Commit 1a6525ff authored by Michał Kępień's avatar Michał Kępień

Do not call exit() upon check_apex_rrsets() errors

Replace all fatal() calls inside check_apex_rrsets() with
zoneverify_log_error() calls and error handling code.  Enable
check_apex_rrsets() to signal errors to the caller using its return
value.

Modify the call site of check_apex_rrsets() so that its errors are
properly handled.
parent ee061820
......@@ -1155,60 +1155,103 @@ vctx_destroy(vctx_t *vctx) {
isc_heap_destroy(&vctx->found_chains);
}
static void
static isc_result_t
check_apex_rrsets(vctx_t *vctx) {
dns_dbnode_t *node = NULL;
isc_result_t result;
result = dns_db_findnode(vctx->db, vctx->origin, ISC_FALSE, &node);
if (result != ISC_R_SUCCESS)
fatal("failed to find the zone's origin: %s",
isc_result_totext(result));
if (result != ISC_R_SUCCESS) {
zoneverify_log_error(vctx,
"failed to find the zone's origin: %s",
isc_result_totext(result));
return (result);
}
result = dns_db_findrdataset(vctx->db, node, vctx->ver,
dns_rdatatype_dnskey, 0, 0,
&vctx->keyset, &vctx->keysigs);
if (result != ISC_R_SUCCESS)
fatal("Zone contains no DNSSEC keys\n");
if (result != ISC_R_SUCCESS) {
zoneverify_log_error(vctx, "Zone contains no DNSSEC keys");
goto done;
}
result = dns_db_findrdataset(vctx->db, node, vctx->ver,
dns_rdatatype_soa, 0, 0,
&vctx->soaset, &vctx->soasigs);
if (result != ISC_R_SUCCESS)
fatal("Zone contains no SOA record\n");
if (result != ISC_R_SUCCESS) {
zoneverify_log_error(vctx, "Zone contains no SOA record");
goto done;
}
result = dns_db_findrdataset(vctx->db, node, vctx->ver,
dns_rdatatype_nsec, 0, 0,
&vctx->nsecset, &vctx->nsecsigs);
if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND)
fatal("NSEC lookup failed\n");
if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
zoneverify_log_error(vctx, "NSEC lookup failed");
goto done;
}
result = dns_db_findrdataset(vctx->db, node, vctx->ver,
dns_rdatatype_nsec3param, 0, 0,
&vctx->nsec3paramset,
&vctx->nsec3paramsigs);
if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND)
fatal("NSEC3PARAM lookup failed\n");
if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
zoneverify_log_error(vctx, "NSEC3PARAM lookup failed");
goto done;
}
if (!dns_rdataset_isassociated(&vctx->keysigs))
fatal("DNSKEY is not signed (keys offline or inactive?)\n");
if (!dns_rdataset_isassociated(&vctx->keysigs)) {
zoneverify_log_error(vctx,
"DNSKEY is not signed "
"(keys offline or inactive?)");
result = ISC_R_FAILURE;
goto done;
}
if (!dns_rdataset_isassociated(&vctx->soasigs))
fatal("SOA is not signed (keys offline or inactive?)\n");
if (!dns_rdataset_isassociated(&vctx->soasigs)) {
zoneverify_log_error(vctx,
"SOA is not signed "
"(keys offline or inactive?)");
result = ISC_R_FAILURE;
goto done;
}
if (dns_rdataset_isassociated(&vctx->nsecset) &&
!dns_rdataset_isassociated(&vctx->nsecsigs))
fatal("NSEC is not signed (keys offline or inactive?)\n");
{
zoneverify_log_error(vctx,
"NSEC is not signed "
"(keys offline or inactive?)");
result = ISC_R_FAILURE;
goto done;
}
if (dns_rdataset_isassociated(&vctx->nsec3paramset) &&
!dns_rdataset_isassociated(&vctx->nsec3paramsigs))
fatal("NSEC3PARAM is not signed (keys offline or inactive?)\n");
{
zoneverify_log_error(vctx,
"NSEC3PARAM is not signed "
"(keys offline or inactive?)");
result = ISC_R_FAILURE;
goto done;
}
if (!dns_rdataset_isassociated(&vctx->nsecset) &&
!dns_rdataset_isassociated(&vctx->nsec3paramset))
fatal("No valid NSEC/NSEC3 chain for testing\n");
{
zoneverify_log_error(vctx,
"No valid NSEC/NSEC3 chain for testing");
result = ISC_R_FAILURE;
goto done;
}
result = ISC_R_SUCCESS;
done:
dns_db_detachnode(vctx->db, &node);
return (result);
}
/*%
......@@ -1537,7 +1580,10 @@ dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
return;
}
check_apex_rrsets(&vctx);
result = check_apex_rrsets(&vctx);
if (result != ISC_R_SUCCESS) {
goto done;
}
check_dnskey(&vctx);
......@@ -1568,5 +1614,6 @@ dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
print_summary(&vctx, keyset_kskonly);
}
done:
vctx_destroy(&vctx);
}
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment