diff --git a/bin/named/server.c b/bin/named/server.c index 31bec0ec50..1b8ee399c4 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -6835,11 +6835,7 @@ struct dotat_arg { * reported in the TAT query. */ static isc_result_t -get_tat_qname(dns_name_t *target, dns_name_t *keyname, - dns_keytable_t *keytable, dns_keynode_t *keynode) -{ - dns_keynode_t *firstnode = keynode; - dns_keynode_t *nextnode = NULL; +get_tat_qname(dns_name_t *target, dns_name_t *keyname, dns_keynode_t *keynode) { dns_rdataset_t *dsset = NULL; unsigned int i, n = 0; uint16_t ids[12]; @@ -6866,23 +6862,6 @@ get_tat_qname(dns_name_t *target, dns_name_t *keyname, n++; } } - } else { - do { - dst_key_t *key = dns_keynode_key(keynode); - if (key != NULL) { - if (n < (sizeof(ids)/sizeof(ids[0]))) { - ids[n] = dst_key_id(key); - n++; - } - } - nextnode = NULL; - (void)dns_keytable_nextkeynode(keytable, keynode, - &nextnode); - if (keynode != firstnode) { - dns_keytable_detachkeynode(keytable, &keynode); - } - keynode = nextnode; - } while (keynode != NULL); } if (n == 0) { @@ -6938,7 +6917,7 @@ dotat(dns_keytable_t *keytable, dns_keynode_t *keynode, task = dotat_arg->task; tatname = dns_fixedname_initname(&fixed); - result = get_tat_qname(tatname, keyname, keytable, keynode); + result = get_tat_qname(tatname, keyname, keynode); if (result != ISC_R_SUCCESS) { return; } diff --git a/lib/dns/include/dns/keytable.h b/lib/dns/include/dns/keytable.h index 2d8113046f..4edba81a5b 100644 --- a/lib/dns/include/dns/keytable.h +++ b/lib/dns/include/dns/keytable.h @@ -223,9 +223,8 @@ isc_result_t dns_keytable_find(dns_keytable_t *keytable, const dns_name_t *keyname, dns_keynode_t **keynodep); /*%< - * Search for the first instance of a key named 'name' in 'keytable', - * without regard to keyid and algorithm. Use dns_keytable_nextkeynode() - * to find subsequent instances. + * Search for the first instance of a trust anchor named 'name' in + * 'keytable', without regard to keyid and algorithm. * * Requires: * @@ -243,78 +242,6 @@ dns_keytable_find(dns_keytable_t *keytable, const dns_name_t *keyname, *\li Any other result indicates an error. */ -isc_result_t -dns_keytable_nextkeynode(dns_keytable_t *keytable, dns_keynode_t *keynode, - dns_keynode_t **nextnodep); -/*%< - * Return for the next key after 'keynode' in 'keytable', without regard to - * keyid and algorithm. - * - * Requires: - * - *\li 'keytable' is a valid keytable. - * - *\li 'keynode' is a valid keynode. - * - *\li nextnodep != NULL && *nextnodep == NULL - * - * Returns: - * - *\li ISC_R_SUCCESS - *\li ISC_R_NOTFOUND - * - *\li Any other result indicates an error. - */ - -isc_result_t -dns_keytable_findkeynode(dns_keytable_t *keytable, const dns_name_t *name, - dns_secalg_t algorithm, dns_keytag_t tag, - dns_keynode_t **keynodep); -/*%< - * Search for a key named 'name', matching 'algorithm' and 'tag' in - * 'keytable'. This finds the first instance which matches. Use - * dns_keytable_findnextkeynode() to find other instances. - * - * Requires: - * - *\li 'keytable' is a valid keytable. - * - *\li 'name' is a valid absolute name. - * - *\li keynodep != NULL && *keynodep == NULL - * - * Returns: - * - *\li ISC_R_SUCCESS - *\li DNS_R_PARTIALMATCH the name existed in the keytable. - *\li ISC_R_NOTFOUND - * - *\li Any other result indicates an error. - */ - -isc_result_t -dns_keytable_findnextkeynode(dns_keytable_t *keytable, dns_keynode_t *keynode, - dns_keynode_t **nextnodep); -/*%< - * Search for the next key with the same properties as 'keynode' in - * 'keytable' as found by dns_keytable_findkeynode(). - * - * Requires: - * - *\li 'keytable' is a valid keytable. - * - *\li 'keynode' is a valid keynode. - * - *\li nextnodep != NULL && *nextnodep == NULL - * - * Returns: - * - *\li ISC_R_SUCCESS - *\li ISC_R_NOTFOUND - * - *\li Any other result indicates an error. - */ - isc_result_t dns_keytable_finddeepestmatch(dns_keytable_t *keytable, const dns_name_t *name, dns_name_t *foundname); @@ -413,12 +340,6 @@ dns_keytable_totext(dns_keytable_t *keytable, isc_buffer_t **buf); * Dump the keytable to buffer at 'buf' */ -dst_key_t * -dns_keynode_key(dns_keynode_t *keynode); -/*%< - * Get the DST key associated with keynode. - */ - dns_rdataset_t * dns_keynode_dsset(dns_keynode_t *keynode); /*%< @@ -466,8 +387,7 @@ dns_keynode_attach(dns_keynode_t *source, dns_keynode_t **target); void dns_keynode_detach(isc_mem_t *mctx, dns_keynode_t **target); /*%< - * Detach a single keynode, without touching any keynodes that - * may be pointed to by its 'next' pointer + * Detach a keynode. */ void diff --git a/lib/dns/keytable.c b/lib/dns/keytable.c index bf1df1ed95..2a65c7caab 100644 --- a/lib/dns/keytable.c +++ b/lib/dns/keytable.c @@ -516,123 +516,6 @@ dns_keytable_find(dns_keytable_t *keytable, const dns_name_t *keyname, return (result); } -isc_result_t -dns_keytable_nextkeynode(dns_keytable_t *keytable, dns_keynode_t *keynode, - dns_keynode_t **nextnodep) -{ - /* - * Return the next key after 'keynode', regardless of - * properties. - */ - - REQUIRE(VALID_KEYTABLE(keytable)); - REQUIRE(VALID_KEYNODE(keynode)); - REQUIRE(nextnodep != NULL && *nextnodep == NULL); - - if (keynode->next == NULL) { - return (ISC_R_NOTFOUND); - } - - dns_keytable_attachkeynode(keytable, keynode->next, nextnodep); - - return (ISC_R_SUCCESS); -} - -isc_result_t -dns_keytable_findkeynode(dns_keytable_t *keytable, const dns_name_t *name, - dns_secalg_t algorithm, dns_keytag_t tag, - dns_keynode_t **keynodep) -{ - isc_result_t result; - dns_keynode_t *knode; - void *data; - - /* - * Search for a key named 'name', matching 'algorithm' and 'tag' in - * 'keytable'. - */ - - REQUIRE(VALID_KEYTABLE(keytable)); - REQUIRE(dns_name_isabsolute(name)); - REQUIRE(keynodep != NULL && *keynodep == NULL); - - RWLOCK(&keytable->rwlock, isc_rwlocktype_read); - - /* - * Note we don't want the DNS_R_PARTIALMATCH from dns_rbt_findname() - * as that indicates that 'name' was not found. - * - * DNS_R_PARTIALMATCH indicates that the name was found but we - * didn't get a match on algorithm and key id arguments. - */ - knode = NULL; - data = NULL; - result = dns_rbt_findname(keytable->table, name, 0, NULL, &data); - if (result == ISC_R_SUCCESS) { - INSIST(data != NULL); - - for (knode = data; knode != NULL; knode = knode->next) { - if (knode->key == NULL) { - knode = NULL; - break; - } - if (algorithm == dst_key_alg(knode->key) && - tag == dst_key_id(knode->key)) - { - break; - } - } - if (knode != NULL) { - dns_keytable_attachkeynode(keytable, knode, keynodep); - } else { - result = DNS_R_PARTIALMATCH; - } - } else if (result == DNS_R_PARTIALMATCH) { - result = ISC_R_NOTFOUND; - } - - RWUNLOCK(&keytable->rwlock, isc_rwlocktype_read); - - return (result); -} - -isc_result_t -dns_keytable_findnextkeynode(dns_keytable_t *keytable, dns_keynode_t *keynode, - dns_keynode_t **nextnodep) -{ - isc_result_t result; - dns_keynode_t *knode; - - /* - * Search for the next key with the same properties as 'keynode' in - * 'keytable'. - */ - - REQUIRE(VALID_KEYTABLE(keytable)); - REQUIRE(VALID_KEYNODE(keynode)); - REQUIRE(nextnodep != NULL && *nextnodep == NULL); - - for (knode = keynode->next; knode != NULL; knode = knode->next) { - if (knode->key == NULL) { - knode = NULL; - break; - } - if (dst_key_alg(keynode->key) == dst_key_alg(knode->key) && - dst_key_id(keynode->key) == dst_key_id(knode->key)) - { - break; - } - } - if (knode != NULL) { - dns_keytable_attachkeynode(keytable, knode, nextnodep); - result = ISC_R_SUCCESS; - } else { - result = ISC_R_NOTFOUND; - } - - return (result); -} - isc_result_t dns_keytable_finddeepestmatch(dns_keytable_t *keytable, const dns_name_t *name, dns_name_t *foundname) @@ -674,7 +557,8 @@ dns_keytable_attachkeynode(dns_keytable_t *keytable, dns_keynode_t *source, REQUIRE(VALID_KEYNODE(source)); REQUIRE(target != NULL && *target == NULL); - REQUIRE(atomic_fetch_add_relaxed(&keytable->active_nodes, 1) < UINT32_MAX); + REQUIRE(atomic_fetch_add_relaxed(&keytable->active_nodes, + 1) < UINT32_MAX); dns_keynode_attach(source, target); } @@ -913,8 +797,8 @@ dns_keytable_forall(dns_keytable_t *keytable, } goto cleanup; } - REQUIRE(atomic_fetch_add_relaxed(&keytable->active_nodes, 1) - < UINT32_MAX); + REQUIRE(atomic_fetch_add_relaxed(&keytable->active_nodes, + 1) < UINT32_MAX); for (;;) { dns_rbtnodechain_current(&chain, foundname, origin, &node); if (node->data != NULL) { @@ -939,13 +823,6 @@ dns_keytable_forall(dns_keytable_t *keytable, return (result); } -dst_key_t * -dns_keynode_key(dns_keynode_t *keynode) { - REQUIRE(VALID_KEYNODE(keynode)); - - return (keynode->key); -} - dns_rdataset_t * dns_keynode_dsset(dns_keynode_t *keynode) { REQUIRE(VALID_KEYNODE(keynode)); diff --git a/lib/dns/tests/keytable_test.c b/lib/dns/tests/keytable_test.c index b90b1f7df8..ac3066eafd 100644 --- a/lib/dns/tests/keytable_test.c +++ b/lib/dns/tests/keytable_test.c @@ -219,7 +219,6 @@ static void add_test(void **state) { dst_key_t *key = NULL; dns_keynode_t *keynode = NULL; - dns_keynode_t *next_keynode = NULL; dns_keynode_t *null_keynode = NULL; UNUSED(state); @@ -227,27 +226,24 @@ add_test(void **state) { create_tables(); /* - * Get the keynode for the example.com key. There's no other key for - * the name, so nextkeynode() should return NOTFOUND. + * Getting the keynode for the example.com key should succeed. */ assert_int_equal(dns_keytable_find(keytable, str2name("example.com"), &keynode), ISC_R_SUCCESS); - assert_int_equal(dns_keytable_nextkeynode(keytable, keynode, - &next_keynode), - ISC_R_NOTFOUND); /* - * Try to add the same key. This should have no effect, so - * nextkeynode() should still return NOTFOUND. + * Try to add the same key. This should have no effect but + * report success. */ create_key(257, 3, 5, "example.com", keystr1, &key); assert_int_equal(dns_keytable_add(keytable, false, false, dst_key_name(key), &key, NULL), ISC_R_SUCCESS); - assert_int_equal(dns_keytable_nextkeynode(keytable, keynode, - &next_keynode), - ISC_R_NOTFOUND); + dns_keytable_detachkeynode(keytable, &keynode); + assert_int_equal(dns_keytable_find(keytable, str2name("example.com"), + &keynode), + ISC_R_SUCCESS); /* Add another key (different keydata) */ dns_keytable_detachkeynode(keytable, &keynode); @@ -258,24 +254,16 @@ add_test(void **state) { assert_int_equal(dns_keytable_find(keytable, str2name("example.com"), &keynode), ISC_R_SUCCESS); - assert_int_equal(dns_keytable_nextkeynode(keytable, keynode, - &next_keynode), - ISC_R_SUCCESS); - dns_keytable_detachkeynode(keytable, &next_keynode); dns_keytable_detachkeynode(keytable, &keynode); /* - * Get the keynode for the managed.com key. There's no other key for - * the name, so nextkeynode() should return NOTFOUND. Ensure the + * Get the keynode for the managed.com key. Ensure the * retrieved key is an initializing key, then mark it as trusted using * dns_keynode_trust() and ensure the latter works as expected. */ assert_int_equal(dns_keytable_find(keytable, str2name("managed.com"), &keynode), ISC_R_SUCCESS); - assert_int_equal(dns_keytable_nextkeynode(keytable, keynode, - &next_keynode), - ISC_R_NOTFOUND); assert_int_equal(dns_keynode_initial(keynode), true); dns_keynode_trust(keynode); assert_int_equal(dns_keynode_initial(keynode), false); @@ -283,8 +271,7 @@ add_test(void **state) { /* * Add a different managed key for managed.com, marking it as an - * initializing key. Ensure nextkeynode() no longer returns - * ISC_R_NOTFOUND and that the added key is an initializing key. + * initializing key. */ create_key(257, 3, 5, "managed.com", keystr2, &key); assert_int_equal(dns_keytable_add(keytable, true, true, @@ -293,11 +280,7 @@ add_test(void **state) { assert_int_equal(dns_keytable_find(keytable, str2name("managed.com"), &keynode), ISC_R_SUCCESS); - assert_int_equal(dns_keytable_nextkeynode(keytable, keynode, - &next_keynode), - ISC_R_SUCCESS); assert_int_equal(dns_keynode_initial(keynode), true); - dns_keytable_detachkeynode(keytable, &next_keynode); dns_keytable_detachkeynode(keytable, &keynode); /* @@ -314,22 +297,11 @@ add_test(void **state) { &keynode), ISC_R_SUCCESS); assert_int_equal(dns_keynode_initial(keynode), false); - assert_int_equal(dns_keytable_nextkeynode(keytable, keynode, - &next_keynode), - ISC_R_SUCCESS); - dns_keytable_detachkeynode(keytable, &keynode); - keynode = next_keynode; - next_keynode = NULL; - assert_int_equal(dns_keynode_initial(keynode), false); - assert_int_equal(dns_keytable_nextkeynode(keytable, keynode, - &next_keynode), - ISC_R_NOTFOUND); dns_keytable_detachkeynode(keytable, &keynode); /* * Add a managed key at a new node, two.com, marking it as an - * initializing key. Ensure nextkeynode() returns ISC_R_NOTFOUND and - * that the added key is an initializing key. + * initializing key. */ create_key(257, 3, 5, "two.com", keystr1, &key); assert_int_equal(dns_keytable_add(keytable, true, true, @@ -338,16 +310,12 @@ add_test(void **state) { assert_int_equal(dns_keytable_find(keytable, str2name("two.com"), &keynode), ISC_R_SUCCESS); - assert_int_equal(dns_keytable_nextkeynode(keytable, keynode, - &next_keynode), - ISC_R_NOTFOUND); assert_int_equal(dns_keynode_initial(keynode), true); dns_keytable_detachkeynode(keytable, &keynode); /* * Add a different managed key for two.com, marking it as a - * non-initializing key. Ensure nextkeynode() no longer returns - * ISC_R_NOTFOUND and that the added key is not an initializing key. + * non-initializing key. */ create_key(257, 3, 5, "two.com", keystr2, &key); assert_int_equal(dns_keytable_add(keytable, true, false, @@ -356,10 +324,7 @@ add_test(void **state) { assert_int_equal(dns_keytable_find(keytable, str2name("two.com"), &keynode), ISC_R_SUCCESS); - assert_int_equal(dns_keytable_nextkeynode(keytable, keynode, - &next_keynode), ISC_R_SUCCESS); assert_int_equal(dns_keynode_initial(keynode), false); - dns_keytable_detachkeynode(keytable, &next_keynode); dns_keytable_detachkeynode(keytable, &keynode); /* @@ -376,16 +341,6 @@ add_test(void **state) { &keynode), ISC_R_SUCCESS); assert_int_equal(dns_keynode_initial(keynode), false); - assert_int_equal(dns_keytable_nextkeynode(keytable, keynode, - &next_keynode), - ISC_R_SUCCESS); - dns_keytable_detachkeynode(keytable, &keynode); - keynode = next_keynode; - next_keynode = NULL; - assert_int_equal(dns_keynode_initial(keynode), false); - assert_int_equal(dns_keytable_nextkeynode(keytable, keynode, - &next_keynode), - ISC_R_NOTFOUND); dns_keytable_detachkeynode(keytable, &keynode); /* @@ -403,13 +358,11 @@ add_test(void **state) { &keynode), ISC_R_SUCCESS); assert_int_equal(keynode, null_keynode); /* should be the same node */ - assert_non_null(dns_keynode_key(keynode)); /* now have a key */ dns_keytable_detachkeynode(keytable, &null_keynode); /* * Try to add a null key to a name that already has a key. It's - * effectively no-op, so the same key node is still there, with no - * no next node. + * effectively no-op, so the same key node is still there. * (Note: this and above checks confirm that if a name has a null key * that's the only key for the name). */ @@ -420,10 +373,6 @@ add_test(void **state) { &null_keynode), ISC_R_SUCCESS); assert_int_equal(keynode, null_keynode); - assert_non_null(dns_keynode_key(keynode)); - assert_int_equal(dns_keytable_nextkeynode(keytable, keynode, - &next_keynode), - ISC_R_NOTFOUND); dns_keytable_detachkeynode(keytable, &null_keynode); dns_keytable_detachkeynode(keytable, &keynode); @@ -553,7 +502,6 @@ find_test(void **state) { str2name("null.example"), &keynode), ISC_R_SUCCESS); - assert_int_equal(dns_keynode_key(keynode), NULL); dns_keytable_detachkeynode(keytable, &keynode); /* @@ -581,37 +529,6 @@ find_test(void **state) { ISC_R_SUCCESS); assert_true(dns_name_equal(name, str2name("null.example"))); - /* - * dns_keytable_findkeynode() requires exact name, algorithm, keytag - * match. If algorithm or keytag doesn't match, should result in - * PARTIALMATCH. Same for a node with a null key. - */ - assert_int_equal(dns_keytable_findkeynode(keytable, - str2name("example.org"), - 5, keytag1, &keynode), - ISC_R_NOTFOUND); - assert_int_equal(dns_keytable_findkeynode(keytable, - str2name("sub.example.com"), - 5, keytag1, &keynode), - ISC_R_NOTFOUND); - assert_int_equal(dns_keytable_findkeynode(keytable, - str2name("example.com"), - 4, keytag1, &keynode), - DNS_R_PARTIALMATCH); /* different algorithm */ - assert_int_equal(dns_keytable_findkeynode(keytable, - str2name("example.com"), - 5, keytag1 + 1, &keynode), - DNS_R_PARTIALMATCH); /* different keytag */ - assert_int_equal(dns_keytable_findkeynode(keytable, - str2name("null.example"), - 5, 0, &keynode), - DNS_R_PARTIALMATCH); /* null key */ - assert_int_equal(dns_keytable_findkeynode(keytable, - str2name("example.com"), - 5, keytag1, &keynode), - ISC_R_SUCCESS); /* complete match */ - dns_keytable_detachkeynode(keytable, &keynode); - destroy_tables(); } diff --git a/lib/dns/validator.c b/lib/dns/validator.c index 3ba10feb0d..ee6f98e0d9 100644 --- a/lib/dns/validator.c +++ b/lib/dns/validator.c @@ -1684,110 +1684,6 @@ check_signer(dns_validator_t *val, dns_rdata_t *keyrdata, return (result); } -static isc_result_t -anchor_signed(dns_validator_t *val, isc_result_t *resp) { - isc_result_t result; - bool atsep = false; - - /* - * First, see if this key was signed by a trust anchor. - */ - for (result = dns_rdataset_first(val->event->sigrdataset); - result == ISC_R_SUCCESS; - result = dns_rdataset_next(val->event->sigrdataset)) - { - dns_keynode_t *keynode = NULL; - dns_rdata_t sigrdata = DNS_RDATA_INIT; - dns_fixedname_t fixed; - dns_name_t *found; - dst_key_t *dstkey; - dns_rdata_rrsig_t sig; - - found = dns_fixedname_initname(&fixed); - dns_rdata_reset(&sigrdata); - dns_rdataset_current(val->event->sigrdataset, &sigrdata); - result = dns_rdata_tostruct(&sigrdata, &sig, NULL); - RUNTIME_CHECK(result == ISC_R_SUCCESS); - - if (!dns_name_equal(val->event->name, &sig.signer)) { - continue; - } - - result = dns_keytable_findkeynode(val->keytable, - val->event->name, - sig.algorithm, sig.keyid, - &keynode); - if (result == ISC_R_NOTFOUND) { - result = dns_keytable_finddeepestmatch(val->keytable, - val->event->name, - found); - if (result != ISC_R_SUCCESS) { - validator_log(val, ISC_LOG_DEBUG(3), - "not beneath secure root"); - *resp = markanswer(val, "validate_dnskey (1)", - "not beneath secure root"); - return (ISC_R_COMPLETE); - } - continue; - } - - if (result == DNS_R_PARTIALMATCH || result == ISC_R_SUCCESS) { - atsep = true; - } - - while (result == ISC_R_SUCCESS) { - dns_keynode_t *nextnode = NULL; - dstkey = dns_keynode_key(keynode); - if (dstkey == NULL) { - dns_keytable_detachkeynode(val->keytable, - &keynode); - break; - } - - result = verify(val, dstkey, &sigrdata, sig.keyid); - if (result == ISC_R_SUCCESS) { - dns_keytable_detachkeynode(val->keytable, - &keynode); - break; - } - - result = dns_keytable_findnextkeynode(val->keytable, - keynode, - &nextnode); - dns_keytable_detachkeynode(val->keytable, &keynode); - keynode = nextnode; - } - - if (result == ISC_R_SUCCESS) { - marksecure(val->event); - validator_log(val, ISC_LOG_DEBUG(3), - "signed by trusted key; " - "marking as secure"); - *resp = result; - return (ISC_R_COMPLETE); - } - } - - if (atsep) { - /* - * We have not found a key to verify this DNSKEY - * RRset, but there is a trust anchor defined for this - * name, so we have to assume that the RRset is invalid. - */ - char namebuf[DNS_NAME_FORMATSIZE]; - - dns_name_format(val->event->name, namebuf, sizeof(namebuf)); - validator_log(val, ISC_LOG_NOTICE, - "unable to find a DNSKEY which verifies " - "the DNSKEY RRset and also matches a " - "trusted key for '%s'", namebuf); - *resp = DNS_R_NOVALIDKEY; - return (ISC_R_COMPLETE); - } - - return (result); -} - /* * get_dsset is called to look up a DS RRset corresponding to the name * of a DNSKEY record, either in the cache or, if necessary, by starting a @@ -1924,15 +1820,6 @@ validate_dnskey(dns_validator_t *val) { if (val->dsset == NULL) { isc_result_t tresult = ISC_R_SUCCESS; - /* - * First, check whether the key to be validated was - * signed by a trust anchor. - */ - result = anchor_signed(val, &tresult); - if (result == ISC_R_COMPLETE) { - return (tresult); - } - /* * If this is the root name and there was no trusted key, * we can give up now, since there's no DS at the root. diff --git a/lib/dns/win32/libdns.def.in b/lib/dns/win32/libdns.def.in index 708b97242c..42e8ab222a 100644 --- a/lib/dns/win32/libdns.def.in +++ b/lib/dns/win32/libdns.def.in @@ -463,7 +463,6 @@ dns_keynode_detach dns_keynode_detachall dns_keynode_dsset dns_keynode_initial -dns_keynode_key dns_keynode_managed dns_keynode_trust dns_keyring_restore @@ -478,12 +477,9 @@ dns_keytable_detachkeynode dns_keytable_dump dns_keytable_find dns_keytable_finddeepestmatch -dns_keytable_findkeynode -dns_keytable_findnextkeynode dns_keytable_forall dns_keytable_issecuredomain dns_keytable_marksecure -dns_keytable_nextkeynode dns_keytable_totext dns_lib_init dns_lib_shutdown diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 39464bf8a9..80e3085a45 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -3857,12 +3857,9 @@ create_keydata(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, isc_stdtime_get(&now); /* - * If the keynode has neither a key nor a DS RRset, - * we shouldn't be here. + * If the keynode has no trust anchor set, we shouldn't be here. */ - if (dns_keynode_key(keynode) == NULL && - dns_keynode_dsset(keynode) == NULL) - { + if (dns_keynode_dsset(keynode) == NULL) { return (ISC_R_FAILURE); } @@ -4265,12 +4262,9 @@ addifmissing(dns_keytable_t *keytable, dns_keynode_t *keynode, } /* - * If the keynode has neither a key-style nor a DS-style - * trust anchor, return. + * If the keynode has no trust anchor set, return. */ - if (dns_keynode_dsset(keynode) == NULL && - dns_keynode_key(keynode) == NULL) - { + if (dns_keynode_dsset(keynode) == NULL) { return; } @@ -9823,8 +9817,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { } /* - * If the first keynode has a DS trust anchor, use that for - * verification. + * If the keynode has a DS trust anchor, use it for verification. */ if ((dsset = dns_keynode_dsset(keynode)) != NULL) { for (result = dns_rdataset_first(dnskeysigs); @@ -9897,74 +9890,6 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { break; } } - goto anchors_done; - } else { - dns_keytable_detachkeynode(secroots, &keynode); - } - - /* - * Validate the DNSKEY set against using the key-style - * trust anchor(s). - */ - for (result = dns_rdataset_first(dnskeysigs); - result == ISC_R_SUCCESS; - result = dns_rdataset_next(dnskeysigs)) - { - result = dns_keytable_find(secroots, keyname, &keynode); - if (result != ISC_R_SUCCESS) { - goto anchors_done; - } - dns_rdata_reset(&sigrr); - dns_rdataset_current(dnskeysigs, &sigrr); - result = dns_rdata_tostruct(&sigrr, &sig, NULL); - RUNTIME_CHECK(result == ISC_R_SUCCESS); - - result = ISC_R_SUCCESS; - while (result == ISC_R_SUCCESS) { - dns_keynode_t *nextnode = NULL; - - dstkey = dns_keynode_key(keynode); - if (dstkey == NULL) { - /* fail_secure() was called */ - break; - } - - if (dst_key_alg(dstkey) == sig.algorithm && - dst_key_id(dstkey) == sig.keyid) - { - result = dns_dnssec_verify(keyname, dnskeys, - dstkey, false, 0, - mctx, &sigrr, NULL); - - dnssec_log(zone, ISC_LOG_DEBUG(3), - "Verifying DNSKEY set " - "for zone '%s' " - "using key %d/%d: %s", - namebuf, sig.keyid, - sig.algorithm, - dns_result_totext(result)); - - if (result == ISC_R_SUCCESS) { - dnskeys->trust = dns_trust_secure; - dnskeysigs->trust = dns_trust_secure; - secure = true; - initial = dns_keynode_initial(keynode); - dns_keynode_trust(keynode); - break; - } - } - - result = dns_keytable_nextkeynode(secroots, keynode, - &nextnode); - if (result == ISC_R_SUCCESS) { - dns_keytable_detachkeynode(secroots, &keynode); - keynode = nextnode; - } - } - dns_keytable_detachkeynode(secroots, &keynode); - if (secure) { - break; - } } anchors_done: diff --git a/lib/dns/zoneverify.c b/lib/dns/zoneverify.c index 265fdf6dbe..c19367b0a0 100644 --- a/lib/dns/zoneverify.c +++ b/lib/dns/zoneverify.c @@ -1614,39 +1614,6 @@ check_dnskey_sigs(vctx_t *vctx, const dns_rdata_dnskey_t *dnskey, goto cleanup; } - /* - * The keynode didn't have any DS trust anchors, so we now try to - * find a matching DNSKEY trust anchor. - */ - result = dns_keytable_findkeynode(vctx->secroots, vctx->origin, - dst_key_alg(key), dst_key_id(key), - &keynode); - if (result != ISC_R_SUCCESS) { - goto cleanup; - } - - /* - * Walk the keynode list until we find a matching key or - * reach the end. - */ - while (result == ISC_R_SUCCESS) { - dns_keynode_t *nextnode = NULL; - - if (dst_key_compare(key, dns_keynode_key(keynode))) { - dns_keytable_detachkeynode(vctx->secroots, &keynode); - dns_rdataset_settrust(&vctx->keyset, dns_trust_secure); - dns_rdataset_settrust(&vctx->keysigs, dns_trust_secure); - *goodkey = true; - - goto cleanup; - } - - result = dns_keytable_findnextkeynode(vctx->secroots, - keynode, &nextnode); - dns_keytable_detachkeynode(vctx->secroots, &keynode); - keynode = nextnode; - } - cleanup: if (keynode != NULL) { dns_keytable_detachkeynode(vctx->secroots, &keynode); diff --git a/lib/ns/query.c b/lib/ns/query.c index 50876a4f84..f5ddfcb88e 100644 --- a/lib/ns/query.c +++ b/lib/ns/query.c @@ -6634,23 +6634,12 @@ has_ta(query_ctx_t *qctx) { } } - while (result == ISC_R_SUCCESS) { - dns_keynode_t *nextnode = NULL; - dns_keytag_t keyid = dst_key_id(dns_keynode_key(keynode)); - if (keyid == sentinel) { - dns_keytable_detachkeynode(keytable, &keynode); - dns_keytable_detach(&keytable); - return (true); - } - result = dns_keytable_nextkeynode(keytable, keynode, &nextnode); - dns_keytable_detachkeynode(keytable, &keynode); - keynode = nextnode; - } - if (keynode != NULL) { dns_keytable_detachkeynode(keytable, &keynode); } + dns_keytable_detach(&keytable); + return (false); }