Extract check_apex_rrsets() from dns_zoneverify_dnssec()
authorMichał Kępień <michal@isc.org>
Fri, 15 Jun 2018 07:59:20 +0000 (09:59 +0200)
committerMichał Kępień <michal@isc.org>
Fri, 15 Jun 2018 08:10:24 +0000 (10:10 +0200)
Extract the part of dns_zoneverify_dnssec() responsible for fetching and
preliminarily checking the DNSKEY, SOA, NSEC, and NSEC3PARAM RRsets at the
zone apex into a separate function.

lib/dns/zoneverify.c

index c13b83a51bcccdaba63e4abe37bcea291be0cb23..5e4da21569cca5845240f96870d34f6576f7249e 100644 (file)
@@ -1157,79 +1157,87 @@ vctx_destroy(vctx_t *vctx) {
        isc_heap_destroy(&vctx->found_chains);
 }
 
-void
-dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
-                     dns_name_t *origin, isc_mem_t *mctx,
-                     isc_boolean_t ignore_kskflag,
-                     isc_boolean_t keyset_kskonly)
-{
-       char algbuf[80];
-       dns_dbiterator_t *dbiter = NULL;
-       dns_dbnode_t *node = NULL, *nextnode = NULL;
-       dns_fixedname_t fname, fnextname, fprevname, fzonecut;
-       dns_name_t *name, *nextname, *prevname, *zonecut;
-       dns_rdata_dnskey_t dnskey;
-       dns_rdata_t rdata = DNS_RDATA_INIT;
-       int i;
-       isc_boolean_t done = ISC_FALSE;
-       isc_boolean_t first = ISC_TRUE;
-       isc_result_t result, vresult = ISC_R_UNSET;
-       vctx_t vctx;
-
-       result = vctx_init(&vctx, mctx, zone, db, ver, origin);
-       if (result != ISC_R_SUCCESS) {
-               return;
-       }
+static void
+check_apex_rrsets(vctx_t *vctx) {
+       dns_dbnode_t *node = NULL;
+       isc_result_t result;
 
-       result = dns_db_findnode(vctx.db, vctx.origin, ISC_FALSE, &node);
+       result = dns_db_findnode(vctx->db, vctx->origin, ISC_FALSE, &node);
        if (result != ISC_R_SUCCESS)
                fatal("failed to find the zone's origin: %s",
                      isc_result_totext(result));
 
-       result = dns_db_findrdataset(vctx.db, node, vctx.ver,
-                                    dns_rdatatype_dnskey, 0, 0, &vctx.keyset,
-                                    &vctx.keysigs);
+       result = dns_db_findrdataset(vctx->db, node, vctx->ver,
+                                    dns_rdatatype_dnskey, 0, 0,
+                                    &vctx->keyset, &vctx->keysigs);
        if (result != ISC_R_SUCCESS)
                fatal("Zone contains no DNSSEC keys\n");
 
-       result = dns_db_findrdataset(vctx.db, node, vctx.ver,
-                                    dns_rdatatype_soa, 0, 0, &vctx.soaset,
-                                    &vctx.soasigs);
+       result = dns_db_findrdataset(vctx->db, node, vctx->ver,
+                                    dns_rdatatype_soa, 0, 0,
+                                    &vctx->soaset, &vctx->soasigs);
        if (result != ISC_R_SUCCESS)
                fatal("Zone contains no SOA record\n");
 
-       result = dns_db_findrdataset(vctx.db, node, vctx.ver,
-                                    dns_rdatatype_nsec, 0, 0, &vctx.nsecset,
-                                    &vctx.nsecsigs);
+       result = dns_db_findrdataset(vctx->db, node, vctx->ver,
+                                    dns_rdatatype_nsec, 0, 0,
+                                    &vctx->nsecset, &vctx->nsecsigs);
        if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND)
                fatal("NSEC lookup failed\n");
 
-       result = dns_db_findrdataset(vctx.db, node, vctx.ver,
+       result = dns_db_findrdataset(vctx->db, node, vctx->ver,
                                     dns_rdatatype_nsec3param, 0, 0,
-                                    &vctx.nsec3paramset,
-                                    &vctx.nsec3paramsigs);
+                                    &vctx->nsec3paramset,
+                                    &vctx->nsec3paramsigs);
        if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND)
                fatal("NSEC3PARAM lookup failed\n");
 
-       if (!dns_rdataset_isassociated(&vctx.keysigs))
+       if (!dns_rdataset_isassociated(&vctx->keysigs))
                fatal("DNSKEY is not signed (keys offline or inactive?)\n");
 
-       if (!dns_rdataset_isassociated(&vctx.soasigs))
+       if (!dns_rdataset_isassociated(&vctx->soasigs))
                fatal("SOA is not signed (keys offline or inactive?)\n");
 
-       if (dns_rdataset_isassociated(&vctx.nsecset) &&
-           !dns_rdataset_isassociated(&vctx.nsecsigs))
+       if (dns_rdataset_isassociated(&vctx->nsecset) &&
+           !dns_rdataset_isassociated(&vctx->nsecsigs))
                fatal("NSEC is not signed (keys offline or inactive?)\n");
 
-       if (dns_rdataset_isassociated(&vctx.nsec3paramset) &&
-           !dns_rdataset_isassociated(&vctx.nsec3paramsigs))
+       if (dns_rdataset_isassociated(&vctx->nsec3paramset) &&
+           !dns_rdataset_isassociated(&vctx->nsec3paramsigs))
                fatal("NSEC3PARAM is not signed (keys offline or inactive?)\n");
 
-       if (!dns_rdataset_isassociated(&vctx.nsecset) &&
-           !dns_rdataset_isassociated(&vctx.nsec3paramset))
+       if (!dns_rdataset_isassociated(&vctx->nsecset) &&
+           !dns_rdataset_isassociated(&vctx->nsec3paramset))
                fatal("No valid NSEC/NSEC3 chain for testing\n");
 
-       dns_db_detachnode(vctx.db, &node);
+       dns_db_detachnode(vctx->db, &node);
+}
+
+void
+dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
+                     dns_name_t *origin, isc_mem_t *mctx,
+                     isc_boolean_t ignore_kskflag,
+                     isc_boolean_t keyset_kskonly)
+{
+       char algbuf[80];
+       dns_dbiterator_t *dbiter = NULL;
+       dns_dbnode_t *node = NULL, *nextnode = NULL;
+       dns_fixedname_t fname, fnextname, fprevname, fzonecut;
+       dns_name_t *name, *nextname, *prevname, *zonecut;
+       dns_rdata_dnskey_t dnskey;
+       dns_rdata_t rdata = DNS_RDATA_INIT;
+       int i;
+       isc_boolean_t done = ISC_FALSE;
+       isc_boolean_t first = ISC_TRUE;
+       isc_result_t result, vresult = ISC_R_UNSET;
+       vctx_t vctx;
+
+       result = vctx_init(&vctx, mctx, zone, db, ver, origin);
+       if (result != ISC_R_SUCCESS) {
+               return;
+       }
+
+       check_apex_rrsets(&vctx);
 
        /*
         * Check that the DNSKEY RR has at least one self signing KSK
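Review bot: The new static function check_apex_rrsets(), introduced at the `static void` line of this hunk, has no comment stating its contract, and since it both fills in vctx and terminates the process on failure that contract is not recoverable from the signature. I would add a block comment above it saying that it looks up the DNSKEY, SOA, NSEC and NSEC3PARAM RRsets and their RRSIGs at the zone apex into vctx->keyset, soaset, nsecset and nsec3paramset (plus the matching *sigs members), and that it calls fatal() when the origin node cannot be found, when DNSKEY or SOA is absent or unsigned, when a present NSEC or NSEC3PARAM set is unsigned, or when neither an NSEC nor an NSEC3PARAM set exists; the rdatasets it leaves associated in vctx are presumably released by vctx_destroy(), which the comment should state once confirmed. The comment should also record that the apex node is detached only on the success path, which is correct only as long as fatal() never returns — the inlined code had the same property, so this is a documentation point rather than a new defect. dns_zoneverify_dnssec()'s body continues past the end of the hunk.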