Merge branch '266-convert-verifyzone-to-a-libdns-function' into 'master'

Convert verifyzone() to a libdns function

Closes #266

See merge request isc-projects/bind9!291

CHANGES

@@ -1,3 +1,9 @@
+4973.	[func]		verifyzone() and the functions it uses were moved to
+			libdns and refactored to prevent exit() from being
+			called upon failure.  A side effect of that is that
+			dnssec-signzone and dnssec-verify now check for memory
+			leaks upon shutdown. [GL #266]
+
 4972.	[func]		Declare the 'rdata' argument for dns_rdata_tostruct()
 			to be const. [GL #341]
 

bin/dnssec/dnssec-signzone.c

@@ -76,6 +76,7 @@
 #include <dns/soa.h>
 #include <dns/time.h>
 #include <dns/update.h>
+#include <dns/zoneverify.h>
 
 #include <dst/dst.h>
 
@@ -96,6 +97,10 @@ typedef struct hashlist hashlist_t;
 
 static int nsec_datatype = dns_rdatatype_nsec;
 
+#define check_dns_dbiterator_current(result) \
+	check_result((result == DNS_R_NEWORIGIN) ? ISC_R_SUCCESS : result, \
+		     "dns_dbiterator_current()")
+
 #define IS_NSEC3	(nsec_datatype == dns_rdatatype_nsec3)
 #define OPTOUT(x)	(((x) & DNS_NSEC3FLAG_OPTOUT) != 0)
 
@@ -498,11 +503,11 @@ signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name,
 	dns_ttl_t ttl;
 	int i;
 	char namestr[DNS_NAME_FORMATSIZE];
-	char typestr[TYPE_FORMATSIZE];
+	char typestr[DNS_RDATATYPE_FORMATSIZE];
 	char sigstr[SIG_FORMATSIZE];
 
 	dns_name_format(name, namestr, sizeof(namestr));
-	type_format(set->type, typestr, sizeof(typestr));
+	dns_rdatatype_format(set->type, typestr, sizeof(typestr));
 
 	ttl = ISC_MIN(set->ttl, endtime - starttime);
 
@@ -1042,6 +1047,47 @@ secure(dns_name_t *name, dns_dbnode_t *node) {
 	return (ISC_TF(result == ISC_R_SUCCESS));
 }
 
+static isc_boolean_t
+is_delegation(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
+	      dns_name_t *name, dns_dbnode_t *node, isc_uint32_t *ttlp)
+{
+	dns_rdataset_t nsset;
+	isc_result_t result;
+
+	if (dns_name_equal(name, origin))
+		return (ISC_FALSE);
+
+	dns_rdataset_init(&nsset);
+	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_ns,
+				     0, 0, &nsset, NULL);
+	if (dns_rdataset_isassociated(&nsset)) {
+		if (ttlp != NULL)
+			*ttlp = nsset.ttl;
+		dns_rdataset_disassociate(&nsset);
+	}
+
+	return (ISC_TF(result == ISC_R_SUCCESS));
+}
+
+/*%
+ * Return ISC_TRUE if version 'ver' of database 'db' contains a DNAME RRset at
+ * 'node'; return ISC_FALSE otherwise.
+ */
+static isc_boolean_t
+has_dname(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node) {
+	dns_rdataset_t dnameset;
+	isc_result_t result;
+
+	dns_rdataset_init(&dnameset);
+	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_dname, 0, 0,
+				     &dnameset, NULL);
+	if (dns_rdataset_isassociated(&dnameset)) {
+		dns_rdataset_disassociate(&dnameset);
+	}
+
+	return (ISC_TF(result == ISC_R_SUCCESS));
+}
+
 /*%
  * Signs all records at a name.
  */
@@ -2090,10 +2136,10 @@ rrset_cleanup(dns_name_t *name, dns_rdataset_t *rdataset,
 	unsigned int count1 = 0;
 	dns_rdataset_t tmprdataset;
 	char namestr[DNS_NAME_FORMATSIZE];
-	char typestr[TYPE_FORMATSIZE];
+	char typestr[DNS_RDATATYPE_FORMATSIZE];
 
 	dns_name_format(name, namestr, sizeof(namestr));
-	type_format(rdataset->type, typestr, sizeof(typestr));
+	dns_rdatatype_format(rdataset->type, typestr, sizeof(typestr));
 
 	dns_rdataset_init(&tmprdataset);
 	for (result = dns_rdataset_first(rdataset);
@@ -3181,7 +3227,7 @@ main(int argc, char *argv[]) {
 	isc_time_t timer_start, timer_finish;
 	isc_time_t sign_start, sign_finish;
 	dns_dnsseckey_t *key;
-	isc_result_t result;
+	isc_result_t result, vresult;
 	isc_log_t *log = NULL;
 #ifdef USE_PKCS11
 	const char *engine = PKCS11_ENGINE;
@@ -3866,9 +3912,18 @@ main(int argc, char *argv[]) {
 	postsign();
 	TIME_NOW(&sign_finish);
 
-	if (!disable_zone_check)
-		verifyzone(gdb, gversion, gorigin, mctx,
-			   ignore_kskflag, keyset_kskonly);
+	if (disable_zone_check) {
+		vresult = ISC_R_SUCCESS;
+	} else {
+		vresult = dns_zoneverify_dnssec(NULL, gdb, gversion, gorigin,
+						mctx, ignore_kskflag,
+						keyset_kskonly);
+		if (vresult != ISC_R_SUCCESS) {
+			fprintf(output_stdout ? stderr : stdout,
+				"Zone verification failed (%s)\n",
+				isc_result_totext(vresult));
+		}
+	}
 
 	if (outputformat != dns_masterformat_text) {
 		dns_masterrawheader_t header;
@@ -3894,12 +3949,16 @@ main(int argc, char *argv[]) {
 		check_result(result, "isc_stdio_close");
 		removefile = ISC_FALSE;
 
-		result = isc_file_rename(tempfile, output);
-		if (result != ISC_R_SUCCESS)
-			fatal("failed to rename temp file to %s: %s",
-			      output, isc_result_totext(result));
-
-		printf("%s\n", output);
+		if (vresult == ISC_R_SUCCESS) {
+			result = isc_file_rename(tempfile, output);
+			if (result != ISC_R_SUCCESS) {
+				fatal("failed to rename temp file to %s: %s",
+				      output, isc_result_totext(result));
+			}
+			printf("%s\n", output);
+		} else {
+			isc_file_remove(tempfile);
+		}
 	}
 
 	dns_db_closeversion(gdb, &gversion, ISC_FALSE);
@@ -3939,5 +3998,5 @@ main(int argc, char *argv[]) {
 #ifdef _WIN32
 	DestroySockets();
 #endif
-	return (0);
+	return (vresult == ISC_R_SUCCESS ? 0 : 1);
 }

bin/dnssec/dnssec-verify.c

@@ -58,6 +58,7 @@
 #include <dns/result.h>
 #include <dns/soa.h>
 #include <dns/time.h>
+#include <dns/zoneverify.h>
 
 #include <dst/dst.h>
 
@@ -322,8 +323,8 @@ main(int argc, char *argv[]) {
 	result = dns_db_newversion(gdb, &gversion);
 	check_result(result, "dns_db_newversion()");
 
-	verifyzone(gdb, gversion, gorigin, mctx,
-		   ignore_kskflag, keyset_kskonly);
+	result = dns_zoneverify_dnssec(NULL, gdb, gversion, gorigin, mctx,
+				       ignore_kskflag, keyset_kskonly);
 
 	dns_db_closeversion(gdb, &gversion, ISC_FALSE);
 	dns_db_detach(&gdb);
@@ -337,5 +338,5 @@ main(int argc, char *argv[]) {
 
 	(void) isc_app_finish();
 
-	return (0);
+	return (result == ISC_R_SUCCESS ? 0 : 1);
 }

bin/dnssec/dnssectool.h

@@ -18,11 +18,6 @@
 #include <dns/rdatastruct.h>
 #include <dst/dst.h>
 
-#define check_dns_dbiterator_current(result) \
-	check_result((result == DNS_R_NEWORIGIN) ? ISC_R_SUCCESS : result, \
-		     "dns_dbiterator_current()")
-
-
 typedef void (fatalcallback_t)(void);
 
 ISC_PLATFORM_NORETURN_PRE void
@@ -41,10 +36,6 @@ vbprintf(int level, const char *fmt, ...) ISC_FORMAT_PRINTF(2, 3);
 ISC_PLATFORM_NORETURN_PRE void
 version(const char *program) ISC_PLATFORM_NORETURN_POST;
 
-void
-type_format(const dns_rdatatype_t type, char *cp, unsigned int size);
-#define TYPE_FORMATSIZE 20
-
 void
 sig_format(dns_rdata_rrsig_t *sig, char *cp, unsigned int size);
 #define SIG_FORMATSIZE (DNS_NAME_FORMATSIZE + DNS_SECALG_FORMATSIZE + sizeof("65535"))
@@ -80,22 +71,6 @@ isc_boolean_t
 key_collision(dst_key_t *key, dns_name_t *name, const char *dir,
 	      isc_mem_t *mctx, isc_boolean_t *exact);
 
-isc_boolean_t
-is_delegation(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
-		      dns_name_t *name, dns_dbnode_t *node, isc_uint32_t *ttlp);
-
-/*%
- * Return ISC_TRUE if version 'ver' of database 'db' contains a DNAME RRset at
- * 'node'; return ISC_FALSE otherwise.
- */
-isc_boolean_t
-has_dname(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node);
-
-void
-verifyzone(dns_db_t *db, dns_dbversion_t *ver,
-		   dns_name_t *origin, isc_mem_t *mctx,
-		   isc_boolean_t ignore_kskflag, isc_boolean_t keyset_kskonly);
-
 isc_boolean_t
 isoptarg(const char *arg, char **argv, void (*usage)(void));
 

lib/dns/Makefile.in

@@ -77,7 +77,8 @@ DNSOBJS =	acl.@O@ adb.@O@ badcache.@O@ byaddr.@O@ \
 		sdlz.@O@ soa.@O@ ssu.@O@ ssu_external.@O@ \
 		stats.@O@ tcpmsg.@O@ time.@O@ timer.@O@ tkey.@O@ \
 		tsec.@O@ tsig.@O@ ttl.@O@ update.@O@ validator.@O@ \
-		version.@O@ view.@O@ xfrin.@O@ zone.@O@ zonekey.@O@ zt.@O@
+		version.@O@ view.@O@ xfrin.@O@ zone.@O@ zonekey.@O@ \
+		zoneverify.@O@ zt.@O@
 PORTDNSOBJS =	client.@O@ ecdb.@O@
 
 OBJS=		@DNSTAPOBJS@ ${DNSOBJS} ${OTHEROBJS} ${DSTOBJS} \
@@ -119,7 +120,8 @@ DNSSRCS =	acl.c adb.c badcache. byaddr.c \
 		sdb.c sdlz.c soa.c ssu.c ssu_external.c \
 		stats.c tcpmsg.c time.c timer.c tkey.c \
 		tsec.c tsig.c ttl.c update.c validator.c \
-		version.c view.c xfrin.c zone.c zonekey.c zt.c ${OTHERSRCS}
+		version.c view.c xfrin.c zone.c zoneverify.c \
+		zonekey.c zt.c ${OTHERSRCS}
 PORTDNSSRCS =	client.c ecdb.c
 
 SRCS = ${DSTSRCS} ${DNSSRCS} ${PORTDNSSRCS} @DNSTAPSRCS@ @GEOIPLINKSRCS@

lib/dns/include/dns/Makefile.in

@@ -31,7 +31,7 @@ HEADERS =	acl.h adb.h badcache.h bit.h byaddr.h \
 		sdb.h sdlz.h secalg.h secproto.h soa.h ssu.h stats.h \
 		tcpmsg.h time.h timer.h tkey.h tsec.h tsig.h ttl.h types.h \
 		update.h validator.h version.h view.h xfrin.h \
-		zone.h zonekey.h zt.h
+		zone.h zonekey.h zoneverify.h zt.h
 
 GENHEADERS =	@DNSTAP_PB_C_H@ enumclass.h enumtype.h rdatastruct.h
 

lib/dns/include/dns/zoneverify.h

@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#pragma once
+
+/*! \file dns/zoneverify.h */
+
+#include <dns/types.h>
+
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/*%
+ * Verify that certain things are sane:
+ *
+ *   The apex has a DNSKEY record with at least one KSK, and at least
+ *   one ZSK if the -x flag was not used.
+ *
+ *   The DNSKEY record was signed with at least one of the KSKs in this
+ *   set.
+ *
+ *   The rest of the zone was signed with at least one of the ZSKs
+ *   present in the DNSKEY RRSET.
+ */
+isc_result_t
+dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
+		      dns_name_t *origin, isc_mem_t *mctx,
+		      isc_boolean_t ignore_kskflag,
+		      isc_boolean_t keyset_kskonly);
+
+ISC_LANG_ENDDECLS

lib/dns/win32/libdns.def.in

@@ -1334,6 +1334,7 @@ dns_zonemgr_shutdown
 dns_zonemgr_unreachable
 dns_zonemgr_unreachableadd
 dns_zonemgr_unreachabledel
+dns_zoneverify_dnssec
 dns_zt_apply
 dns_zt_asyncload
 dns_zt_attach

util/copyrights

@@ -3081,6 +3081,7 @@
 ./lib/dns/include/dns/xfrin.h			C	1999,2000,2001,2003,2004,2005,2006,2007,2009,2013,2016,2018
 ./lib/dns/include/dns/zone.h			C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018
 ./lib/dns/include/dns/zonekey.h			C	2001,2004,2005,2006,2007,2016,2018
+./lib/dns/include/dns/zoneverify.h		C	2018
 ./lib/dns/include/dns/zt.h			C	1999,2000,2001,2002,2004,2005,2006,2007,2011,2016,2017,2018
 ./lib/dns/include/dst/Makefile.in		MAKE	1998,1999,2000,2001,2004,2007,2012,2015,2016,2018
 ./lib/dns/include/dst/dst.h			C	2000,2001,2002,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018
@@ -3421,6 +3422,7 @@
 ./lib/dns/zone.c				C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018
 ./lib/dns/zone_p.h				C	2018
 ./lib/dns/zonekey.c				C	2001,2003,2004,2005,2007,2016,2018
+./lib/dns/zoneverify.c				C	2018
 ./lib/dns/zt.c					C	1999,2000,2001,2002,2004,2005,2006,2007,2011,2012,2013,2014,2015,2016,2017,2018
 ./lib/irs/Atffile				X	2016,2018
 ./lib/irs/Kyuafile				X	2017,2018