285
306
result = validatezonekey(val);
286
307
if (result != DNS_R_WAIT)
287
308
validator_done(val, result);
288
} else if (val->view->dlv != NULL && !DLVTRIED(val) &&
289
(eresult == DNS_R_NXRRSET ||
290
eresult == DNS_R_NCACHENXRRSET) &&
291
!dns_name_issubdomain(val->event->name,
294
validator_log(val, ISC_LOG_DEBUG(2),
295
"no DS record: looking for DLV");
297
result = dlv_validatezonekey(val);
298
if (result != DNS_R_WAIT)
299
validator_done(val, result);
300
309
} else if (eresult == DNS_R_NXRRSET ||
301
310
eresult == DNS_R_NCACHENXRRSET)
1344
1356
return (DNS_R_NOVALIDSIG);
1349
dlv_validated(isc_task_t *task, isc_event_t *event) {
1350
dns_validatorevent_t *devent;
1351
dns_validator_t *val;
1352
isc_boolean_t want_destroy;
1353
isc_result_t result;
1354
isc_result_t eresult;
1357
INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
1359
devent = (dns_validatorevent_t *)event;
1360
val = devent->ev_arg;
1361
eresult = devent->result;
1363
isc_event_free(&event);
1364
dns_validator_destroy(&val->subvalidator);
1366
INSIST(val->event != NULL);
1368
validator_log(val, ISC_LOG_DEBUG(3), "in dsvalidated");
1370
if (eresult == ISC_R_SUCCESS) {
1371
validator_log(val, ISC_LOG_DEBUG(3),
1372
"dlv with trust %d", val->frdataset.trust);
1373
if ((val->attributes & VALATTR_INSECURITY) != 0)
1374
result = proveunsecure(val, ISC_TRUE);
1376
result = validatezonekey(val);
1377
if (result != DNS_R_WAIT)
1378
validator_done(val, result);
1380
validator_log(val, ISC_LOG_DEBUG(3),
1381
"dlv_validated: got %s",
1382
isc_result_totext(eresult));
1383
validator_done(val, eresult);
1385
want_destroy = exit_check(val);
1392
dlv_fetched(isc_task_t *task, isc_event_t *event) {
1393
dns_fetchevent_t *devent;
1394
dns_validator_t *val;
1395
dns_rdataset_t *rdataset;
1396
isc_boolean_t want_destroy;
1397
isc_result_t result;
1398
isc_result_t eresult;
1401
INSIST(event->ev_type == DNS_EVENT_FETCHDONE);
1402
devent = (dns_fetchevent_t *)event;
1403
val = devent->ev_arg;
1404
rdataset = &val->frdataset;
1405
eresult = devent->result;
1407
isc_event_free(&event);
1408
dns_resolver_destroyfetch(&val->fetch);
1410
INSIST(val->event != NULL);
1412
validator_log(val, ISC_LOG_DEBUG(3), "in dlv_fetched");
1414
if (eresult == ISC_R_SUCCESS) {
1415
validator_log(val, ISC_LOG_DEBUG(3),
1416
"dlv set with trust %d", rdataset->trust);
1417
val->dlv = &val->frdataset;
1418
result = dlv_validatezonekey(val);
1419
if (result != DNS_R_WAIT)
1420
validator_done(val, result);
1421
} else if (eresult == DNS_R_NXRRSET ||
1422
eresult == DNS_R_NCACHENXRRSET)
1424
validator_log(val, ISC_LOG_DEBUG(3),
1425
"falling back to insecurity proof");
1426
val->attributes |= VALATTR_INSECURITY;
1427
result = proveunsecure(val, ISC_FALSE);
1428
if (result != DNS_R_WAIT)
1429
validator_done(val, result);
1431
validator_log(val, ISC_LOG_DEBUG(3),
1432
"dlv_fetched: got %s",
1433
isc_result_totext(eresult));
1434
if (eresult == ISC_R_CANCELED)
1435
validator_done(val, eresult);
1437
validator_done(val, DNS_R_NOVALIDDS);
1439
want_destroy = exit_check(val);
1445
1359
static isc_result_t
1446
1360
dlv_validatezonekey(dns_validator_t *val) {
1447
dns_fixedname_t fixed;
1448
1361
dns_keytag_t keytag;
1451
1362
dns_rdata_dlv_t dlv;
1452
1363
dns_rdata_dnskey_t key;
1453
1364
dns_rdata_rrsig_t sig;
1460
1371
isc_boolean_t supported_algorithm;
1461
1372
isc_result_t result;
1462
1373
unsigned char dsbuf[DNS_DS_BUFFERSIZE];
1463
unsigned int labels;
1465
val->attributes |= VALATTR_DLVTRIED;
1467
dns_name_init(&tname, NULL);
1468
dns_fixedname_init(&fixed);
1469
name = dns_fixedname_name(&fixed);
1470
labels = dns_name_countlabels(val->event->name);
1471
dns_name_getlabelsequence(val->event->name, 0, labels - 1, &tname);
1472
result = dns_name_concatenate(&tname, val->view->dlv, name, NULL);
1473
if (result != ISC_R_SUCCESS) {
1474
validator_log(val, ISC_LOG_DEBUG(2),
1475
"DLV concatenate failed");
1476
return (DNS_R_NOVALIDSIG);
1478
if (val->dlv == NULL) {
1479
result = view_find(val, name, dns_rdatatype_dlv);
1480
if (result == ISC_R_SUCCESS) {
1482
* We have DLV records.
1484
val->dsset = &val->frdataset;
1485
if (val->frdataset.trust == dns_trust_pending &&
1486
dns_rdataset_isassociated(&val->fsigrdataset))
1488
result = create_validator(val,
1494
"dlv_validatezonekey");
1495
if (result != ISC_R_SUCCESS)
1497
return (DNS_R_WAIT);
1498
} else if (val->frdataset.trust == dns_trust_pending) {
1500
* There should never be an unsigned DLV.
1502
dns_rdataset_disassociate(&val->frdataset);
1503
validator_log(val, ISC_LOG_DEBUG(2),
1504
"unsigned DLV record");
1505
return (DNS_R_NOVALIDSIG);
1507
result = ISC_R_SUCCESS;
1508
} else if (result == ISC_R_NOTFOUND) {
1509
result = create_fetch(val, name, dns_rdatatype_dlv,
1511
"dlv_validatezonekey");
1512
if (result != ISC_R_SUCCESS)
1514
return (DNS_R_WAIT);
1515
} else if (result == DNS_R_NCACHENXDOMAIN ||
1516
result == DNS_R_NCACHENXRRSET ||
1517
result == DNS_R_NXDOMAIN ||
1518
result == DNS_R_NXRRSET)
1521
* The DS does not exist.
1523
if (dns_rdataset_isassociated(&val->frdataset))
1524
dns_rdataset_disassociate(&val->frdataset);
1525
if (dns_rdataset_isassociated(&val->fsigrdataset))
1526
dns_rdataset_disassociate(&val->fsigrdataset);
1527
validator_log(val, ISC_LOG_DEBUG(2), "no DLV record");
1528
return (DNS_R_NOVALIDSIG);
1533
* We have a DLV set.
1535
INSIST(val->dlv != NULL);
1537
if (val->dlv->trust < dns_trust_secure) {
1538
if (val->mustbesecure) {
1539
validator_log(val, ISC_LOG_WARNING,
1540
"must be secure failure");
1541
return (DNS_R_MUSTBESECURE);
1543
val->event->rdataset->trust = dns_trust_answer;
1544
val->event->sigrdataset->trust = dns_trust_answer;
1545
return (ISC_R_SUCCESS);
1375
validator_log(val, ISC_LOG_DEBUG(3), "dlv_validatezonekey");
1549
1377
* Look through the DLV record and find the keys that can sign the
1550
1378
* key set and the matching signature. For each such key, attempt
1554
1382
supported_algorithm = ISC_FALSE;
1556
for (result = dns_rdataset_first(val->dlv);
1384
for (result = dns_rdataset_first(&val->dlv);
1557
1385
result == ISC_R_SUCCESS;
1558
result = dns_rdataset_next(val->dlv))
1386
result = dns_rdataset_next(&val->dlv))
1560
1388
dns_rdata_reset(&dlvrdata);
1561
dns_rdataset_current(val->dlv, &dlvrdata);
1389
dns_rdataset_current(&val->dlv, &dlvrdata);
1562
1390
(void)dns_rdata_tostruct(&dlvrdata, &dlv, NULL);
1564
if (!dns_resolver_algorithm_supported(val->view->resolver,
1392
if (dlv.digest_type != DNS_DSDIGEST_SHA1 ||
1393
!dns_resolver_algorithm_supported(val->view->resolver,
1565
1394
val->event->name,
1566
1395
dlv.algorithm))
1783
1620
if (result != ISC_R_SUCCESS)
1784
1621
return (result);
1785
1622
return (DNS_R_WAIT);
1786
} else if (val->view->dlv != NULL && !DLVTRIED(val) &&
1787
(result == DNS_R_NCACHENXRRSET ||
1788
result == DNS_R_NXRRSET) &&
1789
!dns_name_issubdomain(val->event->name,
1793
if (dns_rdataset_isassociated(&val->frdataset))
1794
dns_rdataset_disassociate(&val->frdataset);
1795
if (dns_rdataset_isassociated(&val->fsigrdataset))
1796
dns_rdataset_disassociate(&val->fsigrdataset);
1798
validator_log(val, ISC_LOG_DEBUG(2),
1799
"no DS record: looking for DLV");
1801
return (dlv_validatezonekey(val));
1802
1623
} else if (result == DNS_R_NCACHENXDOMAIN ||
1803
1624
result == DNS_R_NCACHENXRRSET ||
1804
1625
result == DNS_R_NXDOMAIN ||
1923
1745
event->sigrdataset->trust = dns_trust_secure;
1924
1746
validator_log(val, ISC_LOG_DEBUG(3), "marking as secure");
1925
1747
return (result);
1926
} else if (result == ISC_R_NOMORE && val->view->dlv != NULL &&
1927
!DLVTRIED(val) && !dns_name_issubdomain(val->event->name,
1930
validator_log(val, ISC_LOG_DEBUG(2),
1931
"no DS/DNSKEY pair: looking for DLV");
1933
return (dlv_validatezonekey(val));
1934
1748
} else if (result == ISC_R_NOMORE && !supported_algorithm) {
1935
1749
if (val->mustbesecure) {
1936
1750
validator_log(val, ISC_LOG_WARNING,
1937
1751
"must be secure failure");
1938
1752
return (DNS_R_MUSTBESECURE);
1940
val->event->rdataset->trust = dns_trust_answer;
1941
val->event->sigrdataset->trust = dns_trust_answer;
1942
1754
validator_log(val, ISC_LOG_DEBUG(3),
1943
"no supported algorithm (ds)");
1755
"no supported algorithm/digest (DS)");
1944
1757
return (ISC_R_SUCCESS);
1946
1759
return (DNS_R_NOVALIDSIG);
2205
2018
dns_rdataset_current(rdataset, &dsrdata);
2206
2019
(void)dns_rdata_tostruct(&dsrdata, &ds, NULL);
2208
if (dns_resolver_algorithm_supported(val->view->resolver,
2209
name, ds.algorithm))
2021
if (ds.digest_type == DNS_DSDIGEST_SHA1 &&
2022
dns_resolver_algorithm_supported(val->view->resolver,
2023
name, ds.algorithm)) {
2024
dns_rdata_reset(&dsrdata);
2210
2025
return (ISC_TRUE);
2211
2027
dns_rdata_reset(&dsrdata);
2213
2029
return (ISC_FALSE);
2217
dlv_fetched2(isc_task_t *task, isc_event_t *event) {
2033
dlvfetched(isc_task_t *task, isc_event_t *event) {
2034
char namebuf[DNS_NAME_FORMATSIZE];
2218
2035
dns_fetchevent_t *devent;
2219
2036
dns_validator_t *val;
2220
2037
isc_boolean_t want_destroy;
2226
2043
devent = (dns_fetchevent_t *)event;
2227
2044
val = devent->ev_arg;
2228
2045
eresult = devent->result;
2047
/* Free resources which are not of interest. */
2048
if (devent->node != NULL)
2049
dns_db_detachnode(devent->db, &devent->node);
2050
if (devent->db != NULL)
2051
dns_db_detach(&devent->db);
2052
if (dns_rdataset_isassociated(&val->fsigrdataset))
2053
dns_rdataset_disassociate(&val->fsigrdataset);
2230
2054
isc_event_free(&event);
2231
2055
dns_resolver_destroyfetch(&val->fetch);
2233
2057
INSIST(val->event != NULL);
2234
validator_log(val, ISC_LOG_DEBUG(3), "in dlv_fetched2: %s",
2058
validator_log(val, ISC_LOG_DEBUG(3), "in dlvfetched: %s",
2235
2059
dns_result_totext(eresult));
2237
2061
LOCK(&val->lock);
2238
2062
if (eresult == ISC_R_SUCCESS) {
2063
dns_name_format(dns_fixedname_name(&val->dlvsep), namebuf,
2065
dns_rdataset_clone(&val->frdataset, &val->dlv);
2239
2066
val->havedlvsep = ISC_TRUE;
2240
result = proveunsecure(val, ISC_FALSE);
2067
validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found", namebuf);
2068
result = dlv_validator_start(val);
2241
2069
if (result != DNS_R_WAIT)
2242
2070
validator_done(val, result);
2243
2071
} else if (eresult == DNS_R_NXRRSET ||
2246
2074
eresult == DNS_R_NCACHENXDOMAIN) {
2247
2075
result = finddlvsep(val, ISC_TRUE);
2248
2076
if (result == ISC_R_SUCCESS) {
2249
result = proveunsecure(val, ISC_FALSE);
2077
dns_name_format(dns_fixedname_name(&val->dlvsep),
2078
namebuf, sizeof(namebuf));
2079
validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found",
2081
result = dlv_validator_start(val);
2250
2082
if (result != DNS_R_WAIT)
2251
2083
validator_done(val, result);
2252
2084
} else if (result == ISC_R_NOTFOUND) {
2085
validator_log(val, ISC_LOG_DEBUG(3), "DLV not found");
2253
2087
validator_done(val, ISC_R_SUCCESS);
2254
} else if (result != DNS_R_WAIT)
2255
validator_done(val, result);
2089
validator_log(val, ISC_LOG_DEBUG(3), "DLV lookup: %s",
2090
dns_result_totext(result));
2091
if (result != DNS_R_WAIT)
2092
validator_done(val, result);
2095
validator_log(val, ISC_LOG_DEBUG(3), "DLV lookup: %s",
2096
dns_result_totext(eresult));
2257
2098
want_destroy = exit_check(val);
2258
2099
UNLOCK(&val->lock);
2263
2104
static isc_result_t
2105
startfinddlvsep(dns_validator_t *val, dns_name_t *unsecure) {
2106
char namebuf[DNS_NAME_FORMATSIZE];
2107
isc_result_t result;
2109
INSIST(!DLVTRIED(val));
2111
val->attributes |= VALATTR_DLVTRIED;
2113
dns_name_format(unsecure, namebuf, sizeof(namebuf));
2114
validator_log(val, ISC_LOG_DEBUG(3),
2115
"plain DNSSEC returns unsecure (%s): looking for DLV",
2118
if (dns_name_issubdomain(val->event->name, val->view->dlv)) {
2119
validator_log(val, ISC_LOG_WARNING, "must be secure failure");
2120
return (DNS_R_MUSTBESECURE);
2123
val->dlvlabels = dns_name_countlabels(unsecure) - 1;
2124
result = finddlvsep(val, ISC_FALSE);
2125
if (result == ISC_R_NOTFOUND) {
2126
validator_log(val, ISC_LOG_DEBUG(3), "DLV not found");
2128
return (ISC_R_SUCCESS);
2130
if (result != ISC_R_SUCCESS) {
2131
validator_log(val, ISC_LOG_DEBUG(3), "DLV lookup: %s",
2132
dns_result_totext(result));
2135
dns_name_format(dns_fixedname_name(&val->dlvsep), namebuf,
2137
validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found", namebuf);
2138
return (dlv_validator_start(val));
2264
2142
finddlvsep(dns_validator_t *val, isc_boolean_t resume) {
2143
char namebuf[DNS_NAME_FORMATSIZE];
2265
2144
dns_fixedname_t dlvfixed;
2266
2145
dns_name_t *dlvname;
2267
2146
dns_name_t *dlvsep;
2268
2147
dns_name_t noroot;
2269
2148
isc_result_t result;
2270
2149
unsigned int labels;
2151
INSIST(val->view->dlv != NULL);
2155
if (dns_name_issubdomain(val->event->name, val->view->dlv)) {
2156
validator_log(val, ISC_LOG_WARNING,
2157
"must be secure failure");
2158
return (DNS_R_MUSTBESECURE);
2273
2161
dns_fixedname_init(&val->dlvsep);
2274
2162
dlvsep = dns_fixedname_name(&val->dlvsep);
2275
2163
dns_name_copy(val->event->name, dlvsep, NULL);
2276
val->attributes |= VALATTR_DLVSEPTRIED;
2164
if (val->event->type == dns_rdatatype_ds) {
2165
labels = dns_name_countlabels(dlvsep);
2167
return (ISC_R_NOTFOUND);
2168
dns_name_getlabelsequence(dlvsep, 1, labels - 1,
2278
2172
dlvsep = dns_fixedname_name(&val->dlvsep);
2279
2173
labels = dns_name_countlabels(dlvsep);
2297
2193
return (DNS_R_NOVALIDSIG);
2300
while (dns_name_countlabels(dlvname) >
2301
dns_name_countlabels(val->view->dlv))
2196
while (dns_name_countlabels(dlvname) >=
2197
dns_name_countlabels(val->view->dlv) + val->dlvlabels) {
2198
dns_name_format(dlvname, namebuf, sizeof(namebuf));
2199
validator_log(val, ISC_LOG_DEBUG(3), "looking for DLV %s",
2303
2201
result = view_find(val, dlvname, dns_rdatatype_dlv);
2304
2202
if (result == ISC_R_SUCCESS) {
2305
2203
if (val->frdataset.trust < dns_trust_secure)
2306
2204
return (DNS_R_NOVALIDSIG);
2307
2205
val->havedlvsep = ISC_TRUE;
2206
dns_rdataset_clone(&val->frdataset, &val->dlv);
2308
2207
return (ISC_R_SUCCESS);
2310
2209
if (result == ISC_R_NOTFOUND) {
2311
result = create_fetch(val, dlvname, dns_rdatatype_dlv,
2312
dlv_fetched2, "finddlvsep");
2313
if (result != ISC_R_SUCCESS)
2315
return (DNS_R_WAIT);
2210
result = create_fetch(val, dlvname, dns_rdatatype_dlv,
2211
dlvfetched, "finddlvsep");
2212
if (result != ISC_R_SUCCESS)
2214
return (DNS_R_WAIT);
2317
2216
if (result != DNS_R_NXRRSET &&
2318
2217
result != DNS_R_NXDOMAIN &&
2319
2218
result != DNS_R_NCACHENXRRSET &&
2320
result != DNS_R_NCACHENXDOMAIN)
2219
result != DNS_R_NCACHENXDOMAIN)
2321
2220
return (result);
2323
2222
* Strip first labels from both dlvsep and dlvname.
2325
2224
labels = dns_name_countlabels(dlvsep);
2326
2227
dns_name_getlabelsequence(dlvsep, 1, labels - 1, dlvsep);
2327
2228
labels = dns_name_countlabels(dlvname);
2328
2229
dns_name_getlabelsequence(dlvname, 1, labels - 1, dlvname);
2330
2231
return (ISC_R_NOTFOUND);
2235
* proveunsecure walks down from the SEP looking for a break in the
2236
* chain of trust. That occurs when we can prove the DS record does
2237
* not exist at a delegation point or the DS exists at a delegation
2238
* but we don't support the algorithm/digest.
2333
2240
static isc_result_t
2334
2241
proveunsecure(dns_validator_t *val, isc_boolean_t resume) {
2335
2242
isc_result_t result;
2336
isc_result_t tresult;
2337
dns_fixedname_t secroot;
2243
dns_fixedname_t fixedsecroot;
2244
dns_name_t *secroot;
2338
2245
dns_name_t *tname;
2340
dns_fixedname_init(&secroot);
2341
result = dns_keytable_finddeepestmatch(val->keytable,
2343
dns_fixedname_name(&secroot));
2345
* If the name is not under a security root, it must be insecure.
2347
if (val->view->dlv != NULL && !DLVSEPTRIED(val) &&
2348
!dns_name_issubdomain(val->event->name, val->view->dlv)) {
2349
tresult = finddlvsep(val, ISC_FALSE);
2350
if (tresult != ISC_R_NOTFOUND && tresult != ISC_R_SUCCESS) {
2351
validator_log(val, ISC_LOG_DEBUG(3),
2352
"finddlvsep returned: %s",
2353
dns_result_totext(tresult));
2358
if (result == ISC_R_NOTFOUND) {
2359
if (!val->havedlvsep) {
2360
validator_log(val, ISC_LOG_DEBUG(3),
2361
"not beneath secure root / DLV");
2246
char namebuf[DNS_NAME_FORMATSIZE];
2248
dns_fixedname_init(&fixedsecroot);
2249
secroot = dns_fixedname_name(&fixedsecroot);
2250
if (val->havedlvsep)
2251
dns_name_copy(dns_fixedname_name(&val->dlvsep), secroot, NULL);
2253
result = dns_keytable_finddeepestmatch(val->keytable,
2257
if (result == ISC_R_NOTFOUND) {
2258
validator_log(val, ISC_LOG_DEBUG(3),
2259
"not beneath secure root");
2362
2260
if (val->mustbesecure) {
2363
2261
validator_log(val, ISC_LOG_WARNING,
2364
2262
"must be secure failure");
2365
2263
result = DNS_R_MUSTBESECURE;
2368
val->event->rdataset->trust = dns_trust_answer;
2369
return (ISC_R_SUCCESS);
2371
dns_name_copy(dns_fixedname_name(&val->dlvsep),
2372
dns_fixedname_name(&secroot), NULL);
2373
} else if (result != ISC_R_SUCCESS)
2375
else if (val->havedlvsep &&
2376
dns_name_issubdomain(dns_fixedname_name(&val->dlvsep),
2377
dns_fixedname_name(&secroot))) {
2378
dns_name_copy(dns_fixedname_name(&val->dlvsep),
2379
dns_fixedname_name(&secroot), NULL);
2266
if (val->view->dlv == NULL || DLVTRIED(val)) {
2268
return (ISC_R_SUCCESS);
2270
return (startfinddlvsep(val, dns_rootname));
2271
} else if (result != ISC_R_SUCCESS)
2384
dns_name_countlabels(dns_fixedname_name(&secroot)) + 1;
2277
* We are looking for breaks below the SEP so add a label.
2279
val->labels = dns_name_countlabels(secroot) + 1;
2386
2281
validator_log(val, ISC_LOG_DEBUG(3), "resuming proveunsecure");
2387
2282
if (val->frdataset.trust >= dns_trust_secure &&
2388
!check_ds_algorithm(val, dns_fixedname_name(&val->fname),
2283
!check_ds(val, dns_fixedname_name(&val->fname),
2285
dns_name_format(dns_fixedname_name(&val->fname),
2286
namebuf, sizeof(namebuf));
2390
2287
if (val->mustbesecure) {
2391
2288
validator_log(val, ISC_LOG_WARNING,
2392
"must be secure failure");
2289
"must be secure failure at '%s'",
2393
2291
result = DNS_R_MUSTBESECURE;
2396
2294
validator_log(val, ISC_LOG_DEBUG(3),
2397
"no supported algorithm (ds)");
2398
val->event->rdataset->trust = dns_trust_answer;
2399
result = ISC_R_SUCCESS;
2295
"no supported algorithm/digest (%s/DS)",
2297
if (val->view->dlv == NULL || DLVTRIED(val)) {
2299
result = ISC_R_SUCCESS;
2302
result = startfinddlvsep(val,
2303
dns_fixedname_name(&val->fname));
2547
2474
if (val->event == NULL)
2550
validator_log(val, ISC_LOG_DEBUG(3), "starting");
2478
validator_log(val, ISC_LOG_DEBUG(3), "restarting using DLV");
2480
validator_log(val, ISC_LOG_DEBUG(3), "starting");
2552
2482
LOCK(&val->lock);
2554
if (val->event->rdataset != NULL && val->event->sigrdataset != NULL) {
2484
if ((val->options & DNS_VALIDATOR_DLV) != 0) {
2485
validator_log(val, ISC_LOG_DEBUG(3), "looking for DLV");
2486
result = startfinddlvsep(val, dns_rootname);
2487
} else if (val->event->rdataset != NULL &&
2488
val->event->sigrdataset != NULL) {
2555
2489
isc_result_t saved_result;
2798
2743
dns_rdatatype_format(val->event->type, typebuf,
2799
2744
sizeof(typebuf));
2800
2745
isc_log_write(dns_lctx, category, module, level,
2801
"validating %s %s: %s", namebuf, typebuf,
2746
"%.*svalidating @%p: %s %s: %s", depth, spaces,
2747
val, namebuf, typebuf, msgbuf);
2804
2749
isc_log_write(dns_lctx, category, module, level,
2805
"validator @%p: %s", val, msgbuf);
2750
"%.*svalidator @%p: %s", depth, spaces,