Commit d4f3b14c authored by Michał Kępień's avatar Michał Kępień

Extract check_dnskey() from dns_zoneverify_dnssec()

Extract the part of dns_zoneverify_dnssec() responsible for checking the
DNSKEY RRset at zone apex to a separate function.
parent 097b5774
......@@ -1213,41 +1213,20 @@ check_apex_rrsets(vctx_t *vctx) {
dns_db_detachnode(vctx->db, &node);
}
void
dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
dns_name_t *origin, isc_mem_t *mctx,
isc_boolean_t ignore_kskflag,
isc_boolean_t keyset_kskonly)
{
char algbuf[80];
dns_dbiterator_t *dbiter = NULL;
dns_dbnode_t *node = NULL, *nextnode = NULL;
dns_fixedname_t fname, fnextname, fprevname, fzonecut;
dns_name_t *name, *nextname, *prevname, *zonecut;
dns_rdata_dnskey_t dnskey;
/*%
* Check that the DNSKEY RR has at least one self signing KSK and one ZSK per
* algorithm in it (or, if -x was used, one self-signing KSK).
*/
static void
check_dnskey(vctx_t *vctx) {
dns_rdata_t rdata = DNS_RDATA_INIT;
int i;
isc_boolean_t done = ISC_FALSE;
isc_boolean_t first = ISC_TRUE;
isc_result_t result, vresult = ISC_R_UNSET;
vctx_t vctx;
result = vctx_init(&vctx, mctx, zone, db, ver, origin);
if (result != ISC_R_SUCCESS) {
return;
}
check_apex_rrsets(&vctx);
dns_rdata_dnskey_t dnskey;
isc_result_t result;
/*
* Check that the DNSKEY RR has at least one self signing KSK
* and one ZSK per algorithm in it (or, if -x was used, one
* self-signing KSK).
*/
for (result = dns_rdataset_first(&vctx.keyset);
for (result = dns_rdataset_first(&vctx->keyset);
result == ISC_R_SUCCESS;
result = dns_rdataset_next(&vctx.keyset)) {
dns_rdataset_current(&vctx.keyset, &rdata);
result = dns_rdataset_next(&vctx->keyset)) {
dns_rdataset_current(&vctx->keyset, &rdata);
result = dns_rdata_tostruct(&rdata, &dnskey, NULL);
check_result(result, "dns_rdata_tostruct");
......@@ -1255,14 +1234,15 @@ dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
;
else if ((dnskey.flags & DNS_KEYFLAG_REVOKE) != 0) {
if ((dnskey.flags & DNS_KEYFLAG_KSK) != 0 &&
!dns_dnssec_selfsigns(&rdata, vctx.origin,
&vctx.keyset, &vctx.keysigs,
ISC_FALSE, vctx.mctx)) {
!dns_dnssec_selfsigns(&rdata, vctx->origin,
&vctx->keyset,
&vctx->keysigs, ISC_FALSE,
vctx->mctx)) {
char namebuf[DNS_NAME_FORMATSIZE];
char buffer[1024];
isc_buffer_t buf;
dns_name_format(vctx.origin, namebuf,
dns_name_format(vctx->origin, namebuf,
sizeof(namebuf));
isc_buffer_init(&buf, buffer, sizeof(buffer));
result = dns_rdata_totext(&rdata, NULL, &buf);
......@@ -1272,40 +1252,67 @@ dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
(int)isc_buffer_usedlength(&buf), buffer);
}
if ((dnskey.flags & DNS_KEYFLAG_KSK) != 0 &&
vctx.revoked_ksk[dnskey.algorithm] != 255)
vctx.revoked_ksk[dnskey.algorithm]++;
vctx->revoked_ksk[dnskey.algorithm] != 255)
vctx->revoked_ksk[dnskey.algorithm]++;
else if ((dnskey.flags & DNS_KEYFLAG_KSK) == 0 &&
vctx.revoked_zsk[dnskey.algorithm] != 255)
vctx.revoked_zsk[dnskey.algorithm]++;
vctx->revoked_zsk[dnskey.algorithm] != 255)
vctx->revoked_zsk[dnskey.algorithm]++;
} else if ((dnskey.flags & DNS_KEYFLAG_KSK) != 0) {
if (dns_dnssec_selfsigns(&rdata, vctx.origin,
&vctx.keyset, &vctx.keysigs,
ISC_FALSE, vctx.mctx)) {
if (vctx.ksk_algorithms[dnskey.algorithm] != 255)
vctx.ksk_algorithms[dnskey.algorithm]++;
vctx.goodksk = ISC_TRUE;
if (dns_dnssec_selfsigns(&rdata, vctx->origin,
&vctx->keyset, &vctx->keysigs,
ISC_FALSE, vctx->mctx)) {
if (vctx->ksk_algorithms[dnskey.algorithm] != 255)
vctx->ksk_algorithms[dnskey.algorithm]++;
vctx->goodksk = ISC_TRUE;
} else {
if (vctx.standby_ksk[dnskey.algorithm] != 255)
vctx.standby_ksk[dnskey.algorithm]++;
if (vctx->standby_ksk[dnskey.algorithm] != 255)
vctx->standby_ksk[dnskey.algorithm]++;
}
} else if (dns_dnssec_selfsigns(&rdata, vctx.origin,
&vctx.keyset, &vctx.keysigs,
ISC_FALSE, vctx.mctx)) {
if (vctx.zsk_algorithms[dnskey.algorithm] != 255)
vctx.zsk_algorithms[dnskey.algorithm]++;
vctx.goodzsk = ISC_TRUE;
} else if (dns_dnssec_signs(&rdata, vctx.origin, &vctx.soaset,
&vctx.soasigs, ISC_FALSE,
vctx.mctx)) {
if (vctx.zsk_algorithms[dnskey.algorithm] != 255)
vctx.zsk_algorithms[dnskey.algorithm]++;
} else if (dns_dnssec_selfsigns(&rdata, vctx->origin,
&vctx->keyset, &vctx->keysigs,
ISC_FALSE, vctx->mctx)) {
if (vctx->zsk_algorithms[dnskey.algorithm] != 255)
vctx->zsk_algorithms[dnskey.algorithm]++;
vctx->goodzsk = ISC_TRUE;
} else if (dns_dnssec_signs(&rdata, vctx->origin,
&vctx->soaset, &vctx->soasigs,
ISC_FALSE, vctx->mctx)) {
if (vctx->zsk_algorithms[dnskey.algorithm] != 255)
vctx->zsk_algorithms[dnskey.algorithm]++;
} else {
if (vctx.standby_zsk[dnskey.algorithm] != 255)
vctx.standby_zsk[dnskey.algorithm]++;
if (vctx->standby_zsk[dnskey.algorithm] != 255)
vctx->standby_zsk[dnskey.algorithm]++;
}
dns_rdata_freestruct(&dnskey);
dns_rdata_reset(&rdata);
}
}
void
dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
dns_name_t *origin, isc_mem_t *mctx,
isc_boolean_t ignore_kskflag,
isc_boolean_t keyset_kskonly)
{
char algbuf[80];
dns_dbiterator_t *dbiter = NULL;
dns_dbnode_t *node = NULL, *nextnode = NULL;
dns_fixedname_t fname, fnextname, fprevname, fzonecut;
dns_name_t *name, *nextname, *prevname, *zonecut;
int i;
isc_boolean_t done = ISC_FALSE;
isc_boolean_t first = ISC_TRUE;
isc_result_t result, vresult = ISC_R_UNSET;
vctx_t vctx;
result = vctx_init(&vctx, mctx, zone, db, ver, origin);
if (result != ISC_R_SUCCESS) {
return;
}
check_apex_rrsets(&vctx);
check_dnskey(&vctx);
if (ignore_kskflag ) {
if (!vctx.goodksk && !vctx.goodzsk)
......
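Review bot: The header comment on the new check_dnskey() in the first hunk (`Check that the DNSKEY RR has at least one self signing KSK and one ZSK per algorithm in it`) describes a check the function body does not perform: the loop only tallies per-algorithm counts into vctx->ksk_algorithms, zsk_algorithms, standby_ksk/standby_zsk and revoked_ksk/revoked_zsk and sets vctx->goodksk/goodzsk, while the pass/fail decision appears to remain in dns_zoneverify_dnssec() after the `check_dnskey(&vctx);` call (the `if (ignore_kskflag )` branch, whose body continues outside the hunk). Since this is the step that determines whether the apex key set is accepted as verified, a maintainer reading the comment could wrongly assume a failure is reported here rather than by the caller. Suggest rewording to `/*% Classify each apex DNSKEY by algorithm, KSK/ZSK role, revocation and self-signature status, tallying the results into vctx; the caller decides whether the tallies satisfy the policy. Counts saturate at 255. */`, which also documents the `!= 255` guards on every counter.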