Commit eb17957c authored by Michał Kępień

Extract verify_nodes() from dns_zoneverify_dnssec()

Extract the part of dns_zoneverify_dnssec() responsible for verifying
DNSSEC signatures against the DNSKEY RRset at the zone apex and for checking
the consistency of NSEC/NSEC3 chains into a separate function.
parent dc81d8cb
......@@ -1356,45 +1356,18 @@ determine_active_algorithms(vctx_t *vctx, isc_boolean_t ignore_kskflag,
}
}
void
dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
dns_name_t *origin, isc_mem_t *mctx,
isc_boolean_t ignore_kskflag,
isc_boolean_t keyset_kskonly)
{
char algbuf[80];
dns_dbiterator_t *dbiter = NULL;
dns_dbnode_t *node = NULL, *nextnode = NULL;
/*%
* Check that all the records not yet verified were signed by keys that are
* present in the DNSKEY RRset.
*/
static void
verify_nodes(vctx_t *vctx, isc_result_t *vresult) {
dns_fixedname_t fname, fnextname, fprevname, fzonecut;
dns_name_t *name, *nextname, *prevname, *zonecut;
int i;
dns_dbnode_t *node = NULL, *nextnode;
dns_dbiterator_t *dbiter = NULL;
isc_boolean_t done = ISC_FALSE;
isc_boolean_t first = ISC_TRUE;
isc_result_t result, vresult = ISC_R_UNSET;
vctx_t vctx;
result = vctx_init(&vctx, mctx, zone, db, ver, origin);
if (result != ISC_R_SUCCESS) {
return;
}
check_apex_rrsets(&vctx);
check_dnskey(&vctx);
if (ignore_kskflag ) {
if (!vctx.goodksk && !vctx.goodzsk)
fatal("No self-signed DNSKEY found.");
} else if (!vctx.goodksk)
fatal("No self-signed KSK DNSKEY found. Supply an active\n"
"key with the KSK flag set, or use '-P'.");
determine_active_algorithms(&vctx, ignore_kskflag, keyset_kskonly);
/*
* Check that all the other records were signed by keys that are
* present in the DNSKEY RRSET.
*/
isc_result_t result;
name = dns_fixedname_initname(&fname);
nextname = dns_fixedname_initname(&fnextname);
......@@ -1403,7 +1376,7 @@ dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
dns_fixedname_init(&fzonecut);
zonecut = NULL;
result = dns_db_createiterator(vctx.db, DNS_DB_NONSEC3, &dbiter);
result = dns_db_createiterator(vctx->db, DNS_DB_NONSEC3, &dbiter);
check_result(result, "dns_db_createiterator()");
result = dns_dbiterator_first(dbiter);
......@@ -1414,9 +1387,9 @@ dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
result = dns_dbiterator_current(dbiter, &node, name);
check_dns_dbiterator_current(result);
if (!dns_name_issubdomain(name, vctx.origin)) {
check_no_nsec(&vctx, name, node);
dns_db_detachnode(vctx.db, &node);
if (!dns_name_issubdomain(name, vctx->origin)) {
check_no_nsec(vctx, name, node);
dns_db_detachnode(vctx->db, &node);
result = dns_dbiterator_next(dbiter);
if (result == ISC_R_NOMORE)
done = ISC_TRUE;
......@@ -1424,11 +1397,11 @@ dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
check_result(result, "dns_dbiterator_next()");
continue;
}
if (is_delegation(&vctx, name, node, NULL)) {
if (is_delegation(vctx, name, node, NULL)) {
zonecut = dns_fixedname_name(&fzonecut);
dns_name_copy(name, zonecut, NULL);
isdelegation = ISC_TRUE;
} else if (has_dname(&vctx, node)) {
} else if (has_dname(vctx, node)) {
zonecut = dns_fixedname_name(&fzonecut);
dns_name_copy(name, zonecut, NULL);
}
......@@ -1438,51 +1411,51 @@ dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
result = dns_dbiterator_current(dbiter, &nextnode,
nextname);
check_dns_dbiterator_current(result);
if (!dns_name_issubdomain(nextname, vctx.origin) ||
if (!dns_name_issubdomain(nextname, vctx->origin) ||
(zonecut != NULL &&
dns_name_issubdomain(nextname, zonecut)))
{
check_no_nsec(&vctx, nextname, nextnode);
dns_db_detachnode(vctx.db, &nextnode);
check_no_nsec(vctx, nextname, nextnode);
dns_db_detachnode(vctx->db, &nextnode);
result = dns_dbiterator_next(dbiter);
continue;
}
if (is_empty(&vctx, nextnode)) {
dns_db_detachnode(vctx.db, &nextnode);
if (is_empty(vctx, nextnode)) {
dns_db_detachnode(vctx->db, &nextnode);
result = dns_dbiterator_next(dbiter);
continue;
}
dns_db_detachnode(vctx.db, &nextnode);
dns_db_detachnode(vctx->db, &nextnode);
break;
}
if (result == ISC_R_NOMORE) {
done = ISC_TRUE;
nextname = vctx.origin;
nextname = vctx->origin;
} else if (result != ISC_R_SUCCESS)
fatal("iterating through the database failed: %s",
isc_result_totext(result));
result = verifynode(&vctx, name, node, isdelegation,
&vctx.keyset, &vctx.nsecset,
&vctx.nsec3paramset, nextname);
if (vresult == ISC_R_UNSET)
vresult = ISC_R_SUCCESS;
if (vresult == ISC_R_SUCCESS && result != ISC_R_SUCCESS)
vresult = result;
result = verifynode(vctx, name, node, isdelegation,
&vctx->keyset, &vctx->nsecset,
&vctx->nsec3paramset, nextname);
if (*vresult == ISC_R_UNSET)
*vresult = ISC_R_SUCCESS;
if (*vresult == ISC_R_SUCCESS && result != ISC_R_SUCCESS)
*vresult = result;
if (prevname != NULL) {
result = verifyemptynodes(&vctx, name, prevname,
result = verifyemptynodes(vctx, name, prevname,
isdelegation,
&vctx.nsec3paramset);
&vctx->nsec3paramset);
} else
prevname = dns_fixedname_name(&fprevname);
dns_name_copy(name, prevname, NULL);
if (vresult == ISC_R_SUCCESS && result != ISC_R_SUCCESS)
vresult = result;
dns_db_detachnode(vctx.db, &node);
if (*vresult == ISC_R_SUCCESS && result != ISC_R_SUCCESS)
*vresult = result;
dns_db_detachnode(vctx->db, &node);
}
dns_dbiterator_destroy(&dbiter);
result = dns_db_createiterator(vctx.db, DNS_DB_NSEC3ONLY, &dbiter);
result = dns_db_createiterator(vctx->db, DNS_DB_NSEC3ONLY, &dbiter);
check_result(result, "dns_db_createiterator()");
for (result = dns_dbiterator_first(dbiter);
......@@ -1490,13 +1463,47 @@ dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
result = dns_dbiterator_next(dbiter) ) {
result = dns_dbiterator_current(dbiter, &node, name);
check_dns_dbiterator_current(result);
result = verifynode(&vctx, name, node, ISC_FALSE, &vctx.keyset,
result = verifynode(vctx, name, node, ISC_FALSE, &vctx->keyset,
NULL, NULL, NULL);
check_result(result, "verifynode");
record_found(&vctx, name, node, &vctx.nsec3paramset);
dns_db_detachnode(vctx.db, &node);
record_found(vctx, name, node, &vctx->nsec3paramset);
dns_db_detachnode(vctx->db, &node);
}
dns_dbiterator_destroy(&dbiter);
}
void
dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
dns_name_t *origin, isc_mem_t *mctx,
isc_boolean_t ignore_kskflag,
isc_boolean_t keyset_kskonly)
{
char algbuf[80];
int i;
isc_boolean_t first = ISC_TRUE;
isc_result_t result, vresult = ISC_R_UNSET;
vctx_t vctx;
result = vctx_init(&vctx, mctx, zone, db, ver, origin);
if (result != ISC_R_SUCCESS) {
return;
}
check_apex_rrsets(&vctx);
check_dnskey(&vctx);
if (ignore_kskflag ) {
if (!vctx.goodksk && !vctx.goodzsk)
fatal("No self-signed DNSKEY found.");
} else if (!vctx.goodksk)
fatal("No self-signed KSK DNSKEY found. Supply an active\n"
"key with the KSK flag set, or use '-P'.");
determine_active_algorithms(&vctx, ignore_kskflag, keyset_kskonly);
verify_nodes(&vctx, &vresult);
result = verify_nsec3_chains(&vctx, mctx);
if (vresult == ISC_R_UNSET)
......