better error reporting and miscellaneous cleanup

bin/dnssec/dnssec-keygen.c

@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THE SOFTWARE.
  */
 
-/* $Id: dnssec-keygen.c,v 1.18 2000/05/15 21:06:41 bwelling Exp $ */
+/* $Id: dnssec-keygen.c,v 1.19 2000/05/16 18:40:57 bwelling Exp $ */
 
 #include <config.h>
 
@@ -33,12 +33,81 @@
 #include <dst/dst.h>
 #include <dst/result.h>
 
-static isc_boolean_t dsa_size_ok(int size);
-static void die(char *str);
-static void usage(char *prog);
+#define PROGRAM "keygen"
+
+#define MAX_RSA 2048 /* XXX ogud update this when rsa library is updated */
 
 static int verbose;
-#define MAX_RSA 2048 /* XXX ogud update this when rsa library is updated */
+
+static inline void
+fatal(char *format, ...) {
+	va_list args;
+
+	fprintf(stderr, "%s: ", PROGRAM);
+	va_start(args, format);
+	vfprintf(stderr, format, args);
+	va_end(args);
+	fprintf(stderr, "\n");
+	exit(1);
+}
+
+static inline void
+check_result(isc_result_t result, char *message) {
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "%s: %s: %s\n", PROGRAM, message,
+			isc_result_totext(result));
+		exit(1);
+	}
+}
+
+/* Not thread-safe! */
+static char *
+algtostr(const dns_secalg_t alg) {
+	isc_buffer_t b;
+	isc_region_t r;
+	isc_result_t result;
+	static char data[10];
+
+	isc_buffer_init(&b, data, sizeof(data));
+	result = dns_secalg_totext(alg, &b);
+	check_result(result, "dns_secalg_totext()");
+	isc_buffer_usedregion(&b, &r);
+	r.base[r.length] = 0;
+	return (char *) r.base;
+}
+
+static isc_boolean_t
+dsa_size_ok(int size) {
+	return (ISC_TF(size >= 512 && size <= 1024 && size % 64 == 0));
+}
+
+static void
+usage(char *prog) {
+	printf("Usage:\n");
+	printf("    %s [options] name\n\n", prog);
+	printf("Required options:\n");
+	printf("    -a algorithm: RSA | RSAMD5 | DH | DSA | HMAC-MD5\n");
+	printf("    -b key size, in bits:\n");
+	printf("        RSA:\t\t[512..%d]\n", MAX_RSA);
+	printf("        DH:\t\t[128..4096]\n");
+	printf("        DSA:\t\t[512..1024] and dividable by 64\n");
+	printf("        HMAC-MD5:\t[1..512]\n");
+	printf("    -n nametype: ZONE | HOST | ENTITY | USER\n");
+	printf("    name: owner of the key\n");
+	printf("Other options:\n");
+	printf("    -e use large exponent (RSA only)\n");
+	printf("    -g use specified generator (DH only)\n");
+	printf("    -t type: AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF\n");
+	printf("        default: AUTHCONF\n");
+	printf("    -p protocol value\n");
+	printf("        default: 2 (email) for User keys, "
+	       			"3 (dnssec) for all others\n");
+	printf("    -s strength value this key signs DNS records with\n");
+	printf("        default: 0\n");
+	printf("    -v verbose level\n");
+
+	exit (-1);
+}
 
 int
 main(int argc, char **argv) {
@@ -64,7 +133,7 @@ main(int argc, char **argv) {
 	else
 		prog = isc_mem_strdup(mctx, ++prog);
 	if (prog == NULL)
-		die("strdup failure");
+		fatal("out of memory");
 
 	if (argc == 1)
 		usage(prog);
@@ -77,12 +146,12 @@ main(int argc, char **argv) {
 			algname = isc_mem_strdup(mctx,
 						  isc_commandline_argument);
 			if (algname == NULL)
-				die("strdup failure");
+				fatal("out of memory");
 			break;
 		case 'b':
 			size = strtol(isc_commandline_argument, &endp, 10);
 			if (*endp != '\0' || size < 0)
-				die("-b requires a non-negative number");
+				fatal("-b requires a non-negative number");
 			break;
 		case 'e':
 			rsa_exp = 1;
@@ -90,36 +159,37 @@ main(int argc, char **argv) {
 		case 'g':
 			generator = strtol(isc_commandline_argument, &endp, 10);
 			if (*endp != '\0' || generator <= 0)
-				die("-g requires a positive number");
+				fatal("-g requires a positive number");
 			break;
 		case 'n':
 			nametype = isc_mem_strdup(mctx,
 						  isc_commandline_argument);
 			if (nametype == NULL)
-				die("strdup failure");
+				fatal("out of memory");
 			break;
 		case 't':
 			type = isc_mem_strdup(mctx, isc_commandline_argument);
 			if (type == NULL)
-				die("strdup failure");
+				fatal("out of memory");
 			break;
 		case 'p':
 			protocol = strtol(isc_commandline_argument, &endp, 10);
 			if (*endp != '\0' || protocol < 0 || protocol > 255)
-				die("-p must be followed by "
-				    "a number [0..255]");
+				fatal("-p must be followed by a number "
+				      "[0..255]");
 			break;
 		case 's':
 			signatory = strtol(isc_commandline_argument,
 					   &endp, 10);
 			if (*endp != '\0' || signatory < 0 || signatory > 15)
-				die("-s must be followed by a number [0..15]");
+				fatal("-s must be followed by a number "
+				      "[0..15]");
 			break;
 		case 'v':
 			endp = NULL;
 			verbose = strtol(isc_commandline_argument, &endp, 0);
 			if (*endp != '\0')
-				die("-v must be followed by a number");
+				fatal("-v must be followed by a number");
 			break;
 
 		case 'h':
@@ -131,12 +201,12 @@ main(int argc, char **argv) {
 	}
 
 	if (argc < isc_commandline_index + 1)
-		die("Must specify a domain name");
+		fatal("the key name was not specified");
 	if (argc > isc_commandline_index + 1)
-		die("Extraneous arguments");
+		fatal("extraneous arguments");
 
 	if (algname == NULL)
-		die("No algorithm specified");
+		fatal("no algorithm was specified");
 	if (strcasecmp(algname, "RSA") == 0)
 		alg = DNS_KEYALG_RSA;
 	else if (strcasecmp(algname, "HMAC-MD5") == 0)
@@ -146,10 +216,10 @@ main(int argc, char **argv) {
 		r.length = strlen(algname);
 		ret = dns_secalg_fromtext(&alg, &r);
 		if (ret != ISC_R_SUCCESS)
-			die("Unknown algorithm");
+			fatal("unknown algorithm %s", algname);
 	}
 	if (dst_supported_algorithm(alg) == ISC_FALSE)
-		die("Unsupported algorithm");
+		fatal("unsupported algorithm %s", algname);
 
 	if (type != NULL) {
 		if (strcasecmp(type, "NOAUTH") == 0)
@@ -164,39 +234,39 @@ main(int argc, char **argv) {
 		else if (strcasecmp(type, "AUTHCONF") == 0)
 			/* nothing */;
 		else
-			die("Invalid type");
+			fatal("invalid type %s", type);
 	}
 
 	if (size < 0)
-		die("Must specify key size (-b option)");
+		fatal("key size not specified (-b option)");
 
 	switch (alg) {
 	case DNS_KEYALG_RSA:
 		if (size != 0 && (size < 512 || size > MAX_RSA))
-			die("RSA key size out of range");
+			fatal("RSA key size %d out of range", size);
 		break;
 	case DNS_KEYALG_DH:
 		if (size != 0 && (size < 128 || size > 4096))
-			die("DH key size out of range");
+			fatal("DH key size %d out of range", size);
 		break;
 	case DNS_KEYALG_DSA:
 		if (size != 0 && !dsa_size_ok(size))
-			die("Invalid DSS key size");
+			fatal("Invalid DSS key size: %d", size);
 		break;
 	case DST_ALG_HMACMD5:
 		if (size < 1 || size > 512)
-			die("Invalid HMAC-MD5 key size");
+			fatal("HMAC-MD5 key size %d out of range", size);
 		break;
 	}
 
 	if (alg != DNS_KEYALG_RSA && rsa_exp != 0)
-		die("Cannot specify RSA exponent without RSA");
+		fatal("specified RSA exponent without RSA");
 
 	if (alg != DNS_KEYALG_DH && generator != 0)
-		die("Cannot specify DH generator without DH");
+		fatal("specified DH generator without DH");
 
 	if (nametype == NULL)
-		die("No nametype specified");
+		fatal("no nametype specified");
 	if (strcasecmp(nametype, "zone") == 0)
 		flags |= DNS_KEYOWNER_ZONE;
 	else if (strcasecmp(nametype, "host") == 0 ||
@@ -205,7 +275,7 @@ main(int argc, char **argv) {
 	else if (strcasecmp(nametype, "user") == 0)
 		flags |= DNS_KEYOWNER_USER;
 	else
-		die("Invalid nametype");
+		fatal("invalid nametype %s", nametype);
 
 	flags |= signatory;
 
@@ -218,14 +288,14 @@ main(int argc, char **argv) {
 
 	if ((flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY) {
 		if (size > 0)
-			die("Specified null key with non-zero size");
+			fatal("Specified null key with non-zero size");
 		if ((flags & DNS_KEYFLAG_SIGNATORYMASK) != 0)
-			die("Specified null key with signing authority");
+			fatal("Specified null key with signing authority");
 	}
 
 	name = isc_mem_allocate(mctx, strlen(argv[isc_commandline_index]) + 2);
 	if (name == NULL)
-		die("strdup failure");
+		fatal("out of memory");
 	strcpy(name, argv[isc_commandline_index]);
 	if (name[strlen(name) - 1] != '.') {
 		strcat(name, ".");
@@ -262,7 +332,7 @@ main(int argc, char **argv) {
 				       mctx, &key);
 
 		if (ret != ISC_R_SUCCESS) {
-			fprintf(stderr, "keygen: failed to generate key: %s\n", 
+			fatal("failed to generate key %s/%d: %s\n", name, alg,
 				dst_result_totext(ret));
 			exit(-1);
 		}
@@ -288,15 +358,13 @@ main(int argc, char **argv) {
 	} while (conflict == ISC_TRUE);
 
 	if (conflict)
-		die("Attempting to generate a null key when a key with id 0 "
-		    "already exists\n");
+		fatal("cannot generate a null key when a key with id 0 "
+		      "already exists");
 
 	ret = dst_key_tofile(key, DST_TYPE_PUBLIC | DST_TYPE_PRIVATE);
-	if (ret != ISC_R_SUCCESS) {
-		fprintf(stderr, "keygen: failed to write key %s(%d)\n", name, 
-			dst_key_id(key));
-		exit(-1); 
-	}
+	if (ret != ISC_R_SUCCESS)
+		fatal("failed to write key %s/%s/%d: %s\n", name, 
+			dst_key_id(key), algtostr(alg), isc_result_totext(ret));
 
 	isc_buffer_clear(&buf);
 	ret = dst_key_buildfilename(key, 0, &buf);
@@ -313,42 +381,3 @@ main(int argc, char **argv) {
 
 	return (0);
 }
-
-static isc_boolean_t
-dsa_size_ok(int size) {
-	return (ISC_TF(size >= 512 && size <= 1024 && size % 64 == 0));
-}
-
-static void
-die(char *str) {
-	fprintf(stderr, "keygen: %s\n", str);
-	exit(-1);
-}
-
-static void
-usage(char *prog) {
-	printf("Usage:\n");
-	printf("    %s [options] name\n\n", prog);
-	printf("Required options:\n");
-	printf("    -a algorithm: RSA | RSAMD5 | DH | DSA | HMAC-MD5\n");
-	printf("    -b key size, in bits:\n");
-	printf("        RSA:\t\t[512..%d]\n", MAX_RSA);
-	printf("        DH:\t\t[128..4096]\n");
-	printf("        DSA:\t\t[512..1024] and dividable by 64\n");
-	printf("        HMAC-MD5:\t[1..512]\n");
-	printf("    -n nametype: ZONE | HOST | ENTITY | USER\n");
-	printf("    name: owner of the key\n");
-	printf("Other options:\n");
-	printf("    -e use large exponent (RSA only)\n");
-	printf("    -g use specified generator (DH only)\n");
-	printf("    -t type: AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF\n");
-	printf("        default: AUTHCONF\n");
-	printf("    -p protocol value\n");
-	printf("        default: 2 (email) for User keys, "
-	       			"3 (dnssec) for all others\n");
-	printf("    -s strength value this key signs DNS records with\n");
-	printf("        default: 0\n");
-	printf("    -v verbose level\n");
-
-	exit (-1);
-}

bin/dnssec/dnssec-makekeyset.c

@@ -32,6 +32,7 @@
 #include <dns/rdatalist.h>
 #include <dns/rdataset.h>
 #include <dns/result.h>
+#include <dns/secalg.h>
 #include <dns/time.h>
 
 #define PROGRAM "keysettool"
@@ -78,10 +79,28 @@ static char *
 nametostr(dns_name_t *name) {
 	isc_buffer_t b;
 	isc_region_t r;
+	isc_result_t result;
 	static char data[1025];
 
 	isc_buffer_init(&b, data, sizeof(data));
-	dns_name_totext(name, ISC_FALSE, &b);
+	result = dns_name_totext(name, ISC_FALSE, &b);
+	check_result(result, "dns_name_totext()");
+	isc_buffer_usedregion(&b, &r);
+	r.base[r.length] = 0;
+	return (char *) r.base;
+}
+
+/* Not thread-safe! */
+static char *
+algtostr(const dns_secalg_t alg) {
+	isc_buffer_t b;
+	isc_region_t r;
+	isc_result_t result;
+	static char data[10];
+
+	isc_buffer_init(&b, data, sizeof(data));
+	result = dns_secalg_totext(alg, &b);
+	check_result(result, "dns_secalg_totext()");
 	isc_buffer_usedregion(&b, &r);
 	r.base[r.length] = 0;
 	return (char *) r.base;
@@ -104,6 +123,7 @@ strtotime(char *str, isc_int64_t now, isc_int64_t base) {
 	}
 	else {
 		result = dns_time64_fromtext(str, &val);
+		if (result != ISC_R_SUCCESS)
 			fatal("time %s must be numeric", str);
 	}
 	if (*endp != '\0')
@@ -304,8 +324,8 @@ main(int argc, char *argv[]) {
 						  &zonekey);
 			
 			if (result != ISC_R_SUCCESS)
-				fatal("failed to read key %s/%d/%d: %s",
-				      namestr, id, alg,
+				fatal("failed to read key %s/%s/%d: %s",
+				      namestr, id, algtostr(alg),
 				      isc_result_totext(result));
 			keynode = isc_mem_get(mctx, sizeof (keynode_t));
 			if (keynode == NULL)
@@ -323,8 +343,9 @@ main(int argc, char *argv[]) {
 		isc_buffer_init(&b, data, BUFSIZE);
 		result = dst_key_todns(key, &b);
 		if (result != ISC_R_SUCCESS)
-			fatal("failed to convert key %s/%d/%d to a DNS KEY: %s",
-			      namestr, id, alg, isc_result_totext(result));
+			fatal("failed to convert key %s/%s/%d to a DNS KEY: %s",
+			      namestr, id, algtostr(alg),
+			      isc_result_totext(result));
 		isc_buffer_usedregion(&b, &r);
 		dns_rdata_fromregion(rdata, dns_rdataclass_in,
 				     dns_rdatatype_key, &r);
@@ -364,10 +385,10 @@ main(int argc, char *argv[]) {
 					 &starttime, &endtime, mctx, &b,
 					 rdata);
 		if (result != ISC_R_SUCCESS)
-			fatal("failed to sign keyset with key %s/%d/%d: %s",
+			fatal("failed to sign keyset with key %s/%s/%d: %s",
 			      dst_key_name(keynode->key),
+			      algtostr(dst_key_alg(keynode->key)),
 			      dst_key_id(keynode->key),
-			      dst_key_alg(keynode->key),
 			      isc_result_totext(result));
 		ISC_LIST_APPEND(sigrdatalist.rdata, rdata, link);
 		dns_rdataset_init(&sigrdataset);

bin/dnssec/dnssec-signkey.c

@@ -32,6 +32,7 @@
 #include <dns/rdataset.h>
 #include <dns/rdatastruct.h>
 #include <dns/result.h>
+#include <dns/secalg.h>
 
 #define PROGRAM "keysigner"
 
@@ -52,8 +53,14 @@ static isc_mem_t *mctx = NULL;
 static keylist_t keylist;
 
 static inline void
-fatal(char *message) {
-	fprintf(stderr, "%s: %s\n", PROGRAM, message);
+fatal(char *format, ...) {
+	va_list args;
+
+	fprintf(stderr, "%s: ", PROGRAM);
+	va_start(args, format);
+	vfprintf(stderr, format, args);
+	va_end(args);
+	fprintf(stderr, "\n");
 	exit(1);
 }
 
@@ -66,6 +73,39 @@ check_result(isc_result_t result, char *message) {
 	}
 }
 
+/* Not thread-safe! */
+static char *
+nametostr(dns_name_t *name) {
+	isc_buffer_t b;
+	isc_region_t r;
+	isc_result_t result;
+	static char data[1025];
+
+	isc_buffer_init(&b, data, sizeof(data));
+	result = dns_name_totext(name, ISC_FALSE, &b);
+	check_result(result, "dns_name_totext()");
+	isc_buffer_usedregion(&b, &r);
+	r.base[r.length] = 0;
+	return (char *) r.base;
+}
+
+/* Not thread-safe! */
+static char *
+algtostr(const dns_secalg_t alg) {
+	isc_buffer_t b;
+		        isc_region_t r;
+	isc_result_t result;
+	static char data[10];
+
+	isc_buffer_init(&b, data, sizeof(data));
+	result = dns_secalg_totext(alg, &b);
+	check_result(result, "dns_secalg_totext()");
+	isc_buffer_usedregion(&b, &r);
+	r.base[r.length] = 0;
+	return (char *) r.base;
+}
+
+
 static void
 usage() {
 	fprintf(stderr, "Usage:\n");
@@ -106,15 +146,14 @@ loadkeys(dns_name_t *name, dns_rdataset_t *rdataset) {
 			continue;
 		keynode = isc_mem_get(mctx, sizeof (keynode_t));
 		if (keynode == NULL)
-			check_result(ISC_R_NOMEMORY, "isc_mem_get()");
+			fatal("out of memory");
 		keynode->key = key;
 		keynode->verified = ISC_FALSE;
 		ISC_LINK_INIT(keynode, link);
 		ISC_LIST_APPEND(keylist, keynode, link);
 	}
-	if (result == ISC_R_NOMORE)
-		result = ISC_R_SUCCESS;
-	check_result(result, "loadkeys()");
+	if (result != ISC_R_NOMORE)
+		fatal("failure traversing key list");
 }
 
 static dst_key_t *
@@ -170,7 +209,7 @@ main(int argc, char *argv[]) {
 			endp = NULL;
 			verbose = strtol(isc_commandline_argument, &endp, 0);
 			if (*endp != '\0')
-				check_result(ISC_R_FAILURE, "strtol()");
+				fatal("verbose level must be numeric");
 			break;
 
 		default:
@@ -206,7 +245,8 @@ main(int argc, char *argv[]) {
 	isc_buffer_init(&b, argv[0], strlen(argv[0]) - 7);
 	isc_buffer_add(&b, strlen(argv[0]) - 7);
 	result = dns_name_fromtext(domain, &b, dns_rootname, ISC_FALSE, NULL);
-	check_result(result, "dns_name_fromtext()");
+	if (result != ISC_R_SUCCESS)
+		fatal("'%s' does not contain a valid domain name", argv[0]);
 	isc_buffer_init(&b, tdomain, sizeof(tdomain) - 1);
 	result = dns_name_totext(domain, ISC_FALSE, &b);
 	check_result(result, "dns_name_totext()");
@@ -216,7 +256,7 @@ main(int argc, char *argv[]) {
 	output = isc_mem_allocate(mctx,
 				  strlen(tdomain) + strlen("signedkey") + 1);
 	if (output == NULL)
-		check_result(ISC_R_FAILURE, "isc_mem_allocate()");
+		fatal("out of memory");
 	strcpy(output, tdomain);
 	strcat(output, "signedkey");
 
@@ -226,33 +266,45 @@ main(int argc, char *argv[]) {
 	check_result(result, "dns_db_create()");
 
 	result = dns_db_load(db, argv[0]);
-	check_result(result, "dns_db_load()");
+	if (result != ISC_R_SUCCESS)
+		fatal("failed to load database from '%s': %s", argv[0],
+		      isc_result_totext(result));
 
 	version = NULL;
 	dns_db_newversion(db, &version);
 
 	node = NULL;
 	result = dns_db_findnode(db, domain, ISC_FALSE, &node);
-	check_result(result, "dns_db_findnode()");
+	if (result != ISC_R_SUCCESS)
+		fatal("failed to find database node '%s': %s",
+		      nametostr(domain), isc_result_totext(result));
 
 	dns_rdataset_init(&rdataset);
 	dns_rdataset_init(&sigrdataset);
 	result = dns_db_findrdataset(db, node, version, dns_rdatatype_key, 0,
 				     0, &rdataset, &sigrdataset);
-	check_result(result, "dns_db_findrdataset()");
+	if (result != ISC_R_SUCCESS)
+		fatal("failed to find rdataset '%s KEY': %s",
+		      nametostr(domain), isc_result_totext(result));
 
 	loadkeys(domain, &rdataset);
 
+	if (!dns_rdataset_isassociated(&sigrdataset))
+		fatal("no SIG KEY set present");
+
 	result = dns_rdataset_first(&sigrdataset);
 	check_result(result, "dns_rdataset_first()");
 	do {
 		dns_rdataset_current(&sigrdataset, &sigrdata);
 		result = dns_rdata_tostruct(&sigrdata, &sig, mctx);
-		check_result(result, "dns_rdata_tostruct");
+		check_result(result, "dns_rdata_tostruct()");
 		key = findkey(&sig);
 		result = dns_dnssec_verify(domain, &rdataset, key,
 					   ISC_TRUE, mctx, &sigrdata);
-		check_result(result, "dns_dnssec_verify");
+		if (result != ISC_R_SUCCESS)
+			fatal("signature by key '%s/%s/%d' did not verify: %s",
+			      dst_key_name(key), algtostr(dst_key_alg(key)),
+			      dst_key_id(key), isc_result_totext(result));
 		dns_rdata_freestruct(&sig);
 		result = dns_rdataset_next(&sigrdataset);
 	} while (result == ISC_R_SUCCESS);
@@ -295,20 +347,26 @@ main(int argc, char *argv[]) {
 		key = NULL;
 		result = dst_key_fromfile(namestr, id, alg, DST_TYPE_PRIVATE,
 					  mctx, &key);
-		check_result (result, "dst_key_fromfile()");
+		if (result != ISC_R_SUCCESS)
+			fatal("failed to read key %s/%s/%d from disk: %s",
+			      dst_key_name(key), algtostr(dst_key_alg(key)),
+			      dst_key_id(key), isc_result_totext(result));
 		isc_mem_put(mctx, namestr, strlen(namestr) + 1);
 
 		rdata = isc_mem_get(mctx, sizeof(dns_rdata_t));
 		if (rdata == NULL)
-			check_result(ISC_R_NOMEMORY, "isc_mem_get()");
+			fatal("out of memory");
 		data = isc_mem_get(mctx, BUFSIZE);
 		if (data == NULL)
-			check_result(ISC_R_NOMEMORY, "isc_mem_get()");
+			fatal("out of memory");
 		isc_buffer_init(&b, data, BUFSIZE);
 		result = dns_dnssec_sign(domain, &rdataset, key,
 					 &sig.timesigned, &sig.timeexpire,
 					 mctx, &b, rdata);
-		check_result (result, "dns_dnssec_sign()");
+		if (result != ISC_R_SUCCESS)
+			fatal("key '%s/%s/%d' failed to sign data: %s",
+			      dst_key_name(key), algtostr(dst_key_alg(key)),
+			      dst_key_id(key), isc_result_totext(result));
 		ISC_LIST_APPEND(sigrdatalist.rdata, rdata, link);
 		dst_key_free(key);
 	}
@@ -323,7 +381,9 @@ main(int argc, char *argv[]) {
 	dns_db_detachnode(db, &node);
 	dns_db_closeversion(db, &version, ISC_TRUE);
 	result = dns_db_dump(db, version, output);
-	check_result(result, "dns_db_dump()");
+	if (result != ISC_R_SUCCESS)
+		fatal("failed to write database to '%s': %s",
+		      output, isc_result_totext(result));
 
 	dns_rdataset_disassociate(&rdataset);
 	dns_rdataset_disassociate(&newsigrdataset);

bin/dnssec/dnssec-signzone.c

@@ -72,8 +72,14 @@ static isc_boolean_t tryverify = ISC_FALSE;
 static isc_mem_t *mctx = NULL;
 
 static inline void
-fatal(char *message) {
-	fprintf(stderr, "%s: %s\n", PROGRAM, message);
+fatal(char *format, ...) {
+	va_list args;
+
+	fprintf(stderr, "%s: ", PROGRAM);
+	va_start(args, format);
+	vfprintf(stderr, format, args);
+	va_end(args);
+	fprintf(stderr, "\n");
 	exit(1);
 }
 
@@ -102,10 +108,12 @@ static char *
 nametostr(dns_name_t *name) {
 	isc_buffer_t b;
 	isc_region_t r;
+	isc_result_t result;
 	static char data[1025];
 
 	isc_buffer_init(&b, data, sizeof(data));
-	dns_name_totext(name, ISC_FALSE, &b);
+	result = dns_name_totext(name, ISC_FALSE, &b);
+	check_result(result, "dns_name_totext()");
 	isc_buffer_usedregion(&b, &r);
 	r.base[r.length] = 0;
 	return (char *) r.base;
@@ -116,10 +124,12 @@ static char *
 typetostr(const dns_rdatatype_t type) {
 	isc_buffer_t b;
 	isc_region_t r;
+	isc_result_t result;
 	static char data[10];
 
 	isc_buffer_init(&b, data, sizeof(data));
-	dns_rdatatype_totext(type, &b);
+	result = dns_rdatatype_totext(type, &b);
+	check_result(result, "dns_rdatatype_totext()");
 	isc_buffer_usedregion(&b, &r);
 	r.base[r.length] = 0;
 	return (char *) r.base;
@@ -130,10 +140,12 @@ static char *
 algtostr(const dns_secalg_t alg) {
 	isc_buffer_t b;
 	isc_region_t r;
+	isc_result_t result;
 	static char data[10];
 
 	isc_buffer_init(&b, data, sizeof(data));
-	dns_secalg_totext(alg, &b);
+	result = dns_secalg_totext(alg, &b);
+	check_result(result, "dns_secalg_totext()");
 	isc_buffer_usedregion(&b, &r);
 	r.base[r.length] = 0;
 	return (char *) r.base;
@@ -162,7 +174,10 @@ signwithkey(dns_name_t *name, dns_rdataset_t *rdataset, dns_rdata_t *rdata,
 	dns_rdata_init(rdata);
 	result = dns_dnssec_sign(name, rdataset, key, &starttime, &endtime,
 				 mctx, b, rdata);
-	check_result(result, "dns_dnssec_sign()");
+	if (result != ISC_R_SUCCESS)
+		fatal("key '%s/%s/%d' failed to sign data: %s",
+		      dst_key_name(key), algtostr(dst_key_alg(key)),
+		      dst_key_id(key), isc_result_totext(result));
 
 	if (tryverify) {
 		result = dns_dnssec_verify(name, rdataset, key,
@@ -223,7 +238,7 @@ keythatsigned(dns_rdata_sig_t *sig) {
 
 	key = isc_mem_get(mctx, sizeof(signer_key_t));
 	if (key == NULL)
-		check_result(ISC_R_FAILURE, "isc_mem_get");
+		fatal("out of memory");
 
 	result = dst_key_fromfile(keyname, sig->keyid, sig->algorithm,
 				  DST_TYPE_PRIVATE, mctx, &privkey);
@@ -262,7 +277,8 @@ expecttofindkey(dns_name_t *name, dns_db_t *db, dns_dbversion_t *version) {
 		case DNS_R_DNAME:
 			return ISC_FALSE;
 		default:
-			check_result(result, "dns_db_find");
+			fatal("failure looking for '%s KEY' in database: %s",
+			      nametostr(name), isc_result_totext(result));
 			return ISC_FALSE; /* removes a warning */
 	}
 }
@@ -282,7 +298,7 @@ setverifies(dns_name_t *name, dns_rdataset_t *set, signer_key_t *key,
 	tdata = isc_mem_get(mctx, sizeof(signer_array_t)); \
 	ISC_LIST_APPEND(arraylist, tdata, link); \
 	if (trdata == NULL || tdata == NULL) \
-		check_result(ISC_R_FAILURE, "isc_mem_get"); \
+		fatal("out of memory"); \
 	isc_buffer_init(&b, tdata->array, sizeof(tdata->array));
 
 /*
@@ -320,7 +336,10 @@ signset(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
 		result = ISC_R_SUCCESS;
 		nosigs = ISC_TRUE;
 	}
-	check_result(result, "dns_db_findrdataset()");
+	if (result != ISC_R_SUCCESS)
+		fatal("failed while looking for '%s SIG %s': %s",
+		      nametostr(name), typetostr(set->type),
+		      isc_result_totext(result));
 
 	vbprintf(1, "%s/%s:\n", nametostr(name), typetostr(set->type));
 
@@ -551,7 +570,8 @@ hasnullkey(dns_rdataset_t *rdataset) {
 		dns_rdataset_current(rdataset, &rdata);
 		result = dns_dnssec_keyfromrdata(dns_rootname,
 						 &rdata, mctx, &key);
-		check_result(result, "dns_dnssec_keyfromrdata()");
+		if (result != ISC_R_SUCCESS)
+			fatal("could not convert KEY into internal format");
 		if (dst_key_isnullkey(key))
 			found = ISC_TRUE;
                 dst_key_free(key);
@@ -560,7 +580,7 @@ hasnullkey(dns_rdataset_t *rdataset) {
                 result = dns_rdataset_next(rdataset);
         }
         if (result != ISC_R_NOMORE)
-                check_result(result, "iteration over keys");
+                fatal("failure looking for null keys");
         return (ISC_FALSE);
 }
 #endif
@@ -610,11 +630,11 @@ importparentsig(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
 	dns_rdata_init(&newrdata);
 
 	result = dns_rdataset_first(set);
-	check_result(result, "dns_rdata_first()");
+	check_result(result, "dns_rdataset_first()");
 	for (; result == ISC_R_SUCCESS; result = dns_rdataset_next(set)) {
 		dns_rdataset_current(set, &rdata);
 		result = dns_rdataset_first(&newset);
-		check_result(result, "dns_rdata_first()");
+		check_result(result, "dns_rdataset_first()");
 		for (;
 		     result == ISC_R_SUCCESS;
 		     result = dns_rdataset_next(&newset))
@@ -850,7 +870,10 @@ signname(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
 
 				if (result == ISC_R_NOTFOUND)
 					result = ISC_R_SUCCESS;
-				check_result(result, "dns_db_findrdataset");
+				if (result != ISC_R_SUCCESS)
+					fatal("failure looking for null key "
+					      "at '%s': %s", nametostr(name),
+					      isc_result_totext(result));
 
 				if (dns_rdataset_isassociated(&keyset))
 					dns_rdataset_disassociate(&keyset);
@@ -866,7 +889,8 @@ signname(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
 							  DNS_KEYTYPE_NOKEY,
 							  DNS_KEYPROTO_DNSSEC,
 							  mctx, &dstkey);
-				check_result(result, "dst_key_generate");
+				if (result != ISC_R_SUCCESS)
+					fatal("failed to generate null key");
 				isc_buffer_init(&b, keydata, sizeof keydata);
 				result = dst_key_todns(dstkey, &b);
 				dst_key_free(dstkey);
@@ -907,7 +931,8 @@ signname(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
 		result = dns_rdatasetiter_next(rdsiter);
 	}
 	if (result != ISC_R_NOMORE)
-		fatal("rdataset iteration failed");
+		fatal("rdataset iteration for name '%s' failed: %s",
+		      nametostr(name), isc_result_totext(result));
 	dns_rdatasetiter_destroy(&rdsiter);
 }
 
@@ -934,7 +959,8 @@ active_node(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node) {
 			result = ISC_R_NOMORE;
 	}
 	if (result != ISC_R_NOMORE)
-		fatal("rdataset iteration failed");
+		fatal("rdataset iteration failed: %s",
+		      isc_result_totext(result));
 	dns_rdatasetiter_destroy(&rdsiter);
 
 	if (!active) {
@@ -1023,12 +1049,14 @@ signzone(dns_db_t *db, dns_dbversion_t *version) {
 	dns_rdataset_init(&soaset);
 	result = dns_db_find(db, origin, version, dns_rdatatype_soa,
 			     0, 0, NULL, name, &soaset, NULL);
-	check_result(result, "dns_db_find");
+	if (result != ISC_R_SUCCESS)
+		fatal("failed to find '%s SOA' in the zone: %s",
+		      nametostr(name), isc_result_totext(result));
 	result = dns_rdataset_first(&soaset);
-	check_result(result, "dns_rdataset_first");
+	check_result(result, "dns_rdataset_first()");
 	dns_rdataset_current(&soaset, &soarr);
 	result = dns_rdata_tostruct(&soarr, &soa, mctx);
-	check_result(result, "dns_rdataset_tostruct");
+	check_result(result, "dns_rdataset_tostruct()");
 	zonettl = soa.minimum;
 	dns_rdata_freestruct(&soa);
 	dns_rdataset_disassociate(&soaset);
@@ -1065,7 +1093,8 @@ signzone(dns_db_t *db, dns_dbversion_t *version) {
 				result = dns_rdatasetiter_next(rdsiter);
 			}
 			if (result != ISC_R_SUCCESS && result != ISC_R_NOMORE)
-				fatal("rdataset iteration failed");
+				fatal("rdataset iteration failed: %s",
+				      isc_result_totext(result));
 			if (result == ISC_R_SUCCESS) {
 				if (lastcut != NULL)
 					dns_name_free(lastcut, mctx);
@@ -1073,11 +1102,11 @@ signzone(dns_db_t *db, dns_dbversion_t *version) {
 					lastcut = isc_mem_get(mctx,
 							sizeof(dns_name_t));
 					if (lastcut == NULL)
-						fatal("allocation failure");
+						fatal("out of memory");
 				}
 				dns_name_init(lastcut, NULL);
 				result = dns_name_dup(curname, mctx, lastcut);
-				check_result(result, "dns_name_dup");
+				check_result(result, "dns_name_dup()");
 			}
 			dns_rdatasetiter_destroy(&rdsiter);
 		}
@@ -1091,7 +1120,8 @@ signzone(dns_db_t *db, dns_dbversion_t *version) {
 			target = origin;
 		else {
 			target = NULL;	/* Make compiler happy. */
-			fatal("db iteration failed");
+			fatal("iterating through the database failed: %s",
+			      isc_result_totext(result));
 		}
 		nxtresult = dns_buildnxt(db, version, node, target, zonettl);
 		check_result(nxtresult, "dns_buildnxt()");
@@ -1102,7 +1132,8 @@ signzone(dns_db_t *db, dns_dbversion_t *version) {
 		node = nextnode;
 	}
 	if (result != ISC_R_NOMORE)
-		fatal("db iteration failed");
+		fatal("iterating through the database failed: %s",
+		      isc_result_totext(result));
 	if (lastcut != NULL) {
 		dns_name_free(lastcut, mctx);
 		isc_mem_put(mctx, lastcut, sizeof(dns_name_t));
@@ -1126,7 +1157,9 @@ loadzone(char *file, char *origin, dns_zone_t **zone) {
 
 	dns_name_init(&name, NULL);
 	result = dns_name_fromtext(&name, &b, dns_rootname, ISC_FALSE, &b2);
-	check_result(result, "dns_name_fromtext()");
+	if (result != ISC_R_SUCCESS)
+		fatal("failed converting name '%s' to dns format: %s",
+		      origin, isc_result_totext(result));
 
 	result = dns_zone_create(zone, mctx);
 	check_result(result, "dns_zone_create()");
@@ -1145,7 +1178,9 @@ loadzone(char *file, char *origin, dns_zone_t **zone) {
 	dns_zone_setclass(*zone, dns_rdataclass_in); /* XXX */
 
 	result = dns_zone_load(*zone);
-	check_result(result, "dns_zone_load()");
+	if (result != ISC_R_SUCCESS)
+		fatal("failed loading zone from '%s': %s",
+		      file, isc_result_totext(result));
 }
 
 static void
@@ -1176,20 +1211,24 @@ loadzonekeys(dns_db_t *db, dns_dbversion_t *version) {
 
 	node = NULL;
 	result = dns_db_findnode(db, origin, ISC_FALSE, &node);
-	check_result(result, "dns_db_findnode()");
+	if (result != ISC_R_SUCCESS)
+		fatal("failed to find the zone's origin: %s",
+		      isc_result_totext(result));
 
 	result = dns_dnssec_findzonekeys(db, version, node, origin, mctx,
 					 20, keys, &nkeys);
 	if (result == ISC_R_NOTFOUND)
 		result = ISC_R_SUCCESS;
-	check_result(result, "dns_dnssec_findzonekeys()");
+	if (result != ISC_R_SUCCESS)
+		fatal("failed to find the zone keys: %s",
+		      isc_result_totext(result));
 
 	for (i = 0; i < nkeys; i++) {
 		signer_key_t *key;
 
 		key = isc_mem_get(mctx, sizeof(signer_key_t));
 		if (key == NULL)
-			check_result(ISC_R_FAILURE, "isc_mem_get(key)");
+			fatal("out of memory");
 		key->key = keys[i];
 		key->isdefault = ISC_FALSE;
 
@@ -1209,7 +1248,9 @@ dumpzone(dns_zone_t *zone, char *filename) {
 		exit(-1);
 	}
 	result = dns_zone_dumptostream(zone, fp);
-	check_result(result, "dns_zone_dump");
+	if (result != ISC_R_SUCCESS)
+		fatal("failed to write new database to '%s': %s",
+		      filename, isc_result_totext(result));
 	fclose(fp);
 }
 
@@ -1229,10 +1270,11 @@ strtotime(char *str, isc_int64_t now, isc_int64_t base) {
 	}
 	else {
 		result = dns_time64_fromtext(str, &val);
-		check_result(result, "dns_time64_fromtext()");
+		if (result != ISC_R_SUCCESS)
+			fatal("time %s must be numeric", str);
 	}
 	if (*endp != '\0')
-		check_result(ISC_R_FAILURE, "strtol()");
+		fatal("time value %s is invalid", str);
 
 	return ((isc_stdtime_t) val);
 }
@@ -1324,7 +1366,8 @@ main(int argc, char *argv[]) {
 	dns_result_register();
 
 	result = isc_mem_create(0, 0, &mctx);
-	check_result(result, "isc_mem_create()");
+	if (result != ISC_R_SUCCESS)
+		fatal("out of memory");
 
 	while ((ch = isc_commandline_parse(argc, argv, "s:e:c:v:o:f:ah"))
 	       != -1) {
@@ -1333,46 +1376,42 @@ main(int argc, char *argv[]) {
 			startstr = isc_mem_strdup(mctx,
 						  isc_commandline_argument);
 			if (startstr == NULL)
-				check_result(ISC_R_FAILURE,
-					     "isc_mem_strdup()");
+				fatal("out of memory");
 			break;
 
 		case 'e':
 			endstr = isc_mem_strdup(mctx,
 						isc_commandline_argument);
 			if (endstr == NULL)
-				check_result(ISC_R_FAILURE,
-					     "isc_mem_strdup()");
+				fatal("out of memory");
 			break;
 
 		case 'c':
 			endp = NULL;
 			cycle = strtol(isc_commandline_argument, &endp, 0);
 			if (*endp != '\0')
-				check_result(ISC_R_FAILURE, "strtol()");
+				fatal("cycle period must be numeric");
 			break;
 
 		case 'v':
 			endp = NULL;
 			verbose = strtol(isc_commandline_argument, &endp, 0);
 			if (*endp != '\0')
-				check_result(ISC_R_FAILURE, "strtol()");
+				fatal("verbose level must be numeric");
 			break;
 
 		case 'o':
 			origin = isc_mem_strdup(mctx,
 						isc_commandline_argument);
 			if (origin == NULL)
-				check_result(ISC_R_FAILURE,
-					     "isc_mem_strdup()");
+				fatal("out of memory");
 			break;
 
 		case 'f':
 			output = isc_mem_strdup(mctx,
 						isc_commandline_argument);
 			if (output == NULL)
-				check_result(ISC_R_FAILURE,
-					     "isc_mem_strdup()");
+				fatal("out of memory");
 			break;
 
 		case 'a':
@@ -1431,7 +1470,7 @@ main(int argc, char *argv[]) {
 
 	file = isc_mem_strdup(mctx, argv[0]);
 	if (file == NULL)
-		check_result(ISC_R_FAILURE, "isc_mem_strdup()");
+		fatal("out of memory");
 
 	argc -= 1;
 	argv += 1;
@@ -1440,14 +1479,14 @@ main(int argc, char *argv[]) {
 		output = isc_mem_allocate(mctx,
 					 strlen(file) + strlen(".signed") + 1);
 		if (output == NULL)
-			check_result(ISC_R_FAILURE, "isc_mem_allocate()");
+			fatal("out of memory");
 		sprintf(output, "%s.signed", file);
 	}
 
 	if (origin == NULL) {
 		origin = isc_mem_allocate(mctx, strlen(file) + 2);
 		if (origin == NULL)
-			check_result(ISC_R_FAILURE, "isc_mem_allocate()");
+			fatal("out of memory");
 		strcpy(origin, file);
 		if (file[strlen(file) - 1] != '.')
 			strcat(origin, ".");
@@ -1496,9 +1535,12 @@ main(int argc, char *argv[]) {
 				{
 					key->isdefault = ISC_TRUE;
 					if (!dst_key_isprivate(dkey))
-						check_result
-							(DST_R_NOTPRIVATEKEY,
-							 "key specify");
+						fatal("cannot sign zone with "
+						      "non-private key "
+						      "'%s/%s/%d'",
+						      dst_key_name(dkey),
+						      algtostr(dst_key_alg(dkey)),
+						      dst_key_id(dkey));
 					break;
 				}
 				key = ISC_LIST_NEXT(key, link);
@@ -1508,11 +1550,14 @@ main(int argc, char *argv[]) {
 				result = dst_key_fromfile(namestr, id, alg,
 							  DST_TYPE_PRIVATE,
 							  mctx, &dkey);
-				check_result (result, "dst_key_fromfile");
+				if (result != ISC_R_SUCCESS)
+					fatal("failed to load key '%s/%s/%d' "
+					      "from disk: %s", namestr,
+					      algtostr(alg), id,
+					      isc_result_totext(result));
 				key = isc_mem_get(mctx, sizeof(signer_key_t));
 				if (key == NULL)
-					check_result(ISC_R_FAILURE,
-						     "isc_mem_get");
+					fatal("out of memory");
 				key->key = dkey;
 				key->isdefault = ISC_TRUE;
 				ISC_LIST_APPEND(keylist, key, link);

bin/tests/keygen.c

@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THE SOFTWARE.
  */
 
-/* $Id: keygen.c,v 1.18 2000/05/15 21:06:41 bwelling Exp $ */
+/* $Id: keygen.c,v 1.19 2000/05/16 18:40:57 bwelling Exp $ */
 
 #include <config.h>
 
@@ -33,12 +33,81 @@
 #include <dst/dst.h>
 #include <dst/result.h>
 
-static isc_boolean_t dsa_size_ok(int size);
-static void die(char *str);
-static void usage(char *prog);
+#define PROGRAM "keygen"
+
+#define MAX_RSA 2048 /* XXX ogud update this when rsa library is updated */
 
 static int verbose;
-#define MAX_RSA 2048 /* XXX ogud update this when rsa library is updated */
+
+static inline void
+fatal(char *format, ...) {
+	va_list args;
+
+	fprintf(stderr, "%s: ", PROGRAM);
+	va_start(args, format);
+	vfprintf(stderr, format, args);
+	va_end(args);
+	fprintf(stderr, "\n");
+	exit(1);
+}
+
+static inline void
+check_result(isc_result_t result, char *message) {
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "%s: %s: %s\n", PROGRAM, message,
+			isc_result_totext(result));
+		exit(1);
+	}
+}
+
+/* Not thread-safe! */
+static char *
+algtostr(const dns_secalg_t alg) {
+	isc_buffer_t b;
+	isc_region_t r;
+	isc_result_t result;
+	static char data[10];
+
+	isc_buffer_init(&b, data, sizeof(data));
+	result = dns_secalg_totext(alg, &b);
+	check_result(result, "dns_secalg_totext()");
+	isc_buffer_usedregion(&b, &r);
+	r.base[r.length] = 0;
+	return (char *) r.base;
+}
+
+static isc_boolean_t
+dsa_size_ok(int size) {
+	return (ISC_TF(size >= 512 && size <= 1024 && size % 64 == 0));
+}
+
+static void
+usage(char *prog) {
+	printf("Usage:\n");
+	printf("    %s [options] name\n\n", prog);
+	printf("Required options:\n");
+	printf("    -a algorithm: RSA | RSAMD5 | DH | DSA | HMAC-MD5\n");
+	printf("    -b key size, in bits:\n");
+	printf("        RSA:\t\t[512..%d]\n", MAX_RSA);
+	printf("        DH:\t\t[128..4096]\n");
+	printf("        DSA:\t\t[512..1024] and dividable by 64\n");
+	printf("        HMAC-MD5:\t[1..512]\n");
+	printf("    -n nametype: ZONE | HOST | ENTITY | USER\n");
+	printf("    name: owner of the key\n");
+	printf("Other options:\n");
+	printf("    -e use large exponent (RSA only)\n");
+	printf("    -g use specified generator (DH only)\n");
+	printf("    -t type: AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF\n");
+	printf("        default: AUTHCONF\n");
+	printf("    -p protocol value\n");
+	printf("        default: 2 (email) for User keys, "
+	       			"3 (dnssec) for all others\n");
+	printf("    -s strength value this key signs DNS records with\n");
+	printf("        default: 0\n");
+	printf("    -v verbose level\n");
+
+	exit (-1);
+}
 
 int
 main(int argc, char **argv) {
@@ -64,7 +133,7 @@ main(int argc, char **argv) {
 	else
 		prog = isc_mem_strdup(mctx, ++prog);
 	if (prog == NULL)
-		die("strdup failure");
+		fatal("out of memory");
 
 	if (argc == 1)
 		usage(prog);
@@ -77,12 +146,12 @@ main(int argc, char **argv) {
 			algname = isc_mem_strdup(mctx,
 						  isc_commandline_argument);
 			if (algname == NULL)
-				die("strdup failure");
+				fatal("out of memory");
 			break;
 		case 'b':
 			size = strtol(isc_commandline_argument, &endp, 10);
 			if (*endp != '\0' || size < 0)
-				die("-b requires a non-negative number");
+				fatal("-b requires a non-negative number");
 			break;
 		case 'e':
 			rsa_exp = 1;
@@ -90,36 +159,37 @@ main(int argc, char **argv) {
 		case 'g':
 			generator = strtol(isc_commandline_argument, &endp, 10);
 			if (*endp != '\0' || generator <= 0)
-				die("-g requires a positive number");
+				fatal("-g requires a positive number");
 			break;
 		case 'n':
 			nametype = isc_mem_strdup(mctx,
 						  isc_commandline_argument);
 			if (nametype == NULL)
-				die("strdup failure");
+				fatal("out of memory");
 			break;
 		case 't':
 			type = isc_mem_strdup(mctx, isc_commandline_argument);
 			if (type == NULL)
-				die("strdup failure");
+				fatal("out of memory");
 			break;
 		case 'p':
 			protocol = strtol(isc_commandline_argument, &endp, 10);
 			if (*endp != '\0' || protocol < 0 || protocol > 255)
-				die("-p must be followed by "
-				    "a number [0..255]");
+				fatal("-p must be followed by a number "
+				      "[0..255]");
 			break;
 		case 's':
 			signatory = strtol(isc_commandline_argument,
 					   &endp, 10);
 			if (*endp != '\0' || signatory < 0 || signatory > 15)
-				die("-s must be followed by a number [0..15]");
+				fatal("-s must be followed by a number "
+				      "[0..15]");
 			break;
 		case 'v':
 			endp = NULL;
 			verbose = strtol(isc_commandline_argument, &endp, 0);
 			if (*endp != '\0')
-				die("-v must be followed by a number");
+				fatal("-v must be followed by a number");
 			break;
 
 		case 'h':
@@ -131,12 +201,12 @@ main(int argc, char **argv) {
 	}
 
 	if (argc < isc_commandline_index + 1)
-		die("Must specify a domain name");
+		fatal("the key name was not specified");
 	if (argc > isc_commandline_index + 1)
-		die("Extraneous arguments");
+		fatal("extraneous arguments");
 
 	if (algname == NULL)
-		die("No algorithm specified");
+		fatal("no algorithm was specified");
 	if (strcasecmp(algname, "RSA") == 0)
 		alg = DNS_KEYALG_RSA;
 	else if (strcasecmp(algname, "HMAC-MD5") == 0)
@@ -146,10 +216,10 @@ main(int argc, char **argv) {
 		r.length = strlen(algname);
 		ret = dns_secalg_fromtext(&alg, &r);
 		if (ret != ISC_R_SUCCESS)
-			die("Unknown algorithm");
+			fatal("unknown algorithm %s", algname);
 	}
 	if (dst_supported_algorithm(alg) == ISC_FALSE)
-		die("Unsupported algorithm");
+		fatal("unsupported algorithm %s", algname);
 
 	if (type != NULL) {
 		if (strcasecmp(type, "NOAUTH") == 0)
@@ -164,39 +234,39 @@ main(int argc, char **argv) {
 		else if (strcasecmp(type, "AUTHCONF") == 0)
 			/* nothing */;
 		else
-			die("Invalid type");
+			fatal("invalid type %s", type);
 	}
 
 	if (size < 0)
-		die("Must specify key size (-b option)");
+		fatal("key size not specified (-b option)");
 
 	switch (alg) {
 	case DNS_KEYALG_RSA:
 		if (size != 0 && (size < 512 || size > MAX_RSA))
-			die("RSA key size out of range");
+			fatal("RSA key size %d out of range", size);
 		break;
 	case DNS_KEYALG_DH:
 		if (size != 0 && (size < 128 || size > 4096))
-			die("DH key size out of range");
+			fatal("DH key size %d out of range", size);
 		break;
 	case DNS_KEYALG_DSA:
 		if (size != 0 && !dsa_size_ok(size))
-			die("Invalid DSS key size");
+			fatal("Invalid DSS key size: %d", size);
 		break;
 	case DST_ALG_HMACMD5:
 		if (size < 1 || size > 512)
-			die("Invalid HMAC-MD5 key size");
+			fatal("HMAC-MD5 key size %d out of range", size);
 		break;
 	}
 
 	if (alg != DNS_KEYALG_RSA && rsa_exp != 0)
-		die("Cannot specify RSA exponent without RSA");
+		fatal("specified RSA exponent without RSA");
 
 	if (alg != DNS_KEYALG_DH && generator != 0)
-		die("Cannot specify DH generator without DH");
+		fatal("specified DH generator without DH");
 
 	if (nametype == NULL)
-		die("No nametype specified");
+		fatal("no nametype specified");
 	if (strcasecmp(nametype, "zone") == 0)
 		flags |= DNS_KEYOWNER_ZONE;
 	else if (strcasecmp(nametype, "host") == 0 ||
@@ -205,7 +275,7 @@ main(int argc, char **argv) {
 	else if (strcasecmp(nametype, "user") == 0)
 		flags |= DNS_KEYOWNER_USER;
 	else
-		die("Invalid nametype");
+		fatal("invalid nametype %s", nametype);
 
 	flags |= signatory;
 
@@ -218,14 +288,14 @@ main(int argc, char **argv) {
 
 	if ((flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY) {
 		if (size > 0)
-			die("Specified null key with non-zero size");
+			fatal("Specified null key with non-zero size");
 		if ((flags & DNS_KEYFLAG_SIGNATORYMASK) != 0)
-			die("Specified null key with signing authority");
+			fatal("Specified null key with signing authority");
 	}
 
 	name = isc_mem_allocate(mctx, strlen(argv[isc_commandline_index]) + 2);
 	if (name == NULL)
-		die("strdup failure");
+		fatal("out of memory");
 	strcpy(name, argv[isc_commandline_index]);
 	if (name[strlen(name) - 1] != '.') {
 		strcat(name, ".");
@@ -262,7 +332,7 @@ main(int argc, char **argv) {
 				       mctx, &key);
 
 		if (ret != ISC_R_SUCCESS) {
-			fprintf(stderr, "keygen: failed to generate key: %s\n", 
+			fatal("failed to generate key %s/%d: %s\n", name, alg,
 				dst_result_totext(ret));
 			exit(-1);
 		}
@@ -288,15 +358,13 @@ main(int argc, char **argv) {
 	} while (conflict == ISC_TRUE);
 
 	if (conflict)
-		die("Attempting to generate a null key when a key with id 0 "
-		    "already exists\n");
+		fatal("cannot generate a null key when a key with id 0 "
+		      "already exists");
 
 	ret = dst_key_tofile(key, DST_TYPE_PUBLIC | DST_TYPE_PRIVATE);
-	if (ret != ISC_R_SUCCESS) {
-		fprintf(stderr, "keygen: failed to write key %s(%d)\n", name, 
-			dst_key_id(key));
-		exit(-1); 
-	}
+	if (ret != ISC_R_SUCCESS)
+		fatal("failed to write key %s/%s/%d: %s\n", name, 
+			dst_key_id(key), algtostr(alg), isc_result_totext(ret));
 
 	isc_buffer_clear(&buf);
 	ret = dst_key_buildfilename(key, 0, &buf);
@@ -313,42 +381,3 @@ main(int argc, char **argv) {
 
 	return (0);
 }
-
-static isc_boolean_t
-dsa_size_ok(int size) {
-	return (ISC_TF(size >= 512 && size <= 1024 && size % 64 == 0));
-}
-
-static void
-die(char *str) {
-	fprintf(stderr, "keygen: %s\n", str);
-	exit(-1);
-}
-
-static void
-usage(char *prog) {
-	printf("Usage:\n");
-	printf("    %s [options] name\n\n", prog);
-	printf("Required options:\n");
-	printf("    -a algorithm: RSA | RSAMD5 | DH | DSA | HMAC-MD5\n");
-	printf("    -b key size, in bits:\n");
-	printf("        RSA:\t\t[512..%d]\n", MAX_RSA);
-	printf("        DH:\t\t[128..4096]\n");
-	printf("        DSA:\t\t[512..1024] and dividable by 64\n");
-	printf("        HMAC-MD5:\t[1..512]\n");
-	printf("    -n nametype: ZONE | HOST | ENTITY | USER\n");
-	printf("    name: owner of the key\n");
-	printf("Other options:\n");
-	printf("    -e use large exponent (RSA only)\n");
-	printf("    -g use specified generator (DH only)\n");
-	printf("    -t type: AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF\n");
-	printf("        default: AUTHCONF\n");
-	printf("    -p protocol value\n");
-	printf("        default: 2 (email) for User keys, "
-	       			"3 (dnssec) for all others\n");
-	printf("    -s strength value this key signs DNS records with\n");
-	printf("        default: 0\n");
-	printf("    -v verbose level\n");
-
-	exit (-1);
-}

bin/tests/keysettool.c

@@ -32,6 +32,7 @@
 #include <dns/rdatalist.h>
 #include <dns/rdataset.h>
 #include <dns/result.h>
+#include <dns/secalg.h>
 #include <dns/time.h>
 
 #define PROGRAM "keysettool"
@@ -78,10 +79,28 @@ static char *
 nametostr(dns_name_t *name) {
 	isc_buffer_t b;
 	isc_region_t r;
+	isc_result_t result;
 	static char data[1025];
 
 	isc_buffer_init(&b, data, sizeof(data));
-	dns_name_totext(name, ISC_FALSE, &b);
+	result = dns_name_totext(name, ISC_FALSE, &b);
+	check_result(result, "dns_name_totext()");
+	isc_buffer_usedregion(&b, &r);
+	r.base[r.length] = 0;
+	return (char *) r.base;
+}
+
+/* Not thread-safe! */
+static char *
+algtostr(const dns_secalg_t alg) {
+	isc_buffer_t b;
+	isc_region_t r;
+	isc_result_t result;
+	static char data[10];
+
+	isc_buffer_init(&b, data, sizeof(data));
+	result = dns_secalg_totext(alg, &b);
+	check_result(result, "dns_secalg_totext()");
 	isc_buffer_usedregion(&b, &r);
 	r.base[r.length] = 0;
 	return (char *) r.base;
@@ -104,6 +123,7 @@ strtotime(char *str, isc_int64_t now, isc_int64_t base) {
 	}
 	else {
 		result = dns_time64_fromtext(str, &val);
+		if (result != ISC_R_SUCCESS)
 			fatal("time %s must be numeric", str);
 	}
 	if (*endp != '\0')
@@ -304,8 +324,8 @@ main(int argc, char *argv[]) {
 						  &zonekey);
 			
 			if (result != ISC_R_SUCCESS)
-				fatal("failed to read key %s/%d/%d: %s",
-				      namestr, id, alg,
+				fatal("failed to read key %s/%s/%d: %s",
+				      namestr, id, algtostr(alg),
 				      isc_result_totext(result));
 			keynode = isc_mem_get(mctx, sizeof (keynode_t));
 			if (keynode == NULL)
@@ -323,8 +343,9 @@ main(int argc, char *argv[]) {
 		isc_buffer_init(&b, data, BUFSIZE);
 		result = dst_key_todns(key, &b);
 		if (result != ISC_R_SUCCESS)
-			fatal("failed to convert key %s/%d/%d to a DNS KEY: %s",
-			      namestr, id, alg, isc_result_totext(result));
+			fatal("failed to convert key %s/%s/%d to a DNS KEY: %s",
+			      namestr, id, algtostr(alg),
+			      isc_result_totext(result));
 		isc_buffer_usedregion(&b, &r);
 		dns_rdata_fromregion(rdata, dns_rdataclass_in,
 				     dns_rdatatype_key, &r);
@@ -364,10 +385,10 @@ main(int argc, char *argv[]) {
 					 &starttime, &endtime, mctx, &b,
 					 rdata);
 		if (result != ISC_R_SUCCESS)
-			fatal("failed to sign keyset with key %s/%d/%d: %s",
+			fatal("failed to sign keyset with key %s/%s/%d: %s",
 			      dst_key_name(keynode->key),
+			      algtostr(dst_key_alg(keynode->key)),
 			      dst_key_id(keynode->key),
-			      dst_key_alg(keynode->key),
 			      isc_result_totext(result));
 		ISC_LIST_APPEND(sigrdatalist.rdata, rdata, link);
 		dns_rdataset_init(&sigrdataset);

bin/tests/keysigner.c

@@ -32,6 +32,7 @@
 #include <dns/rdataset.h>
 #include <dns/rdatastruct.h>
 #include <dns/result.h>
+#include <dns/secalg.h>
 
 #define PROGRAM "keysigner"
 
@@ -52,8 +53,14 @@ static isc_mem_t *mctx = NULL;
 static keylist_t keylist;
 
 static inline void
-fatal(char *message) {
-	fprintf(stderr, "%s: %s\n", PROGRAM, message);
+fatal(char *format, ...) {
+	va_list args;
+
+	fprintf(stderr, "%s: ", PROGRAM);
+	va_start(args, format);
+	vfprintf(stderr, format, args);
+	va_end(args);
+	fprintf(stderr, "\n");
 	exit(1);
 }
 
@@ -66,6 +73,39 @@ check_result(isc_result_t result, char *message) {
 	}
 }
 
+/* Not thread-safe! */
+static char *
+nametostr(dns_name_t *name) {
+	isc_buffer_t b;
+	isc_region_t r;
+	isc_result_t result;
+	static char data[1025];
+
+	isc_buffer_init(&b, data, sizeof(data));
+	result = dns_name_totext(name, ISC_FALSE, &b);
+	check_result(result, "dns_name_totext()");
+	isc_buffer_usedregion(&b, &r);
+	r.base[r.length] = 0;
+	return (char *) r.base;
+}
+
+/* Not thread-safe! */
+static char *
+algtostr(const dns_secalg_t alg) {
+	isc_buffer_t b;
+		        isc_region_t r;
+	isc_result_t result;
+	static char data[10];
+
+	isc_buffer_init(&b, data, sizeof(data));
+	result = dns_secalg_totext(alg, &b);
+	check_result(result, "dns_secalg_totext()");
+	isc_buffer_usedregion(&b, &r);
+	r.base[r.length] = 0;
+	return (char *) r.base;
+}
+
+
 static void
 usage() {
 	fprintf(stderr, "Usage:\n");
@@ -106,15 +146,14 @@ loadkeys(dns_name_t *name, dns_rdataset_t *rdataset) {
 			continue;
 		keynode = isc_mem_get(mctx, sizeof (keynode_t));
 		if (keynode == NULL)
-			check_result(ISC_R_NOMEMORY, "isc_mem_get()");
+			fatal("out of memory");
 		keynode->key = key;
 		keynode->verified = ISC_FALSE;
 		ISC_LINK_INIT(keynode, link);
 		ISC_LIST_APPEND(keylist, keynode, link);
 	}
-	if (result == ISC_R_NOMORE)
-		result = ISC_R_SUCCESS;
-	check_result(result, "loadkeys()");
+	if (result != ISC_R_NOMORE)
+		fatal("failure traversing key list");
 }
 
 static dst_key_t *
@@ -170,7 +209,7 @@ main(int argc, char *argv[]) {
 			endp = NULL;
 			verbose = strtol(isc_commandline_argument, &endp, 0);
 			if (*endp != '\0')
-				check_result(ISC_R_FAILURE, "strtol()");
+				fatal("verbose level must be numeric");
 			break;
 
 		default:
@@ -206,7 +245,8 @@ main(int argc, char *argv[]) {
 	isc_buffer_init(&b, argv[0], strlen(argv[0]) - 7);
 	isc_buffer_add(&b, strlen(argv[0]) - 7);
 	result = dns_name_fromtext(domain, &b, dns_rootname, ISC_FALSE, NULL);
-	check_result(result, "dns_name_fromtext()");
+	if (result != ISC_R_SUCCESS)
+		fatal("'%s' does not contain a valid domain name", argv[0]);
 	isc_buffer_init(&b, tdomain, sizeof(tdomain) - 1);
 	result = dns_name_totext(domain, ISC_FALSE, &b);
 	check_result(result, "dns_name_totext()");
@@ -216,7 +256,7 @@ main(int argc, char *argv[]) {
 	output = isc_mem_allocate(mctx,
 				  strlen(tdomain) + strlen("signedkey") + 1);
 	if (output == NULL)
-		check_result(ISC_R_FAILURE, "isc_mem_allocate()");
+		fatal("out of memory");
 	strcpy(output, tdomain);
 	strcat(output, "signedkey");
 
@@ -226,33 +266,45 @@ main(int argc, char *argv[]) {
 	check_result(result, "dns_db_create()");
 
 	result = dns_db_load(db, argv[0]);
-	check_result(result, "dns_db_load()");
+	if (result != ISC_R_SUCCESS)
+		fatal("failed to load database from '%s': %s", argv[0],
+		      isc_result_totext(result));
 
 	version = NULL;
 	dns_db_newversion(db, &version);
 
 	node = NULL;
 	result = dns_db_findnode(db, domain, ISC_FALSE, &node);
-	check_result(result, "dns_db_findnode()");
+	if (result != ISC_R_SUCCESS)
+		fatal("failed to find database node '%s': %s",
+		      nametostr(domain), isc_result_totext(result));
 
 	dns_rdataset_init(&rdataset);
 	dns_rdataset_init(&sigrdataset);
 	result = dns_db_findrdataset(db, node, version, dns_rdatatype_key, 0,
 				     0, &rdataset, &sigrdataset);
-	check_result(result, "dns_db_findrdataset()");
+	if (result != ISC_R_SUCCESS)
+		fatal("failed to find rdataset '%s KEY': %s",
+		      nametostr(domain), isc_result_totext(result));
 
 	loadkeys(domain, &rdataset);
 
+	if (!dns_rdataset_isassociated(&sigrdataset))
+		fatal("no SIG KEY set present");
+
 	result = dns_rdataset_first(&sigrdataset);
 	check_result(result, "dns_rdataset_first()");
 	do {
 		dns_rdataset_current(&sigrdataset, &sigrdata);
 		result = dns_rdata_tostruct(&sigrdata, &sig, mctx);
-		check_result(result, "dns_rdata_tostruct");
+		check_result(result, "dns_rdata_tostruct()");
 		key = findkey(&sig);
 		result = dns_dnssec_verify(domain, &rdataset, key,
 					   ISC_TRUE, mctx, &sigrdata);
-		check_result(result, "dns_dnssec_verify");
+		if (result != ISC_R_SUCCESS)
+			fatal("signature by key '%s/%s/%d' did not verify: %s",
+			      dst_key_name(key), algtostr(dst_key_alg(key)),
+			      dst_key_id(key), isc_result_totext(result));
 		dns_rdata_freestruct(&sig);
 		result = dns_rdataset_next(&sigrdataset);
 	} while (result == ISC_R_SUCCESS);
@@ -295,20 +347,26 @@ main(int argc, char *argv[]) {
 		key = NULL;
 		result = dst_key_fromfile(namestr, id, alg, DST_TYPE_PRIVATE,
 					  mctx, &key);
-		check_result (result, "dst_key_fromfile()");
+		if (result != ISC_R_SUCCESS)
+			fatal("failed to read key %s/%s/%d from disk: %s",
+			      dst_key_name(key), algtostr(dst_key_alg(key)),
+			      dst_key_id(key), isc_result_totext(result));
 		isc_mem_put(mctx, namestr, strlen(namestr) + 1);
 
 		rdata = isc_mem_get(mctx, sizeof(dns_rdata_t));
 		if (rdata == NULL)
-			check_result(ISC_R_NOMEMORY, "isc_mem_get()");
+			fatal("out of memory");
 		data = isc_mem_get(mctx, BUFSIZE);
 		if (data == NULL)
-			check_result(ISC_R_NOMEMORY, "isc_mem_get()");
+			fatal("out of memory");
 		isc_buffer_init(&b, data, BUFSIZE);
 		result = dns_dnssec_sign(domain, &rdataset, key,
 					 &sig.timesigned, &sig.timeexpire,
 					 mctx, &b, rdata);
-		check_result (result, "dns_dnssec_sign()");
+		if (result != ISC_R_SUCCESS)
+			fatal("key '%s/%s/%d' failed to sign data: %s",
+			      dst_key_name(key), algtostr(dst_key_alg(key)),
+			      dst_key_id(key), isc_result_totext(result));
 		ISC_LIST_APPEND(sigrdatalist.rdata, rdata, link);
 		dst_key_free(key);
 	}
@@ -323,7 +381,9 @@ main(int argc, char *argv[]) {
 	dns_db_detachnode(db, &node);
 	dns_db_closeversion(db, &version, ISC_TRUE);
 	result = dns_db_dump(db, version, output);
-	check_result(result, "dns_db_dump()");
+	if (result != ISC_R_SUCCESS)
+		fatal("failed to write database to '%s': %s",
+		      output, isc_result_totext(result));
 
 	dns_rdataset_disassociate(&rdataset);
 	dns_rdataset_disassociate(&newsigrdataset);

bin/tests/signer.c

@@ -72,8 +72,14 @@ static isc_boolean_t tryverify = ISC_FALSE;
 static isc_mem_t *mctx = NULL;
 
 static inline void
-fatal(char *message) {
-	fprintf(stderr, "%s: %s\n", PROGRAM, message);
+fatal(char *format, ...) {
+	va_list args;
+
+	fprintf(stderr, "%s: ", PROGRAM);
+	va_start(args, format);
+	vfprintf(stderr, format, args);
+	va_end(args);
+	fprintf(stderr, "\n");
 	exit(1);
 }
 
@@ -102,10 +108,12 @@ static char *
 nametostr(dns_name_t *name) {
 	isc_buffer_t b;
 	isc_region_t r;
+	isc_result_t result;
 	static char data[1025];
 
 	isc_buffer_init(&b, data, sizeof(data));
-	dns_name_totext(name, ISC_FALSE, &b);
+	result = dns_name_totext(name, ISC_FALSE, &b);
+	check_result(result, "dns_name_totext()");
 	isc_buffer_usedregion(&b, &r);
 	r.base[r.length] = 0;
 	return (char *) r.base;
@@ -116,10 +124,12 @@ static char *
 typetostr(const dns_rdatatype_t type) {
 	isc_buffer_t b;
 	isc_region_t r;
+	isc_result_t result;
 	static char data[10];
 
 	isc_buffer_init(&b, data, sizeof(data));
-	dns_rdatatype_totext(type, &b);
+	result = dns_rdatatype_totext(type, &b);
+	check_result(result, "dns_rdatatype_totext()");
 	isc_buffer_usedregion(&b, &r);
 	r.base[r.length] = 0;
 	return (char *) r.base;
@@ -130,10 +140,12 @@ static char *
 algtostr(const dns_secalg_t alg) {
 	isc_buffer_t b;
 	isc_region_t r;
+	isc_result_t result;
 	static char data[10];
 
 	isc_buffer_init(&b, data, sizeof(data));
-	dns_secalg_totext(alg, &b);
+	result = dns_secalg_totext(alg, &b);
+	check_result(result, "dns_secalg_totext()");
 	isc_buffer_usedregion(&b, &r);
 	r.base[r.length] = 0;
 	return (char *) r.base;
@@ -162,7 +174,10 @@ signwithkey(dns_name_t *name, dns_rdataset_t *rdataset, dns_rdata_t *rdata,
 	dns_rdata_init(rdata);
 	result = dns_dnssec_sign(name, rdataset, key, &starttime, &endtime,
 				 mctx, b, rdata);
-	check_result(result, "dns_dnssec_sign()");
+	if (result != ISC_R_SUCCESS)
+		fatal("key '%s/%s/%d' failed to sign data: %s",
+		      dst_key_name(key), algtostr(dst_key_alg(key)),
+		      dst_key_id(key), isc_result_totext(result));
 
 	if (tryverify) {
 		result = dns_dnssec_verify(name, rdataset, key,
@@ -223,7 +238,7 @@ keythatsigned(dns_rdata_sig_t *sig) {
 
 	key = isc_mem_get(mctx, sizeof(signer_key_t));
 	if (key == NULL)
-		check_result(ISC_R_FAILURE, "isc_mem_get");
+		fatal("out of memory");
 
 	result = dst_key_fromfile(keyname, sig->keyid, sig->algorithm,
 				  DST_TYPE_PRIVATE, mctx, &privkey);
@@ -262,7 +277,8 @@ expecttofindkey(dns_name_t *name, dns_db_t *db, dns_dbversion_t *version) {
 		case DNS_R_DNAME:
 			return ISC_FALSE;
 		default:
-			check_result(result, "dns_db_find");
+			fatal("failure looking for '%s KEY' in database: %s",
+			      nametostr(name), isc_result_totext(result));
 			return ISC_FALSE; /* removes a warning */
 	}
 }
@@ -282,7 +298,7 @@ setverifies(dns_name_t *name, dns_rdataset_t *set, signer_key_t *key,
 	tdata = isc_mem_get(mctx, sizeof(signer_array_t)); \
 	ISC_LIST_APPEND(arraylist, tdata, link); \
 	if (trdata == NULL || tdata == NULL) \
-		check_result(ISC_R_FAILURE, "isc_mem_get"); \
+		fatal("out of memory"); \
 	isc_buffer_init(&b, tdata->array, sizeof(tdata->array));
 
 /*
@@ -320,7 +336,10 @@ signset(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
 		result = ISC_R_SUCCESS;
 		nosigs = ISC_TRUE;
 	}
-	check_result(result, "dns_db_findrdataset()");
+	if (result != ISC_R_SUCCESS)
+		fatal("failed while looking for '%s SIG %s': %s",
+		      nametostr(name), typetostr(set->type),
+		      isc_result_totext(result));
 
 	vbprintf(1, "%s/%s:\n", nametostr(name), typetostr(set->type));
 
@@ -551,7 +570,8 @@ hasnullkey(dns_rdataset_t *rdataset) {
 		dns_rdataset_current(rdataset, &rdata);
 		result = dns_dnssec_keyfromrdata(dns_rootname,
 						 &rdata, mctx, &key);
-		check_result(result, "dns_dnssec_keyfromrdata()");
+		if (result != ISC_R_SUCCESS)
+			fatal("could not convert KEY into internal format");
 		if (dst_key_isnullkey(key))
 			found = ISC_TRUE;
                 dst_key_free(key);
@@ -560,7 +580,7 @@ hasnullkey(dns_rdataset_t *rdataset) {
                 result = dns_rdataset_next(rdataset);
         }
         if (result != ISC_R_NOMORE)
-                check_result(result, "iteration over keys");
+                fatal("failure looking for null keys");
         return (ISC_FALSE);
 }
 #endif
@@ -610,11 +630,11 @@ importparentsig(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
 	dns_rdata_init(&newrdata);
 
 	result = dns_rdataset_first(set);
-	check_result(result, "dns_rdata_first()");
+	check_result(result, "dns_rdataset_first()");
 	for (; result == ISC_R_SUCCESS; result = dns_rdataset_next(set)) {
 		dns_rdataset_current(set, &rdata);
 		result = dns_rdataset_first(&newset);
-		check_result(result, "dns_rdata_first()");
+		check_result(result, "dns_rdataset_first()");
 		for (;
 		     result == ISC_R_SUCCESS;
 		     result = dns_rdataset_next(&newset))
@@ -850,7 +870,10 @@ signname(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
 
 				if (result == ISC_R_NOTFOUND)
 					result = ISC_R_SUCCESS;
-				check_result(result, "dns_db_findrdataset");
+				if (result != ISC_R_SUCCESS)
+					fatal("failure looking for null key "
+					      "at '%s': %s", nametostr(name),
+					      isc_result_totext(result));
 
 				if (dns_rdataset_isassociated(&keyset))
 					dns_rdataset_disassociate(&keyset);
@@ -866,7 +889,8 @@ signname(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
 							  DNS_KEYTYPE_NOKEY,
 							  DNS_KEYPROTO_DNSSEC,
 							  mctx, &dstkey);
-				check_result(result, "dst_key_generate");
+				if (result != ISC_R_SUCCESS)
+					fatal("failed to generate null key");
 				isc_buffer_init(&b, keydata, sizeof keydata);
 				result = dst_key_todns(dstkey, &b);
 				dst_key_free(dstkey);
@@ -907,7 +931,8 @@ signname(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
 		result = dns_rdatasetiter_next(rdsiter);
 	}
 	if (result != ISC_R_NOMORE)
-		fatal("rdataset iteration failed");
+		fatal("rdataset iteration for name '%s' failed: %s",
+		      nametostr(name), isc_result_totext(result));
 	dns_rdatasetiter_destroy(&rdsiter);
 }
 
@@ -934,7 +959,8 @@ active_node(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node) {
 			result = ISC_R_NOMORE;
 	}
 	if (result != ISC_R_NOMORE)
-		fatal("rdataset iteration failed");
+		fatal("rdataset iteration failed: %s",
+		      isc_result_totext(result));
 	dns_rdatasetiter_destroy(&rdsiter);
 
 	if (!active) {
@@ -1023,12 +1049,14 @@ signzone(dns_db_t *db, dns_dbversion_t *version) {
 	dns_rdataset_init(&soaset);
 	result = dns_db_find(db, origin, version, dns_rdatatype_soa,
 			     0, 0, NULL, name, &soaset, NULL);
-	check_result(result, "dns_db_find");
+	if (result != ISC_R_SUCCESS)
+		fatal("failed to find '%s SOA' in the zone: %s",
+		      nametostr(name), isc_result_totext(result));
 	result = dns_rdataset_first(&soaset);
-	check_result(result, "dns_rdataset_first");
+	check_result(result, "dns_rdataset_first()");
 	dns_rdataset_current(&soaset, &soarr);
 	result = dns_rdata_tostruct(&soarr, &soa, mctx);
-	check_result(result, "dns_rdataset_tostruct");
+	check_result(result, "dns_rdataset_tostruct()");
 	zonettl = soa.minimum;
 	dns_rdata_freestruct(&soa);
 	dns_rdataset_disassociate(&soaset);
@@ -1065,7 +1093,8 @@ signzone(dns_db_t *db, dns_dbversion_t *version) {
 				result = dns_rdatasetiter_next(rdsiter);
 			}
 			if (result != ISC_R_SUCCESS && result != ISC_R_NOMORE)
-				fatal("rdataset iteration failed");
+				fatal("rdataset iteration failed: %s",
+				      isc_result_totext(result));
 			if (result == ISC_R_SUCCESS) {
 				if (lastcut != NULL)
 					dns_name_free(lastcut, mctx);
@@ -1073,11 +1102,11 @@ signzone(dns_db_t *db, dns_dbversion_t *version) {
 					lastcut = isc_mem_get(mctx,
 							sizeof(dns_name_t));
 					if (lastcut == NULL)
-						fatal("allocation failure");
+						fatal("out of memory");
 				}
 				dns_name_init(lastcut, NULL);
 				result = dns_name_dup(curname, mctx, lastcut);
-				check_result(result, "dns_name_dup");
+				check_result(result, "dns_name_dup()");
 			}
 			dns_rdatasetiter_destroy(&rdsiter);
 		}
@@ -1091,7 +1120,8 @@ signzone(dns_db_t *db, dns_dbversion_t *version) {
 			target = origin;
 		else {
 			target = NULL;	/* Make compiler happy. */
-			fatal("db iteration failed");
+			fatal("iterating through the database failed: %s",
+			      isc_result_totext(result));
 		}
 		nxtresult = dns_buildnxt(db, version, node, target, zonettl);
 		check_result(nxtresult, "dns_buildnxt()");
@@ -1102,7 +1132,8 @@ signzone(dns_db_t *db, dns_dbversion_t *version) {
 		node = nextnode;
 	}
 	if (result != ISC_R_NOMORE)
-		fatal("db iteration failed");
+		fatal("iterating through the database failed: %s",
+		      isc_result_totext(result));
 	if (lastcut != NULL) {
 		dns_name_free(lastcut, mctx);
 		isc_mem_put(mctx, lastcut, sizeof(dns_name_t));
@@ -1126,7 +1157,9 @@ loadzone(char *file, char *origin, dns_zone_t **zone) {
 
 	dns_name_init(&name, NULL);
 	result = dns_name_fromtext(&name, &b, dns_rootname, ISC_FALSE, &b2);
-	check_result(result, "dns_name_fromtext()");
+	if (result != ISC_R_SUCCESS)
+		fatal("failed converting name '%s' to dns format: %s",
+		      origin, isc_result_totext(result));
 
 	result = dns_zone_create(zone, mctx);
 	check_result(result, "dns_zone_create()");
@@ -1145,7 +1178,9 @@ loadzone(char *file, char *origin, dns_zone_t **zone) {
 	dns_zone_setclass(*zone, dns_rdataclass_in); /* XXX */
 
 	result = dns_zone_load(*zone);
-	check_result(result, "dns_zone_load()");
+	if (result != ISC_R_SUCCESS)
+		fatal("failed loading zone from '%s': %s",
+		      file, isc_result_totext(result));
 }
 
 static void
@@ -1176,20 +1211,24 @@ loadzonekeys(dns_db_t *db, dns_dbversion_t *version) {
 
 	node = NULL;
 	result = dns_db_findnode(db, origin, ISC_FALSE, &node);
-	check_result(result, "dns_db_findnode()");
+	if (result != ISC_R_SUCCESS)
+		fatal("failed to find the zone's origin: %s",
+		      isc_result_totext(result));
 
 	result = dns_dnssec_findzonekeys(db, version, node, origin, mctx,
 					 20, keys, &nkeys);
 	if (result == ISC_R_NOTFOUND)
 		result = ISC_R_SUCCESS;
-	check_result(result, "dns_dnssec_findzonekeys()");
+	if (result != ISC_R_SUCCESS)
+		fatal("failed to find the zone keys: %s",
+		      isc_result_totext(result));
 
 	for (i = 0; i < nkeys; i++) {
 		signer_key_t *key;
 
 		key = isc_mem_get(mctx, sizeof(signer_key_t));
 		if (key == NULL)
-			check_result(ISC_R_FAILURE, "isc_mem_get(key)");
+			fatal("out of memory");
 		key->key = keys[i];
 		key->isdefault = ISC_FALSE;
 
@@ -1209,7 +1248,9 @@ dumpzone(dns_zone_t *zone, char *filename) {
 		exit(-1);
 	}
 	result = dns_zone_dumptostream(zone, fp);
-	check_result(result, "dns_zone_dump");
+	if (result != ISC_R_SUCCESS)
+		fatal("failed to write new database to '%s': %s",
+		      filename, isc_result_totext(result));
 	fclose(fp);
 }
 
@@ -1229,10 +1270,11 @@ strtotime(char *str, isc_int64_t now, isc_int64_t base) {
 	}
 	else {
 		result = dns_time64_fromtext(str, &val);
-		check_result(result, "dns_time64_fromtext()");
+		if (result != ISC_R_SUCCESS)
+			fatal("time %s must be numeric", str);
 	}
 	if (*endp != '\0')
-		check_result(ISC_R_FAILURE, "strtol()");
+		fatal("time value %s is invalid", str);
 
 	return ((isc_stdtime_t) val);
 }
@@ -1324,7 +1366,8 @@ main(int argc, char *argv[]) {
 	dns_result_register();
 
 	result = isc_mem_create(0, 0, &mctx);
-	check_result(result, "isc_mem_create()");
+	if (result != ISC_R_SUCCESS)
+		fatal("out of memory");
 
 	while ((ch = isc_commandline_parse(argc, argv, "s:e:c:v:o:f:ah"))
 	       != -1) {
@@ -1333,46 +1376,42 @@ main(int argc, char *argv[]) {
 			startstr = isc_mem_strdup(mctx,
 						  isc_commandline_argument);
 			if (startstr == NULL)
-				check_result(ISC_R_FAILURE,
-					     "isc_mem_strdup()");
+				fatal("out of memory");
 			break;
 
 		case 'e':
 			endstr = isc_mem_strdup(mctx,
 						isc_commandline_argument);
 			if (endstr == NULL)
-				check_result(ISC_R_FAILURE,
-					     "isc_mem_strdup()");
+				fatal("out of memory");
 			break;
 
 		case 'c':
 			endp = NULL;
 			cycle = strtol(isc_commandline_argument, &endp, 0);
 			if (*endp != '\0')
-				check_result(ISC_R_FAILURE, "strtol()");
+				fatal("cycle period must be numeric");
 			break;
 
 		case 'v':
 			endp = NULL;
 			verbose = strtol(isc_commandline_argument, &endp, 0);
 			if (*endp != '\0')
-				check_result(ISC_R_FAILURE, "strtol()");
+				fatal("verbose level must be numeric");
 			break;
 
 		case 'o':
 			origin = isc_mem_strdup(mctx,
 						isc_commandline_argument);
 			if (origin == NULL)
-				check_result(ISC_R_FAILURE,
-					     "isc_mem_strdup()");
+				fatal("out of memory");
 			break;
 
 		case 'f':
 			output = isc_mem_strdup(mctx,
 						isc_commandline_argument);
 			if (output == NULL)
-				check_result(ISC_R_FAILURE,
-					     "isc_mem_strdup()");
+				fatal("out of memory");
 			break;
 
 		case 'a':
@@ -1431,7 +1470,7 @@ main(int argc, char *argv[]) {
 
 	file = isc_mem_strdup(mctx, argv[0]);
 	if (file == NULL)
-		check_result(ISC_R_FAILURE, "isc_mem_strdup()");
+		fatal("out of memory");
 
 	argc -= 1;
 	argv += 1;
@@ -1440,14 +1479,14 @@ main(int argc, char *argv[]) {
 		output = isc_mem_allocate(mctx,
 					 strlen(file) + strlen(".signed") + 1);
 		if (output == NULL)
-			check_result(ISC_R_FAILURE, "isc_mem_allocate()");
+			fatal("out of memory");
 		sprintf(output, "%s.signed", file);
 	}
 
 	if (origin == NULL) {
 		origin = isc_mem_allocate(mctx, strlen(file) + 2);
 		if (origin == NULL)
-			check_result(ISC_R_FAILURE, "isc_mem_allocate()");
+			fatal("out of memory");
 		strcpy(origin, file);
 		if (file[strlen(file) - 1] != '.')
 			strcat(origin, ".");
@@ -1496,9 +1535,12 @@ main(int argc, char *argv[]) {
 				{
 					key->isdefault = ISC_TRUE;
 					if (!dst_key_isprivate(dkey))
-						check_result
-							(DST_R_NOTPRIVATEKEY,
-							 "key specify");
+						fatal("cannot sign zone with "
+						      "non-private key "
+						      "'%s/%s/%d'",
+						      dst_key_name(dkey),
+						      algtostr(dst_key_alg(dkey)),
+						      dst_key_id(dkey));
 					break;
 				}
 				key = ISC_LIST_NEXT(key, link);
@@ -1508,11 +1550,14 @@ main(int argc, char *argv[]) {
 				result = dst_key_fromfile(namestr, id, alg,
 							  DST_TYPE_PRIVATE,
 							  mctx, &dkey);
-				check_result (result, "dst_key_fromfile");
+				if (result != ISC_R_SUCCESS)
+					fatal("failed to load key '%s/%s/%d' "
+					      "from disk: %s", namestr,
+					      algtostr(alg), id,
+					      isc_result_totext(result));
 				key = isc_mem_get(mctx, sizeof(signer_key_t));
 				if (key == NULL)
-					check_result(ISC_R_FAILURE,
-						     "isc_mem_get");
+					fatal("out of memory");
 				key->key = dkey;
 				key->isdefault = ISC_TRUE;
 				ISC_LIST_APPEND(keylist, key, link);