Extract check_dnskey_sigs() from check_dnskey()

Extract the part of check_dnskey() responsible for determining active algorithms in the verified zone based on the signatures at zone apex to a separate function.
2025-08-31 22:45:39 +00:00 · 2018-06-15 09:59:20 +02:00
parent d4f3b14c78
commit f06a755dd2
1 changed files with 44 additions and 24 deletions
--- a/lib/dns/zoneverify.c
+++ b/lib/dns/zoneverify.c
@@ -1213,6 +1213,47 @@ check_apex_rrsets(vctx_t *vctx) {
 	dns_db_detachnode(vctx->db, &node);
 }
 /*%
 * Update 'vctx' tables tracking active and standby key algorithms used in the
 * verified zone based on the signatures made using 'dnskey' (prepared from
 * 'rdata') found at zone apex.  Set 'vctx->goodksk' or 'vctx->goodzsk' to true
 * if 'dnskey' correctly signs the DNSKEY RRset at zone apex.
 *
 * The variables to update are chosen based on 'is_ksk', which is true when
 * 'dnskey' is a KSK and false otherwise.
 */
 static void
 check_dnskey_sigs(vctx_t *vctx, dns_rdata_dnskey_t *dnskey, dns_rdata_t *rdata,
 		  isc_boolean_t is_ksk)
 {
 	unsigned char *active_keys, *standby_keys;
 	isc_boolean_t *goodkey;
 	active_keys = (is_ksk ? vctx->ksk_algorithms : vctx->zsk_algorithms);
 	standby_keys = (is_ksk ? vctx->standby_ksk : vctx->standby_zsk);
 	goodkey = (is_ksk ? &vctx->goodksk : &vctx->goodzsk);
 	if (dns_dnssec_selfsigns(rdata, vctx->origin, &vctx->keyset,
 				 &vctx->keysigs, ISC_FALSE, vctx->mctx))
 	{
 		if (active_keys[dnskey->algorithm] != 255) {
 			active_keys[dnskey->algorithm]++;
 		}
 		*goodkey = ISC_TRUE;
 	} else if (!is_ksk &&
 		   dns_dnssec_signs(rdata, vctx->origin, &vctx->soaset,
 				    &vctx->soasigs, ISC_FALSE, vctx->mctx))
 	{
 		if (active_keys[dnskey->algorithm] != 255) {
 			active_keys[dnskey->algorithm]++;
 		}
 	} else {
 		if (standby_keys[dnskey->algorithm] != 255) {
 			standby_keys[dnskey->algorithm]++;
 		}
 	}
 }
 /*%
 * Check that the DNSKEY RR has at least one self signing KSK and one ZSK per
 * algorithm in it (or, if -x was used, one self-signing KSK).
@@ -1222,6 +1263,7 @@ check_dnskey(vctx_t *vctx) {
 	dns_rdata_t rdata = DNS_RDATA_INIT;
 	dns_rdata_dnskey_t dnskey;
 	isc_result_t result;
 	isc_boolean_t is_ksk;
 	for (result = dns_rdataset_first(&vctx->keyset);
 	     result == ISC_R_SUCCESS;
@@ -1229,6 +1271,7 @@ check_dnskey(vctx_t *vctx) {
 		dns_rdataset_current(&vctx->keyset, &rdata);
 		result = dns_rdata_tostruct(&rdata, &dnskey, NULL);
 		check_result(result, "dns_rdata_tostruct");
 		is_ksk = ISC_TF((dnskey.flags & DNS_KEYFLAG_KSK) != 0);
 		if ((dnskey.flags & DNS_KEYOWNER_ZONE) == 0)
 			;
@@ -1257,31 +1300,8 @@ check_dnskey(vctx_t *vctx) {
 			else if ((dnskey.flags & DNS_KEYFLAG_KSK) == 0 &&
 				 vctx->revoked_zsk[dnskey.algorithm] != 255)
 				vctx->revoked_zsk[dnskey.algorithm]++;
 		} else if ((dnskey.flags & DNS_KEYFLAG_KSK) != 0) {
 			if (dns_dnssec_selfsigns(&rdata, vctx->origin,
 						 &vctx->keyset, &vctx->keysigs,
 						 ISC_FALSE, vctx->mctx)) {
 				if (vctx->ksk_algorithms[dnskey.algorithm] != 255)
 					vctx->ksk_algorithms[dnskey.algorithm]++;
 				vctx->goodksk = ISC_TRUE;
 			} else {
 				if (vctx->standby_ksk[dnskey.algorithm] != 255)
 					vctx->standby_ksk[dnskey.algorithm]++;
 			}
 		} else if (dns_dnssec_selfsigns(&rdata, vctx->origin,
 						&vctx->keyset, &vctx->keysigs,
 						ISC_FALSE, vctx->mctx)) {
 			if (vctx->zsk_algorithms[dnskey.algorithm] != 255)
 				vctx->zsk_algorithms[dnskey.algorithm]++;
 			vctx->goodzsk = ISC_TRUE;
 		} else if (dns_dnssec_signs(&rdata, vctx->origin,
 					    &vctx->soaset, &vctx->soasigs,
 					    ISC_FALSE, vctx->mctx)) {
 			if (vctx->zsk_algorithms[dnskey.algorithm] != 255)
 				vctx->zsk_algorithms[dnskey.algorithm]++;
 		} else {
-			if (vctx->standby_zsk[dnskey.algorithm] != 255)
+			check_dnskey_sigs(vctx, &dnskey, &rdata, is_ksk);
 				vctx->standby_zsk[dnskey.algorithm]++;
 		}
 		dns_rdata_freestruct(&dnskey);
 		dns_rdata_reset(&rdata);