authorInternet Software Consortium, Inc <@isc.org>2011-08-20 17:00:04 -0600
committerInternet Software Consortium, Inc <@isc.org>2011-08-20 17:00:04 -0600
commitb96d0b74187757909006c14942550e922e87f9f9 (patch)
tree692f13dda01fd658e397f6e00b4b492fb816698d /lib
parent9dcbbb59f37cea46ceed2b8093280e5e23a3f498 (diff)
downloadbind9-b96d0b74187757909006c14942550e922e87f9f9.tar.gz
9.8.1b2
Diffstat (limited to 'lib')
-rw-r--r--lib/dns/api2
-rw-r--r--lib/dns/include/dns/db.h10
-rw-r--r--lib/dns/include/dns/masterdump.h7
-rw-r--r--lib/dns/include/dns/rdataset.h11
-rw-r--r--lib/dns/masterdump.c58
-rw-r--r--lib/dns/message.c12
-rw-r--r--lib/dns/ncache.c9
-rw-r--r--lib/dns/nsec3.c14
-rw-r--r--lib/dns/rbtdb.c29
-rw-r--r--lib/dns/rdataset.c24
-rw-r--r--lib/dns/resolver.c15
-rw-r--r--lib/dns/validator.c43
-rw-r--r--lib/dns/zone.c245
-rw-r--r--lib/isccfg/api2
-rw-r--r--lib/isccfg/namedconf.c5
15 files changed, 302 insertions, 184 deletions
diff --git a/lib/dns/api b/lib/dns/api
index 2a5ab2e3..d4a52070 100644
--- a/lib/dns/api
+++ b/lib/dns/api
@@ -1,3 +1,3 @@
LIBINTERFACE = 83
-LIBREVISION = 0
+LIBREVISION = 1
LIBAGE = 2
diff --git a/lib/dns/include/dns/db.h b/lib/dns/include/dns/db.h
index edb1263a..b8136227 100644
--- a/lib/dns/include/dns/db.h
+++ b/lib/dns/include/dns/db.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: db.h,v 1.104 2011-01-13 04:59:25 tbox Exp $ */
+/* $Id: db.h,v 1.104.8.1 2011-05-19 04:42:51 each Exp $ */
#ifndef DNS_DB_H
#define DNS_DB_H 1
@@ -1441,7 +1441,9 @@ dns_db_setsigningtime(dns_db_t *db, dns_rdataset_t *rdataset,
*
* Requires:
* \li 'db' is a valid zone database.
- * \li 'rdataset' to be associated with 'db'.
+ * \li 'rdataset' is or is to be associated with 'db'.
+ * \li 'rdataset' is not pending removed from the heap via an
+ * uncommitted call to dns_db_resigned().
*
* Returns:
* \li #ISC_R_SUCCESS
@@ -1472,7 +1474,9 @@ dns_db_resigned(dns_db_t *db, dns_rdataset_t *rdataset,
* Mark 'rdataset' as not being available to be returned by
* dns_db_getsigningtime(). If the changes associated with 'version'
* are committed this will be permanent. If the version is not committed
- * this change will be rolled back when the version is closed.
+ * this change will be rolled back when the version is closed. Until
+ * 'version' is either committed or rolled back, 'rdataset' can no longer
+ * be acted upon by dns_db_setsigningtime().
*
* Requires:
* \li 'db' is a valid zone database.
diff --git a/lib/dns/include/dns/masterdump.h b/lib/dns/include/dns/masterdump.h
index f12c96cf..e5bfe045 100644
--- a/lib/dns/include/dns/masterdump.h
+++ b/lib/dns/include/dns/masterdump.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008, 2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: masterdump.h,v 1.42 2008-09-24 02:46:23 marka Exp $ */
+/* $Id: masterdump.h,v 1.42.524.2 2011-05-28 00:27:48 tbox Exp $ */
#ifndef DNS_MASTERDUMP_H
#define DNS_MASTERDUMP_H 1
@@ -332,9 +332,6 @@ dns_master_stylecreate(dns_master_style_t **style, unsigned int flags,
void
dns_master_styledestroy(dns_master_style_t **style, isc_mem_t *mctx);
-const char *
-dns_trust_totext(dns_trust_t trust);
-
ISC_LANG_ENDDECLS
#endif /* DNS_MASTERDUMP_H */
diff --git a/lib/dns/include/dns/rdataset.h b/lib/dns/include/dns/rdataset.h
index 3ab30068..492a1cec 100644
--- a/lib/dns/include/dns/rdataset.h
+++ b/lib/dns/include/dns/rdataset.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rdataset.h,v 1.69 2010-02-25 05:08:01 tbox Exp $ */
+/* $Id: rdataset.h,v 1.69.148.3 2011-06-08 23:02:43 each Exp $ */
#ifndef DNS_RDATASET_H
#define DNS_RDATASET_H 1
@@ -203,6 +203,7 @@ struct dns_rdataset {
#define DNS_RDATASETATTR_RESIGN 0x00040000
#define DNS_RDATASETATTR_CLOSEST 0x00080000
#define DNS_RDATASETATTR_OPTOUT 0x00100000 /*%< OPTOUT proof */
+#define DNS_RDATASETATTR_NEGATIVE 0x00200000
/*%
* _OMITDNSSEC:
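Review bot: The new DNS_RDATASETATTR_NEGATIVE bit is added without the trailing doc comment that its neighbour OPTOUT carries, yet the rest of the series makes it the sole marker of a negative cache entry in place of the old `type == 0` test. The header is where that contract belongs: `#define DNS_RDATASETATTR_NEGATIVE 0x00200000 /*%< negative cache entry; type 0 alone no longer implies this */`. The attribute list continues outside the hunk.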
@@ -650,6 +651,12 @@ dns_rdataset_expire(dns_rdataset_t *rdataset);
* Mark the rdataset to be expired in the backing database.
*/
+const char *
+dns_trust_totext(dns_trust_t trust);
+/*
+ * Display trust in textual form.
+ */
+
ISC_LANG_ENDDECLS
#endif /* DNS_RDATASET_H */
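Review bot: The prototype comment "Display trust in textual form" omits the two things a caller needs: the implementation returns the literal string "bad" for any value outside the known dns_trust_t range, and the pointer refers to static read-only storage that must not be freed or modified. Suggest `/* Return a static, read-only name for 'trust'; values outside the known range yield "bad". */` so the header matches what rdataset.c actually does.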
diff --git a/lib/dns/masterdump.c b/lib/dns/masterdump.c
index 9de41c96..c137b108 100644
--- a/lib/dns/masterdump.c
+++ b/lib/dns/masterdump.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: masterdump.c,v 1.99.258.5 2011-03-18 09:05:28 fdupont Exp $ */
+/* $Id: masterdump.c,v 1.99.258.7 2011-06-08 23:02:42 each Exp $ */
/*! \file */
@@ -410,6 +410,7 @@ rdataset_totext(dns_rdataset_t *rdataset,
isc_uint32_t current_ttl;
isc_boolean_t current_ttl_valid;
dns_rdatatype_t type;
+ unsigned int type_start;
REQUIRE(DNS_RDATASET_VALID(rdataset));
@@ -491,29 +492,26 @@ rdataset_totext(dns_rdataset_t *rdataset,
* Type.
*/
- if (rdataset->type == 0) {
+ if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0) {
type = rdataset->covers;
} else {
type = rdataset->type;
}
- {
- unsigned int type_start;
- INDENT_TO(type_column);
- type_start = target->used;
- if (rdataset->type == 0)
- RETERR(str_totext("\\-", target));
- result = dns_rdatatype_totext(type, target);
- if (result != ISC_R_SUCCESS)
- return (result);
- column += (target->used - type_start);
- }
+ INDENT_TO(type_column);
+ type_start = target->used;
+ if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0)
+ RETERR(str_totext("\\-", target));
+ result = dns_rdatatype_totext(type, target);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ column += (target->used - type_start);
/*
* Rdata.
*/
INDENT_TO(rdata_column);
- if (rdataset->type == 0) {
+ if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0) {
if (NXDOMAIN(rdataset))
RETERR(str_totext(";-$NXDOMAIN\n", target));
else
@@ -835,26 +833,6 @@ dump_order_compare(const void *a, const void *b) {
#define MAXSORT 64
-static const char *trustnames[] = {
- "none",
- "pending-additional",
- "pending-answer",
- "additional",
- "glue",
- "answer",
- "authauthority",
- "authanswer",
- "secure",
- "local" /* aka ultimate */
-};
-
-const char *
-dns_trust_totext(dns_trust_t trust) {
- if (trust >= sizeof(trustnames)/sizeof(*trustnames))
- return ("bad");
- return (trustnames[trust]);
-}
-
static isc_result_t
dump_rdatasets_text(isc_mem_t *mctx, dns_name_t *name,
dns_rdatasetiter_t *rdsiter, dns_totext_ctx_t *ctx,
@@ -893,13 +871,9 @@ dump_rdatasets_text(isc_mem_t *mctx, dns_name_t *name,
for (i = 0; i < n; i++) {
dns_rdataset_t *rds = sorted[i];
- if (ctx->style.flags & DNS_STYLEFLAG_TRUST) {
- unsigned int trust = rds->trust;
- INSIST(trust < (sizeof(trustnames) /
- sizeof(trustnames[0])));
- fprintf(f, "; %s\n", trustnames[trust]);
- }
- if (rds->type == 0 &&
+ if (ctx->style.flags & DNS_STYLEFLAG_TRUST)
+ fprintf(f, "; %s\n", dns_trust_totext(rds->trust));
+ if (((rds->attributes & DNS_RDATASETATTR_NEGATIVE) != 0) &&
(ctx->style.flags & DNS_STYLEFLAG_NCACHE) == 0) {
/* Omit negative cache entries */
} else {
@@ -1064,7 +1038,7 @@ dump_rdatasets_raw(isc_mem_t *mctx, dns_name_t *name,
dns_rdataset_init(&rdataset);
dns_rdatasetiter_current(rdsiter, &rdataset);
- if (rdataset.type == 0 &&
+ if (((rdataset.attributes & DNS_RDATASETATTR_NEGATIVE) != 0) &&
(ctx->style.flags & DNS_STYLEFLAG_NCACHE) == 0) {
/* Omit negative cache entries */
} else {
diff --git a/lib/dns/message.c b/lib/dns/message.c
index d298b40f..4ca37b75 100644
--- a/lib/dns/message.c
+++ b/lib/dns/message.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: message.c,v 1.254.114.2 2011-03-12 04:59:17 tbox Exp $ */
+/* $Id: message.c,v 1.254.114.3 2011-06-08 23:02:42 each Exp $ */
/*! \file */
@@ -2515,7 +2515,7 @@ dns_message_peekheader(isc_buffer_t *source, dns_messageid_t *idp,
isc_result_t
dns_message_reply(dns_message_t *msg, isc_boolean_t want_question_section) {
- unsigned int first_section;
+ unsigned int clear_after;
isc_result_t result;
REQUIRE(DNS_MESSAGE_VALID(msg));
@@ -2527,15 +2527,15 @@ dns_message_reply(dns_message_t *msg, isc_boolean_t want_question_section) {
msg->opcode != dns_opcode_notify)
want_question_section = ISC_FALSE;
if (msg->opcode == dns_opcode_update)
- first_section = DNS_SECTION_ADDITIONAL;
+ clear_after = DNS_SECTION_PREREQUISITE;
else if (want_question_section) {
if (!msg->question_ok)
return (DNS_R_FORMERR);
- first_section = DNS_SECTION_ANSWER;
+ clear_after = DNS_SECTION_ANSWER;
} else
- first_section = DNS_SECTION_QUESTION;
+ clear_after = DNS_SECTION_QUESTION;
msg->from_to_wire = DNS_MESSAGE_INTENTRENDER;
- msgresetnames(msg, first_section);
+ msgresetnames(msg, clear_after);
msgresetopt(msg);
msgresetsigs(msg, ISC_TRUE);
msginitprivate(msg);
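Review bot: The rename to `clear_after` and the switch from DNS_SECTION_ADDITIONAL to DNS_SECTION_PREREQUISITE for UPDATE replies only make sense if msgresetnames() discards the named section and every later one, which cannot be verified from this hunk because msgresetnames is outside it. A one-line comment would pin the intent: `/* msgresetnames() drops 'clear_after' and all later sections; an UPDATE reply keeps only the zone section. */`. If that reading is right, the reply no longer echoes the client's prerequisite and update RRs back to it, which is worth stating explicitly rather than leaving implicit in a variable name.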
diff --git a/lib/dns/ncache.c b/lib/dns/ncache.c
index 6b86dea0..1ac85e5f 100644
--- a/lib/dns/ncache.c
+++ b/lib/dns/ncache.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: ncache.c,v 1.50.124.2 2011-02-28 01:20:02 tbox Exp $ */
+/* $Id: ncache.c,v 1.50.124.4 2011-06-08 23:02:42 each Exp $ */
/*! \file */
@@ -186,7 +186,7 @@ dns_ncache_addoptout(dns_message_t *message, dns_db_t *cache,
*/
isc_buffer_availableregion(&buffer,
&r);
- if (r.length < 2)
+ if (r.length < 3)
return (ISC_R_NOSPACE);
isc_buffer_putuint16(&buffer,
rdataset->type);
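Review bot: The minimum-space check grows from 2 to 3 bytes, but the only write visible in the hunk is the two-byte `isc_buffer_putuint16(&buffer, rdataset->type)`; the third byte is presumably written further down, outside the hunk, leaving the constant unexplained at the point of the check. A comment naming the layout keeps the check and the writes from drifting apart, e.g. `/* 2-byte type + 1-byte trust; keep in step with the put calls below */` if that is indeed what is stored. dns_ncache_addoptout continues on both sides of the hunk.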
@@ -243,6 +243,7 @@ dns_ncache_addoptout(dns_message_t *message, dns_db_t *cache,
RUNTIME_CHECK(dns_rdatalist_tordataset(&ncrdatalist, &ncrdataset)
== ISC_R_SUCCESS);
ncrdataset.trust = trust;
+ ncrdataset.attributes |= DNS_RDATASETATTR_NEGATIVE;
if (message->rcode == dns_rcode_nxdomain)
ncrdataset.attributes |= DNS_RDATASETATTR_NXDOMAIN;
if (optout)
@@ -273,6 +274,7 @@ dns_ncache_towire(dns_rdataset_t *rdataset, dns_compress_t *cctx,
REQUIRE(rdataset != NULL);
REQUIRE(rdataset->type == 0);
+ REQUIRE((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0);
savedbuffer = *target;
count = 0;
@@ -501,6 +503,7 @@ dns_ncache_getrdataset(dns_rdataset_t *ncacherdataset, dns_name_t *name,
REQUIRE(ncacherdataset != NULL);
REQUIRE(ncacherdataset->type == 0);
+ REQUIRE((ncacherdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0);
REQUIRE(name != NULL);
REQUIRE(!dns_rdataset_isassociated(rdataset));
REQUIRE(type != dns_rdatatype_rrsig);
@@ -577,6 +580,7 @@ dns_ncache_getsigrdataset(dns_rdataset_t *ncacherdataset, dns_name_t *name,
REQUIRE(ncacherdataset != NULL);
REQUIRE(ncacherdataset->type == 0);
+ REQUIRE((ncacherdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0);
REQUIRE(name != NULL);
REQUIRE(!dns_rdataset_isassociated(rdataset));
@@ -676,6 +680,7 @@ dns_ncache_current(dns_rdataset_t *ncacherdataset, dns_name_t *found,
REQUIRE(ncacherdataset != NULL);
REQUIRE(ncacherdataset->type == 0);
+ REQUIRE((ncacherdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0);
REQUIRE(found != NULL);
REQUIRE(!dns_rdataset_isassociated(rdataset));
diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c
index 7bac5e54..d99f90ec 100644
--- a/lib/dns/nsec3.c
+++ b/lib/dns/nsec3.c
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: nsec3.c,v 1.19.24.2 2011-03-12 04:59:17 tbox Exp $ */
+/* $Id: nsec3.c,v 1.19.24.3 2011-06-08 23:02:42 each Exp $ */
#include <config.h>
@@ -1579,7 +1579,7 @@ dns_nsec3_delnsec3s(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
isc_result_t
dns_nsec3_delnsec3sx(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
- dns_rdatatype_t type, dns_diff_t *diff)
+ dns_rdatatype_t privatetype, dns_diff_t *diff)
{
dns_dbnode_t *node = NULL;
dns_rdata_nsec3param_t nsec3param;
@@ -1624,9 +1624,9 @@ dns_nsec3_delnsec3sx(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
dns_rdataset_disassociate(&rdataset);
try_private:
- if (type == 0)
+ if (privatetype == 0)
goto success;
- result = dns_db_findrdataset(db, node, version, type, 0, 0,
+ result = dns_db_findrdataset(db, node, version, privatetype, 0, 0,
&rdataset, NULL);
if (result == ISC_R_NOTFOUND)
goto success;
@@ -1681,7 +1681,7 @@ dns_nsec3_active(dns_db_t *db, dns_dbversion_t *version,
isc_result_t
dns_nsec3_activex(dns_db_t *db, dns_dbversion_t *version,
- isc_boolean_t complete, dns_rdatatype_t type,
+ isc_boolean_t complete, dns_rdatatype_t privatetype,
isc_boolean_t *answer)
{
dns_dbnode_t *node = NULL;
@@ -1730,11 +1730,11 @@ dns_nsec3_activex(dns_db_t *db, dns_dbversion_t *version,
*answer = ISC_FALSE;
try_private:
- if (type == 0 || complete) {
+ if (privatetype == 0 || complete) {
*answer = ISC_FALSE;
return (ISC_R_SUCCESS);
}
- result = dns_db_findrdataset(db, node, version, type, 0, 0,
+ result = dns_db_findrdataset(db, node, version, privatetype, 0, 0,
&rdataset, NULL);
dns_db_detachnode(db, &node);
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index 9cc26e3c..9d66006b 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rbtdb.c,v 1.310.8.4 2011-03-11 06:47:04 marka Exp $ */
+/* $Id: rbtdb.c,v 1.310.8.5 2011-06-08 23:02:42 each Exp $ */
/*! \file */
@@ -279,6 +279,7 @@ typedef ISC_LIST(dns_rbtnode_t) rbtnodelist_t;
#define RDATASET_ATTR_RESIGN 0x0020
#define RDATASET_ATTR_STATCOUNT 0x0040
#define RDATASET_ATTR_OPTOUT 0x0080
+#define RDATASET_ATTR_NEGATIVE 0x0100
typedef struct acache_cbarg {
dns_rdatasetadditional_t type;
@@ -317,6 +318,8 @@ struct acachectl {
(((header)->attributes & RDATASET_ATTR_RESIGN) != 0)
#define OPTOUT(header) \
(((header)->attributes & RDATASET_ATTR_OPTOUT) != 0)
+#define NEGATIVE(header) \
+ (((header)->attributes & RDATASET_ATTR_NEGATIVE) != 0)
#define DEFAULT_NODE_LOCK_COUNT 7 /*%< Should be prime. */
@@ -700,11 +703,13 @@ update_rrsetstats(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
/* At the moment we count statistics only for cache DB */
INSIST(IS_CACHE(rbtdb));
- if (NXDOMAIN(header))
- statattributes = DNS_RDATASTATSTYPE_ATTR_NXDOMAIN;
- else if (RBTDB_RDATATYPE_BASE(header->type) == 0) {
- statattributes = DNS_RDATASTATSTYPE_ATTR_NXRRSET;
- base = RBTDB_RDATATYPE_EXT(header->type);
+ if (NEGATIVE(header)) {
+ if (NXDOMAIN(header))
+ statattributes = DNS_RDATASTATSTYPE_ATTR_NXDOMAIN;
+ else {
+ statattributes = DNS_RDATASTATSTYPE_ATTR_NXRRSET;
+ base = RBTDB_RDATATYPE_EXT(header->type);
+ }
} else
base = RBTDB_RDATATYPE_BASE(header->type);
@@ -2789,6 +2794,8 @@ bind_rdataset(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
rdataset->covers = RBTDB_RDATATYPE_EXT(header->type);
rdataset->ttl = header->rdh_ttl - now;
rdataset->trust = header->trust;
+ if (NEGATIVE(header))
+ rdataset->attributes |= DNS_RDATASETATTR_NEGATIVE;
if (NXDOMAIN(header))
rdataset->attributes |= DNS_RDATASETATTR_NXDOMAIN;
if (OPTOUT(header))
@@ -5016,7 +5023,7 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
*nodep = node;
}
- if (RBTDB_RDATATYPE_BASE(found->type) == 0) {
+ if (NEGATIVE(found)) {
/*
* We found a negative cache entry.
*/
@@ -5688,7 +5695,7 @@ cache_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
if (found == NULL)
return (ISC_R_NOTFOUND);
- if (RBTDB_RDATATYPE_BASE(found->type) == 0) {
+ if (NEGATIVE(found)) {
/*
* We found a negative cache entry.
*/
@@ -5899,7 +5906,7 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
negtype = 0;
if (rbtversion == NULL && !newheader_nx) {
rdtype = RBTDB_RDATATYPE_BASE(newheader->type);
- if (rdtype == 0) {
+ if (NEGATIVE(newheader)) {
/*
* We're adding a negative cache entry.
*/
@@ -6441,6 +6448,8 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
} else {
newheader->serial = 1;
newheader->resign = 0;
+ if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0)
+ newheader->attributes |= RDATASET_ATTR_NEGATIVE;
if ((rdataset->attributes & DNS_RDATASETATTR_NXDOMAIN) != 0)
newheader->attributes |= RDATASET_ATTR_NXDOMAIN;
if ((rdataset->attributes & DNS_RDATASETATTR_OPTOUT) != 0)
@@ -8172,7 +8181,7 @@ rdatasetiter_next(dns_rdatasetiter_t *iterator) {
type = header->type;
rdtype = RBTDB_RDATATYPE_BASE(header->type);
- if (rdtype == 0) {
+ if (NEGATIVE(header)) {
covers = RBTDB_RDATATYPE_EXT(header->type);
negtype = RBTDB_RDATATYPE_VALUE(covers, 0);
} else
diff --git a/lib/dns/rdataset.c b/lib/dns/rdataset.c
index 089bec09..627f20de 100644
--- a/lib/dns/rdataset.c
+++ b/lib/dns/rdataset.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rdataset.c,v 1.86.148.2 2011-03-12 04:59:17 tbox Exp $ */
+/* $Id: rdataset.c,v 1.86.148.4 2011-06-08 23:02:42 each Exp $ */
/*! \file */
@@ -34,6 +34,26 @@
#include <dns/rdataset.h>
#include <dns/compress.h>
+static const char *trustnames[] = {
+ "none",
+ "pending-additional",
+ "pending-answer",
+ "additional",
+ "glue",
+ "answer",
+ "authauthority",
+ "authanswer",
+ "secure",
+ "local" /* aka ultimate */
+};
+
+const char *
+dns_trust_totext(dns_trust_t trust) {
+ if (trust >= sizeof(trustnames)/sizeof(*trustnames))
+ return ("bad");
+ return (trustnames[trust]);
+}
+
void
dns_rdataset_init(dns_rdataset_t *rdataset) {
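Review bot: The relocated trustnames table is indexed directly by dns_trust_t, so its order and length must track that enumeration, but nothing at the definition says so, and the bounds check in dns_trust_totext() turns a newly added enumerator into the string "bad" instead of a build error. Add `/* Must match the order of enum dns_trust_t in its declaring header; keep in sync. */` above the array, and consider a compile-time size check against the enum's last value if it exposes one.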
@@ -324,7 +344,7 @@ towiresorted(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
count = 1;
result = dns_rdataset_first(rdataset);
INSIST(result == ISC_R_NOMORE);
- } else if (rdataset->type == 0) {
+ } else if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0) {
/*
* This is a negative caching rdataset.
*/
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index acec04df..717c9321 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: resolver.c,v 1.428.6.6 2011-03-11 06:47:05 marka Exp $ */
+/* $Id: resolver.c,v 1.428.6.7 2011-06-08 23:02:43 each Exp $ */
/*! \file */
@@ -435,6 +435,7 @@ struct dns_resolver {
FCTX_ADDRINFO_TRIED) != 0)
#define NXDOMAIN(r) (((r)->attributes & DNS_RDATASETATTR_NXDOMAIN) != 0)
+#define NEGATIVE(r) (((r)->attributes & DNS_RDATASETATTR_NEGATIVE) != 0)
static void destroy(dns_resolver_t *res);
static void empty_bucket(dns_resolver_t *res);
@@ -1059,7 +1060,7 @@ fctx_sendevents(fetchctx_t *fctx, isc_result_t result, int line) {
* Negative results must be indicated in event->result.
*/
if (dns_rdataset_isassociated(event->rdataset) &&
- event->rdataset->type == dns_rdatatype_none) {
+ NEGATIVE(event->rdataset)) {
INSIST(event->result == DNS_R_NCACHENXDOMAIN ||
event->result == DNS_R_NCACHENXRRSET);
}
@@ -4163,7 +4164,7 @@ validated(isc_task_t *task, isc_event_t *event) {
if (result != ISC_R_SUCCESS &&
result != DNS_R_UNCHANGED)
goto noanswer_response;
- if (ardataset != NULL && ardataset->type == 0) {
+ if (ardataset != NULL && NEGATIVE(ardataset)) {
if (NXDOMAIN(ardataset))
eresult = DNS_R_NCACHENXDOMAIN;
else
@@ -4487,7 +4488,7 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
result = ISC_R_SUCCESS;
if (!need_validation &&
ardataset != NULL &&
- ardataset->type == 0) {
+ NEGATIVE(ardataset)) {
/*
* The answer in the cache is
* better than the answer we
@@ -4617,7 +4618,7 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
if (result == DNS_R_UNCHANGED) {
if (ANSWER(rdataset) &&
ardataset != NULL &&
- ardataset->type == 0) {
+ NEGATIVE(ardataset)) {
/*
* The answer in the cache is better
* than the answer we found, and is
@@ -4647,7 +4648,7 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
* Negative results must be indicated in event->result.
*/
if (dns_rdataset_isassociated(event->rdataset) &&
- event->rdataset->type == dns_rdatatype_none) {
+ NEGATIVE(event->rdataset)) {
INSIST(eresult == DNS_R_NCACHENXDOMAIN ||
eresult == DNS_R_NCACHENXRRSET);
}
@@ -4727,7 +4728,7 @@ ncache_adderesult(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
* care about whether it is DNS_R_NCACHENXDOMAIN or
* DNS_R_NCACHENXRRSET then extract it.
*/
- if (ardataset->type == 0) {
+ if (NEGATIVE(ardataset)) {
/*
* The cache data is a negative cache entry.
*/
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index 16f6d2fa..9c532a24 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: validator.c,v 1.197.14.5 2011-03-11 06:47:06 marka Exp $ */
+/* $Id: validator.c,v 1.197.14.7 2011-06-08 23:02:43 each Exp $ */
#include <config.h>
@@ -129,6 +129,8 @@
#define SHUTDOWN(v) (((v)->attributes & VALATTR_SHUTDOWN) != 0)
#define CANCELED(v) (((v)->attributes & VALATTR_CANCELED) != 0)
+#define NEGATIVE(r) (((r)->attributes & DNS_RDATASETATTR_NEGATIVE) != 0)
+
static void
destroy(dns_validator_t *val);
@@ -427,7 +429,8 @@ fetch_callback_validator(isc_task_t *task, isc_event_t *event) {
validator_done(val, ISC_R_CANCELED);
} else if (eresult == ISC_R_SUCCESS) {
validator_log(val, ISC_LOG_DEBUG(3),
- "keyset with trust %d", rdataset->trust);
+ "keyset with trust %s",
+ dns_trust_totext(rdataset->trust));
/*
* Only extract the dst key if the keyset is secure.
*/
@@ -504,7 +507,8 @@ dsfetched(isc_task_t *task, isc_event_t *event) {
validator_done(val, ISC_R_CANCELED);
} else if (eresult == ISC_R_SUCCESS) {
validator_log(val, ISC_LOG_DEBUG(3),
- "dsset with trust %d", rdataset->trust);
+ "dsset with trust %s",
+ dns_trust_totext(rdataset->trust));
val->dsset = &val->frdataset;
result = validatezonekey(val);
if (result != DNS_R_WAIT)
@@ -664,7 +668,8 @@ keyvalidated(isc_task_t *task, isc_event_t *event) {
validator_done(val, ISC_R_CANCELED);
} else if (eresult == ISC_R_SUCCESS) {
validator_log(val, ISC_LOG_DEBUG(3),
- "keyset with trust %d", val->frdataset.trust);
+ "keyset with trust %s",
+ dns_trust_totext(val->frdataset.trust));
/*
* Only extract the dst key if the keyset is secure.
*/
@@ -735,15 +740,15 @@ dsvalidated(isc_task_t *task, isc_event_t *event) {
isc_boolean_t have_dsset;
dns_name_t *name;
validator_log(val, ISC_LOG_DEBUG(3),
- "%s with trust %d",
+ "%s with trust %s",
val->frdataset.type == dns_rdatatype_ds ?
"dsset" : "ds non-existance",
- val->frdataset.trust);
+ dns_trust_totext(val->frdataset.trust));
have_dsset = ISC_TF(val->frdataset.type == dns_rdatatype_ds);
name = dns_fixedname_name(&val->fname);
if ((val->attributes & VALATTR_INSECURITY) != 0 &&
val->frdataset.covers == dns_rdatatype_ds &&
- val->frdataset.type == 0 &&
+ NEGATIVE(&val->frdataset) &&
isdelegation(name, &val->frdataset, DNS_R_NCACHENXRRSET)) {
if (val->mustbesecure) {
validator_log(val, ISC_LOG_WARNING,
@@ -810,8 +815,8 @@ cnamevalidated(isc_task_t *task, isc_event_t *event) {
if (CANCELED(val)) {
validator_done(val, ISC_R_CANCELED);
} else if (eresult == ISC_R_SUCCESS) {
- validator_log(val, ISC_LOG_DEBUG(3), "cname with trust %d",
- val->frdataset.trust);
+ validator_log(val, ISC_LOG_DEBUG(3), "cname with trust %s",
+ dns_trust_totext(val->frdataset.trust));
result = proveunsecure(val, ISC_FALSE, ISC_TRUE);
if (result != DNS_R_WAIT)
validator_done(val, result);
@@ -1441,8 +1446,8 @@ view_find(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type) {
INSIST(type == dns_rdatatype_dlv);
if (val->frdataset.trust != dns_trust_secure) {
validator_log(val, ISC_LOG_DEBUG(3),
- "covering nsec: trust %u",
- val->frdataset.trust);
+ "covering nsec: trust %s",
+ dns_trust_totext(val->frdataset.trust));
goto notfound;
}
result = dns_rdataset_first(&val->frdataset);
@@ -1777,8 +1782,8 @@ get_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo) {
* See if we've got the key used in the signature.
*/
validator_log(val, ISC_LOG_DEBUG(3),
- "keyset with trust %d",
- val->frdataset.trust);
+ "keyset with trust %s",
+ dns_trust_totext(val->frdataset.trust));
result = get_dst_key(val, siginfo, val->keyset);
if (result != ISC_R_SUCCESS) {
/*
@@ -2552,8 +2557,11 @@ validatezonekey(dns_validator_t *val) {
" insecure DS");
return (DNS_R_MUSTBESECURE);
}
- markanswer(val, "validatezonekey (2)");
- return (ISC_R_SUCCESS);
+ if (val->view->dlv == NULL || DLVTRIED(val)) {
+ markanswer(val, "validatezonekey (2)");
+ return (ISC_R_SUCCESS);
+ }
+ return (startfinddlvsep(val, val->event->name));
}
/*
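Review bot: The new branch changes how a proven-insecure DS is handled: instead of marking the answer immediately, the validator now starts a DLV lookup and only falls back to markanswer() once DLV is unconfigured or already attempted, which deserves a comment at the `if`, e.g. `/* No DS at the parent: consult DLV before accepting the answer as insecure, unless DLV was already tried. */`. The DLVTRIED guard is what stops this path re-entering itself after startfinddlvsep() completes, and that is worth saying so nobody removes it. validatezonekey begins and ends outside the hunk.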
@@ -3288,7 +3296,8 @@ dlvvalidated(isc_task_t *task, isc_event_t *event) {
validator_done(val, ISC_R_CANCELED);
} else if (eresult == ISC_R_SUCCESS) {
validator_log(val, ISC_LOG_DEBUG(3),
- "dlvset with trust %d", val->frdataset.trust);
+ "dlvset with trust %s",
+ dns_trust_totext(val->frdataset.trust));
dns_rdataset_clone(&val->frdataset, &val->dlv);
val->havedlvsep = ISC_TRUE;
if (dlv_algorithm_supported(val))
@@ -4038,7 +4047,7 @@ validator_start(isc_task_t *task, isc_event_t *event) {
val->attributes |= VALATTR_NEEDNODATA;
result = nsecvalidate(val, ISC_FALSE);
} else if (val->event->rdataset != NULL &&
- val->event->rdataset->type == 0)
+ NEGATIVE(val->event->rdataset))
{
/*
* This is a nonexistence validation.
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 06c7b581..651289a0 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: zone.c,v 1.582.8.16 2011-04-29 21:42:00 each Exp $ */
+/* $Id: zone.c,v 1.582.8.20 2011-05-26 04:25:09 each Exp $ */
/*! \file */
@@ -109,12 +109,20 @@
#define NSEC3REMOVE(x) (((x) & DNS_NSEC3FLAG_REMOVE) != 0)
+/*%
+ * Key flags
+ */
+#define REVOKE(x) ((dst_key_flags(x) & DNS_KEYFLAG_REVOKE) != 0)
+#define KSK(x) ((dst_key_flags(x) & DNS_KEYFLAG_KSK) != 0)
+#define ALG(x) dst_key_alg(x)
+
/*
* Default values.
*/
#define DNS_DEFAULT_IDLEIN 3600 /*%< 1 hour */
#define DNS_DEFAULT_IDLEOUT 3600 /*%< 1 hour */
#define MAX_XFER_TIME (2*3600) /*%< Documented default is 2 hours */
+#define RESIGN_DELAY 3600 /*%< 1 hour */
#ifndef DNS_MAX_EXPIRE
#define DNS_MAX_EXPIRE 14515200 /*%< 24 weeks */
@@ -213,6 +221,7 @@ struct dns_zone {
isc_uint32_t expire;
isc_uint32_t minimum;
isc_stdtime_t key_expiry;
+ isc_stdtime_t log_key_expired_timer;
char *keydirectory;
isc_uint32_t maxrefresh;
@@ -660,6 +669,8 @@ static isc_result_t delete_nsec(dns_db_t *db, dns_dbversion_t *ver,
dns_dbnode_t *node, dns_name_t *name,
dns_diff_t *diff);
static void zone_rekey(dns_zone_t *zone);
+static isc_boolean_t delsig_ok(dns_rdata_rrsig_t *rrsig_ptr,
+ dst_key_t **keys, unsigned int nkeys);
#define ENTER zone_debuglog(zone, me, 1, "enter")
@@ -805,6 +816,7 @@ dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx) {
zone->timer = NULL;
zone->idlein = DNS_DEFAULT_IDLEIN;
zone->idleout = DNS_DEFAULT_IDLEOUT;
+ zone->log_key_expired_timer = 0;
ISC_LIST_INIT(zone->notifies);
isc_sockaddr_any(&zone->notifysrc4);
isc_sockaddr_any6(&zone->notifysrc6);
@@ -3582,6 +3594,39 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
resume_signingwithkey(zone);
resume_addnsec3chain(zone);
}
+
+ if (zone->type == dns_zone_master &&
+ zone_isdynamic(zone) &&
+ dns_db_issecure(db)) {
+ dns_name_t *name;
+ dns_fixedname_t fixed;
+ dns_rdataset_t next;
+
+ dns_rdataset_init(&next);
+ dns_fixedname_init(&fixed);
+ name = dns_fixedname_name(&fixed);
+
+ result = dns_db_getsigningtime(db, &next, name);
+ if (result == ISC_R_SUCCESS) {
+ isc_stdtime_t timenow;
+ char namebuf[DNS_NAME_FORMATSIZE];
+ char typebuf[DNS_RDATATYPE_FORMATSIZE];
+
+ isc_stdtime_get(&timenow);
+ dns_name_format(name, namebuf, sizeof(namebuf));
+ dns_rdatatype_format(next.covers,
+ typebuf, sizeof(typebuf));
+ dns_zone_log(zone, ISC_LOG_DEBUG(3),
+ "next resign: %s/%s in %d seconds",
+ namebuf, typebuf,
+ next.resign - timenow);
+ dns_rdataset_disassociate(&next);
+ } else
+ dns_zone_log(zone, ISC_LOG_WARNING,
+ "signed dynamic zone has no "
+ "resign event scheduled");
+ }
+
zone_settimer(zone, &now);
}
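Review bot: `next.resign - timenow` is printed with `%d` but both operands appear to be isc_stdtime_t (unsigned), so an already-overdue resign time prints as a wrapped value and the format and argument types disagree; cast explicitly, `(int)(next.resign - timenow)`, or use `%u` if an overdue entry is impossible here. The WARNING on the else path fires for every non-success result of dns_db_getsigningtime(), not just ISC_R_NOTFOUND, so a transient failure would be reported as "no resign event scheduled"; including dns_result_totext(result) in the message would make that distinguishable. zone_postload continues outside the hunk.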
@@ -4513,13 +4558,38 @@ set_key_expiry_warning(dns_zone_t *zone, isc_stdtime_t when, isc_stdtime_t now)
}
/*
+ * Helper function to del_sigs(). We don't want to delete RRSIGs that
+ * have no new key.
+ */
+static isc_boolean_t
+delsig_ok(dns_rdata_rrsig_t *rrsig_ptr, dst_key_t **keys, unsigned int nkeys) {
+ unsigned int i = 0;
+
+ for (i = 0; i < nkeys; i++) {
+ if ((rrsig_ptr->algorithm == dst_key_alg(keys[i])) &&
+ (rrsig_ptr->keyid != dst_key_id(keys[i]))) {
+ if ((dst_key_isprivate(keys[i])) && !KSK(keys[i])) {
+ /*
+ * Success - found a private key, which
+ * means it is an active key and thus, it
+ * is OK to delete the RRSIG
+ */
+ return (ISC_TRUE);
+ }
+ }
+ }
+
+ return (ISC_FALSE);
+}
+
+/*
* Delete expired RRsigs and any RRsigs we are about to re-sign.
* See also update.c:del_keysigs().
*/
static isc_result_t
del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
dns_rdatatype_t type, dns_diff_t *diff, dst_key_t **keys,
- unsigned int nkeys, isc_stdtime_t now)
+ unsigned int nkeys, isc_stdtime_t now, isc_boolean_t incremental)
{
isc_result_t result;
dns_dbnode_t *node = NULL;
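Review bot: delsig_ok() only approves a deletion when some active key of the same algorithm has a keyid different from the one that made the RRSIG (`rrsig_ptr->keyid != dst_key_id(keys[i])`), so a zone with a single active ZSK per algorithm never gets ISC_TRUE for its own signatures. In del_sigs that means an expiring RRSIG made by a perfectly active key is kept, logged as "not active and there is no replacement", and, unless add_sigs (outside the hunk) skips keys that already have a signature, a fresh RRSIG is added beside the stale one. The in-loop comment also equates "has a private key" with "active", which holds only if the caller filtered the key list by its timing metadata; state that as an assumption rather than a fact. The decision should rest on algorithm and key role only:
```c
static isc_boolean_t
delsig_ok(dns_rdata_rrsig_t *rrsig_ptr, dst_key_t **keys, unsigned int nkeys) {
	unsigned int i;

	/*
	 * A signature may be dropped when an active (private, non-KSK) key
	 * of the same algorithm exists to replace it.  The signing key
	 * itself still being active is the common case and must count.
	 * Assumes 'keys' holds only keys the caller considers active.
	 */
	for (i = 0; i < nkeys; i++) {
		if (rrsig_ptr->algorithm != dst_key_alg(keys[i]))
			continue;
		if (dst_key_isprivate(keys[i]) && !KSK(keys[i]))
			return (ISC_TRUE);
	}
	return (ISC_FALSE);
}
```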
@@ -4561,13 +4631,54 @@ del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
RUNTIME_CHECK(result == ISC_R_SUCCESS);
if (type != dns_rdatatype_dnskey) {
- result = update_one_rr(db, ver, diff,
+ if(delsig_ok(&rrsig, keys, nkeys)) {
+ result = update_one_rr(db, ver, diff,
DNS_DIFFOP_DELRESIGN, name,
rdataset.ttl, &rdata);
- dns_rdata_reset(&rdata);
- if (result != ISC_R_SUCCESS)
- break;
- continue;
+ if (incremental)
+ dns_db_resigned(db, &rdataset, ver);
+ dns_rdata_reset(&rdata);
+ if (result != ISC_R_SUCCESS)
+ break;
+ continue;
+ } else {
+ /*
+ * At this point, we've got an RRSIG,
+ * which is signed by an inactive key.
+ * An administrator needs to provide a new
+ * key/alg, but until that time, we want to
+ * keep the old RRSIG. Resetting the timer
+ * here will ensure that we don't
+ * constantly recheck this expired record.
+ *
+ * Note: dns_db_setsigningtime() will
+ * assert if called after dns_db_resigned().
+ */
+ if (incremental) {
+ isc_stdtime_t recheck = now +
+ RESIGN_DELAY;
+ dns_db_setsigningtime(db, &rdataset,
+ recheck);
+ }
+
+ /*
+ * log the key id and algorithm of
+ * the inactive key with no replacement
+ */
+ if((isc_log_getdebuglevel(dns_lctx) > 3) ||
+ (zone->log_key_expired_timer <= now)) {
+ dns_zone_log(zone, ISC_LOG_WARNING,
+ "del_sigs(): "
+ "keyid: %u/algorithm: %u "
+ "is not active and there "
+ "is no replacement. "
+ "Not deleting.",
+ rrsig.keyid,
+ rrsig.algorithm);
+ zone->log_key_expired_timer = now +
+ 3600;
+ }
+ }
}
/*
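Review bot: The log throttle on the new else path uses a bare `now + 3600` while the recheck a few lines above uses the named RESIGN_DELAY, and nothing says whether the two are meant to coincide; give the interval a name, `zone->log_key_expired_timer = now + RESIGN_DELAY;` or a dedicated constant if they are independent. The result of dns_db_setsigningtime() is discarded, so a failed reschedule would silently leave the record outside the resign heap with no further attempt; at least check it and log at ERROR. `if(delsig_ok(` and `if((isc_log_getdebuglevel(` depart from the file's `if (` spacing. del_sigs continues outside the hunk.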
@@ -4671,10 +4782,6 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
goto failure;
}
-#define REVOKE(x) ((dst_key_flags(x) & DNS_KEYFLAG_REVOKE) != 0)
-#define KSK(x) ((dst_key_flags(x) & DNS_KEYFLAG_KSK) != 0)
-#define ALG(x) dst_key_alg(x)
-
for (i = 0; i < nkeys; i++) {
isc_boolean_t both = ISC_FALSE;
@@ -4813,6 +4920,8 @@ zone_resigninc(dns_zone_t *zone) {
while (result == ISC_R_SUCCESS) {
resign = rdataset.resign;
covers = rdataset.covers;
+ dns_rdataset_disassociate(&rdataset);
+
/*
* Stop if we hit the SOA as that means we have walked the
* entire zone. The SOA record should always be the most
@@ -4820,27 +4929,18 @@ zone_resigninc(dns_zone_t *zone) {
*/
/* XXXMPA increase number of RRsets signed pre call */
if (covers == dns_rdatatype_soa || i++ > zone->signatures ||
- resign > stop) {
- /*
- * Ensure that we don't loop resigning the SOA.
- */
- if (covers == dns_rdatatype_soa)
- dns_db_resigned(db, &rdataset, version);
- dns_rdataset_disassociate(&rdataset);
+ resign > stop)
break;
- }
-
- dns_db_resigned(db, &rdataset, version);
- dns_rdataset_disassociate(&rdataset);
result = del_sigs(zone, db, version, name, covers, &sig_diff,
- zone_keys, nkeys, now);
+ zone_keys, nkeys, now, ISC_TRUE);
if (result != ISC_R_SUCCESS) {
dns_zone_log(zone, ISC_LOG_ERROR,
"zone_resigninc:del_sigs -> %s\n",
dns_result_totext(result));
break;
}
+
result = add_sigs(db, version, name, covers, &sig_diff,
zone_keys, nkeys, zone->mctx, inception,
expire, check_ksk, keyset_kskonly);
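Review bot: The deleted comment "Ensure that we don't loop resigning the SOA" explained why dns_db_resigned() was called on the SOA before breaking; now nothing in the loop marks the SOA, and a reader has to discover that the trailing del_sigs(..., ISC_TRUE) pass does it through its own dns_db_resigned() call, but only when delsig_ok() approves the deletion and otherwise merely pushes the SOA RESIGN_DELAY ahead. A comment at the `break`, e.g. `/* The SOA is re-signed (and marked resigned) by the del_sigs/add_sigs pass after the loop. */`, would preserve the lost rationale. zone_resigninc begins and ends outside the hunk.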
@@ -4866,7 +4966,7 @@ zone_resigninc(dns_zone_t *zone) {
goto failure;
result = del_sigs(zone, db, version, &zone->origin, dns_rdatatype_soa,
- &sig_diff, zone_keys, nkeys, now);
+ &sig_diff, zone_keys, nkeys, now, ISC_TRUE);
if (result != ISC_R_SUCCESS) {
dns_zone_log(zone, ISC_LOG_ERROR,
"zone_resigninc:del_sigs -> %s\n",
@@ -5583,7 +5683,7 @@ update_sigs(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *version,
tuple = ISC_LIST_HEAD(diff->tuples)) {
result = del_sigs(zone, db, version, &tuple->name,
tuple->rdata.type, sig_diff,
- zone_keys, nkeys, now);
+ zone_keys, nkeys, now, ISC_FALSE);
if (result != ISC_R_SUCCESS) {
dns_zone_log(zone, ISC_LOG_ERROR,
"update_sigs:del_sigs -> %s\n",
@@ -6239,7 +6339,7 @@ zone_nsec3chain(dns_zone_t *zone) {
goto done;
result = del_sigs(zone, db, version, &zone->origin, dns_rdatatype_soa,
- &sig_diff, zone_keys, nkeys, now);
+ &sig_diff, zone_keys, nkeys, now, ISC_FALSE);
if (result != ISC_R_SUCCESS) {
dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
"del_sigs -> %s\n", dns_result_totext(result));
@@ -6800,7 +6900,7 @@ zone_sign(dns_zone_t *zone) {
commit = ISC_TRUE;
result = del_sigs(zone, db, version, &zone->origin, dns_rdatatype_soa,
- &sig_diff, zone_keys, nkeys, now);
+ &sig_diff, zone_keys, nkeys, now, ISC_FALSE);
if (result != ISC_R_SUCCESS) {
dns_zone_log(zone, ISC_LOG_ERROR,
"zone_sign:del_sigs -> %s\n",
@@ -13580,7 +13680,8 @@ rr_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
*/
static isc_result_t
add_signing_records(dns_db_t *db, dns_rdatatype_t privatetype,
- dns_dbversion_t *ver, dns_diff_t *diff)
+ dns_dbversion_t *ver, dns_diff_t *diff,
+ isc_boolean_t sign_all)
{
dns_difftuple_t *tuple, *newtuple = NULL;
dns_rdata_dnskey_t dnskey;
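Review bot: The new `sign_all` parameter is not documented anywhere in the hunk, and what it controls is only discoverable from the body further down, where a signing record is added for every DNSKEY tuple when it is true but only for DNS_DIFFOP_DEL tuples when it is false. The function's header comment closes just above the signature (the `*/` context line), so I would extend it with: `'sign_all': when true, add a private-type signing record for every DNSKEY in 'diff' (new algorithm or full re-sign requested); when false, only removed keys get a record so their signatures are cleaned up, and keys added for an algorithm already in use are picked up incrementally.` The body of add_signing_records continues past this hunk.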
@@ -13619,13 +13720,16 @@ add_signing_records(dns_db_t *db, dns_rdatatype_t privatetype,
rdata.type = privatetype;
rdata.rdclass = tuple->rdata.rdclass;
- CHECK(rr_exists(db, ver, name, &rdata, &flag));
- if (flag)
- continue;
- CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
- name, 0, &rdata, &newtuple));
- CHECK(do_one_tuple(&newtuple, db, ver, diff));
- INSIST(newtuple == NULL);
+ if (sign_all || tuple->op == DNS_DIFFOP_DEL) {
+ CHECK(rr_exists(db, ver, name, &rdata, &flag));
+ if (flag)
+ continue;
+ CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
+ name, 0, &rdata, &newtuple));
+ CHECK(do_one_tuple(&newtuple, db, ver, diff));
+ INSIST(newtuple == NULL);
+ }
+
/*
* Remove any record which says this operation has already
* completed.
@@ -13686,7 +13790,7 @@ sign_apex(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
if (tuple == NULL) {
result = del_sigs(zone, db, ver, &zone->origin,
dns_rdatatype_dnskey, sig_diff,
- zone_keys, nkeys, now);
+ zone_keys, nkeys, now, ISC_FALSE);
if (result != ISC_R_SUCCESS) {
dns_zone_log(zone, ISC_LOG_ERROR,
"sign_apex:del_sigs -> %s\n",
@@ -13862,6 +13966,7 @@ zone_rekey(dns_zone_t *zone) {
dns_dnsseckey_t *key;
dns_diff_t diff, sig_diff;
isc_boolean_t commit = ISC_FALSE, newactive = ISC_FALSE;
+ isc_boolean_t newalg = ISC_FALSE;
isc_boolean_t fullsign;
dns_ttl_t ttl = 3600;
const char *dir;
@@ -13939,12 +14044,34 @@ zone_rekey(dns_zone_t *zone) {
goto trylater;
}
- /* See if any pre-existing keys have newly become active */
+ /* See if any pre-existing keys have newly become active;
+ * also, see if any new key is for a new algorithm, as in that
+ * event, we need to sign the zone fully. (If there's a new
+ * key, but it's for an already-existing algorithm, then
+ * the zone signing can be handled incrementally.)
+ */
for (key = ISC_LIST_HEAD(dnskeys);
key != NULL;
key = ISC_LIST_NEXT(key, link)) {
- if (key->first_sign) {
- newactive = ISC_TRUE;
+ if (!key->first_sign)
+ continue;
+
+ newactive = ISC_TRUE;
+
+ if (!dns_rdataset_isassociated(&keysigs)) {
+ newalg = ISC_TRUE;
+ break;
+ }
+
+ if (signed_with_alg(&keysigs, dst_key_alg(key->key))) {
+ /*
+ * This isn't a new algorithm; clear
+ * first_sign so we won't sign the
+ * whole zone with this key later
+ */
+ key->first_sign = ISC_FALSE;
+ } else {
+ newalg = ISC_TRUE;
break;
}
}
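Review bot: The block comment introduced at `/* See if any pre-existing keys have newly become active;` puts text on the opening `/*` line, whereas the rest of this file (including the comment inside the same loop and the one this hunk moves from later in zone_rekey) opens multi-line comments with `/*` on its own line followed by ` * ` continuation lines. I would reformat it as `/*` on the first line, then ` * See if any pre-existing keys have newly become active;` and the remaining lines unchanged, so the moved code matches the surrounding style. zone_rekey continues outside this hunk.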
@@ -13953,8 +14080,9 @@ zone_rekey(dns_zone_t *zone) {
dnskey_sane(zone, db, ver, &diff)) {
CHECK(dns_diff_apply(&diff, db, ver));
CHECK(clean_nsec3param(zone, db, ver, &diff));
- CHECK(add_signing_records(db, zone->privatetype, ver,
- &diff));
+ CHECK(add_signing_records(db, zone->privatetype,
+ ver, &diff,
+ ISC_TF(newalg || fullsign)));
CHECK(increment_soa_serial(db, ver, &diff, mctx));
CHECK(add_chains(zone, db, ver, &diff));
CHECK(sign_apex(zone, db, ver, &diff, &sig_diff));
@@ -13968,8 +14096,6 @@ zone_rekey(dns_zone_t *zone) {
if (commit) {
isc_time_t timenow;
dns_difftuple_t *tuple;
- isc_boolean_t newkey = ISC_FALSE;
- isc_boolean_t newalg = ISC_FALSE;
LOCK_ZONE(zone);
DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
@@ -13979,38 +14105,6 @@ zone_rekey(dns_zone_t *zone) {
TIME_NOW(&timenow);
zone_settimer(zone, &timenow);
- /*
- * Has a new key become active? If so, is it for
- * a new algorithm? In that event, we need to sign the
- * zone fully. If there's a new key, but it's for an
- * already-existing algorithm, then the zone signing
- * can be handled incrementally.
- */
- for (key = ISC_LIST_HEAD(dnskeys);
- key != NULL;
- key = ISC_LIST_NEXT(key, link)) {
- if (!key->first_sign)
- continue;
-
- newkey = ISC_TRUE;
- if (!dns_rdataset_isassociated(&keysigs)) {
- newalg = ISC_TRUE;
- break;
- }
-
- if (signed_with_alg(&keysigs, dst_key_alg(key->key))) {
- /*
- * This isn't a new algorithm; clear
- * first_sign so we won't sign the
- * whole zone with this key later
- */
- key->first_sign = ISC_FALSE;
- } else {
- newalg = ISC_TRUE;
- break;
- }
- }
-
/* Remove any signatures from removed keys. */
if (!ISC_LIST_EMPTY(rmkeys)) {
for (key = ISC_LIST_HEAD(rmkeys);
@@ -14028,7 +14122,6 @@ zone_rekey(dns_zone_t *zone) {
}
}
-
if (fullsign) {
/*
* "rndc sign" was called, so we now sign the zone
diff --git a/lib/isccfg/api b/lib/isccfg/api
index 7b4c18c4..455e33e4 100644
--- a/lib/isccfg/api
+++ b/lib/isccfg/api
@@ -1,3 +1,3 @@
LIBINTERFACE = 81
-LIBREVISION = 2
+LIBREVISION = 3
LIBAGE = 1
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index d25f3d8f..46afd168 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: namedconf.c,v 1.131.8.3 2011-05-07 05:53:24 each Exp $ */
+/* $Id: namedconf.c,v 1.131.8.4 2011-05-23 20:56:11 each Exp $ */
/*! \file */
@@ -542,8 +542,7 @@ static cfg_type_t cfg_type_bracketed_sockaddrlist = {
&cfg_rep_list, &cfg_type_sockaddr
};
-static const char *autodnssec_enums[] = { "allow", "maintain", "create",
- "off", NULL };
+static const char *autodnssec_enums[] = { "allow", "maintain", "off", NULL };
static cfg_type_t cfg_type_autodnssec = {
"autodnssec", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum,
&cfg_rep_string, &autodnssec_enums
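Review bot: Removing `"create"` from `autodnssec_enums` turns an existing `auto-dnssec create;` statement into a hard parse error, so a named.conf that still carries it will stop loading after the upgrade instead of getting a deprecation warning. Whether that value was ever functional is not visible from this hunk; if the removal is intended it should be called out in the release notes, otherwise keeping the token in the enum and rejecting it with a logged warning during zone configuration would give operators a softer landing. The array definition is fully contained in this hunk.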