diff options
Diffstat (limited to 'lib/dns')
62 files changed, 1271 insertions, 676 deletions
diff --git a/lib/dns/Makefile.in b/lib/dns/Makefile.in index 45c5c2a4174ea..5bbf793569f3a 100644 --- a/lib/dns/Makefile.in +++ b/lib/dns/Makefile.in @@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.176 2011-01-13 01:59:27 marka Exp $ +# $Id: Makefile.in,v 1.176.8.2 2011-03-10 04:29:17 each Exp $ srcdir = @srcdir@ VPATH = @srcdir@ @@ -97,11 +97,13 @@ DNSSRCS = acache.c acl.c adb.c byaddr.c \ stats.c tcpmsg.c time.c timer.c tkey.c \ tsec.c tsig.c ttl.c validator.c \ version.c view.c xfrin.c zone.c zonekey.c zt.c ${OTHERSRCS} + SRCS = ${DSTSRCS} ${DNSSRCS} -SUBDIRS = include +SUBDIRS = include TARGETS = include/dns/enumtype.h include/dns/enumclass.h \ include/dns/rdatastruct.h timestamp +TESTDIRS = @UNITTESTS@ DEPENDEXTRA = ./gen -F include/dns/rdatastruct.h \ -s ${srcdir} -d >> Makefile ; diff --git a/lib/dns/acl.c b/lib/dns/acl.c index 118e3944882be..9880216af4b35 100644 --- a/lib/dns/acl.c +++ b/lib/dns/acl.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2009, 2011 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2002 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: acl.c,v 1.53 2009-01-17 23:47:42 tbox Exp $ */ +/* $Id: acl.c,v 1.53.426.2 2011-06-17 23:47:11 tbox Exp $ */ /*! \file */ @@ -99,6 +99,7 @@ static isc_result_t dns_acl_anyornone(isc_mem_t *mctx, isc_boolean_t neg, dns_acl_t **target) { isc_result_t result; dns_acl_t *acl = NULL; + result = dns_acl_create(mctx, 0, &acl); if (result != ISC_R_SUCCESS) return (result); @@ -341,7 +342,6 @@ dns_acl_merge(dns_acl_t *dest, dns_acl_t *source, isc_boolean_t pos) } } - /* * Merge the iptables. Make sure the destination ACL's * node_count value is set correctly afterward. @@ -439,6 +439,7 @@ dns_aclelement_match(const isc_netaddr_t *reqaddr, void dns_acl_attach(dns_acl_t *source, dns_acl_t **target) { REQUIRE(DNS_ACL_VALID(source)); + isc_refcount_increment(&source->refcount, NULL); *target = source; } @@ -446,6 +447,9 @@ dns_acl_attach(dns_acl_t *source, dns_acl_t **target) { static void destroy(dns_acl_t *dacl) { unsigned int i; + + INSIST(!ISC_LINK_LINKED(dacl, nextincache)); + for (i = 0; i < dacl->length; i++) { dns_aclelement_t *de = &dacl->elements[i]; if (de->type == dns_aclelementtype_keyname) { @@ -470,7 +474,9 @@ void dns_acl_detach(dns_acl_t **aclp) { dns_acl_t *acl = *aclp; unsigned int refs; + REQUIRE(DNS_ACL_VALID(acl)); + isc_refcount_decrement(&acl->refcount, &refs); if (refs == 0) destroy(acl); @@ -590,6 +596,7 @@ dns_acl_isinsecure(const dns_acl_t *a) { isc_result_t dns_aclenv_init(isc_mem_t *mctx, dns_aclenv_t *env) { isc_result_t result; + env->localhost = NULL; env->localnets = NULL; result = dns_acl_create(mctx, 0, &env->localhost); diff --git a/lib/dns/adb.c b/lib/dns/adb.c index fcc2dd8ecdb98..ba89654863881 100644 --- a/lib/dns/adb.c +++ b/lib/dns/adb.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: adb.c,v 1.254 2010-12-21 23:47:08 tbox Exp $ */ +/* $Id: adb.c,v 1.254.14.4 2011-03-13 03:36:47 marka Exp $ */ /*! \file * @@ -910,6 +910,8 @@ import_rdataset(dns_adbname_t *adbname, dns_rdataset_t *rdataset, if (rdataset->trust == dns_trust_glue || rdataset->trust == dns_trust_additional) rdataset->ttl = ADB_CACHE_MINIMUM; + else if (rdataset->trust == dns_trust_ultimate) + rdataset->ttl = 0; else rdataset->ttl = ttlclamp(rdataset->ttl); @@ -2195,7 +2197,6 @@ check_expire_name(dns_adbname_t **namep, isc_stdtime_t now) { static void check_stale_name(dns_adb_t *adb, int bucket, isc_stdtime_t now) { int victims, max_victims; - isc_boolean_t result; dns_adbname_t *victim, *next_victim; isc_boolean_t overmem = isc_mem_isovermem(adb->mctx); int scans = 0; @@ -2217,7 +2218,7 @@ check_stale_name(dns_adb_t *adb, int bucket, isc_stdtime_t now) { INSIST(!NAME_DEAD(victim)); scans++; next_victim = ISC_LIST_PREV(victim, plink); - result = check_expire_name(&victim, now); + (void)check_expire_name(&victim, now); if (victim == NULL) { victims++; goto next; @@ -2762,6 +2763,7 @@ dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action, REQUIRE((options & DNS_ADBFIND_ADDRESSMASK) != 0); result = ISC_R_UNEXPECTED; + POST(result); wanted_addresses = (options & DNS_ADBFIND_ADDRESSMASK); wanted_fetches = 0; query_pending = 0; @@ -2813,6 +2815,7 @@ dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action, */ bucket = DNS_ADB_INVALIDBUCKET; adbname = find_name_and_lock(adb, name, find->options, &bucket); + INSIST(bucket != DNS_ADB_INVALIDBUCKET); if (adb->name_sd[bucket]) { DP(DEF_LEVEL, "dns_adb_createfind: returning ISC_R_SHUTTINGDOWN"); @@ -3167,6 +3170,7 @@ dns_adb_cancelfind(dns_adbfind_t *find) { } UNLOCK(&adb->namelocks[unlock_bucket]); bucket = DNS_ADB_INVALIDBUCKET; + POST(bucket); cleanup: @@ -3945,6 +3949,7 @@ dns_adb_findaddrinfo(dns_adb_t *adb, isc_sockaddr_t *sa, result = ISC_R_SUCCESS; bucket = DNS_ADB_INVALIDBUCKET; entry = find_entry_and_lock(adb, sa, &bucket, now); + INSIST(bucket != DNS_ADB_INVALIDBUCKET); if (adb->entry_sd[bucket]) { result = ISC_R_SHUTTINGDOWN; goto unlock; diff --git a/lib/dns/api b/lib/dns/api index 9bac0602bdc16..d724b61654723 100644 --- a/lib/dns/api +++ b/lib/dns/api @@ -1,3 +1,3 @@ -LIBINTERFACE = 82 -LIBREVISION = 3 -LIBAGE = 1 +LIBINTERFACE = 84 +LIBREVISION = 1 +LIBAGE = 3 diff --git a/lib/dns/cache.c b/lib/dns/cache.c index bf93da2d0985c..eb32c6c8d38a2 100644 --- a/lib/dns/cache.c +++ b/lib/dns/cache.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2009, 2011 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: cache.c,v 1.87 2009-11-12 23:43:02 each Exp $ */ +/* $Id: cache.c,v 1.87.262.2 2011-03-03 23:47:09 tbox Exp $ */ /*! \file */ @@ -40,6 +40,8 @@ #include <dns/rdatasetiter.h> #include <dns/result.h> +#include "rbtdb.h" + #define CACHE_MAGIC ISC_MAGIC('$', '$', '$', '$') #define VALID_CACHE(cache) ISC_MAGIC_VALID(cache, CACHE_MAGIC) @@ -121,7 +123,8 @@ struct dns_cache { unsigned int magic; isc_mutex_t lock; isc_mutex_t filelock; - isc_mem_t *mctx; + isc_mem_t *mctx; /* Main cache memory */ + isc_mem_t *hmctx; /* Heap memory */ char *name; /* Locked by 'lock'. */ @@ -168,41 +171,54 @@ cache_create_db(dns_cache_t *cache, dns_db_t **db) { } isc_result_t -dns_cache_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr, +dns_cache_create(isc_mem_t *cmctx, isc_taskmgr_t *taskmgr, isc_timermgr_t *timermgr, dns_rdataclass_t rdclass, const char *db_type, unsigned int db_argc, char **db_argv, dns_cache_t **cachep) { - return (dns_cache_create2(mctx, taskmgr, timermgr, rdclass, "", + return (dns_cache_create3(cmctx, cmctx, taskmgr, timermgr, rdclass, "", db_type, db_argc, db_argv, cachep)); } isc_result_t -dns_cache_create2(isc_mem_t *mctx, isc_taskmgr_t *taskmgr, +dns_cache_create2(isc_mem_t *cmctx, isc_taskmgr_t *taskmgr, + isc_timermgr_t *timermgr, dns_rdataclass_t rdclass, + const char *cachename, const char *db_type, + unsigned int db_argc, char **db_argv, dns_cache_t **cachep) +{ + return (dns_cache_create3(cmctx, cmctx, taskmgr, timermgr, rdclass, + cachename, db_type, db_argc, db_argv, + cachep)); +} + +isc_result_t +dns_cache_create3(isc_mem_t *cmctx, isc_mem_t *hmctx, isc_taskmgr_t *taskmgr, isc_timermgr_t *timermgr, dns_rdataclass_t rdclass, const char *cachename, const char *db_type, unsigned int db_argc, char **db_argv, dns_cache_t **cachep) { isc_result_t result; dns_cache_t *cache; - int i; + int i, extra = 0; isc_task_t *dbtask; REQUIRE(cachep != NULL); REQUIRE(*cachep == NULL); - REQUIRE(mctx != NULL); + REQUIRE(cmctx != NULL); + REQUIRE(hmctx != NULL); REQUIRE(cachename != NULL); - cache = isc_mem_get(mctx, sizeof(*cache)); + cache = isc_mem_get(cmctx, sizeof(*cache)); if (cache == NULL) return (ISC_R_NOMEMORY); - cache->mctx = NULL; - isc_mem_attach(mctx, &cache->mctx); + cache->mctx = cache->hmctx = NULL; + isc_mem_attach(cmctx, &cache->mctx); + isc_mem_attach(hmctx, &cache->hmctx); cache->name = NULL; if (cachename != NULL) { - cache->name = isc_mem_strdup(mctx, cachename); + cache->name = isc_mem_strdup(cmctx, cachename); if (cache->name == NULL) { result = ISC_R_NOMEMORY; goto cleanup_mem; @@ -221,26 +237,38 @@ dns_cache_create2(isc_mem_t *mctx, isc_taskmgr_t *taskmgr, cache->live_tasks = 0; cache->rdclass = rdclass; - cache->db_type = isc_mem_strdup(mctx, db_type); + cache->db_type = isc_mem_strdup(cmctx, db_type); if (cache->db_type == NULL) { result = ISC_R_NOMEMORY; goto cleanup_filelock; } - cache->db_argc = db_argc; - if (cache->db_argc == 0) - cache->db_argv = NULL; - else { - cache->db_argv = isc_mem_get(mctx, + /* + * For databases of type "rbt" we pass hmctx to dns_db_create() + * via cache->db_argv, followed by the rest of the arguments in + * db_argv (of which there really shouldn't be any). + */ + if (strcmp(cache->db_type, "rbt") == 0) + extra = 1; + + cache->db_argc = db_argc + extra; + cache->db_argv = NULL; + + if (cache->db_argc != 0) { + cache->db_argv = isc_mem_get(cmctx, cache->db_argc * sizeof(char *)); if (cache->db_argv == NULL) { result = ISC_R_NOMEMORY; goto cleanup_dbtype; } + for (i = 0; i < cache->db_argc; i++) cache->db_argv[i] = NULL; - for (i = 0; i < cache->db_argc; i++) { - cache->db_argv[i] = isc_mem_strdup(mctx, db_argv[i]); + + cache->db_argv[0] = (char *) hmctx; + for (i = extra; i < cache->db_argc; i++) { + cache->db_argv[i] = isc_mem_strdup(cmctx, + db_argv[i - extra]); if (cache->db_argv[i] == NULL) { result = ISC_R_NOMEMORY; goto cleanup_dbargv; @@ -248,6 +276,9 @@ dns_cache_create2(isc_mem_t *mctx, isc_taskmgr_t *taskmgr, } } + /* + * Create the database + */ cache->db = NULL; result = cache_create_db(cache, &cache->db); if (result != ISC_R_SUCCESS) @@ -284,29 +315,28 @@ dns_cache_create2(isc_mem_t *mctx, isc_taskmgr_t *taskmgr, cleanup_db: dns_db_detach(&cache->db); cleanup_dbargv: - for (i = 0; i < cache->db_argc; i++) + for (i = extra; i < cache->db_argc; i++) if (cache->db_argv[i] != NULL) - isc_mem_free(mctx, cache->db_argv[i]); + isc_mem_free(cmctx, cache->db_argv[i]); if (cache->db_argv != NULL) - isc_mem_put(mctx, cache->db_argv, + isc_mem_put(cmctx, cache->db_argv, cache->db_argc * sizeof(char *)); cleanup_dbtype: - isc_mem_free(mctx, cache->db_type); + isc_mem_free(cmctx, cache->db_type); cleanup_filelock: DESTROYLOCK(&cache->filelock); cleanup_lock: DESTROYLOCK(&cache->lock); cleanup_mem: if (cache->name != NULL) - isc_mem_free(mctx, cache->name); - isc_mem_put(mctx, cache, sizeof(*cache)); - isc_mem_detach(&mctx); + isc_mem_free(cmctx, cache->name); + isc_mem_detach(&cache->hmctx); + isc_mem_putanddetach(&cache->mctx, cache, sizeof(*cache)); return (result); } static void cache_free(dns_cache_t *cache) { - isc_mem_t *mctx; int i; REQUIRE(VALID_CACHE(cache)); @@ -337,7 +367,14 @@ cache_free(dns_cache_t *cache) { dns_db_detach(&cache->db); if (cache->db_argv != NULL) { - for (i = 0; i < cache->db_argc; i++) + /* + * We don't free db_argv[0] in "rbt" cache databases + * as it's a pointer to hmctx + */ + int extra = 0; + if (strcmp(cache->db_type, "rbt") == 0) + extra = 1; + for (i = extra; i < cache->db_argc; i++) if (cache->db_argv[i] != NULL) isc_mem_free(cache->mctx, cache->db_argv[i]); isc_mem_put(cache->mctx, cache->db_argv, @@ -352,10 +389,10 @@ cache_free(dns_cache_t *cache) { DESTROYLOCK(&cache->lock); DESTROYLOCK(&cache->filelock); + cache->magic = 0; - mctx = cache->mctx; - isc_mem_put(cache->mctx, cache, sizeof(*cache)); - isc_mem_detach(&mctx); + isc_mem_detach(&cache->hmctx); + isc_mem_putanddetach(&cache->mctx, cache, sizeof(*cache)); } diff --git a/lib/dns/client.c b/lib/dns/client.c index e55ea1f2bc4ba..77a419e20d6fb 100644 --- a/lib/dns/client.c +++ b/lib/dns/client.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2009-2011 Internet Systems Consortium, Inc. ("ISC") * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: client.c,v 1.12 2010-12-03 12:03:22 marka Exp $ */ +/* $Id: client.c,v 1.12.24.2 2011-03-12 04:59:16 tbox Exp $ */ #include <config.h> @@ -721,7 +721,7 @@ view_find(resctx_t *rctx, dns_db_t **dbp, dns_dbnode_t **nodep, static void client_resfind(resctx_t *rctx, dns_fetchevent_t *event) { isc_mem_t *mctx; - isc_result_t result, tresult; + isc_result_t tresult, result = ISC_R_SUCCESS; isc_result_t vresult = ISC_R_SUCCESS; isc_boolean_t want_restart; isc_boolean_t send_event = ISC_FALSE; @@ -741,7 +741,6 @@ client_resfind(resctx_t *rctx, dns_fetchevent_t *event) { mctx = rctx->view->mctx; - result = ISC_R_SUCCESS; name = dns_fixedname_name(&rctx->name); do { @@ -782,6 +781,7 @@ client_resfind(resctx_t *rctx, dns_fetchevent_t *event) { goto done; } } else { + INSIST(event != NULL); INSIST(event->fetch == rctx->fetch); dns_resolver_destroyfetch(&rctx->fetch); db = event->db; @@ -965,6 +965,7 @@ client_resfind(resctx_t *rctx, dns_fetchevent_t *event) { &rctx->rdataset); if (tresult != ISC_R_SUCCESS) { result = tresult; + POST(result); break; } } @@ -976,6 +977,7 @@ client_resfind(resctx_t *rctx, dns_fetchevent_t *event) { * implementation). */ result = DNS_R_SERVFAIL; /* better code? */ + POST(result); } else { ISC_LIST_APPEND(rctx->namelist, ansname, link); ansname = NULL; @@ -2131,6 +2133,7 @@ receive_soa(isc_task_t *task, isc_event_t *event) { reqev = (dns_requestevent_t *)event; request = reqev->request; result = eresult = reqev->result; + POST(result); uctx = reqev->ev_arg; client = uctx->client; soaquery = uctx->soaquery; @@ -2177,6 +2180,7 @@ receive_soa(isc_task_t *task, isc_event_t *event) { } section = DNS_SECTION_ANSWER; + POST(section); if (rcvmsg->rcode != dns_rcode_noerror && rcvmsg->rcode != dns_rcode_nxdomain) { diff --git a/lib/dns/diff.c b/lib/dns/diff.c index 3dbb5cf6955a3..a2c99c1c160e2 100644 --- a/lib/dns/diff.c +++ b/lib/dns/diff.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005, 2007-2009, 2011 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: diff.c,v 1.23 2009-12-01 00:47:09 each Exp $ */ +/* $Id: diff.c,v 1.23.248.3 2011-03-25 23:53:52 each Exp $ */ /*! \file */ @@ -264,7 +264,6 @@ diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver, dns_rdataset_t rds; dns_rdataset_t ardataset; dns_rdataset_t *modified = NULL; - isc_boolean_t offline; op = t->op; type = t->rdata.type; @@ -301,7 +300,6 @@ diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver, CHECK(dns_db_findnsec3node(db, name, ISC_TRUE, &node)); - offline = ISC_FALSE; while (t != NULL && dns_name_equal(&t->name, name) && t->op == op && @@ -323,8 +321,6 @@ diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver, namebuf, typebuf, classbuf, (unsigned long) t->ttl, (unsigned long) rdl.ttl); - if (t->rdata.flags & DNS_RDATA_OFFLINE) - offline = ISC_TRUE; ISC_LIST_APPEND(rdl.rdata, &t->rdata, link); t = ISC_LIST_NEXT(t, link); } @@ -377,6 +373,15 @@ diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver, diff->resign); dns_db_setsigningtime(db, modified, resign); + if (diff->resign == 0 && + (op == DNS_DIFFOP_ADDRESIGN || + op == DNS_DIFFOP_DELRESIGN)) + isc_log_write( + DIFF_COMMON_LOGARGS, + ISC_LOG_WARNING, + "resign requested " + "with 0 resign " + "interval"); } } else if (result == DNS_R_UNCHANGED) { /* @@ -528,7 +533,6 @@ dns_diff_sort(dns_diff_t *diff, dns_diff_compare_func *compare) { v = isc_mem_get(diff->mctx, length * sizeof(dns_difftuple_t *)); if (v == NULL) return (ISC_R_NOMEMORY); - i = 0; for (i = 0; i < length; i++) { p = ISC_LIST_HEAD(diff->tuples); v[i] = p; diff --git a/lib/dns/dispatch.c b/lib/dns/dispatch.c index c07491129e467..486965e4b1db0 100644 --- a/lib/dns/dispatch.c +++ b/lib/dns/dispatch.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dispatch.c,v 1.168.248.1.2.1 2011-06-02 23:47:34 tbox Exp $ */ +/* $Id: dispatch.c,v 1.168.248.4 2011-04-06 10:30:08 marka Exp $ */ /*! \file */ @@ -913,6 +913,12 @@ get_dispsocket(dns_dispatch_t *disp, isc_sockaddr_t *dest, } portentry->refs++; break; + } else if (result == ISC_R_NOPERM) { + char buf[ISC_SOCKADDR_FORMATSIZE]; + isc_sockaddr_format(&localaddr, buf, sizeof(buf)); + dispatch_log(disp, ISC_LOG_WARNING, + "open_socket(%s) -> %s: continuing", + buf, isc_result_totext(result)); } else if (result != ISC_R_ADDRINUSE) break; } @@ -1295,7 +1301,6 @@ udp_recv(isc_event_t *ev_in, dns_dispatch_t *disp, dispsocket_t *dispsock) { * Look at flags. If query, drop it. If response, * look to see where it goes. */ - queue_response = ISC_FALSE; if ((flags & DNS_MESSAGEFLAG_QR) == 0) { /* query */ free_buffer(disp, ev->region.base, ev->region.length); @@ -1554,7 +1559,6 @@ tcp_recv(isc_task_t *task, isc_event_t *ev_in) { * Look at flags. If query, drop it. If response, * look to see where it goes. */ - queue_response = ISC_FALSE; if ((flags & DNS_MESSAGEFLAG_QR) == 0) { /* * Query. @@ -2373,9 +2377,9 @@ qid_allocate(dns_dispatchmgr_t *mgr, unsigned int buckets, qid->sock_table = isc_mem_get(mgr->mctx, buckets * sizeof(dispsocketlist_t)); if (qid->sock_table == NULL) { - isc_mem_put(mgr->mctx, qid, sizeof(*qid)); isc_mem_put(mgr->mctx, qid->qid_table, buckets * sizeof(dns_displist_t)); + isc_mem_put(mgr->mctx, qid, sizeof(*qid)); return (ISC_R_NOMEMORY); } } @@ -2985,7 +2989,6 @@ dns_dispatch_detach(dns_dispatch_t **dispp) { INSIST(disp->refcount > 0); disp->refcount--; - killit = ISC_FALSE; if (disp->refcount == 0) { if (disp->recv_pending > 0) isc_socket_cancel(disp->socket, disp->task[0], @@ -3258,7 +3261,6 @@ dns_dispatch_removeresponse(dns_dispentry_t **resp, disp->requests--; INSIST(disp->refcount > 0); disp->refcount--; - killit = ISC_FALSE; if (disp->refcount == 0) { if (disp->recv_pending > 0) isc_socket_cancel(disp->socket, disp->task[0], diff --git a/lib/dns/dlz.c b/lib/dns/dlz.c index 5a508e9c4bf66..e69fc696ccbeb 100644 --- a/lib/dns/dlz.c +++ b/lib/dns/dlz.c @@ -1,5 +1,5 @@ /* - * Portions Copyright (C) 2005, 2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC") + * Portions Copyright (C) 2005, 2007, 2009-2011 Internet Systems Consortium, Inc. ("ISC") * Portions Copyright (C) 1999-2001 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -50,7 +50,7 @@ * USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dlz.c,v 1.10 2010-12-20 23:47:20 tbox Exp $ */ +/* $Id: dlz.c,v 1.10.14.2 2011-03-12 04:59:16 tbox Exp $ */ /*! \file */ @@ -535,7 +535,6 @@ dns_dlz_writeablezone(dns_view_t *view, const char *zone_name) { isc_buffer_t buffer; dns_fixedname_t fixorigin; dns_name_t *origin; - dns_rdataclass_t zclass; dns_dlzdb_t *dlzdatabase; REQUIRE(DNS_DLZ_VALID(view->dlzdatabase)); @@ -553,8 +552,6 @@ dns_dlz_writeablezone(dns_view_t *view, const char *zone_name) { goto cleanup; origin = dns_fixedname_name(&fixorigin); - zclass = view->rdclass; - /* See if the zone already exists */ result = dns_view_findzone(view, origin, &dupzone); if (result == ISC_R_SUCCESS) { @@ -593,8 +590,6 @@ dns_dlz_writeablezone(dns_view_t *view, const char *zone_name) { */ result = dns_view_addzone(view, zone); - result = ISC_R_SUCCESS; - cleanup: if (zone != NULL) dns_zone_detach(&zone); diff --git a/lib/dns/dns64.c b/lib/dns/dns64.c index 180c0a9bf1505..b2b4138f43c63 100644 --- a/lib/dns/dns64.c +++ b/lib/dns/dns64.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2010, 2011 Internet Systems Consortium, Inc. ("ISC") * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dns64.c,v 1.6 2010-12-09 04:59:09 marka Exp $ */ +/* $Id: dns64.c,v 1.6.22.2 2011-03-12 04:59:16 tbox Exp $ */ #include <config.h> @@ -253,6 +253,8 @@ dns_dns64_aaaaok(const dns_dns64_t *dns64, const isc_netaddr_t *reqaddr, */ if (dns64->excluded == NULL) { answer = ISC_TRUE; + if (aaaaok == NULL) + goto done; for (i = 0; i < aaaaoklen; i++) aaaaok[i] = ISC_TRUE; goto done; diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c index dc249b73266f7..6dc42a0f1448c 100644 --- a/lib/dns/dnssec.c +++ b/lib/dns/dnssec.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -16,7 +16,7 @@ */ /* - * $Id: dnssec.c,v 1.119 2010-01-13 23:48:59 tbox Exp $ + * $Id: dnssec.c,v 1.119.170.4 2011-05-06 21:07:50 each Exp $ */ /*! \file */ @@ -543,9 +543,9 @@ dns_dnssec_verify(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key, } static isc_boolean_t -key_active(dst_key_t *key) { +key_active(dst_key_t *key, isc_stdtime_t now) { isc_result_t result; - isc_stdtime_t now, publish, active, revoke, inactive, delete; + isc_stdtime_t publish, active, revoke, inactive, delete; isc_boolean_t pubset = ISC_FALSE, actset = ISC_FALSE; isc_boolean_t revset = ISC_FALSE, inactset = ISC_FALSE; isc_boolean_t delset = ISC_FALSE; @@ -553,6 +553,7 @@ key_active(dst_key_t *key) { /* Is this an old-style key? */ result = dst_key_getprivateformat(key, &major, &minor); + RUNTIME_CHECK(result == ISC_R_SUCCESS); /* * Smart signing started with key format 1.3; prior to that, all @@ -561,8 +562,6 @@ key_active(dst_key_t *key) { if (major == 1 && minor <= 2) return (ISC_TRUE); - isc_stdtime_get(&now); - result = dst_key_gettime(key, DST_TIME_PUBLISH, &publish); if (result == ISC_R_SUCCESS) pubset = ISC_TRUE; @@ -610,10 +609,13 @@ dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver, isc_result_t result; dst_key_t *pubkey = NULL; unsigned int count = 0; + isc_stdtime_t now; REQUIRE(nkeys != NULL); REQUIRE(keys != NULL); + isc_stdtime_get(&now); + *nkeys = 0; dns_rdataset_init(&rdataset); RETERR(dns_db_findrdataset(db, node, ver, dns_rdatatype_dnskey, 0, 0, @@ -692,7 +694,7 @@ dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver, /* * If a key is marked inactive, skip it */ - if (!key_active(keys[count])) { + if (!key_active(keys[count], now)) { dst_key_free(&keys[count]); keys[count] = pubkey; pubkey = NULL; @@ -1016,13 +1018,6 @@ dns_dnssec_selfsigns(dns_rdata_t *rdata, dns_name_t *name, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset, isc_boolean_t ignoretime, isc_mem_t *mctx) { - dst_key_t *dstkey = NULL; - dns_keytag_t keytag; - dns_rdata_dnskey_t key; - dns_rdata_rrsig_t sig; - dns_rdata_t sigrdata = DNS_RDATA_INIT; - isc_result_t result; - INSIST(rdataset->type == dns_rdatatype_key || rdataset->type == dns_rdatatype_dnskey); if (rdataset->type == dns_rdatatype_key) { @@ -1033,6 +1028,27 @@ dns_dnssec_selfsigns(dns_rdata_t *rdata, dns_name_t *name, INSIST(sigrdataset->covers == dns_rdatatype_dnskey); } + return (dns_dnssec_signs(rdata, name, rdataset, sigrdataset, + ignoretime, mctx)); + +} + +isc_boolean_t +dns_dnssec_signs(dns_rdata_t *rdata, dns_name_t *name, + dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset, + isc_boolean_t ignoretime, isc_mem_t *mctx) +{ + dst_key_t *dstkey = NULL; + dns_keytag_t keytag; + dns_rdata_dnskey_t key; + dns_rdata_rrsig_t sig; + dns_rdata_t sigrdata = DNS_RDATA_INIT; + isc_result_t result; + + INSIST(sigrdataset->type == dns_rdatatype_rrsig); + if (sigrdataset->covers != rdataset->type) + return (ISC_FALSE); + result = dns_dnssec_keyfromrdata(name, rdata, mctx, &dstkey); if (result != ISC_R_SUCCESS) return (ISC_FALSE); @@ -1095,6 +1111,7 @@ dns_dnsseckey_create(isc_mem_t *mctx, dst_key_t **dstkey, /* Is this an old-style key? */ result = dst_key_getprivateformat(dk->key, &major, &minor); + INSIST(result == ISC_R_SUCCESS); /* Smart signing started with key format 1.3 */ dk->legacy = ISC_TF(major == 1 && minor <= 2); @@ -1673,9 +1690,6 @@ dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys, /* No match found in keys; add the new key. */ if (key2 == NULL) { - dns_dnsseckey_t *next; - - next = ISC_LIST_NEXT(key1, link); ISC_LIST_UNLINK(*newkeys, key1, link); ISC_LIST_APPEND(*keys, key1, link); diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c index 1ece312766108..4a06486fc92e5 100644 --- a/lib/dns/dst_api.c +++ b/lib/dns/dst_api.c @@ -31,7 +31,7 @@ /* * Principal Author: Brian Wellington - * $Id: dst_api.c,v 1.57 2011-01-11 23:47:13 tbox Exp $ + * $Id: dst_api.c,v 1.57.10.1 2011-03-21 19:53:34 each Exp $ */ /*! \file */ @@ -1778,5 +1778,6 @@ dst__entropy_status(void) { isc_buffer_t * dst_key_tkeytoken(const dst_key_t *key) { + REQUIRE(VALID_KEY(key)); return (key->key_tkeytoken); } diff --git a/lib/dns/dst_openssl.h b/lib/dns/dst_openssl.h index 781085b73a0f0..0fbb1e423e125 100644 --- a/lib/dns/dst_openssl.h +++ b/lib/dns/dst_openssl.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005, 2007-2009, 2011 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2002 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dst_openssl.h,v 1.9 2009-10-06 04:40:14 tbox Exp $ */ +/* $Id: dst_openssl.h,v 1.9.302.2 2011-03-12 04:59:16 tbox Exp $ */ #ifndef DST_OPENSSL_H #define DST_OPENSSL_H 1 @@ -23,13 +23,28 @@ #include <isc/lang.h> #include <isc/result.h> +#include <openssl/err.h> +#include <openssl/rand.h> +#include <openssl/evp.h> +#include <openssl/conf.h> +#include <openssl/crypto.h> + +#if !defined(OPENSSL_NO_ENGINE) && defined(CRYPTO_LOCK_ENGINE) && \ + (OPENSSL_VERSION_NUMBER >= 0x0090707f) +#define USE_ENGINE 1 +#endif + ISC_LANG_BEGINDECLS isc_result_t dst__openssl_toresult(isc_result_t fallback); +#ifdef USE_ENGINE ENGINE * dst__openssl_getengine(const char *engine); +#else +#define dst__openssl_getengine(x) NULL +#endif ISC_LANG_ENDDECLS diff --git a/lib/dns/gssapi_link.c b/lib/dns/gssapi_link.c index e14d0eb971620..c443fcbe24090 100644 --- a/lib/dns/gssapi_link.c +++ b/lib/dns/gssapi_link.c @@ -16,7 +16,7 @@ */ /* - * $Id: gssapi_link.c,v 1.16 2011-01-11 23:47:13 tbox Exp $ + * $Id: gssapi_link.c,v 1.16.10.1 2011-03-28 05:36:05 marka Exp $ */ #include <config.h> @@ -181,7 +181,7 @@ gssapi_sign(dst_context_t *dctx, isc_buffer_t *sig) { * allocated space. */ isc_buffer_putmem(sig, gsig.value, gsig.length); - if (gsig.length != 0) + if (gsig.length != 0U) gss_release_buffer(&minor, &gsig); return (ISC_R_SUCCESS); @@ -293,7 +293,7 @@ gssapi_restore(dst_key_t *key, const char *keystr) { isc_result_t result; len = strlen(keystr); - if ((len % 4) != 0) + if ((len % 4) != 0U) return (ISC_R_BADBASE64); len = (len / 4) * 3; @@ -338,7 +338,7 @@ gssapi_dump(dst_key_t *key, isc_mem_t *mctx, char **buffer, int *length) { major, minor); return (ISC_R_FAILURE); } - if (gssbuffer.length == 0) + if (gssbuffer.length == 0U) return (ISC_R_FAILURE); len = ((gssbuffer.length + 2)/3) * 4; buf = isc_mem_get(mctx, len); diff --git a/lib/dns/gssapictx.c b/lib/dns/gssapictx.c index 707745cc3139a..24f4b9c891625 100644 --- a/lib/dns/gssapictx.c +++ b/lib/dns/gssapictx.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: gssapictx.c,v 1.26 2011-01-10 03:49:49 marka Exp $ */ +/* $Id: gssapictx.c,v 1.26.12.2 2011-04-07 23:05:01 marka Exp $ */ #include <config.h> @@ -179,7 +179,7 @@ log_cred(const gss_cred_id_t cred) { } if (gret == GSS_S_COMPLETE) { - if (gbuffer.length != 0) { + if (gbuffer.length != 0U) { gret = gss_release_buffer(&minor, &gbuffer); if (gret != GSS_S_COMPLETE) gss_log(3, "failed gss_release_buffer: %s", @@ -604,7 +604,7 @@ dst_gssapi_initctx(dns_name_t *name, isc_buffer_t *intoken, /* * RFC 2744 states the a valid output token has a non-zero length. */ - if (gouttoken.length != 0) { + if (gouttoken.length != 0U) { GBUFFER_TO_REGION(gouttoken, r); RETERR(isc_buffer_copyregion(outtoken, &r)); (void)gss_release_buffer(&minor, &gouttoken); @@ -650,8 +650,6 @@ dst_gssapi_acceptctx(gss_cred_id_t cred, REQUIRE(outtoken != NULL && *outtoken == NULL); - log_cred(cred); - REGION_TO_GBUFFER(*intoken, gintoken); if (*ctxout == NULL) @@ -687,6 +685,8 @@ dst_gssapi_acceptctx(gss_cred_id_t cred, #endif } + log_cred(cred); + gret = gss_accept_sec_context(&minor, &context, cred, &gintoken, GSS_C_NO_CHANNEL_BINDINGS, &gname, NULL, &gouttoken, NULL, NULL, NULL); @@ -719,7 +719,7 @@ dst_gssapi_acceptctx(gss_cred_id_t cred, return (result); } - if (gouttoken.length > 0) { + if (gouttoken.length > 0U) { RETERR(isc_buffer_allocate(mctx, outtoken, gouttoken.length)); GBUFFER_TO_REGION(gouttoken, r); RETERR(isc_buffer_copyregion(*outtoken, &r)); @@ -741,7 +741,7 @@ dst_gssapi_acceptctx(gss_cred_id_t cred, * case, since principal names really should not * contain null characters. */ - if (gnamebuf.length > 0 && + if (gnamebuf.length > 0U && ((char *)gnamebuf.value)[gnamebuf.length - 1] == '\0') gnamebuf.length--; @@ -755,7 +755,7 @@ dst_gssapi_acceptctx(gss_cred_id_t cred, RETERR(dns_name_fromtext(principal, &namebuf, dns_rootname, 0, NULL)); - if (gnamebuf.length != 0) { + if (gnamebuf.length != 0U) { gret = gss_release_buffer(&minor, &gnamebuf); if (gret != GSS_S_COMPLETE) gss_log(3, "failed gss_release_buffer: %s", @@ -836,9 +836,9 @@ gss_error_tostring(isc_uint32_t major, isc_uint32_t minor, snprintf(buf, buflen, "GSSAPI error: Major = %s, Minor = %s.", (char *)msg_major.value, (char *)msg_minor.value); - if (msg_major.length != 0) + if (msg_major.length != 0U) (void)gss_release_buffer(&minor_stat, &msg_major); - if (msg_minor.length != 0) + if (msg_minor.length != 0U) (void)gss_release_buffer(&minor_stat, &msg_minor); return(buf); #else diff --git a/lib/dns/include/dns/Makefile.in b/lib/dns/include/dns/Makefile.in index e13d0848bdd9e..3382cc999832c 100644 --- a/lib/dns/include/dns/Makefile.in +++ b/lib/dns/include/dns/Makefile.in @@ -1,4 +1,4 @@ -# Copyright (C) 2004, 2007-2009 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004, 2007-2009, 2011 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 1998-2003 Internet Software Consortium. # # Permission to use, copy, modify, and/or distribute this software for any @@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.57 2009-10-08 23:48:10 tbox Exp $ +# $Id: Makefile.in,v 1.57.296.2 2011-02-28 01:20:02 tbox Exp $ srcdir = @srcdir@ VPATH = @srcdir@ @@ -29,7 +29,7 @@ HEADERS = acl.h adb.h byaddr.h cache.h callbacks.h cert.h compress.h \ peer.h portlist.h private.h rbt.h rcode.h \ rdata.h rdataclass.h rdatalist.h rdataset.h rdatasetiter.h \ rdataslab.h rdatatype.h request.h resolver.h result.h \ - rootns.h sdb.h sdlz.h secalg.h secproto.h soa.h ssu.h \ + rootns.h rpz.h sdb.h sdlz.h secalg.h secproto.h soa.h ssu.h \ tcpmsg.h time.h tkey.h tsig.h ttl.h types.h \ validator.h version.h view.h xfrin.h zone.h zonekey.h zt.h diff --git a/lib/dns/include/dns/acl.h b/lib/dns/include/dns/acl.h index 04f55773d896d..d066507ef9f51 100644 --- a/lib/dns/include/dns/acl.h +++ b/lib/dns/include/dns/acl.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2007, 2009, 2011 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2002 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: acl.h,v 1.33 2009-01-17 23:47:43 tbox Exp $ */ +/* $Id: acl.h,v 1.33.426.2 2011-06-17 23:47:11 tbox Exp $ */ #ifndef DNS_ACL_H #define DNS_ACL_H 1 @@ -145,9 +145,26 @@ dns_acl_merge(dns_acl_t *dest, dns_acl_t *source, isc_boolean_t pos); void dns_acl_attach(dns_acl_t *source, dns_acl_t **target); +/*%< + * Attach to acl 'source'. + * + * Requires: + *\li 'source' to be a valid acl. + *\li 'target' to be non NULL and '*target' to be NULL. + */ void dns_acl_detach(dns_acl_t **aclp); +/*%< + * Detach the acl. On final detach the acl must not be linked on any + * list. + * + * Requires: + *\li '*aclp' to be a valid acl. + * + * Insists: + *\li '*aclp' is not linked on final detach. + */ isc_boolean_t dns_acl_isinsecure(const dns_acl_t *a); diff --git a/lib/dns/include/dns/cache.h b/lib/dns/include/dns/cache.h index e4ea5f4895772..225f3bf989092 100644 --- a/lib/dns/include/dns/cache.h +++ b/lib/dns/include/dns/cache.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2007, 2009, 2011 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2001 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: cache.h,v 1.28 2009-01-09 23:47:46 tbox Exp $ */ +/* $Id: cache.h,v 1.28.428.2 2011-03-03 23:47:09 tbox Exp $ */ #ifndef DNS_CACHE_H #define DNS_CACHE_H 1 @@ -61,23 +61,36 @@ ISC_LANG_BEGINDECLS ***/ isc_result_t -dns_cache_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr, +dns_cache_create(isc_mem_t *cmctx, isc_taskmgr_t *taskmgr, isc_timermgr_t *timermgr, dns_rdataclass_t rdclass, const char *db_type, unsigned int db_argc, char **db_argv, dns_cache_t **cachep); isc_result_t -dns_cache_create2(isc_mem_t *mctx, isc_taskmgr_t *taskmgr, +dns_cache_create2(isc_mem_t *cmctx, isc_taskmgr_t *taskmgr, + isc_timermgr_t *timermgr, dns_rdataclass_t rdclass, + const char *cachename, const char *db_type, + unsigned int db_argc, char **db_argv, dns_cache_t **cachep); +isc_result_t +dns_cache_create3(isc_mem_t *cmctx, isc_mem_t *hmctx, isc_taskmgr_t *taskmgr, isc_timermgr_t *timermgr, dns_rdataclass_t rdclass, const char *cachename, const char *db_type, unsigned int db_argc, char **db_argv, dns_cache_t **cachep); /*%< - * Create a new DNS cache. dns_cache_create2() will create a named cache. - * dns_cache_create() is a backward compatible version that internally specifies - * an empty name. + * Create a new DNS cache. + * + * dns_cache_create2() will create a named cache. + * + * dns_cache_create3() will create a named cache using two separate memory + * contexts, one for cache data which can be cleaned and a separate one for + * memory allocated for the heap (which can grow without an upper limit and + * has no mechanism for shrinking). + * + * dns_cache_create() is a backward compatible version that internally + * specifies an empty cache name and a single memory context. * * Requires: * - *\li 'mctx' is a valid memory context + *\li 'cmctx' (and 'hmctx' if applicable) is a valid memory context. * *\li 'taskmgr' is a valid task manager and 'timermgr' is a valid timer * manager, or both are NULL. If NULL, no periodic cleaning of the diff --git a/lib/dns/include/dns/db.h b/lib/dns/include/dns/db.h index edb1263ab80f8..b81362272f970 100644 --- a/lib/dns/include/dns/db.h +++ b/lib/dns/include/dns/db.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: db.h,v 1.104 2011-01-13 04:59:25 tbox Exp $ */ +/* $Id: db.h,v 1.104.8.1 2011-05-19 04:42:51 each Exp $ */ #ifndef DNS_DB_H #define DNS_DB_H 1 @@ -1441,7 +1441,9 @@ dns_db_setsigningtime(dns_db_t *db, dns_rdataset_t *rdataset, * * Requires: * \li 'db' is a valid zone database. - * \li 'rdataset' to be associated with 'db'. + * \li 'rdataset' is or is to be associated with 'db'. + * \li 'rdataset' is not pending removed from the heap via an + * uncommitted call to dns_db_resigned(). * * Returns: * \li #ISC_R_SUCCESS @@ -1472,7 +1474,9 @@ dns_db_resigned(dns_db_t *db, dns_rdataset_t *rdataset, * Mark 'rdataset' as not being available to be returned by * dns_db_getsigningtime(). If the changes associated with 'version' * are committed this will be permanent. If the version is not committed - * this change will be rolled back when the version is closed. + * this change will be rolled back when the version is closed. Until + * 'version' is either committed or rolled back, 'rdataset' can no longer + * be acted upon by dns_db_setsigningtime(). * * Requires: * \li 'db' is a valid zone database. diff --git a/lib/dns/include/dns/dlz.h b/lib/dns/include/dns/dlz.h index e04b1b1adc62e..29c292691f790 100644 --- a/lib/dns/include/dns/dlz.h +++ b/lib/dns/include/dns/dlz.h @@ -1,5 +1,5 @@ /* - * Portions Copyright (C) 2005-2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC") + * Portions Copyright (C) 2005-2007, 2009-2011 Internet Systems Consortium, Inc. ("ISC") * Portions Copyright (C) 1999-2001 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -50,7 +50,7 @@ * USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dlz.h,v 1.12 2010-12-20 23:47:21 tbox Exp $ */ +/* $Id: dlz.h,v 1.12.14.2 2011-03-17 23:47:06 tbox Exp $ */ /*! \file dns/dlz.h */ @@ -318,9 +318,9 @@ dns_dlzunregister(dns_dlzimplementation_t **dlzimp); */ -isc_result_t -dns_dlz_writeablezone(dns_view_t *view, const char *zone_name); - +typedef isc_result_t dns_dlz_writeablezone_t(dns_view_t *view, + const char *zone_name); +dns_dlz_writeablezone_t dns_dlz_writeablezone; /*%< * creates a writeable DLZ zone. Must be called from within the * configure() method of a DLZ driver. diff --git a/lib/dns/include/dns/dlz_dlopen.h b/lib/dns/include/dns/dlz_dlopen.h new file mode 100644 index 0000000000000..3e87d10cdc1c5 --- /dev/null +++ b/lib/dns/include/dns/dlz_dlopen.h @@ -0,0 +1,160 @@ +/* + * Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +/* $Id: dlz_dlopen.h,v 1.2.2.2 2011-03-17 09:41:07 fdupont Exp $ */ + +/*! \file dns/dlz_open.h */ + +#ifndef DLZ_DLOPEN_H +#define DLZ_DLOPEN_H + +#include <dns/sdlz.h> + +ISC_LANG_BEGINDECLS + +/* + * This header provides a minimal set of defines and typedefs needed + * for the entry points of an external DLZ module for bind9. + */ + +#define DLZ_DLOPEN_VERSION 1 + +/* + * dlz_dlopen_version() is required for all DLZ external drivers. It + * should return DLZ_DLOPEN_VERSION + */ +typedef int dlz_dlopen_version_t (unsigned int *flags); + +/* + * dlz_dlopen_create() is required for all DLZ external drivers. + */ +typedef isc_result_t dlz_dlopen_create_t (const char *dlzname, + unsigned int argc, + char *argv[], + void **dbdata, + ...); + +/* + * dlz_dlopen_destroy() is optional, and will be called when the + * driver is unloaded if supplied + */ +typedef void dlz_dlopen_destroy_t (void *dbdata); + +/* + * dlz_dlopen_findzonedb() is required for all DLZ external drivers + */ +typedef isc_result_t dlz_dlopen_findzonedb_t (void *dbdata, + const char *name); + +/* + * dlz_dlopen_lookup() is required for all DLZ external drivers + */ +typedef isc_result_t dlz_dlopen_lookup_t (const char *zone, + const char *name, + void *dbdata, + dns_sdlzlookup_t *lookup); + +/* + * dlz_dlopen_authority is optional() if dlz_dlopen_lookup() + * supplies authority information for the dns record + */ +typedef isc_result_t dlz_dlopen_authority_t (const char *zone, + void *dbdata, + dns_sdlzlookup_t *lookup); + +/* + * dlz_dlopen_allowzonexfr() is optional, and should be supplied if + * you want to support zone transfers + */ +typedef isc_result_t dlz_dlopen_allowzonexfr_t (void *dbdata, + const char *name, + const char *client); + +/* + * dlz_dlopen_allnodes() is optional, but must be supplied if supply a + * dlz_dlopen_allowzonexfr() function + */ +typedef isc_result_t dlz_dlopen_allnodes_t (const char *zone, + void *dbdata, + dns_sdlzallnodes_t *allnodes); + +/* + * dlz_dlopen_newversion() is optional. It should be supplied if you + * want to support dynamic updates. + */ +typedef isc_result_t dlz_dlopen_newversion_t (const char *zone, + void *dbdata, + void **versionp); + +/* + * dlz_closeversion() is optional, but must be supplied if you supply + * a dlz_newversion() function + */ +typedef void dlz_dlopen_closeversion_t (const char *zone, + isc_boolean_t commit, + void *dbdata, + void **versionp); + +/* + * dlz_dlopen_configure() is optional, but must be supplied if you + * want to support dynamic updates + */ +typedef isc_result_t dlz_dlopen_configure_t (dns_view_t *view, + void *dbdata); + +/* + * dlz_dlopen_ssumatch() is optional, but must be supplied if you want + * to support dynamic updates + */ +typedef isc_boolean_t dlz_dlopen_ssumatch_t (const char *signer, + const char *name, + const char *tcpaddr, + const char *type, + const char *key, + isc_uint32_t keydatalen, + unsigned char *keydata, + void *dbdata); + +/* + * dlz_dlopen_addrdataset() is optional, but must be supplied if you + * want to support dynamic updates + */ +typedef isc_result_t dlz_dlopen_addrdataset_t (const char *name, + const char *rdatastr, + void *dbdata, + void *version); + +/* + * dlz_dlopen_subrdataset() is optional, but must be supplied if you + * want to support dynamic updates + */ +typedef isc_result_t dlz_dlopen_subrdataset_t (const char *name, + const char *rdatastr, + void *dbdata, + void *version); + +/* + * dlz_dlopen_delrdataset() is optional, but must be supplied if you + * want to support dynamic updates + */ +typedef isc_result_t dlz_dlopen_delrdataset_t (const char *name, + const char *type, + void *dbdata, + void *version); + +ISC_LANG_ENDDECLS + +#endif diff --git a/lib/dns/include/dns/dnssec.h b/lib/dns/include/dns/dnssec.h index c6d910b3954e3..354f880336b30 100644 --- a/lib/dns/include/dns/dnssec.h +++ b/lib/dns/include/dns/dnssec.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2007, 2009-2011 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2002 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssec.h,v 1.42 2010-01-09 23:48:45 tbox Exp $ */ +/* $Id: dnssec.h,v 1.42.178.2 2011-05-06 23:47:05 tbox Exp $ */ #ifndef DNS_DNSSEC_H #define DNS_DNSSEC_H 1 @@ -220,6 +220,19 @@ dns_dnssec_selfsigns(dns_rdata_t *rdata, dns_name_t *name, isc_boolean_t ignoretime, isc_mem_t *mctx); +isc_boolean_t +dns_dnssec_signs(dns_rdata_t *rdata, dns_name_t *name, + dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset, + isc_boolean_t ignoretime, isc_mem_t *mctx); +/*%< + * Verify that 'rdataset' is validly signed in 'sigrdataset' by + * the key in 'rdata'. + * + * dns_dnssec_selfsigns() requires that rdataset be a DNSKEY or KEY + * rrset. dns_dnssec_signs() works on any rrset. + */ + + isc_result_t dns_dnsseckey_create(isc_mem_t *mctx, dst_key_t **dstkey, dns_dnsseckey_t **dkp); diff --git a/lib/dns/include/dns/masterdump.h b/lib/dns/include/dns/masterdump.h index 684dd82d53b66..e5bfe045cefde 100644 --- a/lib/dns/include/dns/masterdump.h +++ b/lib/dns/include/dns/masterdump.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: masterdump.h,v 1.42.596.2 2011-06-02 23:47:35 tbox Exp $ */ +/* $Id: masterdump.h,v 1.42.524.2 2011-05-28 00:27:48 tbox Exp $ */ #ifndef DNS_MASTERDUMP_H #define DNS_MASTERDUMP_H 1 diff --git a/lib/dns/include/dns/rdataset.h b/lib/dns/include/dns/rdataset.h index 7f50c12db2122..492a1cecec53a 100644 --- a/lib/dns/include/dns/rdataset.h +++ b/lib/dns/include/dns/rdataset.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: rdataset.h,v 1.69.270.3 2011-06-21 20:15:54 each Exp $ */ +/* $Id: rdataset.h,v 1.69.148.3 2011-06-08 23:02:43 each Exp $ */ #ifndef DNS_RDATASET_H #define DNS_RDATASET_H 1 @@ -653,7 +653,7 @@ dns_rdataset_expire(dns_rdataset_t *rdataset); const char * dns_trust_totext(dns_trust_t trust); -/*%< +/* * Display trust in textual form. */ diff --git a/lib/dns/include/dns/resolver.h b/lib/dns/include/dns/resolver.h index 2db1770a6ded0..9c93fdfb62ecb 100644 --- a/lib/dns/include/dns/resolver.h +++ b/lib/dns/include/dns/resolver.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: resolver.h,v 1.67.86.1.2.1 2011-06-02 23:47:36 tbox Exp $ */ +/* $Id: resolver.h,v 1.67.86.2 2011-02-28 01:20:02 tbox Exp $ */ #ifndef DNS_RESOLVER_H #define DNS_RESOLVER_H 1 diff --git a/lib/dns/include/dns/sdlz.h b/lib/dns/include/dns/sdlz.h index b917cc078b62e..76eff3cad2344 100644 --- a/lib/dns/include/dns/sdlz.h +++ b/lib/dns/include/dns/sdlz.h @@ -50,7 +50,7 @@ * USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: sdlz.h,v 1.14 2011-01-13 08:50:29 tbox Exp $ */ +/* $Id: sdlz.h,v 1.14.8.2 2011-03-17 23:47:06 tbox Exp $ */ /*! \file dns/sdlz.h */ @@ -317,25 +317,33 @@ dns_sdlzunregister(dns_sdlzimplementation_t **sdlzimp); * function is called. */ -isc_result_t -dns_sdlz_putnamedrr(dns_sdlzallnodes_t *allnodes, const char *name, - const char *type, dns_ttl_t ttl, const char *data); +typedef isc_result_t dns_sdlz_putnamedrr_t(dns_sdlzallnodes_t *allnodes, + const char *name, + const char *type, + dns_ttl_t ttl, + const char *data); +dns_sdlz_putnamedrr_t dns_sdlz_putnamedrr; + /*%< * Add a single resource record to the allnodes structure to be later * parsed into a zone transfer response. */ -isc_result_t -dns_sdlz_putrr(dns_sdlzlookup_t *lookup, const char *type, dns_ttl_t ttl, - const char *data); +typedef isc_result_t dns_sdlz_putrr_t(dns_sdlzlookup_t *lookup, + const char *type, + dns_ttl_t ttl, + const char *data); +dns_sdlz_putrr_t dns_sdlz_putrr; /*%< * Add a single resource record to the lookup structure to be later * parsed into a query response. */ -isc_result_t -dns_sdlz_putsoa(dns_sdlzlookup_t *lookup, const char *mname, const char *rname, - isc_uint32_t serial); +typedef isc_result_t dns_sdlz_putsoa_t(dns_sdlzlookup_t *lookup, + const char *mname, + const char *rname, + isc_uint32_t serial); +dns_sdlz_putsoa_t dns_sdlz_putsoa; /*%< * This function may optionally be called from the 'authority' * callback to simplify construction of the SOA record for 'zone'. It @@ -347,9 +355,11 @@ dns_sdlz_putsoa(dns_sdlzlookup_t *lookup, const char *mname, const char *rname, */ -isc_result_t -dns_sdlz_setdb(dns_dlzdb_t *dlzdatabase, dns_rdataclass_t rdclass, - dns_name_t *name, dns_db_t **dbp); +typedef isc_result_t dns_sdlz_setdb_t(dns_dlzdb_t *dlzdatabase, + dns_rdataclass_t rdclass, + dns_name_t *name, + dns_db_t **dbp); +dns_sdlz_setdb_t dns_sdlz_setdb; /*%< * Create the database pointers for a writeable SDLZ zone */ diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h index 67756d92cb6bb..a8b78dc0faa7a 100644 --- a/lib/dns/include/dns/zone.h +++ b/lib/dns/include/dns/zone.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: zone.h,v 1.182 2010-12-18 01:56:22 each Exp $ */ +/* $Id: zone.h,v 1.182.16.2 2011-07-08 23:47:16 tbox Exp $ */ #ifndef DNS_ZONE_H #define DNS_ZONE_H 1 @@ -1380,7 +1380,8 @@ dns_zonemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr, isc_timermgr_t *timermgr, isc_socketmgr_t *socketmgr, dns_zonemgr_t **zmgrp); /*%< - * Create a zone manager. + * Create a zone manager. Note: the zone manager will not be able to + * manage any zones until dns_zonemgr_setsize() has been run. * * Requires: *\li 'mctx' to be a valid memory context. @@ -1390,6 +1391,18 @@ dns_zonemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr, */ isc_result_t +dns_zonemgr_setsize(dns_zonemgr_t *zmgr, int num_zones); +/*%< + * Set the size of the zone manager task pool. This must be run + * before zmgr can be used for managing zones. Currently, it can only + * be run once; the task pool cannot be resized. + * + * Requires: + *\li zmgr is a valid zone manager. + *\li zmgr->zonetasks has been initialized. + */ + +isc_result_t dns_zonemgr_managezone(dns_zonemgr_t *zmgr, dns_zone_t *zone); /*%< * Bring the zone under control of a zone manager. diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h index 3c999f6876dba..eec9b39bdcba5 100644 --- a/lib/dns/include/dst/dst.h +++ b/lib/dns/include/dst/dst.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dst.h,v 1.31 2011-01-11 23:47:14 tbox Exp $ */ +/* $Id: dst.h,v 1.31.10.1 2011-03-21 19:53:35 each Exp $ */ #ifndef DST_DST_H #define DST_DST_H 1 @@ -844,6 +844,9 @@ dst_key_tkeytoken(const dst_key_t *key); /*%< * Return the token from the TKEY request, if any. If this key was * not negotiated via TKEY, return NULL. + * + * Requires: + * "key" is a valid key. */ diff --git a/lib/dns/journal.c b/lib/dns/journal.c index a6d630edc4c70..27e9bdb66ee89 100644 --- a/lib/dns/journal.c +++ b/lib/dns/journal.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2005, 2007-2010 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005, 2007-2011 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2002 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: journal.c,v 1.112 2010-11-17 23:47:08 tbox Exp $ */ +/* $Id: journal.c,v 1.112.38.2 2011-03-12 04:59:17 tbox Exp $ */ #include <config.h> @@ -163,7 +163,7 @@ dns_db_createsoatuple(dns_db_t *db, dns_dbversion_t *ver, isc_mem_t *mctx, dns_rdataset_disassociate(&rdataset); dns_db_detachnode(db, &node); - return (ISC_R_SUCCESS); + return (result); freenode: dns_db_detachnode(db, &node); @@ -2170,6 +2170,7 @@ dns_journal_compact(isc_mem_t *mctx, char *filename, isc_uint32_t serial, CHECK(journal_fsync(new)); indexend = new->header.end.offset; + POST(indexend); } /* diff --git a/lib/dns/master.c b/lib/dns/master.c index e90a74cfd6b19..1e9fead687e52 100644 --- a/lib/dns/master.c +++ b/lib/dns/master.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2009, 2011 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: master.c,v 1.178 2009-09-01 00:22:26 jinmei Exp $ */ +/* $Id: master.c,v 1.178.346.2 2011-03-12 04:59:17 tbox Exp $ */ /*! \file */ @@ -1205,9 +1205,10 @@ load_text(dns_loadctx_t *lctx) { goto insist_and_cleanup; } ictx = lctx->inc; - line = isc_lex_getsourceline(lctx->lex); source = isc_lex_getsourcename(lctx->lex); + line = isc_lex_getsourceline(lctx->lex); + POST(line); continue; } /* @@ -1417,8 +1418,9 @@ load_text(dns_loadctx_t *lctx) { goto insist_and_cleanup; } ictx = lctx->inc; - line = isc_lex_getsourceline(lctx->lex); source = isc_lex_getsourcename(lctx->lex); + line = isc_lex_getsourceline(lctx->lex); + POST(line); continue; } @@ -2123,6 +2125,7 @@ load_raw(dns_loadctx_t *lctx) { /* Empty read: currently, we do not use dumptime */ dumptime = isc_buffer_getuint32(&target); + POST(dumptime); lctx->first = ISC_FALSE; } @@ -2295,7 +2298,6 @@ load_raw(dns_loadctx_t *lctx) { isc_buffer_forward(&target, consumed_name); rdcount -= i; - i = 0; goto continue_read; } @@ -2679,7 +2681,6 @@ grow_rdatalist(int new_len, dns_rdatalist_t *old, int old_len, return (NULL); ISC_LIST_INIT(save); - this = ISC_LIST_HEAD(*current); while ((this = ISC_LIST_HEAD(*current)) != NULL) { ISC_LIST_UNLINK(*current, this, link); ISC_LIST_APPEND(save, this, link); @@ -2692,7 +2693,6 @@ grow_rdatalist(int new_len, dns_rdatalist_t *old, int old_len, } ISC_LIST_INIT(save); - this = ISC_LIST_HEAD(*glue); while ((this = ISC_LIST_HEAD(*glue)) != NULL) { ISC_LIST_UNLINK(*glue, this, link); ISC_LIST_APPEND(save, this, link); diff --git a/lib/dns/masterdump.c b/lib/dns/masterdump.c index e2adf9b24ddaf..c137b108a3a85 100644 --- a/lib/dns/masterdump.c +++ b/lib/dns/masterdump.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: masterdump.c,v 1.99.328.3 2011-06-21 20:15:47 each Exp $ */ +/* $Id: masterdump.c,v 1.99.258.7 2011-06-08 23:02:42 each Exp $ */ /*! \file */ @@ -871,9 +871,8 @@ dump_rdatasets_text(isc_mem_t *mctx, dns_name_t *name, for (i = 0; i < n; i++) { dns_rdataset_t *rds = sorted[i]; - if (ctx->style.flags & DNS_STYLEFLAG_TRUST) { + if (ctx->style.flags & DNS_STYLEFLAG_TRUST) fprintf(f, "; %s\n", dns_trust_totext(rds->trust)); - } if (((rds->attributes & DNS_RDATASETATTR_NEGATIVE) != 0) && (ctx->style.flags & DNS_STYLEFLAG_NCACHE) == 0) { /* Omit negative cache entries */ @@ -1047,6 +1046,8 @@ dump_rdatasets_raw(isc_mem_t *mctx, dns_name_t *name, buffer, f); } dns_rdataset_disassociate(&rdataset); + if (result != ISC_R_SUCCESS) + return (result); } if (result == ISC_R_NOMORE) @@ -1356,23 +1357,24 @@ dumptostreaminc(dns_dumpctx_t *dctx) { isc_buffer_region(&buffer, &r); isc_buffer_putuint32(&buffer, dns_masterformat_raw); isc_buffer_putuint32(&buffer, DNS_RAWFORMAT_VERSION); - if (sizeof(now32) != sizeof(dctx->now)) { - /* - * We assume isc_stdtime_t is a 32-bit integer, - * which should be the case on most cases. - * If it turns out to be uncommon, we'll need - * to bump the version number and revise the - * header format. - */ - isc_log_write(dns_lctx, - ISC_LOGCATEGORY_GENERAL, - DNS_LOGMODULE_MASTERDUMP, - ISC_LOG_INFO, - "dumping master file in raw " - "format: stdtime is not 32bits"); - now32 = 0; - } else - now32 = dctx->now; +#if !defined(STDTIME_ON_32BITS) || (STDTIME_ON_32BITS + 0) != 1 + /* + * We assume isc_stdtime_t is a 32-bit integer, + * which should be the case on most cases. + * If it turns out to be uncommon, we'll need + * to bump the version number and revise the + * header format. + */ + isc_log_write(dns_lctx, + ISC_LOGCATEGORY_GENERAL, + DNS_LOGMODULE_MASTERDUMP, + ISC_LOG_INFO, + "dumping master file in raw " + "format: stdtime is not 32bits"); + now32 = 0; +#else + now32 = dctx->now; +#endif isc_buffer_putuint32(&buffer, now32); INSIST(isc_buffer_usedlength(&buffer) <= sizeof(rawheader)); @@ -1742,6 +1744,14 @@ dns_master_dumpnode(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version, result = dns_master_dumpnodetostream(mctx, db, version, node, name, style, f); + if (result != ISC_R_SUCCESS) { + isc_log_write(dns_lctx, ISC_LOGCATEGORY_GENERAL, + DNS_LOGMODULE_MASTERDUMP, ISC_LOG_ERROR, + "dumping master file: %s: dump: %s", filename, + isc_result_totext(result)); + (void)isc_stdio_close(f); + return (ISC_R_UNEXPECTED); + } result = isc_stdio_close(f); if (result != ISC_R_SUCCESS) { diff --git a/lib/dns/message.c b/lib/dns/message.c index b58c139994922..4ca37b7580af7 100644 --- a/lib/dns/message.c +++ b/lib/dns/message.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: message.c,v 1.254.186.3 2011-06-21 20:15:47 each Exp $ */ +/* $Id: message.c,v 1.254.114.3 2011-06-08 23:02:42 each Exp $ */ /*! \file */ @@ -1194,7 +1194,6 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx, skip_name_search = ISC_FALSE; skip_type_search = ISC_FALSE; - free_name = ISC_FALSE; free_rdataset = ISC_FALSE; name = isc_mempool_get(msg->namepool); @@ -2930,6 +2929,7 @@ dns_message_signer(dns_message_t *msg, dns_name_t *signer) { dns_rdataset_current(msg->tsig, &rdata); result = dns_rdata_tostruct(&rdata, &tsig, NULL); + INSIST(result == ISC_R_SUCCESS); if (msg->tsigstatus != dns_rcode_noerror) result = DNS_R_TSIGVERIFYFAILURE; else if (tsig.error != dns_rcode_noerror) diff --git a/lib/dns/name.c b/lib/dns/name.c index f88f281b61886..23835138a7895 100644 --- a/lib/dns/name.c +++ b/lib/dns/name.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: name.c,v 1.174 2011-01-13 04:59:25 tbox Exp $ */ +/* $Id: name.c,v 1.174.8.1 2011-03-11 06:47:04 marka Exp $ */ /*! \file */ @@ -1024,12 +1024,13 @@ dns_name_fromtext(dns_name_t *name, isc_buffer_t *source, const dns_name_t *origin, unsigned int options, isc_buffer_t *target) { - unsigned char *ndata, *label; + unsigned char *ndata, *label = NULL; char *tdata; char c; ft_state state; - unsigned int value, count; - unsigned int n1, n2, tlen, nrem, nused, digits, labels, tused; + unsigned int value = 0, count = 0; + unsigned int n1 = 0, n2 = 0; + unsigned int tlen, nrem, nused, digits = 0, labels, tused; isc_boolean_t done; unsigned char *offsets; dns_offsets_t odata; @@ -1063,16 +1064,6 @@ dns_name_fromtext(dns_name_t *name, isc_buffer_t *source, offsets[0] = 0; /* - * Initialize things to make the compiler happy; they're not required. - */ - n1 = 0; - n2 = 0; - label = NULL; - digits = 0; - value = 0; - count = 0; - - /* * Make 'name' empty in case of failure. */ MAKE_EMPTY(name); @@ -1171,6 +1162,7 @@ dns_name_fromtext(dns_name_t *name, isc_buffer_t *source, return (DNS_R_BADLABELTYPE); } state = ft_escape; + POST(state); /* FALLTHROUGH */ case ft_escape: if (!isdigit(c & 0xff)) { @@ -1236,6 +1228,7 @@ dns_name_fromtext(dns_name_t *name, isc_buffer_t *source, label = origin->ndata; n1 = origin->length; nrem -= n1; + POST(nrem); while (n1 > 0) { n2 = *label++; INSIST(n2 <= 63); /* no bitstring support */ diff --git a/lib/dns/ncache.c b/lib/dns/ncache.c index 420a1180eb231..1ac85e5f90654 100644 --- a/lib/dns/ncache.c +++ b/lib/dns/ncache.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: ncache.c,v 1.50.124.1.2.3 2011-06-21 20:15:47 each Exp $ */ +/* $Id: ncache.c,v 1.50.124.4 2011-06-08 23:02:42 each Exp $ */ /*! \file */ diff --git a/lib/dns/nsec.c b/lib/dns/nsec.c index 94c5163ecc7da..506f5b78d1cf5 100644 --- a/lib/dns/nsec.c +++ b/lib/dns/nsec.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005, 2007-2009, 2011 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2001, 2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: nsec.c,v 1.13 2009-01-06 23:47:57 tbox Exp $ */ +/* $Id: nsec.c,v 1.13.428.2 2011-03-12 04:59:17 tbox Exp $ */ /*! \file */ @@ -182,7 +182,7 @@ dns_nsec_build(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node, 0, NULL); if (result == DNS_R_UNCHANGED) result = ISC_R_SUCCESS; - RETERR(result); + failure: if (dns_rdataset_isassociated(&rdataset)) dns_rdataset_disassociate(&rdataset); diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c index e75e7440abc00..d99f90ecc509a 100644 --- a/lib/dns/nsec3.c +++ b/lib/dns/nsec3.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2006, 2008-2010 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2006, 2008-2011 Internet Systems Consortium, Inc. ("ISC") * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: nsec3.c,v 1.19.96.1 2011-06-21 20:15:48 each Exp $ */ +/* $Id: nsec3.c,v 1.19.24.3 2011-06-08 23:02:42 each Exp $ */ #include <config.h> @@ -557,7 +557,7 @@ dns_nsec3_addnsec3(dns_db_t *db, dns_dbversion_t *version, dns_rdata_t rdata = DNS_RDATA_INIT; dns_rdataset_t rdataset; int pass; - isc_boolean_t exists; + isc_boolean_t exists = ISC_FALSE; isc_boolean_t maybe_remove_unsecure = ISC_FALSE; isc_uint8_t flags; isc_buffer_t buffer; diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c index 8c733f68a0c39..49670b1a474c9 100644 --- a/lib/dns/openssl_link.c +++ b/lib/dns/openssl_link.c @@ -1,5 +1,5 @@ /* - * Portions Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC") + * Portions Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC") * Portions Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -31,7 +31,7 @@ /* * Principal Author: Brian Wellington - * $Id: openssl_link.c,v 1.29 2010-09-15 12:38:36 tbox Exp $ + * $Id: openssl_link.c,v 1.29.54.2 2011-03-12 04:59:17 tbox Exp $ */ #ifdef OPENSSL @@ -50,16 +50,6 @@ #include "dst_internal.h" #include "dst_openssl.h" -#include <openssl/err.h> -#include <openssl/rand.h> -#include <openssl/evp.h> -#include <openssl/conf.h> -#include <openssl/crypto.h> - -#if defined(CRYPTO_LOCK_ENGINE) && (OPENSSL_VERSION_NUMBER >= 0x0090707f) -#define USE_ENGINE 1 -#endif - #ifdef USE_ENGINE #include <openssl/engine.h> #endif @@ -308,19 +298,19 @@ dst__openssl_toresult(isc_result_t fallback) { return (result); } +#if defined(USE_ENGINE) ENGINE * dst__openssl_getengine(const char *engine) { if (engine == NULL) return (NULL); -#if defined(USE_ENGINE) if (e == NULL) return (NULL); if (strcmp(engine, ENGINE_get_id(e)) == 0) return (e); -#endif return (NULL); } +#endif #else /* OPENSSL */ diff --git a/lib/dns/openssldsa_link.c b/lib/dns/openssldsa_link.c index ae88d4c998177..c266a26eeb2fe 100644 --- a/lib/dns/openssldsa_link.c +++ b/lib/dns/openssldsa_link.c @@ -29,7 +29,7 @@ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: openssldsa_link.c,v 1.20 2011-01-11 23:47:13 tbox Exp $ */ +/* $Id: openssldsa_link.c,v 1.20.10.1 2011-03-11 06:47:04 marka Exp $ */ #ifdef OPENSSL #ifndef USE_EVP @@ -252,7 +252,6 @@ openssldsa_verify(dst_context_t *dctx, const isc_region_t *sig) { dsasig->r = BN_bin2bn(cp, ISC_SHA1_DIGESTLENGTH, NULL); cp += ISC_SHA1_DIGESTLENGTH; dsasig->s = BN_bin2bn(cp, ISC_SHA1_DIGESTLENGTH, NULL); - cp += ISC_SHA1_DIGESTLENGTH; #if 0 pkey = EVP_PKEY_new(); diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c index fcdc9f06b8d90..098529a827767 100644 --- a/lib/dns/opensslrsa_link.c +++ b/lib/dns/opensslrsa_link.c @@ -17,7 +17,7 @@ /* * Principal Author: Brian Wellington - * $Id: opensslrsa_link.c,v 1.39 2011-01-11 23:47:13 tbox Exp $ + * $Id: opensslrsa_link.c,v 1.39.10.2 2011-03-11 02:57:35 marka Exp $ */ #ifdef OPENSSL #include <config.h> @@ -51,7 +51,9 @@ #if OPENSSL_VERSION_NUMBER > 0x00908000L #include <openssl/bn.h> #endif +#ifdef USE_ENGINE #include <openssl/engine.h> +#endif /* * We don't use configure for windows so enforce the OpenSSL version @@ -1138,10 +1140,14 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { isc_result_t ret; int i; RSA *rsa = NULL, *pubrsa = NULL; +#ifdef USE_ENGINE ENGINE *e = NULL; +#endif isc_mem_t *mctx = key->mctx; const char *engine = NULL, *label = NULL; +#if defined(USE_ENGINE) || USE_EVP EVP_PKEY *pkey = NULL; +#endif #if USE_EVP if (pub != NULL && pub->keydata.pkey != NULL) @@ -1175,6 +1181,7 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { * See if we can fetch it. */ if (label != NULL) { +#ifdef USE_ENGINE if (engine == NULL) DST_RET(DST_R_NOENGINE); e = dst__openssl_getengine(engine); @@ -1209,6 +1216,9 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { dst__privstruct_free(&priv, mctx); memset(&priv, 0, sizeof(priv)); return (ISC_R_SUCCESS); +#else + DST_RET(DST_R_NOENGINE); +#endif } rsa = RSA_new(); @@ -1303,6 +1313,7 @@ static isc_result_t opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label, const char *pin) { +#ifdef USE_ENGINE ENGINE *e = NULL; isc_result_t ret; EVP_PKEY *pkey = NULL; @@ -1366,6 +1377,13 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label, if (pkey != NULL) EVP_PKEY_free(pkey); return (ret); +#else + UNUSED(key); + UNUSED(engine); + UNUSED(label); + UNUSED(pin); + return(DST_R_NOENGINE); +#endif } static dst_func_t opensslrsa_functions = { diff --git a/lib/dns/rbt.c b/lib/dns/rbt.c index 6c14e8e702a0e..c733e505d152d 100644 --- a/lib/dns/rbt.c +++ b/lib/dns/rbt.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005, 2007-2009, 2011 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: rbt.c,v 1.146 2009-10-27 04:46:58 marka Exp $ */ +/* $Id: rbt.c,v 1.146.278.2 2011-03-12 04:59:17 tbox Exp $ */ /*! \file */ @@ -718,6 +718,7 @@ dns_rbt_findnode(dns_rbt_t *rbt, dns_name_t *name, dns_name_t *foundname, */ compared = dns_namereln_none; last_compared = NULL; + order = 0; } dns_fixedname_init(&fixedcallbackname); @@ -1084,6 +1085,7 @@ dns_rbt_findnode(dns_rbt_t *rbt, dns_name_t *name, dns_name_t *foundname, ¤t_name, &order, &common_labels); + POST(compared); last_compared = current; @@ -1526,7 +1528,7 @@ rehash(dns_rbt_t *rbt) { oldsize = rbt->hashsize; oldtable = rbt->hashtable; - rbt->hashsize *= 2 + 1; + rbt->hashsize = rbt->hashsize * 2 + 1; rbt->hashtable = isc_mem_get(rbt->mctx, rbt->hashsize * sizeof(dns_rbtnode_t *)); if (rbt->hashtable == NULL) { @@ -1683,6 +1685,7 @@ dns_rbt_addonlevel(dns_rbtnode_t *node, dns_rbtnode_t *current, int order, } child = root; + POST(child); dns_name_init(&add_name, add_offsets); NODENAME(node, &add_name); diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c index d4415d8906d62..9d66006b4712b 100644 --- a/lib/dns/rbtdb.c +++ b/lib/dns/rbtdb.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: rbtdb.c,v 1.310.8.1.2.1 2011-06-21 20:15:48 each Exp $ */ +/* $Id: rbtdb.c,v 1.310.8.5 2011-06-08 23:02:42 each Exp $ */ /*! \file */ @@ -436,8 +436,12 @@ typedef struct { rbtnodelist_t *deadnodes; /* - * Heaps. Each of these is used for TTL based expiry. + * Heaps. These are used for TTL based expiry in a cache, + * or for zone resigning in a zone DB. hmctx is the memory + * context to use for the heap (which differs from the main + * database memory context in the case of a cache). */ + isc_mem_t * hmctx; isc_heap_t **heaps; /* Locked by tree_lock. */ @@ -955,9 +959,8 @@ free_rbtdb(dns_rbtdb_t *rbtdb, isc_boolean_t log, isc_event_t *event) { if (rbtdb->heaps != NULL) { for (i = 0; i < rbtdb->node_lock_count; i++) isc_heap_destroy(&rbtdb->heaps[i]); - isc_mem_put(rbtdb->common.mctx, rbtdb->heaps, - rbtdb->node_lock_count * - sizeof(isc_heap_t *)); + isc_mem_put(rbtdb->hmctx, rbtdb->heaps, + rbtdb->node_lock_count * sizeof(isc_heap_t *)); } if (rbtdb->rrsetstats != NULL) @@ -979,6 +982,7 @@ free_rbtdb(dns_rbtdb_t *rbtdb, isc_boolean_t log, isc_event_t *event) { rbtdb->common.magic = 0; rbtdb->common.impmagic = 0; ondest = rbtdb->common.ondest; + isc_mem_detach(&rbtdb->hmctx); isc_mem_putanddetach(&rbtdb->common.mctx, rbtdb, sizeof(*rbtdb)); isc_ondestroy_notify(&ondest, rbtdb); } @@ -2691,10 +2695,15 @@ zone_zonecut_callback(dns_rbtnode_t *node, dns_name_t *name, void *arg) { /* * Did we find anything? */ - if (dname_header != NULL) { + if (!IS_CACHE(search->rbtdb) && !IS_STUB(search->rbtdb) && + ns_header != NULL) { /* - * Note that DNAME has precedence over NS if both exist. + * Note that NS has precedence over DNAME if both exist + * in a zone. Otherwise DNAME take precedence over NS. */ + found = ns_header; + search->zonecut_sigrdataset = NULL; + } else if (dname_header != NULL) { found = dname_header; search->zonecut_sigrdataset = sigdname_header; } else if (ns_header != NULL) { @@ -4103,6 +4112,7 @@ zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version, */ if (search.need_cleanup) { node = search.zonecut; + INSIST(node != NULL); lock = &(search.rbtdb->node_locks[node->locknum].lock); NODE_LOCK(lock, isc_rwlocktype_read); @@ -4404,6 +4414,7 @@ find_deepest_zonecut(rbtdb_search_t *search, dns_rbtnode_t *node, NODE_UNLOCK(lock, locktype); NODE_LOCK(lock, isc_rwlocktype_write); locktype = isc_rwlocktype_write; + POST(locktype); } if (need_headerupdate(found, search->now)) update_header(search->rbtdb, found, @@ -4908,15 +4919,9 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version, cname_ok && cnamesig != NULL) { /* - * If we've already got the CNAME RRSIG, - * use it, otherwise change sigtype - * so that we find it. + * If we've already got the + * CNAME RRSIG, use it. */ - if (cnamesig != NULL) - foundsig = cnamesig; - else - sigtype = - RBTDB_RDATATYPE_SIGCNAME; foundsig = cnamesig; } } else if (header->type == sigtype) { @@ -5062,6 +5067,7 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version, NODE_UNLOCK(lock, locktype); NODE_LOCK(lock, isc_rwlocktype_write); locktype = isc_rwlocktype_write; + POST(locktype); } if (update != NULL && need_headerupdate(update, search.now)) update_header(search.rbtdb, update, search.now); @@ -5079,6 +5085,7 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version, */ if (search.need_cleanup) { node = search.zonecut; + INSIST(node != NULL); lock = &(search.rbtdb->node_locks[node->locknum].lock); NODE_LOCK(lock, isc_rwlocktype_read); @@ -5244,6 +5251,7 @@ cache_findzonecut(dns_db_t *db, dns_name_t *name, unsigned int options, NODE_UNLOCK(lock, locktype); NODE_LOCK(lock, isc_rwlocktype_write); locktype = isc_rwlocktype_write; + POST(locktype); } if (need_headerupdate(found, search.now)) update_header(search.rbtdb, found, search.now); @@ -7463,16 +7471,21 @@ dns_rbtdb_create int i; dns_name_t name; isc_boolean_t (*sooner)(void *, void *); + isc_mem_t *hmctx = mctx; /* Keep the compiler happy. */ - UNUSED(argc); - UNUSED(argv); UNUSED(driverarg); rbtdb = isc_mem_get(mctx, sizeof(*rbtdb)); if (rbtdb == NULL) return (ISC_R_NOMEMORY); + /* + * If argv[0] exists, it points to a memory context to use for heap + */ + if (argc != 0) + hmctx = (isc_mem_t *) argv[0]; + memset(rbtdb, '\0', sizeof(*rbtdb)); dns_name_init(&rbtdb->common.origin, NULL); rbtdb->common.attributes = 0; @@ -7537,7 +7550,7 @@ dns_rbtdb_create /* * Create the heaps. */ - rbtdb->heaps = isc_mem_get(mctx, rbtdb->node_lock_count * + rbtdb->heaps = isc_mem_get(hmctx, rbtdb->node_lock_count * sizeof(isc_heap_t *)); if (rbtdb->heaps == NULL) { result = ISC_R_NOMEMORY; @@ -7547,7 +7560,7 @@ dns_rbtdb_create rbtdb->heaps[i] = NULL; sooner = IS_CACHE(rbtdb) ? ttl_sooner : resign_sooner; for (i = 0; i < (int)rbtdb->node_lock_count; i++) { - result = isc_heap_create(mctx, sooner, set_index, 0, + result = isc_heap_create(hmctx, sooner, set_index, 0, &rbtdb->heaps[i]); if (result != ISC_R_SUCCESS) goto cleanup_heaps; @@ -7591,6 +7604,7 @@ dns_rbtdb_create * mctx won't disappear out from under us. */ isc_mem_attach(mctx, &rbtdb->common.mctx); + isc_mem_attach(hmctx, &rbtdb->hmctx); /* * Must be initialized before free_rbtdb() is called. diff --git a/lib/dns/rbtdb.h b/lib/dns/rbtdb.h index f4249af255ad7..efa3944c5d273 100644 --- a/lib/dns/rbtdb.h +++ b/lib/dns/rbtdb.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005, 2007, 2011 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2001 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: rbtdb.h,v 1.18 2007-06-19 23:47:16 tbox Exp $ */ +/* $Id: rbtdb.h,v 1.18.814.2 2011-03-03 23:47:09 tbox Exp $ */ #ifndef DNS_RBTDB_H #define DNS_RBTDB_H 1 @@ -39,6 +39,19 @@ dns_rbtdb_create(isc_mem_t *mctx, dns_name_t *base, dns_dbtype_t type, dns_rdataclass_t rdclass, unsigned int argc, char *argv[], void *driverarg, dns_db_t **dbp); +/*%< + * Create a new database of type "rbt" (or "rbt64"). Called via + * dns_db_create(); see documentation for that function for more details. + * + * If argv[0] is set, it points to a valid memory context to be used for + * allocation of heap memory. Generally this is used for cache databases + * only. + * + * Requires: + * + * \li argc == 0 or argv[0] is a valid memory context. + */ + ISC_LANG_ENDDECLS #endif /* DNS_RBTDB_H */ diff --git a/lib/dns/rcode.c b/lib/dns/rcode.c index 18fedcdefcd4f..81a4549ccd9c5 100644 --- a/lib/dns/rcode.c +++ b/lib/dns/rcode.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1998-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: rcode.c,v 1.16 2010-12-23 04:07:58 marka Exp $ */ +/* $Id: rcode.c,v 1.16.14.2 2011-02-28 01:20:02 tbox Exp $ */ #include <config.h> #include <ctype.h> @@ -494,6 +494,9 @@ dns_rdataclass_format(dns_rdataclass_t rdclass, isc_result_t result; isc_buffer_t buf; + if (size == 0U) + return; + isc_buffer_init(&buf, array, size); result = dns_rdataclass_totext(rdclass, &buf); /* @@ -505,8 +508,6 @@ dns_rdataclass_format(dns_rdataclass_t rdclass, else result = ISC_R_NOSPACE; } - if (result != ISC_R_SUCCESS) { - snprintf(array, size, "<unknown>"); - array[size - 1] = '\0'; - } + if (result != ISC_R_SUCCESS) + strlcpy(array, "<unknown>", size); } diff --git a/lib/dns/rdata.c b/lib/dns/rdata.c index c282b033cfc8f..063b1f6609758 100644 --- a/lib/dns/rdata.c +++ b/lib/dns/rdata.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: rdata.c,v 1.209 2011-01-13 04:59:25 tbox Exp $ */ +/* $Id: rdata.c,v 1.209.8.2 2011-03-11 06:47:05 marka Exp $ */ /*! \file */ @@ -708,6 +708,7 @@ rdata_totext(dns_rdata_t *rdata, dns_rdata_textctx_t *tctx, if (use_default) { strlcpy(buf, "\\# ", sizeof(buf)); result = str_totext(buf, target); + INSIST(result == ISC_R_SUCCESS); dns_rdata_toregion(rdata, &sr); INSIST(sr.length < 65536); snprintf(buf, sizeof(buf), "%u", sr.length); @@ -963,6 +964,9 @@ dns_rdatatype_format(dns_rdatatype_t rdtype, isc_result_t result; isc_buffer_t buf; + if (size == 0U) + return; + isc_buffer_init(&buf, array, size); result = dns_rdatatype_totext(rdtype, &buf); /* @@ -974,10 +978,8 @@ dns_rdatatype_format(dns_rdatatype_t rdtype, else result = ISC_R_NOSPACE; } - if (result != ISC_R_SUCCESS) { - snprintf(array, size, "<unknown>"); - array[size - 1] = '\0'; - } + if (result != ISC_R_SUCCESS) + strlcpy(array, "<unknown>", size); } /* diff --git a/lib/dns/rdatalist.c b/lib/dns/rdatalist.c index d30aff966ade3..dcf6b453a6cdc 100644 --- a/lib/dns/rdatalist.c +++ b/lib/dns/rdatalist.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2005, 2007, 2008, 2010 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005, 2007, 2008, 2010, 2011 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2001, 2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: rdatalist.c,v 1.40 2010-11-16 05:38:31 marka Exp $ */ +/* $Id: rdatalist.c,v 1.40.40.2 2011-02-28 01:20:02 tbox Exp $ */ /*! \file */ @@ -54,6 +54,8 @@ static dns_rdatasetmethods_t methods = { void dns_rdatalist_init(dns_rdatalist_t *rdatalist) { + REQUIRE(rdatalist != NULL); + /* * Initialize rdatalist. */ @@ -125,6 +127,8 @@ isc_result_t isc__rdatalist_next(dns_rdataset_t *rdataset) { dns_rdata_t *rdata; + REQUIRE(rdataset != NULL); + rdata = rdataset->private2; if (rdata == NULL) return (ISC_R_NOMORE); @@ -141,6 +145,8 @@ void isc__rdatalist_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata) { dns_rdata_t *list_rdata; + REQUIRE(rdataset != NULL); + list_rdata = rdataset->private2; INSIST(list_rdata != NULL); @@ -149,6 +155,10 @@ isc__rdatalist_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata) { void isc__rdatalist_clone(dns_rdataset_t *source, dns_rdataset_t *target) { + + REQUIRE(source != NULL); + REQUIRE(target != NULL); + *target = *source; /* @@ -163,6 +173,8 @@ isc__rdatalist_count(dns_rdataset_t *rdataset) { dns_rdata_t *rdata; unsigned int count; + REQUIRE(rdataset != NULL); + rdatalist = rdataset->private1; count = 0; @@ -181,6 +193,8 @@ isc__rdatalist_addnoqname(dns_rdataset_t *rdataset, dns_name_t *name) { dns_rdataset_t *rdset; dns_ttl_t ttl; + REQUIRE(rdataset != NULL); + for (rdset = ISC_LIST_HEAD(name->list); rdset != NULL; rdset = ISC_LIST_NEXT(rdset, link)) @@ -228,7 +242,9 @@ isc__rdatalist_getnoqname(dns_rdataset_t *rdataset, dns_name_t *name, dns_rdataset_t *tnegsig = NULL; dns_name_t *noqname = rdataset->private6; + REQUIRE(rdataset != NULL); REQUIRE((rdataset->attributes & DNS_RDATASETATTR_NOQNAME) != 0); + (void)dns_name_dynamic(noqname); /* Sanity Check. */ for (rdataset = ISC_LIST_HEAD(noqname->list); @@ -268,6 +284,8 @@ isc__rdatalist_addclosest(dns_rdataset_t *rdataset, dns_name_t *name) { dns_rdataset_t *rdset; dns_ttl_t ttl; + REQUIRE(rdataset != NULL); + for (rdset = ISC_LIST_HEAD(name->list); rdset != NULL; rdset = ISC_LIST_NEXT(rdset, link)) @@ -315,7 +333,9 @@ isc__rdatalist_getclosest(dns_rdataset_t *rdataset, dns_name_t *name, dns_rdataset_t *tnegsig = NULL; dns_name_t *closest = rdataset->private7; + REQUIRE(rdataset != NULL); REQUIRE((rdataset->attributes & DNS_RDATASETATTR_CLOSEST) != 0); + (void)dns_name_dynamic(closest); /* Sanity Check. */ for (rdataset = ISC_LIST_HEAD(closest->list); diff --git a/lib/dns/rdataset.c b/lib/dns/rdataset.c index fdd7669b2e872..627f20de1bf1d 100644 --- a/lib/dns/rdataset.c +++ b/lib/dns/rdataset.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: rdataset.c,v 1.86.220.3 2011-06-21 20:15:53 each Exp $ */ +/* $Id: rdataset.c,v 1.86.148.4 2011-06-08 23:02:42 each Exp $ */ /*! \file */ @@ -319,7 +319,7 @@ towiresorted(dns_rdataset_t *rdataset, const dns_name_t *owner_name, dns_rdata_t rdata = DNS_RDATA_INIT; isc_region_t r; isc_result_t result; - unsigned int i, count, added, choice; + unsigned int i, count = 0, added, choice; isc_buffer_t savedbuffer, rdlen, rrbuffer; unsigned int headlen; isc_boolean_t question = ISC_FALSE; @@ -339,7 +339,6 @@ towiresorted(dns_rdataset_t *rdataset, const dns_name_t *owner_name, REQUIRE((order == NULL) == (order_arg == NULL)); REQUIRE(cctx != NULL && cctx->mctx != NULL); - count = 0; if ((rdataset->attributes & DNS_RDATASETATTR_QUESTION) != 0) { question = ISC_TRUE; count = 1; diff --git a/lib/dns/rdataslab.c b/lib/dns/rdataslab.c index 932f8de31df95..a41f16f7684a2 100644 --- a/lib/dns/rdataslab.c +++ b/lib/dns/rdataslab.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: rdataslab.c,v 1.52.148.1.2.1 2011-06-02 23:47:35 tbox Exp $ */ +/* $Id: rdataslab.c,v 1.52.148.2 2011-02-28 01:20:02 tbox Exp $ */ /*! \file */ diff --git a/lib/dns/request.c b/lib/dns/request.c index b5d624824e83c..bc378afa61fa8 100644 --- a/lib/dns/request.c +++ b/lib/dns/request.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2002 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: request.c,v 1.87 2010-03-04 23:50:34 tbox Exp $ */ +/* $Id: request.c,v 1.87.148.2 2011-03-12 04:59:17 tbox Exp $ */ /*! \file */ @@ -428,12 +428,10 @@ req_send(dns_request_t *request, isc_task_t *task, isc_sockaddr_t *address) { isc_region_t r; isc_socket_t *socket; isc_result_t result; - unsigned int dispattr; req_log(ISC_LOG_DEBUG(3), "req_send: request %p", request); REQUIRE(VALID_REQUEST(request)); - dispattr = dns_dispatch_getattributes(request->dispatch); socket = req_getsocket(request); isc_buffer_usedregion(request->query, &r); /* diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c index 6d9ab700f1748..717c93214bfd4 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: resolver.c,v 1.428.6.5.2.1 2011-06-21 20:15:53 each Exp $ */ +/* $Id: resolver.c,v 1.428.6.7 2011-06-08 23:02:43 each Exp $ */ /*! \file */ @@ -2545,7 +2545,7 @@ fctx_getaddresses(fetchctx_t *fctx, isc_boolean_t badcache) { isc_result_t result; dns_resolver_t *res; isc_stdtime_t now; - unsigned int stdoptions; + unsigned int stdoptions = 0; isc_sockaddr_t *sa; dns_adbaddrinfo_t *ai; isc_boolean_t all_bad; @@ -2564,7 +2564,6 @@ fctx_getaddresses(fetchctx_t *fctx, isc_boolean_t badcache) { } res = fctx->res; - stdoptions = 0; /* Keep compiler happy. */ /* * Forwarders. @@ -4247,6 +4246,8 @@ validated(isc_task_t *task, isc_event_t *event) { sigrdataset, 0, NULL); dns_db_detachnode(fctx->cache, &nsnode); + if (result != ISC_R_SUCCESS) + continue; } result = dns_message_nextname(fctx->rmessage, DNS_SECTION_AUTHORITY); @@ -4309,6 +4310,7 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo, res = fctx->res; need_validation = ISC_FALSE; + POST(need_validation); secure_domain = ISC_FALSE; have_answer = ISC_FALSE; eresult = ISC_R_SUCCESS; @@ -4776,6 +4778,7 @@ ncache_message(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, res = fctx->res; need_validation = ISC_FALSE; + POST(need_validation); secure_domain = ISC_FALSE; eresult = ISC_R_SUCCESS; name = &fctx->name; @@ -5684,6 +5687,7 @@ answer_response(fetchctx_t *fctx) { chaining = ISC_FALSE; have_answer = ISC_FALSE; want_chaining = ISC_FALSE; + POST(want_chaining); if ((message->flags & DNS_MESSAGEFLAG_AA) != 0) aa = ISC_TRUE; else @@ -5907,6 +5911,7 @@ answer_response(fetchctx_t *fctx) { } found = ISC_TRUE; want_chaining = ISC_TRUE; + POST(want_chaining); aflag = DNS_RDATASETATTR_ANSWER; result = dname_target(fctx, rdataset, qname, name, @@ -5918,6 +5923,7 @@ answer_response(fetchctx_t *fctx) { * try to continue. */ want_chaining = ISC_FALSE; + POST(want_chaining); } else if (result != ISC_R_SUCCESS) return (result); else @@ -6782,6 +6788,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) { unsigned int version; resend = ISC_TRUE; + INSIST(opt != NULL); version = (opt->ttl >> 16) & 0xff; flags = (version << DNS_FETCHOPT_EDNSVERSIONSHIFT) | DNS_FETCHOPT_EDNSVERSIONSET; @@ -8276,10 +8283,8 @@ dns_resolver_addbadcache(dns_resolver_t *resolver, dns_name_t *name, resolver->badcache = isc_mem_get(resolver->mctx, sizeof(*resolver->badcache) * DNS_BADCACHE_SIZE); - if (resolver->badcache == NULL) { - result = ISC_R_NOMEMORY; + if (resolver->badcache == NULL) goto cleanup; - } resolver->badhash = DNS_BADCACHE_SIZE; memset(resolver->badcache, 0, sizeof(*resolver->badcache) * resolver->badhash); @@ -8309,10 +8314,8 @@ dns_resolver_addbadcache(dns_resolver_t *resolver, dns_name_t *name, if (bad == NULL) { isc_buffer_t buffer; bad = isc_mem_get(resolver->mctx, sizeof(*bad) + name->length); - if (bad == NULL) { - result = ISC_R_NOMEMORY; + if (bad == NULL) goto cleanup; - } bad->type = type; bad->hashval = hashval; isc_buffer_init(&buffer, bad + 1, name->length); diff --git a/lib/dns/sdb.c b/lib/dns/sdb.c index d27007d3e6b36..f64499117875a 100644 --- a/lib/dns/sdb.c +++ b/lib/dns/sdb.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: sdb.c,v 1.76 2011-01-13 04:59:25 tbox Exp $ */ +/* $Id: sdb.c,v 1.76.8.1 2011-03-14 13:40:14 fdupont Exp $ */ /*! \file */ @@ -1334,7 +1334,7 @@ dns_sdb_create(isc_mem_t *mctx, dns_name_t *origin, dns_dbtype_t type, cleanup_origin: dns_name_free(&sdb->common.origin, mctx); cleanup_lock: - isc_mutex_destroy(&sdb->lock); + (void)isc_mutex_destroy(&sdb->lock); cleanup_mctx: isc_mem_put(mctx, sdb, sizeof(dns_sdb_t)); isc_mem_detach(&mctx); diff --git a/lib/dns/sdlz.c b/lib/dns/sdlz.c index e684e1dacca36..ba61872163766 100644 --- a/lib/dns/sdlz.c +++ b/lib/dns/sdlz.c @@ -50,7 +50,7 @@ * USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: sdlz.c,v 1.31 2011-01-13 06:29:16 marka Exp $ */ +/* $Id: sdlz.c,v 1.31.8.2 2011-03-21 19:53:34 each Exp $ */ /*! \file */ @@ -336,7 +336,7 @@ destroy(dns_sdlz_db_t *sdlz) { sdlz->common.magic = 0; sdlz->common.impmagic = 0; - isc_mutex_destroy(&sdlz->refcnt_lock); + (void)isc_mutex_destroy(&sdlz->refcnt_lock); dns_name_free(&sdlz->common.origin, mctx); @@ -1680,7 +1680,7 @@ dns_sdlzssumatch(dns_name_t *signer, dns_name_t *name, isc_netaddr_t *tcpaddr, char b_addr[ISC_NETADDR_FORMATSIZE]; char b_type[DNS_RDATATYPE_FORMATSIZE]; char b_key[DST_KEY_FORMATSIZE]; - isc_buffer_t *tkey_token; + isc_buffer_t *tkey_token = NULL; isc_region_t token_region; isc_uint32_t token_len = 0; isc_boolean_t ret; @@ -1695,28 +1695,27 @@ dns_sdlzssumatch(dns_name_t *signer, dns_name_t *name, isc_netaddr_t *tcpaddr, * Format the request elements. sdlz operates on strings, not * structures */ - if (signer) + if (signer != NULL) dns_name_format(signer, b_signer, sizeof(b_signer)); else b_signer[0] = 0; dns_name_format(name, b_name, sizeof(b_name)); - if (tcpaddr) + if (tcpaddr != NULL) isc_netaddr_format(tcpaddr, b_addr, sizeof(b_addr)); else b_addr[0] = 0; dns_rdatatype_format(type, b_type, sizeof(b_type)); - if (key) + if (key != NULL) { dst_key_format(key, b_key, sizeof(b_key)); - else + tkey_token = dst_key_tkeytoken(key); + } else b_key[0] = 0; - tkey_token = dst_key_tkeytoken(key); - - if (tkey_token) { + if (tkey_token != NULL) { isc_buffer_region(tkey_token, &token_region); token_len = token_region.length; } @@ -1724,7 +1723,7 @@ dns_sdlzssumatch(dns_name_t *signer, dns_name_t *name, isc_netaddr_t *tcpaddr, MAYBE_LOCK(imp); ret = imp->methods->ssumatch(b_signer, b_name, b_addr, b_type, b_key, token_len, - token_len ? token_region.base : NULL, + token_len != 0 ? token_region.base : NULL, imp->driverarg, dbdata); MAYBE_UNLOCK(imp); return (ret); diff --git a/lib/dns/spnego.c b/lib/dns/spnego.c index 5ad492ce4c256..883242d2c6ef5 100644 --- a/lib/dns/spnego.c +++ b/lib/dns/spnego.c @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: spnego.c,v 1.16 2011-01-11 23:47:13 tbox Exp $ */ +/* $Id: spnego.c,v 1.16.10.2 2011-04-04 11:10:57 marka Exp $ */ /*! \file * \brief @@ -377,7 +377,7 @@ cmp_gss_type(gss_buffer_t token, gss_OID oid) unsigned char *p; size_t len; - if (token->length == 0) + if (token->length == 0U) return (GSS_S_DEFECTIVE_TOKEN); p = token->value; @@ -385,7 +385,7 @@ cmp_gss_type(gss_buffer_t token, gss_OID oid) return (GSS_S_DEFECTIVE_TOKEN); len = *p++; if (len & 0x80) { - if ((len & 0x7f) > 4) + if ((len & 0x7f) > 4U) return (GSS_S_DEFECTIVE_TOKEN); p += len & 0x7f; } @@ -531,7 +531,7 @@ send_accept(OM_uint32 * minor_status, *minor_status = ENOMEM; return (GSS_S_FAILURE); } - if (mech_token != NULL && mech_token->length != 0) { + if (mech_token != NULL && mech_token->length != 0U) { resp.responseToken = malloc(sizeof(*resp.responseToken)); if (resp.responseToken == NULL) { free_NegTokenResp(&resp); @@ -675,7 +675,7 @@ gss_accept_sec_context_spnego(OM_uint32 *minor_status, ot = &obuf; } ret = send_accept(&minor_status2, output_token, ot, pref); - if (ot != NULL && ot->length != 0) + if (ot != NULL && ot->length != 0U) gss_release_buffer(&minor_status2, ot); return (ret); @@ -692,7 +692,7 @@ gssapi_verify_mech_header(u_char ** str, int e; u_char *p = *str; - if (total_len < 1) + if (total_len < 1U) return (GSS_S_DEFECTIVE_TOKEN); if (*p++ != 0x60) return (GSS_S_DEFECTIVE_TOKEN); @@ -792,7 +792,7 @@ der_get_int(const unsigned char *p, size_t len, int val = 0; size_t oldlen = len; - if (len > 0) { + if (len > 0U) { val = (signed char)*p++; while (--len) val = val * 256 + *p++; @@ -809,11 +809,11 @@ der_get_length(const unsigned char *p, size_t len, { size_t v; - if (len <= 0) + if (len <= 0U) return (ASN1_OVERRUN); --len; v = *p++; - if (v < 128) { + if (v < 128U) { *val = v; if (size) *size = 1; @@ -822,7 +822,7 @@ der_get_length(const unsigned char *p, size_t len, size_t l; unsigned tmp; - if (v == 0x80) { + if (v == 0x80U) { *val = ASN1_INDEFINITE; if (size) *size = 1; @@ -847,7 +847,7 @@ der_get_octet_string(const unsigned char *p, size_t len, { data->length = len; data->data = malloc(len); - if (data->data == NULL && data->length != 0) + if (data->data == NULL && data->length != 0U) return (ENOMEM); memcpy(data->data, p, len); if (size) @@ -862,23 +862,23 @@ der_get_oid(const unsigned char *p, size_t len, int n; size_t oldlen = len; - if (len < 1) + if (len < 1U) return (ASN1_OVERRUN); data->components = malloc(len * sizeof(*data->components)); - if (data->components == NULL && len != 0) + if (data->components == NULL && len != 0U) return (ENOMEM); data->components[0] = (*p) / 40; data->components[1] = (*p) % 40; --len; ++p; - for (n = 2; len > 0; ++n) { + for (n = 2; len > 0U; ++n) { unsigned u = 0; do { --len; u = u * 128 + (*p++ % 128); - } while (len > 0 && p[-1] & 0x80); + } while (len > 0U && p[-1] & 0x80); data->components[n] = u; } if (p[-1] & 0x80) { @@ -896,7 +896,7 @@ der_get_tag(const unsigned char *p, size_t len, Der_class *class, Der_type *type, int *tag, size_t *size) { - if (len < 1) + if (len < 1U) return (ASN1_OVERRUN); *class = (Der_class) (((*p) >> 6) & 0x03); *type = (Der_type) (((*p) >> 5) & 0x01); @@ -1086,7 +1086,7 @@ len_unsigned(unsigned val) static size_t length_len(size_t len) { - if (len < 128) + if (len < 128U) return (1); else return (len_unsigned(len) + 1); @@ -1108,7 +1108,7 @@ der_put_unsigned(unsigned char *p, size_t len, unsigned val, size_t *size) unsigned char *base = p; if (val) { - while (len > 0 && val) { + while (len > 0U && val) { *p-- = val % 256; val /= 256; --len; @@ -1119,7 +1119,7 @@ der_put_unsigned(unsigned char *p, size_t len, unsigned val, size_t *size) *size = base - p; return (0); } - } else if (len < 1) + } else if (len < 1U) return (ASN1_OVERFLOW); else { *p = 0; @@ -1135,14 +1135,14 @@ der_put_int(unsigned char *p, size_t len, int val, size_t *size) if (val >= 0) { do { - if (len < 1) + if (len < 1U) return (ASN1_OVERFLOW); *p-- = val % 256; len--; val /= 256; } while (val); if (p[1] >= 128) { - if (len < 1) + if (len < 1U) return (ASN1_OVERFLOW); *p-- = 0; len--; @@ -1150,14 +1150,14 @@ der_put_int(unsigned char *p, size_t len, int val, size_t *size) } else { val = ~val; do { - if (len < 1) + if (len < 1U) return (ASN1_OVERFLOW); *p-- = ~(val % 256); len--; val /= 256; } while (val); if (p[1] < 128) { - if (len < 1) + if (len < 1U) return (ASN1_OVERFLOW); *p-- = 0xff; len--; @@ -1170,9 +1170,9 @@ der_put_int(unsigned char *p, size_t len, int val, size_t *size) static int der_put_length(unsigned char *p, size_t len, size_t val, size_t *size) { - if (len < 1) + if (len < 1U) return (ASN1_OVERFLOW); - if (val < 128) { + if (val < 128U) { *p = val; *size = 1; return (0); @@ -1213,20 +1213,20 @@ der_put_oid(unsigned char *p, size_t len, for (n = data->length - 1; n >= 2; --n) { unsigned u = data->components[n]; - if (len < 1) + if (len < 1U) return (ASN1_OVERFLOW); *p-- = u % 128; u /= 128; --len; while (u > 0) { - if (len < 1) + if (len < 1U) return (ASN1_OVERFLOW); *p-- = 128 + u % 128; u /= 128; --len; } } - if (len < 1) + if (len < 1U) return (ASN1_OVERFLOW); *p-- = 40 * data->components[0] + data->components[1]; *size = base - p; @@ -1237,7 +1237,7 @@ static int der_put_tag(unsigned char *p, size_t len, Der_class class, Der_type type, int tag, size_t *size) { - if (len < 1) + if (len < 1U) return (ASN1_OVERFLOW); *p = (class << 6) | (type << 5) | tag; /* XXX */ *size = 1; @@ -1403,7 +1403,7 @@ gssapi_spnego_encapsulate(OM_uint32 * minor_status, } p = gssapi_mech_make_header(output_token->value, len, mech); if (p == NULL) { - if (output_token->length != 0) + if (output_token->length != 0U) gss_release_buffer(minor_status, output_token); return (GSS_S_FAILURE); } @@ -1451,7 +1451,7 @@ gssapi_krb5_get_mech(const u_char *ptr, const u_char *p = ptr; int e; - if (total_len < 1) + if (total_len < 1U) return (-1); if (*p++ != 0x60) return (-1); @@ -1521,7 +1521,7 @@ spnego_initial(OM_uint32 *minor_status, ret = major_status; goto end; } - if (krb5_output_token.length > 0) { + if (krb5_output_token.length > 0U) { token_init.mechToken = malloc(sizeof(*token_init.mechToken)); if (token_init.mechToken == NULL) { *minor_status = ENOMEM; @@ -1588,7 +1588,7 @@ end: token_init.mechToken = NULL; } free_NegTokenInit(&token_init); - if (krb5_output_token.length != 0) + if (krb5_output_token.length != 0U) gss_release_buffer(&minor_status2, &krb5_output_token); if (buf) free(buf); @@ -1758,7 +1758,7 @@ gss_init_sec_context_spnego(OM_uint32 *minor_status, /* Figure out whether we're starting over or processing a reply */ - if (input_token == GSS_C_NO_BUFFER || input_token->length == 0) + if (input_token == GSS_C_NO_BUFFER || input_token->length == 0U) return (spnego_initial(minor_status, initiator_cred_handle, context_handle, diff --git a/lib/dns/ssu_external.c b/lib/dns/ssu_external.c index ac72a1f85daa3..3cb0d3eceba3d 100644 --- a/lib/dns/ssu_external.c +++ b/lib/dns/ssu_external.c @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: ssu_external.c,v 1.7 2011-01-13 07:05:57 marka Exp $ */ +/* $Id: ssu_external.c,v 1.7.8.1 2011-03-21 19:53:34 each Exp $ */ /* * This implements external update-policy rules. This allows permission @@ -128,7 +128,7 @@ dns_ssu_external_match(dns_name_t *identity, char b_addr[ISC_NETADDR_FORMATSIZE]; char b_type[DNS_RDATATYPE_FORMATSIZE]; char b_key[DST_KEY_FORMATSIZE]; - isc_buffer_t *tkey_token; + isc_buffer_t *tkey_token = NULL; int fd; const char *sock_path; size_t req_len; @@ -154,33 +154,32 @@ dns_ssu_external_match(dns_name_t *identity, if (fd == -1) return (ISC_FALSE); - tkey_token = dst_key_tkeytoken(key); + if (key != NULL) { + dst_key_format(key, b_key, sizeof(b_key)); + tkey_token = dst_key_tkeytoken(key); + } else + b_key[0] = 0; + + if (tkey_token != NULL) { + isc_buffer_region(tkey_token, &token_region); + token_len = token_region.length; + } /* Format the request elements */ - if (signer) + if (signer != NULL) dns_name_format(signer, b_signer, sizeof(b_signer)); else b_signer[0] = 0; dns_name_format(name, b_name, sizeof(b_name)); - if (tcpaddr) + if (tcpaddr != NULL) isc_netaddr_format(tcpaddr, b_addr, sizeof(b_addr)); else b_addr[0] = 0; dns_rdatatype_format(type, b_type, sizeof(b_type)); - if (key) - dst_key_format(key, b_key, sizeof(b_key)); - else - b_key[0] = 0; - - if (tkey_token) { - isc_buffer_region(tkey_token, &token_region); - token_len = token_region.length; - } - /* Work out how big the request will be */ req_len = sizeof(isc_uint32_t) + /* Format version */ sizeof(isc_uint32_t) + /* Length */ diff --git a/lib/dns/time.c b/lib/dns/time.c index 3f55f1937499a..a20a93629d5f6 100644 --- a/lib/dns/time.c +++ b/lib/dns/time.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2005, 2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005, 2007, 2009-2011 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1998-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: time.c,v 1.35 2010-04-21 23:51:22 tbox Exp $ */ +/* $Id: time.c,v 1.35.132.2 2011-03-09 23:46:55 tbox Exp $ */ /*! \file */ @@ -28,6 +28,7 @@ #include <isc/print.h> #include <isc/region.h> +#include <isc/serial.h> #include <isc/stdtime.h> #include <isc/util.h> @@ -44,13 +45,21 @@ dns_time64_totext(isc_int64_t t, isc_buffer_t *target) { unsigned int l; isc_region_t region; - REQUIRE(t >= 0); - +/* + * Warning. Do NOT use arguments with side effects with these macros. + */ #define is_leap(y) ((((y) % 4) == 0 && ((y) % 100) != 0) || ((y) % 400) == 0) #define year_secs(y) ((is_leap(y) ? 366 : 365 ) * 86400) #define month_secs(m,y) ((days[m] + ((m == 1 && is_leap(y)) ? 1 : 0 )) * 86400) tm.tm_year = 70; + while (t < 0) { + if (tm.tm_year == 0) + return (ISC_R_RANGE); + tm.tm_year--; + secs = year_secs(tm.tm_year + 1900); + t += secs; + } while ((secs = year_secs(tm.tm_year + 1900)) <= t) { t -= secs; tm.tm_year++; @@ -98,7 +107,6 @@ isc_result_t dns_time32_totext(isc_uint32_t value, isc_buffer_t *target) { isc_stdtime_t now; isc_int64_t start; - isc_int64_t base; isc_int64_t t; /* @@ -109,12 +117,10 @@ dns_time32_totext(isc_uint32_t value, isc_buffer_t *target) { */ isc_stdtime_get(&now); start = (isc_int64_t) now; - start -= 0x7fffffff; - base = 0; - while ((t = (base + value)) < start) { - base += 0x80000000; - base += 0x80000000; - } + if (isc_serial_gt(value, now)) + t = start + (value - now); + else + t = start - (now - value); return (dns_time64_totext(t, target)); } @@ -145,7 +151,7 @@ dns_time64_fromtext(const char *source, isc_int64_t *target) { &year, &month, &day, &hour, &minute, &second) != 6) return (DNS_R_SYNTAX); - RANGE(1970, 9999, year); + RANGE(0, 9999, year); RANGE(1, 12, month); RANGE(1, days[month - 1] + ((month == 2 && is_leap(year)) ? 1 : 0), day); @@ -154,16 +160,24 @@ dns_time64_fromtext(const char *source, isc_int64_t *target) { RANGE(0, 60, second); /* 60 == leap second. */ /* - * Calculate seconds since epoch. + * Calculate seconds from epoch. + * Note: this uses a idealized calendar. */ value = second + (60 * minute) + (3600 * hour) + ((day - 1) * 86400); for (i = 0; i < (month - 1); i++) value += days[i] * 86400; if (is_leap(year) && month > 2) value += 86400; - for (i = 1970; i < year; i++) { - secs = (is_leap(i) ? 366 : 365) * 86400; - value += secs; + if (year < 1970) { + for (i = 1969; i >= year; i--) { + secs = (is_leap(i) ? 366 : 365) * 86400; + value -= secs; + } + } else { + for (i = 1970; i < year; i++) { + secs = (is_leap(i) ? 366 : 365) * 86400; + value += secs; + } } *target = value; diff --git a/lib/dns/tkey.c b/lib/dns/tkey.c index a861ee3b7aae4..887c356d1eae7 100644 --- a/lib/dns/tkey.c +++ b/lib/dns/tkey.c @@ -16,7 +16,7 @@ */ /* - * $Id: tkey.c,v 1.100 2011-01-08 23:47:01 tbox Exp $ + * $Id: tkey.c,v 1.100.12.1 2011-03-11 06:47:05 marka Exp $ */ /*! \file */ #include <config.h> @@ -75,7 +75,9 @@ _dns_tkey_dumpmessage(dns_message_t *msg) { isc_buffer_init(&outbuf, output, sizeof(output)); result = dns_message_totext(msg, &dns_master_style_debug, 0, &outbuf); - /* XXXMLG ignore result */ + if (result != ISC_R_SUCCESS) + fprintf(stderr, "Warning: dns_message_totext returned: %s\n", + dns_result_totext(result)); fprintf(stderr, "%.*s\n", (int)isc_buffer_usedlength(&outbuf), (char *)isc_buffer_base(&outbuf)); } @@ -179,8 +181,10 @@ add_rdata_to_list(dns_message_t *msg, dns_name_t *name, dns_rdata_t *rdata, failure: if (newrdata != NULL) { - if (ISC_LINK_LINKED(newrdata, link)) + if (ISC_LINK_LINKED(newrdata, link)) { + INSIST(newlist != NULL); ISC_LIST_UNLINK(newlist->rdata, newrdata, link); + } dns_message_puttemprdata(msg, &newrdata); } if (newname != NULL) @@ -518,7 +522,7 @@ process_gsstkey(dns_name_t *name, dns_rdata_tkey_t *tkeyin, tkeyout->expire = expire; } else { tkeyout->inception = tsigkey->inception; - tkeyout->expire = tkeyout->expire; + tkeyout->expire = tsigkey->expire; dns_tsigkey_detach(&tsigkey); } diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c index cec5222f2f8b2..74ef8d424a2d1 100644 --- a/lib/dns/tsig.c +++ b/lib/dns/tsig.c @@ -16,7 +16,7 @@ */ /* - * $Id: tsig.c,v 1.147 2011-01-11 23:47:13 tbox Exp $ + * $Id: tsig.c,v 1.147.10.1 2011-03-21 19:53:34 each Exp $ */ /*! \file */ #include <config.h> @@ -619,7 +619,7 @@ restore_key(dns_tsig_keyring_t *ring, isc_stdtime_t now, FILE *fp) { result = dns_tsigkey_createfromkey(name, algorithm, dstkey, ISC_TRUE, creator, inception, expire, ring->mctx, ring, NULL); - if (result != ISC_R_SUCCESS && dstkey != NULL) + if (dstkey != NULL) dst_key_free(&dstkey); return (result); } diff --git a/lib/dns/ttl.c b/lib/dns/ttl.c index 3e41d63b3b250..d31503ec3cb09 100644 --- a/lib/dns/ttl.c +++ b/lib/dns/ttl.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005, 2007, 2011 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2001 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: ttl.c,v 1.29 2007-06-19 23:47:16 tbox Exp $ */ +/* $Id: ttl.c,v 1.29.814.2 2011-03-12 04:59:18 tbox Exp $ */ /*! \file */ @@ -86,6 +86,7 @@ dns_ttl_totext(isc_uint32_t src, isc_boolean_t verbose, isc_buffer_t *target) { hours = src % 24; src /= 24; days = src % 7; src /= 7; weeks = src; src = 0; + POST(src); x = 0; if (weeks != 0) { diff --git a/lib/dns/validator.c b/lib/dns/validator.c index 6c0d38dc71a5c..9c532a24541f9 100644 --- a/lib/dns/validator.c +++ b/lib/dns/validator.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: validator.c,v 1.197.40.3 2011-06-21 20:15:54 each Exp $ */ +/* $Id: validator.c,v 1.197.14.7 2011-06-08 23:02:43 each Exp $ */ #include <config.h> @@ -330,7 +330,6 @@ isdelegation(dns_name_t *name, dns_rdataset_t *rdataset, dns_fixedname_init(&fixed); dns_name_downcase(name, dns_fixedname_name(&fixed), NULL); name = dns_fixedname_name(&fixed); - result = dns_rdataset_first(rdataset); for (result = dns_rdataset_first(rdataset); result == ISC_R_SUCCESS; result = dns_rdataset_next(rdataset)) @@ -514,7 +513,8 @@ dsfetched(isc_task_t *task, isc_event_t *event) { result = validatezonekey(val); if (result != DNS_R_WAIT) validator_done(val, result); - } else if (eresult == DNS_R_NXRRSET || + } else if (eresult == DNS_R_CNAME || + eresult == DNS_R_NXRRSET || eresult == DNS_R_NCACHENXRRSET || eresult == DNS_R_SERVFAIL) /* RFC 1034 parent? */ { @@ -582,12 +582,16 @@ dsfetched2(isc_task_t *task, isc_event_t *event) { LOCK(&val->lock); if (CANCELED(val)) { validator_done(val, ISC_R_CANCELED); - } else if (eresult == DNS_R_NXRRSET || eresult == DNS_R_NCACHENXRRSET) { + } else if (eresult == DNS_R_CNAME || + eresult == DNS_R_NXRRSET || + eresult == DNS_R_NCACHENXRRSET) + { /* * There is no DS. If this is a delegation, we're done. */ tname = dns_fixedname_name(&devent->foundname); - if (isdelegation(tname, &val->frdataset, eresult)) { + if (eresult != DNS_R_CNAME && + isdelegation(tname, &val->frdataset, eresult)) { if (val->mustbesecure) { validator_log(val, ISC_LOG_WARNING, "must be secure failure, no DS" @@ -781,6 +785,60 @@ dsvalidated(isc_task_t *task, isc_event_t *event) { } /*% + * Callback when the CNAME record has been validated. + * + * Resumes validation of the unsecure zone proof. + */ +static void +cnamevalidated(isc_task_t *task, isc_event_t *event) { + dns_validatorevent_t *devent; + dns_validator_t *val; + isc_boolean_t want_destroy; + isc_result_t result; + isc_result_t eresult; + + UNUSED(task); + INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE); + + devent = (dns_validatorevent_t *)event; + val = devent->ev_arg; + eresult = devent->result; + + isc_event_free(&event); + dns_validator_destroy(&val->subvalidator); + + INSIST(val->event != NULL); + INSIST((val->attributes & VALATTR_INSECURITY) != 0); + + validator_log(val, ISC_LOG_DEBUG(3), "in cnamevalidated"); + LOCK(&val->lock); + if (CANCELED(val)) { + validator_done(val, ISC_R_CANCELED); + } else if (eresult == ISC_R_SUCCESS) { + validator_log(val, ISC_LOG_DEBUG(3), "cname with trust %s", + dns_trust_totext(val->frdataset.trust)); + result = proveunsecure(val, ISC_FALSE, ISC_TRUE); + if (result != DNS_R_WAIT) + validator_done(val, result); + } else { + if (eresult != DNS_R_BROKENCHAIN) { + if (dns_rdataset_isassociated(&val->frdataset)) + dns_rdataset_expire(&val->frdataset); + if (dns_rdataset_isassociated(&val->fsigrdataset)) + dns_rdataset_expire(&val->fsigrdataset); + } + validator_log(val, ISC_LOG_DEBUG(3), + "cnamevalidated: got %s", + isc_result_totext(eresult)); + validator_done(val, DNS_R_BROKENCHAIN); + } + want_destroy = exit_check(val); + UNLOCK(&val->lock); + if (want_destroy) + destroy(val); +} + +/*% * Return ISC_R_SUCCESS if we can determine that the name doesn't exist * or we can determine whether there is data or not at the name. * If the name does not exist return the wildcard name. @@ -1236,7 +1294,6 @@ authvalidated(isc_task_t *task, isc_event_t *event) { dns_validatorevent_t *devent; dns_validator_t *val; dns_rdataset_t *rdataset; - dns_rdataset_t *sigrdataset; isc_boolean_t want_destroy; isc_result_t result; isc_boolean_t exists, data; @@ -1246,7 +1303,6 @@ authvalidated(isc_task_t *task, isc_event_t *event) { devent = (dns_validatorevent_t *)event; rdataset = devent->rdataset; - sigrdataset = devent->sigrdataset; val = devent->ev_arg; result = devent->result; dns_validator_destroy(&val->subvalidator); @@ -2004,7 +2060,8 @@ validate(dns_validator_t *val, isc_boolean_t resume) { isc_stdtime_get(&now); ttl = ISC_MIN(event->rdataset->ttl, - val->siginfo->timeexpire - now); + ISC_MIN(val->siginfo->originalttl, + val->siginfo->timeexpire - now)); event->rdataset->ttl = ttl; event->sigrdataset->ttl = ttl; } @@ -2454,8 +2511,10 @@ validatezonekey(dns_validator_t *val) { validator_log(val, ISC_LOG_DEBUG(2), "unsigned DS record"); return (DNS_R_NOVALIDSIG); - } else + } else { result = ISC_R_SUCCESS; + POST(result); + } } else if (result == ISC_R_NOTFOUND) { /* * We don't have the DS. Find it. @@ -2466,11 +2525,12 @@ validatezonekey(dns_validator_t *val) { if (result != ISC_R_SUCCESS) return (result); return (DNS_R_WAIT); - } else if (result == DNS_R_NCACHENXDOMAIN || + } else if (result == DNS_R_NCACHENXDOMAIN || result == DNS_R_NCACHENXRRSET || result == DNS_R_EMPTYNAME || result == DNS_R_NXDOMAIN || - result == DNS_R_NXRRSET) + result == DNS_R_NXRRSET || + result == DNS_R_CNAME) { /* * The DS does not exist. @@ -2855,6 +2915,7 @@ findnsec3proofs(dns_validator_t *val) { } if (result != ISC_R_NOMORE) result = ISC_R_SUCCESS; + POST(result); if (dns_name_countlabels(zonename) == 0) return (ISC_R_SUCCESS); @@ -2987,13 +3048,11 @@ validate_authority(dns_validator_t *val, isc_boolean_t resume) { * infinite loop. Avoid that. */ if (val->event->type == dns_rdatatype_dnskey && + rdataset->type == dns_rdatatype_nsec && dns_name_equal(name, val->event->name)) { dns_rdata_t nsec = DNS_RDATA_INIT; - if (rdataset->type != dns_rdatatype_nsec) - continue; - result = dns_rdataset_first(rdataset); if (result != ISC_R_SUCCESS) return (result); @@ -3067,13 +3126,11 @@ validate_ncache(dns_validator_t *val, isc_boolean_t resume) { * infinite loop. Avoid that. */ if (val->event->type == dns_rdatatype_dnskey && + rdataset->type == dns_rdatatype_nsec && dns_name_equal(name, val->event->name)) { dns_rdata_t nsec = DNS_RDATA_INIT; - if (rdataset->type != dns_rdatatype_nsec) - continue; - result = dns_rdataset_first(rdataset); if (result != ISC_R_SUCCESS) return (result); @@ -3744,6 +3801,20 @@ proveunsecure(dns_validator_t *val, isc_boolean_t have_ds, isc_boolean_t resume) return (startfinddlvsep(val, tname)); } continue; + } else if (result == DNS_R_CNAME) { + if (DNS_TRUST_PENDING(val->frdataset.trust) || + DNS_TRUST_ANSWER(val->frdataset.trust)) { + result = create_validator(val, tname, + dns_rdatatype_cname, + &val->frdataset, + NULL, cnamevalidated, + "proveunsecure " + "(cname)"); + if (result != ISC_R_SUCCESS) + goto out; + return (DNS_R_WAIT); + } + continue; } else if (result == ISC_R_SUCCESS) { /* * There is a DS here. Verify that it's secure and @@ -4014,9 +4085,9 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type, isc_task_t *task, isc_taskaction_t action, void *arg, dns_validator_t **validatorp) { - isc_result_t result; + isc_result_t result = ISC_R_FAILURE; dns_validator_t *val; - isc_task_t *tclone; + isc_task_t *tclone = NULL; dns_validatorevent_t *event; REQUIRE(name != NULL); @@ -4024,9 +4095,6 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type, (rdataset == NULL && sigrdataset == NULL && message != NULL)); REQUIRE(validatorp != NULL && *validatorp == NULL); - tclone = NULL; - result = ISC_R_FAILURE; - val = isc_mem_get(view->mctx, sizeof(*val)); if (val == NULL) return (ISC_R_NOMEMORY); diff --git a/lib/dns/view.c b/lib/dns/view.c index 24f925a010edd..034c44eaf9bf5 100644 --- a/lib/dns/view.c +++ b/lib/dns/view.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: view.c,v 1.178 2011-01-13 09:53:04 marka Exp $ */ +/* $Id: view.c,v 1.178.8.1 2011-03-11 06:47:06 marka Exp $ */ /*! \file */ @@ -1160,7 +1160,7 @@ dns_view_findzonecut2(dns_view_t *view, dns_name_t *name, dns_name_t *fname, { isc_result_t result; dns_db_t *db; - isc_boolean_t is_cache, use_zone, try_hints, is_staticstub_zone; + isc_boolean_t is_cache, use_zone, try_hints; dns_zone_t *zone; dns_name_t *zfname; dns_rdataset_t zrdataset, zsigrdataset; @@ -1172,7 +1172,6 @@ dns_view_findzonecut2(dns_view_t *view, dns_name_t *name, dns_name_t *fname, db = NULL; zone = NULL; use_zone = ISC_FALSE; - is_staticstub_zone = ISC_FALSE; try_hints = ISC_FALSE; zfname = NULL; @@ -1188,11 +1187,8 @@ dns_view_findzonecut2(dns_view_t *view, dns_name_t *name, dns_name_t *fname, */ #ifdef BIND9 result = dns_zt_find(view->zonetable, name, 0, NULL, &zone); - if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) { + if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) result = dns_zone_getdb(zone, &db); - if (dns_zone_gettype(zone) == dns_zone_staticstub) - is_staticstub_zone = ISC_TRUE; - } #else result = ISC_R_NOTFOUND; #endif @@ -1391,6 +1387,7 @@ dns_viewlist_findzone(dns_viewlist_t *list, dns_name_t *name, if (result == DNS_R_PARTIALMATCH) { dns_zone_detach(zp); result = ISC_R_NOTFOUND; + POST(result); } if (zone2 != NULL) { diff --git a/lib/dns/xfrin.c b/lib/dns/xfrin.c index 210bca9f831fc..f87344b1e5ff5 100644 --- a/lib/dns/xfrin.c +++ b/lib/dns/xfrin.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: xfrin.c,v 1.166.522.2.2.1 2011-06-02 23:47:35 tbox Exp $ */ +/* $Id: xfrin.c,v 1.166.522.4 2011-03-11 06:47:06 marka Exp $ */ /*! \file */ @@ -1247,7 +1247,7 @@ xfrin_recv_done(isc_task_t *task, isc_event_t *ev) { result = DNS_R_UNEXPECTEDID; if (xfr->reqtype == dns_rdatatype_axfr || xfr->reqtype == dns_rdatatype_soa) - FAIL(result); + goto failure; xfrin_log(xfr, ISC_LOG_DEBUG(3), "got %s, retrying with AXFR", isc_result_totext(result)); try_axfr: @@ -1283,7 +1283,7 @@ xfrin_recv_done(isc_task_t *task, isc_event_t *ev) { if (result != ISC_R_SUCCESS) { xfrin_log(xfr, ISC_LOG_DEBUG(3), "TSIG check failed: %s", isc_result_totext(result)); - FAIL(result); + goto failure; } for (result = dns_message_firstname(msg, DNS_SECTION_ANSWER); diff --git a/lib/dns/zone.c b/lib/dns/zone.c index c727c2e220672..9e05684ee4ec0 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: zone.c,v 1.582.8.7 2011-02-18 23:23:08 each Exp $ */ +/* $Id: zone.c,v 1.582.8.26 2011-08-09 02:34:24 marka Exp $ */ /*! \file */ @@ -109,12 +109,20 @@ #define NSEC3REMOVE(x) (((x) & DNS_NSEC3FLAG_REMOVE) != 0) +/*% + * Key flags + */ +#define REVOKE(x) ((dst_key_flags(x) & DNS_KEYFLAG_REVOKE) != 0) +#define KSK(x) ((dst_key_flags(x) & DNS_KEYFLAG_KSK) != 0) +#define ALG(x) dst_key_alg(x) + /* * Default values. */ #define DNS_DEFAULT_IDLEIN 3600 /*%< 1 hour */ #define DNS_DEFAULT_IDLEOUT 3600 /*%< 1 hour */ #define MAX_XFER_TIME (2*3600) /*%< Documented default is 2 hours */ +#define RESIGN_DELAY 3600 /*%< 1 hour */ #ifndef DNS_MAX_EXPIRE #define DNS_MAX_EXPIRE 14515200 /*%< 24 weeks */ @@ -213,6 +221,7 @@ struct dns_zone { isc_uint32_t expire; isc_uint32_t minimum; isc_stdtime_t key_expiry; + isc_stdtime_t log_key_expired_timer; char *keydirectory; isc_uint32_t maxrefresh; @@ -660,6 +669,8 @@ static isc_result_t delete_nsec(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node, dns_name_t *name, dns_diff_t *diff); static void zone_rekey(dns_zone_t *zone); +static isc_boolean_t delsig_ok(dns_rdata_rrsig_t *rrsig_ptr, + dst_key_t **keys, unsigned int nkeys); #define ENTER zone_debuglog(zone, me, 1, "enter") @@ -805,6 +816,7 @@ dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx) { zone->timer = NULL; zone->idlein = DNS_DEFAULT_IDLEIN; zone->idleout = DNS_DEFAULT_IDLEOUT; + zone->log_key_expired_timer = 0; ISC_LIST_INIT(zone->notifies); isc_sockaddr_any(&zone->notifysrc4); isc_sockaddr_any6(&zone->notifysrc6); @@ -1379,6 +1391,7 @@ zone_load(dns_zone_t *zone, unsigned int flags) { isc_time_t now; isc_time_t loadtime, filetime; dns_db_t *db = NULL; + isc_boolean_t rbt; REQUIRE(DNS_ZONE_VALID(zone)); @@ -1394,14 +1407,15 @@ zone_load(dns_zone_t *zone, unsigned int flags) { goto cleanup; } - if (zone->db != NULL && zone->masterfile == NULL) { + + INSIST(zone->db_argc >= 1); + + rbt = strcmp(zone->db_argv[0], "rbt") == 0 || + strcmp(zone->db_argv[0], "rbt64") == 0; + + if (zone->db != NULL && zone->masterfile == NULL && rbt) { /* - * The zone has no master file configured, but it already - * has a database. It could be the built-in - * version.bind. CH zone, a zone with a persistent - * database being reloaded, or maybe a zone that - * used to have a master file but whose configuration - * was changed so that it no longer has one. Do nothing. + * The zone has no master file configured. */ result = ISC_R_SUCCESS; goto cleanup; @@ -1420,7 +1434,6 @@ zone_load(dns_zone_t *zone, unsigned int flags) { goto cleanup; } - /* * Store the current time before the zone is loaded, so that if the * file changes between the time of the load and the time that @@ -1463,21 +1476,20 @@ zone_load(dns_zone_t *zone, unsigned int flags) { } } - INSIST(zone->db_argc >= 1); - /* - * Built in zones don't need to be reloaded. + * Built in zones (with the exception of empty zones) don't need + * to be reloaded. */ if (zone->type == dns_zone_master && strcmp(zone->db_argv[0], "_builtin") == 0 && + (zone->db_argc < 2 || strcmp(zone->db_argv[1], "empty") != 0) && DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED)) { result = ISC_R_SUCCESS; goto cleanup; } if ((zone->type == dns_zone_slave || zone->type == dns_zone_stub) && - (strcmp(zone->db_argv[0], "rbt") == 0 || - strcmp(zone->db_argv[0], "rbt64") == 0)) { + rbt) { if (zone->masterfile == NULL || !isc_file_exists(zone->masterfile)) { if (zone->masterfile != NULL) { @@ -1993,8 +2005,7 @@ zone_check_glue(dns_zone_t *zone, dns_db_t *db, dns_name_t *name, dns_rdataset_disassociate(&aaaa); return (answer); } - } else - tresult = result; + } dns_name_format(owner, ownerbuf, sizeof ownerbuf); dns_name_format(name, namebuf, sizeof namebuf); @@ -2840,16 +2851,15 @@ compute_tag(dns_name_t *name, dns_rdata_dnskey_t *dnskey, isc_mem_t *mctx, } /* - * Add key to the security roots for all views. + * Add key to the security roots. */ static void -trust_key(dns_viewlist_t *viewlist, dns_name_t *keyname, +trust_key(dns_zone_t *zone, dns_name_t *keyname, dns_rdata_dnskey_t *dnskey, isc_mem_t *mctx) { isc_result_t result; dns_rdata_t rdata = DNS_RDATA_INIT; unsigned char data[4096]; isc_buffer_t buffer; - dns_view_t *view; dns_keytable_t *sr = NULL; dst_key_t *dstkey = NULL; @@ -2858,17 +2868,13 @@ trust_key(dns_viewlist_t *viewlist, dns_name_t *keyname, dns_rdata_fromstruct(&rdata, dnskey->common.rdclass, dns_rdatatype_dnskey, dnskey, &buffer); - for (view = ISC_LIST_HEAD(*viewlist); view != NULL; - view = ISC_LIST_NEXT(view, link)) { - - result = dns_view_getsecroots(view, &sr); - if (result != ISC_R_SUCCESS) - continue; + result = dns_view_getsecroots(zone->view, &sr); + if (result != ISC_R_SUCCESS) + goto failure; - CHECK(dns_dnssec_keyfromrdata(keyname, &rdata, mctx, &dstkey)); - CHECK(dns_keytable_add(sr, ISC_TRUE, &dstkey)); - dns_keytable_detach(&sr); - } + CHECK(dns_dnssec_keyfromrdata(keyname, &rdata, mctx, &dstkey)); + CHECK(dns_keytable_add(sr, ISC_TRUE, &dstkey)); + dns_keytable_detach(&sr); failure: if (dstkey != NULL) @@ -2879,37 +2885,16 @@ trust_key(dns_viewlist_t *viewlist, dns_name_t *keyname, } /* - * Remove key from the security roots for all views. - */ -static void -untrust_key(dns_viewlist_t *viewlist, dns_name_t *keyname, isc_mem_t *mctx, - dns_rdata_dnskey_t *dnskey) -{ - dns_view_t *view; - - for (view = ISC_LIST_HEAD(*viewlist); view != NULL; - view = ISC_LIST_NEXT(view, link)) - dns_view_untrust(view, keyname, dnskey, mctx); -} - -/* - * Add a null key to the security roots for all views, so that all queries + * Add a null key to the security roots for so that all queries * to the zone will fail. */ static void -fail_secure(dns_viewlist_t *viewlist, dns_name_t *keyname) { +fail_secure(dns_zone_t *zone, dns_name_t *keyname) { isc_result_t result; - dns_view_t *view; - - for (view = ISC_LIST_HEAD(*viewlist); - view != NULL; - view = ISC_LIST_NEXT(view, link)) { - dns_keytable_t *sr = NULL; - - result = dns_view_getsecroots(view, &sr); - if (result != ISC_R_SUCCESS) - continue; + dns_keytable_t *sr = NULL; + result = dns_view_getsecroots(zone->view, &sr); + if (result == ISC_R_SUCCESS) { dns_keytable_marksecure(sr, keyname); dns_keytable_detach(&sr); } @@ -2917,8 +2902,7 @@ fail_secure(dns_viewlist_t *viewlist, dns_name_t *keyname) { /* * Scan a set of KEYDATA records from the key zone. The ones that are - * valid (i.e., the add holddown timer has expired) become trusted keys for - * all views. + * valid (i.e., the add holddown timer has expired) become trusted keys. */ static void load_secroots(dns_zone_t *zone, dns_name_t *name, dns_rdataset_t *rdataset) { @@ -2927,22 +2911,14 @@ load_secroots(dns_zone_t *zone, dns_name_t *name, dns_rdataset_t *rdataset) { dns_rdata_keydata_t keydata; dns_rdata_dnskey_t dnskey; isc_mem_t *mctx = zone->mctx; - dns_view_t *view = zone->view; - dns_viewlist_t *viewlist = view->viewlist; int trusted = 0, revoked = 0, pending = 0; isc_stdtime_t now; + dns_keytable_t *sr = NULL; isc_stdtime_get(&now); - /* For each view, delete references to this key from secroots. */ - for (view = ISC_LIST_HEAD(*viewlist); view != NULL; - view = ISC_LIST_NEXT(view, link)) { - dns_keytable_t *sr = NULL; - - result = dns_view_getsecroots(view, &sr); - if (result != ISC_R_SUCCESS) - continue; - + result = dns_view_getsecroots(zone->view, &sr); + if (result == ISC_R_SUCCESS) { dns_keytable_delete(sr, name); dns_keytable_detach(&sr); } @@ -2980,7 +2956,7 @@ load_secroots(dns_zone_t *zone, dns_name_t *name, dns_rdataset_t *rdataset) { /* Add to keytables. */ trusted++; - trust_key(viewlist, name, &dnskey, mctx); + trust_key(zone, name, &dnskey, mctx); } if (trusted == 0 && pending != 0) { @@ -2993,7 +2969,7 @@ load_secroots(dns_zone_t *zone, dns_name_t *name, dns_rdataset_t *rdataset) { revoked, pending); dns_zone_log(zone, ISC_LOG_ERROR, "All queries to '%s' will fail", namebuf); - fail_secure(viewlist, name); + fail_secure(zone, name); } } @@ -3167,6 +3143,7 @@ static isc_result_t sync_keyzone(dns_zone_t *zone, dns_db_t *db) { isc_result_t result = ISC_R_SUCCESS; isc_boolean_t changed = ISC_FALSE; + isc_boolean_t commit = ISC_FALSE; dns_rbtnodechain_t chain; dns_fixedname_t fn; dns_name_t foundname, *origin; @@ -3288,12 +3265,12 @@ sync_keyzone(dns_zone_t *zone, dns_db_t *db) { if (changed) { /* Write changes to journal file. */ - result = increment_soa_serial(db, ver, &diff, zone->mctx); - if (result == ISC_R_SUCCESS) - zone_journal(zone, &diff, "sync_keyzone"); + CHECK(increment_soa_serial(db, ver, &diff, zone->mctx)); + CHECK(zone_journal(zone, &diff, "sync_keyzone")); DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED); zone_needdump(zone, 30); + commit = ISC_TRUE; } failure: @@ -3302,7 +3279,7 @@ sync_keyzone(dns_zone_t *zone, dns_db_t *db) { if (sr != NULL) dns_keytable_detach(&sr); if (ver != NULL) - dns_db_closeversion(db, &ver, changed); + dns_db_closeversion(db, &ver, commit); dns_diff_clear(&diff); return (result); @@ -3500,7 +3477,8 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime, dns_zone_log(zone, ISC_LOG_ERROR, "zone serial (%u/%u) has gone " "backwards", serial, oldserial); - else if (serial == oldserial && !hasinclude) + else if (serial == oldserial && !hasinclude && + strcmp(zone->db_argv[0], "_builtin") != 0) dns_zone_log(zone, ISC_LOG_ERROR, "zone serial (%u) unchanged. " "zone may fail to transfer " @@ -3617,6 +3595,39 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime, resume_signingwithkey(zone); resume_addnsec3chain(zone); } + + if (zone->type == dns_zone_master && + zone_isdynamic(zone) && + dns_db_issecure(db)) { + dns_name_t *name; + dns_fixedname_t fixed; + dns_rdataset_t next; + + dns_rdataset_init(&next); + dns_fixedname_init(&fixed); + name = dns_fixedname_name(&fixed); + + result = dns_db_getsigningtime(db, &next, name); + if (result == ISC_R_SUCCESS) { + isc_stdtime_t timenow; + char namebuf[DNS_NAME_FORMATSIZE]; + char typebuf[DNS_RDATATYPE_FORMATSIZE]; + + isc_stdtime_get(&timenow); + dns_name_format(name, namebuf, sizeof(namebuf)); + dns_rdatatype_format(next.covers, + typebuf, sizeof(typebuf)); + dns_zone_log(zone, ISC_LOG_DEBUG(3), + "next resign: %s/%s in %d seconds", + namebuf, typebuf, + next.resign - timenow); + dns_rdataset_disassociate(&next); + } else + dns_zone_log(zone, ISC_LOG_WARNING, + "signed dynamic zone has no " + "resign event scheduled"); + } + zone_settimer(zone, &now); } @@ -4520,6 +4531,7 @@ static void set_key_expiry_warning(dns_zone_t *zone, isc_stdtime_t when, isc_stdtime_t now) { unsigned int delta; + char timebuf[80]; zone->key_expiry = when; if (when <= now) { @@ -4527,20 +4539,57 @@ set_key_expiry_warning(dns_zone_t *zone, isc_stdtime_t when, isc_stdtime_t now) "DNSKEY RRSIG(s) have expired"); isc_time_settoepoch(&zone->keywarntime); } else if (when < now + 7 * 24 * 3600) { + isc_time_t t; + isc_time_set(&t, when, 0); + isc_time_formattimestamp(&t, timebuf, 80); dns_zone_log(zone, ISC_LOG_WARNING, - "DNSKEY RRSIG(s) will expire at %u", - when); /* XXXMPA convert to date. */ + "DNSKEY RRSIG(s) will expire within 7 days: %s", + timebuf); delta = when - now; delta--; /* loop prevention */ delta /= 24 * 3600; /* to whole days */ delta *= 24 * 3600; /* to seconds */ isc_time_set(&zone->keywarntime, when - delta, 0); } else { - dns_zone_log(zone, ISC_LOG_NOTICE, /* XXMPA ISC_LOG_DEBUG(1) */ - "setting keywarntime to %u - 7 days", - when); /* XXXMPA convert to date. */ isc_time_set(&zone->keywarntime, when - 7 * 24 * 3600, 0); + isc_time_formattimestamp(&zone->refreshkeytime, timebuf, 80); + dns_zone_log(zone, ISC_LOG_NOTICE, + "setting keywarntime to %s", timebuf); + } +} + +/* + * Helper function to del_sigs(). We don't want to delete RRSIGs that + * have no new key. + */ +static isc_boolean_t +delsig_ok(dns_rdata_rrsig_t *rrsig_ptr, dst_key_t **keys, unsigned int nkeys) { + unsigned int i = 0; + + /* + * It's okay to delete a signature if there is an active ZSK + * with the same algorithm + */ + for (i = 0; i < nkeys; i++) { + if (rrsig_ptr->algorithm == dst_key_alg(keys[i]) && + (dst_key_isprivate(keys[i])) && !KSK(keys[i])) + return (ISC_TRUE); + } + + /* + * Failing that, it is *not* okay to delete a signature + * if the associated public key is still in the DNSKEY RRset + */ + for (i = 0; i < nkeys; i++) { + if ((rrsig_ptr->algorithm == dst_key_alg(keys[i])) && + (rrsig_ptr->keyid == dst_key_id(keys[i]))) + return (ISC_FALSE); } + + /* + * But if the key is gone, then go ahead. + */ + return (ISC_TRUE); } /* @@ -4550,7 +4599,7 @@ set_key_expiry_warning(dns_zone_t *zone, isc_stdtime_t when, isc_stdtime_t now) static isc_result_t del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, dns_rdatatype_t type, dns_diff_t *diff, dst_key_t **keys, - unsigned int nkeys, isc_stdtime_t now) + unsigned int nkeys, isc_stdtime_t now, isc_boolean_t incremental) { isc_result_t result; dns_dbnode_t *node = NULL; @@ -4558,7 +4607,7 @@ del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, dns_rdata_t rdata = DNS_RDATA_INIT; unsigned int i; dns_rdata_rrsig_t rrsig; - isc_boolean_t found; + isc_boolean_t found, changed; isc_stdtime_t warn = 0, maybe = 0; dns_rdataset_init(&rdataset); @@ -4584,6 +4633,7 @@ del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, goto failure; } + changed = ISC_FALSE; for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS; result = dns_rdataset_next(&rdataset)) { @@ -4592,12 +4642,56 @@ del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, RUNTIME_CHECK(result == ISC_R_SUCCESS); if (type != dns_rdatatype_dnskey) { - result = update_one_rr(db, ver, diff, + if (delsig_ok(&rrsig, keys, nkeys)) { + result = update_one_rr(db, ver, diff, DNS_DIFFOP_DELRESIGN, name, rdataset.ttl, &rdata); - dns_rdata_reset(&rdata); - if (result != ISC_R_SUCCESS) - break; + if (incremental) + changed = ISC_TRUE; + dns_rdata_reset(&rdata); + if (result != ISC_R_SUCCESS) + break; + } else { + /* + * At this point, we've got an RRSIG, + * which is signed by an inactive key. + * An administrator needs to provide a new + * key/alg, but until that time, we want to + * keep the old RRSIG. Marking the key as + * offline will prevent us spinning waiting + * for the private part. + */ + if (incremental) { + result = offline(db, ver, diff, name, + rdataset.ttl, &rdata); + changed = ISC_TRUE; + if (result != ISC_R_SUCCESS) + break; + } + + /* + * Log the key id and algorithm of + * the inactive key with no replacement + */ + if (zone->log_key_expired_timer <= now) { + char origin[DNS_NAME_FORMATSIZE]; + char algbuf[DNS_NAME_FORMATSIZE]; + dns_name_format(&zone->origin, origin, + sizeof(origin)); + dns_secalg_format(rrsig.algorithm, + algbuf, + sizeof(algbuf)); + dns_zone_log(zone, ISC_LOG_WARNING, + "Key %s/%s/%d " + "missing or inactive " + "and has no replacement: " + "retaining signatures.", + origin, algbuf, + rrsig.keyid); + zone->log_key_expired_timer = now + + 3600; + } + } continue; } @@ -4641,6 +4735,7 @@ del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, break; } } + /* * If there is not a matching DNSKEY then * delete the RRSIG. @@ -4653,6 +4748,10 @@ del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, if (result != ISC_R_SUCCESS) break; } + + if (changed && (rdataset.attributes & DNS_RDATASETATTR_RESIGN) != 0) + dns_db_resigned(db, &rdataset, ver); + dns_rdataset_disassociate(&rdataset); if (result == ISC_R_NOMORE) result = ISC_R_SUCCESS; @@ -4702,10 +4801,6 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, goto failure; } -#define REVOKE(x) ((dst_key_flags(x) & DNS_KEYFLAG_REVOKE) != 0) -#define KSK(x) ((dst_key_flags(x) & DNS_KEYFLAG_KSK) != 0) -#define ALG(x) dst_key_alg(x) - for (i = 0; i < nkeys; i++) { isc_boolean_t both = ISC_FALSE; @@ -4844,6 +4939,8 @@ zone_resigninc(dns_zone_t *zone) { while (result == ISC_R_SUCCESS) { resign = rdataset.resign; covers = rdataset.covers; + dns_rdataset_disassociate(&rdataset); + /* * Stop if we hit the SOA as that means we have walked the * entire zone. The SOA record should always be the most @@ -4851,27 +4948,18 @@ zone_resigninc(dns_zone_t *zone) { */ /* XXXMPA increase number of RRsets signed pre call */ if (covers == dns_rdatatype_soa || i++ > zone->signatures || - resign > stop) { - /* - * Ensure that we don't loop resigning the SOA. - */ - if (covers == dns_rdatatype_soa) - dns_db_resigned(db, &rdataset, version); - dns_rdataset_disassociate(&rdataset); + resign > stop) break; - } - - dns_db_resigned(db, &rdataset, version); - dns_rdataset_disassociate(&rdataset); result = del_sigs(zone, db, version, name, covers, &sig_diff, - zone_keys, nkeys, now); + zone_keys, nkeys, now, ISC_TRUE); if (result != ISC_R_SUCCESS) { dns_zone_log(zone, ISC_LOG_ERROR, "zone_resigninc:del_sigs -> %s\n", dns_result_totext(result)); break; } + result = add_sigs(db, version, name, covers, &sig_diff, zone_keys, nkeys, zone->mctx, inception, expire, check_ksk, keyset_kskonly); @@ -4897,7 +4985,7 @@ zone_resigninc(dns_zone_t *zone) { goto failure; result = del_sigs(zone, db, version, &zone->origin, dns_rdatatype_soa, - &sig_diff, zone_keys, nkeys, now); + &sig_diff, zone_keys, nkeys, now, ISC_TRUE); if (result != ISC_R_SUCCESS) { dns_zone_log(zone, ISC_LOG_ERROR, "zone_resigninc:del_sigs -> %s\n", @@ -4905,6 +4993,13 @@ zone_resigninc(dns_zone_t *zone) { goto failure; } + /* + * Did we change anything in the zone? + */ + if (ISC_LIST_EMPTY(sig_diff.tuples)) + goto failure; + + /* Increment SOA serial if we have made changes */ result = increment_soa_serial(db, version, &sig_diff, zone->mctx); if (result != ISC_R_SUCCESS) { dns_zone_log(zone, ISC_LOG_ERROR, @@ -4928,7 +5023,7 @@ zone_resigninc(dns_zone_t *zone) { } /* Write changes to journal file. */ - zone_journal(zone, &sig_diff, "zone_resigninc"); + CHECK(zone_journal(zone, &sig_diff, "zone_resigninc")); /* Everything has succeeded. Commit the changes. */ dns_db_closeversion(db, &version, ISC_TRUE); @@ -5614,7 +5709,7 @@ update_sigs(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *version, tuple = ISC_LIST_HEAD(diff->tuples)) { result = del_sigs(zone, db, version, &tuple->name, tuple->rdata.type, sig_diff, - zone_keys, nkeys, now); + zone_keys, nkeys, now, ISC_FALSE); if (result != ISC_R_SUCCESS) { dns_zone_log(zone, ISC_LOG_ERROR, "update_sigs:del_sigs -> %s\n", @@ -5668,11 +5763,11 @@ zone_nsec3chain(dns_zone_t *zone) { dns_nsec3chainlist_t cleanup; dst_key_t *zone_keys[MAXZONEKEYS]; isc_int32_t signatures; - isc_boolean_t check_ksk, keyset_kskonly, is_ksk; + isc_boolean_t check_ksk, keyset_kskonly; isc_boolean_t delegation; isc_boolean_t first; isc_result_t result; - isc_stdtime_t now, inception, soaexpire, expire, stop; + isc_stdtime_t now, inception, soaexpire, expire; isc_uint32_t jitter; unsigned int i; unsigned int nkeys = 0; @@ -5737,7 +5832,6 @@ zone_nsec3chain(dns_zone_t *zone) { */ isc_random_get(&jitter); expire = soaexpire - jitter % 3600; - stop = now + 5; check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK); keyset_kskonly = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_DNSKEYKSKONLY); @@ -5783,8 +5877,6 @@ zone_nsec3chain(dns_zone_t *zone) { if (NSEC3REMOVE(nsec3chain->nsec3param.flags)) goto next_addchain; - is_ksk = ISC_FALSE; - delegation = ISC_FALSE; dns_dbiterator_current(nsec3chain->dbiterator, &node, name); if (nsec3chain->delete_nsec) { @@ -6170,6 +6262,12 @@ zone_nsec3chain(dns_zone_t *zone) { result = dns_db_getoriginnode(db, &node); RUNTIME_CHECK(result == ISC_R_SUCCESS); result = dns_db_allrdatasets(db, node, version, 0, &iterator); + if (result != ISC_R_SUCCESS) { + dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:" + "dns_db_allrdatasets -> %s\n", + dns_result_totext(result)); + goto failure; + } for (result = dns_rdatasetiter_first(iterator); result == ISC_R_SUCCESS; result = dns_rdatasetiter_next(iterator)) { @@ -6267,7 +6365,7 @@ zone_nsec3chain(dns_zone_t *zone) { goto done; result = del_sigs(zone, db, version, &zone->origin, dns_rdatatype_soa, - &sig_diff, zone_keys, nkeys, now); + &sig_diff, zone_keys, nkeys, now, ISC_FALSE); if (result != ISC_R_SUCCESS) { dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:" "del_sigs -> %s\n", dns_result_totext(result)); @@ -6292,10 +6390,11 @@ zone_nsec3chain(dns_zone_t *zone) { } /* Write changes to journal file. */ - zone_journal(zone, &sig_diff, "zone_nsec3chain"); + CHECK(zone_journal(zone, &sig_diff, "zone_nsec3chain")); LOCK_ZONE(zone); zone_needdump(zone, DNS_DUMP_DELAY); + DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY); UNLOCK_ZONE(zone); done: @@ -6502,12 +6601,11 @@ zone_sign(dns_zone_t *zone) { isc_boolean_t build_nsec3 = ISC_FALSE; isc_boolean_t first; isc_result_t result; - isc_stdtime_t now, inception, soaexpire, expire, stop; + isc_stdtime_t now, inception, soaexpire, expire; isc_uint32_t jitter; unsigned int i, j; unsigned int nkeys = 0; isc_uint32_t nodes; - isc_boolean_t was_ksk; dns_rdataset_init(&rdataset); dns_fixedname_init(&fixed); @@ -6559,7 +6657,6 @@ zone_sign(dns_zone_t *zone) { */ isc_random_get(&jitter); expire = soaexpire - jitter % 3600; - stop = now + 5; /* * We keep pulling nodes off each iterator in turn until @@ -6604,8 +6701,6 @@ zone_sign(dns_zone_t *zone) { delegation = ISC_FALSE; - was_ksk = ISC_FALSE; - if (first && signing->delete) { /* * Remove the key we are deleting from consideration. @@ -6831,7 +6926,7 @@ zone_sign(dns_zone_t *zone) { commit = ISC_TRUE; result = del_sigs(zone, db, version, &zone->origin, dns_rdatatype_soa, - &sig_diff, zone_keys, nkeys, now); + &sig_diff, zone_keys, nkeys, now, ISC_FALSE); if (result != ISC_R_SUCCESS) { dns_zone_log(zone, ISC_LOG_ERROR, "zone_sign:del_sigs -> %s\n", @@ -6864,9 +6959,7 @@ zone_sign(dns_zone_t *zone) { /* * Write changes to journal file. */ - result = zone_journal(zone, &sig_diff, "zone_sign"); - if (result != ISC_R_SUCCESS) - goto failure; + CHECK(zone_journal(zone, &sig_diff, "zone_sign")); pauseall: /* @@ -7048,6 +7141,7 @@ refresh_time(dns_keyfetch_t *kfetch, isc_boolean_t retry) { dns_rdataset_current(rdset, &sigrr); result = dns_rdata_tostruct(&sigrr, &sig, NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS); if (!retry) { t = sig.originalttl / 2; @@ -7215,8 +7309,8 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { dns_keytable_t *secroots = NULL; dns_dbversion_t *ver = NULL; dns_diff_t diff; - isc_boolean_t changed = ISC_FALSE; isc_boolean_t alldone = ISC_FALSE; + isc_boolean_t commit = ISC_FALSE; dns_name_t *keyname; dns_rdata_t sigrr = DNS_RDATA_INIT; dns_rdata_t dnskeyrr = DNS_RDATA_INIT; @@ -7232,6 +7326,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { isc_stdtime_t now; int pending = 0; isc_boolean_t secure; + isc_boolean_t free_needed; UNUSED(task); INSIST(event != NULL && event->ev_type == DNS_EVENT_FETCHDONE); @@ -7253,15 +7348,20 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { isc_event_free(&event); dns_resolver_destroyfetch(&kfetch->fetch); + LOCK_ZONE(zone); + if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING) || zone->view == NULL) + goto cleanup; + isc_stdtime_get(&now); dns_name_format(keyname, namebuf, sizeof(namebuf)); result = dns_view_getsecroots(zone->view, &secroots); INSIST(result == ISC_R_SUCCESS); - LOCK_ZONE(zone); - dns_db_newversion(kfetch->db, &ver); dns_diff_init(mctx, &diff); + diff.resign = zone->sigresigninginterval; + + CHECK(dns_db_newversion(kfetch->db, &ver)); zone->refreshkeycount--; alldone = ISC_TF(zone->refreshkeycount == 0); @@ -7276,8 +7376,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { "Unable to fetch DNSKEY set " "'%s': %s", namebuf, dns_result_totext(eresult)); CHECK(minimal_update(kfetch, ver, &diff)); - changed = ISC_TRUE; - goto failure; + goto done; } /* No RRSIGs found */ @@ -7286,8 +7385,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { "No DNSKEY RRSIGs found for " "'%s': %s", namebuf, dns_result_totext(eresult)); CHECK(minimal_update(kfetch, ver, &diff)); - changed = ISC_TRUE; - goto failure; + goto done; } /* @@ -7415,7 +7513,6 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { CHECK(update_one_rr(kfetch->db, ver, &diff, DNS_DIFFOP_DEL, keyname, 0, &keydatarr)); - changed = ISC_TRUE; } if (!secure || deletekey) @@ -7431,7 +7528,6 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { CHECK(update_one_rr(kfetch->db, ver, &diff, DNS_DIFFOP_ADD, keyname, 0, &keydatarr)); - changed = ISC_TRUE; set_refreshkeytimer(zone, &keydata, now); } @@ -7486,8 +7582,8 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { deletekey = ISC_TRUE; } else if (keydata.removehd == 0) { /* Remove from secroots */ - untrust_key(zone->view->viewlist, - keyname, mctx, &dnskey); + dns_view_untrust(zone->view, keyname, + &dnskey, mctx); /* If initializing, delete now */ if (keydata.addhd == 0) @@ -7555,12 +7651,10 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { } /* Delete old version */ - if (deletekey || !newkey) { + if (deletekey || !newkey) CHECK(update_one_rr(kfetch->db, ver, &diff, DNS_DIFFOP_DEL, keyname, 0, &keydatarr)); - changed = ISC_TRUE; - } if (updatekey) { /* Set refresh timer */ @@ -7575,7 +7669,6 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { CHECK(update_one_rr(kfetch->db, ver, &diff, DNS_DIFFOP_ADD, keyname, 0, &keydatarr)); - changed = ISC_TRUE; } else if (newkey) { /* Convert DNSKEY to KEYDATA */ dns_rdata_tostruct(&dnskeyrr, &dnskey, NULL); @@ -7593,14 +7686,12 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { CHECK(update_one_rr(kfetch->db, ver, &diff, DNS_DIFFOP_ADD, keyname, 0, &keydatarr)); - changed = ISC_TRUE; } if (trustkey) { - /* Trust this key in all views */ + /* Trust this key. */ dns_rdata_tostruct(&dnskeyrr, &dnskey, NULL); - trust_key(zone->view->viewlist, keyname, &dnskey, - mctx); + trust_key(zone, keyname, &dnskey, mctx); } if (!deletekey) @@ -7617,27 +7708,32 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { * the security roots; then all queries to the zone will fail. */ if (pending != 0) - fail_secure(zone->view->viewlist, keyname); + fail_secure(zone, keyname); + + done: + + if (!ISC_LIST_EMPTY(diff.tuples)) { + /* Write changes to journal file. */ + CHECK(increment_soa_serial(kfetch->db, ver, &diff, mctx)); + CHECK(zone_journal(zone, &diff, "keyfetch_done")); + commit = ISC_TRUE; - failure: - if (changed) { DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED); zone_needdump(zone, 30); } - UNLOCK_ZONE(zone); - - /* Write changes to journal file. */ - if (alldone) { - result = increment_soa_serial(kfetch->db, ver, &diff, mctx); - if (result == ISC_R_SUCCESS) - result = zone_journal(zone, &diff, "keyfetch_done"); - } + failure: dns_diff_clear(&diff); - dns_db_closeversion(kfetch->db, &ver, changed); + if (ver != NULL) + dns_db_closeversion(kfetch->db, &ver, commit); + + cleanup: dns_db_detach(&kfetch->db); - dns_zone_detach(&kfetch->zone); + + INSIST(zone->irefs > 0); + zone->irefs--; + kfetch->zone = NULL; if (dns_rdataset_isassociated(&kfetch->keydataset)) dns_rdataset_disassociate(&kfetch->keydataset); @@ -7652,6 +7748,11 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { if (secroots != NULL) dns_keytable_detach(&secroots); + + free_needed = exit_check(zone); + UNLOCK_ZONE(zone); + if (free_needed) + zone_free(zone); } /* @@ -7676,14 +7777,21 @@ zone_refreshkeys(dns_zone_t *zone) { isc_stdtime_get(&now); + LOCK_ZONE(zone); + if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) { + isc_time_settoepoch(&zone->refreshkeytime); + UNLOCK_ZONE(zone); + return; + } + ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read); dns_db_attach(zone->db, &db); ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read); - LOCK_ZONE(zone); - dns_db_newversion(db, &ver); dns_diff_init(zone->mctx, &diff); + CHECK(dns_db_newversion(db, &ver)); + DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_REFRESHING); dns_rriterator_init(&rrit, db, ver, 0); @@ -7738,8 +7846,9 @@ zone_refreshkeys(dns_zone_t *zone) { zone->refreshkeycount++; kfetch = isc_mem_get(zone->mctx, sizeof(dns_keyfetch_t)); - kfetch->zone = NULL; - dns_zone_attach(zone, &kfetch->zone); + kfetch->zone = zone; + zone->irefs++; + INSIST(zone->irefs != 0); dns_fixedname_init(&kfetch->name); dns_name_dup(name, zone->mctx, dns_fixedname_name(&kfetch->name)); @@ -7763,17 +7872,20 @@ zone_refreshkeys(dns_zone_t *zone) { } if (!ISC_LIST_EMPTY(diff.tuples)) { CHECK(increment_soa_serial(db, ver, &diff, zone->mctx)); + CHECK(zone_journal(zone, &diff, "sync_keyzone")); commit = ISC_TRUE; - zone_journal(zone, &diff, "sync_keyzone"); DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED); zone_needdump(zone, 30); } + failure: UNLOCK_ZONE(zone); - dns_rriterator_destroy(&rrit); dns_diff_clear(&diff); - dns_db_closeversion(db, &ver, commit); + if (ver != NULL) { + dns_rriterator_destroy(&rrit); + dns_db_closeversion(db, &ver, commit); + } dns_db_detach(&db); } @@ -7988,7 +8100,7 @@ dns_zone_refresh(dns_zone_t *zone) { isc_interval_set(&i, isc_random_jitter(zone->retry, zone->retry / 4), 0); result = isc_time_nowplusinterval(&zone->refreshtime, &i); - if (result |= ISC_R_SUCCESS) + if (result != ISC_R_SUCCESS) dns_zone_log(zone, ISC_LOG_WARNING, "isc_time_nowplusinterval() failed: %s", dns_result_totext(result)); @@ -9342,7 +9454,7 @@ refresh_callback(isc_task_t *task, isc_event_t *event) { goto tcp_transfer; } dns_zone_log(zone, ISC_LOG_DEBUG(1), - "refresh: skipped tcp fallback" + "refresh: skipped tcp fallback " "as master %s (source %s) is " "unreachable (cached)", master, source); @@ -9523,6 +9635,7 @@ refresh_callback(isc_task_t *task, isc_event_t *event) { } else zone_debuglog(zone, me, 1, "serial: new %u, old not loaded", serial); + if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) || DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FORCEXFER) || isc_serial_gt(serial, oldserial)) { @@ -10066,7 +10179,13 @@ ns_query(dns_zone_t *zone, dns_rdataset_t *soardataset, dns_stub_t *stub) { dns_db_settask(stub->db, zone->task); } - dns_db_newversion(stub->db, &stub->version); + result = dns_db_newversion(stub->db, &stub->version); + if (result != ISC_R_SUCCESS) { + dns_zone_log(zone, ISC_LOG_INFO, "refreshing stub: " + "dns_db_newversion() failed: %s", + dns_result_totext(result)); + goto cleanup; + } /* * Update SOA record. @@ -10074,8 +10193,7 @@ ns_query(dns_zone_t *zone, dns_rdataset_t *soardataset, dns_stub_t *stub) { result = dns_db_findnode(stub->db, &zone->origin, ISC_TRUE, &node); if (result != ISC_R_SUCCESS) { - dns_zone_log(zone, ISC_LOG_INFO, - "refreshing stub: " + dns_zone_log(zone, ISC_LOG_INFO, "refreshing stub: " "dns_db_findnode() failed: %s", dns_result_totext(result)); goto cleanup; @@ -10097,6 +10215,7 @@ ns_query(dns_zone_t *zone, dns_rdataset_t *soardataset, dns_stub_t *stub) { * XXX Optimisation: Create message when zone is setup and reuse. */ result = create_query(zone, dns_rdatatype_ns, &message); + INSIST(result == ISC_R_SUCCESS); INSIST(zone->masterscnt > 0); INSIST(zone->curmaster < zone->masterscnt); @@ -10170,6 +10289,7 @@ ns_query(dns_zone_t *zone, dns_rdataset_t *soardataset, dns_stub_t *stub) { break; default: result = ISC_R_NOTIMPLEMENTED; + POST(result); goto cleanup; } timeout = 15; @@ -12360,16 +12480,10 @@ dns_zonemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr, zmgr->transfersin = 10; zmgr->transfersperns = 2; - /* Create the zone task pool. */ - result = isc_taskpool_create(taskmgr, mctx, - 8 /* XXX */, 2, &zmgr->zonetasks); - if (result != ISC_R_SUCCESS) - goto free_rwlock; - /* Create a single task for queueing of SOA queries. */ result = isc_task_create(taskmgr, 1, &zmgr->task); if (result != ISC_R_SUCCESS) - goto free_taskpool; + goto free_rwlock; isc_task_setname(zmgr->task, "zmgr", zmgr); result = isc_ratelimiter_create(mctx, timermgr, zmgr->task, &zmgr->rl); @@ -12403,8 +12517,6 @@ dns_zonemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr, isc_ratelimiter_detach(&zmgr->rl); free_task: isc_task_detach(&zmgr->task); - free_taskpool: - isc_taskpool_destroy(&zmgr->zonetasks); free_rwlock: isc_rwlock_destroy(&zmgr->rwlock); free_mem: @@ -12420,16 +12532,16 @@ dns_zonemgr_managezone(dns_zonemgr_t *zmgr, dns_zone_t *zone) { REQUIRE(DNS_ZONE_VALID(zone)); REQUIRE(DNS_ZONEMGR_VALID(zmgr)); + if (zmgr->zonetasks == NULL) + return (ISC_R_FAILURE); + RWLOCK(&zmgr->rwlock, isc_rwlocktype_write); LOCK_ZONE(zone); REQUIRE(zone->task == NULL); REQUIRE(zone->timer == NULL); REQUIRE(zone->zmgr == NULL); - isc_taskpool_gettask(zmgr->zonetasks, - dns_name_hash(dns_zone_getorigin(zone), - ISC_FALSE), - &zone->task); + isc_taskpool_gettask(zmgr->zonetasks, &zone->task); /* * Set the task name. The tag will arbitrarily point to one @@ -12522,6 +12634,7 @@ dns_zonemgr_detach(dns_zonemgr_t **zmgrp) { if (free_now) zonemgr_free(zmgr); + *zmgrp = NULL; } isc_result_t @@ -12573,6 +12686,35 @@ dns_zonemgr_shutdown(dns_zonemgr_t *zmgr) { isc_taskpool_destroy(&zmgr->zonetasks); } +isc_result_t +dns_zonemgr_setsize(dns_zonemgr_t *zmgr, int num_zones) { + isc_result_t result; + int ntasks = num_zones / 100; + isc_taskpool_t *pool = NULL; + + REQUIRE(DNS_ZONEMGR_VALID(zmgr)); + + /* + * For anything fewer than 1000 zones we use 10 tasks in + * the task pool. More than that, and we'll scale at one + * task per 100 zones. + */ + if (ntasks < 10) + ntasks = 10; + + /* Create or resize the zone task pool. */ + if (zmgr->zonetasks == NULL) + result = isc_taskpool_create(zmgr->taskmgr, zmgr->mctx, + ntasks, 2, &pool); + else + result = isc_taskpool_expand(&zmgr->zonetasks, ntasks, &pool); + + if (result == ISC_R_SUCCESS) + zmgr->zonetasks = pool; + + return (result); +} + static void zonemgr_free(dns_zonemgr_t *zmgr) { isc_mem_t *mctx; @@ -13586,7 +13728,8 @@ rr_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, */ static isc_result_t add_signing_records(dns_db_t *db, dns_rdatatype_t privatetype, - dns_dbversion_t *ver, dns_diff_t *diff) + dns_dbversion_t *ver, dns_diff_t *diff, + isc_boolean_t sign_all) { dns_difftuple_t *tuple, *newtuple = NULL; dns_rdata_dnskey_t dnskey; @@ -13625,13 +13768,16 @@ add_signing_records(dns_db_t *db, dns_rdatatype_t privatetype, rdata.type = privatetype; rdata.rdclass = tuple->rdata.rdclass; - CHECK(rr_exists(db, ver, name, &rdata, &flag)); - if (flag) - continue; - CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, - name, 0, &rdata, &newtuple)); - CHECK(do_one_tuple(&newtuple, db, ver, diff)); - INSIST(newtuple == NULL); + if (sign_all || tuple->op == DNS_DIFFOP_DEL) { + CHECK(rr_exists(db, ver, name, &rdata, &flag)); + if (flag) + continue; + CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, + name, 0, &rdata, &newtuple)); + CHECK(do_one_tuple(&newtuple, db, ver, diff)); + INSIST(newtuple == NULL); + } + /* * Remove any record which says this operation has already * completed. @@ -13692,7 +13838,7 @@ sign_apex(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, if (tuple == NULL) { result = del_sigs(zone, db, ver, &zone->origin, dns_rdatatype_dnskey, sig_diff, - zone_keys, nkeys, now); + zone_keys, nkeys, now, ISC_FALSE); if (result != ISC_R_SUCCESS) { dns_zone_log(zone, ISC_LOG_ERROR, "sign_apex:del_sigs -> %s\n", @@ -13868,6 +14014,7 @@ zone_rekey(dns_zone_t *zone) { dns_dnsseckey_t *key; dns_diff_t diff, sig_diff; isc_boolean_t commit = ISC_FALSE, newactive = ISC_FALSE; + isc_boolean_t newalg = ISC_FALSE; isc_boolean_t fullsign; dns_ttl_t ttl = 3600; const char *dir; @@ -13890,6 +14037,7 @@ zone_rekey(dns_zone_t *zone) { mctx = zone->mctx; dns_diff_init(mctx, &diff); dns_diff_init(mctx, &sig_diff); + sig_diff.resign = zone->sigresigninginterval; CHECK(dns_zone_getdb(zone, &db)); CHECK(dns_db_newversion(db, &ver)); @@ -13944,12 +14092,34 @@ zone_rekey(dns_zone_t *zone) { goto trylater; } - /* See if any pre-existing keys have newly become active */ + /* See if any pre-existing keys have newly become active; + * also, see if any new key is for a new algorithm, as in that + * event, we need to sign the zone fully. (If there's a new + * key, but it's for an already-existing algorithm, then + * the zone signing can be handled incrementally.) + */ for (key = ISC_LIST_HEAD(dnskeys); key != NULL; key = ISC_LIST_NEXT(key, link)) { - if (key->first_sign) { - newactive = ISC_TRUE; + if (!key->first_sign) + continue; + + newactive = ISC_TRUE; + + if (!dns_rdataset_isassociated(&keysigs)) { + newalg = ISC_TRUE; + break; + } + + if (signed_with_alg(&keysigs, dst_key_alg(key->key))) { + /* + * This isn't a new algorithm; clear + * first_sign so we won't sign the + * whole zone with this key later + */ + key->first_sign = ISC_FALSE; + } else { + newalg = ISC_TRUE; break; } } @@ -13958,8 +14128,9 @@ zone_rekey(dns_zone_t *zone) { dnskey_sane(zone, db, ver, &diff)) { CHECK(dns_diff_apply(&diff, db, ver)); CHECK(clean_nsec3param(zone, db, ver, &diff)); - CHECK(add_signing_records(db, zone->privatetype, ver, - &diff)); + CHECK(add_signing_records(db, zone->privatetype, + ver, &diff, + ISC_TF(newalg || fullsign))); CHECK(increment_soa_serial(db, ver, &diff, mctx)); CHECK(add_chains(zone, db, ver, &diff)); CHECK(sign_apex(zone, db, ver, &diff, &sig_diff)); @@ -13973,8 +14144,6 @@ zone_rekey(dns_zone_t *zone) { if (commit) { isc_time_t timenow; dns_difftuple_t *tuple; - isc_boolean_t newkey = ISC_FALSE; - isc_boolean_t newalg = ISC_FALSE; LOCK_ZONE(zone); DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY); @@ -13984,43 +14153,6 @@ zone_rekey(dns_zone_t *zone) { TIME_NOW(&timenow); zone_settimer(zone, &timenow); - /* - * Has a new key become active? If so, is it for - * a new algorithm? - */ - for (tuple = ISC_LIST_HEAD(sig_diff.tuples); - tuple != NULL; - tuple = ISC_LIST_NEXT(tuple, link)) { - dns_rdata_dnskey_t dnskey; - - if (tuple->rdata.type != dns_rdatatype_dnskey) - continue; - - newkey = ISC_TRUE; - if (!dns_rdataset_isassociated(&keysigs)) { - newalg = ISC_TRUE; - break; - } - - result = dns_rdata_tostruct(&tuple->rdata, - &dnskey, NULL); - RUNTIME_CHECK(result == ISC_R_SUCCESS); - if (!signed_with_alg(&keysigs, - dnskey.algorithm)) { - newalg = ISC_TRUE; - break; - } - } - - /* - * If we found a new algorithm, we need to sign the - * zone fully. If there's a new key, but it's for an - * already-existing algorithm, then the zone signing - * can be handled incrementally. - */ - if (newkey && !newalg) - set_resigntime(zone); - /* Remove any signatures from removed keys. */ if (!ISC_LIST_EMPTY(rmkeys)) { for (key = ISC_LIST_HEAD(rmkeys); @@ -14038,7 +14170,6 @@ zone_rekey(dns_zone_t *zone) { } } - if (fullsign) { /* * "rndc sign" was called, so we now sign the zone @@ -14064,30 +14195,19 @@ zone_rekey(dns_zone_t *zone) { /* * We haven't been told to sign fully, but a new * algorithm was added to the DNSKEY. We sign - * the full zone, but only with the newly-added + * the full zone, but only with newly active * keys. */ - for (tuple = ISC_LIST_HEAD(sig_diff.tuples); - tuple != NULL; - tuple = ISC_LIST_NEXT(tuple, link)) { - dns_rdata_dnskey_t dnskey; - dns_secalg_t algorithm; - isc_region_t r; - isc_uint16_t keyid; - - if (tuple->rdata.type != dns_rdatatype_dnskey || - tuple->op == DNS_DIFFOP_DEL) + for (key = ISC_LIST_HEAD(dnskeys); + key != NULL; + key = ISC_LIST_NEXT(key, link)) { + if (!key->first_sign) continue; - result = dns_rdata_tostruct(&tuple->rdata, - &dnskey, NULL); - RUNTIME_CHECK(result == ISC_R_SUCCESS); - dns_rdata_toregion(&tuple->rdata, &r); - algorithm = dnskey.algorithm; - keyid = dst_region_computeid(&r, algorithm); - - result = zone_signwithkey(zone, algorithm, - keyid, ISC_FALSE); + result = zone_signwithkey(zone, + dst_key_alg(key->key), + dst_key_id(key->key), + ISC_FALSE); if (result != ISC_R_SUCCESS) { dns_zone_log(zone, ISC_LOG_ERROR, "zone_signwithkey failed: %s", @@ -14132,51 +14252,59 @@ zone_rekey(dns_zone_t *zone) { dns_result_totext(result)); } } + + /* + * Schedule the next resigning event + */ + set_resigntime(zone); UNLOCK_ZONE(zone); } + /* + * If we are doing automatic key maintenance and the key metadata + * indicates there is a key change event scheduled in the future, + * set the key refresh timer. + */ isc_stdtime_get(&now); TIME_NOW(&timenow); isc_time_settoepoch(&zone->refreshkeytime); - for (key = ISC_LIST_HEAD(dnskeys); - key != NULL; - key = ISC_LIST_NEXT(key, link)) { - isc_stdtime_t then; + + /* + * If we're doing key maintenance, set the key refresh timer to + * the next scheduled key event or to one hour in the future, + * whichever is sooner. + */ + if (DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_MAINTAIN)) { isc_time_t timethen; + isc_stdtime_t then; - /* - * If we are doing automatic key maintenance and the - * key metadata indicates there is a key change event - * scheduled in the future, set the key refresh timer. - */ - if (!DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_MAINTAIN)) - break; + LOCK_ZONE(zone); + DNS_ZONE_TIME_ADD(&timenow, HOUR, &timethen); + zone->refreshkeytime = timethen; + UNLOCK_ZONE(zone); - then = now; - result = next_keyevent(key->key, &then); - if (result != ISC_R_SUCCESS) - continue; + for (key = ISC_LIST_HEAD(dnskeys); + key != NULL; + key = ISC_LIST_NEXT(key, link)) { + then = now; + result = next_keyevent(key->key, &then); + if (result != ISC_R_SUCCESS) + continue; - DNS_ZONE_TIME_ADD(&timenow, then - now, &timethen); - LOCK_ZONE(zone); - if (isc_time_isepoch(&zone->refreshkeytime) || - isc_time_compare(&timethen, &zone->refreshkeytime) < 0) { - zone->refreshkeytime = timethen; - zone_settimer(zone, &timenow); + DNS_ZONE_TIME_ADD(&timenow, then - now, &timethen); + LOCK_ZONE(zone); + if (isc_time_compare(&timethen, + &zone->refreshkeytime) < 0) { + zone->refreshkeytime = timethen; + } + UNLOCK_ZONE(zone); } - UNLOCK_ZONE(zone); - } - /* - * If no key event is scheduled, we should still check the key - * repository for updates every so often. (Currently this is - * hard-coded to 12 hours, but it could be configurable.) - */ - if (isc_time_isepoch(&zone->refreshkeytime)) - DNS_ZONE_TIME_ADD(&timenow, (3600 * 12), &zone->refreshkeytime); + zone_settimer(zone, &timenow); - isc_time_formattimestamp(&zone->refreshkeytime, timebuf, 80); - dns_zone_log(zone, ISC_LOG_INFO, "next key event: %s", timebuf); + isc_time_formattimestamp(&zone->refreshkeytime, timebuf, 80); + dns_zone_log(zone, ISC_LOG_INFO, "next key event: %s", timebuf); + } failure: dns_diff_clear(&diff); diff --git a/lib/dns/zt.c b/lib/dns/zt.c index fd6af2884e944..23b3e8338a2d1 100644 --- a/lib/dns/zt.c +++ b/lib/dns/zt.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2007, 2011 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2002 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: zt.c,v 1.47 2007-06-19 23:47:16 tbox Exp $ */ +/* $Id: zt.c,v 1.47.814.3 2011-03-19 23:47:24 tbox Exp $ */ /*! \file */ |