From d471ea0548a64636ff9cd86c9da4908b3c201d18 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@NLnetLabs.nl>
Date: Fri, 11 May 2012 08:31:26 +0000
Subject: [PATCH] Code review from Matthijs and Wouter. - Check and respond on
 faulty returns in 	- drill/dnssec.c/ldns_nsec3_exact_match 	-
 drill/dnssec.c/ldns_nsec3_closest_encloser - Removal of unused arguments of
 static functions in 	- examples/ldns-compare-zones.c/usage - Removal of an
 unused static function: 	- examples/ldns-signzone.c/usage_openssl -
 Turn unused return value into void in 	-
 examples/ldns-signzone.c/find_or_create_pubkey - Move new error messages from
 examples/ldns-verify-zone to error.c and ldns/error.h (although only used in
 ldns-verify-zone) - More specific error return code in 	-
 examples/ldns-verify-zone.c/read_key_file - Replaced result = result ? result
 : status with update_error(&result, status) to update result with more
 specific errors when possible. - Removed /* TODO */ comment line as the
 result of NSEC3 opt-out detection is now cached. - Be really silent when
 verbosity == 0 - Updated comments for FASTER_DNSSEC_ZONE_NEW_FRM_FP define -
 Carefull casting for rfc 1982 Serial Number Arithmetic in 	-
 -rrsig_check_time_margins

---
 dnssec_zone.c                 |   9 +-
 drill/dnssec.c                |  45 ++++++--
 error.c                       |   4 +
 examples/ldns-compare-zones.c |   8 +-
 examples/ldns-signzone.c      |  14 +--
 examples/ldns-verify-zone.c   | 191 ++++++++++++++++++++--------------
 ldns/error.h                  |   4 +-
 7 files changed, 169 insertions(+), 106 deletions(-)

diff --git a/dnssec_zone.c b/dnssec_zone.c
index 20becca3..385ba2b9 100644
--- a/dnssec_zone.c
+++ b/dnssec_zone.c
@@ -628,7 +628,14 @@ rr_is_rrsig_covering(ldns_rr* rr, ldns_rr_type t)
 		&& ldns_rdf2rr_type(ldns_rr_rrsig_typecovered(rr)) == t;
 }
 
-#define FASTER_DNSSEC_ZONE_NEW_FRM_FP 1 /* But why? Help! */
+/* When the zone is first read into an list and then inserted into an
+ * ldns_dnssec_zone (rbtree) the nodes of the rbtree are allocated close (next)
+ * to each other. Because ldns-verify-zone (the only program that uses this
+ * function) uses the rbtree mostly for sequentual walking, this results
+ * in a speed increase (of 15% on linux) because we have less CPU-cache misses.
+ */
+#define FASTER_DNSSEC_ZONE_NEW_FRM_FP 1
+
 ldns_status
 ldns_dnssec_zone_new_frm_fp_l(ldns_dnssec_zone** z, FILE* fp, ldns_rdf* origin,
 	       	uint32_t ttl, ldns_rr_class ATTR_UNUSED(c), int* line_nr)
diff --git a/drill/dnssec.c b/drill/dnssec.c
index 6a9aa23a..de3ccf44 100644
--- a/drill/dnssec.c
+++ b/drill/dnssec.c
@@ -245,7 +245,7 @@ ldns_nsec3_exact_match(ldns_rdf *qname, ldns_rr_type qtype, ldns_rr_list *nsec3s
 	uint8_t salt_length;
 	uint8_t *salt;
 	
-	ldns_rdf *sname, *hashed_sname;
+	ldns_rdf *sname = NULL, *hashed_sname = NULL;
 	
 	size_t nsec_i;
 	ldns_rr *nsec;
@@ -253,7 +253,7 @@ ldns_nsec3_exact_match(ldns_rdf *qname, ldns_rr_type qtype, ldns_rr_list *nsec3s
 	
 	const ldns_rr_descriptor *descriptor;
 	
-	ldns_rdf *zone_name;
+	ldns_rdf *zone_name = NULL;
 	
 	if (verbosity >= 4) {
 		printf(";; finding exact match for ");
@@ -279,16 +279,28 @@ ldns_nsec3_exact_match(ldns_rdf *qname, ldns_rr_type qtype, ldns_rr_list *nsec3s
 	salt_length = ldns_nsec3_salt_length(nsec);
 	salt = ldns_nsec3_salt_data(nsec);
 	iterations = ldns_nsec3_iterations(nsec);
+	if (salt == NULL) {
+		goto done;
+	}
 
 	sname = ldns_rdf_clone(qname);
-
+	if (sname == NULL) {
+		goto done;
+	}
 	if (verbosity >= 4) {
 		printf(";; owner name hashes to: ");
 	}
 	hashed_sname = ldns_nsec3_hash_name(sname, algorithm, iterations, salt_length, salt);
-
+	if (hashed_sname == NULL) {
+		goto done;
+	}
 	zone_name = ldns_dname_left_chop(ldns_rr_owner(nsec));
-	(void)ldns_dname_cat(hashed_sname, zone_name);
+	if (zone_name == NULL) {
+		goto done;
+	}
+	if (ldns_dname_cat(hashed_sname, zone_name) != LDNS_STATUS_OK) {
+		goto done;
+	};
 	
 	if (verbosity >= 4) {
 		ldns_rdf_print(stdout, hashed_sname);
@@ -335,7 +347,7 @@ ldns_nsec3_closest_encloser(ldns_rdf *qname, ldns_rr_type qtype, ldns_rr_list *n
 	uint8_t salt_length;
 	uint8_t *salt;
 
-	ldns_rdf *sname, *hashed_sname, *tmp;
+	ldns_rdf *sname = NULL, *hashed_sname = NULL, *tmp;
 	bool flag;
 	
 	bool exact_match_found;
@@ -362,12 +374,21 @@ ldns_nsec3_closest_encloser(ldns_rdf *qname, ldns_rr_type qtype, ldns_rr_list *n
 	salt_length = ldns_nsec3_salt_length(nsec);
 	salt = ldns_nsec3_salt_data(nsec);
 	iterations = ldns_nsec3_iterations(nsec);
+	if (salt == NULL) {
+		goto done;
+	}
 
 	sname = ldns_rdf_clone(qname);
+	if (sname == NULL) {
+		goto done;
+	}
 
 	flag = false;
 	
 	zone_name = ldns_dname_left_chop(ldns_rr_owner(nsec));
+	if (zone_name == NULL) {
+		goto done;
+	}
 
 	/* algorithm from nsec3-07 8.3 */
 	while (ldns_dname_label_count(sname) > 0) {
@@ -380,8 +401,13 @@ ldns_nsec3_closest_encloser(ldns_rdf *qname, ldns_rr_type qtype, ldns_rr_list *n
 			printf(" hashes to: ");
 		}
 		hashed_sname = ldns_nsec3_hash_name(sname, algorithm, iterations, salt_length, salt);
+		if (hashed_sname == NULL) {
+			goto done;
+		}
 
-		(void) ldns_dname_cat(hashed_sname, zone_name);
+		if (ldns_dname_cat(hashed_sname, zone_name) != LDNS_STATUS_OK){
+			goto done;
+		}
 
 		if (verbosity >= 3) {
 			ldns_rdf_print(stdout, hashed_sname);
@@ -426,9 +452,12 @@ ldns_nsec3_closest_encloser(ldns_rdf *qname, ldns_rr_type qtype, ldns_rr_list *n
 		tmp = sname;
 		sname = ldns_dname_left_chop(sname);
 		ldns_rdf_deep_free(tmp);
+		if (sname == NULL) {
+			goto done;
+		}
 	}
 
-	done:
+done:
 	LDNS_FREE(salt);
 	ldns_rdf_deep_free(zone_name);
 	ldns_rdf_deep_free(sname);
diff --git a/error.c b/error.c
index df0e5b1f..cf6788ff 100644
--- a/error.c
+++ b/error.c
@@ -91,6 +91,10 @@ ldns_lookup_table ldns_error_str[] = {
 	{ LDNS_STATUS_DNSSEC_NSEC3_ORIGINAL_NOT_FOUND, "original of NSEC3 hashed name could not be found" },
 	{ LDNS_STATUS_MISSING_RDATA_FIELDS_RRSIG, "The RRSIG has to few rdata fields" },
 	{ LDNS_STATUS_MISSING_RDATA_FIELDS_KEY, "The DNSKEY has to few rdata fields" },
+	{ LDNS_STATUS_CRYPTO_SIG_EXPIRED_WITHIN_MARGIN, 
+		"DNSSEC signature will expire too soon" },
+	{ LDNS_STATUS_CRYPTO_SIG_NOT_INCEPTED_WITHIN_MARGIN,
+		"DNSSEC signature not incepted long enough" },
 	{ 0, NULL }
 };
 
diff --git a/examples/ldns-compare-zones.c b/examples/ldns-compare-zones.c
index 07c0c6ca..663b744a 100644
--- a/examples/ldns-compare-zones.c
+++ b/examples/ldns-compare-zones.c
@@ -23,10 +23,10 @@
 #define OP_CHG '~'
 
 static void 
-usage(int ATTR_UNUSED(argc), char **argv)
+usage(char *prog)
 {
 	printf("Usage: %s [-v] [-i] [-d] [-c] [-s] <zonefile1> <zonefile2>\n",
-		  argv[0]);
+		prog);
 	printf("       -i - print inserted\n");
 	printf("       -d - print deleted\n");
 	printf("       -c - print changed\n");
@@ -57,7 +57,7 @@ main(int argc, char **argv)
 	while ((c = getopt(argc, argv, "ahvdicsz")) != -1) {
 		switch (c) {
 		case 'h':
-			usage(argc, argv);
+			usage(argv[0]);
 			exit(EXIT_SUCCESS);
 			break;
 		case 'v':
@@ -96,7 +96,7 @@ main(int argc, char **argv)
 	if (argc != 2) {
 		argc -= optind;
 		argv -= optind;
-		usage(argc, argv);
+		usage(argv[0]);
 		exit(EXIT_FAILURE);
 	}
 	fn1 = argv[0];
diff --git a/examples/ldns-signzone.c b/examples/ldns-signzone.c
index 6ef1cc1d..34839b05 100644
--- a/examples/ldns-signzone.c
+++ b/examples/ldns-signzone.c
@@ -59,12 +59,6 @@ usage(FILE *fp, const char *prog) {
 	fprintf(fp, "  A date can be a timestamp (seconds since the epoch), or of\n  the form <YYYYMMdd[hhmmss]>\n");
 }
 
-void
-usage_openssl(FILE *fp, const char* ATTR_UNUSED(prog)) {
-	fprintf(fp, "Special commands for openssl engines:\n");
-	fprintf(fp, "-c <file>\tOpenSSL config file\n");
-}
-
 static void check_tm(struct tm tm)
 {
 	if (tm.tm_year < 70) {
@@ -215,7 +209,7 @@ find_key_in_file(const char *keyfile_name_base, ldns_key* ATTR_UNUSED(key),
  * Even if keys are not added, the function is still needed, to check
  * whether keys of which we only have key data are KSKs or ZSKS
  */
-static ldns_status
+static void
 find_or_create_pubkey(const char *keyfile_name_base, ldns_key *key, ldns_zone *orig_zone, bool add_keys, uint32_t default_ttl) {
 	ldns_rr *pubkey_gen, *pubkey;
 	int key_in_zone;
@@ -291,7 +285,6 @@ find_or_create_pubkey(const char *keyfile_name_base, ldns_key *key, ldns_zone *o
 		equalize_ttls_rr_list(ldns_zone_rrs(orig_zone), pubkey, default_ttl);
 		ldns_zone_push_rr(orig_zone, pubkey);
 	}
-	return LDNS_STATUS_OK;
 }
 
 void
@@ -724,9 +717,8 @@ main(int argc, char *argv[])
 		}
 		/* and, if not unset by -p, find or create the corresponding DNSKEY record */
 		if (key) {
-			(void) find_or_create_pubkey(keyfile_name_base,
-			                             key, orig_zone,
-			                             add_keys, ttl);
+			find_or_create_pubkey(keyfile_name_base, key,
+			                      orig_zone, add_keys, ttl);
 		}
 		argi++;
 	}
diff --git a/examples/ldns-verify-zone.c b/examples/ldns-verify-zone.c
index f1072b33..e30907b4 100644
--- a/examples/ldns-verify-zone.c
+++ b/examples/ldns-verify-zone.c
@@ -19,32 +19,26 @@
 #ifdef HAVE_SSL
 #include <openssl/err.h>
 
-#define LDNS_VERIFY_ZONE_ERROR	0x8000
-#define LDNS_STATUS_CRYPTO_SIG_NOT_INCEPTED_WITHIN_MARGIN \
-				LDNS_VERIFY_ZONE_ERROR | 0
-#define LDNS_STATUS_CRYPTO_SIG_EXPIRED_WITHIN_MARGIN \
-				LDNS_VERIFY_ZONE_ERROR | 1
-
-int verbosity = 3;
-time_t check_time = 0;
-time_t inception_offset = 0;
-time_t expiration_offset = 0;
-bool do_sigchase = false;
-bool no_nomatch_msg = false;
-
-FILE* myout;
-FILE* myerr;
-
-static const char*
-get_errorstr_by_id(int err)
+static int verbosity = 3;
+static time_t check_time = 0;
+static int32_t inception_offset = 0;
+static int32_t expiration_offset = 0;
+static bool do_sigchase = false;
+static bool no_nomatch_msg = false;
+
+static FILE* myout;
+static FILE* myerr;
+
+static void
+update_error(ldns_status* result, ldns_status status)
 {
-	switch (err) {
-		case LDNS_STATUS_CRYPTO_SIG_NOT_INCEPTED_WITHIN_MARGIN:
-			return "DNSSEC signature not incepted long enough";
-		case LDNS_STATUS_CRYPTO_SIG_EXPIRED_WITHIN_MARGIN:
-			return "DNSSEC signature will expire to soon";
-		default:
-			return ldns_get_errorstr_by_id(err);
+	if (status != LDNS_STATUS_OK) {
+		if (*result == LDNS_STATUS_OK || *result == LDNS_STATUS_ERR || 
+		    (  *result == LDNS_STATUS_CRYPTO_NO_MATCHING_KEYTAG_DNSKEY 
+		     && status != LDNS_STATUS_ERR 
+		    )) {
+			*result = status;
+		}
 	}
 }
 
@@ -72,9 +66,11 @@ read_key_file(const char *filename, ldns_rr_list *keys)
 	int line_nr;
 
 	if (!(fp = fopen(filename, "r"))) {
-		fprintf(myerr, "Error opening %s: %s\n", filename,
-				strerror(errno));
-		return LDNS_STATUS_ERR;
+		if (verbosity > 0) {
+			fprintf(myerr, "Error opening %s: %s\n", filename,
+					strerror(errno));
+		}
+		return LDNS_STATUS_FILE_ERR;
 	}
 	while (!feof(fp)) {
 		status = ldns_rr_new_frm_fp_l(&rr, fp, &my_ttl, &my_origin,
@@ -117,7 +113,7 @@ static void
 print_rr_status_error(FILE* stream, ldns_rr* rr, ldns_status status)
 {
 	if (status != LDNS_STATUS_OK) {
-		print_rr_error(stream, rr, get_errorstr_by_id(status));
+		print_rr_error(stream, rr, ldns_get_errorstr_by_id(status));
 		if (verbosity > 0 && status == LDNS_STATUS_SSL_ERR) {
 			ERR_load_crypto_strings();
 			ERR_print_errors_fp(stream);
@@ -133,9 +129,9 @@ print_rrs_status_error(FILE* stream, ldns_rr_list* rrs, ldns_status status,
 		if (ldns_rr_list_rr_count(rrs) > 0) {
 			print_rr_status_error(stream, ldns_rr_list_rr(rrs, 0),
 					status);
-		} else {
+		} else if (verbosity > 0) {
 			fprintf(stream, "Error: %s for <unknown>\n",
-					get_errorstr_by_id(status));
+					ldns_get_errorstr_by_id(status));
 		}
 		if (verbosity >= 4) {
 			fprintf(stream, "RRSet:\n");
@@ -148,27 +144,31 @@ print_rrs_status_error(FILE* stream, ldns_rr_list* rrs, ldns_status status,
 }
 
 static ldns_status
-rrsig_check_time_margins(ldns_rr* rrsig)
+rrsig_check_time_margins(ldns_rr* rrsig
+#if 0 /* Passing those as arguments becomes sensible when 
+       * rrsig_check_time_margins will be added to the library.
+       */
+	,time_t check_time, int32_t inception_offset, int32_t expiration_offset
+#endif
+	)
 {
 	int32_t inception, expiration;
 
 	inception  = ldns_rdf2native_int32(ldns_rr_rrsig_inception (rrsig));
 	expiration = ldns_rdf2native_int32(ldns_rr_rrsig_expiration(rrsig));
 
-	if (check_time - inception_offset  - inception  < 0) {
+	if (((int32_t) (check_time - inception_offset))  - inception  < 0) {
 		return LDNS_STATUS_CRYPTO_SIG_NOT_INCEPTED_WITHIN_MARGIN;
 	}
-	if (expiration - expiration_offset - check_time < 0) {
+	if (expiration - ((int32_t) (check_time + expiration_offset)) < 0) {
 		return LDNS_STATUS_CRYPTO_SIG_EXPIRED_WITHIN_MARGIN;
 	}
 	return LDNS_STATUS_OK;
 }
 
 static ldns_status
-verify_rrs( ldns_rr_list* rrset_rrs
-	  , ldns_dnssec_rrs* cur_sig
-	  , ldns_rr_list* keys
-	  )
+verify_rrs(ldns_rr_list* rrset_rrs, ldns_dnssec_rrs* cur_sig,
+		ldns_rr_list* keys)
 {
 	ldns_rr_list* good_keys;
 	ldns_status status, result = LDNS_STATUS_OK;
@@ -185,7 +185,7 @@ verify_rrs( ldns_rr_list* rrset_rrs
 			print_rrs_status_error(myerr, rrset_rrs, status,
 					cur_sig);
 		}
-		result = result ? result : status;
+		update_error(&result, status);
 		ldns_rr_list_free(good_keys);
 		cur_sig = cur_sig->next;
 	}
@@ -356,15 +356,15 @@ verify_nsec(ldns_dnssec_zone* zone, ldns_rbnode_t *cur_node,
 			status = verify_single_rr(name->nsec,
 					name->nsec_signatures, keys);
 
-			result = result ? result : status;
+			update_error(&result, status);
 		} else {
-			if (verbosity >= 0) {
+			if (verbosity > 0) {
 				fprintf(myerr,
 					"Error: the NSEC(3) record of ");
 				ldns_rdf_print(myerr, name->name);
 				fprintf(myerr, " has no signatures\n");
 			}
-			result = result ? result : LDNS_STATUS_ERR;
+			update_error(&result, LDNS_STATUS_ERR);
 		}
 		/* check whether the NSEC record points to the right name */
 		switch (ldns_rr_get_type(name->nsec)) {
@@ -386,12 +386,15 @@ verify_nsec(ldns_dnssec_zone* zone, ldns_rbnode_t *cur_node,
 				if (ldns_dname_compare(next_name->name,
 							ldns_rr_rdf(name->nsec,
 								0)) != 0) {
-					fprintf(myerr,
-						"Error: the NSEC record for ");
-					ldns_rdf_print(myerr, name->name);
-					fprintf(myerr,
-						" points to the wrong next"
-						" owner name\n");
+					if (verbosity > 0) {
+						fprintf(myerr, "Error: the "
+							"NSEC record for ");
+						ldns_rdf_print(myerr,
+								name->name);
+						fprintf(myerr, " points to "
+							"the wrong "
+							"next owner name\n");
+					}
 					if (verbosity >= 4) {
 						fprintf(myerr, "\t: ");
 						ldns_rdf_print(myerr,
@@ -403,8 +406,8 @@ verify_nsec(ldns_dnssec_zone* zone, ldns_rbnode_t *cur_node,
 							next_name->name);
 						fprintf(myerr, ".\n");
 					}
-					result = result ? result 
-					                : LDNS_STATUS_ERR;
+					update_error(&result,
+							LDNS_STATUS_ERR);
 				}
 				break;
 			case LDNS_RR_TYPE_NSEC3:
@@ -414,7 +417,7 @@ verify_nsec(ldns_dnssec_zone* zone, ldns_rbnode_t *cur_node,
 				 * (ie. pointer to next hashed name?)
 				 */
 				status = verify_next_hashed_name(zone, name);
-				result = result ? result : status;
+				update_error(&result, status);
 				break;
 			default:
 				break;
@@ -426,18 +429,17 @@ verify_nsec(ldns_dnssec_zone* zone, ldns_rbnode_t *cur_node,
 							   LDNS_RR_TYPE_NS)
 		      && !ldns_dnssec_rrsets_contains_type(name->rrsets,
 							   LDNS_RR_TYPE_DS)))) {
-			/* TODO */
 			/* ok, no problem, but we need to remember to check
 			 * whether the chain does not actually point to this
 			 * name later */
 		} else {
-			if (verbosity >= 1) {
+			if (verbosity > 0) {
 				fprintf(myerr,
 					"Error: there is no NSEC(3) for ");
 				ldns_rdf_print(myerr, name->name);
 				fprintf(myerr, "\n");
 			}
-			result = result ? result : LDNS_STATUS_ERR;
+			update_error(&result, LDNS_STATUS_ERR);
 		}
 	}
 	return result;
@@ -466,7 +468,7 @@ verify_dnssec_name(ldns_rdf *zone_name, ldns_dnssec_zone* zone,
 		cur_rrset = name->rrsets;
 		while (cur_rrset) {
 			if (cur_rrset->signatures) {
-				if (verbosity >= 0) {
+				if (verbosity > 0) {
 					fprintf(myerr, "Error: ");
 					ldns_rdf_print(myerr, name->name);
 					fprintf(myerr, "\t");
@@ -479,7 +481,7 @@ verify_dnssec_name(ldns_rdf *zone_name, ldns_dnssec_zone* zone,
 			cur_rrset = cur_rrset->next;
 		}
 		if (name->nsec) {
-			if (verbosity >= 0) {
+			if (verbosity > 0) {
 				fprintf(myerr, "Error: ");
 				ldns_rdf_print(myerr, name->name);
 				fprintf(myerr, " has an NSEC(3),"
@@ -510,12 +512,12 @@ verify_dnssec_name(ldns_rdf *zone_name, ldns_dnssec_zone* zone,
 
 				status = verify_dnssec_rrset(zone_name,
 						name->name, cur_rrset, keys);
-				result = result ? result : status;
+				update_error(&result, status);
 			}
 			cur_rrset = cur_rrset->next;
 		}
 		status = verify_nsec(zone, cur_node, keys);
-		result = result ? result : status;
+		update_error(&result, status);
 	}
 	return result;
 }
@@ -577,9 +579,13 @@ sigchase(ldns_resolver* res, ldns_rdf *zone_name, ldns_dnssec_rrsets *zonekeys,
 		if (!res) {
 			if ((status = ldns_resolver_new_frm_file(&res, NULL))){
 				ldns_resolver_free(res);
-				fprintf(myerr,
-					"Could not create resolver: %s\n",
-					ldns_get_errorstr_by_id(status));
+				if (verbosity > 0) {
+					fprintf(myerr,
+						"Could not create resolver: "
+						"%s\n",
+						ldns_get_errorstr_by_id(status)
+						);
+				}
 				return status;
 			}
 			free_resolver = true;
@@ -642,7 +648,7 @@ verify_dnssec_zone(ldns_dnssec_zone *dnssec_zone, ldns_rdf *zone_name,
 	cur_key_rrset = ldns_dnssec_zone_find_rrset(dnssec_zone, zone_name,
 			LDNS_RR_TYPE_DNSKEY);
 	if (!cur_key_rrset || !cur_key_rrset->rrs) {
-		if (verbosity >= 0) {
+		if (verbosity > 0) {
 			fprintf(myerr,
 				"Error: No DNSKEY records at zone apex\n");
 		}
@@ -660,7 +666,7 @@ verify_dnssec_zone(ldns_dnssec_zone *dnssec_zone, ldns_rdf *zone_name,
 
 		cur_node = ldns_rbtree_first(dnssec_zone->names);
 		if (cur_node == LDNS_RBTREE_NULL) {
-			if (verbosity >= 0) {
+			if (verbosity > 0) {
 				fprintf(myerr, "Error: Empty zone?\n");
 			}
 			result = LDNS_STATUS_ERR;
@@ -684,7 +690,7 @@ verify_dnssec_zone(ldns_dnssec_zone *dnssec_zone, ldns_rdf *zone_name,
 			    || ((random() % 100) >= 100 - percentage)) {
 				status = verify_dnssec_name(zone_name,
 						dnssec_zone, cur_node, keys);
-				result = result ? result : status;
+				update_error(&result, status);
 				if (apexonly)
 					break;
 			}
@@ -767,10 +773,13 @@ main(int argc, char **argv)
 		case 'i':
 			duration = ldns_duration_create_from_string(optarg);
 			if (!duration) {
-				fprintf(myerr,
-					"<period> should be in ISO 8601 "
-					"duration format: "
-					"P[n]Y[n]M[n]DT[n]H[n]M[n]S\n");
+				if (verbosity > 0) {
+					fprintf(myerr,
+						"<period> should be in ISO "
+						"8601 duration format: "
+						"P[n]Y[n]M[n]DT[n]H[n]M[n]S\n"
+						);
+				}
                                 exit(EXIT_FAILURE);
 			}
 			if (c == 'e')
@@ -783,14 +792,20 @@ main(int argc, char **argv)
 		case 'k':
 			s = read_key_file(optarg, keys);
 			if (s != LDNS_STATUS_OK) {
-				fprintf(myerr,
-					"Could not parse key file %s: %s\n",
-					optarg, get_errorstr_by_id(s));
+				if (verbosity > 0) {
+					fprintf(myerr,
+						"Could not parse key file "
+						"%s: %s\n",optarg,
+						ldns_get_errorstr_by_id(s));
+				}
                                 exit(EXIT_FAILURE);
 			}
 			if (ldns_rr_list_rr_count(keys) == nkeys) {
-				fprintf(myerr, "No keys found in file %s\n",
+				if (verbosity > 0) {
+					fprintf(myerr,
+						"No keys found in file %s\n",
 						optarg);
+				}
 				exit(EXIT_FAILURE);
 			}
 			nkeys = ldns_rr_list_rr_count(keys);
@@ -798,8 +813,11 @@ main(int argc, char **argv)
                 case 'p':
                         percentage = atoi(optarg);
                         if (percentage < 0 || percentage > 100) {
-	                        fprintf(myerr, "percentage needs to fall "
+				if (verbosity > 0) {
+	                        	fprintf(myerr,
+						"percentage needs to fall "
 						"between 0..100\n");
+				}
                                 exit(EXIT_FAILURE);
                         }
                         srandom(time(NULL) ^ getpid());
@@ -834,8 +852,11 @@ main(int argc, char **argv)
 		}
 	}
 	if (do_sigchase && nkeys == 0) {
-		fprintf(myerr, "Unable to chase signature without keys.\n");
-		exit(EXIT_SUCCESS);
+		if (verbosity > 0) {
+			fprintf(myerr,
+				"Unable to chase signature without keys.\n");
+		}
+		exit(EXIT_FAILURE);
 	}
 
 	argc -= optind;
@@ -848,8 +869,10 @@ main(int argc, char **argv)
 
 		fp = fopen(filename, "r");
 		if (!fp) {
-			fprintf(myerr, "Unable to open %s: %s\n",
+			if (verbosity > 0) {
+				fprintf(myerr, "Unable to open %s: %s\n",
 					filename, strerror(errno));
+			}
 			exit(EXIT_FAILURE);
 		}
 	}
@@ -858,13 +881,16 @@ main(int argc, char **argv)
 			LDNS_RR_CLASS_IN, &line_nr);
 	if (s == LDNS_STATUS_OK) {
 		if (!dnssec_zone->soa) {
-			fprintf(myerr, "; Error: no SOA in the zone\n");
-			exit(1);
+			if (verbosity > 0) {
+				fprintf(myerr,
+					"; Error: no SOA in the zone\n");
+			}
+			exit(EXIT_FAILURE);
 		}
 
 		result = ldns_dnssec_zone_mark_glue(dnssec_zone);
 		if (result != LDNS_STATUS_OK) {
-			if (verbosity >= 1) {
+			if (verbosity > 0) {
 				fprintf(myerr,
 					"There were errors identifying the "
 					"glue in the zone\n");
@@ -885,7 +911,7 @@ main(int argc, char **argv)
 					"Zone is verified and complete\n");
 			}
 		} else {
-			if (verbosity >= 1) {
+			if (verbosity > 0) {
 				fprintf(myerr,
 					"There were errors in the zone\n");
 			}
@@ -893,7 +919,10 @@ main(int argc, char **argv)
 
 		ldns_dnssec_zone_deep_free(dnssec_zone);
 	} else {
-		fprintf(myerr, "%s at %d\n", get_errorstr_by_id(s), line_nr);
+		if (verbosity > 0) {
+			fprintf(myerr, "%s at %d\n",
+				ldns_get_errorstr_by_id(s), line_nr);
+		}
                 exit(EXIT_FAILURE);
 	}
 	fclose(fp);
diff --git a/ldns/error.h b/ldns/error.h
index 99d4f0bf..6396a934 100644
--- a/ldns/error.h
+++ b/ldns/error.h
@@ -100,7 +100,9 @@ enum ldns_enum_status {
 	LDNS_STATUS_DNSSEC_NSEC_WILDCARD_NOT_COVERED,
 	LDNS_STATUS_DNSSEC_NSEC3_ORIGINAL_NOT_FOUND,
 	LDNS_STATUS_MISSING_RDATA_FIELDS_RRSIG,
-	LDNS_STATUS_MISSING_RDATA_FIELDS_KEY
+	LDNS_STATUS_MISSING_RDATA_FIELDS_KEY,
+	LDNS_STATUS_CRYPTO_SIG_EXPIRED_WITHIN_MARGIN,
+	LDNS_STATUS_CRYPTO_SIG_NOT_INCEPTED_WITHIN_MARGIN
 };
 typedef enum ldns_enum_status ldns_status;
 
-- 
2.47.3