Changes to support keys inside views.

bin/tests/named.conf

@@ -15,188 +15,151 @@
 // watch out for ";" -- it's important!
 
 options {
-	request-ixfr yes;
-	provide-ixfr yes;
-	listen-on { 
-		10/24;
-		10.0.0.3; 1:2:3:4:5:6:7:8; 			
-	};
-	transfer-source 10.0.0.5;
-	transfer-source-v6 4:3:2:1:5:6:7:8;
-
-	directory ".";			// use current directory
+	version "my version string";
+	directory "/tmp";
 
 # Obsolete
-#	named-xfer "/usr/libexec/named-xfer";	// _PATH_XFER
+	named-xfer "/usr/libexec/named-xfer";	// _PATH_XFER
 
 	dump-file "named_dump.db";  	// _PATH_DUMPFILE
 	pid-file "/var/run/named.pid";  // _PATH_PIDFILE
 	statistics-file "named.stats";  // _PATH_STATS
 	memstatistics-file "named.memstats";	// _PATH_MEMSTATS
 
-	tcp-clients	143;
-	recursive-clients	777;
-	rfc2308-type1	no;
-	tkey-domain	"foo.com";
-	tkey-dhkey	"xyz" 666 ;
-	check-names master fail;
-	check-names slave warn;
-	check-names response ignore;
-	host-statistics no;
-	serial-queries 10;
-	min-roots 15;
-	treat-cr-as-space false;
-
-# Obsolete
-#	deallocate-on-exit no;		// Painstakingly deallocate all
-#					// objects when exiting instead of
-#					// letting the OS clean up for us.
-#					// Useful a memory leak is suspected.
-#					// Final statistics are written to the
-#					// memstatistics-file.
-
-	datasize default;
-	stacksize default;
-	coresize default;
-	files unlimited;
-	recursion yes;
-	expert-mode true;		// don't issue warnings for some things
-	fetch-glue yes;
-
-# Obsolete
-#	fake-iquery no;
-
-	notify yes;			// send NOTIFY messages.  You can set
-					// notify on a zone-by-zone
-					// basis in the "zone" statement
-					// see (below)
 	auth-nxdomain yes;		// always set AA on NXDOMAIN.
 					// don't set this to 'no' unless
 					// you know what you're doing -- older
 					// servers won't like it.
 
 # Obsolete
-#	multiple-cnames no;		// if yes, then a name my have more
-#					// than one CNAME RR.  This use
-#					// is non-standard and is not
-#					// recommended, but it is available
-#					// because previous releases supported
-#					// it and it was used by large sites
-#					// for load balancing.
+	deallocate-on-exit no;		// Painstakingly deallocate all
+					// objects when exiting instead of
+					// letting the OS clean up for us.
+					// Useful a memory leak is suspected.
+					// Final statistics are written to the
+					// memstatistics-file.
+	dialup yes;
 
-	allow-query { any; };
-	allow-transfer { any; };
-	transfers-in 10;		// DEFAULT_XFERS_RUNNING, cannot be
-					// set > than MAX_XFERS_RUNNING (20)
-	transfers-per-ns 2;		// DEFAULT_XFERS_PER_NS
-	transfers-out 0;		// not implemented
-	max-transfer-time-in 300;	// MAX_XFER_TIME; the default number
-					// of minutes an inbound zone transfer
-					// may run.  May be set on a per-zone
-					// basis.
-	max-transfer-time-out 10;	// MAX_XFER_TIME; the default number
-	max-transfer-idle-in 100;	// MAX_XFER_TIME; the default number
-	max-transfer-idle-out 11;	// MAX_XFER_TIME; the default number
-	/*
-	 * The "transfer-format" option specifies the way outbound zone
-	 * transfers (i.e. from us to them) are formatted.  Two values are
-	 * allowed:
-	 *
-	 *	one-answer		Each RR gets its own DNS message.
-	 *				This format is not very efficient,
-	 *				but is widely understood.  All
-	 *				versions of BIND prior to 8.1 generate
-	 *				this format for outbound zone 
-	 *				and require it on inbound transfers.
-	 *
-	 *	many-answers		As many RRs as will fit are put into
-	 *				each DNS message.  This format is
-	 *				the most efficient, but is only known
-	 *				to work with BIND 8.  Patches to
-	 *				BIND 4.9.5 named-xfer that enable it
-	 *				to understand 'many-answers' will be
-	 *				available.
-	 *
-	 * If you are going to be doing zone transfers to older servers, you
-	 * shouldn't use 'many-answers'.  'transfer-format' may also be set
-	 * on a host-by-host basis using the 'server' statement (see below).
-	 */
-	transfer-format one-answer;
-	query-source-v6 address 8:7:6:5:4:3:2:1 port *;
-	query-source port * address 10.0.0.54  ;
-	/*
-	 * The "forward" option is only meaningful if you've defined
-	 * forwarders.  "first" gives the normal BIND
-	 * forwarding behavior, i.e. ask the forwarders first, and if that
-	 * doesn't work then do the full lookup.  You can also say
-	 * "forward only;" which is what used to be specified with
-	 * "slave" or "options forward-only".  "only" will never attempt
-	 * a full lookup; only the forwarders will be used.
-	 */
+# Obsolete
+	fake-iquery no;
+
+	fetch-glue yes;
+	has-old-clients yes;
+	host-statistics no;
+
+# Obsolete
+	multiple-cnames no;		// if yes, then a name my have more
+					// than one CNAME RR.  This use
+					// is non-standard and is not
+					// recommended, but it is available
+					// because previous releases supported
+					// it and it was used by large sites
+					// for load balancing.
+
+	notify yes;			// send NOTIFY messages.  You can set
+					// notify on a zone-by-zone
+					// basis in the "zone" statement
+					// see (below)
+	recursion yes;
+	rfc2308-type1	no;
+
+# Obsolete
+	use-id-pool yes;
+
+# Obsolete
+	treat-cr-as-space yes;
+
+	also-notify { 10.0.2.3; };
+
+	// The "forward" option is only meaningful if you've defined
+	// forwarders.  "first" gives the normal BIND
+	// forwarding behavior, i.e. ask the forwarders first, and if that
+	// doesn't work then do the full lookup.  You can also say
+	// "forward only;" which is what used to be specified with
+	// "slave" or "options forward-only".  "only" will never attempt
+	// a full lookup; only the forwarders will be used.
 	forward first;
-	forwarders { };			// default is no forwarders
-	/*
-	 * Here's a forwarders example that isn't trivial
-	 */
-	/*
 	forwarders {
 		1.2.3.4;
 		5.6.7.8;
 	};
-	*/
-//	topology { localhost; localnets; };	// prefer local nameservers
-	/*
-	 * Here's a more complicated topology example; it's commented out
-	 * because only one topology block is allowed.
-	 */
-	topology {
-		10/8;			// prefer network 10.0.0.0
-					// netmask 255.0.0.0 most
-		!1.2.3/24;		// don't like 1.2.3.0 netmask
-					// 255.255.255.0 at all
-		{ 1.2/16; 3/8; };	// like 1.2.0.0 netmask 255.255.0.0
-					// and 3.0.0.0 netmask 255.0.0.0
-					// equally well, but less than 10/8
+
+	check-names master fail;
+	check-names slave warn;
+	check-names response ignore;
+
+	allow-query { any; };
+	allow-transfer { any; };
+	allow-recursion { !any; };
+	blackhole { 45/24; };
+
+	listen-on { 
+		10/24;
+		10.0.0.3; 1:2:3:4:5:6:7:8; 			
 	};
 
+	listen-on port 53 { any; };	
+					
+	listen-on { 5.6.7.8; };		
+					
+	listen-on port 1234 {		
+		!1.2.3.4;		
+		1.2.3/24;		
+	};				
 
-	listen-on port 53 { any; };	// listen for queries on port 53 on
-					// any interface on the system
-					// (i.e. all interfaces).  The
-					// "port 53" is optional; if you
-					// don't specify a port, port 53
-					// is assumed.
-	/*
-	 * Multiple listen-on statements are allowed.  Here's a more
-	 * complicated example:
-	 */
+	query-source-v6 address 8:7:6:5:4:3:2:1 port *;
+	query-source port * address 10.0.0.54  ;
 
-	listen-on { 5.6.7.8; };		// listen on port 53 on interface
-					// 5.6.7.8
-	listen-on port 1234 {		// listen on port 1234 on any
-		!1.2.3.4;		// interface on network 1.2.3
-		1.2.3/24;		// netmask 255.255.255.0, except for
-	};				// interface 1.2.3.4.
+	lame-ttl 477;
 
+	max-transfer-time-in 300;
+	max-transfer-time-out 10;
+	max-transfer-idle-in 100;
+	max-transfer-idle-out 11;
+	
+	max-ncache-ttl 333;
+	min-roots 15;
+	serial-queries 34;
 
-	/*
-	 * Interval Timers
-	 */
-	cleaning-interval 60;		// clean the cache of expired RRs
-					// every 'cleaning-interval' minutes
-	interface-interval 60;		// scan for new or deleted interfaces
-					// every 'interface-interval' minutes
-	statistics-interval 60;		// log statistics every 
-					// 'statistics-interval' minutes
-	/*
-	 * IXFR options
-     */
+	transfer-format one-answer;
+
+	transfers-in 10;
+	transfers-per-ns 2;
+	transfers-out 0;
+
+	transfer-source 10.0.0.5;
+	transfer-source-v6 4:3:2:1:5:6:7:8;
+
+	request-ixfr yes;
+	provide-ixfr yes;
 
 # Now called 'provide-ixfr'
 #    maintain-ixfr-base no;   // If yes, keep transaction log file for IXFR
 
-    max-ixfr-log-size 20;	 // Not implemented, maximum size the 
-	                         // IXFR transaction log file to grow
+	max-ixfr-log-size 20;
+	coresize 100;
+	datasize 101;
+	files 230;
+	stacksize 231;
+	cleaning-interval 1000;
+	heartbeat-interval 1001;
+	interface-interval 1002;
+	statistics-interval 1003;
+	
+	topology {
+		10/8;			
+					
+		!1.2.3/24;		
+					
+		{ 1.2/16; 3/8; };	
+					
+					
+	};
+
+	sortlist { 10/8; 11/8; };
+
+	tkey-domain	"foo.com";
+	tkey-dhkey	"xyz" 666 ;
 };
 
 /*
@@ -251,7 +214,8 @@ zone "slave.demo.zone" {
 	forwarders { 10.45.45.45; 10.0.0.3; 1:2:3:4:5:6:7:8; };
 };
 
-view "test-view" hs {
+view "test-view" in {
+	key "viewkey" { algorithm "xxx" ; secret "yyy" ; };
 	allow-query { 10.0.0.30;};
 	match-clients { 10.0.0.1 ; };
 	check-names master warn;
@@ -274,6 +238,7 @@ view "test-view" hs {
 	min-roots 3;
 	lame-ttl 477;
 	max-ncache-ttl 333;
+	transfer-format many-answers;
 
 	zone "view-zone.com" {
 		type master;
@@ -282,6 +247,8 @@ view "test-view" hs {
 	};
 };
 
+key "non-viewkey" { secret "aaa" ; algorithm "zzz" ; };
+
 zone "stub.demo.zone" {
 	type stub;			// stub zones are like slave zones,
 					// except that only the NS records

lib/dns/config/confip.c

@@ -15,7 +15,7 @@
  * SOFTWARE.
  */
 
-/* $Id: confip.c,v 1.20 2000/03/28 22:58:17 brister Exp $ */
+/* $Id: confip.c,v 1.21 2000/04/07 13:35:04 brister Exp $ */
 
 #include <config.h>
 
@@ -107,7 +107,7 @@ dns_c_ipmatchelement_delete(isc_mem_t *mem, dns_c_ipmatchelement_t **ipme)
 		break;
 
 	case dns_c_ipmatch_key:
-		isc_mem_free(mem, elem->u.key );
+		isc_mem_free(mem, elem->u.key);
 		break;
 
 	case dns_c_ipmatch_acl:

lib/dns/config/confkeys.c

@@ -15,7 +15,7 @@
  * SOFTWARE.
  */
 
-/* $Id: confkeys.c,v 1.17 2000/03/30 17:25:14 brister Exp $ */
+/* $Id: confkeys.c,v 1.18 2000/04/07 13:35:04 brister Exp $ */
 
 #include <config.h>
 
@@ -231,33 +231,30 @@ dns_c_kdeflist_print(FILE *fp, int indent, dns_c_kdeflist_t *list)
 
 
 isc_result_t
-dns_c_kdef_new(dns_c_kdeflist_t *list, const char *name,
-	       dns_c_kdef_t **keyid)
+dns_c_kdef_new(isc_mem_t *mem, const char *name, dns_c_kdef_t **keyid)
 {
 	dns_c_kdef_t *kd;
 
-	REQUIRE(DNS_C_KDEFLIST_VALID(list));
 	REQUIRE(keyid != NULL);
 	REQUIRE(name != NULL);
 	REQUIRE(*name != '\0');
 	
-	kd = isc_mem_get(list->mem, sizeof *kd);
+	kd = isc_mem_get(mem, sizeof *kd);
 	if (kd == NULL) {
 		return (ISC_R_NOMEMORY);
 	}
 
-	kd->keyid = isc_mem_strdup(list->mem, name);
+	kd->keyid = isc_mem_strdup(mem, name);
 	if (kd->keyid == NULL) {
-		isc_mem_put(list->mem, kd, sizeof *kd);
+		isc_mem_put(mem, kd, sizeof *kd);
 	}
 
 	kd->magic = DNS_C_KDEF_MAGIC;
-	kd->mylist = list;
+	kd->mem = mem;
+	
 	kd->algorithm = NULL;
 	kd->secret = NULL;
 
-	ISC_LIST_APPEND(list->keydefs, kd, next);
-
 	*keyid = kd;
 	
 	return (ISC_R_SUCCESS);
@@ -275,7 +272,7 @@ dns_c_kdef_delete(dns_c_kdef_t **keydef)
 
 	kd = *keydef;
 
-	mem = kd->mylist->mem;
+	mem = kd->mem;
 	
 	isc_mem_free(mem, kd->keyid);
 
@@ -289,7 +286,7 @@ dns_c_kdef_delete(dns_c_kdef_t **keydef)
 
 	kd->magic = 0;
 	kd->keyid = NULL;
-	kd->mylist = NULL;
+	kd->mem = NULL;
 	kd->algorithm = NULL;
 	kd->secret = NULL;
 
@@ -371,11 +368,10 @@ dns_c_kdef_setalgorithm(dns_c_kdef_t *keydef, const char *algorithm)
 	REQUIRE(*algorithm != '\0');
 
 	if (keydef->algorithm != NULL) {
-		isc_mem_free(keydef->mylist->mem, keydef->algorithm);
+		isc_mem_free(keydef->mem, keydef->algorithm);
 	}
 	
-	keydef->algorithm = isc_mem_strdup(keydef->mylist->mem,
-					   algorithm);
+	keydef->algorithm = isc_mem_strdup(keydef->mem, algorithm);
 	if (keydef->algorithm == NULL) {
 		return (ISC_R_NOMEMORY);
 	}
@@ -392,10 +388,10 @@ dns_c_kdef_setsecret(dns_c_kdef_t *keydef, const char *secret)
 	REQUIRE(*secret != '\0');
 	
 	if (keydef->secret != NULL) {
-		isc_mem_free(keydef->mylist->mem, keydef->secret);
+		isc_mem_free(keydef->mem, keydef->secret);
 	}
 	
-	keydef->secret = isc_mem_strdup(keydef->mylist->mem, secret);
+	keydef->secret = isc_mem_strdup(keydef->mem, secret);
 	if (keydef->secret == NULL) {
 		return (ISC_R_NOMEMORY);
 	}
@@ -467,10 +463,10 @@ keyid_delete(dns_c_kid_t **keyid)
 	
 	ki = *keyid;
 
-	isc_mem_free(ki->mylist->mem, ki->keyid);
+	isc_mem_free(ki->mem, ki->keyid);
 
 	ki->magic = 0;
-	isc_mem_put(ki->mylist->mem, ki, sizeof *ki);
+	isc_mem_put(ki->mem, ki, sizeof *ki);
 
 	*keyid = NULL;
 	
@@ -527,6 +523,16 @@ dns_c_kidlist_find(dns_c_kidlist_t *list, const char *keyid,
 }
 
 
+void
+dns_c_kidlist_append(dns_c_kidlist_t *list, dns_c_kid_t *keyid)
+{
+	REQUIRE(DNS_C_KEYIDLIST_VALID(list));
+	REQUIRE(DNS_C_KEYID_VALID(keyid));
+
+	ISC_LIST_APPEND(list->keyids, keyid, next);
+}
+
+
 void
 dns_c_kidlist_print(FILE *fp, int indent,
 		    dns_c_kidlist_t *list)
@@ -560,26 +566,24 @@ dns_c_kidlist_print(FILE *fp, int indent,
 
 
 isc_result_t
-dns_c_kid_new(dns_c_kidlist_t *list, const char *name, dns_c_kid_t **keyid)
+dns_c_kid_new(isc_mem_t *mem, const char *name, dns_c_kid_t **keyid)
 {
 	dns_c_kid_t *ki;
 
-	REQUIRE(DNS_C_KEYIDLIST_VALID(list));
 	REQUIRE(name != NULL);
 	REQUIRE(*name != '\0');
 	REQUIRE(keyid != NULL);
 	
-	ki = isc_mem_get(list->mem, sizeof *ki);
+	ki = isc_mem_get(mem, sizeof *ki);
 	if (ki == NULL) {
 		return (ISC_R_NOMEMORY);
 	}
 
 	ki->magic = DNS_C_KEYID_MAGIC;
-	ki->mylist = list;
-	ki->keyid = isc_mem_strdup(list->mem, name);
+	ki->mem = mem;
+	ki->keyid = isc_mem_strdup(mem, name);
 
 	ISC_LINK_INIT(ki, next);
-	ISC_LIST_APPEND(list->keyids, ki, next);
 
 	*keyid = ki;
 

lib/dns/config/confndc.c

@@ -15,7 +15,7 @@
  * SOFTWARE.
  */
 
-/* $Id: confndc.c,v 1.7 2000/04/05 16:39:24 brister Exp $ */
+/* $Id: confndc.c,v 1.8 2000/04/07 13:35:04 brister Exp $ */
 
 /*
 **	options {
@@ -1258,9 +1258,10 @@ parse_keystmt(ndcpcontext *pctx, dns_c_kdeflist_t *keys) {
 	if (result != ISC_R_SUCCESS)
 		goto done;
 	
-	result = dns_c_kdef_new(keys, keyname, &key);
+	result = dns_c_kdef_new(keys->mem, keyname, &key);
 	if (result != ISC_R_SUCCESS)
 		goto done;
+	dns_c_kdeflist_append(keys, key, ISC_FALSE);
 
 	result = dns_c_kdef_setalgorithm(key, algorithm);
 	if (result != ISC_R_SUCCESS)

lib/dns/config/confparser.y

@@ -16,7 +16,7 @@
  * SOFTWARE.
  */
 
-/* $Id: confparser.y,v 1.60 2000/04/06 20:12:26 brister Exp $ */
+/* $Id: confparser.y,v 1.61 2000/04/07 13:35:05 brister Exp $ */
 
 #include <config.h>
 
@@ -79,6 +79,11 @@ struct confssu_s {
 	struct confrdtype_s rdatatypes;
 };
 
+struct keydetails_s {
+	char *algorithm;
+	char *secret;
+};
+
 
 /* All these statics are protected by the above yacc_mutex */
 static dns_c_ctx_t	       *currcfg;
@@ -127,6 +132,7 @@ static isc_boolean_t	int_too_big(isc_uint32_t base, isc_uint32_t mult);
 	struct in6_addr		ip6_addr;
 	isc_sockaddr_t		ipaddress;
 
+	struct keydetails_s	keydetails;
 	struct confssu_s	ssu;
 	struct confrdtype_s	rdatatypelist;
 	dns_rdatatype_t		rdatatype;
@@ -339,7 +345,8 @@ static isc_boolean_t	int_too_big(isc_uint32_t base, isc_uint32_t mult);
 %type <rrclass>		class_name
 %type <rrclass>		wild_class_name
 %type <rrclass>		optional_class
-%type <severity>	check_names_opt;
+%type <severity>	check_names_opt
+%type <keydetails>	key_definition
 %type <ssu>		grant_stmt
 %type <text>		algorithm_id
 %type <text>		any_string
@@ -2445,8 +2452,16 @@ address_match_element: address_match_simple
 	| L_SEC_KEY L_STRING
 	{
 		dns_c_ipmatchelement_t *ime = NULL;
+		dns_c_view_t *view = dns_c_ctx_getcurrview(currcfg);
+		isc_boolean_t isdefined;
+		
+		if (view != NULL) {
+			isdefined = dns_c_view_keydefinedp(view, $2);
+		} else {
+			isdefined = dns_c_ctx_keydefinedp(currcfg, $2);
+		}
 
-		if (!dns_c_ctx_keydefinedp(currcfg, $2)) {
+		if (!isdefined) {
 			parser_error(ISC_FALSE,
 				     "address match key element (%s) "
 				     "referenced before defined", $2);
@@ -2677,62 +2692,90 @@ address_name: any_string
  */
 
 
-key_stmt: L_SEC_KEY any_string
+key_stmt: L_SEC_KEY any_string L_LBRACE key_definition L_RBRACE
 	{
 		dns_c_kdef_t *keydef;
+		dns_c_view_t *view = dns_c_ctx_getcurrview(currcfg);
+		dns_c_kdeflist_t *list = NULL;
 		
-		if (currcfg->keydefs == NULL) {
+		if (view == NULL) {
+			tmpres = dns_c_ctx_getkdeflist(currcfg, &list);
+		} else {
+			tmpres = dns_c_view_getkeydefs(view, &list);
+		}
+		
+		if (tmpres == ISC_R_NOTFOUND) {
 			tmpres = dns_c_kdeflist_new(currcfg->mem,
-						    &currcfg->keydefs);
+						    &list);
 			if (tmpres != ISC_R_SUCCESS) {
 				parser_error(ISC_FALSE,
 					     "failed to create keylist");
+				isc_mem_free(memctx, $2);
+				isc_mem_free(memctx, $4.algorithm);
+				isc_mem_free(memctx, $4.secret);
+		
+				YYABORT;
+			}
+
+			if (view == NULL) {
+				tmpres = dns_c_ctx_setkdeflist(currcfg,
+							       list,
+							       ISC_FALSE);
+			} else {
+				tmpres = dns_c_view_setkeydefs(view, list);
+			}
+
+			if (tmpres != ISC_R_SUCCESS) {
+				parser_error(ISC_FALSE,
+					     "failed to set keylist");
+				dns_c_kdeflist_delete(&list);
+				isc_mem_free(memctx, $2);
+				isc_mem_free(memctx, $4.algorithm);
+				isc_mem_free(memctx, $4.secret);
+		
 				YYABORT;
 			}
 		}
 		
-		tmpres = dns_c_kdef_new(currcfg->keydefs,
-					$2, &keydef);
+		tmpres = dns_c_kdef_new(currcfg->mem, $2, &keydef);
 		if (tmpres != ISC_R_SUCCESS) {
-			parser_error(ISC_FALSE,
-				     "failed to create key definition");
+			parser_error(ISC_FALSE, "failed to create key");
+			isc_mem_free(memctx, $2);
+			isc_mem_free(memctx, $4.algorithm);
+			isc_mem_free(memctx, $4.secret);
 			YYABORT;
 		}
 
+		tmpres = dns_c_kdef_setalgorithm(keydef, $4.algorithm);
+		if (tmpres == ISC_R_SUCCESS) {
+			tmpres = dns_c_kdef_setsecret(keydef, $4.secret);
+		}
+
+		if (tmpres != ISC_R_SUCCESS) {
+			parser_error(ISC_FALSE,
+				     "failed to set key details.");
+			isc_mem_free(memctx, $2);
+			isc_mem_free(memctx, $4.algorithm);
+			isc_mem_free(memctx, $4.secret);
+		}
+		
+		dns_c_kdeflist_append(list, keydef, ISC_FALSE);
+
 		isc_mem_free(memctx, $2);
+		isc_mem_free(memctx, $4.algorithm);
+		isc_mem_free(memctx, $4.secret);
 	}
-	L_LBRACE key_definition L_RBRACE
 	;
 
 key_definition: algorithm_id secret
 	{
-		dns_c_kdef_t *keydef;
-
-		INSIST(currcfg->keydefs != NULL);
-
-		keydef = ISC_LIST_TAIL(currcfg->keydefs->keydefs);
-		INSIST(keydef != NULL);
-
-		dns_c_kdef_setalgorithm(keydef, $1);
-		dns_c_kdef_setsecret(keydef, $2);
-
-		isc_mem_free(memctx, $1);
-		isc_mem_free(memctx, $2);
+		$$.algorithm = $1;
+		$$.secret = $2;
 	}
 	| secret algorithm_id
 	{
-		dns_c_kdef_t *keydef;
-
-		INSIST(currcfg->keydefs != NULL);
-
-		keydef = ISC_LIST_TAIL(currcfg->keydefs->keydefs);
-		INSIST(keydef != NULL);
-
-		dns_c_kdef_setsecret(keydef, $1);
-		dns_c_kdef_setalgorithm(keydef, $2);
-
-		isc_mem_free(memctx, $1);
-		isc_mem_free(memctx, $2);
+		$$.algorithm = $2;
+		$$.secret = $1;
 	}
 	;
 
@@ -3274,6 +3317,7 @@ view_option: L_FORWARD zone_forward_opt
 			YYABORT;
 		}
 	}
+	| key_stmt
         | zone_stmt
 	;
 

lib/dns/config/confview.c

@@ -15,7 +15,7 @@
  * SOFTWARE.
  */
 
-/* $Id: confview.c,v 1.19 2000/04/06 10:35:26 brister Exp $ */
+/* $Id: confview.c,v 1.20 2000/04/07 13:35:06 brister Exp $ */
 
 #include <config.h>
 
@@ -503,6 +503,7 @@ dns_c_view_new(isc_mem_t *mem, const char *name, dns_rdataclass_t viewclass,
 	view->max_ncache_ttl = NULL;
 
 	view->transfer_format = NULL;
+	view->keydefs = NULL;
 	
 #if 0
 	view->max_transfer_time_in = NULL;
@@ -671,6 +672,11 @@ dns_c_view_print(FILE *fp, int indent, dns_c_view_t *view)
 	}
 	
 
+	if (view->keydefs != NULL) {
+		dns_c_kdeflist_print(fp, indent + 1, view->keydefs);
+	}
+	
+
 #if 0	
 	PRINT_INT32(max_transfer_time_in, "max-transfer-time-in");
 	PRINT_INT32(max_transfer_idle_in, "max-transfer-idle-in");
@@ -771,6 +777,8 @@ dns_c_view_delete(dns_c_view_t **viewptr)
 
 	FREEFIELD(transfer_format);
 
+	dns_c_view_unsetkeydefs(view);
+
 #if 0	
 	FREEFIELD(max_transfer_time_in);
 	FREEFIELD(max_transfer_idle_in);
@@ -785,7 +793,28 @@ dns_c_view_delete(dns_c_view_t **viewptr)
 	return (ISC_R_SUCCESS);
 }
 
+
+isc_boolean_t
+dns_c_view_keydefinedp(dns_c_view_t *view, const char *keyname)
+{
+	dns_c_kdef_t *keyid;
+	isc_result_t res;
+	isc_boolean_t rval = ISC_FALSE;
+
+	REQUIRE(DNS_C_VIEW_VALID(view));
+	REQUIRE(keyname != NULL);
+	REQUIRE(*keyname != '\0');
 	
+	if (view->keydefs != NULL) {
+		res = dns_c_kdeflist_find(view->keydefs, keyname, &keyid);
+		if (res == ISC_R_SUCCESS) {
+			rval = ISC_TRUE;
+		}
+	}
+
+	return rval;
+}
+
 isc_result_t
 dns_c_view_getname(dns_c_view_t *view, const char **retval)
 {
@@ -1125,7 +1154,54 @@ dns_c_view_unsetchecknames(dns_c_view_t *view,
 }
 
 
-		
+isc_result_t
+dns_c_view_getkeydefs(dns_c_view_t *view, dns_c_kdeflist_t **retval)
+{
+	REQUIRE(DNS_C_VIEW_VALID(view));
+	REQUIRE(retval != NULL);
+
+	*retval = view->keydefs;
+	
+	if (view->keydefs == NULL) {
+		return (ISC_R_NOTFOUND);
+	} else {
+		return (ISC_R_SUCCESS);
+	}
+}
+
+
+isc_result_t
+dns_c_view_setkeydefs(dns_c_view_t *view, dns_c_kdeflist_t *newval)
+{
+	REQUIRE(DNS_C_VIEW_VALID(view));
+	REQUIRE(DNS_C_KDEFLIST_VALID(newval));
+
+	if (view->keydefs != NULL) {
+		dns_c_view_unsetkeydefs(view);
+	}
+
+	view->keydefs = newval;
+
+	return (ISC_R_SUCCESS);
+}
+
+
+isc_result_t
+dns_c_view_unsetkeydefs(dns_c_view_t *view)
+{
+	REQUIRE(DNS_C_VIEW_VALID(view));
+
+	if (view->keydefs != NULL) {
+		dns_c_kdeflist_delete(&view->keydefs);
+		view->keydefs = NULL;
+		return (ISC_R_SUCCESS);
+	} else {
+		return (ISC_R_NOTFOUND);
+	}
+}
+
+
+
 GETIPMLIST(allowquery, allowquery)
 SETIPMLIST(allowquery, allowquery)
 UNSETIPMLIST(allowquery, allowquery)

lib/dns/include/dns/confkeys.h

@@ -143,7 +143,7 @@ struct dns_c_pklist
 struct dns_c_kdef 
 {
 	isc_uint32_t		magic;
-	dns_c_kdeflist_t      *mylist;	
+	isc_mem_t	       *mem;
 
 	char		       *keyid;
 	char		       *algorithm;
@@ -167,7 +167,7 @@ struct dns_c_kdef_list
 struct dns_c_kid
 {
 	isc_uint32_t		magic;
-	dns_c_kidlist_t	      *mylist;
+	isc_mem_t	       *mem;
 	char		       *keyid;
 
 	ISC_LINK(dns_c_kid_t)	next;
@@ -230,11 +230,16 @@ isc_result_t	dns_c_kidlist_undef(dns_c_kidlist_t *list,
 isc_result_t	dns_c_kidlist_find(dns_c_kidlist_t *list,
 				   const char *keyid,
 				   dns_c_kid_t **retval);
+void		dns_c_kidlist_append(dns_c_kidlist_t *list,
+				     dns_c_kid_t *keyid);
 void		dns_c_kidlist_print(FILE *fp, int indent,
 				    dns_c_kidlist_t *list);
-isc_result_t	dns_c_kid_new(dns_c_kidlist_t *list, const char *name,
+isc_result_t	dns_c_kid_new(isc_mem_t *mem, const char *name,
 			      dns_c_kid_t **keyid);
 
+
+
+
 isc_result_t	dns_c_kdeflist_new(isc_mem_t *mem,
 				   dns_c_kdeflist_t **list);
 isc_result_t	dns_c_kdeflist_delete(dns_c_kdeflist_t **list);
@@ -252,7 +257,7 @@ isc_result_t	dns_c_kdeflist_find(dns_c_kdeflist_t *list,
 void		dns_c_kdeflist_print(FILE *fp, int indent,
 				     dns_c_kdeflist_t *list);
 
-isc_result_t	dns_c_kdef_new(dns_c_kdeflist_t *list, const char *name,
+isc_result_t	dns_c_kdef_new(isc_mem_t *mem, const char *name,
 			       dns_c_kdef_t **keyid);
 isc_result_t	dns_c_kdef_delete(dns_c_kdef_t **keydef);
 isc_result_t	dns_c_kdef_copy(isc_mem_t *mem,

lib/dns/include/dns/confview.h

@@ -148,6 +148,8 @@ struct dns_c_view
 
 	dns_transfer_format_t  *transfer_format;
 
+	dns_c_kdeflist_t       *keydefs;
+
 #if 0	
 	/*
 	 * To implement later.
@@ -187,6 +189,14 @@ isc_result_t	dns_c_viewtable_checkviews(dns_c_viewtable_t *viewtable);
 
 
 
+/* NOTE: For the various get* functions. The caller must not delete the
+ * refutned value.
+ *
+ *	- For functions where retval is a dns_c_ipmatchlist_t
+ *	  (e.g. dns_c_view_getallowquery) the caller must call
+ *	  dns_c_ipmatcglist_detach() when finished with retval).
+ *
+ */
 
 isc_result_t	dns_c_view_new(isc_mem_t *mem, const char *name,
 			       dns_rdataclass_t viewclass,
@@ -194,6 +204,9 @@ isc_result_t	dns_c_view_new(isc_mem_t *mem, const char *name,
 
 isc_result_t	dns_c_view_delete(dns_c_view_t **viewptr);
 void		dns_c_view_print(FILE *fp, int indent, dns_c_view_t *view);
+isc_boolean_t	dns_c_view_keydefinedp(dns_c_view_t *view,
+				       const char *keyname);
+
 
 isc_result_t	dns_c_view_getname(dns_c_view_t *view,
 				   const char **retval);
@@ -223,50 +236,49 @@ isc_result_t	dns_c_view_getforwarders(dns_c_view_t *view,
 
 
 isc_result_t	dns_c_view_getallowquery(dns_c_view_t *view,
-					 dns_c_ipmatchlist_t **rval);
+					 dns_c_ipmatchlist_t **retval);
 isc_result_t	dns_c_view_setallowquery(dns_c_view_t *view,
 					 dns_c_ipmatchlist_t *newval);
 isc_result_t	dns_c_view_unsetallowquery(dns_c_view_t *view);
 
 
-
 isc_result_t	dns_c_view_getallowupdateforwarding(dns_c_view_t *view,
-						   dns_c_ipmatchlist_t **rval);
+						 dns_c_ipmatchlist_t **retval);
 isc_result_t	dns_c_view_setallowupdateforwarding(dns_c_view_t *view,
 						  dns_c_ipmatchlist_t *newval);
 isc_result_t	dns_c_view_unsetallowupdateforwarding(dns_c_view_t *view);
 
 
 isc_result_t	dns_c_view_gettransferacl(dns_c_view_t *view,
-					  dns_c_ipmatchlist_t **rval);
+					  dns_c_ipmatchlist_t **retval);
 isc_result_t	dns_c_view_settransferacl(dns_c_view_t *view,
 					  dns_c_ipmatchlist_t *newval);
 isc_result_t	dns_c_view_unsettransferacl(dns_c_view_t *view);
 
 
 isc_result_t	dns_c_view_getrecursionacl(dns_c_view_t *view,
-					   dns_c_ipmatchlist_t **rval);
+					   dns_c_ipmatchlist_t **retval);
 isc_result_t	dns_c_view_setrecursionacl(dns_c_view_t *view,
 					   dns_c_ipmatchlist_t *newval);
 isc_result_t	dns_c_view_unsetrecursionacl(dns_c_view_t *view);
 
 
 isc_result_t	dns_c_view_getsortlist(dns_c_view_t *view,
-				       dns_c_ipmatchlist_t **rval);
+				       dns_c_ipmatchlist_t **retval);
 isc_result_t	dns_c_view_setsortlist(dns_c_view_t *view,
 				       dns_c_ipmatchlist_t *newval);
 isc_result_t	dns_c_view_unsetsortlist(dns_c_view_t *view);
 
 
 isc_result_t	dns_c_view_gettopology(dns_c_view_t *view,
-				       dns_c_ipmatchlist_t **rval);
+				       dns_c_ipmatchlist_t **retval);
 isc_result_t	dns_c_view_settopology(dns_c_view_t *view,
 				       dns_c_ipmatchlist_t *newval);
 isc_result_t	dns_c_view_unsettopology(dns_c_view_t *view);
 
 
 isc_result_t	dns_c_view_getmatchclients(dns_c_view_t *view,
-				       dns_c_ipmatchlist_t **rval);
+				       dns_c_ipmatchlist_t **retval);
 isc_result_t	dns_c_view_setmatchclients(dns_c_view_t *view,
 				       dns_c_ipmatchlist_t *newval);
 isc_result_t	dns_c_view_unsetmatchclients(dns_c_view_t *view);
@@ -419,7 +431,12 @@ isc_result_t dns_c_view_gettransferformat(dns_c_view_t *view,
 isc_result_t dns_c_view_unsettransferformat(dns_c_view_t *cfg);
 
 
-
+/* Caller must not delete retval */
+isc_result_t dns_c_view_getkeydefs(dns_c_view_t *view,
+				   dns_c_kdeflist_t **retval);
+isc_result_t dns_c_view_setkeydefs(dns_c_view_t *view,
+				   dns_c_kdeflist_t *newval);
+isc_result_t dns_c_view_unsetkeydefs(dns_c_view_t *view);