git.ipfire.org Git - thirdparty/bind9.git/commit

author	Evan Hunt <each@isc.org>
	Tue, 17 Sep 2019 04:06:23 +0000 (21:06 -0700)
committer	Evan Hunt <each@isc.org>
	Fri, 15 Nov 2019 23:47:56 +0000 (15:47 -0800)
commit	854af5a353eb97d1a0ca840dea45ac1305a29dd2
tree	9713730b321e34688326a10f6417256239329c17	tree \| snapshot
parent	1a8348e2b45891e4297e7c1e6d2c7fe8b65cd508	commit \| diff

allow DS trust anchors to be set in keytable

note: this is a frankensteinian kluge which needs further refactoring.

the keytable started as an RBT where the node->data points to a list of
dns_keynode structures, each of which points to a single dst_key.
later it was modified so that the list could instead point to a single
"null" keynode structure, which does not reference a key; this means
a trust anchor has been configured but the RFC 5011 refresh failed.

in this branch it is further updated to allow the first keynode in
the list to point to an rdatalist of DS-style trust anchors. these will
be used by the validator to populate 'val->dsset' when validating a zone
key.

a DS style trust anchor can be updated as a result of RFC 5011
processing to contain DST keys instead; this results in the DS list
being freed. the reverse is not possible; attempting to add a DS-style
trust anchor if a key-style trust anchor is already in place results
in an error.

later, this should be refactored to use rdatalists for both DS-style
and key-style trust anchors, but we're keeping the existing code for
old-style trust anchors for now.

bin/named/server.c		diff \| blob \| blame \| history
lib/dns/client.c		diff \| blob \| blame \| history
lib/dns/include/dns/keytable.h		diff \| blob \| blame \| history
lib/dns/keytable.c		diff \| blob \| blame \| history
lib/dns/tests/keytable_test.c		diff \| blob \| blame \| history
lib/dns/win32/libdns.def.in		diff \| blob \| blame \| history
lib/dns/zone.c		diff \| blob \| blame \| history