move dns_zonekey_iszonekey() to dns_dnssec module

dns_zonekey_iszonekey() was the only function defined in the
dns_zonekey module, and was only called from one place. it
makes more sense to group this with dns_dnssec functions.

lib/dns/Makefile.am

@@ -136,7 +136,6 @@ libdns_la_HEADERS =			\
 	include/dns/view.h		\
 	include/dns/xfrin.h		\
 	include/dns/zone.h		\
-	include/dns/zonekey.h		\
 	include/dns/zoneverify.h	\
 	include/dns/zt.h
 
@@ -255,7 +254,6 @@ libdns_la_SOURCES =			\
 	zone.c				\
 	zone_p.h			\
 	zoneverify.c			\
-	zonekey.c			\
 	zt.c
 
 if HAVE_GSSAPI

lib/dns/dnssec.c

@@ -1101,6 +1101,41 @@ dns_dnssec_signs(dns_rdata_t *rdata, const dns_name_t *name,
 	return false;
 }
 
+bool
+dns_dnssec_iszonekey(dns_rdata_dnskey_t *key) {
+	return (key->flags & DNS_KEYFLAG_OWNERMASK) == DNS_KEYOWNER_ZONE &&
+	       (key->flags & DNS_KEYTYPE_NOAUTH) == 0 &&
+	       (key->protocol == DNS_KEYPROTO_DNSSEC ||
+		key->protocol == DNS_KEYPROTO_ANY);
+}
+
+bool
+dns_dnssec_haszonekey(dns_rdataset_t *keyset) {
+	isc_result_t result;
+
+	REQUIRE(keyset != NULL);
+
+	if (keyset->type != dns_rdatatype_dnskey) {
+		return false;
+	}
+
+	for (result = dns_rdataset_first(keyset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(keyset))
+	{
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+		dns_rdata_dnskey_t key;
+
+		dns_rdataset_current(keyset, &rdata);
+		dns_rdata_tostruct(&rdata, &key, NULL); /* can't fail */
+
+		if (dns_dnssec_iszonekey(&key)) {
+			return true;
+		}
+	}
+
+	return false;
+}
+
 void
 dns_dnsseckey_create(isc_mem_t *mctx, dst_key_t **dstkey,
 		     dns_dnsseckey_t **dkp) {

lib/dns/include/dns/dnssec.h

@@ -242,6 +242,24 @@ dns_dnssec_signs(dns_rdata_t *rdata, const dns_name_t *name,
  * rrset.  dns_dnssec_signs() works on any rrset.
  */
 
+bool
+dns_dnssec_iszonekey(dns_rdata_dnskey_t *key);
+/*%<
+ * Verify that 'key' is a DNSSEC key with the DNS_KEYOWNER_ZONE flag set.
+ *
+ * Requires:
+ *\li		'key' is not NULL.
+ */
+
+bool
+dns_dnssec_haszonekey(dns_rdataset_t *keyset);
+/*%<
+ * Verify that 'keyset' includes at least one zone key.
+ *
+ * Requires:
+ *\li		'keyset' is not NULL.
+ */
+
 void
 dns_dnsseckey_create(isc_mem_t *mctx, dst_key_t **dstkey,
 		     dns_dnsseckey_t **dkp);

lib/dns/include/dns/zonekey.h

@@ -1,29 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-#pragma once
-
-/*! \file dns/zonekey.h */
-
-#include <stdbool.h>
-
-#include <dns/types.h>
-
-bool
-dns_zonekey_iszonekey(dns_rdata_t *keyrdata);
-/*%<
- *	Determines if the key record contained in the rdata is a zone key.
- *
- *	Requires:
- *		'keyrdata' is not NULL.
- */

lib/dns/qpcache.c

@@ -55,7 +55,6 @@
 #include <dns/stats.h>
 #include <dns/time.h>
 #include <dns/view.h>
-#include <dns/zonekey.h>
 
 #include "db_p.h"
 #include "qpcache_p.h"

lib/dns/qpzone.c

@@ -43,6 +43,7 @@
 #include <dns/callbacks.h>
 #include <dns/db.h>
 #include <dns/dbiterator.h>
+#include <dns/dnssec.h>
 #include <dns/fixedname.h>
 #include <dns/masterdump.h>
 #include <dns/name.h>
@@ -58,7 +59,6 @@
 #include <dns/time.h>
 #include <dns/view.h>
 #include <dns/zone.h>
-#include <dns/zonekey.h>
 
 #include "db_p.h"
 #include "qpzone_p.h"
@@ -1143,25 +1143,17 @@ setsecure(dns_db_t *db, qpz_version_t *version, dns_dbnode_t *origin) {
 	bool hasnsec = false;
 	isc_result_t result;
 
+	version->secure = false;
+	version->havensec3 = false;
+
 	dns_rdataset_init(&keyset);
 	result = dns_db_findrdataset(db, origin, (dns_dbversion_t *)version,
 				     dns_rdatatype_dnskey, 0, 0, &keyset, NULL);
 	if (result == ISC_R_SUCCESS) {
-		result = dns_rdataset_first(&keyset);
+		haszonekey = dns_dnssec_haszonekey(&keyset);
-		while (result == ISC_R_SUCCESS) {
-			dns_rdata_t keyrdata = DNS_RDATA_INIT;
-			dns_rdataset_current(&keyset, &keyrdata);
-			if (dns_zonekey_iszonekey(&keyrdata)) {
-				haszonekey = true;
-				break;
-			}
-			result = dns_rdataset_next(&keyset);
-		}
 		dns_rdataset_disassociate(&keyset);
 	}
 	if (!haszonekey) {
-		version->secure = false;
-		version->havensec3 = false;
 		return;
 	}
 
@@ -1181,12 +1173,11 @@ setsecure(dns_db_t *db, qpz_version_t *version, dns_dbnode_t *origin) {
 	setnsec3parameters(db, version);
 
 	/*
-	 * Do we have a valid NSEC/NSEC3 chain?
+	 * If we don't have a valid NSEC/NSEC3 chain,
+	 * clear the secure flag.
 	 */
 	if (version->havensec3 || hasnsec) {
 		version->secure = true;
-	} else {
-		version->secure = false;
 	}
 }
 

lib/dns/zonekey.c

@@ -1,54 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-/*! \file */
-
-#include <stdbool.h>
-
-#include <isc/result.h>
-#include <isc/types.h>
-#include <isc/util.h>
-
-#include <dns/keyvalues.h>
-#include <dns/rdata.h>
-#include <dns/rdatastruct.h>
-#include <dns/types.h>
-#include <dns/zonekey.h>
-
-bool
-dns_zonekey_iszonekey(dns_rdata_t *keyrdata) {
-	isc_result_t result;
-	dns_rdata_dnskey_t key;
-	bool iszonekey = true;
-
-	REQUIRE(keyrdata != NULL);
-
-	result = dns_rdata_tostruct(keyrdata, &key, NULL);
-	if (result != ISC_R_SUCCESS) {
-		return false;
-	}
-
-	if ((key.flags & DNS_KEYTYPE_NOAUTH) != 0) {
-		iszonekey = false;
-	}
-	if ((key.flags & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE) {
-		iszonekey = false;
-	}
-	if (key.protocol != DNS_KEYPROTO_DNSSEC &&
-	    key.protocol != DNS_KEYPROTO_ANY)
-	{
-		iszonekey = false;
-	}
-
-	return iszonekey;
-}