Extract check_apex_rrsets() from dns_zoneverify_dnssec()
Extract the part of dns_zoneverify_dnssec() responsible for fetching and preliminarily checking DNSKEY, SOA, NSEC, and NSEC3PARAM RRsets from zone apex to a separate function.
This commit is contained in:
Michał Kępień
@@ -1157,6 +1157,62 @@ vctx_destroy(vctx_t *vctx) {
|
||||
isc_heap_destroy(&vctx->found_chains);
|
||||
}
|
||||
|
||||
static void
|
||||
check_apex_rrsets(vctx_t *vctx) {
|
||||
dns_dbnode_t *node = NULL;
|
||||
isc_result_t result;
|
||||
|
||||
result = dns_db_findnode(vctx->db, vctx->origin, ISC_FALSE, &node);
|
||||
if (result != ISC_R_SUCCESS)
|
||||
fatal("failed to find the zone's origin: %s",
|
||||
isc_result_totext(result));
|
||||
|
||||
result = dns_db_findrdataset(vctx->db, node, vctx->ver,
|
||||
dns_rdatatype_dnskey, 0, 0,
|
||||
&vctx->keyset, &vctx->keysigs);
|
||||
if (result != ISC_R_SUCCESS)
|
||||
fatal("Zone contains no DNSSEC keys\n");
|
||||
|
||||
result = dns_db_findrdataset(vctx->db, node, vctx->ver,
|
||||
dns_rdatatype_soa, 0, 0,
|
||||
&vctx->soaset, &vctx->soasigs);
|
||||
if (result != ISC_R_SUCCESS)
|
||||
fatal("Zone contains no SOA record\n");
|
||||
|
||||
result = dns_db_findrdataset(vctx->db, node, vctx->ver,
|
||||
dns_rdatatype_nsec, 0, 0,
|
||||
&vctx->nsecset, &vctx->nsecsigs);
|
||||
if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND)
|
||||
fatal("NSEC lookup failed\n");
|
||||
|
||||
result = dns_db_findrdataset(vctx->db, node, vctx->ver,
|
||||
dns_rdatatype_nsec3param, 0, 0,
|
||||
&vctx->nsec3paramset,
|
||||
&vctx->nsec3paramsigs);
|
||||
if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND)
|
||||
fatal("NSEC3PARAM lookup failed\n");
|
||||
|
||||
if (!dns_rdataset_isassociated(&vctx->keysigs))
|
||||
fatal("DNSKEY is not signed (keys offline or inactive?)\n");
|
||||
|
||||
if (!dns_rdataset_isassociated(&vctx->soasigs))
|
||||
fatal("SOA is not signed (keys offline or inactive?)\n");
|
||||
|
||||
if (dns_rdataset_isassociated(&vctx->nsecset) &&
|
||||
!dns_rdataset_isassociated(&vctx->nsecsigs))
|
||||
fatal("NSEC is not signed (keys offline or inactive?)\n");
|
||||
|
||||
if (dns_rdataset_isassociated(&vctx->nsec3paramset) &&
|
||||
!dns_rdataset_isassociated(&vctx->nsec3paramsigs))
|
||||
fatal("NSEC3PARAM is not signed (keys offline or inactive?)\n");
|
||||
|
||||
if (!dns_rdataset_isassociated(&vctx->nsecset) &&
|
||||
!dns_rdataset_isassociated(&vctx->nsec3paramset))
|
||||
fatal("No valid NSEC/NSEC3 chain for testing\n");
|
||||
|
||||
dns_db_detachnode(vctx->db, &node);
|
||||
}
|
||||
|
||||
void
|
||||
dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
|
||||
dns_name_t *origin, isc_mem_t *mctx,
|
||||
@@ -1181,55 +1237,7 @@ dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
|
||||
return;
|
||||
}
|
||||
|
||||
result = dns_db_findnode(vctx.db, vctx.origin, ISC_FALSE, &node);
|
||||
if (result != ISC_R_SUCCESS)
|
||||
fatal("failed to find the zone's origin: %s",
|
||||
isc_result_totext(result));
|
||||
|
||||
result = dns_db_findrdataset(vctx.db, node, vctx.ver,
|
||||
dns_rdatatype_dnskey, 0, 0, &vctx.keyset,
|
||||
&vctx.keysigs);
|
||||
if (result != ISC_R_SUCCESS)
|
||||
fatal("Zone contains no DNSSEC keys\n");
|
||||
|
||||
result = dns_db_findrdataset(vctx.db, node, vctx.ver,
|
||||
dns_rdatatype_soa, 0, 0, &vctx.soaset,
|
||||
&vctx.soasigs);
|
||||
if (result != ISC_R_SUCCESS)
|
||||
fatal("Zone contains no SOA record\n");
|
||||
|
||||
result = dns_db_findrdataset(vctx.db, node, vctx.ver,
|
||||
dns_rdatatype_nsec, 0, 0, &vctx.nsecset,
|
||||
&vctx.nsecsigs);
|
||||
if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND)
|
||||
fatal("NSEC lookup failed\n");
|
||||
|
||||
result = dns_db_findrdataset(vctx.db, node, vctx.ver,
|
||||
dns_rdatatype_nsec3param, 0, 0,
|
||||
&vctx.nsec3paramset,
|
||||
&vctx.nsec3paramsigs);
|
||||
if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND)
|
||||
fatal("NSEC3PARAM lookup failed\n");
|
||||
|
||||
if (!dns_rdataset_isassociated(&vctx.keysigs))
|
||||
fatal("DNSKEY is not signed (keys offline or inactive?)\n");
|
||||
|
||||
if (!dns_rdataset_isassociated(&vctx.soasigs))
|
||||
fatal("SOA is not signed (keys offline or inactive?)\n");
|
||||
|
||||
if (dns_rdataset_isassociated(&vctx.nsecset) &&
|
||||
!dns_rdataset_isassociated(&vctx.nsecsigs))
|
||||
fatal("NSEC is not signed (keys offline or inactive?)\n");
|
||||
|
||||
if (dns_rdataset_isassociated(&vctx.nsec3paramset) &&
|
||||
!dns_rdataset_isassociated(&vctx.nsec3paramsigs))
|
||||
fatal("NSEC3PARAM is not signed (keys offline or inactive?)\n");
|
||||
|
||||
if (!dns_rdataset_isassociated(&vctx.nsecset) &&
|
||||
!dns_rdataset_isassociated(&vctx.nsec3paramset))
|
||||
fatal("No valid NSEC/NSEC3 chain for testing\n");
|
||||
|
||||
dns_db_detachnode(vctx.db, &node);
|
||||
check_apex_rrsets(&vctx);
|
||||
|
||||
/*
|
||||
* Check that the DNSKEY RR has at least one self signing KSK
|
||||
|
||||
Reference in New Issue
Block a user