Since idn_output_filter() no longer uses its 'absolute' argument and no
other callback is used with dns_name_settotextfilter(), remove the
'absolute' argument from the dns_name_totextfilter_t prototype.
Since BIND libraries are no longer considered public and
dns_rdataslab_tordataset() is not used anywhere in the tree, remove the
latter and its associated dns_rdatasetmethods_t callbacks from
lib/dns/rdataslab.c.
If transferring or loading a mirror zone fails, resolution should still
succeed by means of falling back to regular recursive queries.
Currently, though, if a slave zone is present in the zone table and not
loaded, a SERVFAIL response is generated. Thus, mirror zones need
special handling in this regard.
Add a new dns_zt_find() flag, DNS_ZTFIND_MIRROR, and set it every time a
domain name is looked up rather than a zone itself. Handle that flag in
dns_zt_find() in such a way that a mirror zone which is expired or not
yet loaded is ignored when looking up domain names, but still possible
to find when the caller wants to know whether the zone is configured.
This causes a fallback to recursion when mirror zone data is unavailable
without making unloaded mirror zones invisible to code checking a zone's
existence.
Zone RRsets are assigned trust level "ultimate" upon load, which causes
the AD bit to not be set in responses coming from slave zones, including
mirror zones. Make dns_zoneverify_dnssec() update the trust level of
verified RRsets to "secure" so that the AD bit is set in such responses.
No rollback mechanism is implemented as dns_zoneverify_dnssec() fails in
case of any DNSSEC failure, which causes the mirror zone version being
verified to be discarded.
Update axfr_commit() so that all incoming versions of a mirror zone
transferred using AXFR are verified before being used. If zone
verification fails, discard the received version of the zone, wait until
the next refresh and retry.
Add a function for determining whether the supplied version of a mirror
zone passes DNSSEC validation and is signed using a trusted key. Define
a new libdns result signifying a zone verification failure.
Extend check_dnskey_sigs() so that, if requested, it checks whether the
DNSKEY RRset at zone apex is signed by at least one trust anchor. The
trust anchor table is passed as an argument to dns_zoneverify_dnssec()
and passed around in the verification context structure. Neither
dnssec-signzone nor dnssec-verify are yet modified to make use of that
feature, though.
Add a new slave-only boolean configuration option, "mirror", along with
its corresponding dns_zoneopt_t enum and a helper function for checking
whether that option was set for a given zone. This commit does not
introduce any behavior changes yet.
Since exit() is no longer called upon any dns_zoneverify_dnssec() error,
verification failures should be signalled to callers. Make
dns_zoneverify_dnssec() return an isc_result_t and handle both success
and error appropriately in bin/dnssec/dnssec-signzone.c and
bin/dnssec/dnssec-verify.c. This enables memory leak detection during
shutdown of these tools and causes dnssec-signzone to print signing
statistics even when zone verification fails.
