2739. [cleanup] Clean up API for initializing and clearing trust

anchors for a view. [RT #20211]

CHANGES

@@ -1,3 +1,6 @@
+2739.	[cleanup]	Clean up API for initializing and clearing trust
+			anchors for a view. [RT #20211]
+
 2738.	[func]		Add RSASHA256 and RSASHA512 tests to the dnssec system
 			test. [RT #20453]
 

bin/named/server.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: server.c,v 1.553 2009/10/26 23:14:53 each Exp $ */
+/* $Id: server.c,v 1.554 2009/10/27 22:46:13 each Exp $ */
 
 /*! \file */
 
@@ -578,7 +578,10 @@ load_view_keys(const cfg_obj_t *keys, const cfg_obj_t *vconfig,
 	const cfg_listelt_t *elt, *elt2;
 	const cfg_obj_t *key, *keylist;
 	dst_key_t *dstkey = NULL;
-	isc_result_t result = ISC_R_SUCCESS;
+	isc_result_t result;
+	dns_keytable_t *secroots = NULL;
+
+	CHECK(dns_view_getsecroots(view, &secroots));
 
 	for (elt = cfg_list_first(keys);
 	     elt != NULL;
@@ -597,12 +600,14 @@ load_view_keys(const cfg_obj_t *keys, const cfg_obj_t *vconfig,
 			}
 			if (result != ISC_R_SUCCESS)
 				goto cleanup;
-			CHECK(dns_keytable_add(view->secroots, managed,
+
-					       &dstkey));
+			CHECK(dns_keytable_add(secroots, managed, &dstkey));
 		}
 	}
 
  cleanup:
+	if (secroots != NULL)
+		dns_keytable_detach(&secroots);
 	if (result == DST_R_NOCRYPTO)
 		result = ISC_R_SUCCESS;
 	return (result);
@@ -628,14 +633,18 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 	const cfg_obj_t *maps[4];
 	const cfg_obj_t *voptions = NULL;
 	const cfg_obj_t *options = NULL;
+	isc_boolean_t meta;
 	int i = 0;
 
 	/* We don't need trust anchors for the _bind view */
-	if (strcmp(view->name, "_bind") == 0) {
+	if (strcmp(view->name, "_bind") == 0 &&
-		view->secroots = NULL;
+	    view->rdclass == dns_rdataclass_chaos) {
 		return (ISC_R_SUCCESS);
 	}
 
+	meta = ISC_TF(strcmp(view->name, "_meta") == 0 &&
+		      view->rdclass == dns_rdataclass_in);
+
 	if (vconfig != NULL) {
 		voptions = cfg_tuple_get(vconfig, "options");
 		if (voptions != NULL) {
@@ -657,9 +666,7 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 	maps[i++] = ns_g_defaults;
 	maps[i] = NULL;
 
-	if (view->secroots != NULL)
+	result = dns_view_initsecroots(view, mctx);
-		dns_keytable_detach(&view->secroots);
-	result = dns_keytable_create(mctx, &view->secroots);
 	if (result != ISC_R_SUCCESS) {
 		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
 			      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
@@ -697,7 +704,7 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 		CHECK(load_view_keys(builtin_keys, vconfig, view,
 				     ISC_FALSE, mctx));
 
-		if (strcmp(view->name, "_meta") == 0)
+		if (meta)
 			CHECK(load_view_keys(builtin_managed_keys, vconfig,
 					     view, ISC_TRUE, mctx));
 	}
@@ -705,7 +712,7 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 	CHECK(load_view_keys(view_keys, vconfig, view, ISC_FALSE, mctx));
 	CHECK(load_view_keys(global_keys, vconfig, view, ISC_FALSE, mctx));
 
-	if (strcmp(view->name, "_meta") == 0)
+	if (meta)
 		CHECK(load_view_keys(global_managed_keys, vconfig, view,
 			       ISC_TRUE, mctx));
 
@@ -714,8 +721,7 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 }
 
 static isc_result_t
-mustbesecure(const cfg_obj_t *mbs, dns_resolver_t *resolver)
+mustbesecure(const cfg_obj_t *mbs, dns_resolver_t *resolver) {
-{
 	const cfg_listelt_t *element;
 	const cfg_obj_t *obj;
 	const char *str;

lib/dns/client.c

@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: client.c,v 1.5 2009/09/03 21:45:46 jinmei Exp $ */
+/* $Id: client.c,v 1.6 2009/10/27 22:46:13 each Exp $ */
 
 #include <config.h>
 
@@ -309,16 +309,11 @@ dns_client_createview(isc_mem_t *mctx, dns_rdataclass_t rdclass,
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
-	/*
+	/* Initialize view security roots */
-	 * Workaround for a recent change in dns_view_create(): proactively
+	result = dns_view_initsecroots(view, mctx);
-	 * create view->secroots if it's not created with view creation.
+	if (result != ISC_R_SUCCESS) {
-	 */
+		dns_view_detach(&view);
-	if (view->secroots == NULL) {
+		return (result);
-		result = dns_keytable_create(mctx, &view->secroots);
-		if (result != ISC_R_SUCCESS) {
-			dns_view_detach(&view);
-			return (result);
-		}
 	}
 
 	result = dns_view_createresolver(view, taskmgr, ntasks, socketmgr,
@@ -1398,6 +1393,7 @@ dns_client_addtrustedkey(dns_client_t *client, dns_rdataclass_t rdclass,
 	isc_result_t result;
 	dns_view_t *view = NULL;
 	dst_key_t *dstkey = NULL;
+	dns_keytable_t *secroots = NULL;
 
 	REQUIRE(DNS_CLIENT_VALID(client));
 
@@ -1406,17 +1402,24 @@ dns_client_addtrustedkey(dns_client_t *client, dns_rdataclass_t rdclass,
 				   rdclass, &view);
 	UNLOCK(&client->lock);
 	if (result != ISC_R_SUCCESS)
-		return (result);
+		goto cleanup;
+
+	result = dns_view_getsecroots(view, &secroots);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
 
 	result = dst_key_fromdns(keyname, rdclass, keydatabuf, client->mctx,
 				 &dstkey);
 	if (result != ISC_R_SUCCESS)
-		return (result);
+		goto cleanup;
 
-	result = dns_keytable_add(view->secroots, ISC_FALSE, &dstkey);
+	result = dns_keytable_add(secroots, ISC_FALSE, &dstkey);
-
-	dns_view_detach(&view);
 
+ cleanup:
+	if (view != NULL)
+		dns_view_detach(&view);
+	if (secroots != NULL)
+		dns_keytable_detach(&secroots);
 	return (result);
 }
 

lib/dns/include/dns/view.h

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: view.h,v 1.118 2009/06/30 02:52:32 each Exp $ */
+/* $Id: view.h,v 1.119 2009/10/27 22:46:13 each Exp $ */
 
 #ifndef DNS_VIEW_H
 #define DNS_VIEW_H 1
@@ -92,7 +92,13 @@ struct dns_view {
 	dns_cache_t *			cache;
 	dns_db_t *			cachedb;
 	dns_db_t *			hints;
-	dns_keytable_t *		secroots;   /* security roots */
+
+	/*
+	 * security roots.
+	 * internal use only; access via * dns_view_getsecroots()
+	 */
+	dns_keytable_t *		secroots_priv;
+
 	isc_mutex_t			lock;
 	isc_boolean_t			frozen;
 	isc_task_t *			task;
@@ -904,4 +910,53 @@ dns_view_iscacheshared(dns_view_t *view);
  *\li	#ISC_FALSE otherwise.
  */
 
+isc_result_t
+dns_view_initsecroots(dns_view_t *view, isc_mem_t *mctx);
+/*%<
+ * Initialize security roots for the view.  (Note that secroots is
+ * NULL until this function is called, so any function using
+ * secroots must check its validity first.  One way to do this is
+ * use dns_view_getsecroots() and check its return value.)
+ *
+ * Requires:
+ * \li	'view' is valid.
+ * \li	'view->secroots' is NULL.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS
+ *\li	Any other result indicates failure
+ */
+
+isc_result_t
+dns_view_getsecroots(dns_view_t *view, dns_keytable_t **ktp);
+/*%<
+ * Get the security roots for this view.  Returns ISC_R_NOTFOUND if
+ * the security roots keytable has not been initialized for the view.
+ *
+ * '*ktp' is attached on success; the caller is responsible for
+ * detaching it with dns_keytable_detach().
+ *
+ * Requires:
+ * \li	'view' is valid.
+ * \li	'ktp' is not NULL and '*ktp' is NULL.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS
+ *\li	ISC_R_NOTFOUND
+ */
+
+isc_result_t
+dns_view_issecuredomain(dns_view_t *view, dns_name_t *name,
+			 isc_boolean_t *secure_domain);
+/*%<
+ * Is 'name' at or beneath a trusted key?  Put answer in
+ * '*secure_domain'.
+ *
+ * Requires:
+ * \li	'view' is valid.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS
+ *\li	Any other value indicates failure
+ */
 #endif /* DNS_VIEW_H */

lib/dns/resolver.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: resolver.c,v 1.405 2009/09/01 00:22:26 jinmei Exp $ */
+/* $Id: resolver.c,v 1.406 2009/10/27 22:46:13 each Exp $ */
 
 /*! \file */
 
@@ -1691,9 +1691,8 @@ resquery_send(resquery_t *query) {
 	if ((query->options & DNS_FETCHOPT_NOVALIDATE) != 0) {
 		fctx->qmessage->flags |= DNS_MESSAGEFLAG_CD;
 	} else if (res->view->enablevalidation) {
-		result = dns_keytable_issecuredomain(res->view->secroots,
+		result = dns_view_issecuredomain(res->view, &fctx->name,
-						     &fctx->name,
+						 &secure_domain);
-						     &secure_domain);
 		if (result != ISC_R_SUCCESS)
 			secure_domain = ISC_FALSE;
 		if (res->view->dlv != NULL)
@@ -4217,8 +4216,8 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
 	 * Is DNSSEC validation required for this name?
 	 */
 	if (res->view->enablevalidation) {
-		result = dns_keytable_issecuredomain(res->view->secroots, name,
+		result = dns_view_issecuredomain(res->view, name,
-						     &secure_domain);
+						 &secure_domain);
 		if (result != ISC_R_SUCCESS)
 			return (result);
 
@@ -4675,8 +4674,8 @@ ncache_message(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
 	 * Is DNSSEC validation required for this name?
 	 */
 	if (fctx->res->view->enablevalidation) {
-		result = dns_keytable_issecuredomain(res->view->secroots, name,
+		result = dns_view_issecuredomain(res->view, name,
-						     &secure_domain);
+						 &secure_domain);
 		if (result != ISC_R_SUCCESS)
 			return (result);
 

lib/dns/validator.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: validator.c,v 1.178 2009/06/30 02:52:32 each Exp $ */
+/* $Id: validator.c,v 1.179 2009/10/27 22:46:13 each Exp $ */
 
 #include <config.h>
 
@@ -3651,6 +3651,7 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
 		return (ISC_R_NOMEMORY);
 	val->view = NULL;
 	dns_view_weakattach(view, &val->view);
+
 	event = (dns_validatorevent_t *)
 		isc_event_allocate(view->mctx, task,
 				   DNS_EVENT_VALIDATORSTART,
@@ -3679,8 +3680,12 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
 	val->fetch = NULL;
 	val->subvalidator = NULL;
 	val->parent = NULL;
+
 	val->keytable = NULL;
-	dns_keytable_attach(val->view->secroots, &val->keytable);
+	result = dns_view_getsecroots(val->view, &val->keytable);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
 	val->keynode = NULL;
 	val->key = NULL;
 	val->siginfo = NULL;

lib/dns/view.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: view.c,v 1.156 2009/09/01 00:22:26 jinmei Exp $ */
+/* $Id: view.c,v 1.157 2009/10/27 22:46:13 each Exp $ */
 
 /*! \file */
 
@@ -97,7 +97,7 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
 		goto cleanup_mutex;
 	}
 #endif
-	view->secroots = NULL;
+	view->secroots_priv = NULL;
 	view->fwdtable = NULL;
 	result = dns_fwdtable_create(mctx, &view->fwdtable);
 	if (result != ISC_R_SUCCESS) {
@@ -354,8 +354,8 @@ destroy(dns_view_t *view) {
 		isc_stats_detach(&view->resstats);
 	if (view->resquerystats != NULL)
 		dns_stats_detach(&view->resquerystats);
-	if (view->secroots != NULL)
+	if (view->secroots_priv != NULL)
-		dns_keytable_detach(&view->secroots);
+		dns_keytable_detach(&view->secroots_priv);
 	dns_fwdtable_destroy(&view->fwdtable);
 	dns_aclenv_destroy(&view->aclenv);
 	DESTROYLOCK(&view->lock);
@@ -1531,3 +1531,29 @@ dns_view_getresquerystats(dns_view_t *view, dns_stats_t **statsp) {
 	if (view->resquerystats != NULL)
 		dns_stats_attach(view->resquerystats, statsp);
 }
+
+isc_result_t
+dns_view_initsecroots(dns_view_t *view, isc_mem_t *mctx) {
+	REQUIRE(DNS_VIEW_VALID(view));
+	if (view->secroots_priv != NULL)
+		dns_keytable_detach(&view->secroots_priv);
+	return (dns_keytable_create(mctx, &view->secroots_priv));
+}
+
+isc_result_t
+dns_view_getsecroots(dns_view_t *view, dns_keytable_t **ktp) {
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(ktp != NULL && *ktp == NULL);
+	if (view->secroots_priv == NULL)
+		return (ISC_R_NOTFOUND);
+	dns_keytable_attach(view->secroots_priv, ktp);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_view_issecuredomain(dns_view_t *view, dns_name_t *name,
+			 isc_boolean_t *secure_domain) {
+	REQUIRE(DNS_VIEW_VALID(view));
+	return (dns_keytable_issecuredomain(view->secroots_priv, name,
+					    secure_domain));
+}

lib/dns/zone.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.c,v 1.521 2009/10/27 03:59:45 each Exp $ */
+/* $Id: zone.c,v 1.522 2009/10/27 22:46:13 each Exp $ */
 
 /*! \file */
 
@@ -2705,6 +2705,7 @@ trust_key(dns_viewlist_t *viewlist, dns_name_t *keyname,
 	unsigned char data[4096];
 	isc_buffer_t buffer;
 	dns_view_t *view;
+	dns_keytable_t *sr = NULL;
 
 	/* Convert dnskey to DST key. */
 	isc_buffer_init(&buffer, data, sizeof(data));
@@ -2713,15 +2714,20 @@ trust_key(dns_viewlist_t *viewlist, dns_name_t *keyname,
 
 	for (view = ISC_LIST_HEAD(*viewlist); view != NULL;
 	     view = ISC_LIST_NEXT(view, link)) {
-		if (view->secroots != NULL) {
+		dst_key_t *key = NULL;
-			dst_key_t *key = NULL;
+
-			CHECK(dns_dnssec_keyfromrdata(keyname, &rdata,
+		result = dns_view_getsecroots(view, &sr);
-						      mctx, &key));
+		if (result != ISC_R_SUCCESS)
-			CHECK(dns_keytable_add(view->secroots, ISC_TRUE, &key));
+			continue;
-		}
+
+		CHECK(dns_dnssec_keyfromrdata(keyname, &rdata, mctx, &key));
+		CHECK(dns_keytable_add(sr, ISC_TRUE, &key));
+		dns_keytable_detach(&sr);
 	}
 
   failure:
+	if (sr != NULL)
+		dns_keytable_detach(&sr);
 	return;
 }
 
@@ -2755,9 +2761,13 @@ untrust_key(dns_viewlist_t *viewlist, dns_name_t *keyname, isc_mem_t *mctx,
 
 	for (view = ISC_LIST_HEAD(*viewlist); view != NULL;
 	     view = ISC_LIST_NEXT(view, link)) {
-		if (view->secroots == NULL)
+		dns_keytable_t *sr = NULL;
+		result = dns_view_getsecroots(view, &sr);
+		if (result != ISC_R_SUCCESS)
 			continue;
-		dns_keytable_deletekeynode(view->secroots, key);
+
+		dns_keytable_deletekeynode(sr, key);
+		dns_keytable_detach(&sr);
 	}
 
 	dst_key_free(&key);
@@ -2769,13 +2779,20 @@ untrust_key(dns_viewlist_t *viewlist, dns_name_t *keyname, isc_mem_t *mctx,
  */
 static void
 fail_secure(dns_viewlist_t *viewlist, dns_name_t *keyname) {
+	isc_result_t result;
 	dns_view_t *view;
 
 	for (view = ISC_LIST_HEAD(*viewlist);
 	     view != NULL;
 	     view = ISC_LIST_NEXT(view, link)) {
-		if (view->secroots != NULL)
+		dns_keytable_t *sr = NULL;
-			dns_keytable_marksecure(view->secroots, keyname);
+
+		result = dns_view_getsecroots(view, &sr);
+		if (result != ISC_R_SUCCESS)
+			continue;
+
+		dns_keytable_marksecure(sr, keyname);
+		dns_keytable_detach(&sr);
 	}
 }
 
@@ -2801,8 +2818,14 @@ load_secroots(dns_zone_t *zone, dns_name_t *name, dns_rdataset_t *rdataset) {
 	/* For each view, delete references to this key from secroots. */
 	for (view = ISC_LIST_HEAD(*viewlist); view != NULL;
 	     view = ISC_LIST_NEXT(view, link)) {
-		if (view->secroots != NULL)
+		dns_keytable_t *sr = NULL;
-			dns_keytable_delete(view->secroots, name);
+
+		result = dns_view_getsecroots(view, &sr);
+		if (result != ISC_R_SUCCESS)
+			continue;
+
+		dns_keytable_delete(sr, name);
+		dns_keytable_detach(&sr);
 	}
 
 	/* Now insert all the accepted trust anchors from this keydata set. */
@@ -3029,7 +3052,7 @@ sync_keyzone(dns_zone_t *zone, dns_db_t *db) {
 	dns_name_t foundname, *origin;
 	dns_keynode_t *keynode = NULL;
 	dns_view_t *view = zone->view;
-	dns_keytable_t *sr = view->secroots;
+	dns_keytable_t *sr = NULL;
 	dns_dbversion_t *ver = NULL;
 	dns_diff_t diff;
 	dns_rriterator_t rrit;
@@ -3042,6 +3065,8 @@ sync_keyzone(dns_zone_t *zone, dns_db_t *db) {
 
 	dns_diff_init(zone->mctx, &diff);
 
+	CHECK(dns_view_getsecroots(view, &sr));
+
 	result = dns_db_newversion(db, &ver);
 	if (result != ISC_R_SUCCESS) {
 		dns_zone_log(zone, ISC_LOG_ERROR,
@@ -3150,6 +3175,8 @@ sync_keyzone(dns_zone_t *zone, dns_db_t *db) {
 	}
 
  failure:
+ 	if (sr != NULL)
+		dns_keytable_detach(&sr);
 	if (ver != NULL)
 		dns_db_closeversion(db, &ver, changed);
 	dns_diff_clear(&diff);
@@ -6994,7 +7021,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
 	dns_fetchevent_t *devent;
 	dns_keyfetch_t *kfetch;
 	dns_zone_t *zone;
-	dns_keytable_t *secroots;
+	dns_keytable_t *secroots = NULL;
 	dns_dbversion_t *ver = NULL;
 	dns_diff_t diff;
 	isc_boolean_t changed = ISC_FALSE;
@@ -7020,7 +7047,6 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
 
 	kfetch = event->ev_arg;
 	zone = kfetch->zone;
-	secroots = zone->view->secroots;
 	keyname = dns_fixedname_name(&kfetch->name);
 
 	devent = (dns_fetchevent_t *) event;
@@ -7037,6 +7063,9 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
 	isc_stdtime_get(&now);
 	dns_name_format(keyname, namebuf, sizeof(namebuf));
 
+	result = dns_view_getsecroots(zone->view, &secroots);
+	INSIST(result == ISC_R_SUCCESS);
+
 	LOCK_ZONE(zone);
 	dns_db_newversion(kfetch->db, &ver);
 	dns_diff_init(zone->mctx, &diff);
@@ -7431,6 +7460,9 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
 
 	dns_name_free(keyname, zone->mctx);
 	isc_mem_put(zone->mctx, kfetch, sizeof(dns_keyfetch_t));
+
+	if (secroots != NULL)
+		dns_keytable_detach(&secroots);
 }
 
 /*