadfileinc(const char *master_file, dns_name_t *top,
isc_task_t *task, dns_loaddonefunc_t done,
void *done_arg, dns_loadctx_t **lctxp, isc_mem_t *mctx)
{
return (dns_master_loadfileinc2(master_file, top, origin, zclass,
options, callbacks, task, done,
return (dns_master_loadfileinc3(master_file, top, origin, zclass,
options, 0, callbacks, task, done,
done_arg, lctxp, mctx,
dns_masterformat_text));
}
@ -2374,6 +2388,20 @@ dns_master_loadfileinc2(const char *master_file, dns_name_t *top,
isc_task_t *task, dns_loaddonefunc_t done,
void *done_arg, dns_loadctx_t **lctxp, isc_mem_t *mctx,
dns_masterformat_t format)
{
return (dns_master_loadfileinc3(master_file, top, origin, zclass,
options, 0, callbacks, task, done,
done_arg, lctxp, mctx, format));
}
isc_result_t
dns_master_loadfileinc3(const char *master_file, dns_name_t *top,
dns_name_t *origin, dns_rdataclass_t zclass,
unsigned int options, isc_uint32_t resign,
dns_rdatacallbacks_t *callbacks, isc_task_t *task,
dns_loaddonefunc_t done, void *done_arg,
dns_loadctx_t **lctxp, isc_mem_t *mctx,
dns_masterformat_t format)
{
dns_loadctx_t *lctx = NULL;
isc_result_t result;
@ -2381,8 +2409,9 @@ dns_master_loadfileinc2(const char *master_file, dns_name_t *top,
REQUIRE(task != NULL);
REQUIRE(done != NULL);
result = loadctx_create(format, mctx, options, top, zclass, origin,
callbacks, task, done, done_arg, NULL, &lctx);
result = loadctx_create(format, mctx, options, resign, top, zclass,
origin, callbacks, task, done, done_arg, NULL,
&lctx);
if (result != ISC_R_SUCCESS)
return (result);
@ -2411,7 +2440,7 @@ dns_master_loadstream(FILE *stream, dns_name_t *top, dns_name_t *origin,
REQUIRE(stream != NULL);
result = loadctx_create(dns_masterformat_text, mctx, options, top,
result = loadctx_create(dns_masterformat_text, mctx, options, 0, top,
zclass, origin, callbacks, NULL, NULL, NULL,
NULL, &lctx);
if (result != ISC_R_SUCCESS)
@ -2444,7 +2473,7 @@ dns_master_loadstreaminc(FILE *stream, dns_name_t *top, dns_name_t *origin,
REQUIRE(task != NULL);
REQUIRE(done != NULL);
result = loadctx_create(dns_masterformat_text, mctx, options, top,
result = loadctx_create(dns_masterformat_text, mctx, options, 0, top,
zclass, origin, callbacks, task, done,
done_arg, NULL, &lctx);
if (result != ISC_R_SUCCESS)
@ -2477,7 +2506,7 @@ dns_master_loadbuffer(isc_buffer_t *buffer, dns_name_t *top,
REQUIRE(buffer != NULL);
result = loadctx_create(dns_masterformat_text, mctx, options, top,
result = loadctx_create(dns_masterformat_text, mctx, options, 0, top,
zclass, origin, callbacks, NULL, NULL, NULL,
NULL, &lctx);
if (result != ISC_R_SUCCESS)
@ -2510,7 +2539,7 @@ dns_master_loadbufferinc(isc_buffer_t *buffer, dns_name_t *top,
REQUIRE(task != NULL);
REQUIRE(done != NULL);
result = loadctx_create(dns_masterformat_text, mctx, options, top,
result = loadctx_create(dns_masterformat_text, mctx, options, 0, top,
zclass, origin, callbacks, task, done,
done_arg, NULL, &lctx);
if (result != ISC_R_SUCCESS)
@ -2542,7 +2571,7 @@ dns_master_loadlexer(isc_lex_t *lex, dns_name_t *top,
REQUIRE(lex != NULL);
result = loadctx_create(dns_masterformat_text, mctx, options, top,
result = loadctx_create(dns_masterformat_text, mctx, options, 0, top,
zclass, origin, callbacks, NULL, NULL, NULL,
lex, &lctx);
if (result != ISC_R_SUCCESS)
@ -2570,7 +2599,7 @@ dns_master_loadlexerinc(isc_lex_t *lex, dns_name_t *top,
REQUIRE(task != NULL);
REQUIRE(done != NULL);
result = loadctx_create(dns_masterformat_text, mctx, options, top,
result = loadctx_create(dns_masterformat_text, mctx, options, 0, top,
zclass, origin, callbacks, task, done,
done_arg, lex, &lctx);
if (result != ISC_R_SUCCESS)
@ -2700,23 +2729,21 @@ grow_rdata(int new_len, dns_rdata_t *old, int old_len,
}
static isc_uint32_t
resign_fromlist(dns_rdatalist_t *this) {
resign_fromlist(dns_rdatalist_t *this, isc_uint32_t resign) {
dns_rdata_t *rdata;
dns_rdata_rrsig_t sig;
isc_uint32_t when, delta;
isc_uint32_t when;
rdata = ISC_LIST_HEAD(this->rdata);
INSIST(rdata != NULL);
(void)dns_rdata_tostruct(rdata, &sig, NULL);
delta = (sig.timeexpire - sig.timesigned)* 3 / 4;
when = sig.timesigned + delta;
when = sig.timeexpire - resign;
rdata = ISC_LIST_NEXT(rdata, link);
while (rdata != NULL) {
(void)dns_rdata_tostruct(rdata, &sig, NULL);
delta = (sig.timeexpire - sig.timesigned)* 3 / 4;
if (sig.timesigned + delta < when)
when = sig.timesigned + delta;
if (sig.timeexpire - resign < when)
when = sig.timeexpire - resign;
rdata = ISC_LIST_NEXT(rdata, link);
}
return (when);
@ -2755,7 +2782,7 @@ commit(dns_rdatacallbacks_t *callbacks, dns_loadctx_t *lctx,
(lctx->options & DNS_MASTER_RESIGN) != 0) {
dataset.attributes |= DNS_RDATASETATTR_RESIGN;
dns_name_format(owner, namebuf, sizeof(namebuf));
dataset.resign = resign_fromlist(this);
dataset.resign = resign_fromlist(this, lctx->resign);
}
result = ((*callbacks->add)(callbacks->add_private, owner,
&dataset));
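Review bot: `resign_fromlist` now computes `when = sig.timeexpire - resign` in unsigned 32-bit arithmetic with no bound on `resign`, so a value larger than the signature's remaining validity puts the re-sign time before `timesigned` (the RRset is due immediately), and a value larger than `sig.timeexpire` itself wraps to a far-future time that silently disables re-signing for that RRset. The text-only entry points (`dns_master_loadstream`, `loadbuffer`, `loadlexer` and their `inc` variants) pass `0`, which places the re-sign time exactly at expiry; whether `DNS_MASTER_RESIGN` can be set on those paths is not visible here. I'd document the unit where `dns_master_loadfile3` is declared, e.g. `/* resign: seconds before RRSIG expiry at which the RRset is due for re-signing; 0 means at expiry. */`, and guard the subtraction in `resign_fromlist`: `when = (resign < sig.timeexpire) ? sig.timeexpire - resign : 0;` with the same guard inside the loop. The closing brace of `resign_fromlist` and the bodies of `commit` and the loader functions lie outside their hunks.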


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: message.c,v 1.240 2008/01/18 23:46:58 tbox Exp $ */
/* $Id: message.c,v 1.241 2008/04/02 02:37:42 marka Exp $ */
/*! \file */
@ -3022,6 +3022,7 @@ dns_message_checksig(dns_message_t *msg, dns_view_t *view) {
{
dst_key_t *key = NULL;
dns_rdata_reset(&rdata);
dns_rdataset_current(&keyset, &rdata);
isc_buffer_init(&b, rdata.data, rdata.length);
isc_buffer_add(&b, rdata.length);


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: rbtdb.c,v 1.254 2008/04/01 23:47:10 tbox Exp $ */
/* $Id: rbtdb.c,v 1.255 2008/04/02 02:37:42 marka Exp $ */
/*! \file */
@ -25,6 +25,8 @@
#include <config.h>
#define inline
#include <isc/event.h>
#include <isc/heap.h>
#include <isc/mem.h>
@ -690,7 +692,7 @@ set_ttl(dns_rbtdb_t *rbtdb, rdatasetheader_t *header, dns_ttl_t newttl) {
}
/*%
* These functions allows the heap code to rank the priority of each
* These functions allow the heap code to rank the priority of each
* element. It returns ISC_TRUE if v1 happens "sooner" than v2.
*/
static isc_boolean_t
@ -5357,12 +5359,12 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
#endif
} else if (RESIGN(newheader))
resign_insert(rbtdb, idx, newheader);
}
} else {
/*
* No non-IGNORED rdatasets of the given type exist at
* this node.
*/
}
} else {
/*
* No non-IGNORED rdatasets of the given type exist at
* this node.
*/
/*
* If we're trying to delete the type, don't bother.
@ -6363,6 +6365,7 @@ dns_rbtdb_create
isc_result_t result;
int i;
dns_name_t name;
isc_boolean_t (*sooner)(void *, void *);
/* Keep the compiler happy. */
UNUSED(argc);
@ -6418,9 +6421,8 @@ dns_rbtdb_create
}
for (i = 0; i < (int)rbtdb->node_lock_count; i++)
ISC_LIST_INIT(rbtdb->rdatasets[i]);
} else {
} else
rbtdb->rdatasets = NULL;
}
/*
* Create the heaps.
@ -6433,19 +6435,17 @@ dns_rbtdb_create
}
for (i = 0; i < (int)rbtdb->node_lock_count; i++)
rbtdb->heaps[i] = NULL;
sooner = IS_CACHE(rbtdb) ? ttl_sooner : resign_sooner;
for (i = 0; i < (int)rbtdb->node_lock_count; i++) {
if (IS_CACHE(rbtdb))
result = isc_heap_create(mctx, ttl_sooner, set_index,
0, &rbtdb->heaps[i]);
else
result = isc_heap_create(mctx, resign_sooner,
set_index, 0,
&rbtdb->heaps[i]);
result = isc_heap_create(mctx, sooner, set_index, 0,
&rbtdb->heaps[i]);
if (result != ISC_R_SUCCESS)
goto cleanup_heaps;
}
/*
* Create deadnode lists.
*/
rbtdb->deadnodes = isc_mem_get(mctx, rbtdb->node_lock_count *
sizeof(rbtnodelist_t));
if (rbtdb->deadnodes == NULL) {
@ -6725,9 +6725,6 @@ rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata) {
raw += 2;
#endif
if (rdataset->type == dns_rdatatype_rrsig) {
flags = ((*raw & DNS_RDATASLAB_WARNMASK)
>> DNS_RDATASLAB_WARNSHIFT)
<< DNS_RDATA_WARNSHIFT;
if (*raw & DNS_RDATASLAB_OFFLINE)
flags |= DNS_RDATA_OFFLINE;
length--;
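Review bot: `#define inline`, placed right after `#include <config.h>`, redefines a keyword as an empty macro for the whole translation unit, including every isc/dns header included after it, so any `inline` function those headers provide is compiled out-of-line in this file (and a non-static one could become an external definition that collides at link time); it reads like a debugging leftover of the same kind this commit removes elsewhere (the `fprintf(stderr, ...)` calls and `XXXMPA` lines). If it is intentional, it should be fenced and explained, e.g. `#ifdef RBTDB_NOINLINE /* keep heap callbacks out-of-line for debugging */`, otherwise dropped before merge. Separately, the `rdataset_current` hunk at the end now only ORs `DNS_RDATA_OFFLINE` into `flags`; `flags`'s initialisation is outside the hunk, so please confirm it starts at 0.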


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: rdataslab.c,v 1.45 2008/04/01 23:47:10 tbox Exp $ */
/* $Id: rdataslab.c,v 1.46 2008/04/02 02:37:42 marka Exp $ */
/*! \file */
@ -171,8 +171,6 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
#if DNS_RDATASET_FIXED
x[i].order = i;
#endif
if (x[i].rdata.flags & DNS_RDATA_OFFLINE)
fprintf(stderr, "OFFLINE\n");
result = dns_rdataset_next(rdataset);
}
if (result != ISC_R_NOMORE)
@ -307,13 +305,8 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
* Store the per RR meta data.
*/
if (rdataset->type == dns_rdatatype_rrsig) {
*rawbuf = ((x[i].rdata.flags & DNS_RDATA_WARNMASK)
>> DNS_RDATA_WARNSHIFT)
<< DNS_RDATASLAB_WARNSHIFT;
*rawbuf++ |= (x[i].rdata.flags & DNS_RDATA_OFFLINE) ?
DNS_RDATASLAB_OFFLINE : 0;
if (x[i].rdata.flags & DNS_RDATA_OFFLINE)
fprintf(stderr, "set DNS_RDATASLAB_OFFLINE\n");
}
memcpy(rawbuf, x[i].rdata.data, x[i].rdata.length);
rawbuf += x[i].rdata.length;
@ -402,9 +395,6 @@ rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata) {
raw += 2;
#endif
if (rdataset->type == dns_rdatatype_rrsig) {
flags = ((*raw & DNS_RDATASLAB_WARNMASK)
>> DNS_RDATASLAB_WARNSHIFT)
<< DNS_RDATA_WARNSHIFT;
if (*raw & DNS_RDATASLAB_OFFLINE)
flags |= DNS_RDATA_OFFLINE;
length--;
@ -536,10 +526,8 @@ rdata_from_slab(unsigned char **current,
region.base = tcurrent;
tcurrent += region.length;
dns_rdata_fromregion(rdata, rdclass, type, &region);
if (offline) {
if (offline)
rdata->flags |= DNS_RDATA_OFFLINE;
fprintf(stderr, "rdata_from_slab: DNS_RDATA_OFFLINE\n");
}
*current = tcurrent;
}
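Review bot: In `dns_rdataslab_fromrdataset` the per-RR meta byte is now only OR-ed into: once the `*rawbuf = (... DNS_RDATA_WARNMASK ...)` assignment is removed, the surviving `*rawbuf++ |= (x[i].rdata.flags & DNS_RDATA_OFFLINE) ? DNS_RDATASLAB_OFFLINE : 0;` reads whatever the freshly allocated slab byte holds, so stale heap bits end up stored as RRSIG flags unless the buffer is zeroed before this loop (the allocation is outside the hunk). It should be a plain store: `*rawbuf++ = (x[i].rdata.flags & DNS_RDATA_OFFLINE) ? DNS_RDATASLAB_OFFLINE : 0;`. The `rdataset_current` hunk in this file (and the identical one in rbtdb.c) likewise only ORs into `flags`; please confirm `flags` is initialised to 0 before the `if (rdataset->type == dns_rdatatype_rrsig)` block.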


@ -16,7 +16,7 @@
*/
/*
* $Id: tsig.c,v 1.134 2008/04/01 01:37:25 marka Exp $
* $Id: tsig.c,v 1.135 2008/04/02 02:37:42 marka Exp $
*/
/*! \file */
#include <config.h>
@ -445,7 +445,7 @@ cleanup_ring(dns_tsig_keyring_t *ring)
dns_rbtnodechain_current(&chain, &foundname, origin, &node);
tkey = node->data;
if (tkey != NULL) {
tsig_log(tkey, 2, "tsig expire: generated=%d, refs=%d, expire=%d", tkey->generated, isc_refcount_current(&tkey->refs), now - tkey->expire);
tsig_log(tkey, 2, "tsig expire: generated=%d, refs=%d, expire=%d)", tkey->generated, isc_refcount_current(&tkey->refs), now - tkey->expire);
if (tkey->generated
&& isc_refcount_current(&tkey->refs) == 1
&& tkey->inception != tkey->expire
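Review bot: The rewritten `tsig_log` call in `cleanup_ring` appends a `)` to the format string (`... expire=%d)`) that has no matching opening parenthesis, so every expiry log line now ends with a stray bracket; restore `"tsig expire: generated=%d, refs=%d, expire=%d"` or add the opening one. The line is also far beyond 80 columns, unlike the surrounding code, and the three `%d` conversions assume `isc_refcount_current()` and `now - tkey->expire` are `int`, which I cannot confirm from the hunk. `cleanup_ring` continues outside the hunk.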


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: zone.c,v 1.475 2008/04/02 01:48:32 marka Exp $ */
/* $Id: zone.c,v 1.476 2008/04/02 02:37:42 marka Exp $ */
/*! \file */
@ -248,6 +248,7 @@ struct dns_zone {
isc_event_t ctlevent;
dns_ssutable_t *ssutable;
isc_uint32_t sigvalidityinterval;
isc_uint32_t sigresigninginterval;
dns_view_t *view;
dns_acache_t *acache;
dns_checkmxfunc_t checkmx;
@ -283,6 +284,12 @@ struct dns_zone {
* Keys that are signing the zone for the first time.
*/
ISC_LIST(dns_signing_t) signing;
/*%
* Signing / re-signing quantum stopping parameters.
*/
isc_uint32_t signatures;
isc_uint32_t nodes;
dns_rdatatype_t privatetype;
};
#define DNS_ZONE_FLAG(z,f) (ISC_TF(((z)->flags & (f)) != 0))
@ -456,7 +463,7 @@ struct dns_io {
/*%
* Hold state for when we are signing a zone with a new
* DNSKEY as result of a update.
* DNSKEY as result of an update.
*/
struct dns_signing {
unsigned int magic;
@ -631,7 +638,7 @@ dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx) {
zone->strrdclass = NULL;
zone->strviewname = NULL;
zone->masterfile = NULL;
zone->masterformat = dns_masterformat_none;
zone->masterformat = dns_masterformat_none;
zone->keydirectory = NULL;
zone->journalsize = -1;
zone->journal = NULL;
@ -697,7 +704,7 @@ dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx) {
zone->maxxfrout = MAX_XFER_TIME;
zone->ssutable = NULL;
zone->sigvalidityinterval = 30 * 24 * 3600;
zone->sigvalidityinterval = 3600; /* XXMPA */
zone->sigresigninginterval = 7 * 24 * 3600;
zone->view = NULL;
zone->acache = NULL;
zone->checkmx = NULL;
@ -710,6 +717,9 @@ dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx) {
zone->isself = NULL;
zone->isselfarg = NULL;
ISC_LIST_INIT(zone->signing);
zone->signatures = 10;
zone->nodes = 100;
zone->privatetype = (dns_rdatatype_t)0xffffU;
zone->magic = ZONE_MAGIC;
@ -1414,11 +1424,12 @@ zone_gotreadhandle(isc_task_t *task, isc_event_t *event) {
options = get_master_options(load->zone);
result = dns_master_loadfileinc2(load->zone->masterfile,
result = dns_master_loadfileinc3(load->zone->masterfile,
dns_db_origin(load->db),
dns_db_origin(load->db),
load->zone->rdclass,
options,
load->zone->sigresigninginterval,
&load->callbacks, task,
zone_loaddone, load,
&load->zone->lctx, load->zone->mctx,
@ -1519,9 +1530,10 @@ zone_startload(dns_db_t *db, dns_zone_t *zone, isc_time_t loadtime) {
&callbacks.add_private);
if (result != ISC_R_SUCCESS)
return (result);
result = dns_master_loadfile2(zone->masterfile, &zone->origin,
result = dns_master_loadfile3(zone->masterfile, &zone->origin,
&zone->origin, zone->rdclass,
options, &callbacks, zone->mctx,
options, zone->sigresigninginterval,
&callbacks, zone->mctx,
zone->masterformat);
tresult = dns_db_endload(db, &callbacks.add_private);
if (result == ISC_R_SUCCESS)
@ -2028,7 +2040,7 @@ set_signingtime(dns_zone_t *zone) {
dns_db_currentversion(zone->db, &version);
dns_rdataset_init(&rdataset);
result = dns_db_findrdataset(zone->db, node, version,
(dns_rdatatype_t)0xffff,
zone->privatetype,
dns_rdatatype_none, 0,
&rdataset, NULL);
if (result != ISC_R_SUCCESS)
@ -2048,7 +2060,7 @@ set_signingtime(dns_zone_t *zone) {
(rdata.data[1] << 8) | rdata.data[2]);
if (result != ISC_R_SUCCESS) {
dns_zone_log(zone, ISC_LOG_ERROR,
"dns_zone_signwithkey failed: %s",
"zone_signwithkey failed: %s",
dns_result_totext(result));
}
dns_rdata_reset(&rdata);
@ -2081,7 +2093,6 @@ set_resigntime(dns_zone_t *zone) {
return;
}
resign = rdataset.resign;
fprintf(stderr, "set_resigntime %u\n", resign);
dns_name_format(dns_fixedname_name(&fixed), namebuf, sizeof(namebuf));
dns_rdataset_disassociate(&rdataset);
isc_random_get(&nanosecs);
@ -2254,11 +2265,11 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
if (zone->type == dns_zone_master &&
(zone->update_acl != NULL || zone->ssutable != NULL) &&
(zone->sigvalidityinterval / 4) < (3 * refresh) &&
zone->sigresigninginterval < (3 * refresh) &&
dns_db_issecure(db))
{
dns_zone_log(zone, ISC_LOG_WARNING,
"1/4 sig-validity-interval less than "
"sig-re-signing-interval less than "
"3 * refresh.");
}
@ -3168,6 +3179,7 @@ do_one_tuple(dns_difftuple_t **tuple, dns_db_t *db, dns_dbversion_t *ver,
* Create a singleton diff.
*/
dns_diff_init(diff->mctx, &temp_diff);
temp_diff.resign = diff->resign;
ISC_LIST_APPEND(temp_diff.tuples, *tuple, link);
/*
@ -3302,11 +3314,8 @@ offline(dns_db_t *db, dns_dbversion_t *ver, dns_diff_t *diff, dns_name_t *name,
{
isc_result_t result;
if ((rdata->flags & DNS_RDATA_OFFLINE) != 0) {
fprintf(stderr, "rdata is already marked as offline\n");
if ((rdata->flags & DNS_RDATA_OFFLINE) != 0)
return (ISC_R_SUCCESS);
}
fprintf(stderr, "mark as offline\n");
result = update_one_rr(db, ver, diff, DNS_DIFFOP_DELRESIGN,
name, ttl, rdata);
if (result != ISC_R_SUCCESS)
@ -3400,7 +3409,8 @@ del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
*/
found = ISC_FALSE;
for (i = 0; i < nkeys; i++) {
if (rrsig.keyid == dst_key_id(keys[i])) {
if (rrsig.algorithm == dst_key_alg(keys[i]) &&
rrsig.keyid == dst_key_id(keys[i])) {
found = ISC_TRUE;
/*
* Mark offline RRSIG(DNSKEY).
@ -3450,7 +3460,7 @@ del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
result = ISC_R_SUCCESS;
if (warn != 0)
set_key_expiry_warning(zone, warn, now);
failure:
failure:
if (node != NULL)
dns_db_detachnode(db, &node);
return (result);
@ -3533,6 +3543,7 @@ zone_resigninc(dns_zone_t *zone) {
dns_rdataset_init(&rdataset);
dns_fixedname_init(&fixed);
dns_diff_init(zone->mctx, &sig_diff);
sig_diff.resign = zone->sigresigninginterval;
/*
* Updates are disabled. Pause for 5 minutes.
@ -3565,7 +3576,6 @@ zone_resigninc(dns_zone_t *zone) {
isc_stdtime_get(&now);
inception = now - 3600; /* Allow for clock skew. */
inception = now - 4; /* XXXMPA */
soaexpire = now + dns_zone_getsigvalidityinterval(zone);
/*
* Spread out signatures over time if they happen to be
@ -3574,7 +3584,6 @@ zone_resigninc(dns_zone_t *zone) {
*/
isc_random_get(&jitter);
expire = soaexpire - jitter % 3600;
expire = soaexpire; /* XXXMPA */
stop = now + 5;
check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
@ -3599,7 +3608,8 @@ zone_resigninc(dns_zone_t *zone) {
* recent signature.
*/
/* XXXMPA increase number of RRsets signed pre call */
if (covers == dns_rdatatype_soa || i++ > 3 || resign > stop) {
if (covers == dns_rdatatype_soa || i++ > zone->signatures ||
resign > stop) {
/*
* Ensure that we don't loop resigning the SOA.
*/
@ -3813,7 +3823,7 @@ sign_a_node(dns_db_t *db, dns_name_t *name, dns_dbnode_t *node,
isc_stdtime_t inception, isc_stdtime_t expire,
unsigned int minimum,
isc_boolean_t is_ksk, isc_boolean_t *delegation,
dns_diff_t *diff, int *signatures, isc_mem_t *mctx)
dns_diff_t *diff, isc_int32_t *signatures, isc_mem_t *mctx)
{
isc_result_t result;
dns_rdatasetiter_t *iterator = NULL;
@ -3977,7 +3987,8 @@ updatesecure(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
static isc_result_t
updatesignwithkey(dns_signing_t *signing, dns_dbversion_t *version,
dns_name_t *name, dns_diff_t *diff)
dns_name_t *name, dns_rdatatype_t privatetype,
dns_diff_t *diff)
{
isc_result_t result;
dns_dbnode_t *node = NULL;
@ -3990,7 +4001,7 @@ updatesignwithkey(dns_signing_t *signing, dns_dbversion_t *version,
if (result != ISC_R_SUCCESS)
goto failure;
result = dns_db_findrdataset(signing->db, node, version, 0xffff,
result = dns_db_findrdataset(signing->db, node, version, privatetype,
dns_rdatatype_none, 0, &rdataset, NULL);
if (result == ISC_R_NOTFOUND) {
result = ISC_R_SUCCESS;
@ -4047,7 +4058,7 @@ zone_sign(dns_zone_t *zone) {
dns_signing_t *signing, *nextsigning;
dns_signinglist_t cleanup;
dst_key_t *zone_keys[MAXZONEKEYS];
int signatures;
isc_int32_t signatures;
isc_boolean_t check_ksk, is_ksk;
isc_boolean_t delegation;
isc_boolean_t finishedakey = ISC_FALSE;
@ -4058,7 +4069,7 @@ zone_sign(dns_zone_t *zone) {
isc_uint32_t jitter;
unsigned int i;
unsigned int nkeys = 0;
unsigned int nodes;
isc_uint32_t nodes;
dns_rdataset_init(&rdataset);
dns_fixedname_init(&fixed);
@ -4066,10 +4077,9 @@ zone_sign(dns_zone_t *zone) {
dns_fixedname_init(&nextfixed);
nextname = dns_fixedname_name(&nextfixed);
dns_diff_init(zone->mctx, &sig_diff);
sig_diff.resign = zone->sigresigninginterval;
ISC_LIST_INIT(cleanup);
fprintf(stderr, "zone_sign\n");
/*
* Updates are disabled. Pause for 5 minutes.
*/
@ -4101,7 +4111,6 @@ fprintf(stderr, "zone_sign\n");
isc_stdtime_get(&now);
inception = now - 3600; /* Allow for clock skew. */
inception = now - 4; /* XXXMPA */
soaexpire = now + dns_zone_getsigvalidityinterval(zone);
/*
* Spread out signatures over time if they happen to be
@ -4110,7 +4119,6 @@ fprintf(stderr, "zone_sign\n");
*/
isc_random_get(&jitter);
expire = soaexpire - jitter % 3600;
expire = soaexpire; /* XXXMPA */
stop = now + 5;
check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
@ -4122,8 +4130,8 @@ fprintf(stderr, "zone_sign\n");
* we have no more noded to pull off or we reach the limits
* for this quantum.
*/
nodes = 10;
signatures = 3;
nodes = zone->nodes;
signatures = zone->signatures;
signing = ISC_LIST_HEAD(zone->signing);
first = ISC_TRUE;
while (signing != NULL && nodes-- > 0 && signatures > 0) {
@ -4235,6 +4243,7 @@ fprintf(stderr, "zone_sign\n");
}
result = updatesignwithkey(signing, version,
&zone->origin,
zone->privatetype,
&sig_diff);
if (result != ISC_R_SUCCESS) {
dns_zone_log(zone, ISC_LOG_ERROR,
@ -4296,8 +4305,8 @@ fprintf(stderr, "zone_sign\n");
* the signatures.
*/
result = del_sigs(zone, db, version, &zone->origin,
(dns_rdatatype_t)0xffff, &sig_diff,
zone_keys, nkeys, now);
zone->privatetype, &sig_diff,
zone_keys, nkeys, now);
if (result != ISC_R_SUCCESS) {
dns_zone_log(zone, ISC_LOG_ERROR,
"zone_sign:del_sigs -> %s\n",
@ -4305,7 +4314,7 @@ fprintf(stderr, "zone_sign\n");
goto failure;
}
result = add_sigs(db, version, &zone->origin,
(dns_rdatatype_t)0xffff, &sig_diff,
zone->privatetype, &sig_diff,
zone_keys, nkeys, zone->mctx, inception,
soaexpire, check_ksk);
if (result != ISC_R_SUCCESS) {
@ -4416,12 +4425,9 @@ fprintf(stderr, "zone_sign\n");
isc_interval_set(&i, 60, 0); /* 1 minute */
else
isc_interval_set(&i, 0, 10000000); /* 10 ms */
isc_interval_set(&i, 120, 0); /* XXXMPA */
isc_time_nowplusinterval(&zone->signingtime, &i);
} else {
fprintf(stderr, "sign_zone done\n");
} else
isc_time_settoepoch(&zone->signingtime);
}
}
static void
@ -8378,7 +8384,6 @@ dns_zone_setsigvalidityinterval(dns_zone_t *zone, isc_uint32_t interval) {
REQUIRE(DNS_ZONE_VALID(zone));
zone->sigvalidityinterval = interval;
zone->sigvalidityinterval = 3600; /* XXXMPA */
}
isc_uint32_t
@ -8388,6 +8393,20 @@ dns_zone_getsigvalidityinterval(dns_zone_t *zone) {
return (zone->sigvalidityinterval);
}
void
dns_zone_setsigresigninginterval(dns_zone_t *zone, isc_uint32_t interval) {
REQUIRE(DNS_ZONE_VALID(zone));
zone->sigresigninginterval = interval;
}
isc_uint32_t
dns_zone_getsigresigninginterval(dns_zone_t *zone) {
REQUIRE(DNS_ZONE_VALID(zone));
return (zone->sigresigninginterval);
}
static void
queue_xfrin(dns_zone_t *zone) {
const char me[] = "queue_xfrin";
@ -9776,7 +9795,8 @@ dns_zone_getnotifydelay(dns_zone_t *zone) {
isc_result_t
dns_zone_signwithkey(dns_zone_t *zone, dns_secalg_t algorithm,
isc_uint16_t keyid) {
isc_uint16_t keyid)
{
isc_result_t result;
REQUIRE(DNS_ZONE_VALID(zone));
@ -9790,8 +9810,44 @@ dns_zone_signwithkey(dns_zone_t *zone, dns_secalg_t algorithm,
return (result);
}
void
dns_zone_setnodes(dns_zone_t *zone, isc_uint32_t nodes) {
REQUIRE(DNS_ZONE_VALID(zone));
if (nodes == 0)
nodes = 1;
zone->nodes = nodes;
}
void
dns_zone_setsignatures(dns_zone_t *zone, isc_uint32_t signatures) {
REQUIRE(DNS_ZONE_VALID(zone));
/*
* We treat signatures as a signed value so explicitly
* limit its range here.
*/
if (signatures > ISC_INT32_MAX)
signatures = ISC_INT32_MAX;
else if (signatures == 0)
signatures = 1;
zone->signatures = signatures;
}
void
dns_zone_setprivatetype(dns_zone_t *zone, dns_rdatatype_t type) {
REQUIRE(DNS_ZONE_VALID(zone));
zone->privatetype = type;
}
dns_rdatatype_t
dns_zone_getprivatetype(dns_zone_t *zone) {
REQUIRE(DNS_ZONE_VALID(zone));
return (zone->privatetype);
}
static isc_result_t
zone_signwithkey(dns_zone_t *zone, dns_secalg_t algorithm, uint16_t keyid) {
zone_signwithkey(dns_zone_t *zone, dns_secalg_t algorithm, isc_uint16_t keyid) {
dns_signing_t *signing;
isc_result_t result;
isc_time_t now;
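Review bot: `dns_zone_setsigresigninginterval` stores any value unchecked and nothing relates it to `sigvalidityinterval`, yet the re-sign time is derived as `timeexpire - resign` (master.c in this same commit) and the value is copied into `sig_diff.resign` in `zone_resigninc` and `zone_sign`, so an interval at or above the validity interval presumably makes every signature due the moment it is generated, leaving a master zone re-signing continuously and growing its journal. The only sanity check added is the `3 * refresh` warning in `zone_postload`; I'd add a second one beside it, `if (zone->sigresigninginterval >= zone->sigvalidityinterval) dns_zone_log(zone, ISC_LOG_WARNING, "sig-re-signing-interval not less than sig-validity-interval");` (both fields are in seconds, per the 7-day and 30-day defaults in `dns_zone_create`), or clamp in the setter. In `zone_resigninc` the new `i++ > zone->signatures` compares `i` with an `isc_uint32_t`; `i`'s declaration is outside the hunk, so if it is an `int` that is a signed/unsigned comparison worth making explicit. The enclosing functions of all three hunks continue outside them.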


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: mem.c,v 1.144 2008/04/01 01:37:25 marka Exp $ */
/* $Id: mem.c,v 1.145 2008/04/02 02:37:42 marka Exp $ */
/*! \file */
@ -112,7 +112,7 @@ typedef ISC_LIST(debuglink_t) debuglist_t;
static ISC_LIST(isc_mem_t) contexts;
static isc_once_t once = ISC_ONCE_INIT;
static isc_mutex_t contextlock;
static isc_mutex_t lock;
/*%
* Total size of lost memory due to a bug of external library.
@ -124,7 +124,7 @@ struct isc_mem {
unsigned int magic;
isc_ondestroy_t ondestroy;
unsigned int flags;
isc_mutex_t memlock;
isc_mutex_t lock;
isc_memalloc_t memalloc;
isc_memfree_t memfree;
void * arg;
@ -702,7 +702,7 @@ default_memfree(void *arg, void *ptr) {
static void
initialize_action(void) {
RUNTIME_CHECK(isc_mutex_init(&contextlock) == ISC_R_SUCCESS);
RUNTIME_CHECK(isc_mutex_init(&lock) == ISC_R_SUCCESS);
ISC_LIST_INIT(contexts);
totallost = 0;
}
@ -742,7 +742,7 @@ isc_mem_createx2(size_t init_max_size, size_t target_size,
return (ISC_R_NOMEMORY);
if ((flags & ISC_MEMFLAG_NOLOCK) == 0) {
result = isc_mutex_init(&ctx->memlock);
result = isc_mutex_init(&ctx->lock);
if (result != ISC_R_SUCCESS) {
(memfree)(arg, ctx);
return (result);
@ -827,9 +827,9 @@ isc_mem_createx2(size_t init_max_size, size_t target_size,
ctx->memalloc_failures = 0;
LOCK(&contextlock);
LOCK(&lock);
ISC_LIST_INITANDAPPEND(contexts, ctx, link);
UNLOCK(&contextlock);
UNLOCK(&lock);
*ctxp = ctx;
return (ISC_R_SUCCESS);
@ -845,7 +845,7 @@ isc_mem_createx2(size_t init_max_size, size_t target_size,
(ctx->memfree)(ctx->arg, ctx->debuglist);
#endif /* ISC_MEM_TRACKLINES */
if ((ctx->flags & ISC_MEMFLAG_NOLOCK) == 0)
DESTROYLOCK(&ctx->memlock);
DESTROYLOCK(&ctx->lock);
(memfree)(arg, ctx);
}
@ -877,10 +877,10 @@ destroy(isc_mem_t *ctx) {
ctx->magic = 0;
LOCK(&contextlock);
LOCK(&lock);
ISC_LIST_UNLINK(contexts, ctx, link);
totallost += ctx->inuse;
UNLOCK(&contextlock);
UNLOCK(&lock);
INSIST(ISC_LIST_EMPTY(ctx->pools));
@ -932,7 +932,7 @@ destroy(isc_mem_t *ctx) {
ondest = ctx->ondestroy;
if ((ctx->flags & ISC_MEMFLAG_NOLOCK) == 0)
DESTROYLOCK(&ctx->memlock);
DESTROYLOCK(&ctx->lock);
(ctx->memfree)(ctx->arg, ctx);
isc_ondestroy_notify(&ondest, ctx);
@ -943,9 +943,9 @@ isc_mem_attach(isc_mem_t *source, isc_mem_t **targetp) {
REQUIRE(VALID_CONTEXT(source));
REQUIRE(targetp != NULL && *targetp == NULL);
MCTXLOCK(source, &source->memlock);
MCTXLOCK(source, &source->lock);
source->references++;
MCTXUNLOCK(source, &source->memlock);
MCTXUNLOCK(source, &source->lock);
*targetp = source;
}
@ -959,12 +959,12 @@ isc_mem_detach(isc_mem_t **ctxp) {
ctx = *ctxp;
REQUIRE(VALID_CONTEXT(ctx));
MCTXLOCK(ctx, &ctx->memlock);
MCTXLOCK(ctx, &ctx->lock);
INSIST(ctx->references > 0);
ctx->references--;
if (ctx->references == 0)
want_destroy = ISC_TRUE;
MCTXUNLOCK(ctx, &ctx->memlock);
MCTXUNLOCK(ctx, &ctx->lock);
if (want_destroy)
destroy(ctx);
@ -1010,11 +1010,11 @@ isc__mem_putanddetach(isc_mem_t **ctxp, void *ptr, size_t size FLARG) {
}
isc__mem_free(ctx, ptr FLARG_PASS);
MCTXLOCK(ctx, &ctx->memlock);
MCTXLOCK(ctx, &ctx->lock);
ctx->references--;
if (ctx->references == 0)
want_destroy = ISC_TRUE;
MCTXUNLOCK(ctx, &ctx->memlock);
MCTXUNLOCK(ctx, &ctx->lock);
if (want_destroy)
destroy(ctx);
@ -1022,11 +1022,11 @@ isc__mem_putanddetach(isc_mem_t **ctxp, void *ptr, size_t size FLARG) {
}
if ((ctx->flags & ISC_MEMFLAG_INTERNAL) != 0) {
MCTXLOCK(ctx, &ctx->memlock);
MCTXLOCK(ctx, &ctx->lock);
mem_putunlocked(ctx, ptr, size);
} else {
mem_put(ctx, ptr, size);
MCTXLOCK(ctx, &ctx->memlock);
MCTXLOCK(ctx, &ctx->lock);
mem_putstats(ctx, ptr, size);
}
@ -1036,7 +1036,7 @@ isc__mem_putanddetach(isc_mem_t **ctxp, void *ptr, size_t size FLARG) {
if (ctx->references == 0)
want_destroy = ISC_TRUE;
MCTXUNLOCK(ctx, &ctx->memlock);
MCTXUNLOCK(ctx, &ctx->lock);
if (want_destroy)
destroy(ctx);
@ -1055,14 +1055,14 @@ isc_mem_destroy(isc_mem_t **ctxp) {
ctx = *ctxp;
REQUIRE(VALID_CONTEXT(ctx));
MCTXLOCK(ctx, &ctx->memlock);
MCTXLOCK(ctx, &ctx->lock);
#if ISC_MEM_TRACKLINES
if (ctx->references != 1)
print_active(ctx, stderr);
#endif
REQUIRE(ctx->references == 1);
ctx->references--;
MCTXUNLOCK(ctx, &ctx->memlock);
MCTXUNLOCK(ctx, &ctx->lock);
destroy(ctx);
@ -1073,9 +1073,9 @@ isc_result_t
isc_mem_ondestroy(isc_mem_t *ctx, isc_task_t *task, isc_event_t **event) {
isc_result_t res;
MCTXLOCK(ctx, &ctx->memlock);
MCTXLOCK(ctx, &ctx->lock);
res = isc_ondestroy_register(&ctx->ondestroy, task, event);
MCTXUNLOCK(ctx, &ctx->memlock);
MCTXUNLOCK(ctx, &ctx->lock);
return (res);
}
@ -1092,11 +1092,11 @@ isc__mem_get(isc_mem_t *ctx, size_t size FLARG) {
return (isc__mem_allocate(ctx, size FLARG_PASS));
if ((ctx->flags & ISC_MEMFLAG_INTERNAL) != 0) {
MCTXLOCK(ctx, &ctx->memlock);
MCTXLOCK(ctx, &ctx->lock);
ptr = mem_getunlocked(ctx, size);
} else {
ptr = mem_get(ctx, size);
MCTXLOCK(ctx, &ctx->memlock);
MCTXLOCK(ctx, &ctx->lock);
if (ptr != NULL)
mem_getstats(ctx, size);
}
@ -1113,7 +1113,7 @@ isc__mem_get(isc_mem_t *ctx, size_t size FLARG) {
fprintf(stderr, "maxinuse = %lu\n",
(unsigned long)ctx->inuse);
}
MCTXUNLOCK(ctx, &ctx->memlock);
MCTXUNLOCK(ctx, &ctx->lock);
if (call_water)
(ctx->water)(ctx->water_arg, ISC_MEM_HIWATER);
@ -1144,11 +1144,11 @@ isc__mem_put(isc_mem_t *ctx, void *ptr, size_t size FLARG)
}
if ((ctx->flags & ISC_MEMFLAG_INTERNAL) != 0) {
MCTXLOCK(ctx, &ctx->memlock);
MCTXLOCK(ctx, &ctx->lock);
mem_putunlocked(ctx, ptr, size);
} else {
mem_put(ctx, ptr, size);
MCTXLOCK(ctx, &ctx->memlock);
MCTXLOCK(ctx, &ctx->lock);
mem_putstats(ctx, ptr, size);
}
@ -1164,7 +1164,7 @@ isc__mem_put(isc_mem_t *ctx, void *ptr, size_t size FLARG)
if (ctx->water != NULL)
call_water = ISC_TRUE;
}
MCTXUNLOCK(ctx, &ctx->memlock);
MCTXUNLOCK(ctx, &ctx->lock);
if (call_water)
(ctx->water)(ctx->water_arg, ISC_MEM_LOWATER);
@ -1174,12 +1174,12 @@ void
isc_mem_waterack(isc_mem_t *ctx, int flag) {
REQUIRE(VALID_CONTEXT(ctx));
MCTXLOCK(ctx, &ctx->memlock);
MCTXLOCK(ctx, &ctx->lock);
if (flag == ISC_MEM_LOWATER)
ctx->hi_called = ISC_FALSE;
else if (flag == ISC_MEM_HIWATER)
ctx->hi_called = ISC_TRUE;
MCTXUNLOCK(ctx, &ctx->memlock);
MCTXUNLOCK(ctx, &ctx->lock);
}
#if ISC_MEM_TRACKLINES
@ -1233,7 +1233,7 @@ isc_mem_stats(isc_mem_t *ctx, FILE *out) {
const isc_mempool_t *pool;
REQUIRE(VALID_CONTEXT(ctx));
MCTXLOCK(ctx, &ctx->memlock);
MCTXLOCK(ctx, &ctx->lock);
for (i = 0; i <= ctx->max_size; i++) {
s = &ctx->stats[i];
@ -1254,7 +1254,7 @@ isc_mem_stats(isc_mem_t *ctx, FILE *out) {
* Note that since a pool can be locked now, these stats might be
* somewhat off if the pool is in active use at the time the stats
* are dumped. The link fields are protected by the isc_mem_t's
* contextlock, however, so walking this list and extracting integers from
* lock, however, so walking this list and extracting integers from
* stats fields is always safe.
*/
pool = ISC_LIST_HEAD(ctx->pools);
@ -1294,7 +1294,7 @@ isc_mem_stats(isc_mem_t *ctx, FILE *out) {
print_active(ctx, out);
#endif
MCTXUNLOCK(ctx, &ctx->memlock);
MCTXUNLOCK(ctx, &ctx->lock);
}
/*
@ -1333,11 +1333,11 @@ isc__mem_allocate(isc_mem_t *ctx, size_t size FLARG) {
REQUIRE(VALID_CONTEXT(ctx));
if ((ctx->flags & ISC_MEMFLAG_INTERNAL) != 0) {
MCTXLOCK(ctx, &ctx->memlock);
MCTXLOCK(ctx, &ctx->lock);
si = isc__mem_allocateunlocked(ctx, size);
} else {
si = isc__mem_allocateunlocked(ctx, size);
MCTXLOCK(ctx, &ctx->memlock);
MCTXLOCK(ctx, &ctx->lock);
if (si != NULL)
mem_getstats(ctx, si[-1].u.size);
}
@ -1357,7 +1357,7 @@ isc__mem_allocate(isc_mem_t *ctx, size_t size FLARG) {
fprintf(stderr, "maxinuse = %lu\n",
(unsigned long)ctx->inuse);
}
MCTXUNLOCK(ctx, &ctx->memlock);
MCTXUNLOCK(ctx, &ctx->lock);
if (call_water)
(ctx->water)(ctx->water_arg, ISC_MEM_HIWATER);
@ -1384,11 +1384,11 @@ isc__mem_free(isc_mem_t *ctx, void *ptr FLARG) {
}
if ((ctx->flags & ISC_MEMFLAG_INTERNAL) != 0) {
MCTXLOCK(ctx, &ctx->memlock);
MCTXLOCK(ctx, &ctx->lock);
mem_putunlocked(ctx, si, size);
} else {
mem_put(ctx, si, size);
MCTXLOCK(ctx, &ctx->memlock);
MCTXLOCK(ctx, &ctx->lock);
mem_putstats(ctx, si, size);
}
@ -1406,7 +1406,7 @@ isc__mem_free(isc_mem_t *ctx, void *ptr FLARG) {
if (ctx->water != NULL)
call_water = ISC_TRUE;
}
MCTXUNLOCK(ctx, &ctx->memlock);
MCTXUNLOCK(ctx, &ctx->lock);
if (call_water)
(ctx->water)(ctx->water_arg, ISC_MEM_LOWATER);
@ -1438,11 +1438,11 @@ isc__mem_strdup(isc_mem_t *mctx, const char *s FLARG) {
void
isc_mem_setdestroycheck(isc_mem_t *ctx, isc_boolean_t flag) {
REQUIRE(VALID_CONTEXT(ctx));
MCTXLOCK(ctx, &ctx->memlock);
MCTXLOCK(ctx, &ctx->lock);
ctx->checkfree = flag;
MCTXUNLOCK(ctx, &ctx->memlock);
MCTXUNLOCK(ctx, &ctx->lock);
}
/*
@ -1452,11 +1452,11 @@ isc_mem_setdestroycheck(isc_mem_t *ctx, isc_boolean_t flag) {
void
isc_mem_setquota(isc_mem_t *ctx, size_t quota) {
REQUIRE(VALID_CONTEXT(ctx));
MCTXLOCK(ctx, &ctx->memlock);
MCTXLOCK(ctx, &ctx->lock);
ctx->quota = quota;
MCTXUNLOCK(ctx, &ctx->memlock);
MCTXUNLOCK(ctx, &ctx->lock);
}
size_t
@ -1464,11 +1464,11 @@ isc_mem_getquota(isc_mem_t *ctx) {
size_t quota;
REQUIRE(VALID_CONTEXT(ctx));
MCTXLOCK(ctx, &ctx->memlock);
MCTXLOCK(ctx, &ctx->lock);
quota = ctx->quota;
MCTXUNLOCK(ctx, &ctx->memlock);
MCTXUNLOCK(ctx, &ctx->lock);
return (quota);
}
@ -1478,11 +1478,11 @@ isc_mem_inuse(isc_mem_t *ctx) {
size_t inuse;
REQUIRE(VALID_CONTEXT(ctx));
MCTXLOCK(ctx, &ctx->memlock);
MCTXLOCK(ctx, &ctx->lock);
inuse = ctx->inuse;
MCTXUNLOCK(ctx, &ctx->memlock);
MCTXUNLOCK(ctx, &ctx->lock);
return (inuse);
}
@ -1498,7 +1498,7 @@ isc_mem_setwater(isc_mem_t *ctx, isc_mem_water_t water, void *water_arg,
REQUIRE(VALID_CONTEXT(ctx));
REQUIRE(hiwater >= lowater);
MCTXLOCK(ctx, &ctx->memlock);
MCTXLOCK(ctx, &ctx->lock);
oldwater = ctx->water;
oldwater_arg = ctx->water_arg;
if (water == NULL) {
@ -1519,7 +1519,7 @@ isc_mem_setwater(isc_mem_t *ctx, isc_mem_water_t water, void *water_arg,
ctx->lo_water = lowater;
ctx->hi_called = ISC_FALSE;
}
MCTXUNLOCK(ctx, &ctx->memlock);
MCTXUNLOCK(ctx, &ctx->lock);
if (callwater && oldwater != NULL)
(oldwater)(oldwater_arg, ISC_MEM_LOWATER);
@ -1529,11 +1529,11 @@ void
isc_mem_setname(isc_mem_t *ctx, const char *name, void *tag) {
REQUIRE(VALID_CONTEXT(ctx));
LOCK(&ctx->memlock);
LOCK(&ctx->lock);
memset(ctx->name, 0, sizeof(ctx->name));
strncpy(ctx->name, name, sizeof(ctx->name) - 1);
ctx->tag = tag;
UNLOCK(&ctx->memlock);
UNLOCK(&ctx->lock);
}
const char *
@ -1587,10 +1587,10 @@ isc_mempool_create(isc_mem_t *mctx, size_t size, isc_mempool_t **mpctxp) {
*mpctxp = mpctx;
MCTXLOCK(mctx, &mctx->memlock);
MCTXLOCK(mctx, &mctx->lock);
ISC_LIST_INITANDAPPEND(mctx->pools, mpctx, link);
mctx->poolcnt++;
MCTXUNLOCK(mctx, &mctx->memlock);
MCTXUNLOCK(mctx, &mctx->lock);
return (ISC_R_SUCCESS);
}
@ -1643,7 +1643,7 @@ isc_mempool_destroy(isc_mempool_t **mpctxp) {
/*
* Return any items on the free list
*/
MCTXLOCK(mctx, &mctx->memlock);
MCTXLOCK(mctx, &mctx->lock);
while (mpctx->items != NULL) {
INSIST(mpctx->freecount > 0);
mpctx->freecount--;
@ -1657,15 +1657,15 @@ isc_mempool_destroy(isc_mempool_t **mpctxp) {
mem_putstats(mctx, item, mpctx->size);
}
}
MCTXUNLOCK(mctx, &mctx->memlock);
MCTXUNLOCK(mctx, &mctx->lock);
/*
* Remove our linked list entry from the memory context.
*/
MCTXLOCK(mctx, &mctx->memlock);
MCTXLOCK(mctx, &mctx->lock);
ISC_LIST_UNLINK(mctx->pools, mpctx, link);
mctx->poolcnt--;
MCTXUNLOCK(mctx, &mctx->memlock);
MCTXUNLOCK(mctx, &mctx->lock);
mpctx->magic = 0;
@ -1724,7 +1724,7 @@ isc__mempool_get(isc_mempool_t *mpctx FLARG) {
* We need to dip into the well. Lock the memory context here and
* fill up our free list.
*/
MCTXLOCK(mctx, &mctx->memlock);
MCTXLOCK(mctx, &mctx->lock);
for (i = 0; i < mpctx->fillcount; i++) {
if ((mctx->flags & ISC_MEMFLAG_INTERNAL) != 0) {
item = mem_getunlocked(mctx, mpctx->size);
@ -1739,7 +1739,7 @@ isc__mempool_get(isc_mempool_t *mpctx FLARG) {
mpctx->items = item;
mpctx->freecount++;
}
MCTXUNLOCK(mctx, &mctx->memlock);
MCTXUNLOCK(mctx, &mctx->lock);
/*
* If we didn't get any items, return NULL.
@ -1759,9 +1759,9 @@ isc__mempool_get(isc_mempool_t *mpctx FLARG) {
#if ISC_MEM_TRACKLINES
if (item != NULL) {
MCTXLOCK(mctx, &mctx->memlock);
MCTXLOCK(mctx, &mctx->lock);
ADD_TRACE(mctx, item, mpctx->size, file, line);
MCTXUNLOCK(mctx, &mctx->memlock);
MCTXUNLOCK(mctx, &mctx->lock);
}
#endif /* ISC_MEM_TRACKLINES */
@ -1785,9 +1785,9 @@ isc__mempool_put(isc_mempool_t *mpctx, void *mem FLARG) {
mpctx->allocated--;
#if ISC_MEM_TRACKLINES
MCTXLOCK(mctx, &mctx->memlock);
MCTXLOCK(mctx, &mctx->lock);
DELETE_TRACE(mctx, mem, mpctx->size, file, line);
MCTXUNLOCK(mctx, &mctx->memlock);
MCTXUNLOCK(mctx, &mctx->lock);
#endif /* ISC_MEM_TRACKLINES */
/*
@ -1795,14 +1795,14 @@ isc__mempool_put(isc_mempool_t *mpctx, void *mem FLARG) {
*/
if (mpctx->freecount >= mpctx->freemax) {
if ((mctx->flags & ISC_MEMFLAG_INTERNAL) != 0) {
MCTXLOCK(mctx, &mctx->memlock);
MCTXLOCK(mctx, &mctx->lock);
mem_putunlocked(mctx, mem, mpctx->size);
MCTXUNLOCK(mctx, &mctx->memlock);
MCTXUNLOCK(mctx, &mctx->lock);
} else {
mem_put(mctx, mem, mpctx->size);
MCTXLOCK(mctx, &mctx->memlock);
MCTXLOCK(mctx, &mctx->lock);
mem_putstats(mctx, mem, mpctx->size);
MCTXUNLOCK(mctx, &mctx->memlock);
MCTXUNLOCK(mctx, &mctx->lock);
}
if (mpctx->lock != NULL)
UNLOCK(mpctx->lock);
@ -1975,14 +1975,14 @@ isc_mem_printallactive(FILE *file) {
RUNTIME_CHECK(isc_once_do(&once, initialize_action) == ISC_R_SUCCESS);
LOCK(&contextlock);
LOCK(&lock);
for (ctx = ISC_LIST_HEAD(contexts);
ctx != NULL;
ctx = ISC_LIST_NEXT(ctx, link)) {
fprintf(file, "context: %p\n", ctx);
print_active(ctx, file);
}
UNLOCK(&contextlock);
UNLOCK(&lock);
#endif
}
@ -1991,7 +1991,7 @@ isc_mem_checkdestroyed(FILE *file) {
RUNTIME_CHECK(isc_once_do(&once, initialize_action) == ISC_R_SUCCESS);
LOCK(&contextlock);
LOCK(&lock);
if (!ISC_LIST_EMPTY(contexts)) {
#if ISC_MEM_TRACKLINES
isc_mem_t *ctx;
@ -2006,7 +2006,7 @@ isc_mem_checkdestroyed(FILE *file) {
#endif
INSIST(0);
}
UNLOCK(&contextlock);
UNLOCK(&lock);
}
unsigned int
@ -2014,9 +2014,9 @@ isc_mem_references(isc_mem_t *ctx) {
unsigned int references;
REQUIRE(VALID_CONTEXT(ctx));
MCTXLOCK(ctx, &ctx->memlock);
MCTXLOCK(ctx, &ctx->lock);
references = ctx->references;
MCTXUNLOCK(ctx, &ctx->memlock);
MCTXUNLOCK(ctx, &ctx->lock);
return (references);
}
@ -2047,7 +2047,7 @@ renderctx(isc_mem_t *ctx, summarystat_t *summary, xmlTextWriterPtr writer) {
}
REQUIRE(VALID_CONTEXT(ctx));
MCTXLOCK(ctx, &ctx->memlock);
MCTXLOCK(ctx, &ctx->lock);
summary->contextsize += sizeof(*ctx) +
(ctx->max_size + 1) * sizeof(struct stats) +
@ -2110,7 +2110,7 @@ renderctx(isc_mem_t *ctx, summarystat_t *summary, xmlTextWriterPtr writer) {
(isc_uint64_t)ctx->lo_water);
xmlTextWriterEndElement(writer); /* lowater */
MCTXUNLOCK(ctx, &ctx->memlock);
MCTXUNLOCK(ctx, &ctx->lock);
xmlTextWriterEndElement(writer); /* context */
}
@ -2127,14 +2127,14 @@ isc_mem_renderxml(xmlTextWriterPtr writer) {
RUNTIME_CHECK(isc_once_do(&once, initialize_action) == ISC_R_SUCCESS);
LOCK(&contextlock);
LOCK(&lock);
lost = totallost;
for (ctx = ISC_LIST_HEAD(contexts);
ctx != NULL;
ctx = ISC_LIST_NEXT(ctx, link)) {
renderctx(ctx, &summary, writer);
}
UNLOCK(&contextlock);
UNLOCK(&lock);
xmlTextWriterEndElement(writer); /* contexts */


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: namedconf.c,v 1.85 2008/03/27 03:30:53 marka Exp $ */
/* $Id: namedconf.c,v 1.86 2008/04/02 02:37:42 marka Exp $ */
/*! \file */
@ -809,6 +809,47 @@ view_only_clauses[] = {
{ NULL, NULL, 0 }
};
/*%
* Sig-validity-interval.
*/
static isc_result_t
parse_optional_uint32(cfg_parser_t *pctx, const cfg_type_t *type,
cfg_obj_t **ret)
{
isc_result_t result;
UNUSED(type);
CHECK(cfg_peektoken(pctx, ISC_LEXOPT_NUMBER | ISC_LEXOPT_CNUMBER));
if (pctx->token.type == isc_tokentype_number) {
CHECK(cfg_parse_obj(pctx, &cfg_type_uint32, ret));
} else {
CHECK(cfg_parse_obj(pctx, &cfg_type_void, ret));
}
cleanup:
return (result);
}
static void
doc_optional_uint32(cfg_printer_t *pctx, const cfg_type_t *type) {
UNUSED(type);
cfg_print_chars(pctx, "[ <integer> ]", 13);
}
static cfg_type_t cfg_type_optional_uint32 = {
"optional_uint32", parse_optional_uint32, NULL, doc_optional_uint32,
NULL, NULL };
static cfg_tuplefielddef_t validityinterval_fields[] = {
{ "validity", &cfg_type_uint32, 0 },
{ "re-sign", &cfg_type_optional_uint32, 0 },
{ NULL, NULL, 0 }
};
static cfg_type_t cfg_type_validityinterval = {
"validityinterval", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
&cfg_rep_tuple, validityinterval_fields
};
/*%
* Clauses that can be found in a 'zone' statement,
* with defaults in the 'view' or 'options' statement.
@ -852,7 +893,10 @@ zone_clauses[] = {
{ "notify-source", &cfg_type_sockaddr4wild, 0 },
{ "notify-source-v6", &cfg_type_sockaddr6wild, 0 },
{ "notify-to-soa", &cfg_type_boolean, 0 },
{ "sig-validity-interval", &cfg_type_uint32, 0 },
{ "sig-signing-nodes", &cfg_type_uint32, 0 },
{ "sig-signing-signatures", &cfg_type_uint32, 0 },
{ "sig-signing-type", &cfg_type_uint32, 0 },
{ "sig-validity-interval", &cfg_type_validityinterval, 0 },
{ "transfer-source", &cfg_type_sockaddr4wild, 0 },
{ "transfer-source-v6", &cfg_type_sockaddr6wild, 0 },
{ "try-tcp-refresh", &cfg_type_boolean, 0 },
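Review bot: The `/*% * Sig-validity-interval. */` header above `parse_optional_uint32` does not say what the new tuple accepts; the second field is optional and is parsed as `cfg_type_void` when the peeked token is not a number, so a reader has to reverse-engineer the grammar from `validityinterval_fields`. I would replace it with a comment stating the grammar, e.g. `/*% * sig-validity-interval <validity> [ <re-sign> ]: the optional second integer is the re-signing interval and is parsed as void when absent. */`. In `doc_optional_uint32` the literal `13` duplicates the length of `"[ <integer> ]"`; `sizeof("[ <integer> ]") - 1` keeps the two from drifting apart if the string is ever edited. Since this grammar accepts any pair of uint32 values, the relationship between the two intervals (if the re-signing interval is meant to be shorter than the validity interval so signatures are regenerated before they expire) is not enforced here and must be checked where the tuple is consumed, presumably in the zone configuration code — worth confirming that check exists. The hunks of this section appear complete, though the file section may continue past the last visible line.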