* Complete a zone fetch. This may trigger follow-up actions that depend on
* the fetch type.
*/
+
+isc_result_t
+dns_zonefetch_verify(dns_zonefetch_t *fetch, isc_result_t eresult,
+ dns_trust_t trust);
+/*%<
+ * Check a completed zone fetch. This checks the response result,
+ * if there are records and signatures available, and the level of trust.
+ *
+ * Requires:
+ * 'fetch' is not NULL.
+ *
+ * Returns:
+ * ISC_R_SUCCESS - if the completed zone fetch is verified.
+ * ISC_R_NOTFOUND - if no records are found.
+ * DNS_R_NOVALIDSIG - if no signatures are available, or the trust
+ * level is below 'trust'.
+ * eresult - error code in case the fetch failed.
+ */
"Returned from key fetch in keyfetch_done() for '%s': %s",
namebuf, isc_result_totext(eresult));
- /* Fetch failed */
- if (eresult != ISC_R_SUCCESS || !dns_rdataset_isassociated(dnskeys)) {
- dnssec_log(zone, ISC_LOG_WARNING,
- "Unable to fetch DNSKEY set '%s': %s", namebuf,
- isc_result_totext(eresult));
- CHECK(minimal_update(fetch, ver, &diff));
- goto done;
- }
-
- /* No RRSIGs found */
- if (!dns_rdataset_isassociated(dnskeysigs)) {
- dnssec_log(zone, ISC_LOG_WARNING,
- "No DNSKEY RRSIGs found for '%s': %s", namebuf,
- isc_result_totext(eresult));
+ result = dns_zonefetch_verify(fetch, eresult, dns_trust_none);
+ if (result != ISC_R_SUCCESS) {
CHECK(minimal_update(fetch, ver, &diff));
goto done;
}
dns_name_t *pname = NULL;
char pnamebuf[DNS_NAME_FORMATSIZE];
dns_rdataset_t *nsrrset = NULL;
- dns_rdataset_t *nssigset = NULL;
REQUIRE(fetch != NULL);
REQUIRE(fetch->fetchtype == ZONEFETCHTYPE_NS);
dnssec_log(zone, ISC_LOG_DEBUG(3),
"NODATA response for NS '%s', level up", pnamebuf);
return DNS_R_CONTINUE;
-
- } else if (eresult != ISC_R_SUCCESS) {
- dnssec_log(zone, ISC_LOG_WARNING,
- "Unable to fetch NS set '%s': %s", pnamebuf,
- isc_result_totext(eresult));
- result = eresult;
- goto done;
}
- /* No NS records found */
- if (!dns_rdataset_isassociated(nsrrset)) {
- dnssec_log(zone, ISC_LOG_WARNING,
- "No NS records found for '%s'", pnamebuf);
- result = ISC_R_NOTFOUND;
- goto done;
- }
-
- /* No RRSIGs found */
- if (!dns_rdataset_isassociated(nssigset)) {
- dnssec_log(zone, ISC_LOG_WARNING, "No NS RRSIGs found for '%s'",
- pnamebuf);
- result = DNS_R_NOVALIDSIG;
- goto done;
- }
-
- /* Check trust level */
- if (nsrrset->trust < dns_trust_secure) {
- dnssec_log(zone, ISC_LOG_WARNING,
- "Invalid NS RRset for '%s' trust level %u", pnamebuf,
- nsrrset->trust);
- result = DNS_R_NOVALIDSIG;
+ result = dns_zonefetch_verify(fetch, eresult, dns_trust_secure);
+ if (result != ISC_R_SUCCESS) {
goto done;
}
}
}
}
+
+isc_result_t
+dns_zonefetch_verify(dns_zonefetch_t *fetch, isc_result_t eresult,
+ dns_trust_t trust) {
+ char namebuf[DNS_NAME_FORMATSIZE];
+ char typebuf[DNS_RDATATYPE_FORMATSIZE];
+ dns_rdataset_t *rrset = NULL;
+ dns_rdataset_t *sigset = NULL;
+
+ REQUIRE(fetch != NULL);
+
+ rrset = &fetch->rrset;
+ sigset = &fetch->sigset;
+ dns_name_format(fetch->qname, namebuf, sizeof(namebuf));
+ dns_rdatatype_format(fetch->qtype, typebuf, sizeof(typebuf));
+
+ if (eresult != ISC_R_SUCCESS) {
+ dns_zone_logc(fetch->zone, DNS_LOGCATEGORY_DNSSEC,
+ ISC_LOG_WARNING, "Unable to fetch %s/%s: %s",
+ namebuf, typebuf, isc_result_totext(eresult));
+ return eresult;
+ }
+
+ /* No records found */
+ if (!dns_rdataset_isassociated(rrset)) {
+ dns_zone_logc(fetch->zone, DNS_LOGCATEGORY_DNSSEC,
+ ISC_LOG_WARNING, "No %s records found for '%s'",
+ typebuf, namebuf);
+ return ISC_R_NOTFOUND;
+ }
+
+ /* No RRSIGs found */
+ if (!dns_rdataset_isassociated(sigset)) {
+ dns_zone_logc(fetch->zone, DNS_LOGCATEGORY_DNSSEC,
+ ISC_LOG_WARNING, "No %s RRSIGs found for '%s'",
+ typebuf, namebuf);
+ return DNS_R_NOVALIDSIG;
+ }
+
+ /* Check trust level */
+ if (rrset->trust < trust) {
+ dns_zone_logc(fetch->zone, DNS_LOGCATEGORY_DNSSEC,
+ ISC_LOG_WARNING,
+ "Invalid %s RRset for '%s' trust level %u",
+ typebuf, namebuf, rrset->trust);
+ return DNS_R_NOVALIDSIG;
+ }
+
+ return ISC_R_SUCCESS;
+}
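Review bot: The `trust` parameter only gates the final comparison `if (rrset->trust < trust)`, so a caller passing `dns_trust_none` (as keyfetch_done now does) still gets the eresult, record-presence and RRSIG-presence checks but can never see a trust failure; that is relied on but not written down anywhere. I would extend the declaration's header comment to say that `dns_trust_none` disables the trust comparison while the other three checks still apply, and put a one-line comment above the comparison in the definition, e.g. `/* With trust == dns_trust_none this never fails; see keyfetch_done() */`. The body also dereferences `fetch->zone` and `fetch->qname` with only `REQUIRE(fetch != NULL)` as the stated contract; if either can be unset for some fetch types, the Requires block should list them as well. Note that only `rrset->trust` is compared, not `sigset->trust`, which matches the NS code this replaces.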