Commit e495999c authored by Michał Kępień's avatar Michał Kępień

Merge branch '266-convert-verifyzone-to-a-libdns-function' into 'master'

Convert verifyzone() to a libdns function

Closes #266

See merge request !291
parents c37537cf ad118d6e
4973. [func] verifyzone() and the functions it uses were moved to
libdns and refactored to prevent exit() from being
called upon failure. A side effect of that is that
dnssec-signzone and dnssec-verify now check for memory
leaks upon shutdown. [GL #266]
4972. [func] Declare the 'rdata' argument for dns_rdata_tostruct()
to be const. [GL #341]
......
......@@ -76,6 +76,7 @@
#include <dns/soa.h>
#include <dns/time.h>
#include <dns/update.h>
#include <dns/zoneverify.h>
#include <dst/dst.h>
......@@ -96,6 +97,10 @@ typedef struct hashlist hashlist_t;
static int nsec_datatype = dns_rdatatype_nsec;
#define check_dns_dbiterator_current(result) \
check_result((result == DNS_R_NEWORIGIN) ? ISC_R_SUCCESS : result, \
"dns_dbiterator_current()")
#define IS_NSEC3 (nsec_datatype == dns_rdatatype_nsec3)
#define OPTOUT(x) (((x) & DNS_NSEC3FLAG_OPTOUT) != 0)
......@@ -498,11 +503,11 @@ signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name,
dns_ttl_t ttl;
int i;
char namestr[DNS_NAME_FORMATSIZE];
char typestr[TYPE_FORMATSIZE];
char typestr[DNS_RDATATYPE_FORMATSIZE];
char sigstr[SIG_FORMATSIZE];
dns_name_format(name, namestr, sizeof(namestr));
type_format(set->type, typestr, sizeof(typestr));
dns_rdatatype_format(set->type, typestr, sizeof(typestr));
ttl = ISC_MIN(set->ttl, endtime - starttime);
......@@ -1042,6 +1047,47 @@ secure(dns_name_t *name, dns_dbnode_t *node) {
return (ISC_TF(result == ISC_R_SUCCESS));
}
static isc_boolean_t
is_delegation(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
dns_name_t *name, dns_dbnode_t *node, isc_uint32_t *ttlp)
{
dns_rdataset_t nsset;
isc_result_t result;
if (dns_name_equal(name, origin))
return (ISC_FALSE);
dns_rdataset_init(&nsset);
result = dns_db_findrdataset(db, node, ver, dns_rdatatype_ns,
0, 0, &nsset, NULL);
if (dns_rdataset_isassociated(&nsset)) {
if (ttlp != NULL)
*ttlp = nsset.ttl;
dns_rdataset_disassociate(&nsset);
}
return (ISC_TF(result == ISC_R_SUCCESS));
}
/*%
* Return ISC_TRUE if version 'ver' of database 'db' contains a DNAME RRset at
* 'node'; return ISC_FALSE otherwise.
*/
static isc_boolean_t
has_dname(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node) {
dns_rdataset_t dnameset;
isc_result_t result;
dns_rdataset_init(&dnameset);
result = dns_db_findrdataset(db, node, ver, dns_rdatatype_dname, 0, 0,
&dnameset, NULL);
if (dns_rdataset_isassociated(&dnameset)) {
dns_rdataset_disassociate(&dnameset);
}
return (ISC_TF(result == ISC_R_SUCCESS));
}
/*%
* Signs all records at a name.
*/
......@@ -2090,10 +2136,10 @@ rrset_cleanup(dns_name_t *name, dns_rdataset_t *rdataset,
unsigned int count1 = 0;
dns_rdataset_t tmprdataset;
char namestr[DNS_NAME_FORMATSIZE];
char typestr[TYPE_FORMATSIZE];
char typestr[DNS_RDATATYPE_FORMATSIZE];
dns_name_format(name, namestr, sizeof(namestr));
type_format(rdataset->type, typestr, sizeof(typestr));
dns_rdatatype_format(rdataset->type, typestr, sizeof(typestr));
dns_rdataset_init(&tmprdataset);
for (result = dns_rdataset_first(rdataset);
......@@ -3181,7 +3227,7 @@ main(int argc, char *argv[]) {
isc_time_t timer_start, timer_finish;
isc_time_t sign_start, sign_finish;
dns_dnsseckey_t *key;
isc_result_t result;
isc_result_t result, vresult;
isc_log_t *log = NULL;
#ifdef USE_PKCS11
const char *engine = PKCS11_ENGINE;
......@@ -3866,9 +3912,18 @@ main(int argc, char *argv[]) {
postsign();
TIME_NOW(&sign_finish);
if (!disable_zone_check)
verifyzone(gdb, gversion, gorigin, mctx,
ignore_kskflag, keyset_kskonly);
if (disable_zone_check) {
vresult = ISC_R_SUCCESS;
} else {
vresult = dns_zoneverify_dnssec(NULL, gdb, gversion, gorigin,
mctx, ignore_kskflag,
keyset_kskonly);
if (vresult != ISC_R_SUCCESS) {
fprintf(output_stdout ? stderr : stdout,
"Zone verification failed (%s)\n",
isc_result_totext(vresult));
}
}
if (outputformat != dns_masterformat_text) {
dns_masterrawheader_t header;
......@@ -3894,12 +3949,16 @@ main(int argc, char *argv[]) {
check_result(result, "isc_stdio_close");
removefile = ISC_FALSE;
result = isc_file_rename(tempfile, output);
if (result != ISC_R_SUCCESS)
fatal("failed to rename temp file to %s: %s",
output, isc_result_totext(result));
printf("%s\n", output);
if (vresult == ISC_R_SUCCESS) {
result = isc_file_rename(tempfile, output);
if (result != ISC_R_SUCCESS) {
fatal("failed to rename temp file to %s: %s",
output, isc_result_totext(result));
}
printf("%s\n", output);
} else {
isc_file_remove(tempfile);
}
}
dns_db_closeversion(gdb, &gversion, ISC_FALSE);
......@@ -3939,5 +3998,5 @@ main(int argc, char *argv[]) {
#ifdef _WIN32
DestroySockets();
#endif
return (0);
return (vresult == ISC_R_SUCCESS ? 0 : 1);
}
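Review bot: The failure branch near the end of main() discards the unverified output with `isc_file_remove(tempfile);` but ignores its result, so if the unlink fails a zone file that did not pass DNSSEC verification silently stays on disk under the temp name, and `removefile` has already been cleared just above the hunk so no later cleanup will retry. I would report it: `result = isc_file_remove(tempfile);` / `if (result != ISC_R_SUCCESS)` / `fprintf(stderr, "failed to remove %s: %s\n", tempfile, isc_result_totext(result));`. The rename/remove branch also appears to sit inside a block that is skipped when `output_stdout` is set, so in that mode the unverified zone has presumably already been emitted before the exit status of 1 is returned; a comment next to the `vresult` check saying that stdout consumers must check the exit status would make that explicit, if it is indeed the case. The enclosing block and most of main() lie outside the visible hunks.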
......@@ -58,6 +58,7 @@
#include <dns/result.h>
#include <dns/soa.h>
#include <dns/time.h>
#include <dns/zoneverify.h>
#include <dst/dst.h>
......@@ -322,8 +323,8 @@ main(int argc, char *argv[]) {
result = dns_db_newversion(gdb, &gversion);
check_result(result, "dns_db_newversion()");
verifyzone(gdb, gversion, gorigin, mctx,
ignore_kskflag, keyset_kskonly);
result = dns_zoneverify_dnssec(NULL, gdb, gversion, gorigin, mctx,
ignore_kskflag, keyset_kskonly);
dns_db_closeversion(gdb, &gversion, ISC_FALSE);
dns_db_detach(&gdb);
......@@ -337,5 +338,5 @@ main(int argc, char *argv[]) {
(void) isc_app_finish();
return (0);
return (result == ISC_R_SUCCESS ? 0 : 1);
}
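Review bot: main() now turns the verification result into the exit status (`return (result == ISC_R_SUCCESS ? 0 : 1);`) but, unlike the dnssec-signzone change in this same commit, prints nothing itself when `dns_zoneverify_dnssec()` fails, so a caller sees only a status of 1 and any explanation depends on what the library presumably logs. For parity I would add directly after the call `if (result != ISC_R_SUCCESS) fprintf(stderr, "Zone verification failed (%s)\n", isc_result_totext(result));`. The `result` variable must also keep the verification value across `dns_db_closeversion()`, `dns_db_detach()` and the code between the two hunks, none of which visibly reassigns it here, but the middle of main() is outside view and worth checking.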
......@@ -18,11 +18,6 @@
#include <dns/rdatastruct.h>
#include <dst/dst.h>
#define check_dns_dbiterator_current(result) \
check_result((result == DNS_R_NEWORIGIN) ? ISC_R_SUCCESS : result, \
"dns_dbiterator_current()")
typedef void (fatalcallback_t)(void);
ISC_PLATFORM_NORETURN_PRE void
......@@ -41,10 +36,6 @@ vbprintf(int level, const char *fmt, ...) ISC_FORMAT_PRINTF(2, 3);
ISC_PLATFORM_NORETURN_PRE void
version(const char *program) ISC_PLATFORM_NORETURN_POST;
void
type_format(const dns_rdatatype_t type, char *cp, unsigned int size);
#define TYPE_FORMATSIZE 20
void
sig_format(dns_rdata_rrsig_t *sig, char *cp, unsigned int size);
#define SIG_FORMATSIZE (DNS_NAME_FORMATSIZE + DNS_SECALG_FORMATSIZE + sizeof("65535"))
......@@ -80,22 +71,6 @@ isc_boolean_t
key_collision(dst_key_t *key, dns_name_t *name, const char *dir,
isc_mem_t *mctx, isc_boolean_t *exact);
isc_boolean_t
is_delegation(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
dns_name_t *name, dns_dbnode_t *node, isc_uint32_t *ttlp);
/*%
* Return ISC_TRUE if version 'ver' of database 'db' contains a DNAME RRset at
* 'node'; return ISC_FALSE otherwise.
*/
isc_boolean_t
has_dname(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node);
void
verifyzone(dns_db_t *db, dns_dbversion_t *ver,
dns_name_t *origin, isc_mem_t *mctx,
isc_boolean_t ignore_kskflag, isc_boolean_t keyset_kskonly);
isc_boolean_t
isoptarg(const char *arg, char **argv, void (*usage)(void));
......
......@@ -77,7 +77,8 @@ DNSOBJS = acl.@O@ adb.@O@ badcache.@O@ byaddr.@O@ \
sdlz.@O@ soa.@O@ ssu.@O@ ssu_external.@O@ \
stats.@O@ tcpmsg.@O@ time.@O@ timer.@O@ tkey.@O@ \
tsec.@O@ tsig.@O@ ttl.@O@ update.@O@ validator.@O@ \
version.@O@ view.@O@ xfrin.@O@ zone.@O@ zonekey.@O@ zt.@O@
version.@O@ view.@O@ xfrin.@O@ zone.@O@ zonekey.@O@ \
zoneverify.@O@ zt.@O@
PORTDNSOBJS = client.@O@ ecdb.@O@
OBJS= @DNSTAPOBJS@ ${DNSOBJS} ${OTHEROBJS} ${DSTOBJS} \
......@@ -119,7 +120,8 @@ DNSSRCS = acl.c adb.c badcache. byaddr.c \
sdb.c sdlz.c soa.c ssu.c ssu_external.c \
stats.c tcpmsg.c time.c timer.c tkey.c \
tsec.c tsig.c ttl.c update.c validator.c \
version.c view.c xfrin.c zone.c zonekey.c zt.c ${OTHERSRCS}
version.c view.c xfrin.c zone.c zoneverify.c \
zonekey.c zt.c ${OTHERSRCS}
PORTDNSSRCS = client.c ecdb.c
SRCS = ${DSTSRCS} ${DNSSRCS} ${PORTDNSSRCS} @DNSTAPSRCS@ @GEOIPLINKSRCS@
......
......@@ -31,7 +31,7 @@ HEADERS = acl.h adb.h badcache.h bit.h byaddr.h \
sdb.h sdlz.h secalg.h secproto.h soa.h ssu.h stats.h \
tcpmsg.h time.h timer.h tkey.h tsec.h tsig.h ttl.h types.h \
update.h validator.h version.h view.h xfrin.h \
zone.h zonekey.h zt.h
zone.h zonekey.h zoneverify.h zt.h
GENHEADERS = @DNSTAP_PB_C_H@ enumclass.h enumtype.h rdatastruct.h
......
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
#pragma once
/*! \file dns/zoneverify.h */
#include <dns/types.h>
#include <isc/types.h>
ISC_LANG_BEGINDECLS
/*%
* Verify that certain things are sane:
*
* The apex has a DNSKEY record with at least one KSK, and at least
* one ZSK if the -x flag was not used.
*
* The DNSKEY record was signed with at least one of the KSKs in this
* set.
*
* The rest of the zone was signed with at least one of the ZSKs
* present in the DNSKEY RRSET.
*/
isc_result_t
dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
dns_name_t *origin, isc_mem_t *mctx,
isc_boolean_t ignore_kskflag,
isc_boolean_t keyset_kskonly);
ISC_LANG_ENDDECLS
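Review bot: The comment on `dns_zoneverify_dnssec()` is written from the command-line tool's point of view — "if the -x flag was not used" refers to a dnssec-signzone/dnssec-verify option that means nothing to a libdns caller — and it documents neither the parameters nor the return value. It should describe the arguments instead: that `ignore_kskflag` and `keyset_kskonly` control the KSK/ZSK checks (the former presumably corresponding to -x; say what the latter does), that `zone` may be NULL (both callers in this commit pass NULL), and that the function returns ISC_R_SUCCESS when the zone verifies and an error code otherwise rather than exiting the process, which the CHANGES entry gives as the point of the refactor. A sentence stating that the caller retains ownership of `db` and `ver` and must close the version itself would also help; confirm against zoneverify.c, which is collapsed on this page.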
......@@ -1334,6 +1334,7 @@ dns_zonemgr_shutdown
dns_zonemgr_unreachable
dns_zonemgr_unreachableadd
dns_zonemgr_unreachabledel
dns_zoneverify_dnssec
dns_zt_apply
dns_zt_asyncload
dns_zt_attach
......
......@@ -3081,6 +3081,7 @@
./lib/dns/include/dns/xfrin.h C 1999,2000,2001,2003,2004,2005,2006,2007,2009,2013,2016,2018
./lib/dns/include/dns/zone.h C 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018
./lib/dns/include/dns/zonekey.h C 2001,2004,2005,2006,2007,2016,2018
./lib/dns/include/dns/zoneverify.h C 2018
./lib/dns/include/dns/zt.h C 1999,2000,2001,2002,2004,2005,2006,2007,2011,2016,2017,2018
./lib/dns/include/dst/Makefile.in MAKE 1998,1999,2000,2001,2004,2007,2012,2015,2016,2018
./lib/dns/include/dst/dst.h C 2000,2001,2002,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018
......@@ -3421,6 +3422,7 @@
./lib/dns/zone.c C 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018
./lib/dns/zone_p.h C 2018
./lib/dns/zonekey.c C 2001,2003,2004,2005,2007,2016,2018
./lib/dns/zoneverify.c C 2018
./lib/dns/zt.c C 1999,2000,2001,2002,2004,2005,2006,2007,2011,2012,2013,2014,2015,2016,2017,2018
./lib/irs/Atffile X 2016,2018
./lib/irs/Kyuafile X 2017,2018
......