2976. [bug] named die on exit after negotiating a GSS-TSIG key. [RT #3415]

2025-08-29 13:38:26 +00:00 · 2010-12-02 23:22:42 +00:00 · 2010-12-02 23:22:42 +00:00 · c87f15dac8
commit c87f15dac8
parent 7fb319204e
15 changed files with 121 additions and 108 deletions
--- a/3
+++ b/3
@ -1,3 +1,6 @@
+2976.	[bug]		named die on exit after negotiating a GSS-TSIG key.
+			[RT #3415]
+			
 2975.	[bug]		rbtdb.c:cleanup_dead_nodes_callback() aquired the
 			wrong lock which could lead to server deadlock.
 			[RT #22614]
--- a/bin/dig/dighost.c
+++ b/bin/dig/dighost.c
@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: dighost.c,v 1.334 2010/11/16 05:38:30 marka Exp $ */
+/* $Id: dighost.c,v 1.335 2010/12/02 23:22:41 marka Exp $ */

 /*! \file
 *  \note
@ -252,7 +252,7 @@ isc_result_t	  opentmpkey(isc_mem_t *mctx, const char *file,
 			     char **tempp, FILE **fp);
 isc_result_t	  removetmpkey(isc_mem_t *mctx, const char *file);
 void		  clean_trustedkey(void);
-void		  insert_trustedkey(dst_key_t  * key);
+void		  insert_trustedkey(dst_key_t **key);
 #if DIG_SIGCHASE_BU
 isc_result_t	  getneededrr(dns_message_t *msg);
 void		  sigchase_bottom_up(dns_message_t *msg);
@ -1135,14 +1135,13 @@ setup_file_key(void) {
 		goto failure;
 	}
 	result = dns_tsigkey_createfromkey(dst_key_name(dstkey), hmacname,
-					   dstkey, ISC_FALSE, NULL, 0, 0,
+					   &dstkey, ISC_FALSE, NULL, 0, 0,
 					   mctx, NULL, &key);
 	if (result != ISC_R_SUCCESS) {
 		printf(";; Couldn't create key %s: %s\n",
 		       keynametext, isc_result_totext(result));
 		goto failure;
 	}
-	dstkey = NULL;
 failure:
 	if (dstkey != NULL)
 		dst_key_free(&dstkey);
@ -4053,14 +4052,15 @@ sigchase_scanname(dns_rdatatype_t type, dns_rdatatype_t covers,
 }

 void
-insert_trustedkey(dst_key_t * key)
+insert_trustedkey(dst_key_t **keyp)
 {
-	if (key == NULL)
+	if (*keyp == NULL)
 		return;
 	if (tk_list.nb_tk >= MAX_TRUSTED_KEY)
 		return;

-	tk_list.key[tk_list.nb_tk++] = key;
+	tk_list.key[tk_list.nb_tk++] = *keyp;
+	*keyp = NULL;
 	return;
 }

@ -4234,11 +4234,12 @@ get_trusted_key(isc_mem_t *mctx)
 			fclose(fp);
 			return (ISC_R_FAILURE);
 		}
-		insert_trustedkey(key);
 #if 0
 		dst_key_tofile(key, DST_TYPE_PUBLIC,"/tmp");
 #endif
-		key = NULL;
+		insert_trustedkey(&key);
+		if (key != NULL)
+			dst_key_free(&key);
 	}
 	return (ISC_R_SUCCESS);
 }
--- a/bin/named/server.c
+++ b/bin/named/server.c
@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: server.c,v 1.586 2010/11/16 01:37:36 sar Exp $ */
+/* $Id: server.c,v 1.587 2010/12/02 23:22:41 marka Exp $ */

 /*! \file */

@ -634,6 +634,8 @@ load_view_keys(const cfg_obj_t *keys, const cfg_obj_t *vconfig,
 	}

 cleanup:
+	if (dstkey != NULL)
+		dst_key_free(&dstkey);
 	if (secroots != NULL)
 		dns_keytable_detach(&secroots);
 	if (result == DST_R_NOCRYPTO)
@ -3565,10 +3567,9 @@ generate_session_key(const char *filename, const char *keynamestr,

 	/* Store the key in tsigkey. */
 	isc_stdtime_get(&now);
-	CHECK(dns_tsigkey_createfromkey(dst_key_name(key), algname, key,
+	CHECK(dns_tsigkey_createfromkey(dst_key_name(key), algname, &key,
 					ISC_FALSE, NULL, now, now, mctx, NULL,
 					&tsigkey));
-	key = NULL;		/* ownership of key has been transferred */

 	/* Dump the key to the key file. */
 	fp = ns_os_openfile(filename, S_IRUSR|S_IWUSR, ISC_TRUE);
--- a/bin/nsupdate/nsupdate.c
+++ b/bin/nsupdate/nsupdate.c
@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: nsupdate.c,v 1.182 2010/08/10 23:48:19 tbox Exp $ */
+/* $Id: nsupdate.c,v 1.183 2010/12/02 23:22:41 marka Exp $ */

 /*! \file */

@ -682,7 +682,7 @@ setup_keyfile(isc_mem_t *mctx, isc_log_t *lctx) {
 	}
 	if (hmacname != NULL) {
 		result = dns_tsigkey_createfromkey(dst_key_name(dstkey),
-						   hmacname, dstkey, ISC_FALSE,
+						   hmacname, &dstkey, ISC_FALSE,
 						   NULL, 0, 0, mctx, NULL,
 						   &tsigkey);
 		if (result != ISC_R_SUCCESS) {
--- a/bin/tests/system/allow_query/tests.sh
+++ b/bin/tests/system/allow_query/tests.sh
@ -14,7 +14,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.

-# $Id: tests.sh,v 1.2 2010/11/16 01:37:37 sar Exp $
+# $Id: tests.sh,v 1.3 2010/12/02 23:22:41 marka Exp $

 # Test of allow-query statement.
 # allow-query takes an address match list and can be included in either the
@ -68,7 +68,7 @@ n=0
 n=`expr $n + 1`
 echo "I:test $n: default - query allowed"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
@ -82,7 +82,7 @@ sleep 5

 echo "I:test $n: explicit any - query allowed"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
@ -96,7 +96,7 @@ sleep 5

 echo "I:test $n: none - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
@ -110,7 +110,7 @@ sleep 5

 echo "I:test $n: address allowed - query allowed"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
@ -124,7 +124,7 @@ sleep 5

 echo "I:test $n: address not allowed - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
@ -138,7 +138,7 @@ sleep 5

 echo "I:test $n: address disallowed - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
@ -152,7 +152,7 @@ sleep 5

 echo "I:test $n: acl allowed - query allowed"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
@ -166,7 +166,7 @@ sleep 5

 echo "I:test $n: acl not allowed - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
@ -181,7 +181,7 @@ sleep 5

 echo "I:test $n: acl disallowed - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
@ -195,7 +195,7 @@ sleep 5

 echo "I:test $n: key allowed - query allowed"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
@ -209,7 +209,7 @@ sleep 5

 echo "I:test $n: key not allowed - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
@ -223,7 +223,7 @@ sleep 5

 echo "I:test $n: key disallowed - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
@ -240,7 +240,7 @@ sleep 5

 echo "I:test $n: views default - query allowed"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
@ -254,7 +254,7 @@ sleep 5

 echo "I:test $n: views explicit any - query allowed"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
@ -268,7 +268,7 @@ sleep 5

 echo "I:test $n: views none - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
@ -282,7 +282,7 @@ sleep 5

 echo "I:test $n: views address allowed - query allowed"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
@ -296,7 +296,7 @@ sleep 5

 echo "I:test $n: views address not allowed - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
@ -310,7 +310,7 @@ sleep 5

 echo "I:test $n: views address disallowed - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
@ -324,7 +324,7 @@ sleep 5

 echo "I:test $n: views acl allowed - query allowed"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
@ -338,7 +338,7 @@ sleep 5

 echo "I:test $n: views acl not allowed - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
@ -352,7 +352,7 @@ sleep 5

 echo "I:test $n: views acl disallowed - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
@ -366,7 +366,7 @@ sleep 5

 echo "I:test $n: views key allowed - query allowed"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
@ -380,7 +380,7 @@ sleep 5

 echo "I:test $n: views key not allowed - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
@ -394,7 +394,7 @@ sleep 5

 echo "I:test $n: views key disallowed - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
@ -408,7 +408,7 @@ sleep 5

 echo "I:test $n: views over options, views allow - query allowed"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
@ -422,7 +422,7 @@ sleep 5

 echo "I:test $n: views over options, views disallow - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
@ -440,7 +440,7 @@ sleep 5

 echo "I:test $n: zone default - query allowed"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
@ -450,7 +450,7 @@ status=`expr $status + $ret`
 n=`expr $n + 1`
 echo "I:test $n: zone explicit any - query allowed"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 a.any.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.any.example a > dig.out.ns2.$n || ret=1
 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.any.example' dig.out.ns2.$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
@ -460,7 +460,7 @@ status=`expr $status + $ret`
 n=`expr $n + 1`
 echo "I:test $n: zone none - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 a.none.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.none.example a > dig.out.ns2.$n || ret=1
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.none.example' dig.out.ns2.$n > /dev/null && ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
@ -470,7 +470,7 @@ status=`expr $status + $ret`
 n=`expr $n + 1`
 echo "I:test $n: zone address allowed - query allowed"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 a.addrallow.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.addrallow.example a > dig.out.ns2.$n || ret=1
 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.addrallow.example' dig.out.ns2.$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
@ -480,7 +480,7 @@ status=`expr $status + $ret`
 n=`expr $n + 1`
 echo "I:test $n: zone address not allowed - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 a.addrnotallow.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.addrnotallow.example a > dig.out.ns2.$n || ret=1
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.addrnotallow.example' dig.out.ns2.$n > /dev/null && ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
@ -490,7 +490,7 @@ status=`expr $status + $ret`
 n=`expr $n + 1`
 echo "I:test $n: zone address disallowed - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 a.addrdisallow.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.addrdisallow.example a > dig.out.ns2.$n || ret=1
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.addrdisallow.example' dig.out.ns2.$n > /dev/null && ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
@ -500,7 +500,7 @@ status=`expr $status + $ret`
 n=`expr $n + 1`
 echo "I:test $n: zone acl allowed - query allowed"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 a.aclallow.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.aclallow.example a > dig.out.ns2.$n || ret=1
 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.aclallow.example' dig.out.ns2.$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
@ -510,7 +510,7 @@ status=`expr $status + $ret`
 n=`expr $n + 1`
 echo "I:test $n: zone acl not allowed - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 a.aclnotallow.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.aclnotallow.example a > dig.out.ns2.$n || ret=1
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.aclnotallow.example' dig.out.ns2.$n > /dev/null && ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
@ -520,7 +520,7 @@ status=`expr $status + $ret`
 n=`expr $n + 1`
 echo "I:test $n: zone acl disallowed - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 a.acldisallow.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.acldisallow.example a > dig.out.ns2.$n || ret=1
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.acldisallow.example' dig.out.ns2.$n > /dev/null && ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
@ -530,7 +530,7 @@ status=`expr $status + $ret`
 n=`expr $n + 1`
 echo "I:test $n: zone key allowed - query allowed"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -y one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
@ -540,7 +540,7 @@ status=`expr $status + $ret`
 n=`expr $n + 1`
 echo "I:test $n: zone key not allowed - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -y two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null && ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
@ -550,7 +550,7 @@ status=`expr $status + $ret`
 n=`expr $n + 1`
 echo "I:test $n: zone key disallowed - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 -y one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
@ -564,7 +564,7 @@ sleep 5

 echo "I:test $n: views over options, views allow - query allowed"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
@ -578,7 +578,7 @@ sleep 5

 echo "I:test $n: views over options, views disallow - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
@ -592,7 +592,7 @@ sleep 5

 echo "I:test $n: zones over views, views allow - query allowed"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
@ -606,7 +606,7 @@ sleep 5

 echo "I:test $n: zones over views, views disallow - query refused"
 ret=0
-$DIG $DIGOPTS @10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret=1
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
--- a/bin/tests/system/tkey/keydelete.c
+++ b/bin/tests/system/tkey/keydelete.c
@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: keydelete.c,v 1.13 2009/07/19 23:47:55 tbox Exp $ */
+/* $Id: keydelete.c,v 1.14 2010/12/02 23:22:41 marka Exp $ */

 #include <config.h>

@ -230,7 +230,7 @@ main(int argc, char **argv) {
 	CHECK("dst_key_fromnamedfile", result);
 	result = dns_tsigkey_createfromkey(dst_key_name(dstkey),
 					   DNS_TSIG_HMACMD5_NAME,
-					   dstkey, ISC_TRUE, NULL, 0, 0,
+					   &dstkey, ISC_TRUE, NULL, 0, 0,
 					   mctx, ring, &tsigkey);
 	CHECK("dns_tsigkey_createfromkey", result);

--- a/lib/dns/client.c
+++ b/lib/dns/client.c
@ -14,7 +14,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: client.c,v 1.10 2010/05/19 07:09:25 marka Exp $ */
+/* $Id: client.c,v 1.11 2010/12/02 23:22:41 marka Exp $ */

 #include <config.h>

@ -1424,6 +1424,8 @@ dns_client_addtrustedkey(dns_client_t *client, dns_rdataclass_t rdclass,
 	result = dns_keytable_add(secroots, ISC_FALSE, &dstkey);

 cleanup:
+	if (dstkey != NULL)
+		dns_key_free(&dstkey);
 	if (view != NULL)
 		dns_view_detach(&view);
 	if (secroots != NULL)
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@ -31,7 +31,7 @@

 /*
 * Principal Author: Brian Wellington
- * $Id: dst_api.c,v 1.51 2010/05/13 03:08:30 marka Exp $
+ * $Id: dst_api.c,v 1.52 2010/12/02 23:22:42 marka Exp $
 */

 /*! \file */
@ -544,6 +544,7 @@ dst_key_fromnamedfile(const char *filename, const char *dirname,

 	*keyp = key;
 	return (ISC_R_SUCCESS);
+
 out:
 	if (pubkey != NULL)
 		dst_key_free(&pubkey);
--- a/lib/dns/include/dns/tsec.h
+++ b/lib/dns/include/dns/tsec.h
@ -14,7 +14,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: tsec.h,v 1.3 2009/09/02 23:48:02 tbox Exp $ */
+/* $Id: tsec.h,v 1.4 2010/12/02 23:22:42 marka Exp $ */

 #ifndef DNS_TSEC_H
 #define DNS_TSEC_H 1
@ -65,7 +65,7 @@ typedef enum {
 } dns_tsectype_t;

 isc_result_t
-dns_tsec_create(isc_mem_t *mctx, dns_tsectype_t type, dst_key_t *key,
+dns_tsec_create(isc_mem_t *mctx, dns_tsectype_t type, dst_key_t **keyp,
 		dns_tsec_t **tsecp);
 /*%<
 * Create a TSEC structure and stores a type-dependent key structure in it.
--- a/lib/dns/include/dns/tsig.h
+++ b/lib/dns/include/dns/tsig.h
@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: tsig.h,v 1.55 2010/07/09 23:46:51 tbox Exp $ */
+/* $Id: tsig.h,v 1.56 2010/12/02 23:22:42 marka Exp $ */

 #ifndef DNS_TSIG_H
 #define DNS_TSIG_H 1
@ -103,7 +103,7 @@ dns_tsigkey_create(dns_name_t *name, dns_name_t *algorithm,

 isc_result_t
 dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm,
-			  dst_key_t *dstkey, isc_boolean_t generated,
+			  dst_key_t **dstkeyp, isc_boolean_t generated,
 			  dns_name_t *creator, isc_stdtime_t inception,
 			  isc_stdtime_t expire, isc_mem_t *mctx,
 			  dns_tsig_keyring_t *ring, dns_tsigkey_t **key);
--- a/lib/dns/tkey.c
+++ b/lib/dns/tkey.c
@ -16,7 +16,7 @@
 */

 /*
- * $Id: tkey.c,v 1.94 2010/07/09 23:46:51 tbox Exp $
+ * $Id: tkey.c,v 1.95 2010/12/02 23:22:42 marka Exp $
 */
 /*! \file */
 #include <config.h>
@ -417,10 +417,9 @@ process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
 }

 static isc_result_t
-process_gsstkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
-		dns_rdata_tkey_t *tkeyin, dns_tkeyctx_t *tctx,
-		dns_rdata_tkey_t *tkeyout,
-		dns_tsig_keyring_t *ring, dns_namelist_t *namelist)
+process_gsstkey(dns_name_t *name, dns_rdata_tkey_t *tkeyin,
+		dns_tkeyctx_t *tctx, dns_rdata_tkey_t *tkeyout,
+		dns_tsig_keyring_t *ring)
 {
 	isc_result_t result = ISC_R_SUCCESS;
 	dst_key_t *dstkey = NULL;
@ -431,9 +430,6 @@ process_gsstkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
 	isc_buffer_t *outtoken = NULL;
 	gss_ctx_id_t gss_ctx = NULL;

-	UNUSED(namelist);
-	UNUSED(signer);
-
 	if (tctx->gsscred == NULL)
 		return (ISC_R_NOPERM);

@ -483,7 +479,7 @@ process_gsstkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
 #endif
 		isc_uint32_t expire;

-		RETERR(dst_key_fromgssapi(name, gss_ctx, msg->mctx, &dstkey));
+		RETERR(dst_key_fromgssapi(name, gss_ctx, ring->mctx, &dstkey));
 		/*
 		 * Limit keys to 1 hour or the context's lifetime whichever
 		 * is smaller.
@ -495,7 +491,7 @@ process_gsstkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
 			expire = now + lifetime;
 #endif
 		RETERR(dns_tsigkey_createfromkey(name, &tkeyin->algorithm,
-						 dstkey, ISC_TRUE,
+						 &dstkey, ISC_TRUE,
 						 dns_fixedname_name(&principal),
 						 now, expire, ring->mctx, ring,
 						 NULL));
@ -551,19 +547,14 @@ failure:
 }

 static isc_result_t
-process_deletetkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
-		   dns_rdata_tkey_t *tkeyin,
-		   dns_rdata_tkey_t *tkeyout,
-		   dns_tsig_keyring_t *ring,
-		   dns_namelist_t *namelist)
+process_deletetkey(dns_name_t *signer, dns_name_t *name,
+		   dns_rdata_tkey_t *tkeyin, dns_rdata_tkey_t *tkeyout,
+		   dns_tsig_keyring_t *ring)
 {
 	isc_result_t result;
 	dns_tsigkey_t *tsigkey = NULL;
 	dns_name_t *identity;

-	UNUSED(msg);
-	UNUSED(namelist);
-
 	result = dns_tsigkey_find(&tsigkey, name, &tkeyin->algorithm, ring);
 	if (result != ISC_R_SUCCESS) {
 		tkeyout->error = dns_tsigerror_badname;
@ -780,16 +771,13 @@ dns_tkey_processquery(dns_message_t *msg, dns_tkeyctx_t *tctx,
 			break;
 		case DNS_TKEYMODE_GSSAPI:
 			tkeyout.error = dns_rcode_noerror;
-			RETERR(process_gsstkey(msg, signer, keyname, &tkeyin,
-					       tctx, &tkeyout, ring,
-					       &namelist));
-
+			RETERR(process_gsstkey(keyname, &tkeyin, tctx,
+					       &tkeyout, ring));
 			break;
 		case DNS_TKEYMODE_DELETE:
 			tkeyout.error = dns_rcode_noerror;
-			RETERR(process_deletetkey(msg, signer, keyname,
-						  &tkeyin, &tkeyout,
-						  ring, &namelist));
+			RETERR(process_deletetkey(signer, keyname, &tkeyin,
+						  &tkeyout, ring));
 			break;
 		case DNS_TKEYMODE_SERVERASSIGNED:
 		case DNS_TKEYMODE_RESOLVERASSIGNED:
@ -1280,15 +1268,13 @@ dns_tkey_processgssresponse(dns_message_t *qmsg, dns_message_t *rmsg,
 	isc_buffer_init(&intoken, rtkey.key, rtkey.keylen);
 	RETERR(dst_gssapi_initctx(gname, &intoken, outtoken, context));

-	dstkey = NULL;
 	RETERR(dst_key_fromgssapi(dns_rootname, *context, rmsg->mctx,
 				  &dstkey));

 	RETERR(dns_tsigkey_createfromkey(tkeyname, DNS_TSIG_GSSAPI_NAME,
-					 dstkey, ISC_FALSE, NULL,
+					 &dstkey, ISC_FALSE, NULL,
 					 rtkey.inception, rtkey.expire,
 					 ring->mctx, ring, outkey));
-
 	dns_rdata_freestruct(&rtkey);
 	return (result);

@ -1296,6 +1282,8 @@ dns_tkey_processgssresponse(dns_message_t *qmsg, dns_message_t *rmsg,
 	/*
 	 * XXXSRA This probably leaks memory from rtkey and qtkey.
 	 */
+	if (dstkey != NULL)
+		dst_key_free(&dstkey);
 	return (result);
 }

@ -1406,7 +1394,6 @@ dns_tkey_gssnegotiate(dns_message_t *qmsg, dns_message_t *rmsg,
 	if (result != DNS_R_CONTINUE && result != ISC_R_SUCCESS)
 		return (result);

-	dstkey = NULL;
 	RETERR(dst_key_fromgssapi(dns_rootname, *context, rmsg->mctx,
 				  &dstkey));

@ -1420,10 +1407,9 @@ dns_tkey_gssnegotiate(dns_message_t *qmsg, dns_message_t *rmsg,
 					 (win2k
 					  ? DNS_TSIG_GSSAPIMS_NAME
 					  : DNS_TSIG_GSSAPI_NAME),
-					 dstkey, ISC_TRUE, NULL,
+					 &dstkey, ISC_TRUE, NULL,
 					 rtkey.inception, rtkey.expire,
 					 ring->mctx, ring, outkey));
-
 	dns_rdata_freestruct(&rtkey);
 	return (result);

@ -1432,5 +1418,7 @@ dns_tkey_gssnegotiate(dns_message_t *qmsg, dns_message_t *rmsg,
 	 * XXXSRA This probably leaks memory from qtkey.
 	 */
 	dns_rdata_freestruct(&rtkey);
+	if (dstkey != NULL)
+		dst_key_free(&dstkey);
 	return (result);
 }
--- a/lib/dns/tsec.c
+++ b/lib/dns/tsec.c
@ -14,7 +14,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: tsec.c,v 1.4 2009/09/02 23:48:02 tbox Exp $ */
+/* $Id: tsec.c,v 1.5 2010/12/02 23:22:42 marka Exp $ */

 #include <config.h>

@ -44,14 +44,16 @@ struct dns_tsec {
 };

 isc_result_t
-dns_tsec_create(isc_mem_t *mctx, dns_tsectype_t type, dst_key_t *key,
+dns_tsec_create(isc_mem_t *mctx, dns_tsectype_t type, dst_key_t **keyp,
 		dns_tsec_t **tsecp)
 {
 	isc_result_t result;
 	dns_tsec_t *tsec;
 	dns_tsigkey_t *tsigkey = NULL;
 	dns_name_t *algname;
+	dst_key_t *key;

+	REQUIRE(keyp != NULL && *keyp != NULL);
 	REQUIRE(mctx != NULL);
 	REQUIRE(tsecp != NULL && *tsecp == NULL);

@ -59,6 +61,8 @@ dns_tsec_create(isc_mem_t *mctx, dns_tsectype_t type, dst_key_t *key,
 	if (tsec == NULL)
 		return (ISC_R_NOMEMORY);

+	key = *keyp;
+
 	tsec->type = type;
 	tsec->mctx = mctx;

@ -88,7 +92,7 @@ dns_tsec_create(isc_mem_t *mctx, dns_tsectype_t type, dst_key_t *key,
 			return (DNS_R_BADALG);
 		}
 		result = dns_tsigkey_createfromkey(dst_key_name(key),
-						   algname, key, ISC_FALSE,
+						   algname, keyp, ISC_FALSE,
 						   NULL, 0, 0, mctx, NULL,
 						   &tsigkey);
 		if (result != ISC_R_SUCCESS) {
@ -99,6 +103,7 @@ dns_tsec_create(isc_mem_t *mctx, dns_tsectype_t type, dst_key_t *key,
 		break;
 	case dns_tsectype_sig0:
 		tsec->ukey.key = key;
+		*keyp = NULL;
 		break;
 	default:
 		INSIST(0);
@ -107,7 +112,7 @@ dns_tsec_create(isc_mem_t *mctx, dns_tsectype_t type, dst_key_t *key,
 	tsec->magic = DNS_TSEC_MAGIC;

 	*tsecp = tsec;
-
+	ENSURE(*keyp == NULL);
 	return (ISC_R_SUCCESS);
 }

--- a/lib/dns/tsig.c
+++ b/lib/dns/tsig.c
@ -16,7 +16,7 @@
 */

 /*
- * $Id: tsig.c,v 1.141 2010/07/09 05:13:15 each Exp $
+ * $Id: tsig.c,v 1.142 2010/12/02 23:22:42 marka Exp $
 */
 /*! \file */
 #include <config.h>
@ -287,7 +287,7 @@ keyring_add(dns_tsig_keyring_t *ring, dns_name_t *name,

 isc_result_t
 dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm,
-			  dst_key_t *dstkey, isc_boolean_t generated,
+			  dst_key_t **dstkeyp, isc_boolean_t generated,
 			  dns_name_t *creator, isc_stdtime_t inception,
 			  isc_stdtime_t expire, isc_mem_t *mctx,
 			  dns_tsig_keyring_t *ring, dns_tsigkey_t **key)
@ -295,6 +295,7 @@ dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm,
 	dns_tsigkey_t *tkey;
 	isc_result_t ret;
 	unsigned int refs = 0;
+	dst_key_t *dstkey;

 	REQUIRE(key == NULL || *key == NULL);
 	REQUIRE(name != NULL);
@ -302,6 +303,10 @@ dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm,
 	REQUIRE(mctx != NULL);
 	REQUIRE(key != NULL || ring != NULL);

+	if (dstkeyp != NULL)
+		dstkey = *dstkeyp;
+	else
+		dstkey = NULL;
 	tkey = (dns_tsigkey_t *) isc_mem_get(mctx, sizeof(dns_tsigkey_t));
 	if (tkey == NULL)
 		return (ISC_R_NOMEMORY);
@ -436,6 +441,8 @@ dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm,
 			      namestr);
 	}

+	if (dstkeyp != NULL)
+		*dstkeyp = NULL;
 	if (key != NULL)
 		*key = tkey;

@ -623,7 +630,7 @@ dns_tsigkey_create(dns_name_t *name, dns_name_t *algorithm,
 	} else if (length > 0)
 		return (DNS_R_BADALG);

-	result = dns_tsigkey_createfromkey(name, algorithm, dstkey,
+	result = dns_tsigkey_createfromkey(name, algorithm, &dstkey,
 					   generated, creator,
 					   inception, expire, mctx, ring, key);
 	if (result != ISC_R_SUCCESS && dstkey != NULL)
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: zone.c,v 1.576 2010/11/30 23:46:55 tbox Exp $ */
+/* $Id: zone.c,v 1.577 2010/12/02 23:22:42 marka Exp $ */

 /*! \file */

@ -2831,6 +2831,7 @@ trust_key(dns_viewlist_t *viewlist, dns_name_t *keyname,
 	isc_buffer_t buffer;
 	dns_view_t *view;
 	dns_keytable_t *sr = NULL;
+	dst_key_t *dstkey = NULL;

 	/* Convert dnskey to DST key. */
 	isc_buffer_init(&buffer, data, sizeof(data));
@ -2839,18 +2840,19 @@ trust_key(dns_viewlist_t *viewlist, dns_name_t *keyname,

 	for (view = ISC_LIST_HEAD(*viewlist); view != NULL;
 	     view = ISC_LIST_NEXT(view, link)) {
-		dst_key_t *key = NULL;

 		result = dns_view_getsecroots(view, &sr);
 		if (result != ISC_R_SUCCESS)
 			continue;

-		CHECK(dns_dnssec_keyfromrdata(keyname, &rdata, mctx, &key));
-		CHECK(dns_keytable_add(sr, ISC_TRUE, &key));
+		CHECK(dns_dnssec_keyfromrdata(keyname, &rdata, mctx, &dstkey));
+		CHECK(dns_keytable_add(sr, ISC_TRUE, &dstkey));
 		dns_keytable_detach(&sr);
 	}

  failure:
+	if (dstkey != NULL)
+		dst_key_free(&dstkey);
 	if (sr != NULL)
 		dns_keytable_detach(&sr);
 	return;
@ -3235,6 +3237,7 @@ sync_keyzone(dns_zone_t *zone, dns_db_t *db) {
 			dns_fixedname_t fname;
 			dns_name_t *keyname;
 			dst_key_t *key;
+
 			key = dns_keynode_key(keynode);
 			dns_fixedname_init(&fname);

@ -4450,6 +4453,7 @@ find_zone_keys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
 	isc_result_t result;
 	dns_dbnode_t *node = NULL;
 	const char *directory = dns_zone_getkeydirectory(zone);
+
 	CHECK(dns_db_findnode(db, dns_db_origin(db), ISC_FALSE, &node));
 	result = dns_dnssec_findzonekeys2(db, ver, node, dns_db_origin(db),
 					  directory, mctx, maxkeys, keys,
--- a/lib/export/samples/sample-update.c
+++ b/lib/export/samples/sample-update.c
@ -14,7 +14,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: sample-update.c,v 1.5 2009/09/29 15:06:07 fdupont Exp $ */
+/* $Id: sample-update.c,v 1.6 2010/12/02 23:22:42 marka Exp $ */

 #include <config.h>

@ -747,6 +747,7 @@ setup_tsec(char *keyfile, isc_mem_t *mctx) {

 	result = dns_tsec_create(mctx, tsectype, dstkey, &tsec);
 	if (result != ISC_R_SUCCESS) {
+		dns_key_free(&dstkey);
 		fprintf(stderr, "could not create tsec: %s\n",
 			isc_result_totext(result));
 		exit(1);