
📄 dnssec-signzone.c

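	/*
	 * NOTE(review): the listing on this page starts in the middle of a
	 * function; the lines down to the first closing brace are the tail of
	 * that function (presumably active_node(), which next_active() calls
	 * below -- confirm against the full file).  They are reproduced
	 * unchanged.
	 */
	dns_rdataset_init(&rdataset);
	rdsiter = NULL;
	result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter);
	check_result(result, "dns_db_allrdatasets()");
	result = dns_rdatasetiter_first(rdsiter);
	while (result == ISC_R_SUCCESS) {
		dns_rdatasetiter_current(rdsiter, &rdataset);
		if (rdataset.type != dns_rdatatype_nxt)
			active = ISC_TRUE;
		dns_rdataset_disassociate(&rdataset);
		if (!active)
			result = dns_rdatasetiter_next(rdsiter);
		else
			result = ISC_R_NOMORE;
	}
	if (result != ISC_R_NOMORE)
		fatal("rdataset iteration failed: %s",
		      isc_result_totext(result));
	dns_rdatasetiter_destroy(&rdsiter);

	if (!active) {
		/*
		 * Make sure there is no NXT record for this node.
		 */
		result = dns_db_deleterdataset(gdb, node, gversion,
					       dns_rdatatype_nxt, 0);
		if (result == DNS_R_UNCHANGED)
			result = ISC_R_SUCCESS;
		check_result(result, "dns_db_deleterdataset");
	}

	return (active);
}

/*
 * Advance the global database iterator until it rests on a node for which
 * active_node() returns true.
 *
 * On ISC_R_SUCCESS, '*nodep' is attached to that node and 'name' holds its
 * name.  Inactive nodes are detached before the iterator moves on.  Any
 * other result (including ISC_R_NOMORE) comes from the iterator and is
 * returned as is.
 */
static inline isc_result_t
next_active(dns_name_t *name, dns_dbnode_t **nodep) {
	isc_result_t result;
	isc_boolean_t active;

	do {
		active = ISC_FALSE;
		result = dns_dbiterator_current(gdbiter, nodep, name);
		if (result == ISC_R_SUCCESS) {
			active = active_node(*nodep);
			if (!active) {
				dns_db_detachnode(gdb, nodep);
				result = dns_dbiterator_next(gdbiter);
			}
		}
	} while (result == ISC_R_SUCCESS && !active);

	return (result);
}

/*
 * Advance to the next active node that is at or below 'origin' and is not
 * below 'lastcut' (when 'lastcut' is non-NULL).
 *
 * Active nodes that fail that test are written to the output stream as they
 * are, without going through the signing path, and are then detached.
 * Returns ISC_R_SUCCESS with '*nodep' attached to the selected node, or the
 * iterator result that ended the walk.
 */
static inline isc_result_t
next_nonglue(dns_name_t *name, dns_dbnode_t **nodep, dns_name_t *origin,
	     dns_name_t *lastcut)
{
	isc_result_t result;

	do {
		result = next_active(name, nodep);
		if (result == ISC_R_SUCCESS) {
			if (dns_name_issubdomain(name, origin) &&
			    (lastcut == NULL ||
			     !dns_name_issubdomain(name, lastcut)))
				return (ISC_R_SUCCESS);
			result = dns_master_dumpnodetostream(mctx, gdb,
							     gversion,
							     *nodep, name,
							     masterstyle, fp);
			check_result(result, "dns_master_dumpnodetostream");
			dns_db_detachnode(gdb, nodep);
			result = dns_dbiterator_next(gdbiter);
		}
	} while (result == ISC_R_SUCCESS);
	return (result);
}

/*
 * Extracts the TTL from the SOA.
 *
 * Looks up the SOA rdataset at the zone origin in the global database and
 * returns its TTL; the lookup failing is fatal.
 */
static dns_ttl_t
soattl(void) {
	dns_rdataset_t soaset;
	dns_fixedname_t fname;
	dns_name_t *name;
	isc_result_t result;
	dns_ttl_t ttl;

	dns_fixedname_init(&fname);
	name = dns_fixedname_name(&fname);
	dns_rdataset_init(&soaset);
	result = dns_db_find(gdb, gorigin, gversion, dns_rdatatype_soa,
			     0, 0, NULL, name, &soaset, NULL);
	if (result != ISC_R_SUCCESS) {
		char namestr[DNS_NAME_FORMATSIZE];

		/*
		 * NOTE(review): this formats the "found name" output of
		 * dns_db_find(), not gorigin; whether it is filled in on
		 * every failure path is not visible here -- confirm.
		 */
		dns_name_format(name, namestr, sizeof namestr);
		fatal("failed to find '%s SOA' in the zone: %s",
		      namestr, isc_result_totext(result));
	}
	ttl = soaset.ttl;
	dns_rdataset_disassociate(&soaset);
	return (ttl);
}

/*
 * Delete any SIG records at a node.
 *
 * Walks every rdataset at 'node' in 'version' and deletes each SIG rdataset,
 * keyed by the type it covers.
 */
static void
cleannode(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node) {
	dns_rdatasetiter_t *rdsiter = NULL;
	dns_rdataset_t set;
	isc_result_t result, dresult;

	dns_rdataset_init(&set);
	result = dns_db_allrdatasets(db, node, version, 0, &rdsiter);
	check_result(result, "dns_db_allrdatasets");
	result = dns_rdatasetiter_first(rdsiter);
	while (result == ISC_R_SUCCESS) {
		isc_boolean_t destroy = ISC_FALSE;
		dns_rdatatype_t covers = 0;

		dns_rdatasetiter_current(rdsiter, &set);
		if (set.type == dns_rdatatype_sig) {
			covers = set.covers;
			destroy = ISC_TRUE;
		}
		dns_rdataset_disassociate(&set);
		/*
		 * The iterator is advanced before the rdataset it was
		 * resting on is deleted.
		 */
		result = dns_rdatasetiter_next(rdsiter);
		if (destroy) {
			dresult = dns_db_deleterdataset(db, node, version,
							dns_rdatatype_sig,
							covers);
			check_result(dresult, "dns_db_deleterdataset");
		}
	}
	if (result != ISC_R_NOMORE)
		fatal("rdataset iteration failed: %s",
		      isc_result_totext(result));
	dns_rdatasetiter_destroy(&rdsiter);
}

/*
 * Set up the iterator and global state before starting the tasks.
 */
static void
presign(void) {
	isc_result_t result;

	gdbiter = NULL;
	result = dns_db_createiterator(gdb, ISC_FALSE, &gdbiter);
	check_result(result, "dns_db_createiterator()");

	result = dns_dbiterator_first(gdbiter);
	check_result(result, "dns_dbiterator_first()");

	lastzonecut = NULL;
	zonettl = soattl();
}

/*
 * Clean up the iterator and global state after the tasks complete.
 */
static void
postsign(void) {
	if (lastzonecut != NULL) {
		dns_name_free(lastzonecut, mctx);
		isc_mem_put(mctx, lastzonecut, sizeof(dns_name_t));
		/* Do not leave the global pointing at freed memory. */
		lastzonecut = NULL;
	}
	dns_dbiterator_destroy(&gdbiter);
}

/*
 * Find the next name to nxtify & sign
 *
 * Runs entirely under 'namelock', which serialises access to the shared
 * iterator and to gnode, lastzonecut and finished.
 *
 * On ISC_R_SUCCESS, '*nodep' is the node to process, 'name' its name and
 * 'nextname' the name of the node selected after it (the zone origin once
 * the walk is exhausted).  Returns ISC_R_NOMORE when shutting down or when
 * the last name has already been handed out.
 */
static isc_result_t
getnextname(dns_name_t *name, dns_name_t *nextname, dns_dbnode_t **nodep) {
	isc_result_t result;
	dns_dbnode_t *nextnode, *curnode;

	LOCK(&namelock);

	if (shuttingdown || finished) {
		result = ISC_R_NOMORE;
		if (gnode != NULL)
			dns_db_detachnode(gdb, &gnode);
		goto out;
	}

	if (gnode == NULL) {
		dns_fixedname_t ftname;
		dns_name_t *tname;

		dns_fixedname_init(&ftname);
		tname = dns_fixedname_name(&ftname);

		result = next_nonglue(tname, &gnode, gorigin, lastzonecut);
		if (result != ISC_R_SUCCESS)
			fatal("failed to iterate through the zone");
	}

	nextnode = NULL;
	curnode = NULL;
	/*
	 * Check the result rather than discarding it: on failure 'curnode'
	 * would still be NULL and 'name' unset when they are used below.
	 */
	result = dns_dbiterator_current(gdbiter, &curnode, name);
	if (result != ISC_R_SUCCESS)
		fatal("failed to get the current database node: %s",
		      isc_result_totext(result));

	if (!dns_name_equal(name, gorigin)) {
		dns_rdatasetiter_t *rdsiter = NULL;
		dns_rdataset_t set;

		dns_rdataset_init(&set);
		result = dns_db_allrdatasets(gdb, curnode, gversion, 0,
					     &rdsiter);
		check_result(result, "dns_db_allrdatasets");

		/* Look for an NS rdataset at this non-origin node. */
		result = dns_rdatasetiter_first(rdsiter);
		while (result == ISC_R_SUCCESS) {
			dns_rdatasetiter_current(rdsiter, &set);
			if (set.type == dns_rdatatype_ns) {
				dns_rdataset_disassociate(&set);
				break;
			}
			dns_rdataset_disassociate(&set);
			result = dns_rdatasetiter_next(rdsiter);
		}
		if (result != ISC_R_SUCCESS && result != ISC_R_NOMORE)
			fatal("rdataset iteration failed: %s",
			      isc_result_totext(result));
		if (result == ISC_R_SUCCESS) {
			/*
			 * An NS rdataset was found: remember this name as
			 * the most recent zone cut, reusing the existing
			 * dns_name_t allocation when there is one.
			 */
			if (lastzonecut != NULL)
				dns_name_free(lastzonecut, mctx);
			else {
				lastzonecut = isc_mem_get(mctx,
							  sizeof(dns_name_t));
				if (lastzonecut == NULL)
					fatal("out of memory");
			}
			dns_name_init(lastzonecut, NULL);
			result = dns_name_dup(name, mctx, lastzonecut);
			check_result(result, "dns_name_dup()");
		}
		dns_rdatasetiter_destroy(&rdsiter);
	}

	result = dns_dbiterator_next(gdbiter);
	if (result == ISC_R_SUCCESS)
		result = next_nonglue(nextname, &nextnode, gorigin,
				      lastzonecut);
	if (result == ISC_R_NOMORE) {
		/* End of the walk: the next name is the zone origin. */
		dns_name_clone(gorigin, nextname);
		finished = ISC_TRUE;
		result = ISC_R_SUCCESS;
	} else if (result != ISC_R_SUCCESS)
		fatal("iterating through the database failed: %s",
		      isc_result_totext(result));
	dns_db_detachnode(gdb, &curnode);
	*nodep = gnode;
	gnode = nextnode;

 out:
	UNLOCK(&namelock);
	return (result);
}

/*
 * Assigns a node to a worker thread.  This is protected by the master task's
 * lock.
 *
 * Allocates the two fixed names for the work item, fetches the next node and
 * sends a SIGNER_EVENT_WORK event (handled by sign()) to 'worker'.  The names
 * are freed again here when there is no more work; once sent they are freed
 * by sign() (fnextname) and writenode() (fname).  When there is no more work
 * and every assigned item has completed, the application is shut down.
 */
static void
assignwork(isc_task_t *task, isc_task_t *worker) {
	dns_fixedname_t *fname, *fnextname;
	dns_dbnode_t *node;
	sevent_t *sevent;
	isc_result_t result;

	fname = isc_mem_get(mctx, sizeof(dns_fixedname_t));
	fnextname = isc_mem_get(mctx, sizeof(dns_fixedname_t));
	if (fname == NULL || fnextname == NULL)
		fatal("out of memory");
	dns_fixedname_init(fname);
	dns_fixedname_init(fnextname);
	node = NULL;
	result = getnextname(dns_fixedname_name(fname),
			     dns_fixedname_name(fnextname), &node);
	if (result == ISC_R_NOMORE) {
		isc_mem_put(mctx, fname, sizeof(dns_fixedname_t));
		isc_mem_put(mctx, fnextname, sizeof(dns_fixedname_t));
		if (assigned == completed) {
			isc_task_detach(&task);
			isc_app_shutdown();
		}
		return;
	}
	sevent = (sevent_t *)
		 isc_event_allocate(mctx, task, SIGNER_EVENT_WORK,
				    sign, NULL, sizeof(sevent_t));
	if (sevent == NULL)
		fatal("failed to allocate event\n");

	sevent->node = node;
	sevent->fname = fname;
	sevent->fnextname = fnextname;
	isc_task_send(worker, (isc_event_t **)&sevent);
	assigned++;
}

/*
 * Start a worker task
 *
 * The worker task is passed in the event's ev_arg.
 */
static void
startworker(isc_task_t *task, isc_event_t *event) {
	isc_task_t *worker;

	worker = (isc_task_t *)event->ev_arg;
	assignwork(task, worker);
	isc_event_free(&event);
}

/*
 * Write a node to the output file, and restart the worker task.
 *
 * After the node has been written, its SIG rdatasets are deleted from the
 * database, the node is detached and the name buffer is freed.  The worker
 * that sent the event (ev_sender) is then given its next item.
 */
static void
writenode(isc_task_t *task, isc_event_t *event) {
	isc_result_t result;
	isc_task_t *worker;
	sevent_t *sevent = (sevent_t *)event;

	completed++;
	worker = (isc_task_t *)event->ev_sender;
	result = dns_master_dumpnodetostream(mctx, gdb, gversion,
					     sevent->node,
					     dns_fixedname_name(sevent->fname),
					     masterstyle, fp);
	check_result(result, "dns_master_dumpnodetostream");
	cleannode(gdb, gversion, sevent->node);
	dns_db_detachnode(gdb, &sevent->node);
	isc_mem_put(mctx, sevent->fname, sizeof(dns_fixedname_t));
	assignwork(task, worker);
	isc_event_free(&event);
}

/*
 *  Sign and nxtify a database node.
 *
 * Builds the NXT record pointing at the next name, signs the node, then
 * hands the node and its name to the master task in a SIGNER_EVENT_WRITE
 * event (handled by writenode()).
 */
static void
sign(isc_task_t *task, isc_event_t *event) {
	dns_fixedname_t *fname, *fnextname;
	dns_dbnode_t *node;
	sevent_t *sevent, *wevent;
	isc_result_t result;

	/* Copy what is needed out of the event before it is freed. */
	sevent = (sevent_t *)event;
	node = sevent->node;
	fname = sevent->fname;
	fnextname = sevent->fnextname;
	isc_event_free(&event);

	result = dns_nxt_build(gdb, gversion, node,
			       dns_fixedname_name(fnextname), zonettl);
	check_result(result, "dns_nxt_build()");
	isc_mem_put(mctx, fnextname, sizeof(dns_fixedname_t));
	signname(node, dns_fixedname_name(fname));
	wevent = (sevent_t *)
		 isc_event_allocate(mctx, task, SIGNER_EVENT_WRITE,
				    writenode, NULL, sizeof(sevent_t));
	if (wevent == NULL)
		fatal("failed to allocate event\n");
	wevent->node = node;
	wevent->fname = fname;
	isc_task_send(master, (isc_event_t **)&wevent);
}

/*
 * Load the zone file from disk
 *
 * 'origin' is converted from text to a DNS name (relative to the root), an
 * "rbt" zone database of class 'rdclass' is created in '*db', and 'file' is
 * loaded into it.  Any failure is fatal; DNS_R_SEENINCLUDE from the load is
 * accepted.
 */
static void
loadzone(char *file, char *origin, dns_rdataclass_t rdclass, dns_db_t **db) {
	isc_buffer_t b;
	int len;
	dns_fixedname_t fname;
	dns_name_t *name;
	isc_result_t result;

	/*
	 * NOTE(review): strlen() returns size_t and is narrowed to int here;
	 * presumably 'origin' is a short caller-supplied string -- confirm
	 * against the caller.
	 */
	len = strlen(origin);
	isc_buffer_init(&b, origin, len);
	isc_buffer_add(&b, len);

	dns_fixedname_init(&fname);
	name = dns_fixedname_name(&fname);
	result = dns_name_fromtext(name, &b, dns_rootname, ISC_FALSE, NULL);
	if (result != ISC_R_SUCCESS)
		fatal("failed converting name '%s' to dns format: %s",
		      origin, isc_result_totext(result));

	result = dns_db_create(mctx, "rbt", name, dns_dbtype_zone,
			       rdclass, 0, NULL, db);
	check_result(result, "dns_db_create()");

	result = dns_db_load(*db, file);
	if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE)
		fatal("failed loading zone from '%s': %s",
		      file, isc_result_totext(result));
}

/*
 * Finds all public zone keys in the zone, and attempts to load the
 * private keys from disk.
 *
 * Each key found is wrapped with newkeystruct() and appended to the global
 * key list.  ISC_R_NOTFOUND from the key search is not an error.
 */
static void
loadzonekeys(dns_db_t *db) {
	dns_dbnode_t *node;
	dns_dbversion_t *currentversion;
	isc_result_t result;
	dst_key_t *keys[20];
	/*
	 * Start at zero so the loop below does not read an indeterminate
	 * count if the search returns without storing one (the
	 * ISC_R_NOTFOUND path is accepted as success).
	 */
	unsigned int nkeys = 0, i;

	currentversion = NULL;
	dns_db_currentversion(db, &currentversion);

	node = NULL;
	result = dns_db_findnode(db, gorigin, ISC_FALSE, &node);
	if (result != ISC_R_SUCCESS)
		fatal("failed to find the zone's origin: %s",
		      isc_result_totext(result));

	/*
	 * The capacity passed in is derived from the array itself, so the
	 * bound cannot drift from the declaration of 'keys'.
	 */
	result = dns_dnssec_findzonekeys(db, currentversion, node, gorigin,
					 mctx,
					 (unsigned int)(sizeof(keys) /
							sizeof(keys[0])),
					 keys, &nkeys);
	if (result == ISC_R_NOTFOUND)
		result = ISC_R_SUCCESS;
	if (result != ISC_R_SUCCESS)
		fatal("failed to find the zone keys: %s",
		      isc_result_totext(result));

	for (i = 0; i < nkeys; i++) {
		signer_key_t *key;

		key = newkeystruct(keys[i], ISC_FALSE);
		ISC_LIST_APPEND(keylist, key, link);
	}
	dns_db_detachnode(db, &node);
	dns_db_closeversion(db, &currentversion, ISC_FALSE);
}

/*
 * Finds all public zone keys in the zone.
 */
static void
loadzonepubkeys(dns_db_t *db) {
	dns_dbversion_t *currentversion = NULL;
	dns_dbnode_t *node = NULL;
	dns_rdataset_t rdataset;
	dns_rdata_t rdata = DNS_RDATA_INIT;
	dst_key_t *pubkey;
	signer_key_t *key;
	isc_result_t result;

	dns_db_currentversion(db, &currentversion);

	result = dns_db_findnode(db, gorigin, ISC_FALSE, &node);
	if (result != ISC_R_SUCCESS)
		fatal("failed to find the zone's origin: %s",
		      isc_result_totext(result));

	dns_rdataset_init(&rdataset);
	result = dns_db_findrdataset(db, node, currentversion,
				     dns_rdatatype_key, 0, 0, &rdataset, NULL);
	if (result != ISC_R_SUCCESS)
		fatal("failed to find keys at the zone apex: %s",
		      isc_result_totext(result));
	result = dns_rdataset_first(&rdataset);
	check_result(result, "dns_rdataset_first");
	/*
	 * NOTE(review): the listing on this page ends here, part-way through
	 * loadzonepubkeys(); the rest of the function is not shown.
	 */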
