When creating a validator copy the passed in name

This allows the instance of the name the validator is using to be
independent of the caller's structures.  Keep the actual pointer
so that the caller can recover state.  With the validator no longer
using the caller's memory we don't need dns_validator_shutdown
anymore.

lib/dns/adb.c

@@ -2909,6 +2909,7 @@ fetch_name(dns_adbname_t *adbname, bool start_at_zone, bool no_validation,
 	 * createfetch to find deepest cached name when we're providing
 	 * domain and nameservers.
 	 */
+	dns_adbname_ref(adbname);
 	result = dns_resolver_createfetch(
 		adb->res, adbname->name, type, name, nameservers, NULL, NULL, 0,
 		options, depth, qc, gqc, isc_loop(), fetch_callback, adbname,
@@ -2916,11 +2917,10 @@ fetch_name(dns_adbname_t *adbname, bool start_at_zone, bool no_validation,
 	if (result != ISC_R_SUCCESS) {
 		DP(ENTER_LEVEL, "fetch_name: createfetch failed with %s",
 		   isc_result_totext(result));
+		dns_adbname_unref(adbname);
 		goto cleanup;
 	}
 
-	dns_adbname_ref(adbname);
-
 	if (type == dns_rdatatype_a) {
 		adbname->fetch_a = fetch;
 		inc_resstats(adb, dns_resstatscounter_gluefetchv4);

lib/dns/include/dns/validator.h

@@ -79,8 +79,12 @@ struct dns_validator {
 	uint32_t       tid;
 	isc_refcount_t references;
 
-	/* Name and type of the response to be validated. */
-	dns_name_t     *name;
+	/*
+	 * Name and type of the response to be validated and
+	 * the passed in name.
+	 */
+	dns_name_t	name;
+	dns_name_t     *thename;
 	dns_rdatatype_t type;
 
 	/*
@@ -238,20 +242,6 @@ dns_validator_cancel(dns_validator_t *validator);
  *	event, it will send it with result code ISC_R_CANCELED.
  */
 
-void
-dns_validator_shutdown(dns_validator_t *val);
-/*%<
- * Release the name associated with the DNSSEC validator.
- *
- * Requires:
- * \li	'val' points to a valid DNSSEC validator.
- * \li	The validator must have completed and sent its completion
- *	event.
- *
- * Ensures:
- *\li	The name associated with the DNSSEC validator is released.
- */
-
 #if DNS_VALIDATOR_TRACE
 #define dns_validator_ref(ptr) \
 	dns_validator__ref(ptr, __func__, __FILE__, __LINE__)

lib/dns/resolver.c

@@ -5434,8 +5434,8 @@ validated(void *arg) {
 		if (fctx->vresult != DNS_R_BROKENCHAIN) {
 			result = ISC_R_NOTFOUND;
 			if (val->rdataset != NULL) {
-				result = dns_db_findnode(fctx->cache, val->name,
-							 false, &node);
+				result = dns_db_findnode(
+					fctx->cache, &val->name, false, &node);
 			}
 			if (result == ISC_R_SUCCESS) {
 				(void)dns_db_deleterdataset(fctx->cache, node,
@@ -5458,8 +5458,8 @@ validated(void *arg) {
 			 */
 			result = ISC_R_NOTFOUND;
 			if (val->rdataset != NULL) {
-				result = dns_db_findnode(fctx->cache, val->name,
-							 true, &node);
+				result = dns_db_findnode(
+					fctx->cache, &val->name, true, &node);
 			}
 			if (result == ISC_R_SUCCESS) {
 				(void)dns_db_addrdataset(
@@ -5528,7 +5528,7 @@ validated(void *arg) {
 			fctx->qmin_warning = ISC_R_SUCCESS;
 		}
 
-		result = dns_db_findnode(fctx->cache, val->name, true, &node);
+		result = dns_db_findnode(fctx->cache, &val->name, true, &node);
 		if (result != ISC_R_SUCCESS) {
 			/* fctx->lock unlocked in noanswer_response */
 			goto noanswer_response;
@@ -5577,7 +5577,7 @@ validated(void *arg) {
 	{
 		isc_result_t tresult;
 		dns_name_t *noqname = NULL;
-		tresult = findnoqname(fctx, message, val->name,
+		tresult = findnoqname(fctx, message, val->thename,
 				      val->rdataset->type, &noqname);
 		if (tresult == ISC_R_SUCCESS && noqname != NULL) {
 			tresult = dns_rdataset_addnoqname(val->rdataset,
@@ -5592,7 +5592,7 @@ validated(void *arg) {
 	 * rdatasets to the first event on the fetch
 	 * event list.
 	 */
-	result = dns_db_findnode(fctx->cache, val->name, true, &node);
+	result = dns_db_findnode(fctx->cache, &val->name, true, &node);
 	if (result != ISC_R_SUCCESS) {
 		goto noanswer_response;
 	}
@@ -5805,7 +5805,7 @@ answer_response:
 		}
 
 		hresp->result = eresult;
-		dns_name_copy(val->name, hresp->foundname);
+		dns_name_copy(&val->name, hresp->foundname);
 		dns_db_attach(fctx->cache, &hresp->db);
 		dns_db_transfernode(fctx->cache, &node, &hresp->node);
 		clone_results(fctx);
@@ -5824,12 +5824,6 @@ cleanup_fetchctx:
 		fctx_done_unref(fctx, result);
 	}
 
-	/*
-	 * val->name points to name on a message on one of the
-	 * queries on the fetch context so the name has to be
-	 * released first with a dns_validator_shutdown() call.
-	 */
-	dns_validator_shutdown(val);
 	dns_validator_detach(&val);
 	fetchctx_detach(&fctx);
 	INSIST(node == NULL);

lib/dns/validator.c

@@ -398,8 +398,7 @@ fetch_callback_dnskey(void *arg) {
 	dns_fetchresponse_t *resp = (dns_fetchresponse_t *)arg;
 	dns_validator_t *val = resp->arg;
 	dns_rdataset_t *rdataset = &val->frdataset;
-	isc_result_t eresult = resp->result;
-	isc_result_t result;
+	isc_result_t result = resp->result;
 
 	/* Free resources which are not of interest. */
 	if (resp->node != NULL) {
@@ -421,7 +420,7 @@ fetch_callback_dnskey(void *arg) {
 		goto cleanup;
 	}
 
-	switch (eresult) {
+	switch (result) {
 	case ISC_R_SUCCESS:
 	case DNS_R_NCACHENXRRSET:
 		/*
@@ -429,13 +428,13 @@ fetch_callback_dnskey(void *arg) {
 		 * RRset or a NODATA response.
 		 */
 		validator_log(val, ISC_LOG_DEBUG(3), "%s with trust %s",
-			      eresult == ISC_R_SUCCESS ? "keyset"
-						       : "NCACHENXRRSET",
+			      result == ISC_R_SUCCESS ? "keyset"
+						      : "NCACHENXRRSET",
 			      dns_trust_totext(rdataset->trust));
 		/*
 		 * Only extract the dst key if the keyset exists and is secure.
 		 */
-		if (eresult == ISC_R_SUCCESS &&
+		if (result == ISC_R_SUCCESS &&
 		    rdataset->trust >= dns_trust_secure)
 		{
 			result = validate_helper_run(val,
@@ -447,7 +446,7 @@ fetch_callback_dnskey(void *arg) {
 	default:
 		validator_log(val, ISC_LOG_DEBUG(3),
 			      "fetch_callback_dnskey: got %s",
-			      isc_result_totext(eresult));
+			      isc_result_totext(result));
 		result = DNS_R_BROKENCHAIN;
 	}
 
@@ -466,8 +465,7 @@ fetch_callback_ds(void *arg) {
 	dns_fetchresponse_t *resp = (dns_fetchresponse_t *)arg;
 	dns_validator_t *val = resp->arg;
 	dns_rdataset_t *rdataset = &val->frdataset;
-	isc_result_t eresult = resp->result;
-	isc_result_t result;
+	isc_result_t result = resp->result;
 	bool trustchain;
 
 	/*
@@ -497,7 +495,7 @@ fetch_callback_ds(void *arg) {
 	}
 
 	if (trustchain) {
-		switch (eresult) {
+		switch (result) {
 		case ISC_R_SUCCESS:
 			/*
 			 * We looked for a DS record as part of
@@ -520,18 +518,18 @@ fetch_callback_ds(void *arg) {
 			 */
 			validator_log(val, ISC_LOG_DEBUG(3),
 				      "falling back to insecurity proof (%s)",
-				      isc_result_totext(eresult));
+				      isc_result_totext(result));
 			result = proveunsecure(val, false, false);
 			break;
 		default:
 			validator_log(val, ISC_LOG_DEBUG(3),
 				      "fetch_callback_ds: got %s",
-				      isc_result_totext(eresult));
+				      isc_result_totext(result));
 			result = DNS_R_BROKENCHAIN;
 			break;
 		}
 	} else {
-		switch (eresult) {
+		switch (result) {
 		case DNS_R_NXDOMAIN:
 		case DNS_R_NCACHENXDOMAIN:
 			/*
@@ -554,7 +552,7 @@ fetch_callback_ds(void *arg) {
 		case DNS_R_NXRRSET:
 		case DNS_R_NCACHENXRRSET:
 			if (isdelegation(resp->foundname, &val->frdataset,
-					 eresult))
+					 result))
 			{
 				/*
 				 * Failed to find a DS while trying to prove
@@ -575,7 +573,7 @@ fetch_callback_ds(void *arg) {
 		default:
 			validator_log(val, ISC_LOG_DEBUG(3),
 				      "fetch_callback_ds: got %s",
-				      isc_result_totext(eresult));
+				      isc_result_totext(result));
 			result = DNS_R_BROKENCHAIN;
 		}
 	}
@@ -597,7 +595,7 @@ validator_callback_dnskey(void *arg) {
 	dns_validator_t *val = subvalidator->parent;
 	isc_result_t result = subvalidator->result;
 
-	val->subvalidator = NULL;
+	dns_validator_detach(&val->subvalidator);
 
 	if (CANCELED(val) || CANCELING(val)) {
 		result = ISC_R_CANCELED;
@@ -634,9 +632,6 @@ validator_callback_dnskey(void *arg) {
 	}
 
 cleanup:
-	dns_validator_detach(&subvalidator->parent);
-	dns_validator_shutdown(subvalidator);
-	dns_validator_detach(&subvalidator);
 	validate_async_done(val, result);
 }
 
@@ -651,7 +646,7 @@ validator_callback_ds(void *arg) {
 	dns_validator_t *val = subvalidator->parent;
 	isc_result_t result = subvalidator->result;
 
-	val->subvalidator = NULL;
+	dns_validator_detach(&val->subvalidator);
 
 	if (CANCELED(val) || CANCELING(val)) {
 		result = ISC_R_CANCELED;
@@ -686,7 +681,7 @@ validator_callback_ds(void *arg) {
 			      isc_result_totext(result));
 		if (result != DNS_R_BROKENCHAIN) {
 			expire_rdatasets(val);
-			result = create_fetch(val, val->name, dns_rdatatype_ds,
+			result = create_fetch(val, &val->name, dns_rdatatype_ds,
 					      fetch_callback_ds,
 					      "validator_callback_ds");
 			if (result == ISC_R_SUCCESS) {
@@ -696,9 +691,6 @@ validator_callback_ds(void *arg) {
 	}
 
 cleanup:
-	dns_validator_detach(&subvalidator->parent);
-	dns_validator_shutdown(subvalidator);
-	dns_validator_detach(&subvalidator);
 	validate_async_done(val, result);
 }
 
@@ -711,12 +703,11 @@ static void
 validator_callback_cname(void *arg) {
 	dns_validator_t *subvalidator = (dns_validator_t *)arg;
 	dns_validator_t *val = subvalidator->parent;
-	isc_result_t result;
-	isc_result_t eresult = subvalidator->result;
+	isc_result_t result = subvalidator->result;
 
 	INSIST((val->attributes & VALATTR_INSECURITY) != 0);
 
-	val->subvalidator = NULL;
+	dns_validator_detach(&val->subvalidator);
 
 	if (CANCELED(val) || CANCELING(val)) {
 		result = ISC_R_CANCELED;
@@ -724,24 +715,21 @@ validator_callback_cname(void *arg) {
 	}
 
 	validator_log(val, ISC_LOG_DEBUG(3), "in validator_callback_cname");
-	if (eresult == ISC_R_SUCCESS) {
+	if (result == ISC_R_SUCCESS) {
 		validator_log(val, ISC_LOG_DEBUG(3), "cname with trust %s",
 			      dns_trust_totext(val->frdataset.trust));
 		result = proveunsecure(val, false, true);
 	} else {
-		if (eresult != DNS_R_BROKENCHAIN) {
+		if (result != DNS_R_BROKENCHAIN) {
 			expire_rdatasets(val);
 		}
 		validator_log(val, ISC_LOG_DEBUG(3),
 			      "validator_callback_cname: got %s",
-			      isc_result_totext(eresult));
+			      isc_result_totext(result));
 		result = DNS_R_BROKENCHAIN;
 	}
 
 cleanup:
-	dns_validator_detach(&subvalidator->parent);
-	dns_validator_shutdown(subvalidator);
-	dns_validator_detach(&subvalidator);
 	validate_async_done(val, result);
 }
 
@@ -756,12 +744,12 @@ static void
 validator_callback_nsec(void *arg) {
 	dns_validator_t *subvalidator = (dns_validator_t *)arg;
 	dns_validator_t *val = subvalidator->parent;
+	dns_name_t *name = subvalidator->thename;
 	dns_rdataset_t *rdataset = subvalidator->rdataset;
-	isc_result_t result;
-	isc_result_t eresult = subvalidator->result;
+	isc_result_t result = subvalidator->result;
 	bool exists, data;
 
-	val->subvalidator = NULL;
+	dns_validator_detach(&val->subvalidator);
 
 	if (CANCELED(val) || CANCELING(val)) {
 		result = ISC_R_CANCELED;
@@ -769,7 +757,7 @@ validator_callback_nsec(void *arg) {
 	}
 
 	validator_log(val, ISC_LOG_DEBUG(3), "in validator_callback_nsec");
-	if (eresult == ISC_R_SUCCESS) {
+	if (result == ISC_R_SUCCESS) {
 		dns_name_t **proofs = val->proofs;
 		dns_name_t *wild = dns_fixedname_name(&val->wild);
 
@@ -777,16 +765,15 @@ validator_callback_nsec(void *arg) {
 		    rdataset->trust == dns_trust_secure &&
 		    (NEEDNODATA(val) || NEEDNOQNAME(val)) &&
 		    !FOUNDNODATA(val) && !FOUNDNOQNAME(val) &&
-		    dns_nsec_noexistnodata(val->type, val->name,
-					   subvalidator->name, rdataset,
-					   &exists, &data, wild, validator_log,
-					   val) == ISC_R_SUCCESS)
+		    dns_nsec_noexistnodata(val->type, &val->name, name,
+					   rdataset, &exists, &data, wild,
+					   validator_log, val) == ISC_R_SUCCESS)
 		{
 			if (exists && !data) {
 				val->attributes |= VALATTR_FOUNDNODATA;
 				if (NEEDNODATA(val)) {
 					proofs[DNS_VALIDATOR_NODATAPROOF] =
-						subvalidator->name;
+						name;
 				}
 			}
 			if (!exists) {
@@ -815,7 +802,7 @@ validator_callback_nsec(void *arg) {
 				 */
 				if (NEEDNOQNAME(val)) {
 					proofs[DNS_VALIDATOR_NOQNAMEPROOF] =
-						subvalidator->name;
+						name;
 				}
 			}
 		}
@@ -824,11 +811,10 @@ validator_callback_nsec(void *arg) {
 	} else {
 		validator_log(val, ISC_LOG_DEBUG(3),
 			      "validator_callback_nsec: got %s",
-			      isc_result_totext(eresult));
-		switch (eresult) {
+			      isc_result_totext(result));
+		switch (result) {
 		case ISC_R_CANCELED:
 		case ISC_R_SHUTTINGDOWN:
-			result = eresult;
 			break;
 		case DNS_R_BROKENCHAIN:
 			val->authfail++;
@@ -839,9 +825,6 @@ validator_callback_nsec(void *arg) {
 	}
 
 cleanup:
-	dns_validator_detach(&subvalidator->parent);
-	dns_validator_shutdown(subvalidator);
-	dns_validator_detach(&subvalidator);
 	validate_async_done(val, result);
 }
 
@@ -901,7 +884,7 @@ check_deadlock(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
 
 	for (parent = val; parent != NULL; parent = parent->parent) {
 		if (parent->type == type &&
-		    dns_name_equal(parent->name, name) &&
+		    dns_name_equal(&parent->name, name) &&
 		    /*
 		     * As NSEC3 records are meta data you sometimes
 		     * need to prove a NSEC3 record which says that
@@ -1075,7 +1058,7 @@ seek_dnskey(dns_validator_t *val) {
 	 * The signer name must be at the same level as the owner name
 	 * or closer to the DNS root.
 	 */
-	namereln = dns_name_fullcompare(val->name, &siginfo->signer, &order,
+	namereln = dns_name_fullcompare(&val->name, &siginfo->signer, &order,
 					&nlabels);
 	if (namereln != dns_namereln_subdomain &&
 	    namereln != dns_namereln_equal)
@@ -1280,7 +1263,7 @@ static isc_result_t
 selfsigned_dnskey(dns_validator_t *val) {
 	dns_rdataset_t *rdataset = val->rdataset;
 	dns_rdataset_t *sigrdataset = val->sigrdataset;
-	dns_name_t *name = val->name;
+	dns_name_t *name = &val->name;
 	isc_result_t result;
 	isc_mem_t *mctx = val->view->mctx;
 
@@ -1414,7 +1397,7 @@ verify(dns_validator_t *val, dst_key_t *key, dns_rdata_t *rdata,
 		return ISC_R_QUOTA;
 	}
 again:
-	result = dns_dnssec_verify(val->name, val->rdataset, key, ignore,
+	result = dns_dnssec_verify(&val->name, val->rdataset, key, ignore,
 				   val->view->maxbits, val->view->mctx, rdata,
 				   wild);
 	if ((result == DNS_R_SIGEXPIRED || result == DNS_R_SIGFUTURE) &&
@@ -1441,7 +1424,7 @@ again:
 			      isc_result_totext(result));
 	}
 	if (result == DNS_R_FROMWILDCARD) {
-		if (!dns_name_equal(val->name, wild)) {
+		if (!dns_name_equal(&val->name, wild)) {
 			dns_name_t *closest;
 			unsigned int labels;
 
@@ -1653,7 +1636,7 @@ validate_answer_process(void *arg) {
 	 * At this point we could check that the signature algorithm
 	 * was known and "sufficiently good".
 	 */
-	if (!dns_resolver_algorithm_supported(val->view->resolver, val->name,
+	if (!dns_resolver_algorithm_supported(val->view->resolver, &val->name,
 					      val->siginfo->algorithm))
 	{
 		if (val->unsupported_algorithm == 0) {
@@ -1794,6 +1777,11 @@ static void
 resume_answer(void *arg) {
 	dns_validator_t *val = arg;
 
+	if (CANCELED(val) || CANCELING(val)) {
+		validate_async_done(val, ISC_R_CANCELED);
+		return;
+	}
+
 	val->resume = true;
 	validate_answer_iter_start(val);
 }
@@ -1864,7 +1852,7 @@ check_signer(dns_validator_t *val, dns_rdata_t *keyrdata, uint16_t keyid,
 		}
 		if (dstkey == NULL) {
 			result = dns_dnssec_keyfromrdata(
-				val->name, keyrdata, val->view->mctx, &dstkey);
+				&val->name, keyrdata, val->view->mctx, &dstkey);
 			if (result != ISC_R_SUCCESS) {
 				/*
 				 * This really shouldn't happen, but...
@@ -2016,7 +2004,7 @@ validate_dnskey_dsset(dns_validator_t *val) {
 		return DNS_R_BADALG;
 	}
 
-	if (!dns_resolver_ds_digest_supported(val->view->resolver, val->name,
+	if (!dns_resolver_ds_digest_supported(val->view->resolver, &val->name,
 					      ds.digest_type))
 	{
 		if (val->unsupported_digest == 0) {
@@ -2025,7 +2013,7 @@ validate_dnskey_dsset(dns_validator_t *val) {
 		return DNS_R_BADALG;
 	}
 
-	if (!dns_resolver_algorithm_supported(val->view->resolver, val->name,
+	if (!dns_resolver_algorithm_supported(val->view->resolver, &val->name,
 					      ds.algorithm))
 	{
 		if (val->unsupported_algorithm == 0) {
@@ -2037,7 +2025,7 @@ validate_dnskey_dsset(dns_validator_t *val) {
 	/*
 	 * Find the DNSKEY matching the DS...
 	 */
-	result = dns_dnssec_matchdskey(val->name, &dsrdata, val->rdataset,
+	result = dns_dnssec_matchdskey(&val->name, &dsrdata, val->rdataset,
 				       &keyrdata);
 	if (result != ISC_R_SUCCESS) {
 		validator_log(val, ISC_LOG_DEBUG(3), "no DNSKEY matching DS");
@@ -2149,7 +2137,7 @@ validate_dnskey(void *arg) {
 	 * a DS style trust anchor configured for this key.
 	 */
 	if (val->dsset == NULL) {
-		result = dns_keytable_find(val->keytable, val->name, &keynode);
+		result = dns_keytable_find(val->keytable, &val->name, &keynode);
 		if (result == ISC_R_SUCCESS) {
 			if (dns_keynode_dsset(keynode, &val->fdsset)) {
 				val->dsset = &val->fdsset;
@@ -2168,7 +2156,7 @@ validate_dnskey(void *arg) {
 		 * If this is the root name and there was no trust anchor,
 		 * we can give up now, since there's no DS at the root.
 		 */
-		if (dns_name_equal(val->name, dns_rootname)) {
+		if (dns_name_equal(&val->name, dns_rootname)) {
 			if ((val->attributes & VALATTR_TRIEDVERIFY) != 0) {
 				validator_log(val, ISC_LOG_DEBUG(3),
 					      "root key failed to validate");
@@ -2183,7 +2171,7 @@ validate_dnskey(void *arg) {
 		/*
 		 * Look up the DS RRset for this name.
 		 */
-		result = get_dsset(val, val->name, &tresult);
+		result = get_dsset(val, &val->name, &tresult);
 		if (result == ISC_R_COMPLETE) {
 			result = tresult;
 			goto cleanup;
@@ -2225,13 +2213,13 @@ validate_dnskey(void *arg) {
 		RUNTIME_CHECK(result == ISC_R_SUCCESS);
 
 		if (!dns_resolver_ds_digest_supported(
-			    val->view->resolver, val->name, ds.digest_type))
+			    val->view->resolver, &val->name, ds.digest_type))
 		{
 			continue;
 		}
 
 		if (!dns_resolver_algorithm_supported(val->view->resolver,
-						      val->name, ds.algorithm))
+						      &val->name, ds.algorithm))
 		{
 			continue;
 		}
@@ -2479,7 +2467,7 @@ findnsec3proofs(dns_validator_t *val) {
 			continue;
 		}
 
-		result = dns_nsec3_noexistnodata(val->type, val->name, name,
+		result = dns_nsec3_noexistnodata(val->type, &val->name, name,
 						 rdataset, zonename, NULL, NULL,
 						 NULL, NULL, NULL, NULL, NULL,
 						 NULL, validator_log, val);
@@ -2540,9 +2528,9 @@ findnsec3proofs(dns_validator_t *val) {
 		optout = false;
 		unknown = false;
 		result = dns_nsec3_noexistnodata(
-			val->type, val->name, name, rdataset, zonename, &exists,
-			&data, &optout, &unknown, setclosestp, &setnearest,
-			closestp, nearest, validator_log, val);
+			val->type, &val->name, name, rdataset, zonename,
+			&exists, &data, &optout, &unknown, setclosestp,
+			&setnearest, closestp, nearest, validator_log, val);
 		if (unknown) {
 			val->attributes |= VALATTR_FOUNDUNKNOWN;
 		}
@@ -2660,7 +2648,7 @@ validate_neg_rrset(dns_validator_t *val, dns_name_t *name,
 	 */
 	if (val->type == dns_rdatatype_dnskey &&
 	    rdataset->type == dns_rdatatype_nsec &&
-	    dns_name_equal(name, val->name))
+	    dns_name_equal(name, &val->name))
 	{
 		dns_rdata_t nsec = DNS_RDATA_INIT;
 
@@ -2975,10 +2963,10 @@ seek_ds(dns_validator_t *val, isc_result_t *resp) {
 	dns_name_t *found = dns_fixedname_initname(&fixedfound);
 	dns_name_t *tname = dns_fixedname_initname(&val->fname);
 
-	if (val->labels == dns_name_countlabels(val->name)) {
-		dns_name_copy(val->name, tname);
+	if (val->labels == dns_name_countlabels(&val->name)) {
+		dns_name_copy(&val->name, tname);
 	} else {
-		dns_name_split(val->name, val->labels, NULL, tname);
+		dns_name_split(&val->name, val->labels, NULL, tname);
 	}
 
 	dns_name_format(tname, namebuf, sizeof(namebuf));
@@ -3194,7 +3182,7 @@ proveunsecure(dns_validator_t *val, bool have_ds, bool resume) {
 	 */
 	val->attributes |= VALATTR_INSECURITY;
 
-	dns_name_copy(val->name, secroot);
+	dns_name_copy(&val->name, secroot);
 
 	/*
 	 * If this is a response to a DS query, we need to look in
@@ -3247,7 +3235,7 @@ proveunsecure(dns_validator_t *val, bool have_ds, bool resume) {
 	 * Walk down through each of the remaining labels in the name,
 	 * looking for DS records.
 	 */
-	while (val->labels <= dns_name_countlabels(val->name)) {
+	while (val->labels <= dns_name_countlabels(&val->name)) {
 		isc_result_t tresult;
 
 		result = seek_ds(val, &tresult);
@@ -3403,7 +3391,8 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
 		.result = DNS_R_NOVALIDSIG,
 		.rdataset = rdataset,
 		.sigrdataset = sigrdataset,
-		.name = name,
+		.name = DNS_NAME_INITEMPTY,
+		.thename = name,
 		.type = type,
 		.options = options,
 		.keytable = kt,
@@ -3415,6 +3404,8 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
 		.edectx = edectx,
 	};
 
+	dns_name_dup(name, view->mctx, &val->name);
+
 	isc_refcount_init(&val->references, 1);
 	dns_view_attach(view, &val->view);
 	if (message != NULL) {
@@ -3507,6 +3498,9 @@ destroy_validator(dns_validator_t *val) {
 	REQUIRE(val->subvalidator == NULL);
 
 	val->magic = 0;
+	if (val->parent != NULL) {
+		dns_validator_detach(&val->parent);
+	}
 	if (val->key != NULL) {
 		dst_key_free(&val->key);
 	}
@@ -3536,28 +3530,10 @@ destroy_validator(dns_validator_t *val) {
 
 	dns_view_detach(&val->view);
 	isc_loop_detach(&val->loop);
-
+	dns_name_free(&val->name, mctx);
 	isc_mem_put(mctx, val, sizeof(*val));
 }
 
-void
-dns_validator_shutdown(dns_validator_t *val) {
-	REQUIRE(VALID_VALIDATOR(val));
-	REQUIRE(COMPLETE(val));
-	REQUIRE(val->tid == isc_tid());
-
-	validator_log(val, ISC_LOG_DEBUG(4), "dns_validator_shutdown");
-
-	/*
-	 * The validation is now complete and the owner is no longer interested
-	 * in any further results. If there are still callback events queued up
-	 * which hold a validator reference, they should not be allowed to use
-	 * val->name during logging, because the owner may destroy it after this
-	 * function is called.
-	 */
-	val->name = NULL;
-}
-
 static void
 validator_logv(dns_validator_t *val, isc_logcategory_t category,
 	       isc_logmodule_t module, int level, const char *fmt, va_list ap) {
@@ -3590,20 +3566,14 @@ validator_logv(dns_validator_t *val, isc_logcategory_t category,
 		sep2 = ": ";
 	}
 
-	if (val->name != NULL) {
-		char namebuf[DNS_NAME_FORMATSIZE];
-		char typebuf[DNS_RDATATYPE_FORMATSIZE];
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char typebuf[DNS_RDATATYPE_FORMATSIZE];
 
-		dns_name_format(val->name, namebuf, sizeof(namebuf));
-		dns_rdatatype_format(val->type, typebuf, sizeof(typebuf));
-		isc_log_write(category, module, level,
-			      "%s%s%s%.*svalidating %s/%s: %s", sep1, viewname,
-			      sep2, depth, spaces, namebuf, typebuf, msgbuf);
-	} else {
-		isc_log_write(category, module, level,
-			      "%s%s%s%.*svalidator @%p: %s", sep1, viewname,
-			      sep2, depth, spaces, val, msgbuf);
-	}
+	dns_name_format(&val->name, namebuf, sizeof(namebuf));
+	dns_rdatatype_format(val->type, typebuf, sizeof(typebuf));
+	isc_log_write(category, module, level, "%s%s%s%.*svalidating %s/%s: %s",
+		      sep1, viewname, sep2, depth, spaces, namebuf, typebuf,
+		      msgbuf);
 }
 
 static void
@@ -3649,7 +3619,7 @@ validator_addede(dns_validator_t *val, uint16_t code, const char *extra) {
 		isc_buffer_putuint8(&b, ' ');
 	}
 
-	dns_name_totext(val->name, DNS_NAME_OMITFINALDOT, &b);
+	dns_name_totext(&val->name, DNS_NAME_OMITFINALDOT, &b);
 	isc_buffer_putuint8(&b, '/');
 	dns_rdatatype_totext(val->type, &b);
 	isc_buffer_putuint8(&b, '\0');