Commit eaf1c0f6 authored by Michał Kępień

Add dns_zone_verifydb()

Add a function for determining whether the supplied version of a mirror
zone passes DNSSEC validation and is signed using a trusted key.  Define
a new libdns result signifying a zone verification failure.
parent fc3dd703
......@@ -153,8 +153,9 @@
#define DNS_R_BADTSIG (ISC_RESULTCLASS_DNS + 115)
#define DNS_R_BADSIG0 (ISC_RESULTCLASS_DNS + 116)
#define DNS_R_TOOMANYRECORDS (ISC_RESULTCLASS_DNS + 117)
#define DNS_R_VERIFYFAILURE (ISC_RESULTCLASS_DNS + 118)
#define DNS_R_NRESULTS 118 /*%< Number of results */
#define DNS_R_NRESULTS 119 /*%< Number of results */
/*
* DNS wire format rcodes.
......
......@@ -2486,4 +2486,24 @@ dns_zone_ismirror(const dns_zone_t *zone);
* Return ISC_TRUE if 'zone' is a mirror zone, return ISC_FALSE otherwise.
*/
isc_result_t
dns_zone_verifydb(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver);
/*%<
* If 'zone' is a mirror zone, perform DNSSEC validation of version 'ver' of
* its database, 'db'. Ensure that the DNSKEY RRset at zone apex is signed by
* at least one trust anchor specified for the view that 'zone' is assigned to.
* If 'ver' is NULL, use the current version of 'db'.
*
* If 'zone' is not a mirror zone, return ISC_R_SUCCESS immediately.
*
* Returns:
*
* \li #ISC_R_SUCCESS either 'zone' is not a mirror zone or 'zone' is
* a mirror zone and all DNSSEC checks succeeded
* and the DNSKEY RRset at zone apex is signed by
* a trusted key
*
* \li #DNS_R_VERIFYFAILURE any other case
*/
#endif /* DNS_ZONE_H */
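Review bot: The comment on `dns_zone_verifydb()` says every non-success case collapses into #DNS_R_VERIFYFAILURE but does not tell callers where the underlying reason goes; the implementation in zone.c logs it at ISC_LOG_ERROR in DNS_LOGCATEGORY_ZONELOAD and then overwrites the result. A line such as ` * The specific reason for a failure is logged in DNS_LOGCATEGORY_ZONELOAD; only #DNS_R_VERIFYFAILURE is returned to the caller.` would stop callers from expecting a finer-grained result code. The comment could also state that 'db' must not be NULL, which the implementation enforces with REQUIRE.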
......@@ -165,6 +165,7 @@ static const char *text[DNS_R_NRESULTS] = {
"TSIG in wrong location", /*%< 115 DNS_R_BADTSIG */
"SIG(0) in wrong location", /*%< 116 DNS_R_BADSIG0 */
"too many records", /*%< 117 DNS_R_TOOMANYRECORDS */
"verify failure", /*%< 118 DNS_R_VERIFYFAILURE */
};
static const char *ids[DNS_R_NRESULTS] = {
......
......@@ -1307,6 +1307,7 @@ dns_zone_setzeronosoattl
dns_zone_signwithkey
dns_zone_synckeyzone
dns_zone_unload
dns_zone_verifydb
dns_zonekey_iszonekey
dns_zonemgr_attach
dns_zonemgr_create
......
......@@ -75,6 +75,7 @@
#include <dns/update.h>
#include <dns/xfrin.h>
#include <dns/zone.h>
#include <dns/zoneverify.h>
#include <dns/zt.h>
#include <dst/dst.h>
......@@ -19330,3 +19331,56 @@ dns_zone_ismirror(const dns_zone_t *zone) {
return (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_MIRROR));
}
isc_result_t
dns_zone_verifydb(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver) {
dns_dbversion_t *version = NULL;
dns_keytable_t *secroots = NULL;
isc_result_t result;
dns_name_t *origin;
const char me[] = "dns_zone_verifydb";
ENTER;
REQUIRE(DNS_ZONE_VALID(zone));
REQUIRE(db != NULL);
if (!dns_zone_ismirror(zone)) {
return (ISC_R_SUCCESS);
}
if (ver == NULL) {
dns_db_currentversion(db, &version);
} else {
version = ver;
}
if (zone->view != NULL) {
result = dns_view_getsecroots(zone->view, &secroots);
if (result != ISC_R_SUCCESS) {
goto done;
}
}
origin = dns_db_origin(db);
result = dns_zoneverify_dnssec(zone, db, version, origin, secroots,
zone->mctx, ISC_FALSE, ISC_FALSE);
done:
if (secroots != NULL) {
dns_keytable_detach(&secroots);
}
if (ver == NULL) {
dns_db_closeversion(db, &version, ISC_FALSE);
}
if (result != ISC_R_SUCCESS) {
dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, ISC_LOG_ERROR,
"zone verification failed: %s",
isc_result_totext(result));
result = DNS_R_VERIFYFAILURE;
}
return (result);
}
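Review bot: When `zone->view` is NULL the function skips `dns_view_getsecroots()` and passes a NULL `secroots` to `dns_zoneverify_dnssec()`; unless that function treats a missing keytable as a verification failure (its body is not in this hunk), a mirror zone without a view would be accepted without the trust-anchor check that the new zone.h comment promises. Failing closed keeps the check mandatory: `if (zone->view == NULL) { result = ISC_R_FAILURE; goto done; }` placed before the `dns_db_origin()` call, so the existing `done:` path still closes the database version and logs the failure. If a mirror zone can never lack a view, a `REQUIRE(zone->view != NULL)` or a comment saying so would make that assumption explicit rather than silent.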