Propagate dns_zoneverify_dnssec() errors to callers
authorMichał Kępień <michal@isc.org>
Fri, 15 Jun 2018 07:59:20 +0000 (09:59 +0200)
committerMichał Kępień <michal@isc.org>
Fri, 15 Jun 2018 08:40:59 +0000 (10:40 +0200)
Since exit() is no longer called upon any dns_zoneverify_dnssec() error,
verification failures should be signalled to callers.  Make
dns_zoneverify_dnssec() return an isc_result_t and handle both success
and error appropriately in bin/dnssec/dnssec-signzone.c and
bin/dnssec/dnssec-verify.c.  This enables memory leak detection during
shutdown of these tools and causes dnssec-signzone to print signing
statistics even when zone verification fails.

bin/dnssec/dnssec-signzone.c
bin/dnssec/dnssec-verify.c
lib/dns/include/dns/zoneverify.h
lib/dns/zoneverify.c

index 3d3e6f80f1eee6b381b8534ebcb5744ab09bc4f6..2747c627fd0d5a9e54b4d57327a809a3f7aa07cc 100644 (file)
@@ -3227,7 +3227,7 @@ main(int argc, char *argv[]) {
        isc_time_t timer_start, timer_finish;
        isc_time_t sign_start, sign_finish;
        dns_dnsseckey_t *key;
-       isc_result_t result;
+       isc_result_t result, vresult;
        isc_log_t *log = NULL;
 #ifdef USE_PKCS11
        const char *engine = PKCS11_ENGINE;
@@ -3912,9 +3912,18 @@ main(int argc, char *argv[]) {
        postsign();
        TIME_NOW(&sign_finish);
 
-       if (!disable_zone_check)
-               dns_zoneverify_dnssec(NULL, gdb, gversion, gorigin, mctx,
-                                     ignore_kskflag, keyset_kskonly);
+       if (disable_zone_check) {
+               vresult = ISC_R_SUCCESS;
+       } else {
+               vresult = dns_zoneverify_dnssec(NULL, gdb, gversion, gorigin,
+                                               mctx, ignore_kskflag,
+                                               keyset_kskonly);
+               if (vresult != ISC_R_SUCCESS) {
+                       fprintf(output_stdout ? stderr : stdout,
+                               "Zone verification failed (%s)\n",
+                               isc_result_totext(vresult));
+               }
+       }
 
        if (outputformat != dns_masterformat_text) {
                dns_masterrawheader_t header;
@@ -3940,12 +3949,16 @@ main(int argc, char *argv[]) {
                check_result(result, "isc_stdio_close");
                removefile = ISC_FALSE;
 
-               result = isc_file_rename(tempfile, output);
-               if (result != ISC_R_SUCCESS)
-                       fatal("failed to rename temp file to %s: %s",
-                             output, isc_result_totext(result));
-
-               printf("%s\n", output);
+               if (vresult == ISC_R_SUCCESS) {
+                       result = isc_file_rename(tempfile, output);
+                       if (result != ISC_R_SUCCESS) {
+                               fatal("failed to rename temp file to %s: %s",
+                                     output, isc_result_totext(result));
+                       }
+                       printf("%s\n", output);
+               } else {
+                       isc_file_remove(tempfile);
+               }
        }
 
        dns_db_closeversion(gdb, &gversion, ISC_FALSE);
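Review bot: The failure branch calls `isc_file_remove(tempfile);` and discards its result, so if the removal fails the signed zone that did not verify stays on disk under the temporary name with no warning. Checking it would make that visible, e.g. `result = isc_file_remove(tempfile);` followed by `if (result != ISC_R_SUCCESS) fprintf(stderr, "failed to remove %s: %s\n", tempfile, isc_result_totext(result));`. The block this hunk modifies opens outside the hunk; if it is the branch taken only when output goes to a file, then in stdout mode the zone data has presumably already been written by the time verification fails, and the non-zero exit status is the only signal a consumer gets. A short comment here stating that the rename is the publish step and is skipped on verification failure would help the next reader.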
@@ -3985,5 +3998,5 @@ main(int argc, char *argv[]) {
 #ifdef _WIN32
        DestroySockets();
 #endif
-       return (0);
+       return (vresult == ISC_R_SUCCESS ? 0 : 1);
 }
index 48b9e0b18681c9212373f080e26103b1ba24628f..3fb5fa2c4923bf538f76e6d47a45fe1c2ac290df 100644 (file)
@@ -323,8 +323,8 @@ main(int argc, char *argv[]) {
        result = dns_db_newversion(gdb, &gversion);
        check_result(result, "dns_db_newversion()");
 
-       dns_zoneverify_dnssec(NULL, gdb, gversion, gorigin, mctx,
-                             ignore_kskflag, keyset_kskonly);
+       result = dns_zoneverify_dnssec(NULL, gdb, gversion, gorigin, mctx,
+                                      ignore_kskflag, keyset_kskonly);
 
        dns_db_closeversion(gdb, &gversion, ISC_FALSE);
        dns_db_detach(&gdb);
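Review bot: The verification status is stored in the general-purpose `result` variable and only read at the `return` in the following hunk (`return (result == ISC_R_SUCCESS ? 0 : 1);`), so any later assignment to `result` in the cleanup code between the two hunks would silently replace it. The visible cleanup lines do not assign it, but the lines between the hunks are not shown. dnssec-signzone.c in this same commit uses a dedicated `vresult` for exactly this purpose; doing the same here, `vresult = dns_zoneverify_dnssec(...)` and `return (vresult == ISC_R_SUCCESS ? 0 : 1);`, keeps the exit status tied to the verification outcome and makes the two tools consistent.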
@@ -338,5 +338,5 @@ main(int argc, char *argv[]) {
 
        (void) isc_app_finish();
 
-       return (0);
+       return (result == ISC_R_SUCCESS ? 0 : 1);
 }
index 090fcc2f9b66b03ea3446a5358c1452e0202a420..0e491c23ddef9123eac8eb29ea9baed2c4715111 100644 (file)
@@ -31,7 +31,7 @@ ISC_LANG_BEGINDECLS
  *   The rest of the zone was signed with at least one of the ZSKs
  *   present in the DNSKEY RRSET.
  */
-void
+isc_result_t
 dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
                      dns_name_t *origin, isc_mem_t *mctx,
                      isc_boolean_t ignore_kskflag,
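Review bot: The prototype now returns `isc_result_t`, but the visible tail of the doc comment above it only describes what is verified and says nothing about the return value. The comment starts outside this hunk, so it may already have a section for this. If not, a `Returns:` entry should be added stating that `ISC_R_SUCCESS` means the zone verified and that any other value means verification failed or could not be completed. Callers now decide on that value whether to publish the signed zone, so the contract belongs in the header.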
index 7c847d17c3ba3fa6183859addd58c5d277aa1407..b3437156e963fd35f75c8161e0279d95f199f503 100644 (file)
@@ -1809,7 +1809,7 @@ print_summary(const vctx_t *vctx, isc_boolean_t keyset_kskonly) {
        }
 }
 
-void
+isc_result_t
 dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
                      dns_name_t *origin, isc_mem_t *mctx,
                      isc_boolean_t ignore_kskflag,
@@ -1820,7 +1820,7 @@ dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
 
        result = vctx_init(&vctx, mctx, zone, db, ver, origin);
        if (result != ISC_R_SUCCESS) {
-               return;
+               return (result);
        }
 
        result = check_apex_rrsets(&vctx);
@@ -1879,4 +1879,6 @@ dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
 
  done:
        vctx_destroy(&vctx);
+
+       return (result);
 }
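Review bot: The value returned after `done:` is whatever `result` holds when control arrives there, and the function body between the previous hunk and this one is not visible. Before this change a check that printed an error and jumped to `done` without setting `result` to a failure code was harmless; now it would make dnssec-verify exit 0 and let dnssec-signzone rename the temp file into place. It is worth confirming that every failing path sets `result`, and recording that above the label with a comment such as `/* result must be a failure code on every path that reaches here after a verification error; callers publish the zone on ISC_R_SUCCESS. */`.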