diff --git a/lib/dns/Makefile.am b/lib/dns/Makefile.am
index a93feaebfb..d76a2028d2 100644
--- a/lib/dns/Makefile.am
+++ b/lib/dns/Makefile.am
@@ -136,7 +136,6 @@ libdns_la_HEADERS = \
 include/dns/view.h \
 include/dns/xfrin.h \
 include/dns/zone.h \
- include/dns/zonekey.h \
 include/dns/zoneverify.h \
 include/dns/zt.h
@@ -255,7 +254,6 @@ libdns_la_SOURCES = \
 zone.c \
 zone_p.h \
 zoneverify.c \
- zonekey.c \
 zt.c
 if HAVE_GSSAPI
diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c
index b609f60f66..a463752edb 100644
--- a/lib/dns/dnssec.c
+++ b/lib/dns/dnssec.c
@@ -1101,6 +1101,41 @@ dns_dnssec_signs(dns_rdata_t *rdata, const dns_name_t *name,
 return false;
 }
+bool
+dns_dnssec_iszonekey(dns_rdata_dnskey_t *key) {
+ return (key->flags & DNS_KEYFLAG_OWNERMASK) == DNS_KEYOWNER_ZONE &&
+ (key->flags & DNS_KEYTYPE_NOAUTH) == 0 &&
+ (key->protocol == DNS_KEYPROTO_DNSSEC ||
+ key->protocol == DNS_KEYPROTO_ANY);
+}
+
+bool
+dns_dnssec_haszonekey(dns_rdataset_t *keyset) {
+ isc_result_t result;
+
+ REQUIRE(keyset != NULL);
+
+ if (keyset->type != dns_rdatatype_dnskey) {
+ return false;
+ }
+
+ for (result = dns_rdataset_first(keyset); result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(keyset))
+ {
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_rdata_dnskey_t key;
+
+ dns_rdataset_current(keyset, &rdata);
+ dns_rdata_tostruct(&rdata, &key, NULL); /* can't fail */
+
+ if (dns_dnssec_iszonekey(&key)) {
+ return true;
+ }
+ }
+
+ return false;
+}
+
 void
 dns_dnsseckey_create(isc_mem_t *mctx, dst_key_t **dstkey,
 dns_dnsseckey_t **dkp) {
diff --git a/lib/dns/include/dns/dnssec.h b/lib/dns/include/dns/dnssec.h
index 56f006f664..400e002338 100644
--- a/lib/dns/include/dns/dnssec.h
+++ b/lib/dns/include/dns/dnssec.h
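Review bot: `dns_dnssec_iszonekey` dereferences `key` without a `REQUIRE(key != NULL);`, although the header comment added in this patch lists 'key' is not NULL as a requirement and the sibling `dns_dnssec_haszonekey` does assert its argument; add the REQUIRE so the two new functions enforce their documented contracts the same way. The parameter is only read, so `const dns_rdata_dnskey_t *key` would state that in the signature. In `dns_dnssec_haszonekey` the `dns_rdata_tostruct` result is discarded with `/* can't fail */`, whereas the `dns_zonekey_iszonekey` it replaces (deleted later in this patch) returned false when that call failed; if the claim rests on the DNSKEY tostruct being infallible when no mctx is passed, say so in the comment, otherwise keep the result check.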
@@ -242,6 +242,24 @@ dns_dnssec_signs(dns_rdata_t *rdata, const dns_name_t *name,
 * rrset. dns_dnssec_signs() works on any rrset.
 */
+bool
+dns_dnssec_iszonekey(dns_rdata_dnskey_t *key);
+/*%<
+ * Verify that 'key' is a DNSSEC key with the DNS_KEYOWNER_ZONE flag set.
+ *
+ * Requires:
+ *\li 'key' is not NULL.
+ */
+
+bool
+dns_dnssec_haszonekey(dns_rdataset_t *keyset);
+/*%<
+ * Verify that 'keyset' includes at least one zone key.
+ *
+ * Requires:
+ *\li 'keyset' is not NULL.
+ */
+
 void
 dns_dnsseckey_create(isc_mem_t *mctx, dst_key_t **dstkey,
 dns_dnsseckey_t **dkp);
diff --git a/lib/dns/include/dns/zonekey.h b/lib/dns/include/dns/zonekey.h
deleted file mode 100644
index 5b1b30a73d..0000000000
--- a/lib/dns/include/dns/zonekey.h
+++ /dev/null
@@ -1,29 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-#pragma once
-
-/*! \file dns/zonekey.h */
-
-#include
-
-#include
-
-bool
-dns_zonekey_iszonekey(dns_rdata_t *keyrdata);
-/*%<
- * Determines if the key record contained in the rdata is a zone key.
- *
- * Requires:
- * 'keyrdata' is not NULL.
- */
diff --git a/lib/dns/qpcache.c b/lib/dns/qpcache.c
index 03d0abd73b..5ec6bc66db 100644
--- a/lib/dns/qpcache.c
+++ b/lib/dns/qpcache.c
@@ -55,7 +55,6 @@
 #include
 #include
 #include
-#include
 #include "db_p.h"
 #include "qpcache_p.h"
diff --git a/lib/dns/qpzone.c b/lib/dns/qpzone.c
index d4570d689a..dacd281dfa 100644
--- a/lib/dns/qpzone.c
+++ b/lib/dns/qpzone.c
@@ -43,6 +43,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
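Review bot: The comment on `dns_dnssec_iszonekey` says it checks for the DNS_KEYOWNER_ZONE flag, but the implementation added to dnssec.c in this patch also rejects keys with DNS_KEYTYPE_NOAUTH set and keys whose protocol is neither DNS_KEYPROTO_DNSSEC nor DNS_KEYPROTO_ANY; a caller reading only the header would assume a flags-only test. Suggest ` * Determine whether 'key' is a zone key: owner type DNS_KEYOWNER_ZONE, DNS_KEYTYPE_NOAUTH clear, and protocol DNS_KEYPROTO_DNSSEC or DNS_KEYPROTO_ANY.` Likewise `dns_dnssec_haszonekey` returns false, rather than asserting, when 'keyset' is not a DNSKEY rdataset, which belongs in its comment since that type check is the only guard before the set is iterated, e.g. ` * Returns false if 'keyset' is not of type DNSKEY.`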
@@ -58,7 +59,6 @@
 #include
 #include
 #include
-#include
 #include "db_p.h"
 #include "qpzone_p.h"
@@ -1143,25 +1143,17 @@ setsecure(dns_db_t *db, qpz_version_t *version, dns_dbnode_t *origin) {
 bool hasnsec = false;
 isc_result_t result;
+ version->secure = false;
+ version->havensec3 = false;
+
 dns_rdataset_init(&keyset);
 result = dns_db_findrdataset(db, origin, (dns_dbversion_t *)version,
 dns_rdatatype_dnskey, 0, 0, &keyset, NULL);
 if (result == ISC_R_SUCCESS) {
- result = dns_rdataset_first(&keyset);
- while (result == ISC_R_SUCCESS) {
- dns_rdata_t keyrdata = DNS_RDATA_INIT;
- dns_rdataset_current(&keyset, &keyrdata);
- if (dns_zonekey_iszonekey(&keyrdata)) {
- haszonekey = true;
- break;
- }
- result = dns_rdataset_next(&keyset);
- }
+ haszonekey = dns_dnssec_haszonekey(&keyset);
 dns_rdataset_disassociate(&keyset);
 }
 if (!haszonekey) {
- version->secure = false;
- version->havensec3 = false;
 return;
 }
@@ -1181,12 +1173,11 @@ setsecure(dns_db_t *db, qpz_version_t *version, dns_dbnode_t *origin) {
 setnsec3parameters(db, version);
 /*
- * Do we have a valid NSEC/NSEC3 chain?
+ * If we don't have a valid NSEC/NSEC3 chain,
+ * clear the secure flag.
 */
 if (version->havensec3 || hasnsec) {
 version->secure = true;
- } else {
- version->secure = false;
 }
 }
diff --git a/lib/dns/zonekey.c b/lib/dns/zonekey.c
deleted file mode 100644
index 310bf889bf..0000000000
--- a/lib/dns/zonekey.c
+++ /dev/null
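Review bot: The rewritten comment `If we don't have a valid NSEC/NSEC3 chain, clear the secure flag.` describes the `else` branch this hunk deletes; the code under it now only sets `version->secure = true`, and the clearing happens at the top of setsecure in the previous hunk, so a reader of this hunk alone will look for a clear that is not there. Suggest ` * 'secure' was cleared on entry; mark the version secure only if we have a valid NSEC/NSEC3 chain.` Both setsecure hunks cut through the function, whose declarations and the NSEC lookup between the hunks are outside the shown lines.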
@@ -1,54 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-/*! \file */
-
-#include
-
-#include
-#include
-#include
-
-#include
-#include
-#include
-#include
-#include
-
-bool
-dns_zonekey_iszonekey(dns_rdata_t *keyrdata) {
- isc_result_t result;
- dns_rdata_dnskey_t key;
- bool iszonekey = true;
-
- REQUIRE(keyrdata != NULL);
-
- result = dns_rdata_tostruct(keyrdata, &key, NULL);
- if (result != ISC_R_SUCCESS) {
- return false;
- }
-
- if ((key.flags & DNS_KEYTYPE_NOAUTH) != 0) {
- iszonekey = false;
- }
- if ((key.flags & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE) {
- iszonekey = false;
- }
- if (key.protocol != DNS_KEYPROTO_DNSSEC &&
- key.protocol != DNS_KEYPROTO_ANY)
- {
- iszonekey = false;
- }
-
- return iszonekey;
-}