← Back to branch summary

~andreserl/ubuntu/lucid/bind9/bind9-apport-533601

« back to all changes in this revision

Viewing changes to lib/dns/validator.c

  • Committer: Bazaar Package Importer
  • Author(s): LaMont Jones
  • Date: 2006-01-05 12:29:28 UTC
  • mfrom: (1.1.2 upstream)
  • Revision ID: james.westby@ubuntu.com-20060105122928-oih7ttkkmpb90q8q
Tags: 1:9.3.2-1
* New upstream
* use lsb-base for start/stop messages in init.d.
* switch to debhelper 4

Show diffs side-by-side

added added

removed removed

Lines of Context:
lib/dns/validator.c
15
15
 * PERFORMANCE OF THIS SOFTWARE.
16
16
 */
17
17
 
18
 
/* $Id: validator.c,v 1.91.2.5.8.15 2005/02/09 05:13:02 marka Exp $ */
 
18
/* $Id: validator.c,v 1.91.2.5.8.21 2005/11/02 02:07:47 marka Exp $ */
19
19
 
20
20
#include <config.h>
21
21
 
51
51
#define VALATTR_TRIEDVERIFY             0x0004
52
52
#define VALATTR_NEGATIVE                0x0008
53
53
#define VALATTR_INSECURITY              0x0010
54
 
#define VALATTR_DLV                     0x0020
55
 
#define VALATTR_DLVTRIED                0x0040
56
 
#define VALATTR_DLVSEPTRIED             0x0080
 
54
#define VALATTR_DLVTRIED                0x0020
57
55
 
58
56
#define VALATTR_NEEDNOQNAME             0x0100
59
57
#define VALATTR_NEEDNOWILDCARD          0x0200
63
61
#define VALATTR_FOUNDNOWILDCARD         0x2000
64
62
#define VALATTR_FOUNDNODATA             0x4000
65
63
 
66
 
 
67
64
#define NEEDNODATA(val) ((val->attributes & VALATTR_NEEDNODATA) != 0)
68
65
#define NEEDNOQNAME(val) ((val->attributes & VALATTR_NEEDNOQNAME) != 0)
69
66
#define NEEDNOWILDCARD(val) ((val->attributes & VALATTR_NEEDNOWILDCARD) != 0)
70
 
#define DLV(val) ((val->attributes & VALATTR_DLV) != 0)
71
67
#define DLVTRIED(val) ((val->attributes & VALATTR_DLVTRIED) != 0)
72
 
#define DLVSEPTRIED(val) ((val->attributes & VALATTR_DLVSEPTRIED) != 0)
73
68
 
74
69
#define SHUTDOWN(v)             (((v)->attributes & VALATTR_SHUTDOWN) != 0)
75
70
 
110
105
dlv_validatezonekey(dns_validator_t *val);
111
106
 
112
107
static isc_result_t
 
108
dlv_validator_start(dns_validator_t *val);
 
109
 
 
110
static isc_result_t
113
111
finddlvsep(dns_validator_t *val, isc_boolean_t resume);
114
112
 
 
113
static inline void
 
114
markanswer(dns_validator_t *val) {
 
115
        validator_log(val, ISC_LOG_DEBUG(3), "marking as answer");
 
116
        if (val->event->rdataset)
 
117
                val->event->rdataset->trust = dns_trust_answer;
 
118
        if (val->event->sigrdataset)
 
119
                val->event->sigrdataset->trust = dns_trust_answer;
 
120
}
 
121
 
115
122
static void
116
123
validator_done(dns_validator_t *val, isc_result_t result) {
117
124
        isc_task_t *task;
219
226
        rdataset = &val->frdataset;
220
227
        eresult = devent->result;
221
228
 
 
229
        /* Free resources which are not of interest. */
 
230
        if (devent->node != NULL)
 
231
                dns_db_detachnode(devent->db, &devent->node);
 
232
        if (devent->db != NULL)
 
233
                dns_db_detach(&devent->db);
 
234
        if (dns_rdataset_isassociated(&val->fsigrdataset))
 
235
                dns_rdataset_disassociate(&val->fsigrdataset);
222
236
        isc_event_free(&event);
223
237
        dns_resolver_destroyfetch(&val->fetch);
224
238
 
271
285
        rdataset = &val->frdataset;
272
286
        eresult = devent->result;
273
287
 
 
288
        /* Free resources which are not of interest. */
 
289
        if (devent->node != NULL)
 
290
                dns_db_detachnode(devent->db, &devent->node);
 
291
        if (devent->db != NULL)
 
292
                dns_db_detach(&devent->db);
 
293
        if (dns_rdataset_isassociated(&val->fsigrdataset))
 
294
                dns_rdataset_disassociate(&val->fsigrdataset);
274
295
        isc_event_free(&event);
275
296
        dns_resolver_destroyfetch(&val->fetch);
276
297
 
285
306
                result = validatezonekey(val);
286
307
                if (result != DNS_R_WAIT)
287
308
                        validator_done(val, result);
288
 
        } else if (val->view->dlv != NULL && !DLVTRIED(val) &&
289
 
                   (eresult == DNS_R_NXRRSET ||
290
 
                    eresult == DNS_R_NCACHENXRRSET) &&
291
 
                   !dns_name_issubdomain(val->event->name,
292
 
                                         val->view->dlv))
293
 
        {
294
 
                validator_log(val, ISC_LOG_DEBUG(2),
295
 
                              "no DS record: looking for DLV");
296
 
 
297
 
                result = dlv_validatezonekey(val);
298
 
                if (result != DNS_R_WAIT)
299
 
                        validator_done(val, result);
300
309
        } else if (eresult == DNS_R_NXRRSET ||
301
310
                   eresult == DNS_R_NCACHENXRRSET)
302
311
        {
328
337
dsfetched2(isc_task_t *task, isc_event_t *event) {
329
338
        dns_fetchevent_t *devent;
330
339
        dns_validator_t *val;
331
 
        dns_rdataset_t *rdataset;
332
340
        dns_name_t *tname;
333
341
        isc_boolean_t want_destroy;
334
342
        isc_result_t result;
338
346
        INSIST(event->ev_type == DNS_EVENT_FETCHDONE);
339
347
        devent = (dns_fetchevent_t *)event;
340
348
        val = devent->ev_arg;
341
 
        rdataset = &val->frdataset;
342
349
        eresult = devent->result;
343
350
 
 
351
        /* Free resources which are not of interest. */
 
352
        if (devent->node != NULL)
 
353
                dns_db_detachnode(devent->db, &devent->node);
 
354
        if (devent->db != NULL)
 
355
                dns_db_detach(&devent->db);
 
356
        if (dns_rdataset_isassociated(&val->fsigrdataset))
 
357
                dns_rdataset_disassociate(&val->fsigrdataset);
344
358
        dns_resolver_destroyfetch(&val->fetch);
345
359
 
346
360
        INSIST(val->event != NULL);
358
372
                                              "must be secure failure");
359
373
                                validator_done(val, DNS_R_MUSTBESECURE);
360
374
                        } else {
361
 
                                val->event->rdataset->trust = dns_trust_answer;
 
375
                                markanswer(val);
362
376
                                validator_done(val, ISC_R_SUCCESS);
363
377
                        }
364
378
                } else {
553
567
                              "nsec proves name exists (owner) data=%d",
554
568
                              *data);
555
569
                return (ISC_R_SUCCESS);
556
 
        } 
 
570
        }
557
571
 
558
572
        if (relation == dns_namereln_subdomain &&
559
573
            dns_nsec_typepresent(&rdata, dns_rdatatype_ns) &&
627
641
authvalidated(isc_task_t *task, isc_event_t *event) {
628
642
        dns_validatorevent_t *devent;
629
643
        dns_validator_t *val;
630
 
        dns_rdataset_t *rdataset, *sigrdataset;
 
644
        dns_rdataset_t *rdataset;
631
645
        isc_boolean_t want_destroy;
632
646
        isc_result_t result;
633
647
        isc_boolean_t exists, data;
637
651
 
638
652
        devent = (dns_validatorevent_t *)event;
639
653
        rdataset = devent->rdataset;
640
 
        sigrdataset = devent->sigrdataset;
641
654
        val = devent->ev_arg;
642
655
        result = devent->result;
643
656
        dns_validator_destroy(&val->subvalidator);
916
929
                                      rdataset, sigrdataset, NULL, 0,
917
930
                                      val->task, action, val,
918
931
                                      &val->subvalidator);
919
 
        if (result == ISC_R_SUCCESS)
 
932
        if (result == ISC_R_SUCCESS) {
920
933
                val->subvalidator->parent = val;
 
934
                val->subvalidator->depth = val->depth + 1;
 
935
        }
921
936
        return (result);
922
937
}
923
938
 
1252
1267
                                              "must be secure failure");
1253
1268
                                return (DNS_R_MUSTBESECURE);
1254
1269
                        }
1255
 
                        event->rdataset->trust = dns_trust_answer;
1256
 
                        event->sigrdataset->trust = dns_trust_answer;
1257
 
                        validator_log(val, ISC_LOG_DEBUG(3),
1258
 
                                      "marking as answer");
 
1270
                        markanswer(val);
1259
1271
                        return (ISC_R_SUCCESS);
1260
1272
                }
1261
1273
 
1344
1356
        return (DNS_R_NOVALIDSIG);
1345
1357
}
1346
1358
 
1347
 
 
1348
 
static void
1349
 
dlv_validated(isc_task_t *task, isc_event_t *event) {
1350
 
        dns_validatorevent_t *devent;
1351
 
        dns_validator_t *val;
1352
 
        isc_boolean_t want_destroy;
1353
 
        isc_result_t result;
1354
 
        isc_result_t eresult;
1355
 
 
1356
 
        UNUSED(task);
1357
 
        INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
1358
 
 
1359
 
        devent = (dns_validatorevent_t *)event;
1360
 
        val = devent->ev_arg;
1361
 
        eresult = devent->result;
1362
 
 
1363
 
        isc_event_free(&event);
1364
 
        dns_validator_destroy(&val->subvalidator);
1365
 
 
1366
 
        INSIST(val->event != NULL);
1367
 
 
1368
 
        validator_log(val, ISC_LOG_DEBUG(3), "in dsvalidated");
1369
 
        LOCK(&val->lock);
1370
 
        if (eresult == ISC_R_SUCCESS) {
1371
 
                validator_log(val, ISC_LOG_DEBUG(3),
1372
 
                              "dlv with trust %d", val->frdataset.trust);
1373
 
                if ((val->attributes & VALATTR_INSECURITY) != 0)
1374
 
                        result = proveunsecure(val, ISC_TRUE);
1375
 
                else
1376
 
                        result = validatezonekey(val);
1377
 
                if (result != DNS_R_WAIT)
1378
 
                        validator_done(val, result);
1379
 
        } else {
1380
 
                validator_log(val, ISC_LOG_DEBUG(3),
1381
 
                              "dlv_validated: got %s",
1382
 
                              isc_result_totext(eresult));
1383
 
                validator_done(val, eresult);
1384
 
        }
1385
 
        want_destroy = exit_check(val);
1386
 
        UNLOCK(&val->lock);
1387
 
        if (want_destroy)
1388
 
                destroy(val);
1389
 
}
1390
 
 
1391
 
static void
1392
 
dlv_fetched(isc_task_t *task, isc_event_t *event) {
1393
 
        dns_fetchevent_t *devent;
1394
 
        dns_validator_t *val;
1395
 
        dns_rdataset_t *rdataset;
1396
 
        isc_boolean_t want_destroy;
1397
 
        isc_result_t result;
1398
 
        isc_result_t eresult;
1399
 
 
1400
 
        UNUSED(task);
1401
 
        INSIST(event->ev_type == DNS_EVENT_FETCHDONE);
1402
 
        devent = (dns_fetchevent_t *)event;
1403
 
        val = devent->ev_arg;
1404
 
        rdataset = &val->frdataset;
1405
 
        eresult = devent->result;
1406
 
 
1407
 
        isc_event_free(&event);
1408
 
        dns_resolver_destroyfetch(&val->fetch);
1409
 
 
1410
 
        INSIST(val->event != NULL);
1411
 
 
1412
 
        validator_log(val, ISC_LOG_DEBUG(3), "in dlv_fetched");
1413
 
        LOCK(&val->lock);
1414
 
        if (eresult == ISC_R_SUCCESS) {
1415
 
                validator_log(val, ISC_LOG_DEBUG(3),
1416
 
                              "dlv set with trust %d", rdataset->trust);
1417
 
                val->dlv = &val->frdataset;
1418
 
                result = dlv_validatezonekey(val);
1419
 
                if (result != DNS_R_WAIT)
1420
 
                        validator_done(val, result);
1421
 
        } else if (eresult == DNS_R_NXRRSET ||
1422
 
                   eresult == DNS_R_NCACHENXRRSET)
1423
 
        {
1424
 
                validator_log(val, ISC_LOG_DEBUG(3),
1425
 
                              "falling back to insecurity proof");
1426
 
                val->attributes |= VALATTR_INSECURITY;
1427
 
                result = proveunsecure(val, ISC_FALSE);
1428
 
                if (result != DNS_R_WAIT)
1429
 
                        validator_done(val, result);
1430
 
        } else {
1431
 
                validator_log(val, ISC_LOG_DEBUG(3),
1432
 
                              "dlv_fetched: got %s",
1433
 
                              isc_result_totext(eresult));
1434
 
                if (eresult == ISC_R_CANCELED)
1435
 
                        validator_done(val, eresult);
1436
 
                else
1437
 
                        validator_done(val, DNS_R_NOVALIDDS);
1438
 
        }
1439
 
        want_destroy = exit_check(val);
1440
 
        UNLOCK(&val->lock);
1441
 
        if (want_destroy)
1442
 
                destroy(val);
1443
 
}
1444
 
 
1445
1359
static isc_result_t
1446
1360
dlv_validatezonekey(dns_validator_t *val) {
1447
 
        dns_fixedname_t fixed;
1448
1361
        dns_keytag_t keytag;
1449
 
        dns_name_t *name;
1450
 
        dns_name_t tname;
1451
1362
        dns_rdata_dlv_t dlv;
1452
1363
        dns_rdata_dnskey_t key;
1453
1364
        dns_rdata_rrsig_t sig;
1460
1371
        isc_boolean_t supported_algorithm;
1461
1372
        isc_result_t result;
1462
1373
        unsigned char dsbuf[DNS_DS_BUFFERSIZE];
1463
 
        unsigned int labels;
1464
 
 
1465
 
        val->attributes |= VALATTR_DLVTRIED;
1466
 
 
1467
 
        dns_name_init(&tname, NULL);
1468
 
        dns_fixedname_init(&fixed);
1469
 
        name = dns_fixedname_name(&fixed);
1470
 
        labels = dns_name_countlabels(val->event->name);
1471
 
        dns_name_getlabelsequence(val->event->name, 0, labels - 1, &tname);
1472
 
        result = dns_name_concatenate(&tname, val->view->dlv, name, NULL);
1473
 
        if (result != ISC_R_SUCCESS) {
1474
 
                validator_log(val, ISC_LOG_DEBUG(2),
1475
 
                              "DLV concatenate failed");
1476
 
                return (DNS_R_NOVALIDSIG);
1477
 
        }
1478
 
        if (val->dlv == NULL) {
1479
 
                result = view_find(val, name, dns_rdatatype_dlv);
1480
 
                if (result == ISC_R_SUCCESS) {
1481
 
                        /*
1482
 
                         * We have DLV records.
1483
 
                         */
1484
 
                        val->dsset = &val->frdataset;
1485
 
                        if (val->frdataset.trust == dns_trust_pending &&
1486
 
                            dns_rdataset_isassociated(&val->fsigrdataset))
1487
 
                        {
1488
 
                                result = create_validator(val,
1489
 
                                                          val->event->name,
1490
 
                                                          dns_rdatatype_ds,
1491
 
                                                          &val->frdataset,
1492
 
                                                          &val->fsigrdataset,
1493
 
                                                          dlv_validated,
1494
 
                                                          "dlv_validatezonekey");
1495
 
                                if (result != ISC_R_SUCCESS)
1496
 
                                        return (result);
1497
 
                                return (DNS_R_WAIT);
1498
 
                        } else if (val->frdataset.trust == dns_trust_pending) {
1499
 
                                /*
1500
 
                                 * There should never be an unsigned DLV.
1501
 
                                 */
1502
 
                                dns_rdataset_disassociate(&val->frdataset);
1503
 
                                validator_log(val, ISC_LOG_DEBUG(2),
1504
 
                                              "unsigned DLV record");
1505
 
                                return (DNS_R_NOVALIDSIG);
1506
 
                        } else
1507
 
                                result = ISC_R_SUCCESS;
1508
 
                } else if (result == ISC_R_NOTFOUND) {
1509
 
                        result = create_fetch(val, name, dns_rdatatype_dlv,
1510
 
                                              dlv_fetched,
1511
 
                                              "dlv_validatezonekey");
1512
 
                        if (result != ISC_R_SUCCESS)
1513
 
                                return (result);
1514
 
                        return (DNS_R_WAIT);
1515
 
                } else if (result ==  DNS_R_NCACHENXDOMAIN ||
1516
 
                   result == DNS_R_NCACHENXRRSET ||
1517
 
                   result == DNS_R_NXDOMAIN ||
1518
 
                   result == DNS_R_NXRRSET)
1519
 
                {
1520
 
                        /*
1521
 
                         * The DS does not exist.
1522
 
                         */
1523
 
                        if (dns_rdataset_isassociated(&val->frdataset))
1524
 
                                dns_rdataset_disassociate(&val->frdataset);
1525
 
                        if (dns_rdataset_isassociated(&val->fsigrdataset))
1526
 
                                dns_rdataset_disassociate(&val->fsigrdataset);
1527
 
                        validator_log(val, ISC_LOG_DEBUG(2), "no DLV record");
1528
 
                        return (DNS_R_NOVALIDSIG);
1529
 
                }
1530
 
        }
1531
 
 
1532
 
        /*
1533
 
         * We have a DLV set.
1534
 
         */
1535
 
        INSIST(val->dlv != NULL);
1536
 
 
1537
 
        if (val->dlv->trust < dns_trust_secure) {
1538
 
                if (val->mustbesecure) {
1539
 
                        validator_log(val, ISC_LOG_WARNING,
1540
 
                                      "must be secure failure");
1541
 
                        return (DNS_R_MUSTBESECURE);
1542
 
                }
1543
 
                val->event->rdataset->trust = dns_trust_answer;
1544
 
                val->event->sigrdataset->trust = dns_trust_answer;
1545
 
                return (ISC_R_SUCCESS);
1546
 
        }
1547
 
 
 
1374
 
 
1375
        validator_log(val, ISC_LOG_DEBUG(3), "dlv_validatezonekey");
1548
1376
        /*
1549
1377
         * Look through the DLV record and find the keys that can sign the
1550
1378
         * key set and the matching signature.  For each such key, attempt
1553
1381
 
1554
1382
        supported_algorithm = ISC_FALSE;
1555
1383
 
1556
 
        for (result = dns_rdataset_first(val->dlv);
 
1384
        for (result = dns_rdataset_first(&val->dlv);
1557
1385
             result == ISC_R_SUCCESS;
1558
 
             result = dns_rdataset_next(val->dlv))
 
1386
             result = dns_rdataset_next(&val->dlv))
1559
1387
        {
1560
1388
                dns_rdata_reset(&dlvrdata);
1561
 
                dns_rdataset_current(val->dlv, &dlvrdata);
 
1389
                dns_rdataset_current(&val->dlv, &dlvrdata);
1562
1390
                (void)dns_rdata_tostruct(&dlvrdata, &dlv, NULL);
1563
1391
 
1564
 
                if (!dns_resolver_algorithm_supported(val->view->resolver,
 
1392
                if (dlv.digest_type != DNS_DSDIGEST_SHA1 ||
 
1393
                    !dns_resolver_algorithm_supported(val->view->resolver,
1565
1394
                                                      val->event->name,
1566
1395
                                                      dlv.algorithm))
1567
1396
                        continue;
1586
1415
                        result = dns_ds_buildrdata(val->event->name,
1587
1416
                                                   &keyrdata, dlv.digest_type,
1588
1417
                                                   dsbuf, &newdsrdata);
1589
 
                        if (result != ISC_R_SUCCESS)
 
1418
                        if (result != ISC_R_SUCCESS) {
 
1419
                                validator_log(val, ISC_LOG_DEBUG(3),
 
1420
                                              "dns_ds_buildrdata() -> %s",
 
1421
                                              dns_result_totext(result));
1590
1422
                                continue;
 
1423
                        }
1591
1424
                        /* Covert to DLV */
1592
1425
                        newdsrdata.type = dns_rdatatype_dlv;
1593
1426
                        if (dns_rdata_compare(&dlvrdata, &newdsrdata) == 0)
1598
1431
                                      "no DNSKEY matching DLV");
1599
1432
                        continue;
1600
1433
                }
1601
 
                
 
1434
                validator_log(val, ISC_LOG_DEBUG(3),
 
1435
                      "Found matching DLV record: checking for signature");
 
1436
 
1602
1437
                for (result = dns_rdataset_first(val->event->sigrdataset);
1603
1438
                     result == ISC_R_SUCCESS;
1604
1439
                     result = dns_rdataset_next(val->event->sigrdataset))
1610
1445
                        if (dlv.key_tag != sig.keyid &&
1611
1446
                            dlv.algorithm != sig.algorithm)
1612
1447
                                continue;
1613
 
 
1614
1448
                        dstkey = NULL;
1615
1449
                        result = dns_dnssec_keyfromrdata(val->event->name,
1616
1450
                                                         &keyrdata,
1644
1478
                                      "must be secure failure");
1645
1479
                        return (DNS_R_MUSTBESECURE);
1646
1480
                }
1647
 
                val->event->rdataset->trust = dns_trust_answer;
1648
 
                val->event->sigrdataset->trust = dns_trust_answer;
1649
1481
                validator_log(val, ISC_LOG_DEBUG(3),
1650
 
                              "no supported algorithm (dlv)");
 
1482
                              "no supported algorithm/digest (dlv)");
 
1483
                markanswer(val);
1651
1484
                return (ISC_R_SUCCESS);
1652
1485
        } else
1653
1486
                return (DNS_R_NOVALIDSIG);
1685
1518
 
1686
1519
        event = val->event;
1687
1520
 
 
1521
        if (val->havedlvsep && val->dlv.trust >= dns_trust_secure &&
 
1522
            dns_name_equal(event->name, dns_fixedname_name(&val->dlvsep)))
 
1523
                return (dlv_validatezonekey(val));
 
1524
 
1688
1525
        if (val->dsset == NULL) {
1689
1526
                /*
1690
1527
                 * First, see if this key was signed by a trusted key.
1783
1620
                        if (result != ISC_R_SUCCESS)
1784
1621
                                return (result);
1785
1622
                        return (DNS_R_WAIT);
1786
 
                } else if (val->view->dlv != NULL && !DLVTRIED(val) &&
1787
 
                           (result == DNS_R_NCACHENXRRSET ||
1788
 
                            result == DNS_R_NXRRSET) &&
1789
 
                           !dns_name_issubdomain(val->event->name,
1790
 
                                                 val->view->dlv))
1791
 
                {
1792
 
 
1793
 
                        if (dns_rdataset_isassociated(&val->frdataset))
1794
 
                                dns_rdataset_disassociate(&val->frdataset);
1795
 
                        if (dns_rdataset_isassociated(&val->fsigrdataset))
1796
 
                                dns_rdataset_disassociate(&val->fsigrdataset);
1797
 
 
1798
 
                        validator_log(val, ISC_LOG_DEBUG(2),
1799
 
                                      "no DS record: looking for DLV");
1800
 
 
1801
 
                        return (dlv_validatezonekey(val));
1802
1623
                 } else if (result ==  DNS_R_NCACHENXDOMAIN ||
1803
1624
                           result == DNS_R_NCACHENXRRSET ||
1804
1625
                           result == DNS_R_NXDOMAIN ||
1827
1648
                                      "must be secure failure");
1828
1649
                        return (DNS_R_MUSTBESECURE);
1829
1650
                }
1830
 
                val->event->rdataset->trust = dns_trust_answer;
1831
 
                val->event->sigrdataset->trust = dns_trust_answer;
 
1651
                markanswer(val);
1832
1652
                return (ISC_R_SUCCESS);
1833
1653
        }
1834
1654
 
1848
1668
                dns_rdataset_current(val->dsset, &dsrdata);
1849
1669
                (void)dns_rdata_tostruct(&dsrdata, &ds, NULL);
1850
1670
 
 
1671
                if (ds.digest_type != DNS_DSDIGEST_SHA1)
 
1672
                        continue;
1851
1673
                if (!dns_resolver_algorithm_supported(val->view->resolver,
1852
1674
                                                      val->event->name,
1853
1675
                                                      ds.algorithm))
1923
1745
                event->sigrdataset->trust = dns_trust_secure;
1924
1746
                validator_log(val, ISC_LOG_DEBUG(3), "marking as secure");
1925
1747
                return (result);
1926
 
        } else if (result == ISC_R_NOMORE && val->view->dlv != NULL &&
1927
 
                   !DLVTRIED(val) && !dns_name_issubdomain(val->event->name,
1928
 
                                                           val->view->dlv))
1929
 
        {
1930
 
                validator_log(val, ISC_LOG_DEBUG(2),
1931
 
                              "no DS/DNSKEY pair: looking for DLV");
1932
 
 
1933
 
                return (dlv_validatezonekey(val));
1934
1748
        } else if (result == ISC_R_NOMORE && !supported_algorithm) {
1935
1749
                if (val->mustbesecure) {
1936
1750
                        validator_log(val, ISC_LOG_WARNING,
1937
1751
                                      "must be secure failure");
1938
1752
                        return (DNS_R_MUSTBESECURE);
1939
1753
                }
1940
 
                val->event->rdataset->trust = dns_trust_answer;
1941
 
                val->event->sigrdataset->trust = dns_trust_answer;
1942
1754
                validator_log(val, ISC_LOG_DEBUG(3),
1943
 
                              "no supported algorithm (ds)");
 
1755
                              "no supported algorithm/digest (DS)");
 
1756
                markanswer(val);
1944
1757
                return (ISC_R_SUCCESS);
1945
1758
        } else
1946
1759
                return (DNS_R_NOVALIDSIG);
2174
1987
 
2175
1988
        if ((val->attributes & VALATTR_FOUNDNONEXISTENCE) == 0) {
2176
1989
                if (!val->seensig && val->soaset != NULL) {
2177
 
                        result = create_validator(val, name, dns_rdatatype_soa,
 
1990
                        result = create_validator(val, val->soaname,
 
1991
                                                  dns_rdatatype_soa,
2178
1992
                                                  val->soaset, NULL,
2179
1993
                                                  negauthvalidated,
2180
1994
                                                  "nsecvalidate");
2193
2007
}
2194
2008
 
2195
2009
static isc_boolean_t
2196
 
check_ds_algorithm(dns_validator_t *val, dns_name_t *name,
2197
 
                   dns_rdataset_t *rdataset) {
 
2010
check_ds(dns_validator_t *val, dns_name_t *name, dns_rdataset_t *rdataset) {
2198
2011
        dns_rdata_t dsrdata = DNS_RDATA_INIT;
2199
2012
        dns_rdata_ds_t ds;
2200
2013
        isc_result_t result;
2205
2018
                dns_rdataset_current(rdataset, &dsrdata);
2206
2019
                (void)dns_rdata_tostruct(&dsrdata, &ds, NULL);
2207
2020
 
2208
 
                if (dns_resolver_algorithm_supported(val->view->resolver,
2209
 
                                                     name, ds.algorithm))
 
2021
                if (ds.digest_type == DNS_DSDIGEST_SHA1 &&
 
2022
                    dns_resolver_algorithm_supported(val->view->resolver,
 
2023
                                                     name, ds.algorithm)) {
 
2024
                        dns_rdata_reset(&dsrdata);
2210
2025
                        return (ISC_TRUE);
 
2026
                }
2211
2027
                dns_rdata_reset(&dsrdata);
2212
2028
        }
2213
2029
        return (ISC_FALSE);
2214
2030
}
2215
2031
 
2216
2032
static void
2217
 
dlv_fetched2(isc_task_t *task, isc_event_t *event) {
 
2033
dlvfetched(isc_task_t *task, isc_event_t *event) {
 
2034
        char namebuf[DNS_NAME_FORMATSIZE];
2218
2035
        dns_fetchevent_t *devent;
2219
2036
        dns_validator_t *val;
2220
2037
        isc_boolean_t want_destroy;
2226
2043
        devent = (dns_fetchevent_t *)event;
2227
2044
        val = devent->ev_arg;
2228
2045
        eresult = devent->result;
2229
 
        
 
2046
 
 
2047
        /* Free resources which are not of interest. */
 
2048
        if (devent->node != NULL)
 
2049
                dns_db_detachnode(devent->db, &devent->node);
 
2050
        if (devent->db != NULL)
 
2051
                dns_db_detach(&devent->db);
 
2052
        if (dns_rdataset_isassociated(&val->fsigrdataset))
 
2053
                dns_rdataset_disassociate(&val->fsigrdataset);
2230
2054
        isc_event_free(&event);
2231
2055
        dns_resolver_destroyfetch(&val->fetch);
2232
 
        
 
2056
 
2233
2057
        INSIST(val->event != NULL);
2234
 
        validator_log(val, ISC_LOG_DEBUG(3), "in dlv_fetched2: %s",
 
2058
        validator_log(val, ISC_LOG_DEBUG(3), "in dlvfetched: %s",
2235
2059
                      dns_result_totext(eresult));
2236
2060
 
2237
2061
        LOCK(&val->lock);
2238
2062
        if (eresult == ISC_R_SUCCESS) {
 
2063
                dns_name_format(dns_fixedname_name(&val->dlvsep), namebuf,
 
2064
                                sizeof(namebuf));
 
2065
                dns_rdataset_clone(&val->frdataset, &val->dlv);
2239
2066
                val->havedlvsep = ISC_TRUE;
2240
 
                result = proveunsecure(val, ISC_FALSE);
 
2067
                validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found", namebuf);
 
2068
                result = dlv_validator_start(val);
2241
2069
                if (result != DNS_R_WAIT)
2242
2070
                        validator_done(val, result);
2243
2071
        } else if (eresult == DNS_R_NXRRSET ||
2246
2074
                   eresult == DNS_R_NCACHENXDOMAIN) {
2247
2075
                   result = finddlvsep(val, ISC_TRUE);
2248
2076
                if (result == ISC_R_SUCCESS) {
2249
 
                        result = proveunsecure(val, ISC_FALSE);
 
2077
                        dns_name_format(dns_fixedname_name(&val->dlvsep),
 
2078
                                        namebuf, sizeof(namebuf));
 
2079
                        validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found",
 
2080
                                      namebuf);
 
2081
                        result = dlv_validator_start(val);
2250
2082
                        if (result != DNS_R_WAIT)
2251
2083
                                validator_done(val, result);
2252
2084
                } else if (result == ISC_R_NOTFOUND) {
 
2085
                        validator_log(val, ISC_LOG_DEBUG(3), "DLV not found");
 
2086
                        markanswer(val);
2253
2087
                        validator_done(val, ISC_R_SUCCESS);
2254
 
                } else if (result != DNS_R_WAIT)
2255
 
                        validator_done(val, result);
 
2088
                } else {
 
2089
                        validator_log(val, ISC_LOG_DEBUG(3), "DLV lookup: %s",
 
2090
                                      dns_result_totext(result));
 
2091
                        if (result != DNS_R_WAIT)
 
2092
                                validator_done(val, result);
 
2093
                }
 
2094
        } else {
 
2095
                validator_log(val, ISC_LOG_DEBUG(3), "DLV lookup: %s",
 
2096
                              dns_result_totext(eresult));
2256
2097
        }
2257
2098
        want_destroy = exit_check(val);
2258
2099
        UNLOCK(&val->lock);
2261
2102
}
2262
2103
 
2263
2104
static isc_result_t
 
2105
startfinddlvsep(dns_validator_t *val, dns_name_t *unsecure) {
 
2106
        char namebuf[DNS_NAME_FORMATSIZE];
 
2107
        isc_result_t result;
 
2108
 
 
2109
        INSIST(!DLVTRIED(val));
 
2110
 
 
2111
        val->attributes |= VALATTR_DLVTRIED;
 
2112
 
 
2113
        dns_name_format(unsecure, namebuf, sizeof(namebuf));
 
2114
        validator_log(val, ISC_LOG_DEBUG(3),
 
2115
                      "plain DNSSEC returns unsecure (%s): looking for DLV",
 
2116
                      namebuf);
 
2117
 
 
2118
        if (dns_name_issubdomain(val->event->name, val->view->dlv)) {
 
2119
                validator_log(val, ISC_LOG_WARNING, "must be secure failure");
 
2120
                return (DNS_R_MUSTBESECURE);
 
2121
        }
 
2122
 
 
2123
        val->dlvlabels = dns_name_countlabels(unsecure) - 1;
 
2124
        result = finddlvsep(val, ISC_FALSE);
 
2125
        if (result == ISC_R_NOTFOUND) {
 
2126
                validator_log(val, ISC_LOG_DEBUG(3), "DLV not found");
 
2127
                markanswer(val);
 
2128
                return (ISC_R_SUCCESS);
 
2129
        }
 
2130
        if (result != ISC_R_SUCCESS) {
 
2131
                validator_log(val, ISC_LOG_DEBUG(3), "DLV lookup: %s",
 
2132
                              dns_result_totext(result));
 
2133
                return (result);
 
2134
        }
 
2135
        dns_name_format(dns_fixedname_name(&val->dlvsep), namebuf,
 
2136
                        sizeof(namebuf));
 
2137
        validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found", namebuf);
 
2138
        return (dlv_validator_start(val));
 
2139
}
 
2140
 
 
2141
static isc_result_t
2264
2142
finddlvsep(dns_validator_t *val, isc_boolean_t resume) {
 
2143
        char namebuf[DNS_NAME_FORMATSIZE];
2265
2144
        dns_fixedname_t dlvfixed;
2266
2145
        dns_name_t *dlvname;
2267
2146
        dns_name_t *dlvsep;
2268
2147
        dns_name_t noroot;
2269
2148
        isc_result_t result;
2270
2149
        unsigned int labels;
 
2150
                
 
2151
        INSIST(val->view->dlv != NULL);
2271
2152
 
2272
2153
        if (!resume) {
 
2154
 
 
2155
                if (dns_name_issubdomain(val->event->name, val->view->dlv)) {
 
2156
                        validator_log(val, ISC_LOG_WARNING,
 
2157
                                      "must be secure failure");
 
2158
                        return (DNS_R_MUSTBESECURE);
 
2159
                }
 
2160
 
2273
2161
                dns_fixedname_init(&val->dlvsep);
2274
2162
                dlvsep = dns_fixedname_name(&val->dlvsep);
2275
2163
                dns_name_copy(val->event->name, dlvsep, NULL);
2276
 
                val->attributes |= VALATTR_DLVSEPTRIED;
 
2164
                if (val->event->type == dns_rdatatype_ds) {
 
2165
                        labels = dns_name_countlabels(dlvsep);
 
2166
                        if (labels == 0)
 
2167
                                return (ISC_R_NOTFOUND);
 
2168
                        dns_name_getlabelsequence(dlvsep, 1, labels - 1,
 
2169
                                                  dlvsep);
 
2170
                }
2277
2171
        } else {
2278
2172
                dlvsep = dns_fixedname_name(&val->dlvsep);
2279
2173
                labels = dns_name_countlabels(dlvsep);
2283
2177
        dns_fixedname_init(&dlvfixed);
2284
2178
        dlvname = dns_fixedname_name(&dlvfixed);
2285
2179
        labels = dns_name_countlabels(dlvsep);
 
2180
        if (labels == 0)
 
2181
                return (ISC_R_NOTFOUND);
2286
2182
        dns_name_getlabelsequence(dlvsep, 0, labels - 1, &noroot);
2287
2183
        result = dns_name_concatenate(&noroot, val->view->dlv, dlvname, NULL);
2288
2184
        while (result == ISC_R_NOSPACE) {
2297
2193
                return (DNS_R_NOVALIDSIG);
2298
2194
        }
2299
2195
 
2300
 
        while (dns_name_countlabels(dlvname) >
2301
 
               dns_name_countlabels(val->view->dlv)) 
2302
 
        {
 
2196
        while (dns_name_countlabels(dlvname) >=
 
2197
               dns_name_countlabels(val->view->dlv) + val->dlvlabels) {
 
2198
                dns_name_format(dlvname, namebuf, sizeof(namebuf));
 
2199
                validator_log(val, ISC_LOG_DEBUG(3), "looking for DLV %s",
 
2200
                              namebuf);
2303
2201
                result = view_find(val, dlvname, dns_rdatatype_dlv);
2304
2202
                if (result == ISC_R_SUCCESS) {
2305
2203
                        if (val->frdataset.trust < dns_trust_secure)
2306
2204
                                return (DNS_R_NOVALIDSIG);
2307
2205
                        val->havedlvsep = ISC_TRUE;
 
2206
                        dns_rdataset_clone(&val->frdataset, &val->dlv);
2308
2207
                        return (ISC_R_SUCCESS);
2309
2208
                }
2310
2209
                if (result == ISC_R_NOTFOUND) {
2311
 
                        result = create_fetch(val, dlvname, dns_rdatatype_dlv,
2312
 
                                              dlv_fetched2, "finddlvsep");
2313
 
                        if (result != ISC_R_SUCCESS)
2314
 
                                return (result);
2315
 
                        return (DNS_R_WAIT);
 
2210
                        result = create_fetch(val, dlvname, dns_rdatatype_dlv,
 
2211
                                              dlvfetched, "finddlvsep");
 
2212
                        if (result != ISC_R_SUCCESS)
 
2213
                                return (result);
 
2214
                        return (DNS_R_WAIT);
2316
2215
                }
2317
2216
                if (result != DNS_R_NXRRSET &&
2318
2217
                    result != DNS_R_NXDOMAIN &&
2319
2218
                    result != DNS_R_NCACHENXRRSET &&
2320
 
                    result != DNS_R_NCACHENXDOMAIN) 
 
2219
                    result != DNS_R_NCACHENXDOMAIN)
2321
2220
                        return (result);
2322
2221
                /*
2323
2222
                 * Strip first labels from both dlvsep and dlvname.
2324
2223
                 */
2325
2224
                labels = dns_name_countlabels(dlvsep);
 
2225
                if (labels == 0)
 
2226
                        break;
2326
2227
                dns_name_getlabelsequence(dlvsep, 1, labels - 1, dlvsep);
2327
2228
                labels = dns_name_countlabels(dlvname);
2328
2229
                dns_name_getlabelsequence(dlvname, 1, labels - 1, dlvname);
2330
2231
        return (ISC_R_NOTFOUND);
2331
2232
}
2332
2233
 
 
2234
/*
 
2235
 * proveunsecure walks down from the SEP looking for a break in the
 
2236
 * chain of trust.   That occurs when we can prove the DS record does
 
2237
 * not exist at a delegation point or the DS exists at a delegation
 
2238
 * but we don't support the algorithm/digest.
 
2239
 */
2333
2240
static isc_result_t
2334
2241
proveunsecure(dns_validator_t *val, isc_boolean_t resume) {
2335
2242
        isc_result_t result;
2336
 
        isc_result_t tresult;
2337
 
        dns_fixedname_t secroot;
 
2243
        dns_fixedname_t fixedsecroot;
 
2244
        dns_name_t *secroot;
2338
2245
        dns_name_t *tname;
2339
 
 
2340
 
        dns_fixedname_init(&secroot);
2341
 
        result = dns_keytable_finddeepestmatch(val->keytable,
2342
 
                                               val->event->name,
2343
 
                                               dns_fixedname_name(&secroot));
2344
 
        /*
2345
 
         * If the name is not under a security root, it must be insecure.
2346
 
         */
2347
 
        if (val->view->dlv != NULL && !DLVSEPTRIED(val) && 
2348
 
            !dns_name_issubdomain(val->event->name, val->view->dlv)) {
2349
 
                tresult = finddlvsep(val, ISC_FALSE);
2350
 
                if (tresult != ISC_R_NOTFOUND && tresult != ISC_R_SUCCESS) {
2351
 
                        validator_log(val, ISC_LOG_DEBUG(3),
2352
 
                                      "finddlvsep returned: %s",
2353
 
                                      dns_result_totext(tresult));
2354
 
                        return (tresult);
2355
 
                }
2356
 
        }
2357
 
 
2358
 
        if (result == ISC_R_NOTFOUND) {
2359
 
                if (!val->havedlvsep) {
2360
 
                        validator_log(val, ISC_LOG_DEBUG(3),
2361
 
                                      "not beneath secure root / DLV");
 
2246
        char namebuf[DNS_NAME_FORMATSIZE];
 
2247
 
 
2248
        dns_fixedname_init(&fixedsecroot);
 
2249
        secroot = dns_fixedname_name(&fixedsecroot);
 
2250
        if (val->havedlvsep)
 
2251
                dns_name_copy(dns_fixedname_name(&val->dlvsep), secroot, NULL);
 
2252
        else {
 
2253
                result = dns_keytable_finddeepestmatch(val->keytable,
 
2254
                                                       val->event->name,
 
2255
                                                       secroot);
 
2256
 
 
2257
                if (result == ISC_R_NOTFOUND) {
 
2258
                        validator_log(val, ISC_LOG_DEBUG(3),
 
2259
                                      "not beneath secure root");
2362
2260
                        if (val->mustbesecure) {
2363
2261
                                validator_log(val, ISC_LOG_WARNING,
2364
2262
                                              "must be secure failure");
2365
2263
                                result = DNS_R_MUSTBESECURE;
2366
2264
                                goto out;
2367
2265
                        }
2368
 
                        val->event->rdataset->trust = dns_trust_answer;
2369
 
                        return (ISC_R_SUCCESS);
2370
 
                }
2371
 
                dns_name_copy(dns_fixedname_name(&val->dlvsep),
2372
 
                              dns_fixedname_name(&secroot), NULL);
2373
 
        } else if (result != ISC_R_SUCCESS)
2374
 
                return (result);
2375
 
        else if (val->havedlvsep &&
2376
 
                 dns_name_issubdomain(dns_fixedname_name(&val->dlvsep),
2377
 
                                      dns_fixedname_name(&secroot))) {
2378
 
                dns_name_copy(dns_fixedname_name(&val->dlvsep),
2379
 
                              dns_fixedname_name(&secroot), NULL);
 
2266
                        if (val->view->dlv == NULL || DLVTRIED(val)) {
 
2267
                                markanswer(val);
 
2268
                                return (ISC_R_SUCCESS);
 
2269
                        }
 
2270
                        return (startfinddlvsep(val, dns_rootname));
 
2271
                } else if (result != ISC_R_SUCCESS)
 
2272
                        return (result);
2380
2273
        }
2381
2274
 
2382
2275
        if (!resume) {
2383
 
                val->labels =
2384
 
                        dns_name_countlabels(dns_fixedname_name(&secroot)) + 1;
 
2276
                /*
 
2277
                 * We are looking for breaks below the SEP so add a label.
 
2278
                 */
 
2279
                val->labels = dns_name_countlabels(secroot) + 1;
2385
2280
        } else {
2386
2281
                validator_log(val, ISC_LOG_DEBUG(3), "resuming proveunsecure");
2387
2282
                if (val->frdataset.trust >= dns_trust_secure &&
2388
 
                    !check_ds_algorithm(val, dns_fixedname_name(&val->fname),
2389
 
                                        &val->frdataset)) {
 
2283
                    !check_ds(val, dns_fixedname_name(&val->fname),
 
2284
                              &val->frdataset)) {
 
2285
                        dns_name_format(dns_fixedname_name(&val->fname),
 
2286
                                        namebuf, sizeof(namebuf));
2390
2287
                        if (val->mustbesecure) {
2391
2288
                                validator_log(val, ISC_LOG_WARNING,
2392
 
                                              "must be secure failure");
 
2289
                                              "must be secure failure at '%s'",
 
2290
                                              namebuf);
2393
2291
                                result = DNS_R_MUSTBESECURE;
2394
2292
                                goto out;
2395
2293
                        }
2396
2294
                        validator_log(val, ISC_LOG_DEBUG(3),
2397
 
                                      "no supported algorithm (ds)");
2398
 
                        val->event->rdataset->trust = dns_trust_answer;
2399
 
                        result = ISC_R_SUCCESS;
 
2295
                                      "no supported algorithm/digest (%s/DS)",
 
2296
                                      namebuf);
 
2297
                        if (val->view->dlv == NULL || DLVTRIED(val)) {
 
2298
                                markanswer(val);
 
2299
                                result = ISC_R_SUCCESS;
 
2300
                                goto out;
 
2301
                        }
 
2302
                        result = startfinddlvsep(val,
 
2303
                                              dns_fixedname_name(&val->fname));
2400
2304
                        goto out;
2401
2305
                }
2402
2306
                val->labels++;
2406
2310
             val->labels <= dns_name_countlabels(val->event->name);
2407
2311
             val->labels++)
2408
2312
        {
2409
 
                char namebuf[DNS_NAME_FORMATSIZE];
2410
2313
 
2411
2314
                dns_fixedname_init(&val->fname);
2412
2315
                tname = dns_fixedname_name(&val->fname);
2425
2328
                if (result == DNS_R_NXRRSET || result == DNS_R_NCACHENXRRSET) {
2426
2329
                        /*
2427
2330
                         * There is no DS.  If this is a delegation,
2428
 
                         * we're done.
 
2331
                         * we maybe done.
2429
2332
                         */
2430
2333
                        if (val->frdataset.trust < dns_trust_secure) {
2431
2334
                                /*
2443
2346
                                                      "must be secure failure");
2444
2347
                                        return (DNS_R_MUSTBESECURE);
2445
2348
                                }
2446
 
                                val->event->rdataset->trust = dns_trust_answer;
2447
 
                                return (ISC_R_SUCCESS);
 
2349
                                if (val->view->dlv == NULL || DLVTRIED(val)) {
 
2350
                                        markanswer(val);
 
2351
                                        return (ISC_R_SUCCESS);
 
2352
                                }
 
2353
                                return (startfinddlvsep(val, tname));
2448
2354
                        }
2449
2355
                        continue;
2450
2356
                } else if (result == ISC_R_SUCCESS) {
2453
2359
                         * continue.
2454
2360
                         */
2455
2361
                        if (val->frdataset.trust >= dns_trust_secure) {
2456
 
                                if (!check_ds_algorithm(val, tname,
2457
 
                                                        &val->frdataset)) {
 
2362
                                if (!check_ds(val, tname, &val->frdataset)) {
2458
2363
                                        validator_log(val, ISC_LOG_DEBUG(3),
2459
 
                                              "no supported algorithm (ds)");
 
2364
                                                     "no supported algorithm/"
 
2365
                                                     "digest (%s/DS)", namebuf);
2460
2366
                                        if (val->mustbesecure) {
2461
2367
                                                validator_log(val,
2462
2368
                                                              ISC_LOG_WARNING,
2464
2370
                                                result = DNS_R_MUSTBESECURE;
2465
2371
                                                goto out;
2466
2372
                                        }
2467
 
                                        val->event->rdataset->trust =
2468
 
                                                        dns_trust_answer;
2469
 
                                        result = ISC_R_SUCCESS;
 
2373
                                        if (val->view->dlv == NULL ||
 
2374
                                            DLVTRIED(val)) {
 
2375
                                                markanswer(val);
 
2376
                                                result = ISC_R_SUCCESS;
 
2377
                                                goto out;
 
2378
                                        }
 
2379
                                        result = startfinddlvsep(val, tname);
2470
2380
                                        goto out;
2471
2381
                                }
2472
2382
                                continue;
2531
2441
        return (result);
2532
2442
}
2533
2443
 
 
2444
static isc_result_t
 
2445
dlv_validator_start(dns_validator_t *val) {
 
2446
        isc_event_t *event;
 
2447
 
 
2448
        validator_log(val, ISC_LOG_DEBUG(3), "dlv_validator_start");
 
2449
 
 
2450
        /*
 
2451
         * Reset state and try again.
 
2452
         */
 
2453
        val->attributes &= VALATTR_DLVTRIED;
 
2454
        val->options &= ~DNS_VALIDATOR_DLV;
 
2455
 
 
2456
        event = (isc_event_t *)val->event;
 
2457
        isc_task_send(val->task, &event);
 
2458
        return (DNS_R_WAIT);
 
2459
}
 
2460
 
2534
2461
static void
2535
2462
validator_start(isc_task_t *task, isc_event_t *event) {
2536
2463
        dns_validator_t *val;
2547
2474
        if (val->event == NULL)
2548
2475
                return;
2549
2476
 
2550
 
        validator_log(val, ISC_LOG_DEBUG(3), "starting");
 
2477
        if (DLVTRIED(val))
 
2478
                validator_log(val, ISC_LOG_DEBUG(3), "restarting using DLV");
 
2479
        else
 
2480
                validator_log(val, ISC_LOG_DEBUG(3), "starting");
2551
2481
 
2552
2482
        LOCK(&val->lock);
2553
2483
 
2554
 
        if (val->event->rdataset != NULL && val->event->sigrdataset != NULL) {
 
2484
        if ((val->options & DNS_VALIDATOR_DLV) != 0) {
 
2485
                validator_log(val, ISC_LOG_DEBUG(3), "looking for DLV");
 
2486
                result = startfinddlvsep(val, dns_rootname);
 
2487
        } else if (val->event->rdataset != NULL &&
 
2488
                   val->event->sigrdataset != NULL) {
2555
2489
                isc_result_t saved_result;
2556
2490
 
2557
2491
                /*
2635
2569
        REQUIRE(type != 0);
2636
2570
        REQUIRE(rdataset != NULL ||
2637
2571
                (rdataset == NULL && sigrdataset == NULL && message != NULL));
2638
 
        REQUIRE(options == 0);
2639
2572
        REQUIRE(validatorp != NULL && *validatorp == NULL);
2640
2573
 
2641
2574
        tclone = NULL;
2685
2618
        val->currentset = NULL;
2686
2619
        val->keyset = NULL;
2687
2620
        val->dsset = NULL;
2688
 
        val->dlv = NULL;
 
2621
        dns_rdataset_init(&val->dlv);
2689
2622
        val->soaset = NULL;
2690
2623
        val->nsecset = NULL;
2691
2624
        val->soaname = NULL;
2692
2625
        val->seensig = ISC_FALSE;
2693
2626
        val->havedlvsep = ISC_FALSE;
 
2627
        val->depth = 0;
2694
2628
        val->mustbesecure = dns_resolver_getmustbesecure(view->resolver, name);
2695
2629
        dns_rdataset_init(&val->frdataset);
2696
2630
        dns_rdataset_init(&val->fsigrdataset);
2749
2683
                dns_keytable_detach(&val->keytable);
2750
2684
        if (val->subvalidator != NULL)
2751
2685
                dns_validator_destroy(&val->subvalidator);
 
2686
        if (val->havedlvsep)
 
2687
                dns_rdataset_disassociate(&val->dlv);
 
2688
        if (dns_rdataset_isassociated(&val->frdataset))
 
2689
                dns_rdataset_disassociate(&val->frdataset);
 
2690
        if (dns_rdataset_isassociated(&val->fsigrdataset))
 
2691
                dns_rdataset_disassociate(&val->fsigrdataset);
2752
2692
        mctx = val->view->mctx;
2753
2693
        if (val->siginfo != NULL)
2754
2694
                isc_mem_put(mctx, val->siginfo, sizeof(*val->siginfo));
2787
2727
               isc_logmodule_t *module, int level, const char *fmt, va_list ap)
2788
2728
{
2789
2729
        char msgbuf[2048];
 
2730
        static const char spaces[] = "        *";
 
2731
        int depth = val->depth * 2;
2790
2732
 
2791
2733
        vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
2792
2734
 
 
2735
        if ((unsigned int) depth >= sizeof spaces)
 
2736
                depth = sizeof spaces - 1;
 
2737
 
2793
2738
        if (val->event != NULL && val->event->name != NULL) {
2794
2739
                char namebuf[DNS_NAME_FORMATSIZE];
2795
2740
                char typebuf[DNS_RDATATYPE_FORMATSIZE];
2798
2743
                dns_rdatatype_format(val->event->type, typebuf,
2799
2744
                                     sizeof(typebuf));
2800
2745
                isc_log_write(dns_lctx, category, module, level,
2801
 
                              "validating %s %s: %s", namebuf, typebuf,
2802
 
                              msgbuf);
 
2746
                              "%.*svalidating @%p: %s %s: %s", depth, spaces,
 
2747
                              val, namebuf, typebuf, msgbuf);
2803
2748
        } else {
2804
2749
                isc_log_write(dns_lctx, category, module, level,
2805
 
                              "validator @%p: %s", val, msgbuf);
 
2750
                              "%.*svalidator @%p: %s", depth, spaces,
 
2751
                               val, msgbuf);
2806
2752
        }
2807
2753
}
2808
2754