*\li Any other result indicates an error.
*/
-isc_result_t
+bool
dns_keytable_issecuredomain(dns_keytable_t *keytable, const dns_name_t *name,
- dns_name_t *foundname, bool *wantdnssecp);
+ dns_name_t *foundname);
/*%<
* Is 'name' at or beneath a trusted key?
*
*
*\li 'foundanme' is NULL or is a pointer to an initialized dns_name_t
*
- *\li '*wantsdnssecp' is a valid bool.
- *
* Ensures:
*
- *\li On success, *wantsdnssecp will be true if and only if 'name'
- * is at or beneath a trusted key. If 'foundname' is not NULL, then
- * it will be updated to contain the name of the closest enclosing
- * trust anchor.
- *
- * Returns:
- *
- *\li ISC_R_SUCCESS
- *
- *\li Any other result is an error.
+ *\li Returns true if and only if 'name' is at or beneath a trusted key.
+ * If 'foundname' is not NULL, then it will be updated to contain
+ * the name of the closest enclosing trust anchor.
*/
isc_result_t
*\li ISC_R_NOTFOUND
*/
-isc_result_t
+bool
dns_view_issecuredomain(dns_view_t *view, const dns_name_t *name,
- isc_stdtime_t now, bool checknta, bool *ntap,
- bool *secure_domain);
+ isc_stdtime_t now, bool checknta, bool *ntap);
/*%<
* Is 'name' at or beneath a trusted key, and not covered by a valid
- * negative trust anchor? Put answer in '*secure_domain'.
+ * negative trust anchor, and DNSSEC validation is enabled?
*
* If 'checknta' is false, ignore the NTA table in determining
* whether this is a secure domain. If 'checknta' is not false, and if
*
* Requires:
* \li 'view' is valid.
- *
- * Returns:
- *\li ISC_R_SUCCESS
- *\li Any other value indicates failure
*/
bool
return result;
}
-isc_result_t
+bool
dns_keytable_issecuredomain(dns_keytable_t *keytable, const dns_name_t *name,
- dns_name_t *foundname, bool *wantdnssecp) {
+ dns_name_t *foundname) {
isc_result_t result;
dns_qpread_t qpr;
dns_keynode_t *keynode = NULL;
void *pval = NULL;
+ bool secure = false;
/*
* Is 'name' at or beneath a trusted key?
REQUIRE(VALID_KEYTABLE(keytable));
REQUIRE(dns_name_isabsolute(name));
- REQUIRE(wantdnssecp != NULL);
dns_qpmulti_query(keytable->table, &qpr);
result = dns_qp_lookup(&qpr, name, DNS_DBNAMESPACE_NORMAL, NULL, NULL,
if (foundname != NULL) {
dns_name_copy(&keynode->name, foundname);
}
- *wantdnssecp = true;
- result = ISC_R_SUCCESS;
- } else if (result == ISC_R_NOTFOUND) {
- *wantdnssecp = false;
- result = ISC_R_SUCCESS;
+ secure = true;
}
dns_qpread_destroy(keytable->table, &qpr);
- return result;
+ return secure;
}
static isc_result_t
memmove(cookie, digest, CLIENT_COOKIE_SIZE);
}
-static isc_result_t
+static bool
issecuredomain(dns_view_t *view, const dns_name_t *name, dns_rdatatype_t type,
- isc_stdtime_t now, bool checknta, bool *ntap, bool *issecure) {
+ isc_stdtime_t now, bool checknta, bool *ntap) {
dns_name_t suffix;
unsigned int labels;
name = &suffix;
}
- return dns_view_issecuredomain(view, name, now, checknta, ntap,
- issecure);
+ return dns_view_issecuredomain(view, name, now, checknta, ntap);
}
static isc_result_t
checknta = false;
}
- if (res->view->enablevalidation) {
- result = issecuredomain(res->view, name, fctx->type, now,
- checknta, NULL, &secure_domain);
- if (result != ISC_R_SUCCESS) {
- return result;
- }
- }
+ secure_domain = issecuredomain(res->view, name, fctx->type, now,
+ checknta, NULL);
if ((fctx->options & DNS_FETCHOPT_NOCDFLAG) != 0) {
valoptions |= DNS_VALIDATOR_NOCDFLAG;
checknta = false;
}
- if (fctx->res->view->enablevalidation) {
- result = issecuredomain(res->view, name, fctx->type, now,
- checknta, NULL, &secure_domain);
- if (result != ISC_R_SUCCESS) {
- return result;
- }
- }
+ secure_domain = issecuredomain(res->view, name, fctx->type, now,
+ checknta, NULL);
if ((fctx->options & DNS_FETCHOPT_NOCDFLAG) != 0) {
valoptions |= DNS_VALIDATOR_NOCDFLAG;
*/
static isc_result_t
rctx_authority_dnssec(respctx_t *rctx) {
- isc_result_t result;
fetchctx_t *fctx = rctx->fctx;
dns_message_t *msg = rctx->query->rmessage;
if ((fctx->options & DNS_FETCHOPT_NONTA) != 0) {
checknta = false;
}
- if (fctx->res->view->enablevalidation) {
- result = issecuredomain(
- fctx->res->view, name,
- dns_rdatatype_ds, fctx->now,
- checknta, NULL, &secure_domain);
- if (result != ISC_R_SUCCESS) {
- return result;
- }
- }
+ secure_domain = issecuredomain(
+ fctx->res->view, name, dns_rdatatype_ds,
+ fctx->now, checknta, NULL);
if (secure_domain) {
rdataset->trust =
dns_trust_pending_answer;
return dns_ntatable_covered(view->ntatable_priv, now, name, anchor);
}
-isc_result_t
+bool
dns_view_issecuredomain(dns_view_t *view, const dns_name_t *name,
- isc_stdtime_t now, bool checknta, bool *ntap,
- bool *secure_domain) {
- isc_result_t result;
+ isc_stdtime_t now, bool checknta, bool *ntap) {
bool secure = false;
dns_fixedname_t fn;
dns_name_t *anchor;
REQUIRE(DNS_VIEW_VALID(view));
- if (view->secroots_priv == NULL) {
- return ISC_R_NOTFOUND;
+ if (!view->enablevalidation || view->secroots_priv == NULL) {
+ return false;
}
anchor = dns_fixedname_initname(&fn);
-
- result = dns_keytable_issecuredomain(view->secroots_priv, name, anchor,
- &secure);
- if (result != ISC_R_SUCCESS) {
- return result;
- }
+ secure = dns_keytable_issecuredomain(view->secroots_priv, name, anchor);
SET_IF_NOT_NULL(ntap, false);
if (checknta && secure && view->ntatable_priv != NULL &&
dns_ntatable_covered(view->ntatable_priv, now, name, anchor))
{
- if (ntap != NULL) {
- *ntap = true;
- }
+ SET_IF_NOT_NULL(ntap, true);
secure = false;
}
- *secure_domain = secure;
- return ISC_R_SUCCESS;
+ return secure;
}
void
/* check issecuredomain() */
ISC_LOOP_TEST_IMPL(issecuredomain) {
- bool issecure;
const char **n;
const char *names[] = { "example.com", "sub.example.com",
"null.example", "sub.null.example", NULL };
* of installing a null key).
*/
for (n = names; *n != NULL; n++) {
- assert_int_equal(dns_keytable_issecuredomain(keytable,
- str2name(*n), NULL,
- &issecure),
- ISC_R_SUCCESS);
- assert_true(issecure);
+ assert_true(dns_keytable_issecuredomain(keytable, str2name(*n),
+ NULL));
}
/*
* If the key table has no entry (not even a null one) for a domain or
* any of its ancestors, that domain is considered insecure.
*/
- assert_int_equal(dns_keytable_issecuredomain(keytable,
- str2name("example.org"),
- NULL, &issecure),
- ISC_R_SUCCESS);
- assert_false(issecure);
+ assert_false(dns_keytable_issecuredomain(
+ keytable, str2name("example.org"), NULL));
destroy_tables();
/* check negative trust anchors */
ISC_LOOP_TEST_IMPL(nta) {
isc_result_t result;
- bool issecure, covered;
+ bool covered;
dns_fixedname_t fn;
dns_name_t *keyname = dns_fixedname_name(&fn);
unsigned char digest[DNS_DS_BUFFERSIZE];
assert_int_equal(result, ISC_R_SUCCESS);
/* Should be secure */
- result = dns_view_issecuredomain(myview,
- str2name("test.secure.example"), now,
- true, &covered, &issecure);
- assert_int_equal(result, ISC_R_SUCCESS);
+ assert_true(dns_view_issecuredomain(
+ myview, str2name("test.secure.example"), now, true, &covered));
assert_false(covered);
- assert_true(issecure);
/* Should not be secure */
- result = dns_view_issecuredomain(myview,
- str2name("test.insecure.example"), now,
- true, &covered, &issecure);
- assert_int_equal(result, ISC_R_SUCCESS);
+ assert_false(dns_view_issecuredomain(myview,
+ str2name("test.insecure.example"),
+ now, true, &covered));
assert_true(covered);
- assert_false(issecure);
/* NTA covered */
covered = dns_view_ntacovers(myview, now, str2name("insecure.example"),
assert_false(covered);
/* As of now + 2, the NTA should be clear */
- result = dns_view_issecuredomain(myview,
- str2name("test.insecure.example"),
- now + 2, true, &covered, &issecure);
- assert_int_equal(result, ISC_R_SUCCESS);
+ assert_true(dns_view_issecuredomain(myview,
+ str2name("test.insecure.example"),
+ now + 2, true, &covered));
assert_false(covered);
- assert_true(issecure);
/* Now check deletion */
- result = dns_view_issecuredomain(myview, str2name("test.new.example"),
- now, true, &covered, &issecure);
- assert_int_equal(result, ISC_R_SUCCESS);
+ assert_true(dns_view_issecuredomain(
+ myview, str2name("test.new.example"), now, true, &covered));
assert_false(covered);
- assert_true(issecure);
result = dns_ntatable_add(ntatable, str2name("new.example"), false, now,
3600);
assert_int_equal(result, ISC_R_SUCCESS);
- result = dns_view_issecuredomain(myview, str2name("test.new.example"),
- now, true, &covered, &issecure);
- assert_int_equal(result, ISC_R_SUCCESS);
+ assert_false(dns_view_issecuredomain(
+ myview, str2name("test.new.example"), now, true, &covered));
assert_true(covered);
- assert_false(issecure);
result = dns_ntatable_delete(ntatable, str2name("new.example"));
assert_int_equal(result, ISC_R_SUCCESS);
- result = dns_view_issecuredomain(myview, str2name("test.new.example"),
- now, true, &covered, &issecure);
- assert_int_equal(result, ISC_R_SUCCESS);
+ assert_true(dns_view_issecuredomain(
+ myview, str2name("test.new.example"), now, true, &covered));
assert_false(covered);
- assert_true(issecure);
isc_loopmgr_shutdown();
projects / thirdparty / bind9.git / commitdiff
