From fc7e537b45ba3d7735e4a28fbf6c19e1ef3bf55f Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 1 Mar 2011 23:22:42 +0000 Subject: [PATCH] 3048. [bug] Fully seperate view key mangement. [RT #23419] --- CHANGES | 8 +- bin/tests/system/conf.sh.in | 4 +- bin/tests/system/dlvauto/clean.sh | 29 +++++++ .../system/dlvauto/ns1/dlv.isc.org.db.in | 25 ++++++ bin/tests/system/dlvauto/ns1/named.conf | 45 ++++++++++ bin/tests/system/dlvauto/ns1/root.db.in | 28 ++++++ bin/tests/system/dlvauto/ns1/sign.sh | 44 ++++++++++ bin/tests/system/dlvauto/ns2/named.conf | 48 +++++++++++ bin/tests/system/dlvauto/setup.sh | 23 +++++ bin/tests/system/dlvauto/tests.sh | 45 ++++++++++ lib/dns/zone.c | 86 ++++++------------- 11 files changed, 319 insertions(+), 66 deletions(-) create mode 100644 bin/tests/system/dlvauto/clean.sh create mode 100644 bin/tests/system/dlvauto/ns1/dlv.isc.org.db.in create mode 100644 bin/tests/system/dlvauto/ns1/named.conf create mode 100644 bin/tests/system/dlvauto/ns1/root.db.in create mode 100644 bin/tests/system/dlvauto/ns1/sign.sh create mode 100644 bin/tests/system/dlvauto/ns2/named.conf create mode 100644 bin/tests/system/dlvauto/setup.sh create mode 100644 bin/tests/system/dlvauto/tests.sh diff --git a/CHANGES b/CHANGES index 3e598e3e6a..80362e08c1 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,8 @@ -3047. [bug] DNSKEY NODATA responses not cached fixed in - validator.c. Tests added to dnssec system test. - [RT #22908] +3048. [bug] Fully seperate view key mangement. [RT #23419] + +3047. [bug] DNSKEY NODATA responses not cached fixed in + validator.c. Tests added to dnssec system test. + [RT #22908] 3046. [bug] Use RRSIG original TTL to compute validated RRset and RRSIG TTL. [RT #23332] diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in index bb96967e02..4945dac760 100644 --- a/bin/tests/system/conf.sh.in +++ b/bin/tests/system/conf.sh.in 
@@ -15,7 +15,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: conf.sh.in,v 1.43.8.12 2011/02/28 01:19:27 tbox Exp $ +# $Id: conf.sh.in,v 1.43.8.13 2011/03/01 23:22:41 marka Exp $ # # Common configuration data for system tests, to be sourced into @@ -53,7 +53,7 @@ JOURNALPRINT=$TOP/bin/tools/named-journalprint # load on the machine to make it unusable to other users. # v6synth SUBDIRS="acl allow_query addzone autosign cacheclean checkconf checknames - database dlv @DLZ_SYSTEM_TEST@ dnssec forward glue + database dlv autodlv @DLZ_SYSTEM_TEST@ dnssec forward glue ixfr limits lwresd masterfile masterformat metadata notify nsupdate pending pkcs11 resolver rrsetorder sortlist smartsign stub tkey unknown upforwd diff --git a/bin/tests/system/dlvauto/clean.sh b/bin/tests/system/dlvauto/clean.sh new file mode 100644 index 0000000000..5739f744cd --- /dev/null +++ b/bin/tests/system/dlvauto/clean.sh 
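Review bot: The SUBDIRS entry added in the second hunk is `autodlv`, but every file this patch creates lives under `bin/tests/system/dlvauto/`, so the harness would look for a directory that does not exist and the new regression test would not be run. The line should read `database dlv dlvauto @DLZ_SYSTEM_TEST@ dnssec forward glue`. Because this test guards a change to trust-anchor handling, it is worth confirming in a test run log that the `dlvauto` directory is actually executed.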
@@ -0,0 +1,29 @@
+# Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: clean.sh,v 1.2.4.2 2011/03/01 23:22:41 marka Exp $
+
+rm -f random.data
+rm -f ns1/K*
+rm -f ns1/*.signed
+rm -f ns1/*.db
+rm -f ns1/dlv.conf
+rm -f ns1/*.mkeys.jnl
+rm -f ns1/*.mkeys
+rm -f */named.run
+rm -f */named.memstats
+rm -f ns1/dsset-*.
+rm -f ns2/*.mkeys
+rm -f ns2/*.mkeys.jnl
+rm -f dig.out.ns?.test*
diff --git a/bin/tests/system/dlvauto/ns1/dlv.isc.org.db.in b/bin/tests/system/dlvauto/ns1/dlv.isc.org.db.in
new file mode 100644
index 0000000000..0c548a6bc9
--- /dev/null
+++ b/bin/tests/system/dlvauto/ns1/dlv.isc.org.db.in
@@ -0,0 +1,25 @@
+; Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: dlv.isc.org.db.in,v 1.2.4.2 2011/03/01 23:22:42 marka Exp $
+
+$TTL 300
+@ IN SOA a.root-servers.nil. hostmaster.isc.org. (
+ 2000042100 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+@ NS a.root-servers.nil.
diff --git a/bin/tests/system/dlvauto/ns1/named.conf b/bin/tests/system/dlvauto/ns1/named.conf
new file mode 100644
index 0000000000..967913472d
--- /dev/null
+++ b/bin/tests/system/dlvauto/ns1/named.conf
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.2.4.2 2011/03/01 23:22:42 marka Exp $ */
+
+// NS1
+
+controls { /* empty */ };
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port 5300;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ dnssec-enable yes;
+ dnssec-validation yes;
+};
+
+zone "." {
+ type master;
+ file "root.db";
+};
+
+zone "dlv.isc.org" {
+ type master;
+ file "dlv.isc.org.db.signed";
+};
diff --git a/bin/tests/system/dlvauto/ns1/root.db.in b/bin/tests/system/dlvauto/ns1/root.db.in
new file mode 100644
index 0000000000..6e5c0a970c
--- /dev/null
+++ b/bin/tests/system/dlvauto/ns1/root.db.in
@@ -0,0 +1,28 @@
+; Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: root.db.in,v 1.2.4.2 2011/03/01 23:22:42 marka Exp $
+
+$TTL 300
+. IN SOA gson.nominum.com. a.root.servers.nil. (
+ 2000042100 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+. NS a.root-servers.nil.
+a.root-servers.nil. A 10.53.0.1
+
+dlv.isc.org. NS a.root-servers.nil.
diff --git a/bin/tests/system/dlvauto/ns1/sign.sh b/bin/tests/system/dlvauto/ns1/sign.sh
new file mode 100644
index 0000000000..e8197884c3
--- /dev/null
+++ b/bin/tests/system/dlvauto/ns1/sign.sh
@@ -0,0 +1,44 @@ +#!/bin/sh -e +# +# Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC") +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +# $Id: sign.sh,v 1.2.4.2 2011/03/01 23:22:42 marka Exp $ + +SYSTEMTESTTOP=../.. +. $SYSTEMTESTTOP/conf.sh + +RANDFILE=../random.data + +zone=dlv.isc.org +infile=dlv.isc.org.db.in +zonefile=dlv.isc.org.db + +keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone` +cat $infile $keyname.key > $zonefile +$SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null + +cp root.db.in root.db + +# Configure the resolving server with a trusted key. + +cat $keyname.key | grep -v '^; ' | $PERL -n -e ' +local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split; +local $key = join("", @rest); +print < dlv.conf diff --git a/bin/tests/system/dlvauto/ns2/named.conf b/bin/tests/system/dlvauto/ns2/named.conf new file mode 100644 index 0000000000..12b06256d0 --- /dev/null +++ b/bin/tests/system/dlvauto/ns2/named.conf 
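Review bot: The key that becomes ns2's trust anchor is generated with `-a RSAMD5 -b 768` on the `$KEYGEN` line, an algorithm RFC 4034 lists as not recommended for zone signing, so a build or crypto provider with MD5 disabled would fail here before the view-separation code is exercised. Nothing in the test depends on the algorithm, so a choice such as `-a RSASHA256 -b 1024` would keep the fixture usable on hardened builds. The perl heredoc that writes `dlv.conf` is truncated on this page and could not be reviewed.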
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.2.4.2 2011/03/01 23:22:42 marka Exp $ */
+
+// NS2
+
+controls { /* empty */ };
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port 5300;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ notify no;
+ dnssec-enable yes;
+ dnssec-validation yes;
+ bindkeys-file "../ns1/dlv.conf";
+ dnssec-lookaside "auto";
+};
+
+view "in" {
+ recursion yes;
+ zone "." {
+ type hint;
+ file "../../common/root.hint";
+ };
+};
+
+view "ch" ch {
+ match-clients { 127.0.0.1; };
+};
diff --git a/bin/tests/system/dlvauto/setup.sh b/bin/tests/system/dlvauto/setup.sh
new file mode 100644
index 0000000000..90d9e3ba2e
--- /dev/null
+++ b/bin/tests/system/dlvauto/setup.sh
@@ -0,0 +1,23 @@
+#!/bin/sh -e
+#
+# Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: setup.sh,v 1.2.4.2 2011/03/01 23:22:41 marka Exp $
+
+sh clean.sh
+
+../../../tools/genrandom 400 random.data
+
+cd ns1 && sh sign.sh
diff --git a/bin/tests/system/dlvauto/tests.sh b/bin/tests/system/dlvauto/tests.sh
new file mode 100644
index 0000000000..abb95dd4b6
--- /dev/null
+++ b/bin/tests/system/dlvauto/tests.sh
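Review bot: The last line runs `cd ns1 && sh sign.sh`, which starts sign.sh through an explicit `sh`, so the `-e` on sign.sh's `#!/bin/sh -e` line is not applied and a failed `$KEYGEN` or `$SIGNER` step would not stop setup. In that case `dlv.conf` could be written from an empty key name and the test would run against a trust anchor that was never generated. `cd ns1 && sh -e sign.sh`, or a `set -e` at the top of sign.sh, keeps the fail-fast behaviour the shebang intends. The same applies to setup.sh itself if the harness invokes it as `sh setup.sh`, which is not visible here.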
@@ -0,0 +1,45 @@ +# Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC") +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +# $Id: tests.sh,v 1.2.4.2 2011/03/01 23:22:42 marka Exp $ + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300" + +status=0 +n=1 + +# +# When this was initialy reported there was a REQUIRE failure on restarting. +# +echo "I:checking dnssec-lookaside "'"auto"'"; with views of multiple classes ($n)" +if [ -s ns2/named.pid ] +then + ret=0 + kill -TERM `cat ns2/named.pid` + sleep 1 + (cd ns2; $NAMED -f -d 100 -c named.conf >> named.run 2>&1 & ) + sleep 2 + $DIG $DIGOPTS soa . @10.53.0.2 > dig.out.ns2.test$n || ret=1 + grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 + if [ $ret != 0 ]; then echo "I:failed"; fi + status=`expr $status + $ret` +else + echo "I:failed" + status=1 +fi + +exit $status diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 4bdb003827..abecf3b646 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: zone.c,v 1.540.2.46 2011/02/22 04:30:46 marka Exp $ */ +/* $Id: zone.c,v 1.540.2.47 2011/03/01 23:22:42 marka Exp $ */ /*! \file */ 
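Review bot: The restart sequence in tests.sh (`kill -TERM`, `sleep 1`, relaunch, `sleep 2`) relies on fixed delays, so on a loaded machine the new named can be started before the old one has released the port and pid file, and the dig result then says little about whether the restart hit the REQUIRE failure this test exists for. Waiting, with an upper bound, for `ns2/named.pid` to disappear before relaunching and to reappear before the dig would make the outcome deterministic. A NOERROR answer alone does not show that named survived loading both views, so a liveness check after the query, for example ``kill -0 `cat ns2/named.pid` || ret=1``, would strengthen it. Minor: "initialy" in the comment should read "initially".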
@@ -2831,16 +2831,15 @@ compute_tag(dns_name_t *name, dns_rdata_dnskey_t *dnskey, isc_mem_t *mctx, } /* - * Add key to the security roots for all views. + * Add key to the security roots. */ static void -trust_key(dns_viewlist_t *viewlist, dns_name_t *keyname, +trust_key(dns_zone_t *zone, dns_name_t *keyname, dns_rdata_dnskey_t *dnskey, isc_mem_t *mctx) { isc_result_t result; dns_rdata_t rdata = DNS_RDATA_INIT; unsigned char data[4096]; isc_buffer_t buffer; - dns_view_t *view; dns_keytable_t *sr = NULL; dst_key_t *dstkey = NULL; @@ -2849,17 +2848,13 @@ trust_key(dns_viewlist_t *viewlist, dns_name_t *keyname, dns_rdata_fromstruct(&rdata, dnskey->common.rdclass, dns_rdatatype_dnskey, dnskey, &buffer); - for (view = ISC_LIST_HEAD(*viewlist); view != NULL; - view = ISC_LIST_NEXT(view, link)) { + result = dns_view_getsecroots(zone->view, &sr); + if (result != ISC_R_SUCCESS) + goto failure; - result = dns_view_getsecroots(view, &sr); - if (result != ISC_R_SUCCESS) - continue; - - CHECK(dns_dnssec_keyfromrdata(keyname, &rdata, mctx, &dstkey)); - CHECK(dns_keytable_add(sr, ISC_TRUE, &dstkey)); - dns_keytable_detach(&sr); - } + CHECK(dns_dnssec_keyfromrdata(keyname, &rdata, mctx, &dstkey)); + CHECK(dns_keytable_add(sr, ISC_TRUE, &dstkey)); + dns_keytable_detach(&sr); failure: if (dstkey != NULL) 
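Review bot: In the second hunk, trust_key() takes `goto failure` when `dns_view_getsecroots(zone->view, &sr)` fails, and the two `CHECK` calls do the same, but the function returns void and nothing visible logs the result, so a key that never reached the view's security roots is indistinguishable from one that did. The caller in load_secroots (hunk `@@ -2971,7 +2936,7 @@`) increments `trusted` before calling trust_key, so after a failed add the `trusted == 0 && pending != 0` test will not reach fail_secure and the name may be left with no anchor at all, which presumably lets answers under it be treated as insecure instead of failing. Now that the zone is passed in, the `failure:` path can report this, e.g. `if (result != ISC_R_SUCCESS) dns_zone_log(zone, ISC_LOG_ERROR, "failed to add trust anchor: %s", isc_result_totext(result));`, and load_secroots could count a key as trusted only after the add succeeded. The cleanup after `failure:` continues outside this hunk, so whether `sr` is detached on the error paths cannot be confirmed from here.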
@@ -2870,37 +2865,16 @@ trust_key(dns_viewlist_t *viewlist, dns_name_t *keyname, } /* - * Remove key from the security roots for all views. - */ -static void -untrust_key(dns_viewlist_t *viewlist, dns_name_t *keyname, isc_mem_t *mctx, - dns_rdata_dnskey_t *dnskey) -{ - dns_view_t *view; - - for (view = ISC_LIST_HEAD(*viewlist); view != NULL; - view = ISC_LIST_NEXT(view, link)) - dns_view_untrust(view, keyname, dnskey, mctx); -} - -/* - * Add a null key to the security roots for all views, so that all queries + * Add a null key to the security roots for so that all queries * to the zone will fail. */ static void -fail_secure(dns_viewlist_t *viewlist, dns_name_t *keyname) { +fail_secure(dns_zone_t *zone, dns_name_t *keyname) { isc_result_t result; - dns_view_t *view; - - for (view = ISC_LIST_HEAD(*viewlist); - view != NULL; - view = ISC_LIST_NEXT(view, link)) { - dns_keytable_t *sr = NULL; - - result = dns_view_getsecroots(view, &sr); - if (result != ISC_R_SUCCESS) - continue; + dns_keytable_t *sr = NULL; + result = dns_view_getsecroots(zone->view, &sr); + if (result == ISC_R_SUCCESS) { dns_keytable_marksecure(sr, keyname); dns_keytable_detach(&sr); } @@ -2908,8 +2882,7 @@ fail_secure(dns_viewlist_t *viewlist, dns_name_t *keyname) { /* * Scan a set of KEYDATA records from the key zone. The ones that are - * valid (i.e., the add holddown timer has expired) become trusted keys for - * all views. + * valid (i.e., the add holddown timer has expired) become trusted keys. */ static void load_secroots(dns_zone_t *zone, dns_name_t *name, dns_rdataset_t *rdataset) { 
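Review bot: fail_secure() is the fail-closed step, yet in the first hunk it does nothing when `dns_view_getsecroots(zone->view, &sr)` fails and discards whatever `dns_keytable_marksecure(sr, keyname)` returns, so load_secroots can log "All queries to '%s' will fail" while the null key was never installed. Since the function now receives the zone, an `else` branch that logs through `dns_zone_log(zone, ISC_LOG_ERROR, ...)` with the formatted key name and `isc_result_totext(result)`, plus the same check on the marksecure result if it returns one, would make that state visible to operators. The call from keyfetch_done in hunk `@@ -7596,7 +7560,7 @@` is affected in the same way. The new comment also reads "security roots for so that all queries"; the stray "for" should be dropped.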
@@ -2918,22 +2891,14 @@ load_secroots(dns_zone_t *zone, dns_name_t *name, dns_rdataset_t *rdataset) { dns_rdata_keydata_t keydata; dns_rdata_dnskey_t dnskey; isc_mem_t *mctx = zone->mctx; - dns_view_t *view = zone->view; - dns_viewlist_t *viewlist = view->viewlist; int trusted = 0, revoked = 0, pending = 0; isc_stdtime_t now; + dns_keytable_t *sr = NULL; isc_stdtime_get(&now); - /* For each view, delete references to this key from secroots. */ - for (view = ISC_LIST_HEAD(*viewlist); view != NULL; - view = ISC_LIST_NEXT(view, link)) { - dns_keytable_t *sr = NULL; - - result = dns_view_getsecroots(view, &sr); - if (result != ISC_R_SUCCESS) - continue; - + result = dns_view_getsecroots(zone->view, &sr); + if (result == ISC_R_SUCCESS) { dns_keytable_delete(sr, name); dns_keytable_detach(&sr); } @@ -2971,7 +2936,7 @@ load_secroots(dns_zone_t *zone, dns_name_t *name, dns_rdataset_t *rdataset) { /* Add to keytables. */ trusted++; - trust_key(viewlist, name, &dnskey, mctx); + trust_key(zone, name, &dnskey, mctx); } if (trusted == 0 && pending != 0) { @@ -2984,7 +2949,7 @@ load_secroots(dns_zone_t *zone, dns_name_t *name, dns_rdataset_t *rdataset) { revoked, pending); dns_zone_log(zone, ISC_LOG_ERROR, "All queries to '%s' will fail", namebuf); - fail_secure(viewlist, name); + fail_secure(zone, name); } } @@ -7465,8 +7430,8 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { deletekey = ISC_TRUE; } else if (keydata.removehd == 0) { /* Remove from secroots */ - untrust_key(zone->view->viewlist, - keyname, mctx, &dnskey); + dns_view_untrust(zone->view, keyname, + &dnskey, mctx); /* If initializing, delete now */ if (keydata.addhd == 0) @@ -7576,10 +7541,9 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { } if (trustkey) { - /* Trust this key in all views */ + /* Trust this key. */ dns_rdata_tostruct(&dnskeyrr, &dnskey, NULL); - trust_key(zone->view->viewlist, keyname, &dnskey, - mctx); + trust_key(zone, keyname, &dnskey, mctx); } if (!deletekey) 
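Review bot: In the `@@ -7576,10 +7541,9 @@` hunk, `dns_rdata_tostruct(&dnskeyrr, &dnskey, NULL);` is called without looking at its result and `dnskey` is then passed straight to `trust_key(zone, keyname, &dnskey, mctx)`, so a conversion failure would install whatever the struct previously held as a trust anchor. The conversion is unlikely to fail for an rdata that was already parsed, but that assumption should be stated in code, e.g. `result = dns_rdata_tostruct(&dnskeyrr, &dnskey, NULL);` followed by `RUNTIME_CHECK(result == ISC_R_SUCCESS);`, assuming a `result` variable is in scope (keyfetch_done starts and ends outside this hunk). In the first hunk on this line, load_secroots also skips `dns_keytable_delete(sr, name)` silently when the security roots cannot be fetched, which would leave previously loaded keys for `name` in place; a log line there would help when diagnosing a stale anchor.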
@@ -7596,7 +7560,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { * the security roots; then all queries to the zone will fail. */ if (pending != 0) - fail_secure(zone->view->viewlist, keyname); + fail_secure(zone, keyname); failure: if (changed) {