static inline isc_boolean_t
match(dns_name_t *name1, dns_name_t *name2) {
if (dns_name_iswildcard(name2))
return(dns_name_matcheswildcard(name1, name2));
return (dns_name_equal(name1, name2));
}
isc_boolean_t
dns_name_matcheswildcard(const dns_name_t *name, const dns_name_t *wname) {
int order;
unsigned int nlabels, labels;
dns_name_t tname;
REQUIRE(VALID_NAME(name));
REQUIRE(name->labels > 0);
REQUIRE(VALID_NAME(wname));
labels = wname->labels;
REQUIRE(labels > 0);
REQUIRE(dns_name_iswildcard(wname));
DNS_NAME_INIT(&tname, NULL);
dns_name_getlabelsequence(wname, 1, labels - 1, &tname);
if (dns_name_fullcompare(name, &tname, &order, &nlabels) ==
dns_namereln_subdomain)
return (ISC_TRUE);
return (ISC_FALSE);
}
isc_boolean_t
dns_ssutable_checkrules(dns_ssutable_t *table, dns_name_t *signer,
dns_name_t *name, isc_netaddr_t *tcpaddr,
dns_rdatatype_t type,
const dst_key_t *key)
{
dns_ssurule_t *rule;
unsigned int i;
dns_fixedname_t fixed;
dns_name_t *wildcard;
dns_name_t *tcpself;
dns_name_t *stfself;
isc_result_t result;
REQUIRE(VALID_SSUTABLE(table));
REQUIRE(signer == NULL || dns_name_isabsolute(signer));
REQUIRE(dns_name_isabsolute(name));
if (signer == NULL && tcpaddr == NULL)
return (ISC_FALSE);
for (rule = ISC_LIST_HEAD(table->rules);
rule != NULL;
rule = ISC_LIST_NEXT(rule, link))
{
switch (rule->matchtype) {
case DNS_SSUMATCHTYPE_NAME:
case DNS_SSUMATCHTYPE_SUBDOMAIN:
case DNS_SSUMATCHTYPE_WILDCARD:
case DNS_SSUMATCHTYPE_SELF:
case DNS_SSUMATCHTYPE_SELFSUB:
case DNS_SSUMATCHTYPE_SELFWILD:
if (signer == NULL)
continue;
if (dns_name_iswildcard(rule->identity)) {
if (!dns_name_matcheswildcard(signer,
rule->identity))
continue;
} else {
if (!dns_name_equal(signer, rule->identity))
continue;
}
break;
case DNS_SSUMATCHTYPE_SELFKRB5:
case DNS_SSUMATCHTYPE_SELFMS:
case DNS_SSUMATCHTYPE_SUBDOMAINKRB5:
case DNS_SSUMATCHTYPE_SUBDOMAINMS:
if (signer == NULL)
continue;
break;
case DNS_SSUMATCHTYPE_TCPSELF:
case DNS_SSUMATCHTYPE_6TO4SELF:
if (tcpaddr == NULL)
continue;
break;
}
switch (rule->matchtype) {
case DNS_SSUMATCHTYPE_NAME:
if (!dns_name_equal(name, rule->name))
continue;
break;
case DNS_SSUMATCHTYPE_SUBDOMAIN:
if (!dns_name_issubdomain(name, rule->name))
continue;
break;
case DNS_SSUMATCHTYPE_WILDCARD:
if (!dns_name_matcheswildcard(name, rule->name))
continue;
break;
case DNS_SSUMATCHTYPE_SELF:
if (!dns_name_equal(signer, name))
continue;
break;
case DNS_SSUMATCHTYPE_SELFSUB:
if (!dns_name_issubdomain(name, signer))
continue;
break;
case DNS_SSUMATCHTYPE_SELFWILD:
dns_fixedname_init(&fixed);
wildcard = dns_fixedname_name(&fixed);
result = dns_name_concatenate(dns_wildcardname, signer,
wildcard, NULL);
if (result != ISC_R_SUCCESS)
continue;
if (!dns_name_matcheswildcard(name, wildcard))
continue;
break;
case DNS_SSUMATCHTYPE_SELFKRB5:
if (!dst_gssapi_identitymatchesrealmkrb5(signer, name,
rule->identity))
continue;
break;
case DNS_SSUMATCHTYPE_SELFMS:
if (!dst_gssapi_identitymatchesrealmms(signer, name,
rule->identity))
continue;
break;
case DNS_SSUMATCHTYPE_SUBDOMAINKRB5:
if (!dns_name_issubdomain(name, rule->name))
continue;
if (!dst_gssapi_identitymatchesrealmkrb5(signer, NULL,
rule->identity))
continue;
break;
case DNS_SSUMATCHTYPE_SUBDOMAINMS:
if (!dns_name_issubdomain(name, rule->name))
continue;
if (!dst_gssapi_identitymatchesrealmms(signer, NULL,
rule->identity))
continue;
break;
case DNS_SSUMATCHTYPE_TCPSELF:
dns_fixedname_init(&fixed);
tcpself = dns_fixedname_name(&fixed);
reverse_from_address(tcpself, tcpaddr);
if (dns_name_iswildcard(rule->identity)) {
if (!dns_name_matcheswildcard(tcpself,
rule->identity))
continue;
} else {
if (!dns_name_equal(tcpself, rule->identity))
continue;
}
if (!dns_name_equal(tcpself, name))
continue;
break;
case DNS_SSUMATCHTYPE_6TO4SELF:
dns_fixedname_init(&fixed);
stfself = dns_fixedname_name(&fixed);
stf_from_address(stfself, tcpaddr);
if (dns_name_iswildcard(rule->identity)) {
if (!dns_name_matcheswildcard(stfself,
rule->identity))
continue;
} else {
if (!dns_name_equal(stfself, rule->identity))
continue;
}
if (!dns_name_equal(stfself, name))
continue;
break;
case DNS_SSUMATCHTYPE_EXTERNAL:
if (!dns_ssu_external_match(rule->identity, signer,
name, tcpaddr, type, key,
table->mctx))
continue;
break;
case DNS_SSUMATCHTYPE_DLZ:
if (!dns_dlz_ssumatch(table->dlzdatabase, signer,
name, tcpaddr, type, key))
continue;
break;
}
if (rule->ntypes == 0) {
/*
* If this is a DLZ rule, then the DLZ ssu
* checks will have already checked
* the type.
*/
if (rule->matchtype != DNS_SSUMATCHTYPE_DLZ &&
!isusertype(type))
continue;
} else {
for (i = 0; i < rule->ntypes; i++) {
if (rule->types[i] == dns_rdatatype_any ||
rule->types[i] == type)
break;
}
if (i == rule->ntypes)
continue;
}
return (rule->grant);
}
return (ISC_FALSE);
}
isc_result_t
dns_ssutable_addrule(dns_ssutable_t *table, isc_boolean_t grant,
dns_name_t *identity, unsigned int matchtype,
dns_name_t *name, unsigned int ntypes,
dns_rdatatype_t *types)
{
dns_ssurule_t *rule;
isc_mem_t *mctx;
isc_result_t result;
REQUIRE(VALID_SSUTABLE(table));
REQUIRE(dns_name_isabsolute(identity));
REQUIRE(dns_name_isabsolute(name));
REQUIRE(matchtype <= DNS_SSUMATCHTYPE_MAX);
if (matchtype == DNS_SSUMATCHTYPE_WILDCARD)
REQUIRE(dns_name_iswildcard(name));
if (ntypes > 0)
REQUIRE(types != NULL);
mctx = table->mctx;
rule = isc_mem_get(mctx, sizeof(dns_ssurule_t));
if (rule == NULL)
return (ISC_R_NOMEMORY);
rule->identity = NULL;
rule->name = NULL;
rule->types = NULL;
rule->grant = grant;
rule->identity = isc_mem_get(mctx, sizeof(dns_name_t));
if (rule->identity == NULL) {
result = ISC_R_NOMEMORY;
goto failure;
}
dns_name_init(rule->identity, NULL);
result = dns_name_dup(identity, mctx, rule->identity);
if (result != ISC_R_SUCCESS)
goto failure;
rule->name = isc_mem_get(mctx, sizeof(dns_name_t));
if (rule->name == NULL) {
result = ISC_R_NOMEMORY;
goto failure;
}
dns_name_init(rule->name, NULL);
result = dns_name_dup(name, mctx, rule->name);
if (result != ISC_R_SUCCESS)
goto failure;
rule->matchtype = matchtype;
rule->ntypes = ntypes;
if (ntypes > 0) {
rule->types = isc_mem_get(mctx,
ntypes * sizeof(dns_rdatatype_t));
if (rule->types == NULL) {
result = ISC_R_NOMEMORY;
goto failure;
}
memmove(rule->types, types, ntypes * sizeof(dns_rdatatype_t));
} else
rule->types = NULL;
rule->magic = SSURULEMAGIC;
ISC_LIST_INITANDAPPEND(table->rules, rule, link);
return (ISC_R_SUCCESS);
failure:
if (rule->identity != NULL) {
if (dns_name_dynamic(rule->identity))
dns_name_free(rule->identity, mctx);
isc_mem_put(mctx, rule->identity, sizeof(dns_name_t));
}
if (rule->name != NULL) {
if (dns_name_dynamic(rule->name))
dns_name_free(rule->name, mctx);
isc_mem_put(mctx, rule->name, sizeof(dns_name_t));
}
if (rule->types != NULL)
isc_mem_put(mctx, rule->types,
ntypes * sizeof(dns_rdatatype_t));
isc_mem_put(mctx, rule, sizeof(dns_ssurule_t));
return (result);
}
isc_result_t
dns_dnssec_sign(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
isc_stdtime_t *inception, isc_stdtime_t *expire,
isc_mem_t *mctx, isc_buffer_t *buffer, dns_rdata_t *sigrdata)
{
dns_rdata_rrsig_t sig;
dns_rdata_t tmpsigrdata;
dns_rdata_t *rdatas;
int nrdatas, i;
isc_buffer_t sigbuf, envbuf;
isc_region_t r;
dst_context_t *ctx = NULL;
isc_result_t ret;
isc_buffer_t *databuf = NULL;
char data[256 + 8];
isc_uint32_t flags;
unsigned int sigsize;
dns_fixedname_t fnewname;
REQUIRE(name != NULL);
REQUIRE(dns_name_countlabels(name) <= 255);
REQUIRE(set != NULL);
REQUIRE(key != NULL);
REQUIRE(inception != NULL);
REQUIRE(expire != NULL);
REQUIRE(mctx != NULL);
REQUIRE(sigrdata != NULL);
if (*inception >= *expire)
return (DNS_R_INVALIDTIME);
/*
* Is the key allowed to sign data?
*/
flags = dst_key_flags(key);
if (flags & DNS_KEYTYPE_NOAUTH)
return (DNS_R_KEYUNAUTHORIZED);
if ((flags & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE)
return (DNS_R_KEYUNAUTHORIZED);
sig.mctx = mctx;
sig.common.rdclass = set->rdclass;
sig.common.rdtype = dns_rdatatype_rrsig;
ISC_LINK_INIT(&sig.common, link);
dns_name_init(&sig.signer, NULL);
dns_name_clone(dst_key_name(key), &sig.signer);
sig.covered = set->type;
sig.algorithm = dst_key_alg(key);
sig.labels = dns_name_countlabels(name) - 1;
if (dns_name_iswildcard(name))
sig.labels--;
sig.originalttl = set->ttl;
sig.timesigned = *inception;
sig.timeexpire = *expire;
sig.keyid = dst_key_id(key);
ret = dst_key_sigsize(key, &sigsize);
if (ret != ISC_R_SUCCESS)
return (ret);
sig.siglen = sigsize;
/*
* The actual contents of sig.signature are not important yet, since
* they're not used in digest_sig().
*/
sig.signature = isc_mem_get(mctx, sig.siglen);
if (sig.signature == NULL)
return (ISC_R_NOMEMORY);
ret = isc_buffer_allocate(mctx, &databuf, sigsize + 256 + 18);
if (ret != ISC_R_SUCCESS)
goto cleanup_signature;
dns_rdata_init(&tmpsigrdata);
ret = dns_rdata_fromstruct(&tmpsigrdata, sig.common.rdclass,
sig.common.rdtype, &sig, databuf);
if (ret != ISC_R_SUCCESS)
goto cleanup_databuf;
ret = dst_context_create(key, mctx, &ctx);
if (ret != ISC_R_SUCCESS)
goto cleanup_databuf;
/*
* Digest the SIG rdata.
*/
ret = digest_sig(ctx, &tmpsigrdata, &sig);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
dns_fixedname_init(&fnewname);
RUNTIME_CHECK(dns_name_downcase(name, dns_fixedname_name(&fnewname),
NULL) == ISC_R_SUCCESS);
dns_name_toregion(dns_fixedname_name(&fnewname), &r);
/*
* Create an envelope for each rdata: <name|type|class|ttl>.
*/
isc_buffer_init(&envbuf, data, sizeof(data));
memcpy(data, r.base, r.length);
isc_buffer_add(&envbuf, r.length);
isc_buffer_putuint16(&envbuf, set->type);
isc_buffer_putuint16(&envbuf, set->rdclass);
isc_buffer_putuint32(&envbuf, set->ttl);
ret = rdataset_to_sortedarray(set, mctx, &rdatas, &nrdatas);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
isc_buffer_usedregion(&envbuf, &r);
for (i = 0; i < nrdatas; i++) {
isc_uint16_t len;
isc_buffer_t lenbuf;
isc_region_t lenr;
/*
* Skip duplicates.
*/
if (i > 0 && dns_rdata_compare(&rdatas[i], &rdatas[i-1]) == 0)
continue;
/*
* Digest the envelope.
*/
ret = dst_context_adddata(ctx, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_array;
/*
* Digest the length of the rdata.
*/
isc_buffer_init(&lenbuf, &len, sizeof(len));
INSIST(rdatas[i].length < 65536);
isc_buffer_putuint16(&lenbuf, (isc_uint16_t)rdatas[i].length);
isc_buffer_usedregion(&lenbuf, &lenr);
ret = dst_context_adddata(ctx, &lenr);
if (ret != ISC_R_SUCCESS)
goto cleanup_array;
/*
* Digest the rdata.
*/
ret = dns_rdata_digest(&rdatas[i], digest_callback, ctx);
if (ret != ISC_R_SUCCESS)
goto cleanup_array;
}
isc_buffer_init(&sigbuf, sig.signature, sig.siglen);
ret = dst_context_sign(ctx, &sigbuf);
if (ret != ISC_R_SUCCESS)
goto cleanup_array;
isc_buffer_usedregion(&sigbuf, &r);
if (r.length != sig.siglen) {
ret = ISC_R_NOSPACE;
goto cleanup_array;
}
memcpy(sig.signature, r.base, sig.siglen);
ret = dns_rdata_fromstruct(sigrdata, sig.common.rdclass,
sig.common.rdtype, &sig, buffer);
cleanup_array:
isc_mem_put(mctx, rdatas, nrdatas * sizeof(dns_rdata_t));
cleanup_context:
dst_context_destroy(&ctx);
cleanup_databuf:
isc_buffer_free(&databuf);
cleanup_signature:
isc_mem_put(mctx, sig.signature, sig.siglen);
return (ret);
}
int
main(int argc, char *argv[]) {
char s[1000];
isc_result_t result;
dns_fixedname_t wname, wname2, oname, compname, downname;
isc_buffer_t source;
isc_region_t r;
dns_name_t *name, *origin, *comp, *down;
isc_boolean_t downcase = ISC_FALSE;
size_t len;
isc_boolean_t quiet = ISC_FALSE;
isc_boolean_t concatenate = ISC_FALSE;
isc_boolean_t got_name = ISC_FALSE;
isc_boolean_t check_absolute = ISC_FALSE;
isc_boolean_t check_wildcard = ISC_FALSE;
isc_boolean_t test_downcase = ISC_FALSE;
isc_boolean_t inplace = ISC_FALSE;
isc_boolean_t want_split = ISC_FALSE;
unsigned int labels, split_label = 0;
dns_fixedname_t fprefix, fsuffix;
dns_name_t *prefix, *suffix;
int ch;
while ((ch = isc_commandline_parse(argc, argv, "acdiqs:w")) != -1) {
switch (ch) {
case 'a':
check_absolute = ISC_TRUE;
break;
case 'c':
concatenate = ISC_TRUE;
break;
case 'd':
test_downcase = ISC_TRUE;
break;
case 'i':
inplace = ISC_TRUE;
break;
case 'q':
quiet = ISC_TRUE;
break;
case 's':
want_split = ISC_TRUE;
split_label = atoi(isc_commandline_argument);
break;
case 'w':
check_wildcard = ISC_TRUE;
break;
}
}
argc -= isc_commandline_index;
argv += isc_commandline_index;
if (argc > 0) {
if (strcasecmp("none", argv[0]) == 0)
origin = NULL;
else {
len = strlen(argv[0]);
isc_buffer_init(&source, argv[0], len);
isc_buffer_add(&source, len);
dns_fixedname_init(&oname);
origin = &oname.name;
result = dns_name_fromtext(origin, &source,
dns_rootname, ISC_FALSE,
NULL);
if (result != 0) {
fprintf(stderr,
"dns_name_fromtext() failed: %d\n",
result);
exit(1);
}
}
} else if (concatenate)
origin = NULL;
else
origin = dns_rootname;
if (argc >= 1) {
if (strcasecmp("none", argv[1]) == 0)
comp = NULL;
else {
len = strlen(argv[1]);
isc_buffer_init(&source, argv[1], len);
isc_buffer_add(&source, len);
dns_fixedname_init(&compname);
comp = &compname.name;
result = dns_name_fromtext(comp, &source,
origin, ISC_FALSE, NULL);
if (result != 0) {
fprintf(stderr,
"dns_name_fromtext() failed: %d\n",
result);
exit(1);
}
}
} else
comp = NULL;
dns_fixedname_init(&wname);
name = dns_fixedname_name(&wname);
dns_fixedname_init(&wname2);
while (fgets(s, sizeof(s), stdin) != NULL) {
len = strlen(s);
if (len > 0U && s[len - 1] == '\n') {
s[len - 1] = '\0';
len--;
}
isc_buffer_init(&source, s, len);
isc_buffer_add(&source, len);
if (len > 0U)
result = dns_name_fromtext(name, &source, origin,
downcase, NULL);
else {
if (name == dns_fixedname_name(&wname))
dns_fixedname_init(&wname);
else
dns_fixedname_init(&wname2);
result = ISC_R_SUCCESS;
}
if (result != ISC_R_SUCCESS) {
printf("%s\n", dns_result_totext(result));
if (name == dns_fixedname_name(&wname))
dns_fixedname_init(&wname);
else
dns_fixedname_init(&wname2);
continue;
}
if (check_absolute && dns_name_countlabels(name) > 0) {
if (dns_name_isabsolute(name))
printf("absolute\n");
else
printf("relative\n");
}
if (check_wildcard && dns_name_countlabels(name) > 0) {
if (dns_name_iswildcard(name))
printf("wildcard\n");
else
printf("not wildcard\n");
}
dns_name_toregion(name, &r);
if (!quiet) {
print_wirename(&r);
printf("%u labels, %u bytes.\n",
dns_name_countlabels(name), r.length);
}
if (concatenate) {
if (got_name) {
printf("Concatenating.\n");
result = dns_name_concatenate(&wname.name,
&wname2.name,
&wname2.name,
NULL);
name = &wname2.name;
if (result == ISC_R_SUCCESS) {
if (check_absolute &&
dns_name_countlabels(name) > 0) {
if (dns_name_isabsolute(name))
printf("absolute\n");
else
printf("relative\n");
}
if (check_wildcard &&
dns_name_countlabels(name) > 0) {
if (dns_name_iswildcard(name))
printf("wildcard\n");
else
printf("not "
"wildcard\n");
}
dns_name_toregion(name, &r);
if (!quiet) {
print_wirename(&r);
printf("%u labels, "
"%u bytes.\n",
dns_name_countlabels(name),
r.length);
}
} else
printf("%s\n",
dns_result_totext(result));
got_name = ISC_FALSE;
} else
got_name = ISC_TRUE;
}
isc_buffer_init(&source, s, sizeof(s));
if (dns_name_countlabels(name) > 0)
result = dns_name_totext(name, ISC_FALSE, &source);
else
result = ISC_R_SUCCESS;
if (result == ISC_R_SUCCESS) {
isc_buffer_usedregion(&source, &r);
if (r.length > 0)
printf("%.*s\n", (int)r.length, r.base);
else
printf("<empty text name>\n");
if (!quiet) {
printf("%u bytes.\n", source.used);
}
} else
printf("%s\n", dns_result_totext(result));
if (test_downcase) {
if (inplace) {
down = name;
} else {
dns_fixedname_init(&downname);
down = dns_fixedname_name(&downname);
}
result = dns_name_downcase(name, down, NULL);
INSIST(result == ISC_R_SUCCESS);
if (!quiet) {
dns_name_toregion(down, &r);
print_wirename(&r);
printf("%u labels, %u bytes.\n",
dns_name_countlabels(down),
r.length);
}
isc_buffer_init(&source, s, sizeof(s));
print_name(down);
}
if (comp != NULL && dns_name_countlabels(name) > 0) {
int order;
unsigned int nlabels;
dns_namereln_t namereln;
namereln = dns_name_fullcompare(name, comp, &order,
&nlabels);
if (!quiet) {
if (order < 0)
printf("<");
else if (order > 0)
printf(">");
else
printf("=");
switch (namereln) {
case dns_namereln_contains:
printf(", contains");
break;
case dns_namereln_subdomain:
printf(", subdomain");
break;
case dns_namereln_commonancestor:
printf(", common ancestor");
break;
default:
break;
}
if (namereln != dns_namereln_none &&
namereln != dns_namereln_equal)
printf(", nlabels = %u", nlabels);
printf("\n");
}
printf("dns_name_equal() returns %s\n",
dns_name_equal(name, comp) ? "TRUE" : "FALSE");
}
labels = dns_name_countlabels(name);
if (want_split && split_label < labels) {
dns_fixedname_init(&fprefix);
prefix = dns_fixedname_name(&fprefix);
dns_fixedname_init(&fsuffix);
suffix = dns_fixedname_name(&fsuffix);
printf("splitting at label %u: ", split_label);
dns_name_split(name, split_label, prefix, suffix);
printf("\n prefix = ");
print_name(prefix);
printf(" suffix = ");
print_name(suffix);
}
if (concatenate) {
if (got_name)
name = &wname2.name;
else
name = &wname.name;
}
}
return (0);
}
isc_result_t
acl_configure_zone_ssutable(const char *policy_str, dns_zone_t *zone)
{
isc_result_t result = ISC_R_SUCCESS;
cfg_parser_t *parser = NULL;
const cfg_listelt_t *el;
cfg_obj_t *policy = NULL;
dns_ssutable_t *table = NULL;
ld_string_t *new_policy_str = NULL;
isc_mem_t *mctx;
REQUIRE(zone != NULL);
mctx = dns_zone_getmctx(zone);
if (policy_str == NULL)
goto cleanup;
CHECK(bracket_str(mctx, policy_str, &new_policy_str));
CHECK(cfg_parser_create(mctx, dns_lctx, &parser));
result = cfg_parse_strbuf(parser, str_buf(new_policy_str), &cfg_type_update_policy, &policy);
if (result != ISC_R_SUCCESS) {
dns_zone_log(zone, ISC_LOG_ERROR,
"failed to parse policy string");
goto cleanup;
}
CHECK(dns_ssutable_create(mctx, &table));
for (el = cfg_list_first(policy); el != NULL; el = cfg_list_next(el)) {
const cfg_obj_t *stmt;
isc_boolean_t grant;
unsigned int match_type;
dns_fixedname_t fname, fident;
dns_rdatatype_t *types;
unsigned int n;
types = NULL;
stmt = cfg_listelt_value(el);
CHECK(get_mode(stmt, &grant));
CHECK(get_match_type(stmt, &match_type));
CHECK(get_fixed_name(stmt, "identity", &fident));
/* Use zone name for 'zonesub' match type */
result = get_fixed_name(stmt, "name", &fname);
if (result == ISC_R_NOTFOUND &&
match_type == DNS_SSUMATCHTYPE_SUBDOMAIN) {
dns_fixedname_init(&fname);
CHECK(dns_name_copy(dns_zone_getorigin(zone),
dns_fixedname_name(&fname),
&fname.buffer));
}
else if (result != ISC_R_SUCCESS)
goto cleanup;
CHECK(get_types(mctx, stmt, &types, &n));
if (match_type == DNS_SSUMATCHTYPE_WILDCARD &&
!dns_name_iswildcard(dns_fixedname_name(&fname))) {
char name[DNS_NAME_FORMATSIZE];
dns_name_format(dns_fixedname_name(&fname), name,
DNS_NAME_FORMATSIZE);
dns_zone_log(zone, ISC_LOG_ERROR,
"invalid update policy: "
"name '%s' is expected to be a wildcard",
name);
CLEANUP_WITH(DNS_R_BADNAME);
}
result = dns_ssutable_addrule(table, grant,
dns_fixedname_name(&fident),
match_type,
dns_fixedname_name(&fname),
n, types);
SAFE_MEM_PUT(mctx, types, n * sizeof(dns_rdatatype_t));
if (result != ISC_R_SUCCESS)
goto cleanup;
}
cleanup:
if (result == ISC_R_SUCCESS)
dns_zone_setssutable(zone, table);
str_destroy(&new_policy_str);
if (policy != NULL)
cfg_obj_destroy(parser, &policy);
if (parser != NULL)
cfg_parser_destroy(&parser);
if (table != NULL)
dns_ssutable_detach(&table);
return result;
}
