upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-05-28 04:34:54 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

remove all code that uses non-DS trust anchors

Browse source 
as initial-key and static-key trust anchors will now be stored as a
DS rrset, code referencing keynodes storing DNSKEY trust anchors will
no longer be reached.
This commit is contained in:
Evan Hunt 2019-12-19 19:39:33 -08:00
parent 21d3f66f1c
commit 7fdf40770f
9 changed files with 28 additions and 571 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

25
bin/named/server.c
View file

@ -6835,11 +6835,7 @@ struct dotat_arg {
* reported in the TAT query.
*/
static isc_result_t
get_tat_qname(dns_name_t *target, dns_name_t *keyname,
dns_keytable_t *keytable, dns_keynode_t *keynode)
{
dns_keynode_t *firstnode = keynode;
dns_keynode_t *nextnode = NULL;
get_tat_qname(dns_name_t *target, dns_name_t *keyname, dns_keynode_t *keynode) {
dns_rdataset_t *dsset = NULL;
unsigned int i, n = 0;
uint16_t ids[12];
@ -6866,23 +6862,6 @@ get_tat_qname(dns_name_t *target, dns_name_t *keyname,
n++;
}
}
} else {
do {
dst_key_t *key = dns_keynode_key(keynode);
if (key != NULL) {
if (n < (sizeof(ids)/sizeof(ids[0]))) {
ids[n] = dst_key_id(key);
n++;
}
}
nextnode = NULL;
(void)dns_keytable_nextkeynode(keytable, keynode,
&nextnode);
if (keynode != firstnode) {
dns_keytable_detachkeynode(keytable, &keynode);
}
keynode = nextnode;
} while (keynode != NULL);
}
if (n == 0) {
@ -6938,7 +6917,7 @@ dotat(dns_keytable_t *keytable, dns_keynode_t *keynode,
task = dotat_arg->task;
tatname = dns_fixedname_initname(&fixed);
result = get_tat_qname(tatname, keyname, keytable, keynode);
result = get_tat_qname(tatname, keyname, keynode);
if (result != ISC_R_SUCCESS) {
return;
}

86
lib/dns/include/dns/keytable.h
View file

@ -223,9 +223,8 @@ isc_result_t
dns_keytable_find(dns_keytable_t *keytable, const dns_name_t *keyname,
dns_keynode_t **keynodep);
/*%<
* Search for the first instance of a key named 'name' in 'keytable',
* without regard to keyid and algorithm. Use dns_keytable_nextkeynode()
* to find subsequent instances.
* Search for the first instance of a trust anchor named 'name' in
* 'keytable', without regard to keyid and algorithm.
*
* Requires:
*
@ -243,78 +242,6 @@ dns_keytable_find(dns_keytable_t *keytable, const dns_name_t *keyname,
*\li Any other result indicates an error.
*/
isc_result_t
dns_keytable_nextkeynode(dns_keytable_t *keytable, dns_keynode_t *keynode,
dns_keynode_t **nextnodep);
/*%<
* Return for the next key after 'keynode' in 'keytable', without regard to
* keyid and algorithm.
*
* Requires:
*
*\li 'keytable' is a valid keytable.
*
*\li 'keynode' is a valid keynode.
*
*\li nextnodep != NULL && *nextnodep == NULL
*
* Returns:
*
*\li ISC_R_SUCCESS
*\li ISC_R_NOTFOUND
*
*\li Any other result indicates an error.
*/
isc_result_t
dns_keytable_findkeynode(dns_keytable_t *keytable, const dns_name_t *name,
dns_secalg_t algorithm, dns_keytag_t tag,
dns_keynode_t **keynodep);
/*%<
* Search for a key named 'name', matching 'algorithm' and 'tag' in
* 'keytable'. This finds the first instance which matches. Use
* dns_keytable_findnextkeynode() to find other instances.
*
* Requires:
*
*\li 'keytable' is a valid keytable.
*
*\li 'name' is a valid absolute name.
*
*\li keynodep != NULL && *keynodep == NULL
*
* Returns:
*
*\li ISC_R_SUCCESS
*\li DNS_R_PARTIALMATCH the name existed in the keytable.
*\li ISC_R_NOTFOUND
*
*\li Any other result indicates an error.
*/
isc_result_t
dns_keytable_findnextkeynode(dns_keytable_t *keytable, dns_keynode_t *keynode,
dns_keynode_t **nextnodep);
/*%<
* Search for the next key with the same properties as 'keynode' in
* 'keytable' as found by dns_keytable_findkeynode().
*
* Requires:
*
*\li 'keytable' is a valid keytable.
*
*\li 'keynode' is a valid keynode.
*
*\li nextnodep != NULL && *nextnodep == NULL
*
* Returns:
*
*\li ISC_R_SUCCESS
*\li ISC_R_NOTFOUND
*
*\li Any other result indicates an error.
*/
isc_result_t
dns_keytable_finddeepestmatch(dns_keytable_t *keytable, const dns_name_t *name,
dns_name_t *foundname);
@ -413,12 +340,6 @@ dns_keytable_totext(dns_keytable_t *keytable, isc_buffer_t **buf);
* Dump the keytable to buffer at 'buf'
*/
dst_key_t *
dns_keynode_key(dns_keynode_t *keynode);
/*%<
* Get the DST key associated with keynode.
*/
dns_rdataset_t *
dns_keynode_dsset(dns_keynode_t *keynode);
/*%<
@ -466,8 +387,7 @@ dns_keynode_attach(dns_keynode_t *source, dns_keynode_t **target);
void
dns_keynode_detach(isc_mem_t *mctx, dns_keynode_t **target);
/*%<
* Detach a single keynode, without touching any keynodes that
* may be pointed to by its 'next' pointer
* Detach a keynode.
*/
void

131
lib/dns/keytable.c
View file

@ -516,123 +516,6 @@ dns_keytable_find(dns_keytable_t *keytable, const dns_name_t *keyname,
return (result);
}
isc_result_t
dns_keytable_nextkeynode(dns_keytable_t *keytable, dns_keynode_t *keynode,
dns_keynode_t **nextnodep)
{
/*
* Return the next key after 'keynode', regardless of
* properties.
*/
REQUIRE(VALID_KEYTABLE(keytable));
REQUIRE(VALID_KEYNODE(keynode));
REQUIRE(nextnodep != NULL && *nextnodep == NULL);
if (keynode->next == NULL) {
return (ISC_R_NOTFOUND);
}
dns_keytable_attachkeynode(keytable, keynode->next, nextnodep);
return (ISC_R_SUCCESS);
}
isc_result_t
dns_keytable_findkeynode(dns_keytable_t *keytable, const dns_name_t *name,
dns_secalg_t algorithm, dns_keytag_t tag,
dns_keynode_t **keynodep)
{
isc_result_t result;
dns_keynode_t *knode;
void *data;
/*
* Search for a key named 'name', matching 'algorithm' and 'tag' in
* 'keytable'.
*/
REQUIRE(VALID_KEYTABLE(keytable));
REQUIRE(dns_name_isabsolute(name));
REQUIRE(keynodep != NULL && *keynodep == NULL);
RWLOCK(&keytable->rwlock, isc_rwlocktype_read);
/*
* Note we don't want the DNS_R_PARTIALMATCH from dns_rbt_findname()
* as that indicates that 'name' was not found.
*
* DNS_R_PARTIALMATCH indicates that the name was found but we
* didn't get a match on algorithm and key id arguments.
*/
knode = NULL;
data = NULL;
result = dns_rbt_findname(keytable->table, name, 0, NULL, &data);
if (result == ISC_R_SUCCESS) {
INSIST(data != NULL);
for (knode = data; knode != NULL; knode = knode->next) {
if (knode->key == NULL) {
knode = NULL;
break;
}
if (algorithm == dst_key_alg(knode->key) &&
tag == dst_key_id(knode->key))
{
break;
}
}
if (knode != NULL) {
dns_keytable_attachkeynode(keytable, knode, keynodep);
} else {
result = DNS_R_PARTIALMATCH;
}
} else if (result == DNS_R_PARTIALMATCH) {
result = ISC_R_NOTFOUND;
}
RWUNLOCK(&keytable->rwlock, isc_rwlocktype_read);
return (result);
}
isc_result_t
dns_keytable_findnextkeynode(dns_keytable_t *keytable, dns_keynode_t *keynode,
dns_keynode_t **nextnodep)
{
isc_result_t result;
dns_keynode_t *knode;
/*
* Search for the next key with the same properties as 'keynode' in
* 'keytable'.
*/
REQUIRE(VALID_KEYTABLE(keytable));
REQUIRE(VALID_KEYNODE(keynode));
REQUIRE(nextnodep != NULL && *nextnodep == NULL);
for (knode = keynode->next; knode != NULL; knode = knode->next) {
if (knode->key == NULL) {
knode = NULL;
break;
}
if (dst_key_alg(keynode->key) == dst_key_alg(knode->key) &&
dst_key_id(keynode->key) == dst_key_id(knode->key))
{
break;
}
}
if (knode != NULL) {
dns_keytable_attachkeynode(keytable, knode, nextnodep);
result = ISC_R_SUCCESS;
} else {
result = ISC_R_NOTFOUND;
}
return (result);
}
isc_result_t
dns_keytable_finddeepestmatch(dns_keytable_t *keytable, const dns_name_t *name,
dns_name_t *foundname)
@ -674,7 +557,8 @@ dns_keytable_attachkeynode(dns_keytable_t *keytable, dns_keynode_t *source,
REQUIRE(VALID_KEYNODE(source));
REQUIRE(target != NULL && *target == NULL);
REQUIRE(atomic_fetch_add_relaxed(&keytable->active_nodes, 1) < UINT32_MAX);
REQUIRE(atomic_fetch_add_relaxed(&keytable->active_nodes,
1) < UINT32_MAX);
dns_keynode_attach(source, target);
}
@ -913,8 +797,8 @@ dns_keytable_forall(dns_keytable_t *keytable,
}
goto cleanup;
}
REQUIRE(atomic_fetch_add_relaxed(&keytable->active_nodes, 1)
< UINT32_MAX);
REQUIRE(atomic_fetch_add_relaxed(&keytable->active_nodes,
1) < UINT32_MAX);
for (;;) {
dns_rbtnodechain_current(&chain, foundname, origin, &node);
if (node->data != NULL) {
@ -939,13 +823,6 @@ dns_keytable_forall(dns_keytable_t *keytable,
return (result);
}
dst_key_t *
dns_keynode_key(dns_keynode_t *keynode) {
REQUIRE(VALID_KEYNODE(keynode));
return (keynode->key);
}
dns_rdataset_t *
dns_keynode_dsset(dns_keynode_t *keynode) {
REQUIRE(VALID_KEYNODE(keynode));

107
lib/dns/tests/keytable_test.c
View file

@ -219,7 +219,6 @@ static void
add_test(void **state) {
dst_key_t *key = NULL;
dns_keynode_t *keynode = NULL;
dns_keynode_t *next_keynode = NULL;
dns_keynode_t *null_keynode = NULL;
UNUSED(state);
@ -227,27 +226,24 @@ add_test(void **state) {
create_tables();
/*
* Get the keynode for the example.com key. There's no other key for
* the name, so nextkeynode() should return NOTFOUND.
* Getting the keynode for the example.com key should succeed.
*/
assert_int_equal(dns_keytable_find(keytable, str2name("example.com"),
&keynode),
ISC_R_SUCCESS);
assert_int_equal(dns_keytable_nextkeynode(keytable, keynode,
&next_keynode),
ISC_R_NOTFOUND);
/*
* Try to add the same key. This should have no effect, so
* nextkeynode() should still return NOTFOUND.
* Try to add the same key. This should have no effect but
* report success.
*/
create_key(257, 3, 5, "example.com", keystr1, &key);
assert_int_equal(dns_keytable_add(keytable, false, false,
dst_key_name(key), &key, NULL),
ISC_R_SUCCESS);
assert_int_equal(dns_keytable_nextkeynode(keytable, keynode,
&next_keynode),
ISC_R_NOTFOUND);
dns_keytable_detachkeynode(keytable, &keynode);
assert_int_equal(dns_keytable_find(keytable, str2name("example.com"),
&keynode),
ISC_R_SUCCESS);
/* Add another key (different keydata) */
dns_keytable_detachkeynode(keytable, &keynode);
@ -258,24 +254,16 @@ add_test(void **state) {
assert_int_equal(dns_keytable_find(keytable, str2name("example.com"),
&keynode),
ISC_R_SUCCESS);
assert_int_equal(dns_keytable_nextkeynode(keytable, keynode,
&next_keynode),
ISC_R_SUCCESS);
dns_keytable_detachkeynode(keytable, &next_keynode);
dns_keytable_detachkeynode(keytable, &keynode);
/*
* Get the keynode for the managed.com key. There's no other key for
* the name, so nextkeynode() should return NOTFOUND. Ensure the
* Get the keynode for the managed.com key. Ensure the
* retrieved key is an initializing key, then mark it as trusted using
* dns_keynode_trust() and ensure the latter works as expected.
*/
assert_int_equal(dns_keytable_find(keytable, str2name("managed.com"),
&keynode),
ISC_R_SUCCESS);
assert_int_equal(dns_keytable_nextkeynode(keytable, keynode,
&next_keynode),
ISC_R_NOTFOUND);
assert_int_equal(dns_keynode_initial(keynode), true);
dns_keynode_trust(keynode);
assert_int_equal(dns_keynode_initial(keynode), false);
@ -283,8 +271,7 @@ add_test(void **state) {
/*
* Add a different managed key for managed.com, marking it as an
* initializing key. Ensure nextkeynode() no longer returns
* ISC_R_NOTFOUND and that the added key is an initializing key.
* initializing key.
*/
create_key(257, 3, 5, "managed.com", keystr2, &key);
assert_int_equal(dns_keytable_add(keytable, true, true,
@ -293,11 +280,7 @@ add_test(void **state) {
assert_int_equal(dns_keytable_find(keytable, str2name("managed.com"),
&keynode),
ISC_R_SUCCESS);
assert_int_equal(dns_keytable_nextkeynode(keytable, keynode,
&next_keynode),
ISC_R_SUCCESS);
assert_int_equal(dns_keynode_initial(keynode), true);
dns_keytable_detachkeynode(keytable, &next_keynode);
dns_keytable_detachkeynode(keytable, &keynode);
/*
@ -314,22 +297,11 @@ add_test(void **state) {
&keynode),
ISC_R_SUCCESS);
assert_int_equal(dns_keynode_initial(keynode), false);
assert_int_equal(dns_keytable_nextkeynode(keytable, keynode,
&next_keynode),
ISC_R_SUCCESS);
dns_keytable_detachkeynode(keytable, &keynode);
keynode = next_keynode;
next_keynode = NULL;
assert_int_equal(dns_keynode_initial(keynode), false);
assert_int_equal(dns_keytable_nextkeynode(keytable, keynode,
&next_keynode),
ISC_R_NOTFOUND);
dns_keytable_detachkeynode(keytable, &keynode);
/*
* Add a managed key at a new node, two.com, marking it as an
* initializing key. Ensure nextkeynode() returns ISC_R_NOTFOUND and
* that the added key is an initializing key.
* initializing key.
*/
create_key(257, 3, 5, "two.com", keystr1, &key);
assert_int_equal(dns_keytable_add(keytable, true, true,
@ -338,16 +310,12 @@ add_test(void **state) {
assert_int_equal(dns_keytable_find(keytable, str2name("two.com"),
&keynode),
ISC_R_SUCCESS);
assert_int_equal(dns_keytable_nextkeynode(keytable, keynode,
&next_keynode),
ISC_R_NOTFOUND);
assert_int_equal(dns_keynode_initial(keynode), true);
dns_keytable_detachkeynode(keytable, &keynode);
/*
* Add a different managed key for two.com, marking it as a
* non-initializing key. Ensure nextkeynode() no longer returns
* ISC_R_NOTFOUND and that the added key is not an initializing key.
* non-initializing key.
*/
create_key(257, 3, 5, "two.com", keystr2, &key);
assert_int_equal(dns_keytable_add(keytable, true, false,
@ -356,10 +324,7 @@ add_test(void **state) {
assert_int_equal(dns_keytable_find(keytable, str2name("two.com"),
&keynode),
ISC_R_SUCCESS);
assert_int_equal(dns_keytable_nextkeynode(keytable, keynode,
&next_keynode), ISC_R_SUCCESS);
assert_int_equal(dns_keynode_initial(keynode), false);
dns_keytable_detachkeynode(keytable, &next_keynode);
dns_keytable_detachkeynode(keytable, &keynode);
/*
@ -376,16 +341,6 @@ add_test(void **state) {
&keynode),
ISC_R_SUCCESS);
assert_int_equal(dns_keynode_initial(keynode), false);
assert_int_equal(dns_keytable_nextkeynode(keytable, keynode,
&next_keynode),
ISC_R_SUCCESS);
dns_keytable_detachkeynode(keytable, &keynode);
keynode = next_keynode;
next_keynode = NULL;
assert_int_equal(dns_keynode_initial(keynode), false);
assert_int_equal(dns_keytable_nextkeynode(keytable, keynode,
&next_keynode),
ISC_R_NOTFOUND);
dns_keytable_detachkeynode(keytable, &keynode);
/*
@ -403,13 +358,11 @@ add_test(void **state) {
&keynode),
ISC_R_SUCCESS);
assert_int_equal(keynode, null_keynode); /* should be the same node */
assert_non_null(dns_keynode_key(keynode)); /* now have a key */
dns_keytable_detachkeynode(keytable, &null_keynode);
/*
* Try to add a null key to a name that already has a key. It's
* effectively no-op, so the same key node is still there, with no
* no next node.
* effectively no-op, so the same key node is still there.
* (Note: this and above checks confirm that if a name has a null key
* that's the only key for the name).
*/
@ -420,10 +373,6 @@ add_test(void **state) {
&null_keynode),
ISC_R_SUCCESS);
assert_int_equal(keynode, null_keynode);
assert_non_null(dns_keynode_key(keynode));
assert_int_equal(dns_keytable_nextkeynode(keytable, keynode,
&next_keynode),
ISC_R_NOTFOUND);
dns_keytable_detachkeynode(keytable, &null_keynode);
dns_keytable_detachkeynode(keytable, &keynode);
@ -553,7 +502,6 @@ find_test(void **state) {
str2name("null.example"),
&keynode),
ISC_R_SUCCESS);
assert_int_equal(dns_keynode_key(keynode), NULL);
dns_keytable_detachkeynode(keytable, &keynode);
/*
@ -581,37 +529,6 @@ find_test(void **state) {
ISC_R_SUCCESS);
assert_true(dns_name_equal(name, str2name("null.example")));
/*
* dns_keytable_findkeynode() requires exact name, algorithm, keytag
* match. If algorithm or keytag doesn't match, should result in
* PARTIALMATCH. Same for a node with a null key.
*/
assert_int_equal(dns_keytable_findkeynode(keytable,
str2name("example.org"),
5, keytag1, &keynode),
ISC_R_NOTFOUND);
assert_int_equal(dns_keytable_findkeynode(keytable,
str2name("sub.example.com"),
5, keytag1, &keynode),
ISC_R_NOTFOUND);
assert_int_equal(dns_keytable_findkeynode(keytable,
str2name("example.com"),
4, keytag1, &keynode),
DNS_R_PARTIALMATCH); /* different algorithm */
assert_int_equal(dns_keytable_findkeynode(keytable,
str2name("example.com"),
5, keytag1 + 1, &keynode),
DNS_R_PARTIALMATCH); /* different keytag */
assert_int_equal(dns_keytable_findkeynode(keytable,
str2name("null.example"),
5, 0, &keynode),
DNS_R_PARTIALMATCH); /* null key */
assert_int_equal(dns_keytable_findkeynode(keytable,
str2name("example.com"),
5, keytag1, &keynode),
ISC_R_SUCCESS); /* complete match */
dns_keytable_detachkeynode(keytable, &keynode);
destroy_tables();
}

113
lib/dns/validator.c
View file

@ -1684,110 +1684,6 @@ check_signer(dns_validator_t *val, dns_rdata_t *keyrdata,
return (result);
}
static isc_result_t
anchor_signed(dns_validator_t *val, isc_result_t *resp) {
isc_result_t result;
bool atsep = false;
/*
* First, see if this key was signed by a trust anchor.
*/
for (result = dns_rdataset_first(val->event->sigrdataset);
result == ISC_R_SUCCESS;
result = dns_rdataset_next(val->event->sigrdataset))
{
dns_keynode_t *keynode = NULL;
dns_rdata_t sigrdata = DNS_RDATA_INIT;
dns_fixedname_t fixed;
dns_name_t *found;
dst_key_t *dstkey;
dns_rdata_rrsig_t sig;
found = dns_fixedname_initname(&fixed);
dns_rdata_reset(&sigrdata);
dns_rdataset_current(val->event->sigrdataset, &sigrdata);
result = dns_rdata_tostruct(&sigrdata, &sig, NULL);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
if (!dns_name_equal(val->event->name, &sig.signer)) {
continue;
}
result = dns_keytable_findkeynode(val->keytable,
val->event->name,
sig.algorithm, sig.keyid,
&keynode);
if (result == ISC_R_NOTFOUND) {
result = dns_keytable_finddeepestmatch(val->keytable,
val->event->name,
found);
if (result != ISC_R_SUCCESS) {
validator_log(val, ISC_LOG_DEBUG(3),
"not beneath secure root");
*resp = markanswer(val, "validate_dnskey (1)",
"not beneath secure root");
return (ISC_R_COMPLETE);
}
continue;
}
if (result == DNS_R_PARTIALMATCH || result == ISC_R_SUCCESS) {
atsep = true;
}
while (result == ISC_R_SUCCESS) {
dns_keynode_t *nextnode = NULL;
dstkey = dns_keynode_key(keynode);
if (dstkey == NULL) {
dns_keytable_detachkeynode(val->keytable,
&keynode);
break;
}
result = verify(val, dstkey, &sigrdata, sig.keyid);
if (result == ISC_R_SUCCESS) {
dns_keytable_detachkeynode(val->keytable,
&keynode);
break;
}
result = dns_keytable_findnextkeynode(val->keytable,
keynode,
&nextnode);
dns_keytable_detachkeynode(val->keytable, &keynode);
keynode = nextnode;
}
if (result == ISC_R_SUCCESS) {
marksecure(val->event);
validator_log(val, ISC_LOG_DEBUG(3),
"signed by trusted key; "
"marking as secure");
*resp = result;
return (ISC_R_COMPLETE);
}
}
if (atsep) {
/*
* We have not found a key to verify this DNSKEY
* RRset, but there is a trust anchor defined for this
* name, so we have to assume that the RRset is invalid.
*/
char namebuf[DNS_NAME_FORMATSIZE];
dns_name_format(val->event->name, namebuf, sizeof(namebuf));
validator_log(val, ISC_LOG_NOTICE,
"unable to find a DNSKEY which verifies "
"the DNSKEY RRset and also matches a "
"trusted key for '%s'", namebuf);
*resp = DNS_R_NOVALIDKEY;
return (ISC_R_COMPLETE);
}
return (result);
}
/*
* get_dsset is called to look up a DS RRset corresponding to the name
* of a DNSKEY record, either in the cache or, if necessary, by starting a
@ -1924,15 +1820,6 @@ validate_dnskey(dns_validator_t *val) {
if (val->dsset == NULL) {
isc_result_t tresult = ISC_R_SUCCESS;
/*
* First, check whether the key to be validated was
* signed by a trust anchor.
*/
result = anchor_signed(val, &tresult);
if (result == ISC_R_COMPLETE) {
return (tresult);
}
/*
* If this is the root name and there was no trusted key,
* we can give up now, since there's no DS at the root.

4
lib/dns/win32/libdns.def.in
View file

@ -463,7 +463,6 @@ dns_keynode_detach
dns_keynode_detachall
dns_keynode_dsset
dns_keynode_initial
dns_keynode_key
dns_keynode_managed
dns_keynode_trust
dns_keyring_restore
@ -478,12 +477,9 @@ dns_keytable_detachkeynode
dns_keytable_dump
dns_keytable_find
dns_keytable_finddeepestmatch
dns_keytable_findkeynode
dns_keytable_findnextkeynode
dns_keytable_forall
dns_keytable_issecuredomain
dns_keytable_marksecure
dns_keytable_nextkeynode
dns_keytable_totext
dns_lib_init
dns_lib_shutdown

85
lib/dns/zone.c
View file

@ -3857,12 +3857,9 @@ create_keydata(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
isc_stdtime_get(&now);
/*
* If the keynode has neither a key nor a DS RRset,
* we shouldn't be here.
* If the keynode has no trust anchor set, we shouldn't be here.
*/
if (dns_keynode_key(keynode) == NULL &&
dns_keynode_dsset(keynode) == NULL)
{
if (dns_keynode_dsset(keynode) == NULL) {
return (ISC_R_FAILURE);
}
@ -4265,12 +4262,9 @@ addifmissing(dns_keytable_t *keytable, dns_keynode_t *keynode,
}
/*
* If the keynode has neither a key-style nor a DS-style
* trust anchor, return.
* If the keynode has no trust anchor set, return.
*/
if (dns_keynode_dsset(keynode) == NULL &&
dns_keynode_key(keynode) == NULL)
{
if (dns_keynode_dsset(keynode) == NULL) {
return;
}
@ -9823,8 +9817,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
}
/*
* If the first keynode has a DS trust anchor, use that for
* verification.
* If the keynode has a DS trust anchor, use it for verification.
*/
if ((dsset = dns_keynode_dsset(keynode)) != NULL) {
for (result = dns_rdataset_first(dnskeysigs);
@ -9897,74 +9890,6 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
break;
}
}
goto anchors_done;
} else {
dns_keytable_detachkeynode(secroots, &keynode);
}
/*
* Validate the DNSKEY set against using the key-style
* trust anchor(s).
*/
for (result = dns_rdataset_first(dnskeysigs);
result == ISC_R_SUCCESS;
result = dns_rdataset_next(dnskeysigs))
{
result = dns_keytable_find(secroots, keyname, &keynode);
if (result != ISC_R_SUCCESS) {
goto anchors_done;
}
dns_rdata_reset(&sigrr);
dns_rdataset_current(dnskeysigs, &sigrr);
result = dns_rdata_tostruct(&sigrr, &sig, NULL);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
result = ISC_R_SUCCESS;
while (result == ISC_R_SUCCESS) {
dns_keynode_t *nextnode = NULL;
dstkey = dns_keynode_key(keynode);
if (dstkey == NULL) {
/* fail_secure() was called */
break;
}
if (dst_key_alg(dstkey) == sig.algorithm &&
dst_key_id(dstkey) == sig.keyid)
{
result = dns_dnssec_verify(keyname, dnskeys,
dstkey, false, 0,
mctx, &sigrr, NULL);
dnssec_log(zone, ISC_LOG_DEBUG(3),
"Verifying DNSKEY set "
"for zone '%s' "
"using key %d/%d: %s",
namebuf, sig.keyid,
sig.algorithm,
dns_result_totext(result));
if (result == ISC_R_SUCCESS) {
dnskeys->trust = dns_trust_secure;
dnskeysigs->trust = dns_trust_secure;
secure = true;
initial = dns_keynode_initial(keynode);
dns_keynode_trust(keynode);
break;
}
}
result = dns_keytable_nextkeynode(secroots, keynode,
&nextnode);
if (result == ISC_R_SUCCESS) {
dns_keytable_detachkeynode(secroots, &keynode);
keynode = nextnode;
}
}
dns_keytable_detachkeynode(secroots, &keynode);
if (secure) {
break;
}
}
anchors_done:

33
lib/dns/zoneverify.c
View file

@ -1614,39 +1614,6 @@ check_dnskey_sigs(vctx_t *vctx, const dns_rdata_dnskey_t *dnskey,
goto cleanup;
}
/*
* The keynode didn't have any DS trust anchors, so we now try to
* find a matching DNSKEY trust anchor.
*/
result = dns_keytable_findkeynode(vctx->secroots, vctx->origin,
dst_key_alg(key), dst_key_id(key),
&keynode);
if (result != ISC_R_SUCCESS) {
goto cleanup;
}
/*
* Walk the keynode list until we find a matching key or
* reach the end.
*/
while (result == ISC_R_SUCCESS) {
dns_keynode_t *nextnode = NULL;
if (dst_key_compare(key, dns_keynode_key(keynode))) {
dns_keytable_detachkeynode(vctx->secroots, &keynode);
dns_rdataset_settrust(&vctx->keyset, dns_trust_secure);
dns_rdataset_settrust(&vctx->keysigs, dns_trust_secure);
*goodkey = true;
goto cleanup;
}
result = dns_keytable_findnextkeynode(vctx->secroots,
keynode, &nextnode);
dns_keytable_detachkeynode(vctx->secroots, &keynode);
keynode = nextnode;
}
cleanup:
if (keynode != NULL) {
dns_keytable_detachkeynode(vctx->secroots, &keynode);

15
lib/ns/query.c
View file

@ -6634,23 +6634,12 @@ has_ta(query_ctx_t *qctx) {
}
}
while (result == ISC_R_SUCCESS) {
dns_keynode_t *nextnode = NULL;
dns_keytag_t keyid = dst_key_id(dns_keynode_key(keynode));
if (keyid == sentinel) {
dns_keytable_detachkeynode(keytable, &keynode);
dns_keytable_detach(&keytable);
return (true);
}
result = dns_keytable_nextkeynode(keytable, keynode, &nextnode);
dns_keytable_detachkeynode(keytable, &keynode);
keynode = nextnode;
}
if (keynode != NULL) {
dns_keytable_detachkeynode(keytable, &keynode);
}
dns_keytable_detach(&keytable);
return (false);
}