
use DS-style trust anchor to verify 5011 key refresh query

note: this also needs further refactoring.

- when initializing RFC 5011 for a name, we populate the managed-keys
  zone with KEYDATA records derived from the initial-key trust anchors.

  however, with initial-ds trust anchors, there is no key. but the
  managed-keys zone still must have a KEYDATA record for the name,
  otherwise zone_refreshkeys() won't refresh that key. so, for
  initial-ds trust anchors, we now add an empty KEYDATA record and set
  the key refresh timer so that the real keys will be looked up as soon
  as possible.

- when a key refresh query is done, we verify it against the
  trust anchor; this is done in one of two ways: either with the DS RRset
  set up during configuration if present, or with the keys linked
  from each keynode in the list if not.  because there are two different
  verification methods, the loop structure is overly complex and should
  be simplified.

- the keyfetch_done() and sync_keyzone() functions are both too long
  and should be broken into smaller functions.
Evan Hunt
2019-09-17 09:09:41 -07:00
parent 854af5a353
commit a8f89e9a9f
4 changed files with 269 additions and 110 deletions


@@ -866,15 +866,22 @@ dns_keytable_totext(dns_keytable_t *keytable, isc_buffer_t **text) {
isc_result_t
dns_keytable_forall(dns_keytable_t *keytable,
void (*func)(dns_keytable_t *, dns_keynode_t *, void *),
void (*func)(dns_keytable_t *, dns_keynode_t *,
dns_name_t *, void *),
void *arg)
{
isc_result_t result;
dns_rbtnode_t *node;
dns_rbtnodechain_t chain;
dns_fixedname_t fixedfoundname, fixedorigin, fixedfullname;
dns_name_t *foundname, *origin, *fullname;
REQUIRE(VALID_KEYTABLE(keytable));
origin = dns_fixedname_initname(&fixedorigin);
fullname = dns_fixedname_initname(&fixedfullname);
foundname = dns_fixedname_initname(&fixedfoundname);
RWLOCK(&keytable->rwlock, isc_rwlocktype_read);
dns_rbtnodechain_init(&chain);
result = dns_rbtnodechain_first(&chain, keytable->table, NULL, NULL);
@@ -886,9 +893,12 @@ dns_keytable_forall(dns_keytable_t *keytable,
}
isc_refcount_increment0(&keytable->active_nodes);
for (;;) {
dns_rbtnodechain_current(&chain, NULL, NULL, &node);
dns_rbtnodechain_current(&chain, foundname, origin, &node);
if (node->data != NULL) {
(*func)(keytable, node->data, arg);
result = dns_name_concatenate(foundname, origin,
fullname, NULL);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
(*func)(keytable, node->data, fullname, arg);
}
result = dns_rbtnodechain_next(&chain, NULL, NULL);
if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
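Review bot: The `fullname` handed to the callback on the new `(*func)(keytable, node->data, fullname, arg);` line points at `fixedfullname`, a stack buffer that is rewritten by `dns_name_concatenate` on the next loop iteration and gone once `dns_keytable_forall` returns, so a callback that stores the pointer instead of copying the name will read stale or invalid memory. Nothing in the new `dns_name_t *` parameter of the callback type (first hunk) says so; I would document it there, e.g. `/* name is valid only for the duration of the call; copy it if it must outlive the callback */`. The `RUNTIME_CHECK(result == ISC_R_SUCCESS)` after the concatenation aborts the process on failure, which is presumably acceptable because a name already stored in the tree should always fit, but a one-line comment stating that assumption would help the next reader. The body of `dns_keytable_forall` continues past the end of this hunk.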