Commit 35541328 authored by Mark Andrews's avatar Mark Andrews

1558. [func] New DNSSEC 'disable-algorithms'. Support entry into

                        child zones for which we don't have a supported
                        algorithm.  Such child zones are treated as unsigned.

1557.   [func]          Implement missing DNSSEC tests for
                        * NOQNAME proof with wildcard answers.
                        * NOWILDCARD proof with NXDOMAIN.
                        Cache and return NOQNAME with wildcard answers.
parent 1f1b47a2
1558. [func] New DNSSEC 'disable-algorithms'. Support entry into
child zones for which we don't have a supported
algorithm. Such child zones are treated as unsigned.
1557. [func] Implement missing DNSSEC tests for
* NOQNAME proof with wildcard answers.
* NOWILDARD proof with NXDOMAIN.
Cache and return NOQNAME with wildcard answers.
1556. [placeholder] rt6427
1555. [func] 'rrset-order cyclic' no longer has a random starting
......
......@@ -17,7 +17,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec-signzone.c,v 1.172 2004/01/05 05:14:51 marka Exp $ */
/* $Id: dnssec-signzone.c,v 1.173 2004/01/14 02:06:48 marka Exp $ */
#include <config.h>
......@@ -729,19 +729,6 @@ nsec_setbit(dns_name_t *name, dns_rdataset_t *rdataset, dns_rdatatype_t type,
return (answer);
}
static void
warnwild(const char *name) {
static int warned = 0;
fprintf(stderr, "%s: warning: wildcard name seen: %s\n",
program, name);
if (warned++ != 0)
return;
fprintf(stderr, "%s: warning: BIND 9 doesn't properly "
"validate responses containing wildcards.\n",
program);
}
static isc_boolean_t
delegation(dns_name_t *name, dns_dbnode_t *node, isc_uint32_t *ttlp) {
dns_rdataset_t nsset;
......@@ -782,9 +769,6 @@ signname(dns_dbnode_t *node, dns_name_t *name) {
dns_name_format(name, namestr, sizeof(namestr));
if (dns_name_iswildcard(name))
warnwild(namestr);
atorigin = dns_name_equal(name, gorigin);
/*
......
......@@ -15,7 +15,7 @@
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: query.h,v 1.34 2002/11/27 09:52:46 marka Exp $ */
/* $Id: query.h,v 1.35 2004/01/14 02:06:49 marka Exp $ */
#ifndef NAMED_QUERY_H
#define NAMED_QUERY_H 1
......@@ -64,7 +64,7 @@ struct ns_query {
#define NS_QUERYATTR_QUERYOKVALID 0x0040
#define NS_QUERYATTR_QUERYOK 0x0080
#define NS_QUERYATTR_WANTRECURSION 0x0100
/* unused */
#define NS_QUERYATTR_SECURE 0x0200
#define NS_QUERYATTR_NOAUTHORITY 0x0400
#define NS_QUERYATTR_NOADDITIONAL 0x0800
......
......@@ -15,7 +15,7 @@
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: query.c,v 1.248 2003/10/25 00:31:06 jinmei Exp $ */
/* $Id: query.c,v 1.249 2004/01/14 02:06:48 marka Exp $ */
#include <config.h>
......@@ -69,6 +69,8 @@
NS_QUERYATTR_NOAUTHORITY) != 0)
#define NOADDITIONAL(c) (((c)->query.attributes & \
NS_QUERYATTR_NOADDITIONAL) != 0)
#define SECURE(c) (((c)->query.attributes & \
NS_QUERYATTR_SECURE) != 0)
#if 0
#define CTRACE(m) isc_log_write(ns_g_lctx, \
......@@ -241,7 +243,8 @@ query_reset(ns_client_t *client, isc_boolean_t everything) {
query_maybeputqname(client);
client->query.attributes = (NS_QUERYATTR_RECURSIONOK |
NS_QUERYATTR_CACHEOK);
NS_QUERYATTR_CACHEOK |
NS_QUERYATTR_SECURE);
client->query.restarts = 0;
client->query.timerset = ISC_FALSE;
client->query.origqname = NULL;
......@@ -1337,6 +1340,10 @@ query_addrrset(ns_client_t *client, dns_name_t **namep,
query_releasename(client, namep);
}
if (rdataset->trust != dns_trust_secure &&
(section == DNS_SECTION_ANSWER ||
section == DNS_SECTION_AUTHORITY))
client->query.attributes &= ~NS_QUERYATTR_SECURE;
/*
* Note: we only add SIGs if we've added the type they cover, so
* we do not need to check if the SIG rdataset is already in the
......@@ -1728,6 +1735,11 @@ query_addbestns(ns_client_t *client) {
(sigrdataset != NULL && sigrdataset->trust == dns_trust_pending)))
goto cleanup;
if (WANTDNSSEC(client) && SECURE(client) &&
(rdataset->trust == dns_trust_glue ||
(sigrdataset != NULL && sigrdataset->trust == dns_trust_glue)))
goto cleanup;
query_addrrset(client, &fname, &rdataset, &sigrdataset, dbuf,
DNS_SECTION_AUTHORITY);
......@@ -2245,13 +2257,51 @@ setup_query_sortlist(ns_client_t *client) {
dns_message_setsortorder(client->message, order, order_arg);
}
static void
query_addnoqnameproof(ns_client_t *client, dns_rdataset_t *rdataset) {
isc_buffer_t *dbuf, b;
dns_name_t *fname;
dns_rdataset_t *nsec, *nsecsig;
isc_result_t result = ISC_R_NOMEMORY;
CTRACE("query_addnoqnameproof");
fname = NULL;
nsec = NULL;
nsecsig = NULL;
dbuf = query_getnamebuf(client);
if (dbuf == NULL)
goto cleanup;
fname = query_newname(client, dbuf, &b);
nsec = query_newrdataset(client);
nsecsig = query_newrdataset(client);
if (fname == NULL || nsec == NULL || nsecsig == NULL)
goto cleanup;
result = dns_rdataset_getnoqname(rdataset, fname, nsec, nsecsig);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
query_addrrset(client, &fname, &nsec, &nsecsig, dbuf,
DNS_SECTION_AUTHORITY);
cleanup:
if (nsec != NULL)
query_putrdataset(client, &nsec);
if (nsecsig != NULL)
query_putrdataset(client, &nsecsig);
if (fname != NULL)
query_releasename(client, &fname);
}
/*
* Do the bulk of query processing for the current query of 'client'.
* If 'event' is non-NULL, we are returning from recursion and 'qtype'
* is ignored. Otherwise, 'qtype' is the query type.
*/
static void
query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) {
query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
{
dns_db_t *db, *zdb;
dns_dbnode_t *node;
dns_rdatatype_t type;
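Review bot: In query_addnoqnameproof, `RUNTIME_CHECK(result == ISC_R_SUCCESS);` after dns_rdataset_getnoqname() turns any lookup failure into a process abort on the query path, which is a denial-of-service risk if that failure can ever be reached from cached or zone data. The callers in this commit only pass rdatasets carrying DNS_RDATASETATTR_NOQNAME, but whether that guarantees success is not visible here, so failing soft looks safer: `if (result != ISC_R_SUCCESS) goto cleanup;`. The initial `result = ISC_R_NOMEMORY` is never read, and the function has no header comment; one sentence saying it adds the stored NOQNAME NSEC and its signature to the authority section would help. The query_find signature change at the end of this hunk belongs to a body that continues outside it.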
......@@ -2276,6 +2326,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
dns_rdata_dname_t dname;
unsigned int options;
isc_boolean_t empty_wild;
dns_rdataset_t *noqname;
CTRACE("query_find");
......@@ -2852,8 +2903,15 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
NULL);
need_wildcardproof = ISC_TRUE;
}
if ((rdataset->attributes & DNS_RDATASETATTR_NOQNAME) != 0 &&
WANTDNSSEC(client))
noqname = rdataset;
else
noqname = NULL;
query_addrrset(client, &fname, &rdataset, sigrdatasetp, dbuf,
DNS_SECTION_ANSWER);
if (noqname != NULL)
query_addnoqnameproof(client, noqname);
/*
* We set the PARTIALANSWER attribute so that if anything goes
* wrong later on, we'll return what we've got so far.
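Review bot: `noqname` keeps a second pointer to `rdataset` across `query_addrrset(client, &fname, &rdataset, ...)`, which receives the pointer by address and may clear it or hand it off, so `query_addnoqnameproof(client, noqname)` relies on the rdataset still being valid afterwards. That lifetime assumption cannot be confirmed from this hunk and deserves a comment, for example `/* query_addrrset() may take over 'rdataset'; keep a pointer for the NOQNAME proof. */`. The same lines are repeated in the hunk at -3124/+3182, so a small static helper would keep the two copies from drifting apart. query_find's body starts and ends outside both hunks.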
......@@ -3124,8 +3182,15 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
sigrdatasetp = &sigrdataset;
else
sigrdatasetp = NULL;
if ((rdataset->attributes & DNS_RDATASETATTR_NOQNAME) != 0 &&
WANTDNSSEC(client))
noqname = rdataset;
else
noqname = NULL;
query_addrrset(client, &fname, &rdataset, sigrdatasetp, dbuf,
DNS_SECTION_ANSWER);
if (noqname != NULL)
query_addnoqnameproof(client, noqname);
/*
* We shouldn't ever fail to add 'rdataset'
* because it's already in the answer.
......@@ -3385,6 +3450,13 @@ ns_query_start(ns_client_t *client) {
client->query.fetchoptions |= DNS_FETCHOPT_NOVALIDATE;
}
/*
* Allow glue NS records to be added to the authority section
* if the answer is secure.
*/
if (message->flags & DNS_MESSAGEFLAG_CD)
client->query.attributes &= ~NS_QUERYATTR_SECURE;
/*
* This is an ordinary query.
*/
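Review bot: The comment added in ns_query_start says glue NS records are allowed "if the answer is secure", but the code under it clears NS_QUERYATTR_SECURE when the CD flag is set, and in query_addbestns it is `SECURE(client)` being true that makes glue-trust NS records get skipped. Read together, the comment states the opposite of what the two hunks do. Suggested wording: `/* CD is set: clear SECURE so that query_addbestns() does not suppress glue NS records. */`. NS_QUERYATTR_SECURE in query.h would also benefit from a one-line comment, since its meaning (every rrset added to the answer or authority section so far has dns_trust_secure) can only be inferred from query_reset and query_addrrset.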
......
......@@ -15,7 +15,7 @@
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: server.c,v 1.407 2004/01/05 06:56:44 marka Exp $ */
/* $Id: server.c,v 1.408 2004/01/14 02:06:49 marka Exp $ */
#include <config.h>
......@@ -28,6 +28,7 @@
#include <isc/file.h>
#include <isc/hash.h>
#include <isc/lex.h>
#include <isc/parseint.h>
#include <isc/print.h>
#include <isc/resource.h>
#include <isc/stdio.h>
......@@ -56,6 +57,7 @@
#include <dns/rdatastruct.h>
#include <dns/resolver.h>
#include <dns/rootns.h>
#include <dns/secalg.h>
#include <dns/stats.h>
#include <dns/tkey.h>
#include <dns/view.h>
......@@ -583,6 +585,52 @@ configure_peer(cfg_obj_t *cpeer, isc_mem_t *mctx, dns_peer_t **peerp) {
return (result);
}
static isc_result_t
disable_algorithms(cfg_obj_t *disabled, dns_resolver_t *resolver) {
isc_result_t result;
cfg_obj_t *algorithms;
cfg_listelt_t *element;
const char *str;
dns_fixedname_t fixed;
dns_name_t *name;
isc_buffer_t b;
dns_fixedname_init(&fixed);
name = dns_fixedname_name(&fixed);
str = cfg_obj_asstring(cfg_tuple_get(disabled, "name"));
isc_buffer_init(&b, str, strlen(str));
isc_buffer_add(&b, strlen(str));
CHECK(dns_name_fromtext(name, &b, dns_rootname, ISC_FALSE, NULL));
algorithms = cfg_tuple_get(disabled, "algorithms");
for (element = cfg_list_first(algorithms);
element != NULL;
element = cfg_list_next(element))
{
isc_textregion_t r;
dns_secalg_t alg;
r.base = cfg_obj_asstring(cfg_listelt_value(element));
r.length = strlen(r.base);
result = dns_secalg_fromtext(&alg, &r);
if (result != ISC_R_SUCCESS) {
isc_uint8_t ui;
result = isc_parse_uint8(&ui, r.base, 10);
alg = ui;
}
if (result != ISC_R_SUCCESS) {
cfg_obj_log(cfg_listelt_value(element),
ns_g_lctx, ISC_LOG_ERROR,
"invalid algorithm");
CHECK(result);
}
CHECK(dns_resolver_disable_algorithm(resolver, name, alg));
}
cleanup:
return (result);
}
/*
* Configure 'view' according to 'vconfig', taking defaults from 'config'
* where values are missing in 'vconfig'.
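Review bot: In disable_algorithms, `alg = ui;` runs even when `isc_parse_uint8()` has just failed, so `ui` may be read before it was ever written. The value is discarded by the following `CHECK(result)`, but the read is avoidable and will trip uninitialised-variable checkers. Assign only on success: `if (result == ISC_R_SUCCESS) alg = ui;`. The numeric fallback presumably accepts any 8-bit value, including numbers with no assigned algorithm; if that is intentional, a short comment saying so would help the next reader.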
......@@ -603,6 +651,7 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
cfg_obj_t *forwarders;
cfg_obj_t *alternates;
cfg_obj_t *zonelist;
cfg_obj_t *disabled;
cfg_obj_t *obj;
cfg_listelt_t *element;
in_port_t port;
......@@ -793,6 +842,20 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
if (udpsize > 4096)
udpsize = 4096;
dns_resolver_setudpsize(view->resolver, udpsize);
/*
* Set supported DNSSEC algorithms.
*/
dns_resolver_reset_algorithms(view->resolver);
disabled = NULL;
(void)ns_config_get(maps, "disable-algorithms", &disabled);
if (disabled != NULL) {
for (element = cfg_list_first(disabled);
element != NULL;
element = cfg_list_next(element))
CHECK(disable_algorithms(cfg_listelt_value(element),
view->resolver));
}
/*
* A global or view "forwarders" option, if present,
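Review bot: The block under "Set supported DNSSEC algorithms" in configure_view weakens validation for the configured names, and neither the comment nor a log message records that. Per the commit description, child zones left without a supported algorithm are treated as unsigned, so a mistaken `disable-algorithms` entry can silently turn validated answers into insecure ones. I would extend the comment, e.g. `/* Zones left with no enabled algorithm are treated as unsigned. */`, and consider an informational log line per disabled name and algorithm so operators can audit the effective policy. configure_view's body starts and ends outside the hunk.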
......
......@@ -15,7 +15,7 @@
# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
# $Id: sign.sh,v 1.16 2003/10/26 21:33:45 marka Exp $
# $Id: sign.sh,v 1.17 2004/01/14 02:06:49 marka Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
......@@ -51,3 +51,4 @@ EOF
cp trusted.conf ../ns2/trusted.conf
cp trusted.conf ../ns3/trusted.conf
cp trusted.conf ../ns4/trusted.conf
cp trusted.conf ../ns6/trusted.conf
......@@ -13,7 +13,7 @@
; NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
; WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
; $Id: example.db.in,v 1.11 2002/02/20 03:33:53 marka Exp $
; $Id: example.db.in,v 1.12 2004/01/14 02:06:49 marka Exp $
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
......@@ -70,3 +70,5 @@ z A 10.0.0.26
keyless NS ns.keyless
ns.keyless A 10.53.0.3
*.wild A 10.0.0.27
......@@ -13,7 +13,7 @@
; NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
; WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
; $Id: private.secure.example.db.in,v 1.6 2001/01/09 21:42:53 bwelling Exp $
; $Id: private.secure.example.db.in,v 1.7 2004/01/14 02:06:49 marka Exp $
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
......@@ -30,3 +30,5 @@ a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
z A 10.0.0.26
private2secure-nxdomain CNAME r.example.
*.wild CNAME s.example.
......@@ -15,7 +15,7 @@
# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
# $Id: tests.sh,v 1.41 2002/07/19 06:20:24 marka Exp $
# $Id: tests.sh,v 1.42 2004/01/14 02:06:49 marka Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
......@@ -48,6 +48,16 @@ n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:checking positive wildcard validation ($n)"
ret=0
$DIG $DIGOPTS a.wild.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS a.wild.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:checking negative validation ($n)"
ret=0
$DIG $DIGOPTS +noauth q.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
......@@ -58,6 +68,16 @@ n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:checking negative wildcard validation ($n)"
ret=0
$DIG $DIGOPTS b.wild.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS b.wild.example. @10.53.0.4 txt > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
# Check the insecure.example domain
echo "I:checking 1-server insecurity proof ($n)"
......@@ -382,6 +402,45 @@ n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:checking that lookups succeed after disabling a algorithm works ($n)"
ret=0
$DIG $DIGOPTS +noauth example. SOA @10.53.0.2 \
> dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS +noauth example. SOA @10.53.0.6 \
> dig.out.ns6.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns6.test$n || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns6.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:checking privately secure to nxdomain works ($n)"
ret=0
$DIG $DIGOPTS +noauth private2secure-nxdomain.private.secure.example. SOA @10.53.0.2 \
> dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS +noauth private2secure-nxdomain.private.secure.example. SOA @10.53.0.4 \
> dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:checking privately secure wilcard to nxdomain works ($n)"
ret=0
$DIG $DIGOPTS +noauth a.wild.private.secure.example. SOA @10.53.0.2 \
> dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS +noauth a.wild.private.secure.example. SOA @10.53.0.4 \
> dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
# Run a minimal update test if possible. This is really just
# a regression test for RT #2399; more tests should be added.
......
......@@ -15,7 +15,7 @@
# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
# $Id: ifconfig.sh,v 1.42 2003/07/30 01:38:47 marka Exp $
# $Id: ifconfig.sh,v 1.43 2004/01/14 02:06:49 marka Exp $
#
# Set up interface aliases for bind9 system tests.
......@@ -57,7 +57,7 @@ esac
case "$1" in
start|up)
for ns in 1 2 3 4 5
for ns in 1 2 3 4 5 6
do
if test -n "$base"
then
......@@ -117,7 +117,7 @@ case "$1" in
;;
stop|down)
for ns in 5 4 3 2 1
for ns in 6 5 4 3 2 1
do
if test -n "$base"
then
......
......@@ -2,7 +2,7 @@
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
"http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd">
<!-- File: $Id: Bv9ARM-book.xml,v 1.231 2003/10/07 03:34:30 marka Exp $ -->
<!-- File: $Id: Bv9ARM-book.xml,v 1.232 2004/01/14 02:06:49 marka Exp $ -->
<book>
<title>BIND 9 Administrator Reference Manual</title>
......@@ -2818,6 +2818,7 @@ statement in the <filename>named.conf</filename> file:</para>
<optional> edns-udp-size <replaceable>number</replaceable>; </optional>
<optional> root-delegation-only <optional> exclude { <replaceable>namelist</replaceable> } </optional> ; </optional>
};
<optional> disable-algorithms <replaceable>domain</replaceable> { <replaceable>algorithm</replaceable>; <optional> <replaceable>algorithm</replaceable>; </optional> }; </optional>
</programlisting>
</sect2>
......@@ -2955,8 +2956,14 @@ options {
};
</programlisting>
</listitem></varlistentry>
</variablelist>
<varlistentry><term><command>disable-algorithms</command></term>
<listitem><para>
Disable the specified DNSSEC algorithms at and below the specified name.
Multiple <command>disable-algorithms</command> statements are allowed.
Only the most specific will be applied.
</para></listitem></varlistentry>
</variablelist>
<sect3 id="boolean_options"><title>Boolean Options</title>
......
......@@ -79,6 +79,7 @@ options {
<integer>] | <ipv4_address> [port <integer>] | <ipv6_address> [port <integer>] ); ... };
edns-udp-size <integer>;
root-delegation-only [ exclude { <quoted_string>; ... } ];
disable-algorithms <string> { <string>; ... };
allow-query { <address_match_element>; ... };
allow-transfer { <address_match_element>; ... };
allow-update-forwarding { <address_match_element>; ... };
......@@ -255,6 +256,7 @@ view <string> <optional_class> {
<integer>] | <ipv4_address> [port <integer>] | <ipv6_address> [port <integer>] ); ... };
edns-udp-size <integer>;
root-delegation-only [ exclude { <quoted_string>; ... } ];
disable-algorithms <string> { <string>; ... };
allow-query { <address_match_element>; ... };
allow-transfer { <address_match_element>; ... };
allow-update-forwarding { <address_match_element>; ... };
......
......@@ -15,7 +15,7 @@
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: check.c,v 1.41 2003/09/25 18:16:47 jinmei Exp $ */
/* $Id: check.c,v 1.42 2004/01/14 02:06:49 marka Exp $ */
#include <config.h>
......@@ -26,6 +26,7 @@
#include <isc/log.h>
#include <isc/mem.h>
#include <isc/netaddr.h>
#include <isc/parseint.h>
#include <isc/region.h>
#include <isc/result.h>
#include <isc/sockaddr.h>
......@@ -35,6 +36,7 @@
#include <dns/fixedname.h>
#include <dns/rdataclass.h>
#include <dns/rdatatype.h>
#include <dns/secalg.h>
#include <isccfg/cfg.h>
......@@ -219,6 +221,57 @@ check_forward(cfg_obj_t *options, isc_log_t *logctx) {
return (ISC_R_SUCCESS);
}
static isc_result_t
disabled_algorithms(cfg_obj_t *disabled, isc_log_t *logctx) {
isc_result_t result = ISC_R_SUCCESS;
isc_result_t tresult;
cfg_listelt_t *element;
const char *str;
isc_buffer_t b;
dns_fixedname_t fixed;
dns_name_t *name;
cfg_obj_t *obj;
dns_fixedname_init(&fixed);
name = dns_fixedname_name(&fixed);
obj = cfg_tuple_get(disabled, "name");
str = cfg_obj_asstring(obj);
isc_buffer_init(&b, str, strlen(str));
isc_buffer_add(&b, strlen(str));
tresult = dns_name_fromtext(name, &b, dns_rootname, ISC_FALSE, NULL);
if (tresult != ISC_R_SUCCESS) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"bad domain name '%s'", str);
result = tresult;
}
obj = cfg_tuple_get(disabled, "algorithms");
for (element = cfg_list_first(obj);
element != NULL;
element = cfg_list_next(element))
{
isc_textregion_t r;
dns_secalg_t alg;
isc_result_t tresult;
r.base = cfg_obj_asstring(cfg_listelt_value(element));
r.length = strlen(r.base);
tresult = dns_secalg_fromtext(&alg, &r);
if (tresult != ISC_R_SUCCESS) {
isc_uint8_t ui;
result = isc_parse_uint8(&ui, r.base, 10);
}
if (tresult != ISC_R_SUCCESS) {
cfg_obj_log(cfg_listelt_value(element), logctx,
ISC_LOG_ERROR, "invalid algorithm");
result = tresult;
}
}
return (result);
}
typedef struct {
const char *name;
unsigned int scale;
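Review bot: In disabled_algorithms the numeric fallback stores its result in the wrong variable: `result = isc_parse_uint8(&ui, r.base, 10);` should assign `tresult`, because the next test is still `if (tresult != ISC_R_SUCCESS)`. As written, every algorithm given as a number is logged as "invalid algorithm" by the checker even though disable_algorithms in server.c accepts it, and a successful parse briefly overwrites `result`, which may already hold the bad-domain-name error. The inner `isc_result_t tresult;` declaration also shadows the function-level one and can be dropped. Proposed line: `tresult = isc_parse_uint8(&ui, r.base, 10);`.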
......@@ -228,8 +281,10 @@ typedef struct {
static isc_result_t
check_options(cfg_obj_t *options, isc_log_t *logctx) {
isc_result_t result = ISC_R_SUCCESS;
isc_result_t tresult;
unsigned int i;
cfg_obj_t *obj = NULL;
cfg_listelt_t *element;