diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index 3d3e6f80f1..2747c627fd 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -3227,7 +3227,7 @@ main(int argc, char *argv[]) {
 isc_time_t timer_start, timer_finish;
 isc_time_t sign_start, sign_finish;
 dns_dnsseckey_t *key;
- isc_result_t result;
+ isc_result_t result, vresult;
 isc_log_t *log = NULL;
 #ifdef USE_PKCS11
 const char *engine = PKCS11_ENGINE;
@@ -3912,9 +3912,18 @@ main(int argc, char *argv[]) {
 postsign();
 TIME_NOW(&sign_finish);
- if (!disable_zone_check)
- dns_zoneverify_dnssec(NULL, gdb, gversion, gorigin, mctx,
- ignore_kskflag, keyset_kskonly);
+ if (disable_zone_check) {
+ vresult = ISC_R_SUCCESS;
+ } else {
+ vresult = dns_zoneverify_dnssec(NULL, gdb, gversion, gorigin,
+ mctx, ignore_kskflag,
+ keyset_kskonly);
+ if (vresult != ISC_R_SUCCESS) {
+ fprintf(output_stdout ? stderr : stdout,
+ "Zone verification failed (%s)\n",
+ isc_result_totext(vresult));
+ }
+ }
 if (outputformat != dns_masterformat_text) {
 dns_masterrawheader_t header;
@@ -3940,12 +3949,16 @@ main(int argc, char *argv[]) {
 check_result(result, "isc_stdio_close");
 removefile = ISC_FALSE;
- result = isc_file_rename(tempfile, output);
- if (result != ISC_R_SUCCESS)
- fatal("failed to rename temp file to %s: %s",
- output, isc_result_totext(result));
-
- printf("%s\n", output);
+ if (vresult == ISC_R_SUCCESS) {
+ result = isc_file_rename(tempfile, output);
+ if (result != ISC_R_SUCCESS) {
+ fatal("failed to rename temp file to %s: %s",
+ output, isc_result_totext(result));
+ }
+ printf("%s\n", output);
+ } else {
+ isc_file_remove(tempfile);
+ }
 }
 dns_db_closeversion(gdb, &gversion, ISC_FALSE);
@@ -3985,5 +3998,5 @@ main(int argc, char *argv[]) {
 #ifdef _WIN32
 DestroySockets();
 #endif
- return (0);
+ return (vresult == ISC_R_SUCCESS ? 0 : 1);
 }
diff --git a/bin/dnssec/dnssec-verify.c b/bin/dnssec/dnssec-verify.c
index 48b9e0b186..3fb5fa2c49 100644
--- a/bin/dnssec/dnssec-verify.c
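Review bot: The failure message added in the hunk at -3912 is written to `output_stdout ? stderr : stdout`, so when the zone goes to a file the diagnostic lands on stdout, the same stream that carries the output filename from `printf("%s\n", output)` on success. A caller that reads stdout for the filename without checking the exit status would pick up the error line instead. Sending it to stderr unconditionally, `fprintf(stderr, "Zone verification failed (%s)\n", isc_result_totext(vresult));`, keeps stdout machine-readable. main() begins and ends outside this hunk, so the file may follow a stream convention that is not visible here.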
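Review bot: In the hunk at -3940 the failure branch calls `isc_file_remove(tempfile);` and discards its result after `removefile` has already been set to ISC_FALSE, so a failed removal leaves a signed zone that did not verify on disk with no diagnostic. Checking the result and warning, e.g. `if (isc_file_remove(tempfile) != ISC_R_SUCCESS) fprintf(stderr, "failed to remove %s\n", tempfile);`, would make that visible. The block this hunk sits in opens outside the hunk; if it is the write-to-file case, output to stdout never reaches this guard and the unverified zone has presumably already been written to the stream, with only the exit status reporting the failure. That limitation deserves a comment at this branch or a line in the tool's documentation.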
+++ b/bin/dnssec/dnssec-verify.c
@@ -323,8 +323,8 @@ main(int argc, char *argv[]) {
 result = dns_db_newversion(gdb, &gversion);
 check_result(result, "dns_db_newversion()");
- dns_zoneverify_dnssec(NULL, gdb, gversion, gorigin, mctx,
- ignore_kskflag, keyset_kskonly);
+ result = dns_zoneverify_dnssec(NULL, gdb, gversion, gorigin, mctx,
+ ignore_kskflag, keyset_kskonly);
 dns_db_closeversion(gdb, &gversion, ISC_FALSE);
 dns_db_detach(&gdb);
@@ -338,5 +338,5 @@ main(int argc, char *argv[]) {
 (void) isc_app_finish();
- return (0);
+ return (result == ISC_R_SUCCESS ? 0 : 1);
 }
diff --git a/lib/dns/include/dns/zoneverify.h b/lib/dns/include/dns/zoneverify.h
index 090fcc2f9b..0e491c23dd 100644
--- a/lib/dns/include/dns/zoneverify.h
+++ b/lib/dns/include/dns/zoneverify.h
@@ -31,7 +31,7 @@ ISC_LANG_BEGINDECLS
 * The rest of the zone was signed with at least one of the ZSKs
 * present in the DNSKEY RRSET.
 */
-void
+isc_result_t
 dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
 dns_name_t *origin, isc_mem_t *mctx, isc_boolean_t ignore_kskflag,
diff --git a/lib/dns/zoneverify.c b/lib/dns/zoneverify.c
index 7c847d17c3..b3437156e9 100644
--- a/lib/dns/zoneverify.c
+++ b/lib/dns/zoneverify.c
@@ -1809,7 +1809,7 @@ print_summary(const vctx_t *vctx, isc_boolean_t keyset_kskonly) {
 }
 }
-void
+isc_result_t
 dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
 dns_name_t *origin, isc_mem_t *mctx, isc_boolean_t ignore_kskflag,
@@ -1820,7 +1820,7 @@ dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
 result = vctx_init(&vctx, mctx, zone, db, ver, origin);
 if (result != ISC_R_SUCCESS) {
- return;
+ return (result);
 }
 result = check_apex_rrsets(&vctx);
@@ -1879,4 +1879,6 @@ dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
 done:
 vctx_destroy(&vctx);
+
+ return (result);
 }
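Review bot: In dnssec-verify.c the verification outcome is stored in the general-purpose `result`, which the hunk at -338 then turns into the exit status. Any statement between the two hunks that assigns `result` would silently overwrite a verification failure, and that code is outside the diff. dnssec-signzone.c in the same commit uses a dedicated `vresult` for exactly this purpose. Doing the same here, `vresult = dns_zoneverify_dnssec(...)` and `return (vresult == ISC_R_SUCCESS ? 0 : 1);`, keeps the exit code tied to the check.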
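Review bot: The prototype in zoneverify.h now returns isc_result_t, but the visible tail of the comment block above it does not describe a return value; the start of that comment is outside the hunk. Callers now use the result to decide whether a signed zone is published, so the contract belongs in the header. A line such as `* Returns: ISC_R_SUCCESS if the zone verified; an error code otherwise.` before the closing `*/` would state it.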
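Review bot: The `return (result);` added after `done:` in zoneverify.c reports whatever `result` last held, and the code between `check_apex_rrsets()` and `done:` is outside the hunks. It therefore cannot be confirmed from here that every verification failure leaves a non-success value in `result`. If any step only counts or prints problems without setting `result`, both tools would still exit 0 and dnssec-signzone would rename the zone into place. Each failure path should be checked, and a comment at `done:` such as `/* result must be non-success whenever verification failed */` would record the invariant.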