Commit 3a14450d authored by Michał Kępień's avatar Michał Kępień

Move verifyzone() and its dependencies into lib/dns/zoneverify.c

This commit only moves code around, with the following exceptions:

  - the check_dns_dbiterator_current() macro and functions
    is_delegation() and has_dname() were removed from
    bin/dnssec/dnssectool.{c,h} and duplicated in two locations:
    bin/dnssec/dnssec-signzone.c and lib/dns/zoneverify.c; these
    functions are used both by the code in bin/dnssec/dnssec-signzone.c
    and verifyzone(), but are not a good fit for being exported by a
    code module responsible for zone verification,

  - fatal() and check_result() were duplicated in lib/dns/zoneverify.c
    as static functions which do not use the "program" variable any more
    (as it is only set by the tools in bin/dnssec/); this is a temporary
    step which only aims to prevent compilation from breaking - these
    duplicate functions will be removed once lib/dns/zoneverify.c is
    refactored not to use them,

  - the list of header files included by lib/dns/zoneverify.c was
    expanded to encompass all header files that are actually used by the
    code in that file,

  - a description of the purpose of the commented out "fields" inside
    struct nsec3_chain_fixed was added.
parent ffe8ddd9
......@@ -76,6 +76,7 @@
#include <dns/soa.h>
#include <dns/time.h>
#include <dns/update.h>
#include <dns/zoneverify.h>
#include <dst/dst.h>
......@@ -96,6 +97,10 @@ typedef struct hashlist hashlist_t;
static int nsec_datatype = dns_rdatatype_nsec;
#define check_dns_dbiterator_current(result) \
check_result((result == DNS_R_NEWORIGIN) ? ISC_R_SUCCESS : result, \
"dns_dbiterator_current()")
#define IS_NSEC3 (nsec_datatype == dns_rdatatype_nsec3)
#define OPTOUT(x) (((x) & DNS_NSEC3FLAG_OPTOUT) != 0)
......@@ -1042,6 +1047,47 @@ secure(dns_name_t *name, dns_dbnode_t *node) {
return (ISC_TF(result == ISC_R_SUCCESS));
}
static isc_boolean_t
is_delegation(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
dns_name_t *name, dns_dbnode_t *node, isc_uint32_t *ttlp)
{
dns_rdataset_t nsset;
isc_result_t result;
if (dns_name_equal(name, origin))
return (ISC_FALSE);
dns_rdataset_init(&nsset);
result = dns_db_findrdataset(db, node, ver, dns_rdatatype_ns,
0, 0, &nsset, NULL);
if (dns_rdataset_isassociated(&nsset)) {
if (ttlp != NULL)
*ttlp = nsset.ttl;
dns_rdataset_disassociate(&nsset);
}
return (ISC_TF(result == ISC_R_SUCCESS));
}
/*%
* Return ISC_TRUE if version 'ver' of database 'db' contains a DNAME RRset at
* 'node'; return ISC_FALSE otherwise.
*/
static isc_boolean_t
has_dname(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node) {
dns_rdataset_t dnameset;
isc_result_t result;
dns_rdataset_init(&dnameset);
result = dns_db_findrdataset(db, node, ver, dns_rdatatype_dname, 0, 0,
&dnameset, NULL);
if (dns_rdataset_isassociated(&dnameset)) {
dns_rdataset_disassociate(&dnameset);
}
return (ISC_TF(result == ISC_R_SUCCESS));
}
/*%
* Signs all records at a name.
*/
......
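Review bot: The `check_dns_dbiterator_current` macro added near the top of this file uses its `result` argument unparenthesized and evaluates it twice, so an expression argument such as a function call would be evaluated twice and a compound expression could misparse; since the macro only forwards to `check_result()`, a `static inline void check_dns_dbiterator_current(isc_result_t result)` with the same body would be type-checked and single-evaluation, or at minimum the expansion should read `check_result(((result) == DNS_R_NEWORIGIN) ? ISC_R_SUCCESS : (result), "dns_dbiterator_current()")`. The duplicated `is_delegation()` in the later hunk also arrives without the Doxygen-style comment that `has_dname()` kept; suggest `/*% Return ISC_TRUE if 'name' is not 'origin' and 'node' owns an NS RRset in version 'ver' of 'db'; store the NS TTL in '*ttlp' when it is non-NULL. */`. Per the commit message the same macro and functions were copied into lib/dns/zoneverify.c as well, so that copy would need the same treatment.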
......@@ -58,6 +58,7 @@
#include <dns/result.h>
#include <dns/soa.h>
#include <dns/time.h>
#include <dns/zoneverify.h>
#include <dst/dst.h>
......
......@@ -18,11 +18,6 @@
#include <dns/rdatastruct.h>
#include <dst/dst.h>
#define check_dns_dbiterator_current(result) \
check_result((result == DNS_R_NEWORIGIN) ? ISC_R_SUCCESS : result, \
"dns_dbiterator_current()")
typedef void (fatalcallback_t)(void);
ISC_PLATFORM_NORETURN_PRE void
......@@ -76,22 +71,6 @@ isc_boolean_t
key_collision(dst_key_t *key, dns_name_t *name, const char *dir,
isc_mem_t *mctx, isc_boolean_t *exact);
isc_boolean_t
is_delegation(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
dns_name_t *name, dns_dbnode_t *node, isc_uint32_t *ttlp);
/*%
* Return ISC_TRUE if version 'ver' of database 'db' contains a DNAME RRset at
* 'node'; return ISC_FALSE otherwise.
*/
isc_boolean_t
has_dname(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node);
void
verifyzone(dns_db_t *db, dns_dbversion_t *ver,
dns_name_t *origin, isc_mem_t *mctx,
isc_boolean_t ignore_kskflag, isc_boolean_t keyset_kskonly);
isc_boolean_t
isoptarg(const char *arg, char **argv, void (*usage)(void));
......
......@@ -77,7 +77,8 @@ DNSOBJS = acl.@O@ adb.@O@ badcache.@O@ byaddr.@O@ \
sdlz.@O@ soa.@O@ ssu.@O@ ssu_external.@O@ \
stats.@O@ tcpmsg.@O@ time.@O@ timer.@O@ tkey.@O@ \
tsec.@O@ tsig.@O@ ttl.@O@ update.@O@ validator.@O@ \
version.@O@ view.@O@ xfrin.@O@ zone.@O@ zonekey.@O@ zt.@O@
version.@O@ view.@O@ xfrin.@O@ zone.@O@ zonekey.@O@ \
zoneverify.@O@ zt.@O@
PORTDNSOBJS = client.@O@ ecdb.@O@
OBJS= @DNSTAPOBJS@ ${DNSOBJS} ${OTHEROBJS} ${DSTOBJS} \
......@@ -119,7 +120,8 @@ DNSSRCS = acl.c adb.c badcache. byaddr.c \
sdb.c sdlz.c soa.c ssu.c ssu_external.c \
stats.c tcpmsg.c time.c timer.c tkey.c \
tsec.c tsig.c ttl.c update.c validator.c \
version.c view.c xfrin.c zone.c zonekey.c zt.c ${OTHERSRCS}
version.c view.c xfrin.c zone.c zoneverify.c \
zonekey.c zt.c ${OTHERSRCS}
PORTDNSSRCS = client.c ecdb.c
SRCS = ${DSTSRCS} ${DNSSRCS} ${PORTDNSSRCS} @DNSTAPSRCS@ @GEOIPLINKSRCS@
......
......@@ -31,7 +31,7 @@ HEADERS = acl.h adb.h badcache.h bit.h byaddr.h \
sdb.h sdlz.h secalg.h secproto.h soa.h ssu.h stats.h \
tcpmsg.h time.h timer.h tkey.h tsec.h tsig.h ttl.h types.h \
update.h validator.h version.h view.h xfrin.h \
zone.h zonekey.h zt.h
zone.h zonekey.h zoneverify.h zt.h
GENHEADERS = @DNSTAP_PB_C_H@ enumclass.h enumtype.h rdatastruct.h
......
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
#pragma once
/*! \file dns/zoneverify.h */
#include <dns/types.h>
#include <isc/types.h>
ISC_LANG_BEGINDECLS
/*%
* Verify that certain things are sane:
*
* The apex has a DNSKEY record with at least one KSK, and at least
* one ZSK if the -x flag was not used.
*
* The DNSKEY record was signed with at least one of the KSKs in this
* set.
*
* The rest of the zone was signed with at least one of the ZSKs
* present in the DNSKEY RRSET.
*/
void
verifyzone(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
isc_mem_t *mctx, isc_boolean_t ignore_kskflag,
isc_boolean_t keyset_kskonly);
ISC_LANG_ENDDECLS
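Review bot: The header comment on `verifyzone()` describes the contract in terms of a command-line flag (`-x`) that has no meaning once the function lives in libdns; it should be phrased in terms of the parameters, e.g. `'ignore_kskflag'` and `'keyset_kskonly'`, and say what each argument means, including who owns `mctx` and whether `ver` must be a read-only version. The commit message says `fatal()` was duplicated into lib/dns/zoneverify.c, so `verifyzone()` presumably does not return on a verification failure but terminates the process — a library caller must know that, so the comment should state it (marked as interim until the planned refactor replaces it with a returned `isc_result_t`). The symbol is also exported without the `dns_` prefix the surrounding exports carry, and in win32/libdns.def the `verifyzone` line is placed between `dns_zonemgr_unreachabledel` and `dns_zt_apply`, which is where `dns_zoneverify` would sort but is out of order for the name as written. Finally, `ISC_LANG_BEGINDECLS` is defined in `<isc/lang.h>`; unless `<isc/types.h>` or `<dns/types.h>` pulls it in transitively, this header should include it directly rather than rely on its includers.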
......@@ -1334,6 +1334,7 @@ dns_zonemgr_shutdown
dns_zonemgr_unreachable
dns_zonemgr_unreachableadd
dns_zonemgr_unreachabledel
verifyzone
dns_zt_apply
dns_zt_asyncload
dns_zt_attach
......
......@@ -3081,6 +3081,7 @@
./lib/dns/include/dns/xfrin.h C 1999,2000,2001,2003,2004,2005,2006,2007,2009,2013,2016,2018
./lib/dns/include/dns/zone.h C 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018
./lib/dns/include/dns/zonekey.h C 2001,2004,2005,2006,2007,2016,2018
./lib/dns/include/dns/zoneverify.h C 2018
./lib/dns/include/dns/zt.h C 1999,2000,2001,2002,2004,2005,2006,2007,2011,2016,2017,2018
./lib/dns/include/dst/Makefile.in MAKE 1998,1999,2000,2001,2004,2007,2012,2015,2016,2018
./lib/dns/include/dst/dst.h C 2000,2001,2002,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018
......@@ -3421,6 +3422,7 @@
./lib/dns/zone.c C 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018
./lib/dns/zone_p.h C 2018
./lib/dns/zonekey.c C 2001,2003,2004,2005,2007,2016,2018
./lib/dns/zoneverify.c C 2018
./lib/dns/zt.c C 1999,2000,2001,2002,2004,2005,2006,2007,2011,2012,2013,2014,2015,2016,2017,2018
./lib/irs/Atffile X 2016,2018
./lib/irs/Kyuafile X 2017,2018
......