Don't add signing records for dyn update DNSKEY
authorMatthijs Mekking <matthijs@isc.org>
Thu, 29 Jun 2023 08:43:40 +0000 (10:43 +0200)
committerMatthijs Mekking <matthijs@isc.org>
Tue, 18 Jul 2023 13:38:53 +0000 (15:38 +0200)
We removed DNSSEC management via dynamic update (see issue #3686),
which means we should also no longer add signing records (of private
type) for DNSKEY records added via dynamic update.

bin/tests/system/dnssec/tests.sh
lib/ns/update.c

index 01d7924b86c6ff9ed3380ad017c42f517559a6e7..33f9a4c4903ec895a721971dab2400ceee354845 100644 (file)
@@ -2775,7 +2775,7 @@ echo send
 dig_with_opts +dnssec a update-nsec3.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
 grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
 grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1
-grep "NSEC3 .* TYPE65534" dig.out.ns4.test$n > /dev/null || ret=1
+grep "NSEC3 1 0 0 - .*" dig.out.ns4.test$n > /dev/null || ret=1
 n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
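Review bot: The new pattern `"NSEC3 1 0 0 - .*"` ends in a `.*` that matches nothing extra, so the assertion is only that an NSEC3 record with hash algorithm 1, flags 0, 0 iterations and an empty salt appears in the answer; `grep "NSEC3 1 0 0 - " dig.out.ns4.test$n > /dev/null || ret=1` states the same check without the redundant suffix. The old line asserted that TYPE65534 was present in the NSEC3 type bitmap, and the replacement merely drops that expectation instead of asserting its absence, which is what the commit message implies for DNSKEYs added via dynamic update. If a private-type record can still legitimately be present at this point for other reasons (the update-nsec3.example zone name suggests NSEC3PARAM handling may still create one), an absence check would be wrong, so `grep "TYPE65534" dig.out.ns4.test$n > /dev/null && ret=1` should only be added after confirming that. The surrounding test case begins before the hunk.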
index 7d2f570953bd86add530d615f581835b3f427de7..390c97e1677fb51f8ddcedd2a288f543735388a7 100644 (file)
@@ -2717,147 +2717,6 @@ failure:
        return (result);
 }
 
-/*
- * Add records to cause the delayed signing of the zone by added DNSKEY
- * to remove the RRSIG records generated by a deleted DNSKEY.
- */
-static isc_result_t
-add_signing_records(dns_db_t *db, dns_rdatatype_t privatetype,
-                   dns_dbversion_t *ver, dns_diff_t *diff) {
-       dns_difftuple_t *tuple, *newtuple = NULL, *next;
-       dns_rdata_dnskey_t dnskey;
-       dns_rdata_t rdata = DNS_RDATA_INIT;
-       bool flag;
-       isc_region_t r;
-       isc_result_t result = ISC_R_SUCCESS;
-       uint16_t keyid;
-       unsigned char buf[5];
-       dns_name_t *name = dns_db_origin(db);
-       dns_diff_t temp_diff;
-
-       dns_diff_init(diff->mctx, &temp_diff);
-
-       /*
-        * Extract the DNSKEY tuples from the list.
-        */
-       for (tuple = ISC_LIST_HEAD(diff->tuples); tuple != NULL; tuple = next) {
-               next = ISC_LIST_NEXT(tuple, link);
-
-               if (tuple->rdata.type != dns_rdatatype_dnskey) {
-                       continue;
-               }
-
-               ISC_LIST_UNLINK(diff->tuples, tuple, link);
-               ISC_LIST_APPEND(temp_diff.tuples, tuple, link);
-       }
-
-       /*
-        * Extract TTL changes pairs, we don't need signing records for these.
-        */
-       for (tuple = ISC_LIST_HEAD(temp_diff.tuples); tuple != NULL;
-            tuple = next)
-       {
-               if (tuple->op == DNS_DIFFOP_ADD) {
-                       /*
-                        * Walk the temp_diff list looking for the
-                        * corresponding delete.
-                        */
-                       next = ISC_LIST_HEAD(temp_diff.tuples);
-                       while (next != NULL) {
-                               unsigned char *next_data = next->rdata.data;
-                               unsigned char *tuple_data = tuple->rdata.data;
-                               if (next->op == DNS_DIFFOP_DEL &&
-                                   dns_name_equal(&tuple->name, &next->name) &&
-                                   next->rdata.length == tuple->rdata.length &&
-                                   !memcmp(next_data, tuple_data,
-                                           next->rdata.length))
-                               {
-                                       ISC_LIST_UNLINK(temp_diff.tuples, next,
-                                                       link);
-                                       ISC_LIST_APPEND(diff->tuples, next,
-                                                       link);
-                                       break;
-                               }
-                               next = ISC_LIST_NEXT(next, link);
-                       }
-                       /*
-                        * If we have not found a pair move onto the next
-                        * tuple.
-                        */
-                       if (next == NULL) {
-                               next = ISC_LIST_NEXT(tuple, link);
-                               continue;
-                       }
-                       /*
-                        * Find the next tuple to be processed before
-                        * unlinking then complete moving the pair to 'diff'.
-                        */
-                       next = ISC_LIST_NEXT(tuple, link);
-                       ISC_LIST_UNLINK(temp_diff.tuples, tuple, link);
-                       ISC_LIST_APPEND(diff->tuples, tuple, link);
-               } else {
-                       next = ISC_LIST_NEXT(tuple, link);
-               }
-       }
-
-       /*
-        * Process the remaining DNSKEY entries.
-        */
-       for (tuple = ISC_LIST_HEAD(temp_diff.tuples); tuple != NULL;
-            tuple = ISC_LIST_HEAD(temp_diff.tuples))
-       {
-               ISC_LIST_UNLINK(temp_diff.tuples, tuple, link);
-               ISC_LIST_APPEND(diff->tuples, tuple, link);
-
-               result = dns_rdata_tostruct(&tuple->rdata, &dnskey, NULL);
-               RUNTIME_CHECK(result == ISC_R_SUCCESS);
-               if ((dnskey.flags & (DNS_KEYFLAG_OWNERMASK |
-                                    DNS_KEYTYPE_NOAUTH)) != DNS_KEYOWNER_ZONE)
-               {
-                       continue;
-               }
-
-               dns_rdata_toregion(&tuple->rdata, &r);
-
-               keyid = dst_region_computeid(&r);
-
-               buf[0] = dnskey.algorithm;
-               buf[1] = (keyid & 0xff00) >> 8;
-               buf[2] = (keyid & 0xff);
-               buf[3] = (tuple->op == DNS_DIFFOP_ADD) ? 0 : 1;
-               buf[4] = 0;
-               rdata.data = buf;
-               rdata.length = sizeof(buf);
-               rdata.type = privatetype;
-               rdata.rdclass = tuple->rdata.rdclass;
-
-               CHECK(rr_exists(db, ver, name, &rdata, &flag));
-               if (flag) {
-                       continue;
-               }
-               CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, name, 0,
-                                          &rdata, &newtuple));
-               CHECK(do_one_tuple(&newtuple, db, ver, diff));
-               INSIST(newtuple == NULL);
-               /*
-                * Remove any record which says this operation has already
-                * completed.
-                */
-               buf[4] = 1;
-               CHECK(rr_exists(db, ver, name, &rdata, &flag));
-               if (flag) {
-                       CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL,
-                                                  name, 0, &rdata, &newtuple));
-                       CHECK(do_one_tuple(&newtuple, db, ver, diff));
-                       INSIST(newtuple == NULL);
-               }
-       }
-
-failure:
-       dns_diff_clear(&temp_diff);
-       return (result);
-}
-
 static bool
 isdnssec(dns_db_t *db, dns_dbversion_t *ver, dns_rdatatype_t privatetype) {
        isc_result_t result;
@@ -3484,10 +3343,6 @@ update_action(void *arg) {
 
                CHECK(rollback_private(db, privatetype, ver, &diff));
 
-               if (is_signing) {
-                       CHECK(add_signing_records(db, privatetype, ver, &diff));
-               }
-
                CHECK(add_nsec3param_records(client, zone, db, ver, &diff));
 
                if (is_signing && had_dnskey && !has_dnskey) {