From: Matthijs Mekking Date: Thu, 14 Mar 2019 08:44:01 +0000 (+0100) Subject: Style: some curly brackets X-Git-Tag: v9.11.7~30^2~3 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=9079ae03c7804fa60edacf92b76a902b5dcf567f;p=thirdparty%2Fbind9.git Style: some curly brackets (cherry picked from commit 2e83e3255a9c0096e1d386839ff2b72ea0185ac5) (cherry picked from commit 42b0bf4d3bab180876d4803fe2ec1f6e93064b28) --- diff --git a/lib/dns/update.c b/lib/dns/update.c index 47cc4cf4ef9..7c9afc24e83 100644 --- a/lib/dns/update.c +++ b/lib/dns/update.c @@ -1105,10 +1105,13 @@ add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db, for (i = 0; i < nkeys; i++) { bool both = false; - if (!dst_key_isprivate(keys[i])) + /* Don't add signatures for offline or inactive keys */ + if (!dst_key_isprivate(keys[i])) { continue; - if (dst_key_inactive(keys[i])) /* Should be redundant. */ + } + if (dst_key_inactive(keys[i])) { continue; + } if (check_ksk && !REVOKE(keys[i])) { bool have_ksk, have_nonksk; @@ -1120,21 +1123,31 @@ add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db, have_nonksk = true; } for (j = 0; j < nkeys; j++) { - if (j == i || ALG(keys[i]) != ALG(keys[j])) - continue; - if (!dst_key_isprivate(keys[j])) + if (j == i || ALG(keys[i]) != ALG(keys[j])) { continue; - if (dst_key_inactive(keys[j])) /* SBR */ + } + + /* Don't consider inactive keys, however + * the key may be temporary offline, so do + * consider keys which private key files are + * unavailable. + */ + if (dst_key_inactive(keys[j])) { continue; - if (REVOKE(keys[j])) + } + + if (REVOKE(keys[j])) { continue; - if (KSK(keys[j])) + } + if (KSK(keys[j])) { have_ksk = true; - else + } else { have_nonksk = true; + } both = have_ksk && have_nonksk; - if (both) + if (both) { break; + } } } diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 3f1bc448c63..57295fc00fb 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c 
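Review bot: The inner `for (j = 0; j < nkeys; j++)` loop drops the `if (!dst_key_isprivate(keys[j])) continue;` test, so keys whose private half is unavailable now count toward `have_ksk`/`have_nonksk` and therefore toward `both`; that changes which keys are selected for signing, yet the subject line describes the commit as style only. I would state the behaviour change in the commit message (or split it into its own commit) so that anyone auditing DNSSEC signing changes can find it, and pair it with a test that runs with one key's private file missing. The same removal is in the zone.c add_sigs hunk at -6447. In the new comment, `temporary offline` should read `temporarily offline` and `keys which private key files` should read `keys whose private key files`. add_sigs continues past the hunk in update.c, so how `both` is consumed there is not visible here.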
@@ -6365,10 +6365,11 @@ del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, * If there is not a matching DNSKEY then * delete the RRSIG. */ - if (!found) + if (!found) { result = update_one_rr(db, ver, zonediff->diff, DNS_DIFFOP_DELRESIGN, name, rdataset.ttl, &rdata); + } if (result != ISC_R_SUCCESS) break; } @@ -6433,10 +6434,13 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, for (i = 0; i < nkeys; i++) { bool both = false; - if (!dst_key_isprivate(keys[i])) + /* Don't add signatures for offline or inactive keys */ + if (!dst_key_isprivate(keys[i])) { continue; - if (dst_key_inactive(keys[i])) /* Should be redundant. */ + } + if (dst_key_inactive(keys[i])) { continue; + } if (check_ksk && !REVOKE(keys[i])) { bool have_ksk, have_nonksk; @@ -6447,24 +6451,36 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, have_ksk = false; have_nonksk = true; } + for (j = 0; j < nkeys; j++) { - if (j == i || ALG(keys[i]) != ALG(keys[j])) + if (j == i || ALG(keys[i]) != ALG(keys[j])) { continue; - if (!dst_key_isprivate(keys[j])) - continue; - if (dst_key_inactive(keys[j])) /* SBR */ + } + + /* Don't consider inactive keys, however + * the key may be temporary offline, so do + * consider keys which private key files are + * unavailable. + */ + if (dst_key_inactive(keys[j])) { continue; - if (REVOKE(keys[j])) + } + + if (REVOKE(keys[j])) { continue; - if (KSK(keys[j])) + } + if (KSK(keys[j])) { have_ksk = true; - else + } else { have_nonksk = true; + } both = have_ksk && have_nonksk; - if (both) + if (both) { break; + } } } + if (both) { if (type == dns_rdatatype_dnskey) { if (!KSK(keys[i]) && keyset_kskonly) 
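Review bot: The `if (result != ISC_R_SUCCESS) break;` directly after the newly braced `if (!found)` block in del_sigs is left unbraced, which is inconsistent with the bracing this hunk introduces; `if (result != ISC_R_SUCCESS) { break; }` would match. With the braces in place it is also easier to see that this check runs when `found` is true, in which case `result` holds whatever was assigned before the hunk. Presumably that is a success value, but the enclosing loop starts outside the hunk, so it cannot be confirmed from here.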
@@ -10220,14 +10236,17 @@ zone_maintenance(dns_zone_t *zone) { if (zone->rss_event != NULL) break; if (!isc_time_isepoch(&zone->signingtime) && - isc_time_compare(&now, &zone->signingtime) >= 0) + isc_time_compare(&now, &zone->signingtime) >= 0) { zone_sign(zone); + } else if (!isc_time_isepoch(&zone->resigntime) && - isc_time_compare(&now, &zone->resigntime) >= 0) + isc_time_compare(&now, &zone->resigntime) >= 0) { zone_resigninc(zone); + } else if (!isc_time_isepoch(&zone->nsec3chaintime) && - isc_time_compare(&now, &zone->nsec3chaintime) >= 0) + isc_time_compare(&now, &zone->nsec3chaintime) >= 0) { zone_nsec3chain(zone); + } /* * Do we need to issue a key expiry warning? */ @@ -17770,15 +17789,18 @@ add_signing_records(dns_db_t *db, dns_rdatatype_t privatetype, for (tuple = ISC_LIST_HEAD(diff->tuples); tuple != NULL; tuple = ISC_LIST_NEXT(tuple, link)) { - if (tuple->rdata.type != dns_rdatatype_dnskey) + if (tuple->rdata.type != dns_rdatatype_dnskey) { continue; + } result = dns_rdata_tostruct(&tuple->rdata, &dnskey, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); if ((dnskey.flags & (DNS_KEYFLAG_OWNERMASK|DNS_KEYTYPE_NOAUTH)) != DNS_KEYOWNER_ZONE) + { continue; + } dns_rdata_toregion(&tuple->rdata, &r); @@ -17796,8 +17818,10 @@ add_signing_records(dns_db_t *db, dns_rdatatype_t privatetype, if (sign_all || tuple->op == DNS_DIFFOP_DEL) { CHECK(rr_exists(db, ver, name, &rdata, &flag)); - if (flag) + if (flag) { continue; + } + CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, name, 0, &rdata, &newtuple)); CHECK(do_one_tuple(&newtuple, db, ver, diff)); @@ -18097,7 +18121,6 @@ zone_rekey(dns_zone_t *zone) { } else if (result != ISC_R_NOTFOUND) goto failure; - /* Get the CDS rdataset */ result = dns_db_findrdataset(db, node, ver, dns_rdatatype_cds, dns_rdatatype_none, 0, &cdsset, NULL); 
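Review bot: The closing braces added in zone_maintenance sit on their own `+ }` lines while the following `else if (...)` lines are unchanged context, so the result reads `}` followed by `else if` on the next line, unlike the `} else {` form this commit uses in add_sigs. Joining them as `} else if (!isc_time_isepoch(&zone->resigntime) &&` (and likewise for the nsec3chaintime branch) keeps the chain in one style. The opening brace after a wrapped condition is also placed two ways in this commit: on the condition's last line here, and on its own line in the add_signing_records hunk at -17770. The `if (zone->rss_event != NULL) break;` at the top of this hunk is still unbraced.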
@@ -18121,7 +18144,6 @@ zone_rekey(dns_zone_t *zone) { if (result == ISC_R_SUCCESS) { bool check_ksk; check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK); - result = dns_dnssec_updatekeys(&dnskeys, &keys, &rmkeys, &zone->origin, ttl, &diff, !check_ksk,