keytable.h File Reference

The keytable module provides services for storing and retrieving DNSSEC trusted keys, as well as the ability to find the deepest matching key for a given domain name.

#include <isc/lang.h>
#include <isc/magic.h>
#include <isc/refcount.h>
#include <isc/rwlock.h>
#include <isc/stdtime.h>
#include <dns/types.h>
#include <dst/dst.h>

Data Structures

struct  dns_keytable
struct  dns_keynode

Defines

#define DNS_KEYTABLE_H   1
#define KEYTABLE_MAGIC   ISC_MAGIC('K', 'T', 'b', 'l')
#define VALID_KEYTABLE(kt)   ISC_MAGIC_VALID(kt, KEYTABLE_MAGIC)
#define KEYNODE_MAGIC   ISC_MAGIC('K', 'N', 'o', 'd')
#define VALID_KEYNODE(kn)   ISC_MAGIC_VALID(kn, KEYNODE_MAGIC)

Functions

isc_result_t dns_keytable_create (isc_mem_t *mctx, dns_keytable_t **keytablep)
 Create a keytable.
void dns_keytable_attach (dns_keytable_t *source, dns_keytable_t **targetp)
 Attach *targetp to source.
void dns_keytable_detach (dns_keytable_t **keytablep)
 Detach *keytablep from its keytable.
isc_result_t dns_keytable_add (dns_keytable_t *keytable, isc_boolean_t managed, dst_key_t **keyp)
 Add '*keyp' to 'keytable' (using the name in '*keyp'). The value of keynode->managed is set to 'managed'.
isc_result_t dns_keytable_marksecure (dns_keytable_t *keytable, dns_name_t *name)
 Add a null key to 'keytable' for name 'name'. This marks the name as a secure domain, but doesn't supply any key data that would allow the domain to be validated. (Used when automated trust anchor management has been broken by a zone misconfiguration; for example, when the active key has been revoked but the stand-by key was still in its 30-day waiting period for validity.)
isc_result_t dns_keytable_delete (dns_keytable_t *keytable, dns_name_t *keyname)
 Delete node(s) from 'keytable' matching name 'keyname'.
isc_result_t dns_keytable_deletekeynode (dns_keytable_t *keytable, dst_key_t *dstkey)
 Delete node(s) from 'keytable' containing copies of the key pointed to by 'dstkey'.
isc_result_t dns_keytable_find (dns_keytable_t *keytable, dns_name_t *keyname, dns_keynode_t **keynodep)
 Search for the first instance of a key named 'keyname' in 'keytable', without regard to keyid and algorithm. Use dns_keytable_nextkeynode() to find subsequent instances.
isc_result_t dns_keytable_nextkeynode (dns_keytable_t *keytable, dns_keynode_t *keynode, dns_keynode_t **nextnodep)
 Return the next key after 'keynode' in 'keytable', without regard to keyid and algorithm.
isc_result_t dns_keytable_findkeynode (dns_keytable_t *keytable, dns_name_t *name, dns_secalg_t algorithm, dns_keytag_t tag, dns_keynode_t **keynodep)
 Search for a key named 'name', matching 'algorithm' and 'tag' in 'keytable'. This finds the first instance which matches. Use dns_keytable_findnextkeynode() to find other instances.
isc_result_t dns_keytable_findnextkeynode (dns_keytable_t *keytable, dns_keynode_t *keynode, dns_keynode_t **nextnodep)
 Search for the next key with the same properties as 'keynode' in 'keytable' as found by dns_keytable_findkeynode().
isc_result_t dns_keytable_finddeepestmatch (dns_keytable_t *keytable, dns_name_t *name, dns_name_t *foundname)
 Search for the deepest match of 'name' in 'keytable'.
void dns_keytable_attachkeynode (dns_keytable_t *keytable, dns_keynode_t *source, dns_keynode_t **target)
 Attach a keynode and increment the active_nodes counter in the corresponding keytable.
void dns_keytable_detachkeynode (dns_keytable_t *keytable, dns_keynode_t **keynodep)
 Give back a keynode found via dns_keytable_findkeynode().
isc_result_t dns_keytable_issecuredomain (dns_keytable_t *keytable, dns_name_t *name, dns_name_t *foundname, isc_boolean_t *wantdnssecp)
 Is 'name' at or beneath a trusted key?
isc_result_t dns_keytable_dump (dns_keytable_t *keytable, FILE *fp)
 Dump the keytable on fp.
isc_result_t dns_keytable_totext (dns_keytable_t *keytable, isc_buffer_t **buf)
 Dump the keytable to buffer at 'buf'.
dst_key_t * dns_keynode_key (dns_keynode_t *keynode)
 Get the DST key associated with keynode.
isc_boolean_t dns_keynode_managed (dns_keynode_t *keynode)
 Is this flagged as a managed key?
isc_result_t dns_keynode_create (isc_mem_t *mctx, dns_keynode_t **target)
 Allocate space for a keynode.
void dns_keynode_attach (dns_keynode_t *source, dns_keynode_t **target)
 Attach keynode 'source' to '*target'.
void dns_keynode_detach (isc_mem_t *mctx, dns_keynode_t **target)
 Detach a single keynode, without touching any keynodes that may be pointed to by its 'next' pointer.
void dns_keynode_detachall (isc_mem_t *mctx, dns_keynode_t **target)
 Detach a keynode and all its successors.


Detailed Description

The keytable module provides services for storing and retrieving DNSSEC trusted keys, as well as the ability to find the deepest matching key for a given domain name.
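As an added illustration (not BIND's own code, which keeps the anchors in a dns_rbt tree and works on dns_name_t values), the following constructed C program shows the lookup semantics behind dns_keytable_finddeepestmatch() and dns_keytable_issecuredomain(): the covering trust anchor with the most labels wins, a match must end on a label boundary, and an entry installed without key data, as dns_keytable_marksecure() does, still makes the name a secure domain. The anchor names, the struct and the helper functions are all constructed for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Constructed stand-in for a keytable. An entry with has_key == false plays
 * the role of the "null key" dns_keytable_marksecure() installs: the name is
 * a secure domain, but nothing is available to validate it with. */
struct anchor { const char *name; bool has_key; };

static const struct anchor anchors[] = {
    { "example.",     true  },
    { "sub.example.", true  },
    { "broken.test.", false },   /* marked secure, no key data */
};
#define NANCHORS (sizeof(anchors) / sizeof(anchors[0]))

/* Labels in an absolute name: "www.example." has 2, the root "." has 0. */
static int label_count(const char *name) {
    int n = 0;
    if (strcmp(name, ".") == 0) return 0;
    for (; *name != '\0'; name++)
        if (*name == '.') n++;
    return n;
}

/* True if 'anc' is 'name' itself or an ancestor of it, compared label by
 * label and case-insensitively: "example." covers "WWW.Example.", but the
 * bare suffix "ample." does not, because it does not end on a label boundary. */
static bool is_ancestor(const char *anc, const char *name) {
    size_t la = strlen(anc), ln = strlen(name);
    if (strcmp(anc, ".") == 0) return true;              /* root covers every name */
    if (la > ln) return false;
    const char *tail = name + (ln - la);
    if (tail != name && tail[-1] != '.') return false;    /* label boundary check */
    for (size_t i = 0; i < la; i++)
        if (tolower((unsigned char)anc[i]) != tolower((unsigned char)tail[i]))
            return false;
    return true;
}

/* Deepest match: index of the covering anchor with the most labels,
 * or -1 when no anchor covers 'name' (the ISC_R_NOTFOUND case). */
static int find_deepest_match(const char *name) {
    int best = -1, best_labels = -1;
    for (size_t i = 0; i < NANCHORS; i++) {
        if (!is_ancestor(anchors[i].name, name)) continue;
        int lc = label_count(anchors[i].name);
        if (lc > best_labels) { best_labels = lc; best = (int)i; }
    }
    return best;
}

/* The question dns_keytable_issecuredomain() answers: at or beneath a trusted key? */
static bool is_secure_domain(const char *name) { return find_deepest_match(name) >= 0; }
```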

Definition in file keytable.h.


Define Documentation

#define DNS_KEYTABLE_H   1

Definition at line 21 of file keytable.h.

#define KEYTABLE_MAGIC   ISC_MAGIC('K', 'T', 'b', 'l')

Definition at line 69 of file keytable.h.

Referenced by dns_keytable_create().

#define VALID_KEYTABLE(kt)   ISC_MAGIC_VALID(kt, KEYTABLE_MAGIC)

Definition at line 70 of file keytable.h.

Referenced by dns_keytable_attach(), dns_keytable_attachkeynode(), dns_keytable_delete(), dns_keytable_deletekeynode(), dns_keytable_detach(), dns_keytable_detachkeynode(), dns_keytable_dump(), dns_keytable_find(), dns_keytable_finddeepestmatch(), dns_keytable_findkeynode(), dns_keytable_findnextkeynode(), dns_keytable_issecuredomain(), dns_keytable_nextkeynode(), dns_keytable_totext(), and insert().

#define KEYNODE_MAGIC   ISC_MAGIC('K', 'N', 'o', 'd')

Definition at line 80 of file keytable.h.

Referenced by dns_keynode_create().

#define VALID_KEYNODE(kn)   ISC_MAGIC_VALID(kn, KEYNODE_MAGIC)

Definition at line 81 of file keytable.h.

Referenced by dns_keynode_attach(), dns_keynode_detach(), dns_keynode_detachall(), dns_keynode_key(), dns_keynode_managed(), dns_keytable_attachkeynode(), dns_keytable_detachkeynode(), dns_keytable_findnextkeynode(), and dns_keytable_nextkeynode().


Function Documentation

isc_result_t dns_keytable_create (isc_mem_t *mctx, dns_keytable_t **keytablep)

Create a keytable.

Definition at line 44 of file keytable.c.

References dns_keytable::active_nodes, DESTROYLOCK, dns_rbt_create(), dns_rbt_destroy(), free_keynode(), isc_mem_attach(), isc_mem_get, isc_mem_putanddetach, isc_mutex_init, ISC_R_NOMEMORY, ISC_R_SUCCESS, isc_rwlock_init(), KEYTABLE_MAGIC, dns_keytable::lock, dns_keytable::magic, dns_keytable::mctx, dns_keytable::references, REQUIRE, dns_keytable::rwlock, and dns_keytable::table.

Referenced by dns_view_initsecroots().

void dns_keytable_attach (dns_keytable_t *source, dns_keytable_t **targetp)

Attach *targetp to source.

Definition at line 93 of file keytable.c.

References INSIST, isc_rwlocktype_write, dns_keytable::references, REQUIRE, dns_keytable::rwlock, RWLOCK, RWUNLOCK, and VALID_KEYTABLE.

Referenced by dns_view_getsecroots().

void dns_keytable_detach (dns_keytable_t **keytablep)

Detach *keytablep from its keytable.

Definition at line 114 of file keytable.c.

References dns_keytable::active_nodes, destroy(), DESTROYLOCK, dns_rbt_destroy(), INSIST, ISC_FALSE, isc_mem_putanddetach, isc_rwlock_destroy(), isc_rwlocktype_write, ISC_TRUE, dns_keytable::lock, LOCK, dns_keytable::magic, dns_keytable::mctx, dns_keytable::references, REQUIRE, dns_keytable::rwlock, RWLOCK, RWUNLOCK, dns_keytable::table, UNLOCK, and VALID_KEYTABLE.

Referenced by destroy(), dns_client_addtrustedkey(), dns_view_initsecroots(), dns_view_untrust(), fail_secure(), keyfetch_done(), load_secroots(), load_view_keys(), ns_server_dumpsecroots(), sync_keyzone(), and trust_key().

isc_result_t dns_keytable_add (dns_keytable_t *keytable, isc_boolean_t managed, dst_key_t **keyp)

Add '*keyp' to 'keytable' (using the name in '*keyp'). The value of keynode->managed is set to 'managed'.

Definition at line 216 of file keytable.c.

References dst_key_name(), insert(), and REQUIRE.

Referenced by dns_client_addtrustedkey(), load_view_keys(), and trust_key().

isc_result_t dns_keytable_marksecure (dns_keytable_t *keytable, dns_name_t *name)

Add a null key to 'keytable' for name 'name'. This marks the name as a secure domain, but doesn't supply any key data that would allow the domain to be validated. (Used when automated trust anchor management has been broken by a zone misconfiguration; for example, when the active key has been revoked but the stand-by key was still in its 30-day waiting period for validity.)

Definition at line 224 of file keytable.c.

References insert(), and ISC_TRUE.

Referenced by fail_secure().

isc_result_t dns_keytable_delete (dns_keytable_t *keytable, dns_name_t *keyname)

Delete node(s) from 'keytable' matching name 'keyname'.

Definition at line 229 of file keytable.c.

References dns_rbtnode::data, DNS_R_PARTIALMATCH, dns_rbt_deletenode(), dns_rbt_findnode(), DNS_RBTFIND_NOOPTIONS, ISC_FALSE, ISC_R_NOTFOUND, ISC_R_SUCCESS, isc_rwlocktype_write, REQUIRE, dns_keytable::rwlock, RWLOCK, RWUNLOCK, dns_keytable::table, and VALID_KEYTABLE.

Referenced by load_secroots().

isc_result_t dns_keytable_deletekeynode (dns_keytable_t *keytable, dst_key_t *dstkey)

Delete node(s) from 'keytable' containing copies of the key pointed to by 'dstkey'.

Definition at line 253 of file keytable.c.

References dns_rbtnode::data, dns_keynode_detach(), DNS_R_PARTIALMATCH, dns_rbt_deletenode(), dns_rbt_findnode(), DNS_RBTFIND_NOOPTIONS, dst_key_compare(), dst_key_free(), dst_key_name(), finish, ISC_FALSE, ISC_R_NOTFOUND, ISC_R_SUCCESS, isc_rwlocktype_write, ISC_TRUE, dns_keynode::key, dns_keytable::mctx, dns_keynode::next, REQUIRE, dns_keytable::rwlock, RWLOCK, RWUNLOCK, dns_keytable::table, and VALID_KEYTABLE.

Referenced by dns_view_untrust().

isc_result_t dns_keytable_find (dns_keytable_t *keytable, dns_name_t *keyname, dns_keynode_t **keynodep)

Search for the first instance of a key named 'keyname' in 'keytable', without regard to keyid and algorithm. Use dns_keytable_nextkeynode() to find subsequent instances.

Definition at line 316 of file keytable.c.

References dns_keytable::active_nodes, dns_rbtnode::data, dns_keynode_attach(), DNS_R_PARTIALMATCH, dns_rbt_findnode(), DNS_RBTFIND_NOOPTIONS, ISC_R_NOTFOUND, ISC_R_SUCCESS, isc_rwlocktype_read, dns_keytable::lock, LOCK, REQUIRE, dns_keytable::rwlock, RWLOCK, RWUNLOCK, dns_keytable::table, UNLOCK, and VALID_KEYTABLE.

Referenced by keyfetch_done(), and sync_keyzone().

isc_result_t dns_keytable_nextkeynode (dns_keytable_t *keytable, dns_keynode_t *keynode, dns_keynode_t **nextnodep)

Return the next key after 'keynode' in 'keytable', without regard to keyid and algorithm.

Definition at line 345 of file keytable.c.

References dns_keytable::active_nodes, dns_keynode_attach(), ISC_R_NOTFOUND, ISC_R_SUCCESS, dns_keytable::lock, LOCK, dns_keynode::next, REQUIRE, UNLOCK, VALID_KEYNODE, and VALID_KEYTABLE.

Referenced by create_keydata(), and keyfetch_done().

isc_result_t dns_keytable_findkeynode (dns_keytable_t *keytable, dns_name_t *name, dns_secalg_t algorithm, dns_keytag_t tag, dns_keynode_t **keynodep)

Search for a key named 'name', matching 'algorithm' and 'tag' in 'keytable'. This finds the first instance which matches. Use dns_keytable_findnextkeynode() to find other instances.

Definition at line 369 of file keytable.c.

References dns_keytable::active_nodes, dns_keynode_attach(), dns_name_isabsolute(), DNS_R_PARTIALMATCH, dns_rbt_findname(), dst_key_alg(), dst_key_id(), INSIST, ISC_R_NOTFOUND, ISC_R_SUCCESS, isc_rwlocktype_read, dns_keynode::key, dns_keytable::lock, LOCK, dns_keynode::next, REQUIRE, dns_keytable::rwlock, RWLOCK, RWUNLOCK, dns_keytable::table, UNLOCK, and VALID_KEYTABLE.

Referenced by validatezonekey().

isc_result_t dns_keytable_findnextkeynode (dns_keytable_t *keytable, dns_keynode_t *keynode, dns_keynode_t **nextnodep)

Search for the next key with the same properties as 'keynode' in 'keytable' as found by dns_keytable_findkeynode().

Definition at line 426 of file keytable.c.

References dns_keytable::active_nodes, dns_keynode_attach(), dst_key_alg(), dst_key_id(), ISC_R_NOTFOUND, ISC_R_SUCCESS, dns_keynode::key, dns_keytable::lock, LOCK, dns_keynode::next, REQUIRE, UNLOCK, VALID_KEYNODE, and VALID_KEYTABLE.

Referenced by validate(), and validatezonekey().

isc_result_t dns_keytable_finddeepestmatch (dns_keytable_t *keytable, dns_name_t *name, dns_name_t *foundname)

Search for the deepest match of 'name' in 'keytable'.

Definition at line 463 of file keytable.c.

References dns_name_isabsolute(), DNS_R_PARTIALMATCH, dns_rbt_findname(), ISC_R_SUCCESS, isc_rwlocktype_read, REQUIRE, dns_keytable::rwlock, RWLOCK, RWUNLOCK, dns_keytable::table, and VALID_KEYTABLE.

Referenced by proveunsecure(), and validatezonekey().

void dns_keytable_attachkeynode (dns_keytable_t *keytable, dns_keynode_t *source, dns_keynode_t **target)

Attach a keynode and increment the active_nodes counter in the corresponding keytable.

Definition at line 491 of file keytable.c.

References dns_keytable::active_nodes, dns_keynode_attach(), dns_keytable::lock, LOCK, REQUIRE, UNLOCK, VALID_KEYNODE, and VALID_KEYTABLE.

Referenced by sync_keyzone().

void dns_keytable_detachkeynode (dns_keytable_t *keytable, dns_keynode_t **keynodep)

Give back a keynode found via dns_keytable_findkeynode().

Definition at line 510 of file keytable.c.

References dns_keytable::active_nodes, dns_keynode_detach(), INSIST, dns_keytable::lock, LOCK, dns_keytable::mctx, REQUIRE, UNLOCK, VALID_KEYNODE, and VALID_KEYTABLE.

Referenced by create_keydata(), destroy(), keyfetch_done(), sync_keyzone(), validate(), and validatezonekey().

isc_result_t dns_keytable_issecuredomain (dns_keytable_t *keytable, dns_name_t *name, dns_name_t *foundname, isc_boolean_t *wantdnssecp)

Is 'name' at or beneath a trusted key?

Definition at line 528 of file keytable.c.

References dns_rbtnode::data, dns_name_isabsolute(), DNS_R_PARTIALMATCH, dns_rbt_findnode(), DNS_RBTFIND_NOOPTIONS, INSIST, ISC_FALSE, ISC_R_NOTFOUND, ISC_R_SUCCESS, isc_rwlocktype_read, ISC_TRUE, REQUIRE, dns_keytable::rwlock, RWLOCK, RWUNLOCK, dns_keytable::table, and VALID_KEYTABLE.

Referenced by dns_view_issecuredomain().

isc_result_t dns_keytable_dump (dns_keytable_t *keytable, FILE *fp)

Dump the keytable on fp.

Definition at line 573 of file keytable.c.

References dns_keytable_totext(), isc_buffer_allocate(), isc_buffer_base, isc_buffer_free(), isc_buffer_usedlength, ISC_R_SUCCESS, isc_result_totext(), dns_keytable::mctx, putstr(), REQUIRE, text, and VALID_KEYTABLE.

isc_result_t dns_keytable_totext (dns_keytable_t *keytable, isc_buffer_t **buf)

Dump the keytable to buffer at 'buf'.

Definition at line 603 of file keytable.c.

References cleanup(), dns_rbtnode::data, DNS_NAME_FORMATSIZE, DNS_R_NEWORIGIN, dns_rbtnodechain_current(), dns_rbtnodechain_first(), dns_rbtnodechain_init(), dns_rbtnodechain_invalidate(), dns_rbtnodechain_next(), dst_key_format(), DST_KEY_FORMATSIZE, ISC_R_NOMORE, ISC_R_NOTFOUND, ISC_R_SUCCESS, isc_rwlocktype_read, dns_keynode::key, dns_keynode::managed, dns_keytable::mctx, dns_keynode::next, putstr(), REQUIRE, dns_keytable::rwlock, RWLOCK, RWUNLOCK, dns_keytable::table, and VALID_KEYTABLE.

Referenced by dns_keytable_dump(), and ns_server_dumpsecroots().

dst_key_t * dns_keynode_key (dns_keynode_t *keynode)

Get the DST key associated with keynode.

Definition at line 650 of file keytable.c.

References dns_keynode::key, REQUIRE, and VALID_KEYNODE.

Referenced by create_keydata(), keyfetch_done(), sync_keyzone(), validate(), and validatezonekey().

isc_boolean_t dns_keynode_managed (dns_keynode_t *keynode)

Is this flagged as a managed key?

Definition at line 662 of file keytable.c.

References dns_keynode::managed, REQUIRE, and VALID_KEYNODE.

Referenced by sync_keyzone().

isc_result_t dns_keynode_create (isc_mem_t *mctx, dns_keynode_t **target)

Allocate space for a keynode.

Definition at line 672 of file keytable.c.

References ISC_FALSE, isc_mem_get, ISC_R_NOMEMORY, ISC_R_SUCCESS, isc_refcount_init(), dns_keynode::key, KEYNODE_MAGIC, dns_keynode::magic, dns_keynode::managed, dns_keynode::next, dns_keynode::refcount, and REQUIRE.

Referenced by insert().

void dns_keynode_attach (dns_keynode_t *source, dns_keynode_t **target)

Attach keynode 'source' to '*target'.

Definition at line 696 of file keytable.c.

References isc_refcount_increment, dns_keynode::refcount, REQUIRE, and VALID_KEYNODE.

Referenced by dns_keytable_attachkeynode(), dns_keytable_find(), dns_keytable_findkeynode(), dns_keytable_findnextkeynode(), and dns_keytable_nextkeynode().

void dns_keynode_detach (isc_mem_t *mctx, dns_keynode_t **target)

Detach a single keynode, without touching any keynodes that may be pointed to by its 'next' pointer.

Definition at line 703 of file keytable.c.

References dst_key_free(), isc_mem_put, isc_refcount_decrement, isc_refcount_destroy, dns_keynode::key, dns_keynode::refcount, REQUIRE, and VALID_KEYNODE.

Referenced by dns_keynode_detachall(), dns_keytable_deletekeynode(), dns_keytable_detachkeynode(), and insert().

void dns_keynode_detachall (isc_mem_t *mctx, dns_keynode_t **target)

Detach a keynode and all its successors.

Definition at line 718 of file keytable.c.

References dns_keynode_detach(), dns_keynode::next, REQUIRE, and VALID_KEYNODE.

Referenced by free_keynode().


Generated on Tue Apr 28 17:41:09 2015 by Doxygen 1.5.4 for BIND9 Internals 9.11.0pre-alpha