/* Load keys corresponding to the existing DNSKEY RRset. */
result = dns_dnssec_keylistfromrdataset(
- gorigin, directory, mctx, &rdataset, &keysigs, &soasigs,
+ gorigin, NULL, directory, mctx, &rdataset, &keysigs, &soasigs,
preserve_keys, load_public, &keylist);
if (result != ISC_R_SUCCESS) {
fatal("failed to load the zone keys: %s",
/*
* Find keys that match this zone in the key repository.
*/
- result = dns_dnssec_findmatchingkeys(gorigin, directory, now, mctx,
- &matchkeys);
+ result = dns_dnssec_findmatchingkeys(gorigin, NULL, directory, NULL,
+ now, mctx, &matchkeys);
if (result == ISC_R_NOTFOUND) {
result = ISC_R_SUCCESS;
}
alg = dst_key_alg(dstkey);
ISC_LIST_INIT(matchkeys);
- result = dns_dnssec_findmatchingkeys(name, dir, now, mctx, &matchkeys);
+ result = dns_dnssec_findmatchingkeys(name, NULL, dir, NULL, now, mctx,
+ &matchkeys);
if (result == ISC_R_NOTFOUND) {
return (false);
}
isc_result_t
named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
const cfg_obj_t *zconfig, cfg_aclconfctx_t *ac,
- dns_kasplist_t *kasplist, dns_zone_t *zone,
- dns_zone_t *raw);
+ dns_kasplist_t *kasplist, dns_keystorelist_t *keystores,
+ dns_zone_t *zone, dns_zone_t *raw);
/*%<
* Configure or reconfigure a zone according to the named.conf
* data.
configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
const cfg_obj_t *vconfig, dns_view_t *view,
dns_viewlist_t *viewlist, dns_kasplist_t *kasplist,
- cfg_aclconfctx_t *aclconf, bool added, bool old_rpz_ok,
- bool modify);
+ dns_keystorelist_t *keystores, cfg_aclconfctx_t *aclconf,
+ bool added, bool old_rpz_ok, bool modify);
static void
configure_zone_setviewcommit(isc_result_t result, const cfg_obj_t *zconfig,
zoneobj = cfg_listelt_value(cfg_list_first(zlist));
/* Mark view unfrozen so that zone can be added */
-
isc_loopmgr_pause(named_g_loopmgr);
dns_view_thaw(cz->view);
result = configure_zone(cfg->config, zoneobj, cfg->vconfig, cz->view,
&cz->cbd->server->viewlist,
- &cz->cbd->server->kasplist, cfg->actx, true,
- false, cz->mod);
+ &cz->cbd->server->kasplist,
+ &cz->cbd->server->keystorelist,
+ cfg->actx, true, false, cz->mod);
dns_view_freeze(cz->view);
isc_loopmgr_resume(named_g_loopmgr);
static isc_result_t
configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config,
cfg_obj_t *vconfig, named_cachelist_t *cachelist,
- dns_kasplist_t *kasplist, const cfg_obj_t *bindkeys,
- isc_mem_t *mctx, cfg_aclconfctx_t *actx, bool need_hints) {
+ dns_kasplist_t *kasplist, dns_keystorelist_t *keystores,
+ const cfg_obj_t *bindkeys, isc_mem_t *mctx,
+ cfg_aclconfctx_t *actx, bool need_hints) {
const cfg_obj_t *maps[4];
const cfg_obj_t *cfgmaps[3];
const cfg_obj_t *optionmaps[3];
{
const cfg_obj_t *zconfig = cfg_listelt_value(element);
CHECK(configure_zone(config, zconfig, vconfig, view, viewlist,
- kasplist, actx, false, old_rpz_ok, false));
+ kasplist, keystores, actx, false,
+ old_rpz_ok, false));
zone_element_latest = element;
}
configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
const cfg_obj_t *vconfig, dns_view_t *view,
dns_viewlist_t *viewlist, dns_kasplist_t *kasplist,
- cfg_aclconfctx_t *aclconf, bool added, bool old_rpz_ok,
- bool modify) {
+ dns_keystorelist_t *keystores, cfg_aclconfctx_t *aclconf,
+ bool added, bool old_rpz_ok, bool modify) {
dns_view_t *pview = NULL; /* Production view */
dns_zone_t *zone = NULL; /* New or reused zone */
dns_zone_t *raw = NULL; /* New or reused raw zone */
dns_zone_setstats(zone, named_g_server->zonestats);
}
CHECK(named_zone_configure(config, vconfig, zconfig, aclconf,
- kasplist, zone, NULL));
+ kasplist, keystores, zone, NULL));
dns_zone_attach(zone, &view->redirect);
goto cleanup;
}
* Configure the zone.
*/
CHECK(named_zone_configure(config, vconfig, zconfig, aclconf, kasplist,
- zone, raw));
+ keystores, zone, raw));
/*
* Add the zone to its view in the new view list.
const cfg_obj_t *zconfig = cfg_listelt_value(element);
CHECK(configure_zone(config, zconfig, vconfig, view,
&named_g_server->viewlist,
- &named_g_server->kasplist, actx, true,
+ &named_g_server->kasplist,
+ &named_g_server->keystorelist, actx, true,
false, false));
}
cfg_aclconfctx_t *actx) {
return (configure_zone(
config, zconfig, vconfig, view, &named_g_server->viewlist,
- &named_g_server->kasplist, actx, true, false, false));
+ &named_g_server->kasplist, &named_g_server->keystorelist, actx,
+ true, false, false));
}
/*%
}
result = configure_view(view, &viewlist, config, vconfig,
- &cachelist, &server->kasplist, bindkeys,
+ &cachelist, &server->kasplist,
+ &server->keystorelist, bindkeys,
named_g_mctx, named_g_aclconfctx, true);
if (result != ISC_R_SUCCESS) {
dns_view_detach(&view);
goto cleanup_cachelist;
}
result = configure_view(view, &viewlist, config, NULL,
- &cachelist, &server->kasplist, bindkeys,
+ &cachelist, &server->kasplist,
+ &server->keystorelist, bindkeys,
named_g_mctx, named_g_aclconfctx, true);
if (result != ISC_R_SUCCESS) {
dns_view_detach(&view);
}
result = configure_view(view, &viewlist, config, vconfig,
- &cachelist, &server->kasplist, bindkeys,
+ &cachelist, &server->kasplist,
+ &server->keystorelist, bindkeys,
named_g_mctx, named_g_aclconfctx,
false);
if (result != ISC_R_SUCCESS) {
/* Mark view unfrozen and configure zone */
dns_view_thaw(view);
result = configure_zone(cfg->config, zoneobj, cfg->vconfig, view,
- &server->viewlist, &server->kasplist, cfg->actx,
- true, false, false);
+ &server->viewlist, &server->kasplist,
+ &server->keystorelist, cfg->actx, true, false,
+ false);
dns_view_freeze(view);
isc_loopmgr_resume(named_g_loopmgr);
/* Reconfigure the zone */
dns_view_thaw(view);
result = configure_zone(cfg->config, zoneobj, cfg->vconfig, view,
- &server->viewlist, &server->kasplist, cfg->actx,
- true, false, true);
+ &server->viewlist, &server->kasplist,
+ &server->keystorelist, cfg->actx, true, false,
+ true);
dns_view_freeze(view);
isc_loopmgr_resume(named_g_loopmgr);
isc_result_t
named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
const cfg_obj_t *zconfig, cfg_aclconfctx_t *ac,
- dns_kasplist_t *kasplist, dns_zone_t *zone,
- dns_zone_t *raw) {
+ dns_kasplist_t *kasplist, dns_keystorelist_t *keystorelist,
+ dns_zone_t *zone, dns_zone_t *raw) {
isc_result_t result;
const char *zname;
dns_rdataclass_t zclass;
filename = cfg_obj_asstring(obj);
CHECK(dns_zone_setkeydirectory(zone, filename));
}
+ /* Also save a reference to the keystore list. */
+ dns_zone_setkeystores(zone, keystorelist);
obj = NULL;
result = named_config_get(maps, "sig-signing-signatures", &obj);
}
}
-/*%
- * Get a list of DNSSEC keys from the key repository.
- */
-isc_result_t
-dns_dnssec_findmatchingkeys(const dns_name_t *origin, const char *directory,
- isc_stdtime_t now, isc_mem_t *mctx,
- dns_dnsseckeylist_t *keylist) {
+static isc_result_t
+findmatchingkeys(const char *directory, char *namebuf, unsigned int len,
+ isc_mem_t *mctx, isc_stdtime_t now,
+ dns_dnsseckeylist_t *list) {
isc_result_t result = ISC_R_SUCCESS;
- bool dir_open = false;
- dns_dnsseckeylist_t list;
isc_dir_t dir;
+ bool dir_open = false;
+ unsigned int i, alg;
dns_dnsseckey_t *key = NULL;
dst_key_t *dstkey = NULL;
- char namebuf[DNS_NAME_FORMATSIZE];
- isc_buffer_t b;
- unsigned int len, i, alg;
- REQUIRE(keylist != NULL);
- ISC_LIST_INIT(list);
isc_dir_init(&dir);
-
- isc_buffer_init(&b, namebuf, sizeof(namebuf) - 1);
- RETERR(dns_name_tofilenametext(origin, false, &b));
- len = isc_buffer_usedlength(&b);
- namebuf[len] = '\0';
-
if (directory == NULL) {
directory = ".";
}
if (key->legacy) {
dns_dnsseckey_destroy(mctx, &key);
} else {
- ISC_LIST_APPEND(list, key, link);
+ ISC_LIST_APPEND(*list, key, link);
key = NULL;
}
}
+failure:
+ if (dir_open) {
+ isc_dir_close(&dir);
+ }
+ if (dstkey != NULL) {
+ dst_key_free(&dstkey);
+ }
+ return (result);
+}
+
+/*%
+ * Get a list of DNSSEC keys from the key repository.
+ */
+isc_result_t
+dns_dnssec_findmatchingkeys(const dns_name_t *origin, dns_kasp_t *kasp,
+ const char *keydir, dns_keystorelist_t *keystores,
+ isc_stdtime_t now, isc_mem_t *mctx,
+ dns_dnsseckeylist_t *keylist) {
+ isc_result_t result = ISC_R_SUCCESS;
+ dns_dnsseckeylist_t list;
+ dns_dnsseckey_t *key = NULL;
+ char namebuf[DNS_NAME_FORMATSIZE];
+ isc_buffer_t b;
+ unsigned int len;
+
+ REQUIRE(keylist != NULL);
+ ISC_LIST_INIT(list);
+
+ isc_buffer_init(&b, namebuf, sizeof(namebuf) - 1);
+ RETERR(dns_name_tofilenametext(origin, false, &b));
+ len = isc_buffer_usedlength(&b);
+ namebuf[len] = '\0';
+
+ if (kasp == NULL || (strcmp(dns_kasp_getname(kasp), "none") == 0) ||
+ (strcmp(dns_kasp_getname(kasp), "insecure") == 0))
+ {
+ RETERR(findmatchingkeys(keydir, namebuf, len, mctx, now,
+ &list));
+ } else if (keystores != NULL) {
+ for (dns_keystore_t *keystore = ISC_LIST_HEAD(*keystores);
+ keystore != NULL; keystore = ISC_LIST_NEXT(keystore, link))
+ {
+ for (dns_kasp_key_t *kkey =
+ ISC_LIST_HEAD(dns_kasp_keys(kasp));
+ kkey != NULL; kkey = ISC_LIST_NEXT(kkey, link))
+ {
+ if (dns_kasp_key_keystore(kkey) == keystore) {
+ const char *directory =
+ dns_keystore_directory(
+ keystore);
+ if (directory == NULL ||
+ (strcmp(dns_keystore_name(keystore),
+ DNS_KEYSTORE_KEYDIRECTORY) ==
+ 0))
+ {
+ directory = keydir;
+ }
+ RETERR(findmatchingkeys(
+ directory, namebuf, len, mctx,
+ now, &list));
+ break;
+ }
+ }
+ }
+ }
+
if (!ISC_LIST_EMPTY(list)) {
result = ISC_R_SUCCESS;
ISC_LIST_APPENDLIST(*keylist, list, link);
}
failure:
- if (dir_open) {
- isc_dir_close(&dir);
- }
- INSIST(key == NULL);
while ((key = ISC_LIST_HEAD(list)) != NULL) {
ISC_LIST_UNLINK(list, key, link);
INSIST(key->key != NULL);
dst_key_free(&key->key);
dns_dnsseckey_destroy(mctx, &key);
}
- if (dstkey != NULL) {
- dst_key_free(&dstkey);
- }
return (result);
}
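Review bot: In the new `dns_dnssec_findmatchingkeys`, a zone with a real policy (`kasp` set, name neither "none" nor "insecure") and `keystores == NULL` matches neither branch, so no directory is searched at all, not even `keydir`. Callers elsewhere in this change treat an empty result as benign (one sets `*inuse = false` and returns success on `ISC_R_NOTFOUND`), so a missing keystore list would look like "no keys exist" rather than a configuration error. Consider a trailing `else { RETERR(findmatchingkeys(keydir, namebuf, len, mctx, now, &list)); }`, or state in a comment that the silent skip is intended. Separately, two keystores that both resolve to `keydir` (a NULL directory and the `DNS_KEYSTORE_KEYDIRECTORY` store) appear to scan the same directory twice and append the same keys twice to `list`; remembering that `keydir` was already searched would avoid that.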
return (result);
}
+static isc_result_t
+keyfromfile(dns_kasp_t *kasp, const char *keydir, dst_key_t *key, int type,
+ isc_mem_t *mctx, dst_key_t **savekey) {
+ const char *directory = keydir;
+ isc_result_t result = ISC_R_NOTFOUND;
+
+ if (kasp == NULL || (strcmp(dns_kasp_getname(kasp), "none") == 0) ||
+ (strcmp(dns_kasp_getname(kasp), "insecure") == 0))
+ {
+ result = dst_key_fromfile(dst_key_name(key), dst_key_id(key),
+ dst_key_alg(key), type, directory,
+ mctx, savekey);
+ } else {
+ for (dns_kasp_key_t *kkey = ISC_LIST_HEAD(dns_kasp_keys(kasp));
+ kkey != NULL; kkey = ISC_LIST_NEXT(kkey, link))
+ {
+ dns_keystore_t *ks = dns_kasp_key_keystore(kkey);
+ if (ks == NULL ||
+ strcmp(dns_keystore_name(ks),
+ DNS_KEYSTORE_KEYDIRECTORY) == 0)
+ {
+ directory = keydir;
+ } else {
+ directory = dns_keystore_directory(ks);
+ }
+
+ result = dst_key_fromfile(dst_key_name(key),
+ dst_key_id(key),
+ dst_key_alg(key), type,
+ directory, mctx, savekey);
+ if (result == ISC_R_SUCCESS) {
+ break;
+ }
+ }
+ }
+
+ return (result);
+}
+
/*%
* Add the contents of a DNSKEY rdataset 'keyset' to 'keylist'.
*/
isc_result_t
-dns_dnssec_keylistfromrdataset(const dns_name_t *origin, const char *directory,
- isc_mem_t *mctx, dns_rdataset_t *keyset,
- dns_rdataset_t *keysigs, dns_rdataset_t *soasigs,
- bool savekeys, bool publickey,
- dns_dnsseckeylist_t *keylist) {
+dns_dnssec_keylistfromrdataset(const dns_name_t *origin, dns_kasp_t *kasp,
+ const char *directory, isc_mem_t *mctx,
+ dns_rdataset_t *keyset, dns_rdataset_t *keysigs,
+ dns_rdataset_t *soasigs, bool savekeys,
+ bool publickey, dns_dnsseckeylist_t *keylist) {
dns_rdataset_t keys;
dns_rdata_t rdata = DNS_RDATA_INIT;
dst_key_t *dnskey = NULL, *pubkey = NULL, *privkey = NULL;
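Review bot: `keyfromfile` starts with `result = ISC_R_NOTFOUND`, but the public-key call site later in this change only tolerates `ISC_R_FILENOTFOUND` and `ISC_R_NOPERM` before `RETERR(result)`. If the policy's key list can be empty, the loop never runs and the caller fails hard where the old code would have continued. `isc_result_t result = ISC_R_FILENOTFOUND;` would keep the previous behaviour. The directory choice also differs from `dns_dnssec_findmatchingkeys`: there a NULL `dns_keystore_directory()` falls back to `keydir`, while here it is passed straight to `dst_key_fromfile`, so the guard could read `if (ks == NULL || dns_keystore_directory(ks) == NULL || strcmp(...) == 0)`. Finally, each iteration overwrites `result`, so an `ISC_R_NOPERM` from one store is replaced by whatever the last store returns; a comment saying whether that is intended would help whoever reads the logs.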
}
/* Try to read the public key. */
- result = dst_key_fromfile(
- dst_key_name(dnskey), dst_key_id(dnskey),
- dst_key_alg(dnskey), (DST_TYPE_PUBLIC | DST_TYPE_STATE),
- directory, mctx, &pubkey);
+ result = keyfromfile(kasp, directory, dnskey,
+ (DST_TYPE_PUBLIC | DST_TYPE_STATE), mctx,
+ &pubkey);
if (result == ISC_R_FILENOTFOUND || result == ISC_R_NOPERM) {
result = ISC_R_SUCCESS;
}
RETERR(result);
/* Now read the private key. */
- result = dst_key_fromfile(
- dst_key_name(dnskey), dst_key_id(dnskey),
- dst_key_alg(dnskey),
+ result = keyfromfile(
+ kasp, directory, dnskey,
(DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_STATE),
- directory, mctx, &privkey);
+ mctx, &privkey);
/*
* If the key was revoked and the private file
if ((flags & DNS_KEYFLAG_REVOKE) != 0) {
dst_key_setflags(dnskey,
flags & ~DNS_KEYFLAG_REVOKE);
- result = dst_key_fromfile(
- dst_key_name(dnskey),
- dst_key_id(dnskey), dst_key_alg(dnskey),
- (DST_TYPE_PUBLIC | DST_TYPE_PRIVATE |
- DST_TYPE_STATE),
- directory, mctx, &privkey);
+ result = keyfromfile(kasp, directory, dnskey,
+ (DST_TYPE_PUBLIC |
+ DST_TYPE_PRIVATE |
+ DST_TYPE_STATE),
+ mctx, &privkey);
if (result == ISC_R_SUCCESS &&
dst_key_pubcompare(dnskey, privkey, false))
{
dst_key_alg(dnskey),
(DST_TYPE_PUBLIC | DST_TYPE_PRIVATE |
DST_TYPE_STATE),
- directory, mctx, &buf);
+ NULL, mctx, &buf);
if (result2 != ISC_R_SUCCESS) {
char namebuf[DNS_NAME_FORMATSIZE];
char algbuf[DNS_SECALG_FORMATSIZE];
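Review bot: The argument before `mctx, &buf` changes from `directory` to `NULL` without a comment, and the call it belongs to starts outside this hunk. If that call builds the file name used in the failure message below it, the message will no longer say which directory was tried, which matters more now that keys can live in several stores. A one-line comment such as `/* directory unknown: the key may be in any key store */` would record the reason, if that is the reason.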
#include <isc/stdtime.h>
#include <dns/diff.h>
+#include <dns/kasp.h>
#include <dns/types.h>
#include <dst/dst.h>
*/
isc_result_t
-dns_dnssec_findmatchingkeys(const dns_name_t *origin, const char *directory,
+dns_dnssec_findmatchingkeys(const dns_name_t *origin, dns_kasp_t *kasp,
+ const char *keydir, dns_keystorelist_t *keystores,
isc_stdtime_t now, isc_mem_t *mctx,
dns_dnsseckeylist_t *keylist);
/*%<
- * Search 'directory' for K* key files matching the name in 'origin'.
+ * Search for K* key files matching the name in 'origin'. If 'kasp' is not
+ * NULL, search in the directories used in 'keystores'. Otherwise search in the
+ * key-directory 'keydir'.
+ *
* Append all such keys, along with use hints gleaned from their
* metadata, onto 'keylist'. Skip any unsupported algorithms.
*
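Review bot: The updated contract for `dns_dnssec_findmatchingkeys` says that a non-NULL `kasp` means the `keystores` directories are searched, but the implementation in this change also uses `keydir` when the policy is named "none" or "insecure", and for a keystore with no directory or the key-directory store. It also leaves the `kasp != NULL` with `keystores == NULL` case undefined. I would extend the comment to list those cases and note that `keystores` may be NULL, so callers know what a NULL list does.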
*/
isc_result_t
-dns_dnssec_keylistfromrdataset(const dns_name_t *origin, const char *directory,
- isc_mem_t *mctx, dns_rdataset_t *keyset,
- dns_rdataset_t *keysigs, dns_rdataset_t *soasigs,
- bool savekeys, bool publickey,
- dns_dnsseckeylist_t *keylist);
+dns_dnssec_keylistfromrdataset(const dns_name_t *origin, dns_kasp_t *kasp,
+ const char *directory, isc_mem_t *mctx,
+ dns_rdataset_t *keyset, dns_rdataset_t *keysigs,
+ dns_rdataset_t *soasigs, bool savekeys,
+ bool publickey, dns_dnsseckeylist_t *keylist);
/*%<
* Append the contents of a DNSKEY rdataset 'keyset' to 'keylist'.
- * Omit duplicates. If 'publickey' is false, search 'directory' for
- * matching key files, and load the private keys that go with
- * the public ones. If 'savekeys' is true, mark the keys so
- * they will not be deleted or inactivated regardless of metadata.
+ * Omit duplicates. If 'publickey' is false, search the key stores referenced
+ * in 'kasp', or 'directory' if 'kasp' is NULL, for matching key files, and
+ * load the private keys that go with the public ones. If 'savekeys' is true,
+ * mark the keys so they will not be deleted or inactivated regardless of
+ * metadata.
*
* 'keysigs' and 'soasigs', if not NULL and associated, contain the
* RRSIGS for the DNSKEY and SOA records respectively and are used to mark
dns_zone_setkeydirectory(dns_zone_t *zone, const char *directory);
/*%<
* Sets the name of the directory where private keys used for
- * online signing of dynamic zones are found.
+ * online signing or dynamic zones are found.
*
* Require:
*\li 'zone' to be a valid zone.
* Pointer to null-terminated file name, or NULL.
*/
+void
+dns_zone_setkeystores(dns_zone_t *zone, dns_keystorelist_t *keystores);
+/*%<
+ * Sets the keystore list where private keys used for
+ * online signing or dynamic zones are found.
+ *
+ * Require:
+ *\li 'zone' to be a valid zone.
+ */
+
+dns_keystorelist_t *
+dns_zone_getkeystores(dns_zone_t *zone);
+/*%<
+ * Gets the keystore list where private keys used for
+ * online signing or dynamic zones are found.
+ *
+ * Require:
+ *\li 'zone' to be a valid zone.
+ *
+ * Returns:
+ * Pointer to the keystore list, or NULL.
+ */
+
isc_result_t
dns_zone_getdnsseckeys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
isc_stdtime_t now, dns_dnsseckeylist_t *keys);
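Review bot: The new `dns_zone_setkeystores` documentation does not say who owns `keystores`; the implementation in this change stores the pointer as-is, so the list has to outlive the zone and is not copied. I would add that to the comment, plus a line that `keystores` may be NULL if that is allowed. The phrase "online signing or dynamic zones are found" is hard to parse in all three comments; if "of" was meant, the edit to the `dns_zone_setkeydirectory` text looks like a slip that was then copied.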
unsigned int count = 0;
isc_result_t result;
isc_stdtime_t now = isc_stdtime_now();
+ dns_kasp_t *kasp;
+ dns_keystorelist_t *keystores;
+ const char *keydir;
ISC_LIST_INIT(keylist);
+ kasp = dns_zone_getkasp(zone);
+ keydir = dns_zone_getkeydirectory(zone);
+ keystores = dns_zone_getkeystores(zone);
+
dns_zone_lock_keyfiles(zone);
- result = dns_dnssec_findmatchingkeys(dns_zone_getorigin(zone),
- dns_zone_getkeydirectory(zone),
- now, mctx, &keylist);
+ result = dns_dnssec_findmatchingkeys(dns_zone_getorigin(zone), kasp,
+ keydir, keystores, now, mctx,
+ &keylist);
dns_zone_unlock_keyfiles(zone);
if (result != ISC_R_SUCCESS) {
isc_stdtime_t log_key_expired_timer;
char *keydirectory;
dns_keyfileio_t *kfio;
+ dns_keystorelist_t *keystores;
uint32_t maxrefresh;
uint32_t minrefresh;
/* Get keys from private key files. */
dns_zone_lock_keyfiles(zone);
- result = dns_dnssec_findmatchingkeys(origin, dir, now,
- dns_zone_getmctx(zone), keys);
+ result = dns_dnssec_findmatchingkeys(origin, kasp, dir, zone->keystores,
+ now, dns_zone_getmctx(zone), keys);
dns_zone_unlock_keyfiles(zone);
if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
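Review bot: This call passes `zone->keystores` directly, while the other updated callers use `dns_zone_getkeystores(zone)`, which redirects to `zone->secure->keystores` for an inline raw zone. The later call that passes `&zone->origin, kasp, dir, zone->keystores` does the same. How `kasp` and `dir` are obtained is outside both hunks, but if they come from getters that redirect to the secure zone, the policy and the keystore list could come from different zones, and the pointer comparison `dns_kasp_key_keystore(kkey) == keystore` would then never match. Using `dns_zone_getkeystores(zone)` here would keep the three inputs consistent; if the zone lock is already held at these sites, a comment saying so would explain the direct field access.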
dns_rdatatype_none, 0, &keyset, NULL);
if (result == ISC_R_SUCCESS) {
CHECK(dns_dnssec_keylistfromrdataset(
- origin, dir, dns_zone_getmctx(zone), &keyset, NULL,
- NULL, false, false, &dnskeys));
+ origin, kasp, dir, dns_zone_getmctx(zone), &keyset,
+ NULL, NULL, false, false, &dnskeys));
} else if (result != ISC_R_NOTFOUND) {
CHECK(result);
}
isc_result_t result = ISC_R_SUCCESS;
isc_stdtime_t now = isc_stdtime_now();
isc_mem_t *mctx;
+ dns_kasp_t *kasp;
+ dns_keystorelist_t *keystores;
+ const char *keydir;
REQUIRE(DNS_ZONE_VALID(zone));
REQUIRE(dns_rdatatype_iskeymaterial(rdata->type));
*inuse = false;
+ kasp = dns_zone_getkasp(zone);
+ keydir = dns_zone_getkeydirectory(zone);
+ keystores = dns_zone_getkeystores(zone);
+
dns_zone_lock_keyfiles(zone);
- result = dns_dnssec_findmatchingkeys(dns_zone_getorigin(zone),
- dns_zone_getkeydirectory(zone),
- now, mctx, &keylist);
+ result = dns_dnssec_findmatchingkeys(dns_zone_getorigin(zone), kasp,
+ keydir, keystores, now, mctx,
+ &keylist);
dns_zone_unlock_keyfiles(zone);
if (result == ISC_R_NOTFOUND) {
return (ISC_R_SUCCESS);
return (zone->keydirectory);
}
+void
+dns_zone_setkeystores(dns_zone_t *zone, dns_keystorelist_t *keystores) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ LOCK_ZONE(zone);
+ zone->keystores = keystores;
+ UNLOCK_ZONE(zone);
+}
+
+dns_keystorelist_t *
+dns_zone_getkeystores(dns_zone_t *zone) {
+ dns_keystorelist_t *ks = NULL;
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ LOCK_ZONE(zone);
+ if (inline_raw(zone) && zone->secure != NULL) {
+ ks = zone->secure->keystores;
+ } else {
+ ks = zone->keystores;
+ }
+ UNLOCK_ZONE(zone);
+
+ return (ks);
+}
+
unsigned int
dns_zonemgr_getcount(dns_zonemgr_t *zmgr, int state) {
dns_zone_t *zone;
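Review bot: `dns_zone_setkeystores` stores a borrowed pointer, and `dns_zone_getkeystores` returns it after `UNLOCK_ZONE`, so the zone lock covers only the pointer read and not the list that callers then walk with `ISC_LIST_HEAD`/`ISC_LIST_NEXT`. The pointer handed in is the address of the server's `keystorelist`, and nothing in this change shows what stops a reconfiguration from adding or freeing entries while a zone is iterating under only the keyfile lock. If an existing mechanism guarantees this (the loop manager pause seen around `configure_zone`, for example), a comment on the setter naming it would make the lifetime rule checkable. The comment at the call in `named_zone_configure` says "save a reference", but no reference count is taken. The getter also reads `zone->secure->keystores` while holding only the raw zone's lock.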
dns_zone_lock_keyfiles(zone);
result = dns_dnssec_keylistfromrdataset(
- &zone->origin, dir, mctx, &keyset, &keysigs, &soasigs,
- false, false, &dnskeys);
+ &zone->origin, kasp, dir, mctx, &keyset, &keysigs,
+ &soasigs, false, false, &dnskeys);
dns_zone_unlock_keyfiles(zone);
KASP_LOCK(kasp);
dns_zone_lock_keyfiles(zone);
- result = dns_dnssec_findmatchingkeys(&zone->origin, dir, now, mctx,
- &keys);
+ result = dns_dnssec_findmatchingkeys(&zone->origin, kasp, dir,
+ zone->keystores, now, mctx, &keys);
dns_zone_unlock_keyfiles(zone);
if (result != ISC_R_SUCCESS) {