failure:
return (result);
}
+
+isc_result_t
+dns_dnssec_matchdskey(dns_name_t *name, dns_rdata_t *dsrdata,
+ dns_rdataset_t *keyset, dns_rdata_t *keyrdata)
+{
+ isc_result_t result;
+ unsigned char buf[DNS_DS_BUFFERSIZE];
+ dns_keytag_t keytag;
+ dns_rdata_dnskey_t key;
+ dns_rdata_ds_t ds;
+ isc_region_t r;
+
+ result = dns_rdata_tostruct(dsrdata, &ds, NULL);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+ for (result = dns_rdataset_first(keyset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(keyset))
+ {
+ dns_rdata_t newdsrdata = DNS_RDATA_INIT;
+
+ dns_rdata_reset(keyrdata);
+ dns_rdataset_current(keyset, keyrdata);
+
+ result = dns_rdata_tostruct(keyrdata, &key, NULL);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+ dns_rdata_toregion(keyrdata, &r);
+ keytag = dst_region_computeid(&r);
+
+ if (ds.key_tag != keytag || ds.algorithm != key.algorithm) {
+ continue;
+ }
+
+ result = dns_ds_buildrdata(name, keyrdata, ds.digest_type,
+ buf, &newdsrdata);
+ if (result != ISC_R_SUCCESS) {
+ continue;
+ }
+
+ if (dns_rdata_compare(dsrdata, &newdsrdata) == 0) {
+ break;
+ }
+ }
+ if (result == ISC_R_NOMORE) {
+ result = ISC_R_NOTFOUND;
+ }
+
+ return (result);
+}
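Review bot: The `continue` at L40–L42 silently discards the `dns_ds_buildrdata()` failure, so a DS whose digest cannot be built (presumably an unsupported or unknown digest type) is reported as ISC_R_NOTFOUND, indistinguishable from "no DNSKEY matches this DS"; the DEBUG(3) log the validator's removed `dnskey_for_ds()` emitted for this case is not carried over. If that distinction does not matter to callers, a comment should say so, e.g. `/* Digest could not be built for this DS/key pair; treat as a non-match. */`; otherwise consider logging or surfacing the `dns_ds_buildrdata()` result rather than collapsing it into NOTFOUND. The `RUNTIME_CHECK` at L17 also makes a malformed `dsrdata` fatal rather than an error return, which is a stronger precondition than the old caller-side conversion implied and should be stated in the public header comment.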
* Update the CDS and CDNSKEY RRsets, adding and removing keys as needed.
*/
+isc_result_t
+dns_dnssec_matchdskey(dns_name_t *name, dns_rdata_t *dsrdata,
+ dns_rdataset_t *keyset, dns_rdata_t *keyrdata);
+/*%<
+ * Given a DS rdata and a DNSKEY RRset, find the DNSKEY rdata that matches
+ * the DS, and place it in 'keyrdata'.
+ *
+ * Returns:
+ *\li ISC_R_SUCCESS
+ *\li ISC_R_NOTFOUND
+ *\li Other values indicate error
+ */
ISC_LANG_ENDDECLS
#endif /* DNS_DNSSEC_H */
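Review bot: The comment at L59–L67 does not say what `keyrdata` holds on a non-success return; from the implementation, each iteration resets `keyrdata` and points it at the current DNSKEY, so on ISC_R_NOTFOUND it is left referring to the last DNSKEY examined, not to a matching key. Suggest adding after the description: ` * 'keyrdata' is only meaningful when ISC_R_SUCCESS is returned; on any other result it may refer to an arbitrary DNSKEY from 'keyset'.` and ` * 'dsrdata' must be a well-formed DS rdata; conversion failure is fatal (RUNTIME_CHECK).` It would also help to note that the function iterates 'keyset' in place, moving its cursor.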
return (result);
}
-/*%
- * Find the DNSKEY that corresponds to the DS.
- */
-static isc_result_t
-dnskey_for_ds(dns_validator_t *val, dns_rdataset_t *rdataset,
- dns_rdata_t *dsrdata, dns_rdata_ds_t *ds, dns_rdata_t *keyrdata)
-{
- dns_keytag_t keytag;
- dns_rdata_dnskey_t key;
- isc_result_t result;
- unsigned char dsbuf[DNS_DS_BUFFERSIZE];
-
- for (result = dns_rdataset_first(rdataset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(rdataset))
- {
- dns_rdata_t newdsrdata = DNS_RDATA_INIT;
-
- dns_rdata_reset(keyrdata);
- dns_rdataset_current(rdataset, keyrdata);
- result = dns_rdata_tostruct(keyrdata, &key, NULL);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- keytag = compute_keytag(keyrdata);
- if (ds->key_tag != keytag || ds->algorithm != key.algorithm) {
- continue;
- }
- dns_rdata_reset(&newdsrdata);
- result = dns_ds_buildrdata(val->event->name, keyrdata,
- ds->digest_type,
- dsbuf, &newdsrdata);
- if (result != ISC_R_SUCCESS) {
- validator_log(val, ISC_LOG_DEBUG(3),
- "dns_ds_buildrdata() -> %s",
- dns_result_totext(result));
- continue;
- }
- if (dns_rdata_compare(dsrdata, &newdsrdata) == 0) {
- break;
- }
- }
- return (result);
-}
-
static isc_result_t
anchor_signed(dns_validator_t *val, isc_result_t *resp) {
isc_result_t result;
static isc_result_t
validate_dnskey(dns_validator_t *val) {
isc_result_t result;
- dns_rdataset_t trdataset;
dns_rdata_t dsrdata = DNS_RDATA_INIT;
dns_rdata_t keyrdata = DNS_RDATA_INIT;
dns_rdata_ds_t ds;
supported_algorithm = true;
- dns_rdataset_init(&trdataset);
- dns_rdataset_clone(val->event->rdataset, &trdataset);
-
/*
* Find the DNSKEY matching the DS...
*/
- result = dnskey_for_ds(val, &trdataset, &dsrdata,
- &ds, &keyrdata);
+ result = dns_dnssec_matchdskey(val->event->name,
+ &dsrdata,
+ val->event->rdataset,
+ &keyrdata);
if (result != ISC_R_SUCCESS) {
- dns_rdataset_disassociate(&trdataset);
validator_log(val, ISC_LOG_DEBUG(3),
"no DNSKEY matching DS");
continue;
* ... and check that it signed the DNSKEY RRset.
*/
result = check_signer(val, &keyrdata, ds.key_tag, ds.algorithm);
- dns_rdataset_disassociate(&trdataset);
if (result == ISC_R_SUCCESS) {
break;
}
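Review bot: Removing the `trdataset` clone (L126–L127, L139, L146) means the new call at L134–L137 has `dns_dnssec_matchdskey()` run `dns_rdataset_first()`/`dns_rdataset_next()` directly on `val->event->rdataset`, so the event's DNSKEY rdataset cursor is now repositioned as a side effect on every DS iteration; the clone appears to have existed precisely to isolate that cursor. Please confirm that nothing in `validate_dnskey()` or `check_signer()` (both of which extend outside this hunk, as does the enclosing loop the `continue` at L142 belongs to) depends on the cursor state of `val->event->rdataset`, or keep the clone and pass `&trdataset` as before. A one-line comment at the call site recording that the in-place iteration is intentional, e.g. `/* matchdskey iterates the event rdataset in place; no caller relies on its cursor. */`, would prevent the clone being reintroduced or its absence misread later.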