const char *msg, ...) ISC_FORMAT_PRINTF(4, 5);
static void notify_log(dns_zone_t *zone, int level, const char *fmt, ...)
ISC_FORMAT_PRINTF(3, 4);
+static void dnssec_log(dns_zone_t *zone, int level, const char *fmt, ...)
+ ISC_FORMAT_PRINTF(3, 4);
static void queue_xfrin(dns_zone_t *zone);
static isc_result_t update_one_rr(dns_db_t *db, dns_dbversion_t *ver,
dns_diff_t *diff, dns_diffop_t op,
algorithm = "RSASHA1";
}
if (logit) {
- dns_zone_log(zone, ISC_LOG_WARNING,
- "weak %s (%u) key found "
- "(exponent=3)", algorithm,
- dnskey.algorithm);
+ dnssec_log(zone, ISC_LOG_WARNING,
+ "weak %s (%u) key found "
+ "(exponent=3)", algorithm,
+ dnskey.algorithm);
}
}
dns_rdata_reset(&rdata);
(rdata.data[1] << 8) | rdata.data[2],
rdata.data[3]);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_signwithkey failed: %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "zone_signwithkey failed: %s",
+ dns_result_totext(result));
}
dns_rdata_reset(&rdata);
}
result = dns_nsec3param_salttotext(nsec3param, saltbuf,
sizeof(saltbuf));
RUNTIME_CHECK(result == ISC_R_SUCCESS);
- dns_zone_log(zone, ISC_LOG_INFO,
- "zone_addnsec3chain(%u,%s,%u,%s)",
- nsec3param->hash, flags, nsec3param->iterations,
- saltbuf);
+ dnssec_log(zone, ISC_LOG_INFO, "zone_addnsec3chain(%u,%s,%u,%s)",
+ nsec3param->hash, flags, nsec3param->iterations, saltbuf);
/*
* If the NSEC3 chain defined by the supplied NSEC3PARAM RDATA is
*/
result = zone_addnsec3chain(zone, &nsec3param);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_addnsec3chain failed: %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "zone_addnsec3chain failed: %s",
+ dns_result_totext(result));
}
}
}
if (trusted == 0 && pending != 0) {
char namebuf[DNS_NAME_FORMATSIZE];
dns_name_format(name, namebuf, sizeof namebuf);
- dns_zone_log(zone, ISC_LOG_ERROR,
- "No valid trust anchors for '%s'!", namebuf);
- dns_zone_log(zone, ISC_LOG_ERROR,
- "%d key(s) revoked, %d still pending",
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "No valid trust anchors for '%s'!", namebuf);
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "%d key(s) revoked, %d still pending",
revoked, pending);
- dns_zone_log(zone, ISC_LOG_ERROR,
- "All queries to '%s' will fail", namebuf);
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "All queries to '%s' will fail", namebuf);
fail_secure(zone, name);
}
}
result = dns_db_newversion(db, &ver);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "sync_keyzone:dns_db_newversion -> %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "sync_keyzone:dns_db_newversion -> %s",
+ dns_result_totext(result));
goto failure;
}
if (result != ISC_R_SUCCESS &&
!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED))
{
- dns_zone_log(zone, ISC_LOG_ERROR,
- "unable to synchronize managed keys: %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "unable to synchronize managed keys: %s",
+ dns_result_totext(result));
isc_time_settoepoch(&zone->refreshkeytime);
}
if (keynode != NULL) {
dns_name_format(name, namebuf, sizeof(namebuf));
dns_rdatatype_format(next.covers,
typebuf, sizeof(typebuf));
- dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
- ISC_LOG_DEBUG(3),
- "next resign: %s/%s "
- "in %d seconds", namebuf, typebuf,
- next.resign - timenow -
- zone->sigresigninginterval);
+ dnssec_log(zone, ISC_LOG_DEBUG(3),
+ "next resign: %s/%s "
+ "in %d seconds", namebuf, typebuf,
+ next.resign - timenow -
+ zone->sigresigninginterval);
dns_rdataset_disassociate(&next);
} else {
- dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
- ISC_LOG_WARNING,
- "signed dynamic zone has no "
- "resign event scheduled");
+ dnssec_log(zone, ISC_LOG_WARNING,
+ "signed dynamic zone has no "
+ "resign event scheduled");
}
}
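Review bot: The `next resign` debug message and the `signed dynamic zone has no resign event scheduled` warning in this hunk move from `DNS_LOGCATEGORY_ZONELOAD` to the DNSSEC category when they switch to `dnssec_log`; the same happens to `zone verification failed` in the final hunk of this chunk. Unlike the other call sites in the change, these did not go through `dns_zone_log` before, so the category change here is a deliberate reclassification rather than a side effect of the helper swap. Operators whose logging channels or monitoring rules filter on the zoneload category will stop seeing these records, so this deserves a sentence in the commit message or release notes. The enclosing function starts and ends outside the hunk.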
cleanup:
if (zone->type == dns_zone_key && result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "failed to initialize managed-keys (%s): "
- "DNSSEC validation is at risk",
- isc_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "failed to initialize managed-keys (%s): "
+ "DNSSEC validation is at risk",
+ isc_result_totext(result));
}
for (inc = ISC_LIST_HEAD(zone->newincludes);
result = dns_db_newversion(db, &version);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_nsec3chain:dns_db_newversion -> %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "zone_nsec3chain:dns_db_newversion -> %s",
+ dns_result_totext(result));
goto failure;
}
result = dns__zone_findkeys(zone, db, version, now, zone->mctx,
DNS_MAXZONEKEYS, zone_keys, &nkeys);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_nsec3chain:dns__zone_findkeys -> %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "zone_nsec3chain:dns__zone_findkeys -> %s",
+ dns_result_totext(result));
goto failure;
}
zone->minimum, unsecure,
&nsec3_diff);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
- "dns_nsec3_addnsec3 -> %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
+ "dns_nsec3_addnsec3 -> %s",
+ dns_result_totext(result));
goto failure;
}
ISC_LIST_APPEND(cleanup, nsec3chain, link);
goto next_addchain;
} else if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_nsec3chain:"
- "dns_dbiterator_next -> %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "zone_nsec3chain:"
+ "dns_dbiterator_next -> %s",
+ dns_result_totext(result));
goto failure;
} else if (delegation) {
dns_dbiterator_current(nsec3chain->dbiterator,
&nsec3chain->nsec3param,
&buildnsecchain);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_nsec3chain:"
- "need_nsec_chain -> %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "zone_nsec3chain:"
+ "need_nsec_chain -> %s",
+ dns_result_totext(result));
goto failure;
}
}
if (first) {
- dns_zone_log(zone, ISC_LOG_DEBUG(3), "zone_nsec3chain:"
- "buildnsecchain = %u\n", buildnsecchain);
+ dnssec_log(zone, ISC_LOG_DEBUG(3),
+ "zone_nsec3chain:buildnsecchain = %u\n",
+ buildnsecchain);
}
dns_dbiterator_current(nsec3chain->dbiterator, &node, name);
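Review bot: The rewritten format string on the added lines keeps the trailing newline in `"zone_nsec3chain:buildnsecchain = %u\n"`; no other message passed to `dnssec_log` in this change ends in `\n`, and if the log backend terminates records itself this produces an empty line and breaks one-record-per-line parsing of the log. Since the line is being rewritten anyway, dropping it is cheap: `"zone_nsec3chain:buildnsecchain = %u",`. The enclosing function continues outside the hunk.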
true, privatetype,
¶m_diff);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_nsec3chain:"
- "fixup_nsec3param -> %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "zone_nsec3chain:"
+ "fixup_nsec3param -> %s",
+ dns_result_totext(result));
goto failure;
}
}
&nsec3chain->nsec3param,
&nsec3_diff);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_nsec3chain:"
- "deletematchingnsec3 -> %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "zone_nsec3chain:"
+ "deletematchingnsec3 -> %s",
+ dns_result_totext(result));
goto failure;
}
goto next_removenode;
privatetype,
¶m_diff);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_nsec3chain:"
- "fixup_nsec3param -> %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "zone_nsec3chain:"
+ "fixup_nsec3param -> %s",
+ dns_result_totext(result));
goto failure;
}
goto next_removechain;
} else if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_nsec3chain:"
- "dns_dbiterator_next -> %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "zone_nsec3chain:"
+ "dns_dbiterator_next -> %s",
+ dns_result_totext(result));
goto failure;
} else if (delegation) {
dns_dbiterator_current(nsec3chain->dbiterator,
&node, nextname);
dns_db_detachnode(db, &node);
- if (!dns_name_issubdomain(nextname, name))
- {
+ if (!dns_name_issubdomain(nextname, name)) {
break;
- }
+ }
} else {
break;
}
RUNTIME_CHECK(result == ISC_R_SUCCESS);
result = dns_db_allrdatasets(db, node, version, 0, &iterator);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
- "dns_db_allrdatasets -> %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "zone_nsec3chain:dns_db_allrdatasets -> %s",
+ dns_result_totext(result));
goto failure;
}
for (result = dns_rdatasetiter_first(iterator);
zone->minimum, true,
&nsec_diff);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_nsec3chain:"
- "updatesecure -> %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "zone_nsec3chain:updatesecure -> %s",
+ dns_result_totext(result));
goto failure;
}
}
zone->minimum, false,
&nsec3_diff);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_nsec3chain:"
- "dns_nsec3_addnsec3s -> %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "zone_nsec3chain:"
+ "dns_nsec3_addnsec3s -> %s",
+ dns_result_totext(result));
goto failure;
}
}
nkeys, zone, inception, expire, 0, now,
check_ksk, keyset_kskonly, &zonediff);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
- "dns__zone_updatesigs -> %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "zone_nsec3chain:dns__zone_updatesigs -> %s",
+ dns_result_totext(result));
goto failure;
}
nkeys, zone, inception, expire, 0, now,
check_ksk, keyset_kskonly, &zonediff);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
- "dns__zone_updatesigs -> %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "zone_nsec3chain:dns__zone_updatesigs -> %s",
+ dns_result_totext(result));
goto failure;
}
result = updatesecure(db, version, &zone->origin,
zone->minimum, false, &nsec_diff);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
- "updatesecure -> %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "zone_nsec3chain:updatesecure -> %s",
+ dns_result_totext(result));
goto failure;
}
}
nkeys, zone, inception, expire, 0, now,
check_ksk, keyset_kskonly, &zonediff);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
- "dns__zone_updatesigs -> %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "zone_nsec3chain:dns__zone_updatesigs -> %s",
+ dns_result_totext(result));
goto failure;
}
result = del_sigs(zone, db, version, &zone->origin, dns_rdatatype_soa,
&zonediff, zone_keys, nkeys, now, false);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
- "del_sigs -> %s", dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "zone_nsec3chain:del_sigs -> %s",
+ dns_result_totext(result));
goto failure;
}
result = update_soa_serial(db, version, zonediff.diff, zone->mctx,
zone->updatemethod);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
- "update_soa_serial -> %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "zone_nsec3chain:update_soa_serial -> %s",
+ dns_result_totext(result));
goto failure;
}
zonediff.diff, zone_keys, nkeys, zone->mctx,
inception, soaexpire, check_ksk, keyset_kskonly);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
- "add_sigs -> %s", dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "zone_nsec3chain:add_sigs -> %s",
+ dns_result_totext(result));
goto failure;
}
failure:
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain: %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR, "zone_nsec3chain: %s",
+ dns_result_totext(result));
}
/*
result = dns_db_newversion(db, &version);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_sign:dns_db_newversion -> %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "zone_sign:dns_db_newversion -> %s",
+ dns_result_totext(result));
goto cleanup;
}
result = dns__zone_findkeys(zone, db, version, now, zone->mctx,
DNS_MAXZONEKEYS, zone_keys, &nkeys);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_sign:dns__zone_findkeys -> %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "zone_sign:dns__zone_findkeys -> %s",
+ dns_result_totext(result));
goto cleanup;
}
false,
&post_diff);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone,
- ISC_LOG_ERROR,
- "updatesecure -> %s",
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "updatesecure -> %s",
dns_result_totext(result));
goto cleanup;
}
zone->minimum,
&post_diff);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "updatesignwithkey -> %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "updatesignwithkey -> %s",
+ dns_result_totext(result));
goto cleanup;
}
build_nsec = false;
goto next_signing;
} else if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_sign:dns_dbiterator_next -> %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "zone_sign:"
+ "dns_dbiterator_next -> %s",
+ dns_result_totext(result));
goto cleanup;
} else if (is_bottom_of_zone) {
dns_dbiterator_current(signing->dbiterator,
check_ksk, keyset_kskonly,
&zonediff);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR, "zone_sign:"
- "dns__zone_updatesigs -> %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "zone_sign:dns__zone_updatesigs -> %s",
+ dns_result_totext(result));
goto cleanup;
}
}
result = del_sigs(zone, db, version, &zone->origin, dns_rdatatype_soa,
&zonediff, zone_keys, nkeys, now, false);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_sign:del_sigs -> %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR, "zone_sign:del_sigs -> %s",
+ dns_result_totext(result));
goto cleanup;
}
result = update_soa_serial(db, version, zonediff.diff, zone->mctx,
zone->updatemethod);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_sign:update_soa_serial -> %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "zone_sign:update_soa_serial -> %s",
+ dns_result_totext(result));
goto cleanup;
}
zonediff.diff, zone_keys, nkeys, zone->mctx,
inception, soaexpire, check_ksk, keyset_kskonly);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_sign:add_sigs -> %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR, "zone_sign:add_sigs -> %s",
+ dns_result_totext(result));
goto cleanup;
}
failure:
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR, "zone_sign: failed: %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR, "zone_sign: failed: %s",
+ dns_result_totext(result));
}
cleanup:
&sigrr,
dns_fixedname_name(&fixed));
- dns_zone_log(kfetch->zone, ISC_LOG_DEBUG(3),
- "Confirm revoked DNSKEY is self-signed: "
- "%s", dns_result_totext(result));
+ dnssec_log(kfetch->zone, ISC_LOG_DEBUG(3),
+ "Confirm revoked DNSKEY is self-signed: %s",
+ dns_result_totext(result));
if (result == ISC_R_SUCCESS) {
answer = true;
DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESHING);
}
- dns_zone_log(zone, ISC_LOG_DEBUG(3),
- "Returned from key fetch in keyfetch_done() for "
- "'%s': %s", namebuf, dns_result_totext(eresult));
+ dnssec_log(zone, ISC_LOG_DEBUG(3),
+ "Returned from key fetch in keyfetch_done() for '%s': %s",
+ namebuf, dns_result_totext(eresult));
/* Fetch failed */
if (eresult != ISC_R_SUCCESS ||
!dns_rdataset_isassociated(&kfetch->dnskeyset))
{
- dns_zone_log(zone, ISC_LOG_WARNING,
- "Unable to fetch DNSKEY set "
- "'%s': %s", namebuf, dns_result_totext(eresult));
+ dnssec_log(zone, ISC_LOG_WARNING,
+ "Unable to fetch DNSKEY set '%s': %s",
+ namebuf, dns_result_totext(eresult));
CHECK(minimal_update(kfetch, ver, &diff));
goto done;
}
/* No RRSIGs found */
if (!dns_rdataset_isassociated(&kfetch->dnskeysigset)) {
- dns_zone_log(zone, ISC_LOG_WARNING,
- "No DNSKEY RRSIGs found for "
- "'%s': %s", namebuf, dns_result_totext(eresult));
+ dnssec_log(zone, ISC_LOG_WARNING,
+ "No DNSKEY RRSIGs found for '%s': %s",
+ namebuf, dns_result_totext(eresult));
CHECK(minimal_update(kfetch, ver, &diff));
goto done;
}
dns_fixedname_name(
&fixed));
- dns_zone_log(zone, ISC_LOG_DEBUG(3),
- "Verifying DNSKEY set for zone "
- "'%s' using key %d/%d: %s",
- namebuf, sig.keyid, sig.algorithm,
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_DEBUG(3),
+ "Verifying DNSKEY set for zone "
+ "'%s' using key %d/%d: %s",
+ namebuf, sig.keyid, sig.algorithm,
+ dns_result_totext(result));
if (result == ISC_R_SUCCESS) {
kfetch->dnskeyset.trust =
* trusted keys then all we can do is look at any revoked keys.
*/
if (!secure) {
- dns_zone_log(zone, ISC_LOG_DEBUG(3),
- "DNSKEY set for zone '%s' could not be verified "
- "with current keys", namebuf);
+ dnssec_log(zone, ISC_LOG_DEBUG(3),
+ "DNSKEY set for zone '%s' could not be verified "
+ "with current keys", namebuf);
}
/*
} else if (keydata.addhd == 0) {
deletekey = true;
} else if (keydata.addhd > now) {
- dns_zone_log(zone, ISC_LOG_DEBUG(3),
- "Pending key %d for zone %s "
- "unexpectedly missing "
- "restarting 30-day acceptance "
- "timer", keytag, namebuf);
+ dnssec_log(zone, ISC_LOG_DEBUG(3),
+ "Pending key %d for zone %s "
+ "unexpectedly missing "
+ "restarting 30-day acceptance "
+ "timer", keytag, namebuf);
if (keydata.addhd < now + dns_zone_mkey_month) {
keydata.addhd =
now + dns_zone_mkey_month;
}
keydata.refresh = refresh_time(kfetch, false);
} else if (keydata.removehd == 0) {
- dns_zone_log(zone, ISC_LOG_DEBUG(3),
- "Active key %d for zone %s "
- "unexpectedly missing",
- keytag, namebuf);
+ dnssec_log(zone, ISC_LOG_DEBUG(3),
+ "Active key %d for zone %s "
+ "unexpectedly missing",
+ keytag, namebuf);
keydata.refresh = now + dns_zone_mkey_hour;
} else if (keydata.removehd <= now) {
deletekey = true;
- dns_zone_log(zone, ISC_LOG_DEBUG(3),
- "Revoked key %d for zone %s "
- "missing: deleting from "
- "managed keys database",
- keytag, namebuf);
+ dnssec_log(zone, ISC_LOG_DEBUG(3),
+ "Revoked key %d for zone %s "
+ "missing: deleting from "
+ "managed keys database",
+ keytag, namebuf);
} else {
keydata.refresh = refresh_time(kfetch, false);
}
* it's been revoked? Just remove it
*/
deletekey = true;
- dns_zone_log(zone, ISC_LOG_DEBUG(3),
- "Pending key %d "
- "for zone %s is now "
- "revoked: "
- "deleting from the "
- "managed keys database",
- keytag, namebuf);
+ dnssec_log(zone, ISC_LOG_DEBUG(3),
+ "Pending key %d for "
+ "zone %s is now revoked: "
+ "deleting from the "
+ "managed keys database",
+ keytag, namebuf);
} else if (keydata.removehd == 0) {
/*
* Remove key from secroots.
DNS_KEYFLAG_REVOKE;
}
- dns_zone_log(zone, ISC_LOG_INFO,
- "Trusted key %d "
- "for zone %s is now "
- "revoked",
- keytag, namebuf);
+ dnssec_log(zone, ISC_LOG_INFO,
+ "Trusted key %d for "
+ "zone %s is now revoked",
+ keytag, namebuf);
} else if (keydata.removehd < now) {
/* Scheduled for removal */
deletekey = true;
- dns_zone_log(zone, ISC_LOG_INFO,
- "Revoked key %d "
- "for zone %s removal "
- "timer complete: "
- "deleting from the "
- "managed keys database",
- keytag, namebuf);
+ dnssec_log(zone, ISC_LOG_INFO,
+ "Revoked key %d for "
+ "zone %s removal timer "
+ "complete: deleting from "
+ "the managed keys database",
+ keytag, namebuf);
}
} else if (revoked && keydata.removehd == 0) {
- dns_zone_log(zone, ISC_LOG_WARNING,
- "Active key %d for zone "
- "%s is revoked but "
- "did not self-sign; "
- "ignoring", keytag, namebuf);
- continue;
+ dnssec_log(zone, ISC_LOG_WARNING,
+ "Active key %d for zone "
+ "%s is revoked but "
+ "did not self-sign; "
+ "ignoring", keytag, namebuf);
+ continue;
} else if (secure) {
if (keydata.removehd != 0) {
/*
keydata.addhd =
now + dns_zone_mkey_month;
- dns_zone_log(zone, ISC_LOG_DEBUG(3),
- "Revoked key %d "
- "for zone %s "
- "has returned: starting "
- "30-day acceptance timer",
- keytag, namebuf);
+ dnssec_log(zone, ISC_LOG_DEBUG(3),
+ "Revoked key %d for "
+ "zone %s has returned: "
+ "starting 30-day "
+ "acceptance timer",
+ keytag, namebuf);
} else if (keydata.addhd > now) {
pending++;
} else if (keydata.addhd == 0) {
if (keydata.addhd <= now) {
trustkey = true;
- dns_zone_log(zone, ISC_LOG_INFO,
- "Key %d for zone %s "
- "is now trusted (%s)",
- keytag, namebuf,
- initial
- ? "initializing key "
- "verified"
- : "acceptance timer "
- "complete");
+ dnssec_log(zone, ISC_LOG_INFO,
+ "Key %d for zone %s "
+ "is now trusted (%s)",
+ keytag, namebuf,
+ initial
+ ? "initializing key "
+ "verified"
+ : "acceptance timer "
+ "complete");
}
} else if (keydata.addhd > now) {
/*
*/
pending++;
keydata.addhd = now + dns_zone_mkey_month;
- dns_zone_log(zone, ISC_LOG_DEBUG(3),
- "Pending key %d "
- "for zone %s was "
- "not validated: restarting "
- "30-day acceptance timer",
- keytag, namebuf);
+ dnssec_log(zone, ISC_LOG_DEBUG(3),
+ "Pending key %d "
+ "for zone %s was "
+ "not validated: restarting "
+ "30-day acceptance timer",
+ keytag, namebuf);
}
if (!deletekey && !newkey) {
newkey = true;
if (initializing) {
- dns_zone_log(zone, ISC_LOG_WARNING,
- "Initializing automatic trust "
- "anchor management for zone '%s'; "
- "DNSKEY ID %d is now trusted, "
- "waiving the normal 30-day "
- "waiting period.",
- namebuf, keytag);
+ dnssec_log(zone, ISC_LOG_WARNING,
+ "Initializing automatic trust "
+ "anchor management for zone '%s'; "
+ "DNSKEY ID %d is now trusted, "
+ "waiving the normal 30-day "
+ "waiting period.",
+ namebuf, keytag);
trustkey = true;
} else {
- dns_zone_log(zone, ISC_LOG_INFO,
- "New key %d observed "
- "for zone '%s': "
- "starting 30-day "
- "acceptance timer",
- keytag, namebuf);
+ dnssec_log(zone, ISC_LOG_INFO,
+ "New key %d observed "
+ "for zone '%s': "
+ "starting 30-day "
+ "acceptance timer",
+ keytag, namebuf);
}
} else {
/*
failure:
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "error during managed-keys processing (%s): "
- "DNSSEC validation may be at risk",
- isc_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "error during managed-keys processing (%s): "
+ "DNSSEC validation may be at risk",
+ isc_result_totext(result));
}
dns_diff_clear(&diff);
if (ver != NULL) {
char namebuf[DNS_NAME_FORMATSIZE];
dns_name_format(kname, namebuf,
sizeof(namebuf));
- dns_zone_log(zone, ISC_LOG_DEBUG(3),
- "Creating key fetch in "
- "zone_refreshkeys() for '%s'",
- namebuf);
+ dnssec_log(zone, ISC_LOG_DEBUG(3),
+ "Creating key fetch in "
+ "zone_refreshkeys() for '%s'",
+ namebuf);
}
/*
dns_rdataset_disassociate(&kfetch->keydataset);
dns_name_free(kname, zone->mctx);
isc_mem_put(zone->mctx, kfetch, sizeof(dns_keyfetch_t));
- dns_zone_log(zone, ISC_LOG_WARNING,
- "Failed to create fetch for "
- "DNSKEY update");
+ dnssec_log(zone, ISC_LOG_WARNING,
+ "Failed to create fetch for DNSKEY update");
fetch_err = true;
}
}
zone_settimer(zone, &timenow);
isc_time_formattimestamp(&zone->refreshkeytime, timebuf, 80);
- dns_zone_log(zone, ISC_LOG_DEBUG(1), "retry key refresh: %s",
- timebuf);
+ dnssec_log(zone, ISC_LOG_DEBUG(1), "retry key refresh: %s",
+ timebuf);
} else if (!timerset) {
isc_time_settoepoch(&zone->refreshkeytime);
}
va_end(ap);
}
+static void
+dnssec_log(dns_zone_t *zone, int level, const char *fmt, ...) {
+ va_list ap;
+
+ va_start(ap, fmt);
+ dns_zone_logv(zone, DNS_LOGCATEGORY_DNSSEC, level, NULL, fmt, ap);
+ va_end(ap);
+}
+
static int
message_count(dns_message_t *msg, dns_section_t section, dns_rdatatype_t type)
{
isc_result_t result;
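Review bot: The new `dnssec_log` definition carries no header comment, so nothing at the definition explains why it exists next to `dns_zone_log` or what distinguishes the two. A one-liner above `static void` would do: `/* dns_zone_log() variant that files the message under DNS_LOGCATEGORY_DNSSEC. */`. The fourth argument to `dns_zone_logv` is passed as a bare `NULL`; a short comment naming that parameter would save the next reader a trip to the prototype. The `ISC_FORMAT_PRINTF(3, 4)` attribute is already on the forward declaration earlier in the file, which is the right place for it.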
REQUIRE(DNS_ZONE_VALID(zone));
- dns_zone_log(zone, ISC_LOG_NOTICE,
- "dns_zone_signwithkey(algorithm=%u, keyid=%u)",
- algorithm, keyid);
+ dnssec_log(zone, ISC_LOG_NOTICE,
+ "dns_zone_signwithkey(algorithm=%u, keyid=%u)",
+ algorithm, keyid);
LOCK_ZONE(zone);
result = zone_signwithkey(zone, algorithm, keyid, deleteit);
UNLOCK_ZONE(zone);
result = dns_nsec3param_salttotext(nsec3param, salt, sizeof(salt));
RUNTIME_CHECK(result == ISC_R_SUCCESS);
- dns_zone_log(zone, ISC_LOG_NOTICE,
- "dns_zone_addnsec3chain(hash=%u, iterations=%u, salt=%s)",
- nsec3param->hash, nsec3param->iterations,
- salt);
+ dnssec_log(zone, ISC_LOG_NOTICE,
+ "dns_zone_addnsec3chain(hash=%u, iterations=%u, salt=%s)",
+ nsec3param->hash, nsec3param->iterations, salt);
LOCK_ZONE(zone);
result = zone_addnsec3chain(zone, nsec3param);
UNLOCK_ZONE(zone);
return (result);
}
-static void
-logmsg(const char *format, ...) {
- va_list args;
- va_start(args, format);
- isc_log_vwrite(dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_ZONE,
- ISC_LOG_DEBUG(1), format, args);
- va_end(args);
-}
-
static void
clear_keylist(dns_dnsseckeylist_t *list, isc_mem_t *mctx) {
dns_dnsseckey_t *key;
result = dns__zone_findkeys(zone, db, ver, now, zone->mctx,
DNS_MAXZONEKEYS, zone_keys, &nkeys);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "sign_apex:dns__zone_findkeys -> %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "sign_apex:dns__zone_findkeys -> %s",
+ dns_result_totext(result));
return (result);
}
dns_rdatatype_dnskey, zonediff,
zone_keys, nkeys, now, false);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "sign_apex:del_sigs -> %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "sign_apex:del_sigs -> %s",
+ dns_result_totext(result));
goto failure;
}
result = add_sigs(db, ver, &zone->origin, dns_rdatatype_dnskey,
inception, keyexpire, check_ksk,
keyset_kskonly);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "sign_apex:add_sigs -> %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "sign_apex:add_sigs -> %s",
+ dns_result_totext(result));
goto failure;
}
}
check_ksk, keyset_kskonly, zonediff);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "sign_apex:dns__zone_updatesigs -> %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "sign_apex:dns__zone_updatesigs -> %s",
+ dns_result_totext(result));
goto failure;
}
/* Refuse to allow NSEC3 with NSEC-only keys */
if (nseconly && nsec3) {
- dns_zone_log(zone, ISC_LOG_ERROR,
+ dnssec_log(zone, ISC_LOG_ERROR,
"NSEC only DNSKEYs and NSEC3 chains not allowed");
goto failure;
}
return (result);
}
+static void
+dnssec_report(const char *format, ...) {
+ va_list args;
+ va_start(args, format);
+ isc_log_vwrite(dns_lctx, DNS_LOGCATEGORY_DNSSEC, DNS_LOGMODULE_ZONE,
+ ISC_LOG_DEBUG(1), format, args);
+ va_end(args);
+}
+
static void
zone_rekey(dns_zone_t *zone) {
isc_result_t result;
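Review bot: `dnssec_report` forwards `format` straight to `isc_log_vwrite` without a format attribute, so the compiler cannot check callers' arguments against the format string, whereas the sibling `dnssec_log` is declared with `ISC_FORMAT_PRINTF(3, 4)`. The removed `logmsg` had the same gap, but since the function is being rewritten this is the moment to close it: add `static void dnssec_report(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);` beside the other forward declarations; the definition's signature is unchanged, so the callback handed to `dns_dnssec_updatekeys` is unaffected. A header comment stating that this is the report callback passed to `dns_dnssec_updatekeys` would also help, since nothing at the definition links the two.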
TIME_NOW(&timenow);
now = isc_time_seconds(&timenow);
- dns_zone_log(zone, ISC_LOG_INFO, "reconfiguring zone keys");
+ dnssec_log(zone, ISC_LOG_INFO, "reconfiguring zone keys");
/* Get the SOA record's TTL */
CHECK(dns_db_findrdataset(db, node, ver, dns_rdatatype_soa,
result = dns_dnssec_updatekeys(&dnskeys, &keys, &rmkeys,
&zone->origin, ttl, &diff,
- !check_ksk,
- mctx, logmsg);
+ !check_ksk, mctx,
+ dnssec_report);
/*
* Keys couldn't be updated for some reason;
* try again later.
*/
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR, "zone_rekey:"
- "couldn't update zone keys: %s",
- isc_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "zone_rekey:couldn't update zone keys: %s",
+ isc_result_totext(result));
goto failure;
}
&cdnskeyset, now, ttl,
&diff, mctx);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR, "zone_rekey:"
- "couldn't update CDS/CDNSKEY: %s",
- isc_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "zone_rekey:couldn't update CDS/CDNSKEY: %s",
+ isc_result_totext(result));
goto failure;
}
dst_key_id(key->key),
true);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_signwithkey failed: %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "zone_signwithkey failed: %s",
+ dns_result_totext(result));
}
}
}
dst_key_id(key->key),
false);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_signwithkey failed: %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "zone_signwithkey failed: %s",
+ dns_result_totext(result));
}
}
} else if (newalg) {
dst_key_id(key->key),
false);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_signwithkey failed: %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "zone_signwithkey failed: %s",
+ dns_result_totext(result));
}
}
}
result = zone_addnsec3chain(zone, &nsec3param);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_addnsec3chain failed: %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "zone_addnsec3chain failed: %s",
+ dns_result_totext(result));
}
}
zone_settimer(zone, &timenow);
isc_time_formattimestamp(&zone->refreshkeytime, timebuf, 80);
- dns_zone_log(zone, ISC_LOG_INFO, "next key event: %s", timebuf);
+ dnssec_log(zone, ISC_LOG_INFO, "next key event: %s", timebuf);
}
result = ISC_R_SUCCESS;
dns_db_currentversion(db, &oldver);
result = dns_db_newversion(db, &newver);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "keydone:dns_db_newversion -> %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "keydone:dns_db_newversion -> %s",
+ dns_result_totext(result));
goto failure;
}
result = dns_db_newversion(db, &newver);
if (result != ISC_R_SUCCESS) {
ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
- dns_zone_log(zone, ISC_LOG_ERROR,
- "setnsec3param:dns_db_newversion -> %s",
- dns_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "setnsec3param:dns_db_newversion -> %s",
+ dns_result_totext(result));
goto failure;
}
}
if (result != ISC_R_SUCCESS) {
- dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, ISC_LOG_ERROR,
- "zone verification failed: %s",
- isc_result_totext(result));
+ dnssec_log(zone, ISC_LOG_ERROR, "zone verification failed: %s",
+ isc_result_totext(result));
result = DNS_R_VERIFYFAILURE;
}