From: Colin Vidal Date: Wed, 27 Aug 2025 12:52:07 +0000 (+0200) Subject: move handle to keystores from the view to zonemgr X-Git-Tag: v9.21.12~15^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=26b397bd0f9bf6a8b0580e3b67b3dd00c7e86a89;p=thirdparty%2Fbind9.git move handle to keystores from the view to zonemgr This is a follow-up of !10895 where the keystore pointer was removed from the zone (as not specific to the zone) and moved to the view. But in order to avoid adding extra lifecycle dependencies from the zone to the view, the keystore pointer is now moved to the zonemgr, which also makes more sense as this is a global settings, and zonemgr wraps a bunch of other global settings to be accessibles from the zones. Because the zonemgr lifecycle is the same of the keystores (which are both depending on named_g_server) this should be a safe change. --- diff --git a/bin/named/server.c b/bin/named/server.c index d95256f668c..e93d252c1d0 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -3795,9 +3795,8 @@ static isc_result_t configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, cfg_obj_t *vconfig, named_cachelist_t *cachelist, named_cachelist_t *oldcachelist, dns_kasplist_t *kasplist, - dns_keystorelist_t *keystores, const cfg_obj_t *bindkeys, - isc_mem_t *mctx, cfg_aclconfctx_t *actx, bool need_hints, - bool first_time) { + const cfg_obj_t *bindkeys, isc_mem_t *mctx, + cfg_aclconfctx_t *actx, bool need_hints, bool first_time) { const cfg_obj_t *maps[4]; const cfg_obj_t *cfgmaps[3]; const cfg_obj_t *optionmaps[3]; @@ -3860,8 +3859,6 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, REQUIRE(DNS_VIEW_VALID(view)); - view->keystores = keystores; - if (config != NULL) { (void)cfg_map_get(config, "options", &options); } 
@@ -8600,12 +8597,8 @@ apply_configuration(cfg_parser_t *configparser, cfg_obj_t *config, dns_kasp_detach(&default_kasp); /* - * Save keystore list and kasp list. + * Save kasp list. */ - tmpkeystorelist = server->keystorelist; - server->keystorelist = keystorelist; - keystorelist = tmpkeystorelist; - tmpkasplist = server->kasplist; server->kasplist = kasplist; kasplist = tmpkasplist; @@ -8675,11 +8668,10 @@ apply_configuration(cfg_parser_t *configparser, cfg_obj_t *config, goto cleanup_cachelist; } - result = configure_view( - view, &viewlist, config, vconfig, &cachelist, - &server->cachelist, &server->kasplist, - &server->keystorelist, bindkeys, isc_g_mctx, - named_g_aclconfctx, true, first_time); + result = configure_view(view, &viewlist, config, vconfig, + &cachelist, &server->cachelist, + &server->kasplist, bindkeys, isc_g_mctx, + named_g_aclconfctx, true, first_time); if (result != ISC_R_SUCCESS) { dns_view_detach(&view); goto cleanup_cachelist; @@ -8698,11 +8690,10 @@ apply_configuration(cfg_parser_t *configparser, cfg_obj_t *config, if (result != ISC_R_SUCCESS) { goto cleanup_cachelist; } - result = configure_view( - view, &viewlist, config, NULL, &cachelist, - &server->cachelist, &server->kasplist, - &server->keystorelist, bindkeys, isc_g_mctx, - named_g_aclconfctx, true, first_time); + result = configure_view(view, &viewlist, config, NULL, + &cachelist, &server->cachelist, + &server->kasplist, bindkeys, isc_g_mctx, + named_g_aclconfctx, true, first_time); if (result != ISC_R_SUCCESS) { dns_view_detach(&view); goto cleanup_cachelist; 
@@ -8726,11 +8717,10 @@ apply_configuration(cfg_parser_t *configparser, cfg_obj_t *config, goto cleanup_cachelist; } - result = configure_view( - view, &viewlist, config, vconfig, &cachelist, - &server->cachelist, &server->kasplist, - &server->keystorelist, bindkeys, isc_g_mctx, - named_g_aclconfctx, false, first_time); + result = configure_view(view, &viewlist, config, vconfig, + &cachelist, &server->cachelist, + &server->kasplist, bindkeys, isc_g_mctx, + named_g_aclconfctx, false, first_time); if (result != ISC_R_SUCCESS) { dns_view_detach(&view); goto cleanup_cachelist; @@ -9124,6 +9114,18 @@ apply_configuration(cfg_parser_t *configparser, cfg_obj_t *config, server->sctx->altsecrets = altsecrets; altsecrets = tmpaltsecrets; + /* + * Swap the new keystores list with the old one (so the new one will be + * used and old one will be cleared). + */ + tmpkeystorelist = server->keystorelist; + server->keystorelist = keystorelist; + keystorelist = tmpkeystorelist; + if (first_time) { + dns_zonemgr_setkeystores(server->zonemgr, + &server->keystorelist); + } + (void)named_server_loadnta(server); /* diff --git a/lib/dns/include/dns/view.h b/lib/dns/include/dns/view.h index f6b9f71841b..d536cccbd3e 100644 --- a/lib/dns/include/dns/view.h +++ b/lib/dns/include/dns/view.h @@ -79,19 +79,18 @@ struct dns_view { /* Unlocked. */ - unsigned int magic; - isc_mem_t *mctx; - dns_rdataclass_t rdclass; - char *name; - dns_zt_t *zonetable; - dns_resolver_t *resolver; - dns_adb_t *adb; - dns_requestmgr_t *requestmgr; - dns_dispatchmgr_t *dispatchmgr; - dns_cache_t *cache; - dns_db_t *cachedb; - dns_db_t *hints; - dns_keystorelist_t *keystores; + unsigned int magic; + isc_mem_t *mctx; + dns_rdataclass_t rdclass; + char *name; + dns_zt_t *zonetable; + dns_resolver_t *resolver; + dns_adb_t *adb; + dns_requestmgr_t *requestmgr; + dns_dispatchmgr_t *dispatchmgr; + dns_cache_t *cache; + dns_db_t *cachedb; + dns_db_t *hints; /* * security roots and negative trust anchors. 
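Review bot: In the `@@ -9124,6 +9114,18 @@` hunk of bin/named/server.c, the keystore swap and the `dns_zonemgr_setkeystores()` call now run after all the `configure_view()` calls, whereas the removed swap ran before them. On the first configuration `zmgr->keystores` is therefore presumably still unset while views and zones are being configured, and on a reload zones keep resolving keys against the previous list until this point. The hunk does not show whether a key lookup (`dns_zone_getkeystores()`) can run in that window, so please confirm it cannot, or register the pointer earlier, since the address `&server->keystorelist` does not change. The `if (first_time)` guard is only correct because the zonemgr holds the address of the server's list head and the swap replaces its contents in place; I would say so in the comment, e.g. `* The zonemgr keeps &server->keystorelist, which stays valid across reloads, so it is registered only once.` apply_configuration() starts and ends outside the hunk, so the locking around the swap is not visible here.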
diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h index 0497eb57332..a7ce4559649 100644 --- a/lib/dns/include/dns/zone.h +++ b/lib/dns/include/dns/zone.h @@ -2736,6 +2736,24 @@ dns_zone_getzoneversion(dns_zone_t *zone, isc_buffer_t *b); * \li ISC_R_FAILURE other failure. */ +void +dns_zonemgr_setkeystores(dns_zonemgr_t *zmgr, dns_keystorelist_t *keystores); +/**< + * Set the global setting keystores into the zonemgr, so it can be used from the + * DNS code. + * + * Requires: + * \li 'zmgr' to be a valid. + * \li 'keystores' to be a valid. + */ + +dns_keystorelist_t * +dns_zone_getkeystores(dns_zone_t *zone); +/**< + * Get the keystores pointer, it should never be NULL once the server is + * initialized. + */ + #if DNS_ZONE_TRACE #define dns_zone_ref(ptr) dns_zone__ref(ptr, __func__, __FILE__, __LINE__) #define dns_zone_unref(ptr) dns_zone__unref(ptr, __func__, __FILE__, __LINE__) diff --git a/lib/dns/update.c b/lib/dns/update.c index 911f6a3ebaf..c5a749e5036 100644 --- a/lib/dns/update.c +++ b/lib/dns/update.c @@ -1031,7 +1031,7 @@ find_zone_keys(dns_zone_t *zone, isc_mem_t *mctx, unsigned int maxkeys, kasp = dns_zone_getkasp(zone); keydir = dns_zone_getkeydirectory(zone); - keystores = dns_zone_getview(zone)->keystores; + keystores = dns_zone_getkeystores(zone); dns_zone_lock_keyfiles(zone); result = dns_dnssec_findmatchingkeys(dns_zone_getorigin(zone), kasp, diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 7277d9849e1..8ffaeb7982e 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -637,6 +637,7 @@ struct dns_zonemgr { unsigned int startupnotifyrate; unsigned int serialqueryrate; unsigned int startupserialqueryrate; + dns_keystorelist_t *keystores; dns_keymgmt_t *keymgmt; 
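Review bot: The doc comments added in lib/dns/include/dns/zone.h do not state who owns the keystore list or how long it must live. In the lib/dns/zone.c part of this commit the setter only stores the pointer, so the zonemgr borrows it and the caller has to keep the list alive for as long as any zone can call `dns_zone_getkeystores()`. I would add `* The zonemgr does not take ownership; 'keystores' must outlive 'zmgr'.` to the setter comment. The getter has no `Requires:` section at all; `\li 'zone' to be a valid zone attached to a zone manager.` would document the dereference of `zone->zmgr`. The existing entries "'zmgr' to be a valid." and "'keystores' to be a valid." also read as truncated.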
@@ -6854,7 +6855,7 @@ dns_zone_getdnsseckeys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, /* Get keys from private key files. */ dns_zone_lock_keyfiles(zone); result = dns_dnssec_findmatchingkeys(origin, kasp, dir, - zone->view->keystores, now, + dns_zone_getkeystores(zone), now, dns_zone_getmctx(zone), keys); dns_zone_unlock_keyfiles(zone); @@ -16693,7 +16694,7 @@ dns_zone_dnskey_inuse(dns_zone_t *zone, dns_rdata_t *rdata, bool *inuse) { kasp = dns_zone_getkasp(zone); keydir = dns_zone_getkeydirectory(zone); - keystores = zone->view->keystores; + keystores = dns_zone_getkeystores(zone); dns_zone_lock_keyfiles(zone); result = dns_dnssec_findmatchingkeys(dns_zone_getorigin(zone), kasp, @@ -19804,6 +19805,16 @@ dns_zonemgr_setstartupnotifyrate(dns_zonemgr_t *zmgr, unsigned int value) { setrl(zmgr->startupnotifyrl, &zmgr->startupnotifyrate, value); } +void +dns_zonemgr_setkeystores(dns_zonemgr_t *zmgr, dns_keystorelist_t *keystores) { + zmgr->keystores = keystores; +} + +dns_keystorelist_t * +dns_zone_getkeystores(dns_zone_t *zone) { + return zone->zmgr->keystores; +} + void dns_zonemgr_setserialqueryrate(dns_zonemgr_t *zmgr, unsigned int value) { REQUIRE(DNS_ZONEMGR_VALID(zmgr)); @@ -22392,8 +22403,8 @@ zone_rekey(dns_zone_t *zone) { dns_zone_lock_keyfiles(zone); result = dns_dnssec_findmatchingkeys(&zone->origin, kasp, dir, - zone->view->keystores, now, mctx, - &keys); + dns_zone_getkeystores(zone), now, + mctx, &keys); dns_zone_unlock_keyfiles(zone); if (result != ISC_R_SUCCESS) {
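Review bot: The two functions added in the `@@ -19804,6 +19805,16 @@` hunk of lib/dns/zone.c dereference their arguments without the validity checks that the header promises under "Requires" and that the neighbouring `dns_zonemgr_setserialqueryrate()` performs. `dns_zonemgr_setkeystores()` should start with `REQUIRE(DNS_ZONEMGR_VALID(zmgr));`, and `dns_zone_getkeystores()` with `REQUIRE(DNS_ZONE_VALID(zone));`. The getter also reads `zone->zmgr->keystores` unconditionally, so a zone that is not attached to a manager would be a NULL dereference inside the DNSSEC key lookup paths changed in the other hunks on this line. Whether such a zone can reach those callers is not visible here; if it cannot, `REQUIRE(DNS_ZONEMGR_VALID(zone->zmgr));` makes the assumption explicit and turns a stray crash into a diagnosable assertion.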