Extract check_dnskey() from dns_zoneverify_dnssec()
authorMichał Kępień <michal@isc.org>
Fri, 15 Jun 2018 07:59:20 +0000 (09:59 +0200)
committerMichał Kępień <michal@isc.org>
Fri, 15 Jun 2018 08:10:24 +0000 (10:10 +0200)
Extract the part of dns_zoneverify_dnssec() responsible for checking the
DNSKEY RRset at zone apex to a separate function.

lib/dns/zoneverify.c

index 5e4da21569cca5845240f96870d34f6576f7249e..04f5a94856cca82de12efe3d4bb0799fa78f66c5 100644 (file)
@@ -1213,41 +1213,20 @@ check_apex_rrsets(vctx_t *vctx) {
        dns_db_detachnode(vctx->db, &node);
 }
 
-void
-dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
-                     dns_name_t *origin, isc_mem_t *mctx,
-                     isc_boolean_t ignore_kskflag,
-                     isc_boolean_t keyset_kskonly)
-{
-       char algbuf[80];
-       dns_dbiterator_t *dbiter = NULL;
-       dns_dbnode_t *node = NULL, *nextnode = NULL;
-       dns_fixedname_t fname, fnextname, fprevname, fzonecut;
-       dns_name_t *name, *nextname, *prevname, *zonecut;
-       dns_rdata_dnskey_t dnskey;
+/*%
+ * Check that the DNSKEY RR has at least one self signing KSK and one ZSK per
+ * algorithm in it (or, if -x was used, one self-signing KSK).
+ */
+static void
+check_dnskey(vctx_t *vctx) {
        dns_rdata_t rdata = DNS_RDATA_INIT;
-       int i;
-       isc_boolean_t done = ISC_FALSE;
-       isc_boolean_t first = ISC_TRUE;
-       isc_result_t result, vresult = ISC_R_UNSET;
-       vctx_t vctx;
-
-       result = vctx_init(&vctx, mctx, zone, db, ver, origin);
-       if (result != ISC_R_SUCCESS) {
-               return;
-       }
-
-       check_apex_rrsets(&vctx);
+       dns_rdata_dnskey_t dnskey;
+       isc_result_t result;
 
-       /*
-        * Check that the DNSKEY RR has at least one self signing KSK
-        * and one ZSK per algorithm in it (or, if -x was used, one
-        * self-signing KSK).
-        */
-       for (result = dns_rdataset_first(&vctx.keyset);
+       for (result = dns_rdataset_first(&vctx->keyset);
             result == ISC_R_SUCCESS;
-            result = dns_rdataset_next(&vctx.keyset)) {
-               dns_rdataset_current(&vctx.keyset, &rdata);
+            result = dns_rdataset_next(&vctx->keyset)) {
+               dns_rdataset_current(&vctx->keyset, &rdata);
                result = dns_rdata_tostruct(&rdata, &dnskey, NULL);
                check_result(result, "dns_rdata_tostruct");
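Review bot: The header comment on check_dnskey describes the caller's acceptance rule rather than what this function does: the loop only classifies each apex DNSKEY and tallies it per algorithm into vctx (ksk_algorithms, zsk_algorithms, standby_*, revoked_*) and sets goodksk/goodzsk, while the "one self-signing KSK and one ZSK per algorithm, or just a KSK" decision is made afterwards in dns_zoneverify_dnssec from ignore_kskflag (visible at the `if (ignore_kskflag )` line of the last hunk), and "-x" is a command-line option of the dnssec tools that has no meaning inside this library file. I would rewrite it as `/*% Classify each DNSKEY at the apex (self-signing KSK, ZSK, standby, revoked) and tally the result per algorithm into vctx; the caller decides whether the tallies are acceptable. */`. The loop also appears to rely on check_result() not returning after a dns_rdata_tostruct() failure, since dnskey.flags is read unconditionally right after it; if check_result() only logs, that reads an uninitialized struct, so either say so in the comment or add a `continue` on failure. The body of check_dnskey continues across the next two hunks.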
 
@@ -1255,14 +1234,15 @@ dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
                        ;
                else if ((dnskey.flags & DNS_KEYFLAG_REVOKE) != 0) {
                        if ((dnskey.flags & DNS_KEYFLAG_KSK) != 0 &&
-                           !dns_dnssec_selfsigns(&rdata, vctx.origin,
-                                                 &vctx.keyset, &vctx.keysigs,
-                                                 ISC_FALSE, vctx.mctx)) {
+                           !dns_dnssec_selfsigns(&rdata, vctx->origin,
+                                                 &vctx->keyset,
+                                                 &vctx->keysigs, ISC_FALSE,
+                                                 vctx->mctx)) {
                                char namebuf[DNS_NAME_FORMATSIZE];
                                char buffer[1024];
                                isc_buffer_t buf;
 
-                               dns_name_format(vctx.origin, namebuf,
+                               dns_name_format(vctx->origin, namebuf,
                                                sizeof(namebuf));
                                isc_buffer_init(&buf, buffer, sizeof(buffer));
                                result = dns_rdata_totext(&rdata, NULL, &buf);
@@ -1272,40 +1252,67 @@ dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
                                      (int)isc_buffer_usedlength(&buf), buffer);
                        }
                        if ((dnskey.flags & DNS_KEYFLAG_KSK) != 0 &&
-                            vctx.revoked_ksk[dnskey.algorithm] != 255)
-                               vctx.revoked_ksk[dnskey.algorithm]++;
+                            vctx->revoked_ksk[dnskey.algorithm] != 255)
+                               vctx->revoked_ksk[dnskey.algorithm]++;
                        else if ((dnskey.flags & DNS_KEYFLAG_KSK) == 0 &&
-                                vctx.revoked_zsk[dnskey.algorithm] != 255)
-                               vctx.revoked_zsk[dnskey.algorithm]++;
+                                vctx->revoked_zsk[dnskey.algorithm] != 255)
+                               vctx->revoked_zsk[dnskey.algorithm]++;
                } else if ((dnskey.flags & DNS_KEYFLAG_KSK) != 0) {
-                       if (dns_dnssec_selfsigns(&rdata, vctx.origin,
-                                                &vctx.keyset, &vctx.keysigs,
-                                                ISC_FALSE, vctx.mctx)) {
-                               if (vctx.ksk_algorithms[dnskey.algorithm] != 255)
-                                       vctx.ksk_algorithms[dnskey.algorithm]++;
-                               vctx.goodksk = ISC_TRUE;
+                       if (dns_dnssec_selfsigns(&rdata, vctx->origin,
+                                                &vctx->keyset, &vctx->keysigs,
+                                                ISC_FALSE, vctx->mctx)) {
+                               if (vctx->ksk_algorithms[dnskey.algorithm] != 255)
+                                       vctx->ksk_algorithms[dnskey.algorithm]++;
+                               vctx->goodksk = ISC_TRUE;
                        } else {
-                               if (vctx.standby_ksk[dnskey.algorithm] != 255)
-                                       vctx.standby_ksk[dnskey.algorithm]++;
+                               if (vctx->standby_ksk[dnskey.algorithm] != 255)
+                                       vctx->standby_ksk[dnskey.algorithm]++;
                        }
-               } else if (dns_dnssec_selfsigns(&rdata, vctx.origin,
-                                               &vctx.keyset, &vctx.keysigs,
-                                               ISC_FALSE, vctx.mctx)) {
-                       if (vctx.zsk_algorithms[dnskey.algorithm] != 255)
-                               vctx.zsk_algorithms[dnskey.algorithm]++;
-                       vctx.goodzsk = ISC_TRUE;
-               } else if (dns_dnssec_signs(&rdata, vctx.origin, &vctx.soaset,
-                                           &vctx.soasigs, ISC_FALSE,
-                                           vctx.mctx)) {
-                       if (vctx.zsk_algorithms[dnskey.algorithm] != 255)
-                               vctx.zsk_algorithms[dnskey.algorithm]++;
+               } else if (dns_dnssec_selfsigns(&rdata, vctx->origin,
+                                               &vctx->keyset, &vctx->keysigs,
+                                               ISC_FALSE, vctx->mctx)) {
+                       if (vctx->zsk_algorithms[dnskey.algorithm] != 255)
+                               vctx->zsk_algorithms[dnskey.algorithm]++;
+                       vctx->goodzsk = ISC_TRUE;
+               } else if (dns_dnssec_signs(&rdata, vctx->origin,
+                                           &vctx->soaset, &vctx->soasigs,
+                                           ISC_FALSE, vctx->mctx)) {
+                       if (vctx->zsk_algorithms[dnskey.algorithm] != 255)
+                               vctx->zsk_algorithms[dnskey.algorithm]++;
                } else {
-                       if (vctx.standby_zsk[dnskey.algorithm] != 255)
-                               vctx.standby_zsk[dnskey.algorithm]++;
+                       if (vctx->standby_zsk[dnskey.algorithm] != 255)
+                               vctx->standby_zsk[dnskey.algorithm]++;
                }
                dns_rdata_freestruct(&dnskey);
                dns_rdata_reset(&rdata);
        }
+}
+
+void
+dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
+                     dns_name_t *origin, isc_mem_t *mctx,
+                     isc_boolean_t ignore_kskflag,
+                     isc_boolean_t keyset_kskonly)
+{
+       char algbuf[80];
+       dns_dbiterator_t *dbiter = NULL;
+       dns_dbnode_t *node = NULL, *nextnode = NULL;
+       dns_fixedname_t fname, fnextname, fprevname, fzonecut;
+       dns_name_t *name, *nextname, *prevname, *zonecut;
+       int i;
+       isc_boolean_t done = ISC_FALSE;
+       isc_boolean_t first = ISC_TRUE;
+       isc_result_t result, vresult = ISC_R_UNSET;
+       vctx_t vctx;
+
+       result = vctx_init(&vctx, mctx, zone, db, ver, origin);
+       if (result != ISC_R_SUCCESS) {
+               return;
+       }
+
+       check_apex_rrsets(&vctx);
+
+       check_dnskey(&vctx);
 
        if (ignore_kskflag ) {
                if (!vctx.goodksk && !vctx.goodzsk)