summaryrefslogtreecommitdiffstats
path: root/bin/dnssec/dnssec-signzone.c
diff options
context:
space:
mode:
Diffstat (limited to 'bin/dnssec/dnssec-signzone.c')
-rw-r--r--bin/dnssec/dnssec-signzone.c145
1 files changed, 89 insertions, 56 deletions
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index eec6110..b8f4d66 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -1,5 +1,5 @@
/*
- * Portions Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
* Portions Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -29,7 +29,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssec-signzone.c,v 1.209.12.18 2009/11/03 23:47:45 tbox Exp $ */
+/* $Id: dnssec-signzone.c,v 1.209.12.20 2010-06-03 23:47:48 tbox Exp $ */
/*! \file */
@@ -1606,6 +1606,15 @@ verifyzone(void) {
result = dns_dbiterator_current(dbiter, &node, name);
check_dns_dbiterator_current(result);
+ if (!dns_name_issubdomain(name, gorigin)) {
+ dns_db_detachnode(gdb, &node);
+ result = dns_dbiterator_next(dbiter);
+ if (result == ISC_R_NOMORE)
+ done = ISC_TRUE;
+ else
+ check_result(result, "dns_dbiterator_next()");
+ continue;
+ }
if (delegation(name, node, NULL)) {
zonecut = dns_fixedname_name(&fzonecut);
dns_name_copy(name, zonecut, NULL);
@@ -1931,6 +1940,40 @@ add_ds(dns_name_t *name, dns_dbnode_t *node, isc_uint32_t nsttl) {
}
}
+/*
+ * Remove records of the given type and their signatures.
+ */
+static void
+remove_records(dns_dbnode_t *node, dns_rdatatype_t which) {
+ isc_result_t result;
+ dns_rdatatype_t type, covers;
+ dns_rdatasetiter_t *rdsiter = NULL;
+ dns_rdataset_t rdataset;
+
+ dns_rdataset_init(&rdataset);
+
+ /*
+ * Delete any NSEC records at the apex.
+ */
+ result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter);
+ check_result(result, "dns_db_allrdatasets()");
+ for (result = dns_rdatasetiter_first(rdsiter);
+ result == ISC_R_SUCCESS;
+ result = dns_rdatasetiter_next(rdsiter)) {
+ dns_rdatasetiter_current(rdsiter, &rdataset);
+ type = rdataset.type;
+ covers = rdataset.covers;
+ dns_rdataset_disassociate(&rdataset);
+ if (type == which || covers == which) {
+ result = dns_db_deleterdataset(gdb, node, gversion,
+ type, covers);
+ check_result(result, "dns_db_deleterdataset()");
+ continue;
+ }
+ }
+ dns_rdatasetiter_destroy(&rdsiter);
+}
+
/*%
* Generate NSEC records for the zone and remove NSEC3/NSEC3PARAM records.
*/
@@ -1990,35 +2033,25 @@ nsecify(void) {
result = dns_dbiterator_first(dbiter);
check_result(result, "dns_dbiterator_first()");
- result = dns_dbiterator_current(dbiter, &node, name);
- check_dns_dbiterator_current(result);
- /*
- * Delete any NSEC3PARAM records at the apex.
- */
- result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter);
- check_result(result, "dns_db_allrdatasets()");
- for (result = dns_rdatasetiter_first(rdsiter);
- result == ISC_R_SUCCESS;
- result = dns_rdatasetiter_next(rdsiter)) {
- dns_rdatasetiter_current(rdsiter, &rdataset);
- type = rdataset.type;
- covers = rdataset.covers;
- dns_rdataset_disassociate(&rdataset);
- if (type == dns_rdatatype_nsec3param ||
- covers == dns_rdatatype_nsec3param) {
- result = dns_db_deleterdataset(gdb, node, gversion,
- type, covers);
- check_result(result,
- "dns_db_deleterdataset(nsec3param/rrsig)");
- continue;
- }
- }
- dns_rdatasetiter_destroy(&rdsiter);
- dns_db_detachnode(gdb, &node);
-
while (!done) {
result = dns_dbiterator_current(dbiter, &node, name);
check_dns_dbiterator_current(result);
+ /*
+ * Skip out-of-zone records.
+ */
+ if (!dns_name_issubdomain(name, gorigin)) {
+ result = dns_dbiterator_next(dbiter);
+ if (result == ISC_R_NOMORE)
+ done = ISC_TRUE;
+ else
+ check_result(result, "dns_dbiterator_next()");
+ dns_db_detachnode(gdb, &node);
+ continue;
+ }
+
+ if (dns_name_equal(name, gorigin))
+ remove_records(node, dns_rdatatype_nsec3param);
+
if (delegation(name, node, &nsttl)) {
zonecut = dns_fixedname_name(&fzonecut);
dns_name_copy(name, zonecut, NULL);
@@ -2299,8 +2332,6 @@ nsec3ify(unsigned int hashalg, unsigned int iterations,
dns_fixedname_t fname, fnextname, fzonecut;
dns_name_t *name, *nextname, *zonecut;
dns_rdataset_t rdataset;
- dns_rdatasetiter_t *rdsiter = NULL;
- dns_rdatatype_t type, covers;
int order;
isc_boolean_t active;
isc_boolean_t done = ISC_FALSE;
@@ -2325,35 +2356,25 @@ nsec3ify(unsigned int hashalg, unsigned int iterations,
result = dns_dbiterator_first(dbiter);
check_result(result, "dns_dbiterator_first()");
- result = dns_dbiterator_current(dbiter, &node, name);
- check_dns_dbiterator_current(result);
- /*
- * Delete any NSEC records at the apex.
- */
- result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter);
- check_result(result, "dns_db_allrdatasets()");
- for (result = dns_rdatasetiter_first(rdsiter);
- result == ISC_R_SUCCESS;
- result = dns_rdatasetiter_next(rdsiter)) {
- dns_rdatasetiter_current(rdsiter, &rdataset);
- type = rdataset.type;
- covers = rdataset.covers;
- dns_rdataset_disassociate(&rdataset);
- if (type == dns_rdatatype_nsec ||
- covers == dns_rdatatype_nsec) {
- result = dns_db_deleterdataset(gdb, node, gversion,
- type, covers);
- check_result(result,
- "dns_db_deleterdataset(nsec3param/rrsig)");
- continue;
- }
- }
- dns_rdatasetiter_destroy(&rdsiter);
- dns_db_detachnode(gdb, &node);
-
while (!done) {
result = dns_dbiterator_current(dbiter, &node, name);
check_dns_dbiterator_current(result);
+ /*
+ * Skip out-of-zone records.
+ */
+ if (!dns_name_issubdomain(name, gorigin)) {
+ result = dns_dbiterator_next(dbiter);
+ if (result == ISC_R_NOMORE)
+ done = ISC_TRUE;
+ else
+ check_result(result, "dns_dbiterator_next()");
+ dns_db_detachnode(gdb, &node);
+ continue;
+ }
+
+ if (dns_name_equal(name, gorigin))
+ remove_records(node, dns_rdatatype_nsec);
+
result = dns_dbiterator_next(dbiter);
nextnode = NULL;
while (result == ISC_R_SUCCESS) {
@@ -2470,6 +2491,18 @@ nsec3ify(unsigned int hashalg, unsigned int iterations,
while (!done) {
result = dns_dbiterator_current(dbiter, &node, name);
check_dns_dbiterator_current(result);
+ /*
+ * Skip out-of-zone records.
+ */
+ if (!dns_name_issubdomain(name, gorigin)) {
+ result = dns_dbiterator_next(dbiter);
+ if (result == ISC_R_NOMORE)
+ done = ISC_TRUE;
+ else
+ check_result(result, "dns_dbiterator_next()");
+ dns_db_detachnode(gdb, &node);
+ continue;
+ }
result = dns_dbiterator_next(dbiter);
nextnode = NULL;
while (result == ISC_R_SUCCESS) {
OpenPOWER on IntegriCloud