Since BIND libraries are no longer considered public and
dns_rdataslab_tordataset() is not used anywhere in the tree, remove the
latter and its associated dns_rdatasetmethods_t callbacks from
lib/dns/rdataslab.c.
If transferring or loading a mirror zone fails, resolution should still
succeed by means of falling back to regular recursive queries.
Currently, though, if a slave zone is present in the zone table and not
loaded, a SERVFAIL response is generated. Thus, mirror zones need
special handling in this regard.
Add a new dns_zt_find() flag, DNS_ZTFIND_MIRROR, and set it every time a
domain name is looked up rather than a zone itself. Handle that flag in
dns_zt_find() in such a way that a mirror zone which is expired or not
yet loaded is ignored when looking up domain names, but still possible
to find when the caller wants to know whether the zone is configured.
This causes a fallback to recursion when mirror zone data is unavailable
without making unloaded mirror zones invisible to code checking a zone's
existence.
Zone RRsets are assigned trust level "ultimate" upon load, which causes
the AD bit to not be set in responses coming from slave zones, including
mirror zones. Make dns_zoneverify_dnssec() update the trust level of
verified RRsets to "secure" so that the AD bit is set in such responses.
No rollback mechanism is implemented as dns_zoneverify_dnssec() fails in
case of any DNSSEC failure, which causes the mirror zone version being
verified to be discarded.
Update axfr_commit() so that all incoming versions of a mirror zone
transferred using AXFR are verified before being used. If zone
verification fails, discard the received version of the zone, wait until
the next refresh and retry.
Add a function for determining whether the supplied version of a mirror
zone passes DNSSEC validation and is signed using a trusted key. Define
a new libdns result signifying a zone verification failure.
Extend check_dnskey_sigs() so that, if requested, it checks whether the
DNSKEY RRset at zone apex is signed by at least one trust anchor. The
trust anchor table is passed as an argument to dns_zoneverify_dnssec()
and passed around in the verification context structure. Neither
dnssec-signzone nor dnssec-verify are yet modified to make use of that
feature, though.
Add a new slave-only boolean configuration option, "mirror", along with
its corresponding dns_zoneopt_t enum and a helper function for checking
whether that option was set for a given zone. This commit does not
introduce any behavior changes yet.
Since exit() is no longer called upon any dns_zoneverify_dnssec() error,
verification failures should be signalled to callers. Make
dns_zoneverify_dnssec() return an isc_result_t and handle both success
and error appropriately in bin/dnssec/dnssec-signzone.c and
bin/dnssec/dnssec-verify.c. This enables memory leak detection during
shutdown of these tools and causes dnssec-signzone to print signing
statistics even when zone verification fails.
record_found() returns an isc_result_t, but its value is not checked.
Modify the only call site of record_found() so that its errors are
properly handled.
Replace the fprintf() call inside record_nsec3() with a
zoneverify_log_error() call. Remove the "mctx" argument of
record_nsec3() as it can be extracted from "vctx".
Modify one of the record_nsec3() call sites so that its errors are
properly handled.
Make match_nsec3() return the verification result through a separate
pointer, thus making it possible to signal errors using function
return value. Replace all check_result() and fprintf() calls inside
match_nsec3() with zoneverify_log_error() calls and error handling code.
Modify all call sites of match_nsec3() so that its errors are properly
handled.
Replace all check_result() calls inside isoptout() with
zoneverify_log_error() calls and error handling code. Enable isoptout()
to signal errors to the caller using its return value.
Modify the call site of isoptout() so that its errors are properly
handled.
Make verifynsec3(), verifynsec3s(), and verifyemptynodes() return the
verification result through a separate pointer, thus making it possible
to signal errors using function return values. Replace all
check_result() and fprintf() calls inside these functions with
zoneverify_log_error() calls and error handling code.
Modify all call sites of verifynsec3(), verifynsec3s(), and
verifyemptynodes() so that their errors are properly handled.
Make verifynsec() return the verification result through a separate
pointer, thus making it possible to signal errors using function
return value. Replace all check_result() and fprintf() calls inside
verifynsec() with zoneverify_log_error() calls and error handling code.
Modify the call site of verifynsec() so that its errors are properly
handled.
Rename "tresult" to "tvresult" in order to improve variable naming
consistency between functions.
Replace all check_result() and fprintf() calls inside check_no_rrsig()
with zoneverify_log_error() calls and error handling code. Enable
check_no_rrsig() to signal errors to the caller using its return
value.
Modify the call site of check_no_rrsig() so that its errors are properly
handled.
Define buffer size using a named constant rather than a plain integer.
Replace all check_result() and fprintf() calls inside verifyset() with
zoneverify_log_error() calls and error handling code. Enable
verifyset() to signal errors to the caller using its return value.
Modify the call site of verifyset() so that its errors are properly
handled.
Define buffer sizes using named constants rather than plain integers.
Make verifynode() return the verification result through a separate
pointer, thus making it possible to signal errors using function
return value. Replace all fatal() and check_result() calls inside
verifynode() with zoneverify_log_error() calls and error handling code.
Add a REQUIRE assertion to emphasize verifynode() may be called with
some of its arguments set to NULL.
Modify all call sites of verifynode() so that its errors are properly
handled.
Replace the check_result() call inside is_empty() with a
zoneverify_log_error() call and error handling code. Enable is_empty()
to signal errors to the caller using its return value.
Modify the call site of is_empty() so that its errors are properly
handled.
Replace the fatal() call inside check_no_nsec() with a
zoneverify_log_error() call. Enable check_no_nsec() to signal errors to
the caller using its return value.
Modify all call sites of check_no_nsec() so that its errors are properly
handled.
Replace all fatal(), check_result(), and check_dns_dbiterator_current()
calls inside verify_nodes() with zoneverify_log_error() calls and error
handling code. Enable verify_nodes() to signal errors to the caller
using its return value.
Modify the call site of verify_nodes() so that its errors are properly
handled.
Free all heap elements upon verification context cleanup as a
verification error may prevent them from being freed elsewhere.
Remove the check_dns_dbiterator_current() macro as it is no longer used
anywhere in lib/dns/zoneverify.c.
Replace all fatal() and fprintf() calls inside check_bad_algorithms()
with zoneverify_print() calls and error handling code. Enable
check_bad_algorithms() to signal errors to the caller using its return
value.
Modify the call site of check_bad_algorithms() so that its errors are
properly handled.
Replace all fatal() and check_result() calls inside check_dnskey() with
zoneverify_log_error() calls and error handling code. Enable
check_dnskey() to signal errors to the caller using its return value.
Modify the call site of check_dnskey() so that its errors are properly
handled.
Replace all fatal() calls inside check_apex_rrsets() with
zoneverify_log_error() calls and error handling code. Enable
check_apex_rrsets() to signal errors to the caller using its return
value.
Modify the call site of check_apex_rrsets() so that its errors are
properly handled.
Replace calls to check_result() with RUNTIME_CHECK assertions for all
dns_rdata_tostruct() calls in lib/dns/zoneverify.c as this function
cannot fail when the "mctx" argument is NULL (and that is the case for
all call sites of this function throughout lib/dns/zoneverify.c).
Extract the part of dns_zoneverify_dnssec() responsible for checking
whether the zone is fully signed using all active algorithms to a
separate function.
Extract the part of dns_zoneverify_dnssec() responsible for verifying
DNSSEC signatures against the DNSKEY RRset at zone apex and checking
consistency of NSEC/NSEC3 chains to a separate function.
Extract the part of dns_zoneverify_dnssec() responsible for determining
and printing a list of DNSSEC algorithms active in the verified zone to
a separate function.
Extract the part of check_dnskey() responsible for determining active
algorithms in the verified zone based on the signatures at zone apex to
a separate function.
Extract the part of dns_zoneverify_dnssec() responsible for fetching and
preliminarily checking DNSKEY, SOA, NSEC, and NSEC3PARAM RRsets from
zone apex to a separate function.
These functions will be used in the process of replacing fatal(),
check_result(), and fprintf() calls throughout lib/dns/zoneverify.c with
code that does not call exit(). They are intended for:
- zoneverify_log_error(): logging problems encountered while
performing zone verification,
- zoneverify_print(): printing status messages and reports which are
only useful in standalone tools.
To make using dns_zone_logv() possible, add a new "zone" argument to
dns_zoneverify_dnssec() that standalone tools are expected to set to
NULL.
Tables representing algorithm use in the verified zone are commonly
accessed throughout dns_zoneverify_dnssec(). Move them into the
structure representing a verification context. While this does not
really simplify currently existing code, it will facilitate passing data
around between smaller functions that dns_zoneverify_dnssec() is about
to get split into.
