Changes to support keys inside views.

2025-09-01 06:55:30 +00:00 · 2000-04-07 13:35:06 +00:00
parent 6324997211
commit 616ee4a3f7
8 changed files with 346 additions and 232 deletions
--- a/bin/tests/named.conf
+++ b/bin/tests/named.conf
@@ -15,188 +15,151 @@
 // watch out for ";" -- it's important!
 options {
-	request-ixfr yes;
+	version "my version string";
-	provide-ixfr yes;
+	directory "/tmp";
 	listen-on { 
 		10/24;
 		10.0.0.3; 1:2:3:4:5:6:7:8; 			
 	};
 	transfer-source 10.0.0.5;
 	transfer-source-v6 4:3:2:1:5:6:7:8;
 	directory ".";			// use current directory
 # Obsolete
-#	named-xfer "/usr/libexec/named-xfer";	// _PATH_XFER
+	named-xfer "/usr/libexec/named-xfer";	// _PATH_XFER
 	dump-file "named_dump.db";  	// _PATH_DUMPFILE
 	pid-file "/var/run/named.pid";  // _PATH_PIDFILE
 	statistics-file "named.stats";  // _PATH_STATS
 	memstatistics-file "named.memstats";	// _PATH_MEMSTATS
 	tcp-clients	143;
 	recursive-clients	777;
 	rfc2308-type1	no;
 	tkey-domain	"foo.com";
 	tkey-dhkey	"xyz" 666 ;
 	check-names master fail;
 	check-names slave warn;
 	check-names response ignore;
 	host-statistics no;
 	serial-queries 10;
 	min-roots 15;
 	treat-cr-as-space false;
 # Obsolete
 #	deallocate-on-exit no;		// Painstakingly deallocate all
 #					// objects when exiting instead of
 #					// letting the OS clean up for us.
 #					// Useful a memory leak is suspected.
 #					// Final statistics are written to the
 #					// memstatistics-file.
 	datasize default;
 	stacksize default;
 	coresize default;
 	files unlimited;
 	recursion yes;
 	expert-mode true;		// don't issue warnings for some things
 	fetch-glue yes;
 # Obsolete
 #	fake-iquery no;
 	notify yes;			// send NOTIFY messages.  You can set
 					// notify on a zone-by-zone
 					// basis in the "zone" statement
 					// see (below)
 	auth-nxdomain yes;		// always set AA on NXDOMAIN.
 					// don't set this to 'no' unless
 					// you know what you're doing -- older
 					// servers won't like it.
 # Obsolete
-#	multiple-cnames no;		// if yes, then a name my have more
+	deallocate-on-exit no;		// Painstakingly deallocate all
-#					// than one CNAME RR.  This use
+					// objects when exiting instead of
-#					// is non-standard and is not
+					// letting the OS clean up for us.
-#					// recommended, but it is available
+					// Useful a memory leak is suspected.
-#					// because previous releases supported
+					// Final statistics are written to the
-#					// it and it was used by large sites
+					// memstatistics-file.
-#					// for load balancing.
+	dialup yes;
-	allow-query { any; };
+# Obsolete
-	allow-transfer { any; };
+	fake-iquery no;
-	transfers-in 10;		// DEFAULT_XFERS_RUNNING, cannot be
+
-					// set > than MAX_XFERS_RUNNING (20)
+	fetch-glue yes;
-	transfers-per-ns 2;		// DEFAULT_XFERS_PER_NS
+	has-old-clients yes;
-	transfers-out 0;		// not implemented
+	host-statistics no;
-	max-transfer-time-in 300;	// MAX_XFER_TIME; the default number
+
-					// of minutes an inbound zone transfer
+# Obsolete
-					// may run.  May be set on a per-zone
+	multiple-cnames no;		// if yes, then a name my have more
-					// basis.
+					// than one CNAME RR.  This use
-	max-transfer-time-out 10;	// MAX_XFER_TIME; the default number
+					// is non-standard and is not
-	max-transfer-idle-in 100;	// MAX_XFER_TIME; the default number
+					// recommended, but it is available
-	max-transfer-idle-out 11;	// MAX_XFER_TIME; the default number
+					// because previous releases supported
-	/*
+					// it and it was used by large sites
-	 * The "transfer-format" option specifies the way outbound zone
+					// for load balancing.
-	 * transfers (i.e. from us to them) are formatted.  Two values are
+
-	 * allowed:
+	notify yes;			// send NOTIFY messages.  You can set
-	 *
+					// notify on a zone-by-zone
-	 *	one-answer		Each RR gets its own DNS message.
+					// basis in the "zone" statement
-	 *				This format is not very efficient,
+					// see (below)
-	 *				but is widely understood.  All
+	recursion yes;
-	 *				versions of BIND prior to 8.1 generate
+	rfc2308-type1	no;
-	 *				this format for outbound zone 
+
-	 *				and require it on inbound transfers.
+# Obsolete
-	 *
+	use-id-pool yes;
-	 *	many-answers		As many RRs as will fit are put into
+
-	 *				each DNS message.  This format is
+# Obsolete
-	 *				the most efficient, but is only known
+	treat-cr-as-space yes;
-	 *				to work with BIND 8.  Patches to
+
-	 *				BIND 4.9.5 named-xfer that enable it
+	also-notify { 10.0.2.3; };
-	 *				to understand 'many-answers' will be
+
-	 *				available.
+	// The "forward" option is only meaningful if you've defined
-	 *
+	// forwarders.  "first" gives the normal BIND
-	 * If you are going to be doing zone transfers to older servers, you
+	// forwarding behavior, i.e. ask the forwarders first, and if that
-	 * shouldn't use 'many-answers'.  'transfer-format' may also be set
+	// doesn't work then do the full lookup.  You can also say
-	 * on a host-by-host basis using the 'server' statement (see below).
+	// "forward only;" which is what used to be specified with
-	 */
+	// "slave" or "options forward-only".  "only" will never attempt
-	transfer-format one-answer;
+	// a full lookup; only the forwarders will be used.
 	query-source-v6 address 8:7:6:5:4:3:2:1 port *;
 	query-source port * address 10.0.0.54  ;
 	/*
 	 * The "forward" option is only meaningful if you've defined
 	 * forwarders.  "first" gives the normal BIND
 	 * forwarding behavior, i.e. ask the forwarders first, and if that
 	 * doesn't work then do the full lookup.  You can also say
 	 * "forward only;" which is what used to be specified with
 	 * "slave" or "options forward-only".  "only" will never attempt
 	 * a full lookup; only the forwarders will be used.
 	 */
 	forward first;
 	forwarders { };			// default is no forwarders
 	/*
 	 * Here's a forwarders example that isn't trivial
 	 */
 	/*
 	forwarders {
 		1.2.3.4;
 		5.6.7.8;
 	};
-	*/
+
-//	topology { localhost; localnets; };	// prefer local nameservers
+	check-names master fail;
-	/*
+	check-names slave warn;
-	 * Here's a more complicated topology example; it's commented out
+	check-names response ignore;
-	 * because only one topology block is allowed.
+
-	 */
+	allow-query { any; };
-	topology {
+	allow-transfer { any; };
-		10/8;			// prefer network 10.0.0.0
+	allow-recursion { !any; };
-					// netmask 255.0.0.0 most
+	blackhole { 45/24; };
-		!1.2.3/24;		// don't like 1.2.3.0 netmask
+
-					// 255.255.255.0 at all
+	listen-on { 
-		{ 1.2/16; 3/8; };	// like 1.2.0.0 netmask 255.255.0.0
+		10/24;
-					// and 3.0.0.0 netmask 255.0.0.0
+		10.0.0.3; 1:2:3:4:5:6:7:8; 			
 					// equally well, but less than 10/8
 	};
 	listen-on port 53 { any; };	
 	listen-on { 5.6.7.8; };		
 	listen-on port 1234 {		
 		!1.2.3.4;		
 		1.2.3/24;		
 	};				
-	listen-on port 53 { any; };	// listen for queries on port 53 on
+	query-source-v6 address 8:7:6:5:4:3:2:1 port *;
-					// any interface on the system
+	query-source port * address 10.0.0.54  ;
 					// (i.e. all interfaces).  The
 					// "port 53" is optional; if you
 					// don't specify a port, port 53
 					// is assumed.
 	/*
 	 * Multiple listen-on statements are allowed.  Here's a more
 	 * complicated example:
 	 */
-	listen-on { 5.6.7.8; };		// listen on port 53 on interface
+	lame-ttl 477;
 					// 5.6.7.8
 	listen-on port 1234 {		// listen on port 1234 on any
 		!1.2.3.4;		// interface on network 1.2.3
 		1.2.3/24;		// netmask 255.255.255.0, except for
 	};				// interface 1.2.3.4.
 	max-transfer-time-in 300;
 	max-transfer-time-out 10;
 	max-transfer-idle-in 100;
 	max-transfer-idle-out 11;
 	max-ncache-ttl 333;
 	min-roots 15;
 	serial-queries 34;
-	/*
+	transfer-format one-answer;
-	 * Interval Timers
+
-	 */
+	transfers-in 10;
-	cleaning-interval 60;		// clean the cache of expired RRs
+	transfers-per-ns 2;
-					// every 'cleaning-interval' minutes
+	transfers-out 0;
-	interface-interval 60;		// scan for new or deleted interfaces
+
-					// every 'interface-interval' minutes
+	transfer-source 10.0.0.5;
-	statistics-interval 60;		// log statistics every 
+	transfer-source-v6 4:3:2:1:5:6:7:8;
-					// 'statistics-interval' minutes
+
-	/*
+	request-ixfr yes;
-	 * IXFR options
+	provide-ixfr yes;
     */
 # Now called 'provide-ixfr'
 #    maintain-ixfr-base no;   // If yes, keep transaction log file for IXFR
-    max-ixfr-log-size 20;	 // Not implemented, maximum size the 
+	max-ixfr-log-size 20;
-	                         // IXFR transaction log file to grow
+	coresize 100;
 	datasize 101;
 	files 230;
 	stacksize 231;
 	cleaning-interval 1000;
 	heartbeat-interval 1001;
 	interface-interval 1002;
 	statistics-interval 1003;
 	topology {
 		10/8;			
 		!1.2.3/24;		
 		{ 1.2/16; 3/8; };	
 	};
 	sortlist { 10/8; 11/8; };
 	tkey-domain	"foo.com";
 	tkey-dhkey	"xyz" 666 ;
 };
 /*
@@ -251,7 +214,8 @@ zone "slave.demo.zone" {
 	forwarders { 10.45.45.45; 10.0.0.3; 1:2:3:4:5:6:7:8; };
 };
-view "test-view" hs {
+view "test-view" in {
 	key "viewkey" { algorithm "xxx" ; secret "yyy" ; };
 	allow-query { 10.0.0.30;};
 	match-clients { 10.0.0.1 ; };
 	check-names master warn;
@@ -274,6 +238,7 @@ view "test-view" hs {
 	min-roots 3;
 	lame-ttl 477;
 	max-ncache-ttl 333;
 	transfer-format many-answers;
 	zone "view-zone.com" {
 		type master;
@@ -282,6 +247,8 @@ view "test-view" hs {
 	};
 };
 key "non-viewkey" { secret "aaa" ; algorithm "zzz" ; };
 zone "stub.demo.zone" {
 	type stub;			// stub zones are like slave zones,
 					// except that only the NS records
--- a/lib/dns/config/confip.c
+++ b/lib/dns/config/confip.c
@@ -15,7 +15,7 @@
 * SOFTWARE.
 */
-/* $Id: confip.c,v 1.20 2000/03/28 22:58:17 brister Exp $ */
+/* $Id: confip.c,v 1.21 2000/04/07 13:35:04 brister Exp $ */
 #include <config.h>
@@ -107,7 +107,7 @@ dns_c_ipmatchelement_delete(isc_mem_t *mem, dns_c_ipmatchelement_t **ipme)
 		break;
 	case dns_c_ipmatch_key:
-		isc_mem_free(mem, elem->u.key );
+		isc_mem_free(mem, elem->u.key);
 		break;
 	case dns_c_ipmatch_acl:
--- a/lib/dns/config/confkeys.c
+++ b/lib/dns/config/confkeys.c
@@ -15,7 +15,7 @@
 * SOFTWARE.
 */
-/* $Id: confkeys.c,v 1.17 2000/03/30 17:25:14 brister Exp $ */
+/* $Id: confkeys.c,v 1.18 2000/04/07 13:35:04 brister Exp $ */
 #include <config.h>
@@ -231,33 +231,30 @@ dns_c_kdeflist_print(FILE *fp, int indent, dns_c_kdeflist_t *list)
 isc_result_t
-dns_c_kdef_new(dns_c_kdeflist_t *list, const char *name,
+dns_c_kdef_new(isc_mem_t *mem, const char *name, dns_c_kdef_t **keyid)
 	       dns_c_kdef_t **keyid)
 {
 	dns_c_kdef_t *kd;
 	REQUIRE(DNS_C_KDEFLIST_VALID(list));
 	REQUIRE(keyid != NULL);
 	REQUIRE(name != NULL);
 	REQUIRE(*name != '\0');
-	kd = isc_mem_get(list->mem, sizeof *kd);
+	kd = isc_mem_get(mem, sizeof *kd);
 	if (kd == NULL) {
 		return (ISC_R_NOMEMORY);
 	}
-	kd->keyid = isc_mem_strdup(list->mem, name);
+	kd->keyid = isc_mem_strdup(mem, name);
 	if (kd->keyid == NULL) {
-		isc_mem_put(list->mem, kd, sizeof *kd);
+		isc_mem_put(mem, kd, sizeof *kd);
 	}
 	kd->magic = DNS_C_KDEF_MAGIC;
-	kd->mylist = list;
+	kd->mem = mem;
 	kd->algorithm = NULL;
 	kd->secret = NULL;
 	ISC_LIST_APPEND(list->keydefs, kd, next);
 	*keyid = kd;
 	return (ISC_R_SUCCESS);
@@ -275,7 +272,7 @@ dns_c_kdef_delete(dns_c_kdef_t **keydef)
 	kd = *keydef;
-	mem = kd->mylist->mem;
+	mem = kd->mem;
 	isc_mem_free(mem, kd->keyid);
@@ -289,7 +286,7 @@ dns_c_kdef_delete(dns_c_kdef_t **keydef)
 	kd->magic = 0;
 	kd->keyid = NULL;
-	kd->mylist = NULL;
+	kd->mem = NULL;
 	kd->algorithm = NULL;
 	kd->secret = NULL;
@@ -371,11 +368,10 @@ dns_c_kdef_setalgorithm(dns_c_kdef_t *keydef, const char *algorithm)
 	REQUIRE(*algorithm != '\0');
 	if (keydef->algorithm != NULL) {
-		isc_mem_free(keydef->mylist->mem, keydef->algorithm);
+		isc_mem_free(keydef->mem, keydef->algorithm);
 	}
-	keydef->algorithm = isc_mem_strdup(keydef->mylist->mem,
+	keydef->algorithm = isc_mem_strdup(keydef->mem, algorithm);
 					   algorithm);
 	if (keydef->algorithm == NULL) {
 		return (ISC_R_NOMEMORY);
 	}
@@ -392,10 +388,10 @@ dns_c_kdef_setsecret(dns_c_kdef_t *keydef, const char *secret)
 	REQUIRE(*secret != '\0');
 	if (keydef->secret != NULL) {
-		isc_mem_free(keydef->mylist->mem, keydef->secret);
+		isc_mem_free(keydef->mem, keydef->secret);
 	}
-	keydef->secret = isc_mem_strdup(keydef->mylist->mem, secret);
+	keydef->secret = isc_mem_strdup(keydef->mem, secret);
 	if (keydef->secret == NULL) {
 		return (ISC_R_NOMEMORY);
 	}
@@ -467,10 +463,10 @@ keyid_delete(dns_c_kid_t **keyid)
 	ki = *keyid;
-	isc_mem_free(ki->mylist->mem, ki->keyid);
+	isc_mem_free(ki->mem, ki->keyid);
 	ki->magic = 0;
-	isc_mem_put(ki->mylist->mem, ki, sizeof *ki);
+	isc_mem_put(ki->mem, ki, sizeof *ki);
 	*keyid = NULL;
@@ -527,6 +523,16 @@ dns_c_kidlist_find(dns_c_kidlist_t *list, const char *keyid,
 }
 void
 dns_c_kidlist_append(dns_c_kidlist_t *list, dns_c_kid_t *keyid)
 {
 	REQUIRE(DNS_C_KEYIDLIST_VALID(list));
 	REQUIRE(DNS_C_KEYID_VALID(keyid));
 	ISC_LIST_APPEND(list->keyids, keyid, next);
 }
 void
 dns_c_kidlist_print(FILE *fp, int indent,
 		    dns_c_kidlist_t *list)
@@ -560,26 +566,24 @@ dns_c_kidlist_print(FILE *fp, int indent,
 isc_result_t
-dns_c_kid_new(dns_c_kidlist_t *list, const char *name, dns_c_kid_t **keyid)
+dns_c_kid_new(isc_mem_t *mem, const char *name, dns_c_kid_t **keyid)
 {
 	dns_c_kid_t *ki;
 	REQUIRE(DNS_C_KEYIDLIST_VALID(list));
 	REQUIRE(name != NULL);
 	REQUIRE(*name != '\0');
 	REQUIRE(keyid != NULL);
-	ki = isc_mem_get(list->mem, sizeof *ki);
+	ki = isc_mem_get(mem, sizeof *ki);
 	if (ki == NULL) {
 		return (ISC_R_NOMEMORY);
 	}
 	ki->magic = DNS_C_KEYID_MAGIC;
-	ki->mylist = list;
+	ki->mem = mem;
-	ki->keyid = isc_mem_strdup(list->mem, name);
+	ki->keyid = isc_mem_strdup(mem, name);
 	ISC_LINK_INIT(ki, next);
 	ISC_LIST_APPEND(list->keyids, ki, next);
 	*keyid = ki;
--- a/lib/dns/config/confndc.c
+++ b/lib/dns/config/confndc.c
@@ -15,7 +15,7 @@
 * SOFTWARE.
 */
-/* $Id: confndc.c,v 1.7 2000/04/05 16:39:24 brister Exp $ */
+/* $Id: confndc.c,v 1.8 2000/04/07 13:35:04 brister Exp $ */
 /*
 **	options {
@@ -1258,9 +1258,10 @@ parse_keystmt(ndcpcontext *pctx, dns_c_kdeflist_t *keys) {
 	if (result != ISC_R_SUCCESS)
 		goto done;
-	result = dns_c_kdef_new(keys, keyname, &key);
+	result = dns_c_kdef_new(keys->mem, keyname, &key);
 	if (result != ISC_R_SUCCESS)
 		goto done;
 	dns_c_kdeflist_append(keys, key, ISC_FALSE);
 	result = dns_c_kdef_setalgorithm(key, algorithm);
 	if (result != ISC_R_SUCCESS)
--- a/lib/dns/config/confparser.y
+++ b/lib/dns/config/confparser.y
@@ -16,7 +16,7 @@
 * SOFTWARE.
 */
-/* $Id: confparser.y,v 1.60 2000/04/06 20:12:26 brister Exp $ */
+/* $Id: confparser.y,v 1.61 2000/04/07 13:35:05 brister Exp $ */
 #include <config.h>
@@ -79,6 +79,11 @@ struct confssu_s {
 	struct confrdtype_s rdatatypes;
 };
 struct keydetails_s {
 	char *algorithm;
 	char *secret;
 };
 /* All these statics are protected by the above yacc_mutex */
 static dns_c_ctx_t	       *currcfg;
@@ -127,6 +132,7 @@ static isc_boolean_t	int_too_big(isc_uint32_t base, isc_uint32_t mult);
 	struct in6_addr		ip6_addr;
 	isc_sockaddr_t		ipaddress;
 	struct keydetails_s	keydetails;
 	struct confssu_s	ssu;
 	struct confrdtype_s	rdatatypelist;
 	dns_rdatatype_t		rdatatype;
@@ -339,7 +345,8 @@ static isc_boolean_t	int_too_big(isc_uint32_t base, isc_uint32_t mult);
 %type <rrclass>		class_name
 %type <rrclass>		wild_class_name
 %type <rrclass>		optional_class
-%type <severity>	check_names_opt;
+%type <severity>	check_names_opt
 %type <keydetails>	key_definition
 %type <ssu>		grant_stmt
 %type <text>		algorithm_id
 %type <text>		any_string
@@ -2445,8 +2452,16 @@ address_match_element: address_match_simple
 	| L_SEC_KEY L_STRING
 	{
 		dns_c_ipmatchelement_t *ime = NULL;
 		dns_c_view_t *view = dns_c_ctx_getcurrview(currcfg);
 		isc_boolean_t isdefined;
 		if (view != NULL) {
 			isdefined = dns_c_view_keydefinedp(view, $2);
 		} else {
 			isdefined = dns_c_ctx_keydefinedp(currcfg, $2);
 		}
-		if (!dns_c_ctx_keydefinedp(currcfg, $2)) {
+		if (!isdefined) {
 			parser_error(ISC_FALSE,
 				     "address match key element (%s) "
 				     "referenced before defined", $2);
@@ -2677,62 +2692,90 @@ address_name: any_string
 */
-key_stmt: L_SEC_KEY any_string
+key_stmt: L_SEC_KEY any_string L_LBRACE key_definition L_RBRACE
 	{
 		dns_c_kdef_t *keydef;
 		dns_c_view_t *view = dns_c_ctx_getcurrview(currcfg);
 		dns_c_kdeflist_t *list = NULL;
-		if (currcfg->keydefs == NULL) {
+		if (view == NULL) {
 			tmpres = dns_c_ctx_getkdeflist(currcfg, &list);
 		} else {
 			tmpres = dns_c_view_getkeydefs(view, &list);
 		}
 		if (tmpres == ISC_R_NOTFOUND) {
 			tmpres = dns_c_kdeflist_new(currcfg->mem,
-						    &currcfg->keydefs);
+						    &list);
 			if (tmpres != ISC_R_SUCCESS) {
 				parser_error(ISC_FALSE,
 					     "failed to create keylist");
 				isc_mem_free(memctx, $2);
 				isc_mem_free(memctx, $4.algorithm);
 				isc_mem_free(memctx, $4.secret);
 				YYABORT;
 			}
 			if (view == NULL) {
 				tmpres = dns_c_ctx_setkdeflist(currcfg,
 							       list,
 							       ISC_FALSE);
 			} else {
 				tmpres = dns_c_view_setkeydefs(view, list);
 			}
 			if (tmpres != ISC_R_SUCCESS) {
 				parser_error(ISC_FALSE,
 					     "failed to set keylist");
 				dns_c_kdeflist_delete(&list);
 				isc_mem_free(memctx, $2);
 				isc_mem_free(memctx, $4.algorithm);
 				isc_mem_free(memctx, $4.secret);
 				YYABORT;
 			}
 		}
-		tmpres = dns_c_kdef_new(currcfg->keydefs,
+		tmpres = dns_c_kdef_new(currcfg->mem, $2, &keydef);
 					$2, &keydef);
 		if (tmpres != ISC_R_SUCCESS) {
-			parser_error(ISC_FALSE,
+			parser_error(ISC_FALSE, "failed to create key");
-				     "failed to create key definition");
+			isc_mem_free(memctx, $2);
 			isc_mem_free(memctx, $4.algorithm);
 			isc_mem_free(memctx, $4.secret);
 			YYABORT;
 		}
 		tmpres = dns_c_kdef_setalgorithm(keydef, $4.algorithm);
 		if (tmpres == ISC_R_SUCCESS) {
 			tmpres = dns_c_kdef_setsecret(keydef, $4.secret);
 		}
 		if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "failed to set key details.");
 			isc_mem_free(memctx, $2);
 			isc_mem_free(memctx, $4.algorithm);
 			isc_mem_free(memctx, $4.secret);
 		}
 		dns_c_kdeflist_append(list, keydef, ISC_FALSE);
 		isc_mem_free(memctx, $2);
 		isc_mem_free(memctx, $4.algorithm);
 		isc_mem_free(memctx, $4.secret);
 	}
 	L_LBRACE key_definition L_RBRACE
 	;
 key_definition: algorithm_id secret
 	{
-		dns_c_kdef_t *keydef;
+		$$.algorithm = $1;
-
+		$$.secret = $2;
 		INSIST(currcfg->keydefs != NULL);
 		keydef = ISC_LIST_TAIL(currcfg->keydefs->keydefs);
 		INSIST(keydef != NULL);
 		dns_c_kdef_setalgorithm(keydef, $1);
 		dns_c_kdef_setsecret(keydef, $2);
 		isc_mem_free(memctx, $1);
 		isc_mem_free(memctx, $2);
 	}
 	| secret algorithm_id
 	{
-		dns_c_kdef_t *keydef;
+		$$.algorithm = $2;
-
+		$$.secret = $1;
 		INSIST(currcfg->keydefs != NULL);
 		keydef = ISC_LIST_TAIL(currcfg->keydefs->keydefs);
 		INSIST(keydef != NULL);
 		dns_c_kdef_setsecret(keydef, $1);
 		dns_c_kdef_setalgorithm(keydef, $2);
 		isc_mem_free(memctx, $1);
 		isc_mem_free(memctx, $2);
 	}
 	;
@@ -3274,6 +3317,7 @@ view_option: L_FORWARD zone_forward_opt
 			YYABORT;
 		}
 	}
 	| key_stmt
        | zone_stmt
 	;
--- a/lib/dns/config/confview.c
+++ b/lib/dns/config/confview.c
@@ -15,7 +15,7 @@
 * SOFTWARE.
 */
-/* $Id: confview.c,v 1.19 2000/04/06 10:35:26 brister Exp $ */
+/* $Id: confview.c,v 1.20 2000/04/07 13:35:06 brister Exp $ */
 #include <config.h>
@@ -503,6 +503,7 @@ dns_c_view_new(isc_mem_t *mem, const char *name, dns_rdataclass_t viewclass,
 	view->max_ncache_ttl = NULL;
 	view->transfer_format = NULL;
 	view->keydefs = NULL;
 #if 0
 	view->max_transfer_time_in = NULL;
@@ -671,6 +672,11 @@ dns_c_view_print(FILE *fp, int indent, dns_c_view_t *view)
 	}
 	if (view->keydefs != NULL) {
 		dns_c_kdeflist_print(fp, indent + 1, view->keydefs);
 	}
 #if 0	
 	PRINT_INT32(max_transfer_time_in, "max-transfer-time-in");
 	PRINT_INT32(max_transfer_idle_in, "max-transfer-idle-in");
@@ -771,6 +777,8 @@ dns_c_view_delete(dns_c_view_t **viewptr)
 	FREEFIELD(transfer_format);
 	dns_c_view_unsetkeydefs(view);
 #if 0	
 	FREEFIELD(max_transfer_time_in);
 	FREEFIELD(max_transfer_idle_in);
@@ -785,7 +793,28 @@ dns_c_view_delete(dns_c_view_t **viewptr)
 	return (ISC_R_SUCCESS);
 }
 isc_boolean_t
 dns_c_view_keydefinedp(dns_c_view_t *view, const char *keyname)
 {
 	dns_c_kdef_t *keyid;
 	isc_result_t res;
 	isc_boolean_t rval = ISC_FALSE;
 	REQUIRE(DNS_C_VIEW_VALID(view));
 	REQUIRE(keyname != NULL);
 	REQUIRE(*keyname != '\0');
 	if (view->keydefs != NULL) {
 		res = dns_c_kdeflist_find(view->keydefs, keyname, &keyid);
 		if (res == ISC_R_SUCCESS) {
 			rval = ISC_TRUE;
 		}
 	}
 	return rval;
 }
 isc_result_t
 dns_c_view_getname(dns_c_view_t *view, const char **retval)
 {
@@ -1125,7 +1154,54 @@ dns_c_view_unsetchecknames(dns_c_view_t *view,
 }
-		
+isc_result_t
 dns_c_view_getkeydefs(dns_c_view_t *view, dns_c_kdeflist_t **retval)
 {
 	REQUIRE(DNS_C_VIEW_VALID(view));
 	REQUIRE(retval != NULL);
 	*retval = view->keydefs;
 	if (view->keydefs == NULL) {
 		return (ISC_R_NOTFOUND);
 	} else {
 		return (ISC_R_SUCCESS);
 	}
 }
 isc_result_t
 dns_c_view_setkeydefs(dns_c_view_t *view, dns_c_kdeflist_t *newval)
 {
 	REQUIRE(DNS_C_VIEW_VALID(view));
 	REQUIRE(DNS_C_KDEFLIST_VALID(newval));
 	if (view->keydefs != NULL) {
 		dns_c_view_unsetkeydefs(view);
 	}
 	view->keydefs = newval;
 	return (ISC_R_SUCCESS);
 }
 isc_result_t
 dns_c_view_unsetkeydefs(dns_c_view_t *view)
 {
 	REQUIRE(DNS_C_VIEW_VALID(view));
 	if (view->keydefs != NULL) {
 		dns_c_kdeflist_delete(&view->keydefs);
 		view->keydefs = NULL;
 		return (ISC_R_SUCCESS);
 	} else {
 		return (ISC_R_NOTFOUND);
 	}
 }
 GETIPMLIST(allowquery, allowquery)
 SETIPMLIST(allowquery, allowquery)
 UNSETIPMLIST(allowquery, allowquery)
--- a/lib/dns/include/dns/confkeys.h
+++ b/lib/dns/include/dns/confkeys.h
@@ -143,7 +143,7 @@ struct dns_c_pklist
 struct dns_c_kdef 
 {
 	isc_uint32_t		magic;
-	dns_c_kdeflist_t      *mylist;	
+	isc_mem_t	       *mem;
 	char		       *keyid;
 	char		       *algorithm;
@@ -167,7 +167,7 @@ struct dns_c_kdef_list
 struct dns_c_kid
 {
 	isc_uint32_t		magic;
-	dns_c_kidlist_t	      *mylist;
+	isc_mem_t	       *mem;
 	char		       *keyid;
 	ISC_LINK(dns_c_kid_t)	next;
@@ -230,11 +230,16 @@ isc_result_t	dns_c_kidlist_undef(dns_c_kidlist_t *list,
 isc_result_t	dns_c_kidlist_find(dns_c_kidlist_t *list,
 				   const char *keyid,
 				   dns_c_kid_t **retval);
 void		dns_c_kidlist_append(dns_c_kidlist_t *list,
 				     dns_c_kid_t *keyid);
 void		dns_c_kidlist_print(FILE *fp, int indent,
 				    dns_c_kidlist_t *list);
-isc_result_t	dns_c_kid_new(dns_c_kidlist_t *list, const char *name,
+isc_result_t	dns_c_kid_new(isc_mem_t *mem, const char *name,
 			      dns_c_kid_t **keyid);
 isc_result_t	dns_c_kdeflist_new(isc_mem_t *mem,
 				   dns_c_kdeflist_t **list);
 isc_result_t	dns_c_kdeflist_delete(dns_c_kdeflist_t **list);
@@ -252,7 +257,7 @@ isc_result_t	dns_c_kdeflist_find(dns_c_kdeflist_t *list,
 void		dns_c_kdeflist_print(FILE *fp, int indent,
 				     dns_c_kdeflist_t *list);
-isc_result_t	dns_c_kdef_new(dns_c_kdeflist_t *list, const char *name,
+isc_result_t	dns_c_kdef_new(isc_mem_t *mem, const char *name,
 			       dns_c_kdef_t **keyid);
 isc_result_t	dns_c_kdef_delete(dns_c_kdef_t **keydef);
 isc_result_t	dns_c_kdef_copy(isc_mem_t *mem,
--- a/lib/dns/include/dns/confview.h
+++ b/lib/dns/include/dns/confview.h
@@ -148,6 +148,8 @@ struct dns_c_view
 	dns_transfer_format_t  *transfer_format;
 	dns_c_kdeflist_t       *keydefs;
 #if 0	
 	/*
 	 * To implement later.
@@ -187,6 +189,14 @@ isc_result_t	dns_c_viewtable_checkviews(dns_c_viewtable_t *viewtable);
 /* NOTE: For the various get* functions. The caller must not delete the
 * refutned value.
 *
 *	- For functions where retval is a dns_c_ipmatchlist_t
 *	  (e.g. dns_c_view_getallowquery) the caller must call
 *	  dns_c_ipmatcglist_detach() when finished with retval).
 *
 */
 isc_result_t	dns_c_view_new(isc_mem_t *mem, const char *name,
 			       dns_rdataclass_t viewclass,
@@ -194,6 +204,9 @@ isc_result_t	dns_c_view_new(isc_mem_t *mem, const char *name,
 isc_result_t	dns_c_view_delete(dns_c_view_t **viewptr);
 void		dns_c_view_print(FILE *fp, int indent, dns_c_view_t *view);
 isc_boolean_t	dns_c_view_keydefinedp(dns_c_view_t *view,
 				       const char *keyname);
 isc_result_t	dns_c_view_getname(dns_c_view_t *view,
 				   const char **retval);
@@ -223,50 +236,49 @@ isc_result_t	dns_c_view_getforwarders(dns_c_view_t *view,
 isc_result_t	dns_c_view_getallowquery(dns_c_view_t *view,
-					 dns_c_ipmatchlist_t **rval);
+					 dns_c_ipmatchlist_t **retval);
 isc_result_t	dns_c_view_setallowquery(dns_c_view_t *view,
 					 dns_c_ipmatchlist_t *newval);
 isc_result_t	dns_c_view_unsetallowquery(dns_c_view_t *view);
 isc_result_t	dns_c_view_getallowupdateforwarding(dns_c_view_t *view,
-						   dns_c_ipmatchlist_t **rval);
+						 dns_c_ipmatchlist_t **retval);
 isc_result_t	dns_c_view_setallowupdateforwarding(dns_c_view_t *view,
 						  dns_c_ipmatchlist_t *newval);
 isc_result_t	dns_c_view_unsetallowupdateforwarding(dns_c_view_t *view);
 isc_result_t	dns_c_view_gettransferacl(dns_c_view_t *view,
-					  dns_c_ipmatchlist_t **rval);
+					  dns_c_ipmatchlist_t **retval);
 isc_result_t	dns_c_view_settransferacl(dns_c_view_t *view,
 					  dns_c_ipmatchlist_t *newval);
 isc_result_t	dns_c_view_unsettransferacl(dns_c_view_t *view);
 isc_result_t	dns_c_view_getrecursionacl(dns_c_view_t *view,
-					   dns_c_ipmatchlist_t **rval);
+					   dns_c_ipmatchlist_t **retval);
 isc_result_t	dns_c_view_setrecursionacl(dns_c_view_t *view,
 					   dns_c_ipmatchlist_t *newval);
 isc_result_t	dns_c_view_unsetrecursionacl(dns_c_view_t *view);
 isc_result_t	dns_c_view_getsortlist(dns_c_view_t *view,
-				       dns_c_ipmatchlist_t **rval);
+				       dns_c_ipmatchlist_t **retval);
 isc_result_t	dns_c_view_setsortlist(dns_c_view_t *view,
 				       dns_c_ipmatchlist_t *newval);
 isc_result_t	dns_c_view_unsetsortlist(dns_c_view_t *view);
 isc_result_t	dns_c_view_gettopology(dns_c_view_t *view,
-				       dns_c_ipmatchlist_t **rval);
+				       dns_c_ipmatchlist_t **retval);
 isc_result_t	dns_c_view_settopology(dns_c_view_t *view,
 				       dns_c_ipmatchlist_t *newval);
 isc_result_t	dns_c_view_unsettopology(dns_c_view_t *view);
 isc_result_t	dns_c_view_getmatchclients(dns_c_view_t *view,
-				       dns_c_ipmatchlist_t **rval);
+				       dns_c_ipmatchlist_t **retval);
 isc_result_t	dns_c_view_setmatchclients(dns_c_view_t *view,
 				       dns_c_ipmatchlist_t *newval);
 isc_result_t	dns_c_view_unsetmatchclients(dns_c_view_t *view);
@@ -419,7 +431,12 @@ isc_result_t dns_c_view_gettransferformat(dns_c_view_t *view,
 isc_result_t dns_c_view_unsettransferformat(dns_c_view_t *cfg);
-
+/* Caller must not delete retval */
 isc_result_t dns_c_view_getkeydefs(dns_c_view_t *view,
 				   dns_c_kdeflist_t **retval);
 isc_result_t dns_c_view_setkeydefs(dns_c_view_t *view,
 				   dns_c_kdeflist_t *newval);
 isc_result_t dns_c_view_unsetkeydefs(dns_c_view_t *view);