isc_result_t
dst_key_todns(const dst_key_t *key, isc_buffer_t *target) {
REQUIRE(dst_initialized == ISC_TRUE);
REQUIRE(VALID_KEY(key));
REQUIRE(target != NULL);
CHECKALG(key->key_alg);
if (key->func->todns == NULL)
return (DST_R_UNSUPPORTEDALG);
if (isc_buffer_availablelength(target) < 4)
return (ISC_R_NOSPACE);
isc_buffer_putuint16(target, (isc_uint16_t)(key->key_flags & 0xffff));
isc_buffer_putuint8(target, (isc_uint8_t)key->key_proto);
isc_buffer_putuint8(target, (isc_uint8_t)key->key_alg);
if (key->key_flags & DNS_KEYFLAG_EXTENDED) {
if (isc_buffer_availablelength(target) < 2)
return (ISC_R_NOSPACE);
isc_buffer_putuint16(target,
(isc_uint16_t)((key->key_flags >> 16)
& 0xffff));
}
if (key->keydata.generic == NULL) /*%< NULL KEY */
return (ISC_R_SUCCESS);
return (key->func->todns(key, target));
}
static isc_result_t
pkcs11rsa_todns(const dst_key_t *key, isc_buffer_t *data) {
pk11_object_t *rsa;
CK_ATTRIBUTE *attr;
isc_region_t r;
unsigned int e_bytes = 0, mod_bytes = 0;
CK_BYTE *exponent = NULL, *modulus = NULL;
REQUIRE(key->keydata.pkey != NULL);
rsa = key->keydata.pkey;
for (attr = pk11_attribute_first(rsa);
attr != NULL;
attr = pk11_attribute_next(rsa, attr))
switch (attr->type) {
case CKA_PUBLIC_EXPONENT:
exponent = (CK_BYTE *) attr->pValue;
e_bytes = (unsigned int) attr->ulValueLen;
break;
case CKA_MODULUS:
modulus = (CK_BYTE *) attr->pValue;
mod_bytes = (unsigned int) attr->ulValueLen;
break;
}
REQUIRE((exponent != NULL) && (modulus != NULL));
isc_buffer_availableregion(data, &r);
if (e_bytes < 256) { /*%< key exponent is <= 2040 bits */
if (r.length < 1)
return (ISC_R_NOSPACE);
isc_buffer_putuint8(data, (isc_uint8_t) e_bytes);
isc_region_consume(&r, 1);
} else {
if (r.length < 3)
return (ISC_R_NOSPACE);
isc_buffer_putuint8(data, 0);
isc_buffer_putuint16(data, (isc_uint16_t) e_bytes);
isc_region_consume(&r, 3);
}
if (r.length < e_bytes + mod_bytes)
return (ISC_R_NOSPACE);
memmove(r.base, exponent, e_bytes);
isc_region_consume(&r, e_bytes);
memmove(r.base, modulus, mod_bytes);
isc_buffer_add(data, e_bytes + mod_bytes);
return (ISC_R_SUCCESS);
}
/**
* @pre closure points to a valid isc_buffer
* @pre isc_buffer has non-NULL mctx
* @pre isc_buffer has NULL buffer OR a buffer allocated from mctx
*
* @post closure contains \0 terminated string which is concatenation
* of previous context and input text
*/
static void
buffer_append_str(void *closure, const char *text, int textlen) {
isc_buffer_t *out_buf = closure;
isc_region_t new_space;
isc_region_t old_space;
REQUIRE(ISC_BUFFER_VALID(out_buf));
REQUIRE(out_buf->mctx != NULL);
REQUIRE(text != NULL);
/* Allocate sufficiently long output buffer. */
isc_buffer_region(out_buf, &old_space);
new_space.length = isc_buffer_length(out_buf) + textlen + 1;
new_space.base = isc_mem_get(out_buf->mctx, new_space.length);
RUNTIME_CHECK(new_space.base != NULL);
isc_buffer_reinit(out_buf, new_space.base, new_space.length);
if (old_space.base != NULL)
isc_mem_put(out_buf->mctx, old_space.base, old_space.length);
/* Append output text and \0-terminate it.
* Overwrite \0 at the end if needed. */
if (isc_buffer_usedlength(out_buf) != 0)
/* Previous string is \0 terminated, chop \0. */
isc_buffer_subtract(out_buf, 1);
isc_buffer_putstr(out_buf, text);
isc_buffer_putuint8(out_buf, '\0');
}
/**
* Generate dummy string which looks like list of forwarders
* with list_len elements. This string might be fed into cfg parser.
*
* Caller has to deallocate resulting dummy_string.
*/
static isc_result_t
fwd_list_gen_dummy_config_string(isc_mem_t *mctx, size_t list_len,
isc_buffer_t **dummy_string) {
isc_result_t result;
const char prefix[] = "{ ";
const char suffix[] = "} // dummy string, please ignore";
const char fill[] = "127.0.0.1; ";
size_t target_size = sizeof(prefix) \
+ list_len*sizeof(fill)
+ sizeof(suffix)
+ 1; /* \0 */
isc_buffer_t *output = NULL;
REQUIRE(dummy_string != NULL && *dummy_string == NULL);
CHECK(isc_buffer_allocate(mctx, &output, target_size));
isc_buffer_putstr(output, prefix);
for (size_t i = 0; i < list_len; i++)
isc_buffer_putstr(output, fill);
isc_buffer_putstr(output, suffix);
isc_buffer_putuint8(output, '\0');
*dummy_string = output;
cleanup:
if (result != ISC_R_SUCCESS && output != NULL)
isc_buffer_free(&output);
return result;
}
static inline void
name_to_gbuffer(dns_name_t *name, isc_buffer_t *buffer,
gss_buffer_desc *gbuffer)
{
dns_name_t tname, *namep;
isc_region_t r;
isc_result_t result;
if (!dns_name_isabsolute(name))
namep = name;
else
{
unsigned int labels;
dns_name_init(&tname, NULL);
labels = dns_name_countlabels(name);
dns_name_getlabelsequence(name, 0, labels - 1, &tname);
namep = &tname;
}
result = dns_name_toprincipal(namep, buffer);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
isc_buffer_putuint8(buffer, 0);
isc_buffer_usedregion(buffer, &r);
REGION_TO_GBUFFER(r, *gbuffer);
}
isc_result_t
dst_key_getfilename(dns_name_t *name, dns_keytag_t id,
unsigned int alg, int type, const char *directory,
isc_mem_t *mctx, isc_buffer_t *buf)
{
isc_result_t result;
REQUIRE(dst_initialized == ISC_TRUE);
REQUIRE(dns_name_isabsolute(name));
REQUIRE((type & (DST_TYPE_PRIVATE | DST_TYPE_PUBLIC)) != 0);
REQUIRE(mctx != NULL);
REQUIRE(buf != NULL);
CHECKALG(alg);
result = buildfilename(name, id, alg, type, directory, buf);
if (result == ISC_R_SUCCESS) {
if (isc_buffer_availablelength(buf) > 0)
isc_buffer_putuint8(buf, 0);
else
result = ISC_R_NOSPACE;
}
return (result);
}
static isc_result_t
loadkeyset(char *dirname, dns_rdataset_t *rdataset) {
isc_result_t result;
char filename[PATH_MAX + 1];
isc_buffer_t buf;
dns_rdataset_init(rdataset);
isc_buffer_init(&buf, filename, sizeof(filename));
if (dirname != NULL) {
/* allow room for a trailing slash */
if (strlen(dirname) >= isc_buffer_availablelength(&buf))
return (ISC_R_NOSPACE);
isc_buffer_putstr(&buf, dirname);
if (dirname[strlen(dirname) - 1] != '/')
isc_buffer_putstr(&buf, "/");
}
if (isc_buffer_availablelength(&buf) < 7)
return (ISC_R_NOSPACE);
isc_buffer_putstr(&buf, "keyset-");
result = dns_name_tofilenametext(name, ISC_FALSE, &buf);
check_result(result, "dns_name_tofilenametext()");
if (isc_buffer_availablelength(&buf) == 0)
return (ISC_R_NOSPACE);
isc_buffer_putuint8(&buf, 0);
return (loadsetfromfile(filename, rdataset));
}
static isc_result_t
opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data) {
RSA *rsa;
isc_region_t r;
unsigned int e_bytes;
unsigned int mod_bytes;
REQUIRE(key->opaque != NULL);
rsa = (RSA *) key->opaque;
isc_buffer_availableregion(data, &r);
e_bytes = BN_num_bytes(rsa->e);
mod_bytes = BN_num_bytes(rsa->n);
if (e_bytes < 256) { /* key exponent is <= 2040 bits */
if (r.length < 1)
return (ISC_R_NOSPACE);
isc_buffer_putuint8(data, (isc_uint8_t) e_bytes);
} else {
if (r.length < 3)
return (ISC_R_NOSPACE);
isc_buffer_putuint8(data, 0);
isc_buffer_putuint16(data, (isc_uint16_t) e_bytes);
}
if (r.length < e_bytes + mod_bytes)
return (ISC_R_NOSPACE);
isc_buffer_availableregion(data, &r);
BN_bn2bin(rsa->e, r.base);
r.base += e_bytes;
BN_bn2bin(rsa->n, r.base);
isc_buffer_add(data, e_bytes + mod_bytes);
return (ISC_R_SUCCESS);
}
static isc_result_t
read_one_line(perf_datafile_t *dfile, isc_buffer_t *lines)
{
const char *cur;
unsigned int length, curlen, nrem;
isc_result_t result;
while (ISC_TRUE) {
/* Get the current line */
cur = isc_buffer_current(&dfile->data);
curlen = strcspn(cur, "\n");
/*
* If the current line contains the rest of the buffer,
* we need to read more (unless the full file is cached).
*/
nrem = isc_buffer_remaininglength(&dfile->data);
if (curlen == nrem) {
if (! dfile->cached) {
result = read_more(dfile);
if (result != ISC_R_SUCCESS)
return (result);
}
if (isc_buffer_remaininglength(&dfile->data) == 0) {
dfile->nruns++;
return (ISC_R_EOF);
}
if (isc_buffer_remaininglength(&dfile->data) > nrem)
continue;
}
/* We now have a line. Advance the buffer past it. */
isc_buffer_forward(&dfile->data, curlen);
if (isc_buffer_remaininglength(&dfile->data) > 0)
isc_buffer_forward(&dfile->data, 1);
/* If the line is empty or a comment, we need to try again. */
if (curlen > 0 && cur[0] != ';')
break;
}
length = isc_buffer_availablelength(lines);
if (curlen > length - 1)
curlen = length - 1;
isc_buffer_putmem(lines, cur, curlen);
isc_buffer_putuint8(lines, 0);
return (ISC_R_SUCCESS);
}
void
dns_rdataclass_format(dns_rdataclass_t rdclass,
char *array, unsigned int size)
{
isc_result_t result;
isc_buffer_t buf;
isc_buffer_init(&buf, array, size);
result = dns_rdataclass_totext(rdclass, &buf);
/*
* Null terminate.
*/
if (result == ISC_R_SUCCESS) {
if (isc_buffer_availablelength(&buf) >= 1)
isc_buffer_putuint8(&buf, 0);
else
result = ISC_R_NOSPACE;
}
if (result != ISC_R_SUCCESS) {
snprintf(array, size, "<unknown>");
array[size - 1] = '\0';
}
}
void
dns_rdataclass_format(dns_rdataclass_t rdclass,
char *array, unsigned int size)
{
isc_result_t result;
isc_buffer_t buf;
if (size == 0U)
return;
isc_buffer_init(&buf, array, size);
result = dns_rdataclass_totext(rdclass, &buf);
/*
* Null terminate.
*/
if (result == ISC_R_SUCCESS) {
if (isc_buffer_availablelength(&buf) >= 1)
isc_buffer_putuint8(&buf, 0);
else
result = ISC_R_NOSPACE;
}
if (result != ISC_R_SUCCESS)
strlcpy(array, "<unknown>", size);
}
isc_result_t
dns_dnssec_verify2(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
isc_boolean_t ignoretime, isc_mem_t *mctx,
dns_rdata_t *sigrdata, dns_name_t *wild)
{
dns_rdata_rrsig_t sig;
dns_fixedname_t fnewname;
isc_region_t r;
isc_buffer_t envbuf;
dns_rdata_t *rdatas;
int nrdatas, i;
isc_stdtime_t now;
isc_result_t ret;
unsigned char data[300];
dst_context_t *ctx = NULL;
int labels = 0;
isc_uint32_t flags;
REQUIRE(name != NULL);
REQUIRE(set != NULL);
REQUIRE(key != NULL);
REQUIRE(mctx != NULL);
REQUIRE(sigrdata != NULL && sigrdata->type == dns_rdatatype_rrsig);
ret = dns_rdata_tostruct(sigrdata, &sig, NULL);
if (ret != ISC_R_SUCCESS)
return (ret);
if (isc_serial_lt(sig.timeexpire, sig.timesigned))
return (DNS_R_SIGINVALID);
if (!ignoretime) {
isc_stdtime_get(&now);
/*
* Is SIG temporally valid?
*/
if (isc_serial_lt((isc_uint32_t)now, sig.timesigned))
return (DNS_R_SIGFUTURE);
else if (isc_serial_lt(sig.timeexpire, (isc_uint32_t)now))
return (DNS_R_SIGEXPIRED);
}
/*
* Is the key allowed to sign data?
*/
flags = dst_key_flags(key);
if (flags & DNS_KEYTYPE_NOAUTH)
return (DNS_R_KEYUNAUTHORIZED);
if ((flags & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE)
return (DNS_R_KEYUNAUTHORIZED);
ret = dst_context_create(key, mctx, &ctx);
if (ret != ISC_R_SUCCESS)
goto cleanup_struct;
/*
* Digest the SIG rdata (not including the signature).
*/
ret = digest_sig(ctx, sigrdata, &sig);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
/*
* If the name is an expanded wildcard, use the wildcard name.
*/
dns_fixedname_init(&fnewname);
labels = dns_name_countlabels(name) - 1;
RUNTIME_CHECK(dns_name_downcase(name, dns_fixedname_name(&fnewname),
NULL) == ISC_R_SUCCESS);
if (labels - sig.labels > 0)
dns_name_split(dns_fixedname_name(&fnewname), sig.labels + 1,
NULL, dns_fixedname_name(&fnewname));
dns_name_toregion(dns_fixedname_name(&fnewname), &r);
/*
* Create an envelope for each rdata: <name|type|class|ttl>.
*/
isc_buffer_init(&envbuf, data, sizeof(data));
if (labels - sig.labels > 0) {
isc_buffer_putuint8(&envbuf, 1);
isc_buffer_putuint8(&envbuf, '*');
memcpy(data + 2, r.base, r.length);
}
else
memcpy(data, r.base, r.length);
isc_buffer_add(&envbuf, r.length);
isc_buffer_putuint16(&envbuf, set->type);
isc_buffer_putuint16(&envbuf, set->rdclass);
isc_buffer_putuint32(&envbuf, sig.originalttl);
ret = rdataset_to_sortedarray(set, mctx, &rdatas, &nrdatas);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
isc_buffer_usedregion(&envbuf, &r);
for (i = 0; i < nrdatas; i++) {
isc_uint16_t len;
isc_buffer_t lenbuf;
isc_region_t lenr;
/*
* Skip duplicates.
*/
if (i > 0 && dns_rdata_compare(&rdatas[i], &rdatas[i-1]) == 0)
continue;
/*
* Digest the envelope.
*/
ret = dst_context_adddata(ctx, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_array;
/*
* Digest the rdata length.
*/
isc_buffer_init(&lenbuf, &len, sizeof(len));
INSIST(rdatas[i].length < 65536);
isc_buffer_putuint16(&lenbuf, (isc_uint16_t)rdatas[i].length);
isc_buffer_usedregion(&lenbuf, &lenr);
/*
* Digest the rdata.
*/
ret = dst_context_adddata(ctx, &lenr);
if (ret != ISC_R_SUCCESS)
goto cleanup_array;
ret = dns_rdata_digest(&rdatas[i], digest_callback, ctx);
if (ret != ISC_R_SUCCESS)
goto cleanup_array;
}
r.base = sig.signature;
r.length = sig.siglen;
ret = dst_context_verify(ctx, &r);
if (ret == DST_R_VERIFYFAILURE)
ret = DNS_R_SIGINVALID;
cleanup_array:
isc_mem_put(mctx, rdatas, nrdatas * sizeof(dns_rdata_t));
cleanup_context:
dst_context_destroy(&ctx);
cleanup_struct:
dns_rdata_freestruct(&sig);
if (ret == ISC_R_SUCCESS && labels - sig.labels > 0) {
if (wild != NULL)
RUNTIME_CHECK(dns_name_concatenate(dns_wildcardname,
dns_fixedname_name(&fnewname),
wild, NULL) == ISC_R_SUCCESS);
ret = DNS_R_FROMWILDCARD;
}
return (ret);
}
static isc_result_t
opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data) {
isc_region_t r;
unsigned int e_bytes;
unsigned int mod_bytes;
isc_result_t ret;
RSA *rsa;
#if USE_EVP
EVP_PKEY *pkey;
#endif
#if USE_EVP
REQUIRE(key->keydata.pkey != NULL);
#else
REQUIRE(key->keydata.rsa != NULL);
#endif
#if USE_EVP
pkey = key->keydata.pkey;
rsa = EVP_PKEY_get1_RSA(pkey);
if (rsa == NULL)
return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
#else
rsa = key->keydata.rsa;
#endif
isc_buffer_availableregion(data, &r);
e_bytes = BN_num_bytes(rsa->e);
mod_bytes = BN_num_bytes(rsa->n);
if (e_bytes < 256) { /*%< key exponent is <= 2040 bits */
if (r.length < 1)
DST_RET(ISC_R_NOSPACE);
isc_buffer_putuint8(data, (isc_uint8_t) e_bytes);
isc_region_consume(&r, 1);
} else {
if (r.length < 3)
DST_RET(ISC_R_NOSPACE);
isc_buffer_putuint8(data, 0);
isc_buffer_putuint16(data, (isc_uint16_t) e_bytes);
isc_region_consume(&r, 3);
}
if (r.length < e_bytes + mod_bytes)
DST_RET(ISC_R_NOSPACE);
BN_bn2bin(rsa->e, r.base);
isc_region_consume(&r, e_bytes);
BN_bn2bin(rsa->n, r.base);
isc_buffer_add(data, e_bytes + mod_bytes);
ret = ISC_R_SUCCESS;
err:
#if USE_EVP
if (rsa != NULL)
RSA_free(rsa);
#endif
return (ret);
}
isc_boolean_t
dst_gssapi_identitymatchesrealmkrb5(dns_name_t *signer, dns_name_t *name,
dns_name_t *realm)
{
#ifdef GSSAPI
char sbuf[DNS_NAME_FORMATSIZE];
char nbuf[DNS_NAME_FORMATSIZE];
char rbuf[DNS_NAME_FORMATSIZE];
char *sname;
char *rname;
isc_buffer_t buffer;
/*
* It is far, far easier to write the names we are looking at into
* a string, and do string operations on them.
*/
isc_buffer_init(&buffer, sbuf, sizeof(sbuf));
dns_name_toprincipal(signer, &buffer);
isc_buffer_putuint8(&buffer, 0);
if (name != NULL)
dns_name_format(name, nbuf, sizeof(nbuf));
dns_name_format(realm, rbuf, sizeof(rbuf));
/*
* Find the realm portion. This is the part after the @. If it
* does not exist, we don't have something we like, so we fail our
* compare.
*/
rname = strchr(sbuf, '@');
if (rname == NULL)
return (isc_boolean_false);
*rname = '\0';
rname++;
/*
* Find the host portion of the signer's name. We do this by
* searching for the first / character. We then check to make
* certain the instance name is "host"
*
* This will work for
* host/[email protected]
*/
sname = strchr(sbuf, '/');
if (sname == NULL)
return (isc_boolean_false);
*sname = '\0';
sname++;
if (strcmp(sbuf, "host") != 0)
return (isc_boolean_false);
/*
* Now, we do a simple comparison between the name and the realm.
*/
if (name != NULL) {
if ((strcasecmp(sname, nbuf) == 0)
&& (strcmp(rname, rbuf) == 0))
return (isc_boolean_true);
} else {
if (strcmp(rname, rbuf) == 0)
return (isc_boolean_true);
}
return (isc_boolean_false);
#else
UNUSED(signer);
UNUSED(name);
UNUSED(realm);
return (isc_boolean_false);
#endif
}
static void
nsec3hash(nsec3printer *nsec3print, const char *algostr, const char *flagstr,
const char *iterstr, const char *saltstr, const char *domain)
{
dns_fixedname_t fixed;
dns_name_t *name;
isc_buffer_t buffer;
isc_region_t region;
isc_result_t result;
unsigned char hash[NSEC3_MAX_HASH_LENGTH];
unsigned char salt[DNS_NSEC3_SALTSIZE];
unsigned char text[1024];
unsigned int hash_alg;
unsigned int flags;
unsigned int length;
unsigned int iterations;
unsigned int salt_length;
const char dash[] = "-";
if (strcmp(saltstr, "-") == 0) {
salt_length = 0;
salt[0] = 0;
} else {
isc_buffer_init(&buffer, salt, sizeof(salt));
result = isc_hex_decodestring(saltstr, &buffer);
check_result(result, "isc_hex_decodestring(salt)");
salt_length = isc_buffer_usedlength(&buffer);
if (salt_length > DNS_NSEC3_SALTSIZE)
fatal("salt too long");
if (salt_length == 0)
saltstr = dash;
}
hash_alg = atoi(algostr);
if (hash_alg > 255U)
fatal("hash algorithm too large");
flags = flagstr == NULL ? 0 : atoi(flagstr);
if (flags > 255U)
fatal("flags too large");
iterations = atoi(iterstr);
if (iterations > 0xffffU)
fatal("iterations to large");
dns_fixedname_init(&fixed);
name = dns_fixedname_name(&fixed);
isc_buffer_constinit(&buffer, domain, strlen(domain));
isc_buffer_add(&buffer, strlen(domain));
result = dns_name_fromtext(name, &buffer, dns_rootname, 0, NULL);
check_result(result, "dns_name_fromtext() failed");
dns_name_downcase(name, name, NULL);
length = isc_iterated_hash(hash, hash_alg, iterations, salt,
salt_length, name->ndata, name->length);
if (length == 0)
fatal("isc_iterated_hash failed");
region.base = hash;
region.length = length;
isc_buffer_init(&buffer, text, sizeof(text));
isc_base32hexnp_totext(®ion, 1, "", &buffer);
isc_buffer_putuint8(&buffer, '\0');
nsec3print(hash_alg, flags, iterations, saltstr, domain, (char *)text);
}
int
main(int argc, char *argv[]) {
int i, ch;
char *startstr = NULL, *endstr = NULL;
dns_fixedname_t fdomain;
dns_name_t *domain = NULL;
char *output = NULL;
char *endp;
unsigned char data[65536];
dns_db_t *db;
dns_dbversion_t *version;
dns_diff_t diff;
dns_difftuple_t *tuple;
dns_fixedname_t tname;
dst_key_t *key = NULL;
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdataset_t rdataset;
dns_rdataclass_t rdclass;
isc_result_t result;
isc_buffer_t b;
isc_region_t r;
isc_log_t *log = NULL;
keynode_t *keynode;
unsigned int eflags;
isc_boolean_t pseudorandom = ISC_FALSE;
isc_boolean_t tryverify = ISC_FALSE;
result = isc_mem_create(0, 0, &mctx);
if (result != ISC_R_SUCCESS)
fatal("failed to create memory context: %s",
isc_result_totext(result));
dns_result_register();
while ((ch = isc_commandline_parse(argc, argv, "as:e:t:r:v:ph")) != -1)
{
switch (ch) {
case 'a':
tryverify = ISC_TRUE;
break;
case 's':
startstr = isc_commandline_argument;
break;
case 'e':
endstr = isc_commandline_argument;
break;
case 't':
endp = NULL;
ttl = strtol(isc_commandline_argument, &endp, 0);
if (*endp != '\0')
fatal("TTL must be numeric");
break;
case 'r':
setup_entropy(mctx, isc_commandline_argument, &ectx);
break;
case 'v':
endp = NULL;
verbose = strtol(isc_commandline_argument, &endp, 0);
if (*endp != '\0')
fatal("verbose level must be numeric");
break;
case 'p':
pseudorandom = ISC_TRUE;
break;
case 'h':
default:
usage();
}
}
argc -= isc_commandline_index;
argv += isc_commandline_index;
if (argc < 1)
usage();
if (ectx == NULL)
setup_entropy(mctx, NULL, &ectx);
eflags = ISC_ENTROPY_BLOCKING;
if (!pseudorandom)
eflags |= ISC_ENTROPY_GOODONLY;
result = dst_lib_init(mctx, ectx, eflags);
if (result != ISC_R_SUCCESS)
fatal("could not initialize dst: %s",
isc_result_totext(result));
isc_stdtime_get(&now);
if (startstr != NULL)
starttime = strtotime(startstr, now, now);
else
starttime = now;
if (endstr != NULL)
endtime = strtotime(endstr, now, starttime);
else
endtime = starttime + (30 * 24 * 60 * 60);
if (ttl == -1) {
ttl = 3600;
fprintf(stderr, "%s: TTL not specified, assuming 3600\n",
program);
}
setup_logging(verbose, mctx, &log);
dns_diff_init(mctx, &diff);
rdclass = 0;
ISC_LIST_INIT(keylist);
for (i = 0; i < argc; i++) {
char namestr[DNS_NAME_FORMATSIZE];
isc_buffer_t namebuf;
key = NULL;
result = dst_key_fromnamedfile(argv[i], DST_TYPE_PUBLIC,
mctx, &key);
if (result != ISC_R_SUCCESS)
fatal("error loading key from %s: %s", argv[i],
isc_result_totext(result));
if (rdclass == 0)
rdclass = dst_key_class(key);
isc_buffer_init(&namebuf, namestr, sizeof(namestr));
result = dns_name_tofilenametext(dst_key_name(key),
ISC_FALSE,
&namebuf);
check_result(result, "dns_name_tofilenametext");
isc_buffer_putuint8(&namebuf, 0);
if (domain == NULL) {
dns_fixedname_init(&fdomain);
domain = dns_fixedname_name(&fdomain);
dns_name_copy(dst_key_name(key), domain, NULL);
} else if (!dns_name_equal(domain, dst_key_name(key))) {
char str[DNS_NAME_FORMATSIZE];
dns_name_format(domain, str, sizeof(str));
fatal("all keys must have the same owner - %s "
"and %s do not match", str, namestr);
}
if (output == NULL) {
output = isc_mem_allocate(mctx,
strlen("keyset-") +
strlen(namestr) + 1);
if (output == NULL)
fatal("out of memory");
sprintf(output, "keyset-%s", namestr);
}
if (dst_key_iszonekey(key)) {
dst_key_t *zonekey = NULL;
result = dst_key_fromnamedfile(argv[i],
DST_TYPE_PUBLIC |
DST_TYPE_PRIVATE,
mctx, &zonekey);
if (result != ISC_R_SUCCESS)
fatal("failed to read private key %s: %s",
argv[i], isc_result_totext(result));
if (!zonekey_on_list(zonekey)) {
keynode = isc_mem_get(mctx, sizeof(keynode_t));
if (keynode == NULL)
fatal("out of memory");
keynode->key = zonekey;
ISC_LIST_INITANDAPPEND(keylist, keynode, link);
} else
dst_key_free(&zonekey);
}
dns_rdata_reset(&rdata);
isc_buffer_init(&b, data, sizeof(data));
result = dst_key_todns(key, &b);
dst_key_free(&key);
if (result != ISC_R_SUCCESS)
fatal("failed to convert key %s to a DNS KEY: %s",
argv[i], isc_result_totext(result));
isc_buffer_usedregion(&b, &r);
dns_rdata_fromregion(&rdata, rdclass, dns_rdatatype_dnskey, &r);
tuple = NULL;
result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD,
domain, ttl, &rdata, &tuple);
check_result(result, "dns_difftuple_create");
dns_diff_append(&diff, &tuple);
}
db = NULL;
result = dns_db_create(mctx, "rbt", dns_rootname, dns_dbtype_zone,
rdclass, 0, NULL, &db);
if (result != ISC_R_SUCCESS)
fatal("failed to create a database");
version = NULL;
dns_db_newversion(db, &version);
result = dns_diff_apply(&diff, db, version);
check_result(result, "dns_diff_apply");
dns_diff_clear(&diff);
dns_fixedname_init(&tname);
dns_rdataset_init(&rdataset);
result = dns_db_find(db, domain, version, dns_rdatatype_dnskey, 0, 0,
NULL, dns_fixedname_name(&tname), &rdataset,
NULL);
check_result(result, "dns_db_find");
if (ISC_LIST_EMPTY(keylist))
fprintf(stderr,
"%s: no private zone key found; not self-signing\n",
program);
for (keynode = ISC_LIST_HEAD(keylist);
keynode != NULL;
keynode = ISC_LIST_NEXT(keynode, link))
{
dns_rdata_reset(&rdata);
isc_buffer_init(&b, data, sizeof(data));
result = dns_dnssec_sign(domain, &rdataset, keynode->key,
&starttime, &endtime, mctx, &b,
&rdata);
isc_entropy_stopcallbacksources(ectx);
if (result != ISC_R_SUCCESS) {
char keystr[KEY_FORMATSIZE];
key_format(keynode->key, keystr, sizeof(keystr));
fatal("failed to sign keyset with key %s: %s",
keystr, isc_result_totext(result));
}
if (tryverify) {
result = dns_dnssec_verify(domain, &rdataset,
keynode->key, ISC_TRUE,
mctx, &rdata);
if (result != ISC_R_SUCCESS) {
char keystr[KEY_FORMATSIZE];
key_format(keynode->key, keystr, sizeof(keystr));
fatal("signature from key '%s' failed to "
"verify: %s",
keystr, isc_result_totext(result));
}
}
tuple = NULL;
result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD,
domain, ttl, &rdata, &tuple);
check_result(result, "dns_difftuple_create");
dns_diff_append(&diff, &tuple);
}
result = dns_diff_apply(&diff, db, version);
check_result(result, "dns_diff_apply");
dns_diff_clear(&diff);
dns_rdataset_disassociate(&rdataset);
dns_db_closeversion(db, &version, ISC_TRUE);
result = dns_db_dump(db, version, output);
if (result != ISC_R_SUCCESS) {
char domainstr[DNS_NAME_FORMATSIZE];
dns_name_format(domain, domainstr, sizeof(domainstr));
fatal("failed to write database for %s to %s",
domainstr, output);
}
printf("%s\n", output);
dns_db_detach(&db);
while (!ISC_LIST_EMPTY(keylist)) {
keynode = ISC_LIST_HEAD(keylist);
ISC_LIST_UNLINK(keylist, keynode, link);
dst_key_free(&keynode->key);
isc_mem_put(mctx, keynode, sizeof(keynode_t));
}
cleanup_logging(&log);
cleanup_entropy(&ectx);
isc_mem_free(mctx, output);
dst_lib_destroy();
if (verbose > 10)
isc_mem_stats(mctx, stdout);
isc_mem_destroy(&mctx);
return (0);
}
static isc_result_t
addoptout(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t maxttl,
isc_boolean_t optout, isc_boolean_t secure,
dns_rdataset_t *addedrdataset)
{
isc_result_t result;
isc_buffer_t buffer;
isc_region_t r;
dns_rdataset_t *rdataset;
dns_rdatatype_t type;
dns_name_t *name;
dns_ttl_t ttl;
dns_trust_t trust;
dns_rdata_t rdata[DNS_NCACHE_RDATA];
dns_rdataset_t ncrdataset;
dns_rdatalist_t ncrdatalist;
unsigned char data[4096];
unsigned int next = 0;
/*
* Convert the authority data from 'message' into a negative cache
* rdataset, and store it in 'cache' at 'node'.
*/
REQUIRE(message != NULL);
/*
* We assume that all data in the authority section has been
* validated by the caller.
*/
/*
* Initialize the list.
*/
dns_rdatalist_init(&ncrdatalist);
ncrdatalist.rdclass = dns_db_class(cache);
ncrdatalist.covers = covers;
ncrdatalist.ttl = maxttl;
/*
* Build an ncache rdatas into buffer.
*/
ttl = maxttl;
trust = 0xffff;
isc_buffer_init(&buffer, data, sizeof(data));
if (message->counts[DNS_SECTION_AUTHORITY])
result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
else
result = ISC_R_NOMORE;
while (result == ISC_R_SUCCESS) {
name = NULL;
dns_message_currentname(message, DNS_SECTION_AUTHORITY,
&name);
if ((name->attributes & DNS_NAMEATTR_NCACHE) != 0) {
for (rdataset = ISC_LIST_HEAD(name->list);
rdataset != NULL;
rdataset = ISC_LIST_NEXT(rdataset, link)) {
if ((rdataset->attributes &
DNS_RDATASETATTR_NCACHE) == 0)
continue;
type = rdataset->type;
if (type == dns_rdatatype_rrsig)
type = rdataset->covers;
if (type == dns_rdatatype_soa ||
type == dns_rdatatype_nsec ||
type == dns_rdatatype_nsec3) {
if (ttl > rdataset->ttl)
ttl = rdataset->ttl;
if (trust > rdataset->trust)
trust = rdataset->trust;
/*
* Copy the owner name to the buffer.
*/
dns_name_toregion(name, &r);
result = isc_buffer_copyregion(&buffer,
&r);
if (result != ISC_R_SUCCESS)
return (result);
/*
* Copy the type to the buffer.
*/
isc_buffer_availableregion(&buffer,
&r);
if (r.length < 3)
return (ISC_R_NOSPACE);
isc_buffer_putuint16(&buffer,
rdataset->type);
isc_buffer_putuint8(&buffer,
(unsigned char)rdataset->trust);
/*
* Copy the rdataset into the buffer.
*/
result = copy_rdataset(rdataset,
&buffer);
if (result != ISC_R_SUCCESS)
return (result);
if (next >= DNS_NCACHE_RDATA)
return (ISC_R_NOSPACE);
dns_rdata_init(&rdata[next]);
isc_buffer_remainingregion(&buffer, &r);
rdata[next].data = r.base;
rdata[next].length = r.length;
rdata[next].rdclass =
ncrdatalist.rdclass;
rdata[next].type = 0;
rdata[next].flags = 0;
ISC_LIST_APPEND(ncrdatalist.rdata,
&rdata[next], link);
isc_buffer_forward(&buffer, r.length);
next++;
}
}
}
result = dns_message_nextname(message, DNS_SECTION_AUTHORITY);
}
if (result != ISC_R_NOMORE)
return (result);
if (trust == 0xffff) {
if ((message->flags & DNS_MESSAGEFLAG_AA) != 0 &&
message->counts[DNS_SECTION_ANSWER] == 0) {
/*
* The response has aa set and we haven't followed
* any CNAME or DNAME chains.
*/
trust = dns_trust_authauthority;
} else
trust = dns_trust_additional;
ttl = 0;
}
INSIST(trust != 0xffff);
ncrdatalist.ttl = ttl;
dns_rdataset_init(&ncrdataset);
RUNTIME_CHECK(dns_rdatalist_tordataset(&ncrdatalist, &ncrdataset)
== ISC_R_SUCCESS);
if (!secure && trust > dns_trust_answer)
trust = dns_trust_answer;
ncrdataset.trust = trust;
ncrdataset.attributes |= DNS_RDATASETATTR_NEGATIVE;
if (message->rcode == dns_rcode_nxdomain)
ncrdataset.attributes |= DNS_RDATASETATTR_NXDOMAIN;
if (optout)
ncrdataset.attributes |= DNS_RDATASETATTR_OPTOUT;
return (dns_db_addrdataset(cache, node, NULL, now, &ncrdataset,
0, addedrdataset));
}
/*
* Perform an update-policy rule check against an external application
* over a socket.
*
* This currently only supports local: for unix domain datagram sockets.
*
* Note that by using a datagram socket and creating a new socket each
* time we avoid the need for locking and allow for parallel access to
* the authorization server.
*/
isc_boolean_t
dns_ssu_external_match(dns_name_t *identity,
dns_name_t *signer, dns_name_t *name,
isc_netaddr_t *tcpaddr, dns_rdatatype_t type,
const dst_key_t *key, isc_mem_t *mctx)
{
char b_identity[DNS_NAME_FORMATSIZE];
char b_signer[DNS_NAME_FORMATSIZE];
char b_name[DNS_NAME_FORMATSIZE];
char b_addr[ISC_NETADDR_FORMATSIZE];
char b_type[DNS_RDATATYPE_FORMATSIZE];
char b_key[DST_KEY_FORMATSIZE];
isc_buffer_t *tkey_token = NULL;
int fd;
const char *sock_path;
unsigned int req_len;
isc_region_t token_region;
unsigned char *data;
isc_buffer_t buf;
isc_uint32_t token_len = 0;
isc_uint32_t reply;
ssize_t ret;
/* The identity contains local:/path/to/socket */
dns_name_format(identity, b_identity, sizeof(b_identity));
/* For now only local: is supported */
if (strncmp(b_identity, "local:", 6) != 0) {
ssu_e_log(3, "ssu_external: invalid socket path '%s'",
b_identity);
return (ISC_FALSE);
}
sock_path = &b_identity[6];
fd = ux_socket_connect(sock_path);
if (fd == -1)
return (ISC_FALSE);
if (key != NULL) {
dst_key_format(key, b_key, sizeof(b_key));
tkey_token = dst_key_tkeytoken(key);
} else
b_key[0] = 0;
if (tkey_token != NULL) {
isc_buffer_region(tkey_token, &token_region);
token_len = token_region.length;
}
/* Format the request elements */
if (signer != NULL)
dns_name_format(signer, b_signer, sizeof(b_signer));
else
b_signer[0] = 0;
dns_name_format(name, b_name, sizeof(b_name));
if (tcpaddr != NULL)
isc_netaddr_format(tcpaddr, b_addr, sizeof(b_addr));
else
b_addr[0] = 0;
dns_rdatatype_format(type, b_type, sizeof(b_type));
/* Work out how big the request will be */
req_len = sizeof(isc_uint32_t) + /* Format version */
sizeof(isc_uint32_t) + /* Length */
strlen(b_signer) + 1 + /* Signer */
strlen(b_name) + 1 + /* Name */
strlen(b_addr) + 1 + /* Address */
strlen(b_type) + 1 + /* Type */
strlen(b_key) + 1 + /* Key */
sizeof(isc_uint32_t) + /* tkey_token length */
token_len; /* tkey_token */
/* format the buffer */
data = isc_mem_allocate(mctx, req_len);
if (data == NULL) {
close(fd);
return (ISC_FALSE);
}
isc_buffer_init(&buf, data, req_len);
isc_buffer_putuint32(&buf, SSU_EXTERNAL_VERSION);
isc_buffer_putuint32(&buf, req_len);
/* Strings must be null-terminated */
isc_buffer_putstr(&buf, b_signer);
isc_buffer_putuint8(&buf, 0);
isc_buffer_putstr(&buf, b_name);
isc_buffer_putuint8(&buf, 0);
isc_buffer_putstr(&buf, b_addr);
isc_buffer_putuint8(&buf, 0);
isc_buffer_putstr(&buf, b_type);
isc_buffer_putuint8(&buf, 0);
isc_buffer_putstr(&buf, b_key);
isc_buffer_putuint8(&buf, 0);
isc_buffer_putuint32(&buf, token_len);
if (tkey_token && token_len != 0)
isc_buffer_putmem(&buf, token_region.base, token_len);
ENSURE(isc_buffer_availablelength(&buf) == 0);
/* Send the request */
ret = write(fd, data, req_len);
isc_mem_free(mctx, data);
if (ret != (ssize_t) req_len) {
char strbuf[ISC_STRERRORSIZE];
isc__strerror(errno, strbuf, sizeof(strbuf));
ssu_e_log(3, "ssu_external: unable to send request - %s",
strbuf);
close(fd);
return (ISC_FALSE);
}
/* Receive the reply */
ret = read(fd, &reply, sizeof(isc_uint32_t));
if (ret != (ssize_t) sizeof(isc_uint32_t)) {
char strbuf[ISC_STRERRORSIZE];
isc__strerror(errno, strbuf, sizeof(strbuf));
ssu_e_log(3, "ssu_external: unable to receive reply - %s",
strbuf);
close(fd);
return (ISC_FALSE);
}
close(fd);
reply = ntohl(reply);
if (reply == 0) {
ssu_e_log(3, "ssu_external: denied external auth for '%s'",
b_name);
return (ISC_FALSE);
} else if (reply == 1) {
ssu_e_log(3, "ssu_external: allowed external auth for '%s'",
b_name);
return (ISC_TRUE);
}
ssu_e_log(3, "ssu_external: invalid reply 0x%08x", reply);
return (ISC_FALSE);
}
isc_boolean_t
dst_gssapi_identitymatchesrealmms(dns_name_t *signer, dns_name_t *name,
dns_name_t *realm)
{
#ifdef GSSAPI
char sbuf[DNS_NAME_FORMATSIZE];
char nbuf[DNS_NAME_FORMATSIZE];
char rbuf[DNS_NAME_FORMATSIZE];
char *sname;
char *nname;
char *rname;
isc_buffer_t buffer;
/*
* It is far, far easier to write the names we are looking at into
* a string, and do string operations on them.
*/
isc_buffer_init(&buffer, sbuf, sizeof(sbuf));
dns_name_toprincipal(signer, &buffer);
isc_buffer_putuint8(&buffer, 0);
if (name != NULL)
dns_name_format(name, nbuf, sizeof(nbuf));
dns_name_format(realm, rbuf, sizeof(rbuf));
/*
* Find the realm portion. This is the part after the @. If it
* does not exist, we don't have something we like, so we fail our
* compare.
*/
rname = strchr(sbuf, '@');
if (rname == NULL)
return (isc_boolean_false);
sname = strchr(sbuf, '$');
if (sname == NULL)
return (isc_boolean_false);
/*
* Verify that the $ and @ follow one another.
*/
if (rname - sname != 1)
return (isc_boolean_false);
/*
* Find the host portion of the signer's name. Zero out the $ so
* it terminates the signer's name, and skip past the @ for
* the realm.
*
* All service principals in Microsoft format seem to be in
* [email protected]
* format.
*/
rname++;
*sname = '\0';
sname = sbuf;
/*
* Find the first . in the target name, and make it the end of
* the string. The rest of the name has to match the realm.
*/
if (name != NULL) {
nname = strchr(nbuf, '.');
if (nname == NULL)
return (isc_boolean_false);
*nname++ = '\0';
}
/*
* Now, we do a simple comparison between the name and the realm.
*/
if (name != NULL) {
if ((strcasecmp(sname, nbuf) == 0)
&& (strcmp(rname, rbuf) == 0)
&& (strcasecmp(nname, rbuf) == 0))
return (isc_boolean_true);
} else {
if (strcmp(rname, rbuf) == 0)
return (isc_boolean_true);
}
return (isc_boolean_false);
#else
UNUSED(signer);
UNUSED(name);
UNUSED(realm);
return (isc_boolean_false);
#endif
}
isc_result_t
dns_ncache_addoptout(dns_message_t *message, dns_db_t *cache,
dns_dbnode_t *node, dns_rdatatype_t covers,
isc_stdtime_t now, dns_ttl_t minttl, dns_ttl_t maxttl,
isc_boolean_t optout, dns_rdataset_t *addedrdataset)
{
isc_result_t result;
isc_buffer_t buffer;
isc_region_t r;
dns_rdataset_t *rdataset;
dns_rdatatype_t type;
dns_name_t *name;
dns_ttl_t ttl;
dns_trust_t trust;
dns_rdata_t rdata[DNS_NCACHE_RDATA];
dns_rdataset_t ncrdataset;
dns_rdatalist_t ncrdatalist;
unsigned char data[4096];
unsigned int next = 0;
/*
* Convert the authority data from 'message' into a negative cache
* rdataset, and store it in 'cache' at 'node'.
*/
REQUIRE(message != NULL);
/*
* We assume that all data in the authority section has been
* validated by the caller.
*/
/*
* Initialize the list.
*/
ncrdatalist.rdclass = dns_db_class(cache);
ncrdatalist.type = 0;
ncrdatalist.covers = covers;
ncrdatalist.ttl = maxttl;
ISC_LIST_INIT(ncrdatalist.rdata);
ISC_LINK_INIT(&ncrdatalist, link);
/*
* Build an ncache rdatas into buffer.
*/
ttl = maxttl;
trust = 0xffff;
isc_buffer_init(&buffer, data, sizeof(data));
if (message->counts[DNS_SECTION_AUTHORITY])
result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
else
result = ISC_R_NOMORE;
while (result == ISC_R_SUCCESS) {
name = NULL;
dns_message_currentname(message, DNS_SECTION_AUTHORITY,
&name);
if ((name->attributes & DNS_NAMEATTR_NCACHE) != 0) {
for (rdataset = ISC_LIST_HEAD(name->list);
rdataset != NULL;
rdataset = ISC_LIST_NEXT(rdataset, link)) {
if ((rdataset->attributes &
DNS_RDATASETATTR_NCACHE) == 0)
continue;
type = rdataset->type;
if (type == dns_rdatatype_rrsig)
type = rdataset->covers;
if (type == dns_rdatatype_soa ||
type == dns_rdatatype_nsec ||
type == dns_rdatatype_nsec3) {
if (ttl > rdataset->ttl)
ttl = rdataset->ttl;
if (ttl < minttl)
ttl = minttl;
if (trust > rdataset->trust)
trust = rdataset->trust;
/*
* Copy the owner name to the buffer.
*/
dns_name_toregion(name, &r);
result = isc_buffer_copyregion(&buffer,
&r);
if (result != ISC_R_SUCCESS)
return (result);
/*
* Copy the type to the buffer.
*/
isc_buffer_availableregion(&buffer,
&r);
if (r.length < 2)
return (ISC_R_NOSPACE);
isc_buffer_putuint16(&buffer,
rdataset->type);
isc_buffer_putuint8(&buffer,
(unsigned char)rdataset->trust);
/*
* Copy the rdataset into the buffer.
*/
result = copy_rdataset(rdataset,
&buffer);
if (result != ISC_R_SUCCESS)
return (result);
if (next >= DNS_NCACHE_RDATA)
return (ISC_R_NOSPACE);
dns_rdata_init(&rdata[next]);
isc_buffer_remainingregion(&buffer, &r);
rdata[next].data = r.base;
rdata[next].length = r.length;
rdata[next].rdclass =
ncrdatalist.rdclass;
rdata[next].type = 0;
rdata[next].flags = 0;
ISC_LIST_APPEND(ncrdatalist.rdata,
&rdata[next], link);
isc_buffer_forward(&buffer, r.length);
next++;
}
}
}
result = dns_message_nextname(message, DNS_SECTION_AUTHORITY);
}
if (result != ISC_R_NOMORE)
return (result);
if (trust == 0xffff) {
/*
* We didn't find any authority data from which to create a
* negative cache rdataset. In particular, we have no SOA.
*
* We trust that the caller wants negative caching, so this
* means we have a "type 3 nxdomain" or "type 3 nodata"
* response (see RFC2308 for details).
*
* We will now build a suitable negative cache rdataset that
* will cause zero bytes to be emitted when converted to
* wire format.
*/
/*
* The ownername must exist, but it doesn't matter what value
* it has. We use the root name.
*/
dns_name_toregion(dns_rootname, &r);
result = isc_buffer_copyregion(&buffer, &r);
if (result != ISC_R_SUCCESS)
return (result);
/*
* Copy the type and a zero rdata count to the buffer.
*/
isc_buffer_availableregion(&buffer, &r);
if (r.length < 5)
return (ISC_R_NOSPACE);
isc_buffer_putuint16(&buffer, 0); /* type */
/*
* RFC2308, section 5, says that negative answers without
* SOAs should not be cached.
*/
ttl = 0;
/*
* Set trust.
*/
if ((message->flags & DNS_MESSAGEFLAG_AA) != 0 &&
message->counts[DNS_SECTION_ANSWER] == 0) {
/*
* The response has aa set and we haven't followed
* any CNAME or DNAME chains.
*/
trust = dns_trust_authauthority;
} else
trust = dns_trust_additional;
isc_buffer_putuint8(&buffer, (unsigned char)trust); /* trust */
isc_buffer_putuint16(&buffer, 0); /* count */
/*
* Now add it to the cache.
*/
if (next >= DNS_NCACHE_RDATA)
return (ISC_R_NOSPACE);
dns_rdata_init(&rdata[next]);
isc_buffer_remainingregion(&buffer, &r);
rdata[next].data = r.base;
rdata[next].length = r.length;
rdata[next].rdclass = ncrdatalist.rdclass;
rdata[next].type = 0;
rdata[next].flags = 0;
ISC_LIST_APPEND(ncrdatalist.rdata, &rdata[next], link);
}
INSIST(trust != 0xffff);
ncrdatalist.ttl = ttl;
dns_rdataset_init(&ncrdataset);
RUNTIME_CHECK(dns_rdatalist_tordataset(&ncrdatalist, &ncrdataset)
== ISC_R_SUCCESS);
ncrdataset.trust = trust;
if (message->rcode == dns_rcode_nxdomain)
ncrdataset.attributes |= DNS_RDATASETATTR_NXDOMAIN;
if (optout)
ncrdataset.attributes |= DNS_RDATASETATTR_OPTOUT;
return (dns_db_addrdataset(cache, node, NULL, now, &ncrdataset,
0, addedrdataset));
}
