move dns_zonekey_iszonekey() to dns_dnssec module
authorEvan Hunt <each@isc.org>
Thu, 13 Mar 2025 20:01:47 +0000 (13:01 -0700)
committerEvan Hunt <each@isc.org>
Thu, 20 Mar 2025 18:22:58 +0000 (18:22 +0000)
dns_zonekey_iszonekey() was the only function defined in the
dns_zonekey module, and was only called from one place. it
makes more sense to group this with dns_dnssec functions.

lib/dns/Makefile.am
lib/dns/dnssec.c
lib/dns/include/dns/dnssec.h
lib/dns/include/dns/zonekey.h [deleted file]
lib/dns/qpcache.c
lib/dns/qpzone.c
lib/dns/zonekey.c [deleted file]

index a93feaebfb0ac664c357ba4272f1f154795ed2a2..d76a2028d276f84ac0d64ff5682db9a1761c36ed 100644 (file)
@@ -136,7 +136,6 @@ libdns_la_HEADERS =                 \
        include/dns/view.h              \
        include/dns/xfrin.h             \
        include/dns/zone.h              \
-       include/dns/zonekey.h           \
        include/dns/zoneverify.h        \
        include/dns/zt.h
 
@@ -255,7 +254,6 @@ libdns_la_SOURCES =                 \
        zone.c                          \
        zone_p.h                        \
        zoneverify.c                    \
-       zonekey.c                       \
        zt.c
 
 if HAVE_GSSAPI
index b609f60f663c8d7c28e60342e0dbb6d4cd7e11a2..a463752edb029b24ac450df9f020a5a91378f46d 100644 (file)
@@ -1101,6 +1101,41 @@ dns_dnssec_signs(dns_rdata_t *rdata, const dns_name_t *name,
        return false;
 }
 
+bool
+dns_dnssec_iszonekey(dns_rdata_dnskey_t *key) {
+       return (key->flags & DNS_KEYFLAG_OWNERMASK) == DNS_KEYOWNER_ZONE &&
+              (key->flags & DNS_KEYTYPE_NOAUTH) == 0 &&
+              (key->protocol == DNS_KEYPROTO_DNSSEC ||
+               key->protocol == DNS_KEYPROTO_ANY);
+}
+
+bool
+dns_dnssec_haszonekey(dns_rdataset_t *keyset) {
+       isc_result_t result;
+
+       REQUIRE(keyset != NULL);
+
+       if (keyset->type != dns_rdatatype_dnskey) {
+               return false;
+       }
+
+       for (result = dns_rdataset_first(keyset); result == ISC_R_SUCCESS;
+            result = dns_rdataset_next(keyset))
+       {
+               dns_rdata_t rdata = DNS_RDATA_INIT;
+               dns_rdata_dnskey_t key;
+
+               dns_rdataset_current(keyset, &rdata);
+               dns_rdata_tostruct(&rdata, &key, NULL); /* can't fail */
+
+               if (dns_dnssec_iszonekey(&key)) {
+                       return true;
+               }
+       }
+
+       return false;
+}
+
 void
 dns_dnsseckey_create(isc_mem_t *mctx, dst_key_t **dstkey,
                     dns_dnsseckey_t **dkp) {
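Review bot: `dns_dnssec_iszonekey()` dereferences `key` without a precondition check, although the accompanying header comment lists `'key' is not NULL` under Requires and `dns_dnssec_haszonekey()` right below it does use `REQUIRE()`; add `REQUIRE(key != NULL);` as the first statement of its body. In `dns_dnssec_haszonekey()` the result of `dns_rdata_tostruct()` is discarded with a `/* can't fail */` comment, whereas the deleted `dns_zonekey_iszonekey()` returned false on failure; if the call did fail, `key` would be read uninitialized by `dns_dnssec_iszonekey()`. The rdataset type is checked as DNSKEY a few lines earlier, so the assumption is plausible, but keeping it enforced costs one line: `result = dns_rdata_tostruct(&rdata, &key, NULL);` followed by `RUNTIME_CHECK(result == ISC_R_SUCCESS);`. The `dns_dnsseckey_create()` signature at the end of the hunk continues outside it.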
index 56f006f66432b290dda91467518a70ea3a0eb59b..400e00233847a16fd1d28ce3f35ce99276c555d3 100644 (file)
@@ -242,6 +242,24 @@ dns_dnssec_signs(dns_rdata_t *rdata, const dns_name_t *name,
  * rrset.  dns_dnssec_signs() works on any rrset.
  */
 
+bool
+dns_dnssec_iszonekey(dns_rdata_dnskey_t *key);
+/*%<
+ * Verify that 'key' is a DNSSEC key with the DNS_KEYOWNER_ZONE flag set.
+ *
+ * Requires:
+ *\li          'key' is not NULL.
+ */
+
+bool
+dns_dnssec_haszonekey(dns_rdataset_t *keyset);
+/*%<
+ * Verify that 'keyset' includes at least one zone key.
+ *
+ * Requires:
+ *\li          'keyset' is not NULL.
+ */
+
 void
 dns_dnsseckey_create(isc_mem_t *mctx, dst_key_t **dstkey,
                     dns_dnsseckey_t **dkp);
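Review bot: The comment on `dns_dnssec_iszonekey()` describes only the `DNS_KEYOWNER_ZONE` check, but the implementation added to dnssec.c in this commit also requires that `DNS_KEYTYPE_NOAUTH` is clear and that the protocol is `DNS_KEYPROTO_DNSSEC` or `DNS_KEYPROTO_ANY`, so a reader of the header alone misses two of the three conditions. Suggested wording: `Returns true if 'key' is a zone key: the owner flags are DNS_KEYOWNER_ZONE, DNS_KEYTYPE_NOAUTH is clear, and the protocol is DNS_KEYPROTO_DNSSEC or DNS_KEYPROTO_ANY.` Likewise `dns_dnssec_haszonekey()` returns false for an rdataset whose type is not DNSKEY rather than treating that as an error, which deserves a `Returns:` line since the function is now public and may receive an arbitrary rdataset. The deleted zonekey.h comment ("Determines if the key record contained in the rdata is a zone key") was closer to the actual contract than the new one.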
diff --git a/lib/dns/include/dns/zonekey.h b/lib/dns/include/dns/zonekey.h
deleted file mode 100644 (file)
index 5b1b30a..0000000
+++ /dev/null
@@ -1,29 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-#pragma once
-
-/*! \file dns/zonekey.h */
-
-#include <stdbool.h>
-
-#include <dns/types.h>
-
-bool
-dns_zonekey_iszonekey(dns_rdata_t *keyrdata);
-/*%<
- *     Determines if the key record contained in the rdata is a zone key.
- *
- *     Requires:
- *             'keyrdata' is not NULL.
- */
index 03d0abd73bad73af689c01ccff136018f0537b5f..5ec6bc66db33d00c4872d4a712da05e3d39469a4 100644 (file)
@@ -55,7 +55,6 @@
 #include <dns/stats.h>
 #include <dns/time.h>
 #include <dns/view.h>
-#include <dns/zonekey.h>
 
 #include "db_p.h"
 #include "qpcache_p.h"
index d4570d689ac6beae0d0181114998053734802bcd..dacd281dfa3e59eb35723226da0379e9be347c8b 100644 (file)
@@ -43,6 +43,7 @@
 #include <dns/callbacks.h>
 #include <dns/db.h>
 #include <dns/dbiterator.h>
+#include <dns/dnssec.h>
 #include <dns/fixedname.h>
 #include <dns/masterdump.h>
 #include <dns/name.h>
@@ -58,7 +59,6 @@
 #include <dns/time.h>
 #include <dns/view.h>
 #include <dns/zone.h>
-#include <dns/zonekey.h>
 
 #include "db_p.h"
 #include "qpzone_p.h"
@@ -1143,25 +1143,17 @@ setsecure(dns_db_t *db, qpz_version_t *version, dns_dbnode_t *origin) {
        bool hasnsec = false;
        isc_result_t result;
 
+       version->secure = false;
+       version->havensec3 = false;
+
        dns_rdataset_init(&keyset);
        result = dns_db_findrdataset(db, origin, (dns_dbversion_t *)version,
                                     dns_rdatatype_dnskey, 0, 0, &keyset, NULL);
        if (result == ISC_R_SUCCESS) {
-               result = dns_rdataset_first(&keyset);
-               while (result == ISC_R_SUCCESS) {
-                       dns_rdata_t keyrdata = DNS_RDATA_INIT;
-                       dns_rdataset_current(&keyset, &keyrdata);
-                       if (dns_zonekey_iszonekey(&keyrdata)) {
-                               haszonekey = true;
-                               break;
-                       }
-                       result = dns_rdataset_next(&keyset);
-               }
+               haszonekey = dns_dnssec_haszonekey(&keyset);
                dns_rdataset_disassociate(&keyset);
        }
        if (!haszonekey) {
-               version->secure = false;
-               version->havensec3 = false;
                return;
        }
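Review bot: `version->secure` and `version->havensec3` are now cleared unconditionally at the top of `setsecure()` instead of in the two failure paths, and nothing in the hunk records why; a short comment above the two assignments would spare the next reader from re-deriving it, e.g. `/* Assume insecure; both flags are re-established below only if a zone key and a valid NSEC/NSEC3 chain are present. */`. One consequence worth confirming is that `setnsec3parameters()` in the following hunk is now entered with `version->havensec3` already false, which is presumably what it expects if it is the function that sets that flag, but its body is not visible here. The start of `setsecure()` lies outside the hunk.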
 
@@ -1181,12 +1173,11 @@ setsecure(dns_db_t *db, qpz_version_t *version, dns_dbnode_t *origin) {
        setnsec3parameters(db, version);
 
        /*
-        * Do we have a valid NSEC/NSEC3 chain?
+        * If we don't have a valid NSEC/NSEC3 chain,
+        * clear the secure flag.
         */
        if (version->havensec3 || hasnsec) {
                version->secure = true;
-       } else {
-               version->secure = false;
        }
 }
 
diff --git a/lib/dns/zonekey.c b/lib/dns/zonekey.c
deleted file mode 100644 (file)
index 310bf88..0000000
+++ /dev/null
@@ -1,54 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-/*! \file */
-
-#include <stdbool.h>
-
-#include <isc/result.h>
-#include <isc/types.h>
-#include <isc/util.h>
-
-#include <dns/keyvalues.h>
-#include <dns/rdata.h>
-#include <dns/rdatastruct.h>
-#include <dns/types.h>
-#include <dns/zonekey.h>
-
-bool
-dns_zonekey_iszonekey(dns_rdata_t *keyrdata) {
-       isc_result_t result;
-       dns_rdata_dnskey_t key;
-       bool iszonekey = true;
-
-       REQUIRE(keyrdata != NULL);
-
-       result = dns_rdata_tostruct(keyrdata, &key, NULL);
-       if (result != ISC_R_SUCCESS) {
-               return false;
-       }
-
-       if ((key.flags & DNS_KEYTYPE_NOAUTH) != 0) {
-               iszonekey = false;
-       }
-       if ((key.flags & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE) {
-               iszonekey = false;
-       }
-       if (key.protocol != DNS_KEYPROTO_DNSSEC &&
-           key.protocol != DNS_KEYPROTO_ANY)
-       {
-               iszonekey = false;
-       }
-
-       return iszonekey;
-}