Style: some curly brackets
authorMatthijs Mekking <matthijs@isc.org>
Thu, 14 Mar 2019 08:44:01 +0000 (09:44 +0100)
committerMatthijs Mekking <matthijs@isc.org>
Thu, 11 Apr 2019 13:22:30 +0000 (15:22 +0200)
lib/dns/update.c
lib/dns/zone.c

index 52adfe656618a283ff42dd920d703106b77a3f0f..745256bf30e8e0c34f1debdc732085251a6abcf4 100644 (file)
@@ -1106,10 +1106,13 @@ add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
        for (i = 0; i < nkeys; i++) {
                bool both = false;
 
-               if (!dst_key_isprivate(keys[i]))
+               /* Don't add signatures for offline or inactive keys */
+               if (!dst_key_isprivate(keys[i])) {
                        continue;
-               if (dst_key_inactive(keys[i]))  /* Should be redundant. */
+               }
+               if (dst_key_inactive(keys[i])) {
                        continue;
+               }
 
                if (check_ksk && !REVOKE(keys[i])) {
                        bool have_ksk, have_nonksk;
@@ -1121,21 +1124,31 @@ add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
                                have_nonksk = true;
                        }
                        for (j = 0; j < nkeys; j++) {
-                               if (j == i || ALG(keys[i]) != ALG(keys[j]))
-                                       continue;
-                               if (!dst_key_isprivate(keys[j]))
+                               if (j == i || ALG(keys[i]) != ALG(keys[j])) {
                                        continue;
-                               if (dst_key_inactive(keys[j]))  /* SBR */
+                               }
+
+                               /* Don't consider inactive keys, however
+                                * the key may be temporary offline, so do
+                                * consider keys which private key files are
+                                * unavailable.
+                                */
+                               if (dst_key_inactive(keys[j])) {
                                        continue;
-                               if (REVOKE(keys[j]))
+                               }
+
+                               if (REVOKE(keys[j])) {
                                        continue;
-                               if (KSK(keys[j]))
+                               }
+                               if (KSK(keys[j])) {
                                        have_ksk = true;
-                               else
+                               } else {
                                        have_nonksk = true;
+                               }
                                both = have_ksk && have_nonksk;
-                               if (both)
+                               if (both) {
                                        break;
+                               }
                        }
                }
 
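Review bot: The inner `for (j ...)` loop no longer skips keys for which `dst_key_isprivate(keys[j])` is false, so this hunk changes which keys count towards `have_ksk`/`have_nonksk` even though the commit is titled as a style change; the zone.c `add_sigs` hunk at -6543 drops the same check. Since `both` appears to decide how signing is split between KSK and non-KSK keys (that code is outside this hunk), the change deserves its own commit or at least a sentence in the commit message, ideally with a test that signs a zone while one key's private file is offline. The new comment would read more clearly as `/* Skip inactive keys, but still count keys whose private key file is temporarily unavailable (offline). */`. The body of add_sigs starts and ends outside this hunk.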
index dcb2495da27282b4e52b04c649357d0fd01d8c30..2c5156ff07d0c2115bc3e454d12d2d4d7048f4b2 100644 (file)
@@ -6461,10 +6461,11 @@ del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
                 * If there is not a matching DNSKEY then
                 * delete the RRSIG.
                 */
-               if (!found)
+               if (!found) {
                        result = update_one_rr(db, ver, zonediff->diff,
                                               DNS_DIFFOP_DELRESIGN, name,
                                               rdataset.ttl, &rdata);
+               }
                if (result != ISC_R_SUCCESS)
                        break;
        }
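Review bot: The `if (result != ISC_R_SUCCESS)` directly after the newly braced `if (!found)` is left without braces, so the loop body now mixes both styles. For consistency with the rest of the commit it should become `if (result != ISC_R_SUCCESS) {`, `break;`, `}`. The loop in del_sigs starts outside this hunk.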
@@ -6529,10 +6530,13 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
        for (i = 0; i < nkeys; i++) {
                bool both = false;
 
-               if (!dst_key_isprivate(keys[i]))
+               /* Don't add signatures for offline or inactive keys */
+               if (!dst_key_isprivate(keys[i])) {
                        continue;
-               if (dst_key_inactive(keys[i]))  /* Should be redundant. */
+               }
+               if (dst_key_inactive(keys[i])) {
                        continue;
+               }
 
                if (check_ksk && !REVOKE(keys[i])) {
                        bool have_ksk, have_nonksk;
@@ -6543,24 +6547,36 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
                                have_ksk = false;
                                have_nonksk = true;
                        }
+
                        for (j = 0; j < nkeys; j++) {
-                               if (j == i || ALG(keys[i]) != ALG(keys[j]))
+                               if (j == i || ALG(keys[i]) != ALG(keys[j])) {
                                        continue;
-                               if (!dst_key_isprivate(keys[j]))
-                                       continue;
-                               if (dst_key_inactive(keys[j]))  /* SBR */
+                               }
+
+                               /* Don't consider inactive keys, however
+                                * the key may be temporary offline, so do
+                                * consider keys which private key files are
+                                * unavailable.
+                                */
+                               if (dst_key_inactive(keys[j])) {
                                        continue;
-                               if (REVOKE(keys[j]))
+                               }
+
+                               if (REVOKE(keys[j])) {
                                        continue;
-                               if (KSK(keys[j]))
+                               }
+                               if (KSK(keys[j])) {
                                        have_ksk = true;
-                               else
+                               } else {
                                        have_nonksk = true;
+                               }
                                both = have_ksk && have_nonksk;
-                               if (both)
+                               if (both) {
                                        break;
+                               }
                        }
                }
+
                if (both) {
                        /*
                         * CDS and CDNSKEY are signed with KSK (RFC 7344, 4.1).
@@ -10485,14 +10501,17 @@ zone_maintenance(dns_zone_t *zone) {
                if (zone->rss_event != NULL)
                        break;
                if (!isc_time_isepoch(&zone->signingtime) &&
-                   isc_time_compare(&now, &zone->signingtime) >= 0)
+                   isc_time_compare(&now, &zone->signingtime) >= 0) {
                        zone_sign(zone);
+               }
                else if (!isc_time_isepoch(&zone->resigntime) &&
-                   isc_time_compare(&now, &zone->resigntime) >= 0)
+                   isc_time_compare(&now, &zone->resigntime) >= 0) {
                        zone_resigninc(zone);
+               }
                else if (!isc_time_isepoch(&zone->nsec3chaintime) &&
-                       isc_time_compare(&now, &zone->nsec3chaintime) >= 0)
+                       isc_time_compare(&now, &zone->nsec3chaintime) >= 0) {
                        zone_nsec3chain(zone);
+               }
                /*
                 * Do we need to issue a key expiry warning?
                 */
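Review bot: The closing braces added in this chain sit on a line of their own ahead of `else if`, whereas the `add_sigs` hunks in this same commit write `} else {` on one line. The chain would be consistent as `} else if (!isc_time_isepoch(&zone->resigntime) &&` and likewise for the `nsec3chaintime` branch. The `if (zone->rss_event != NULL)` with its bare `break;` at the top of the hunk is also left unbraced. The enclosing switch case in zone_maintenance starts outside the hunk.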
@@ -18016,15 +18035,18 @@ add_signing_records(dns_db_t *db, dns_rdatatype_t privatetype,
        for (tuple = ISC_LIST_HEAD(diff->tuples);
             tuple != NULL;
             tuple = ISC_LIST_NEXT(tuple, link)) {
-               if (tuple->rdata.type != dns_rdatatype_dnskey)
+               if (tuple->rdata.type != dns_rdatatype_dnskey) {
                        continue;
+               }
 
                result = dns_rdata_tostruct(&tuple->rdata, &dnskey, NULL);
                RUNTIME_CHECK(result == ISC_R_SUCCESS);
                if ((dnskey.flags &
                     (DNS_KEYFLAG_OWNERMASK|DNS_KEYTYPE_NOAUTH))
                         != DNS_KEYOWNER_ZONE)
+               {
                        continue;
+               }
 
                dns_rdata_toregion(&tuple->rdata, &r);
 
@@ -18042,8 +18064,10 @@ add_signing_records(dns_db_t *db, dns_rdatatype_t privatetype,
 
                if (sign_all || tuple->op == DNS_DIFFOP_DEL) {
                        CHECK(rr_exists(db, ver, name, &rdata, &flag));
-                       if (flag)
+                       if (flag) {
                                continue;
+                       }
+
                        CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
                                                   name, 0, &rdata, &newtuple));
                        CHECK(do_one_tuple(&newtuple, db, ver, diff));
@@ -18369,7 +18393,6 @@ zone_rekey(dns_zone_t *zone) {
                goto failure;
        }
 
-
        /* Get the CDS rdataset */
        result = dns_db_findrdataset(db, node, ver, dns_rdatatype_cds,
                                     dns_rdatatype_none, 0, &cdsset, NULL);
@@ -18395,7 +18418,6 @@ zone_rekey(dns_zone_t *zone) {
        if (result == ISC_R_SUCCESS) {
                bool check_ksk;
                check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
-
                result = dns_dnssec_updatekeys(&dnskeys, &keys, &rmkeys,
                                               &zone->origin, ttl, &diff,
                                               !check_ksk, mctx,