Commit 7c3f6531 authored by Michał Kępień's avatar Michał Kępień

Do not call exit() upon check_dnskey() errors

Replace all fatal() and check_result() calls inside check_dnskey() with
zoneverify_log_error() calls and error handling code.  Enable
check_dnskey() to signal errors to the caller using its return value.

Modify the call site of check_dnskey() so that its errors are properly
handled.
parent 1a6525ff
......@@ -1299,7 +1299,7 @@ check_dnskey_sigs(vctx_t *vctx, dns_rdata_dnskey_t *dnskey, dns_rdata_t *rdata,
* Check that the DNSKEY RR has at least one self signing KSK and one ZSK per
* algorithm in it (or, if -x was used, one self-signing KSK).
*/
static void
static isc_result_t
check_dnskey(vctx_t *vctx) {
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdata_dnskey_t dnskey;
......@@ -1330,10 +1330,20 @@ check_dnskey(vctx_t *vctx) {
sizeof(namebuf));
isc_buffer_init(&buf, buffer, sizeof(buffer));
result = dns_rdata_totext(&rdata, NULL, &buf);
check_result(result, "dns_rdata_totext");
fatal("revoked KSK is not self signed:\n"
"%s DNSKEY %.*s", namebuf,
(int)isc_buffer_usedlength(&buf), buffer);
if (result != ISC_R_SUCCESS) {
zoneverify_log_error(
vctx,
"dns_rdata_totext: %s",
isc_result_totext(result));
return (ISC_R_FAILURE);
}
zoneverify_log_error(
vctx,
"revoked KSK is not self signed:\n"
"%s DNSKEY %.*s", namebuf,
(int)isc_buffer_usedlength(&buf),
buffer);
return (ISC_R_FAILURE);
}
if ((dnskey.flags & DNS_KEYFLAG_KSK) != 0 &&
vctx->revoked_ksk[dnskey.algorithm] != 255)
......@@ -1347,6 +1357,8 @@ check_dnskey(vctx_t *vctx) {
dns_rdata_freestruct(&dnskey);
dns_rdata_reset(&rdata);
}
return (ISC_R_SUCCESS);
}
static void
......@@ -1585,7 +1597,10 @@ dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
goto done;
}
check_dnskey(&vctx);
result = check_dnskey(&vctx);
if (result != ISC_R_SUCCESS) {
goto done;
}
if (ignore_kskflag ) {
if (!vctx.goodksk && !vctx.goodzsk)
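Review bot: In the second hunk, when dns_rdata_totext() fails the new branch logs only the formatting error and returns, so the actual verification finding — a revoked KSK that is not self-signed — is never reported even though that is the condition this loop exists to catch. Because the later message only reads the buffer up to isc_buffer_usedlength(&buf), the safer shape is to log the totext failure and fall through rather than return early: delete the `return (ISC_R_FAILURE);` inside the `if (result != ISC_R_SUCCESS)` block so the `revoked KSK is not self signed` message is always emitted (with whatever text, possibly none, is in the buffer) and the function still returns ISC_R_FAILURE from the existing line below. check_dnskey() begins before this hunk and its loop continues past it; the dns_rdata_tostruct() call and the dns_rdata_freestruct(&dnskey) at the end of the loop body are outside the visible changed lines, so it should be confirmed that the new early returns do not skip any per-iteration cleanup that the old fatal() path never needed. In the last hunk the caller's `done:` label is also outside the hunk, so that it returns the ISC_R_FAILURE now stored in result is inferred rather than visible.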