/src/bind9/lib/dns/zone.c

Source (jump to first uncovered line)
/*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
 * SPDX-License-Identifier: MPL-2.0
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */

/*! \file */

#include <errno.h>
#include <inttypes.h>
#include <stdbool.h>

#include <isc/async.h>
#include <isc/atomic.h>
#include <isc/file.h>
#include <isc/hash.h>
#include <isc/hashmap.h>
#include <isc/hex.h>
#include <isc/loop.h>
#include <isc/md.h>
#include <isc/mutex.h>
#include <isc/overflow.h>
#include <isc/random.h>
#include <isc/ratelimiter.h>
#include <isc/refcount.h>
#include <isc/result.h>
#include <isc/rwlock.h>
#include <isc/serial.h>
#include <isc/stats.h>
#include <isc/stdtime.h>
#include <isc/strerr.h>
#include <isc/string.h>
#include <isc/thread.h>
#include <isc/tid.h>
#include <isc/timer.h>
#include <isc/tls.h>
#include <isc/util.h>

#include <dns/acl.h>
#include <dns/adb.h>
#include <dns/callbacks.h>
#include <dns/catz.h>
#include <dns/db.h>
#include <dns/dbiterator.h>
#include <dns/dlz.h>
#include <dns/dnssec.h>
#include <dns/journal.h>
#include <dns/kasp.h>
#include <dns/keydata.h>
#include <dns/keymgr.h>
#include <dns/keytable.h>
#include <dns/keyvalues.h>
#include <dns/log.h>
#include <dns/master.h>
#include <dns/masterdump.h>
#include <dns/message.h>
#include <dns/name.h>
#include <dns/nsec.h>
#include <dns/nsec3.h>
#include <dns/opcode.h>
#include <dns/peer.h>
#include <dns/private.h>
#include <dns/rcode.h>
#include <dns/rdata.h>
#include <dns/rdataclass.h>
#include <dns/rdatalist.h>
#include <dns/rdataset.h>
#include <dns/rdatasetiter.h>
#include <dns/rdatastruct.h>
#include <dns/rdatatype.h>
#include <dns/remote.h>
#include <dns/request.h>
#include <dns/resolver.h>
#include <dns/rriterator.h>
#include <dns/soa.h>
#include <dns/ssu.h>
#include <dns/stats.h>
#include <dns/time.h>
#include <dns/tsig.h>
#include <dns/update.h>
#include <dns/xfrin.h>
#include <dns/zone.h>
#include <dns/zoneverify.h>
#include <dns/zt.h>

#include <dst/dst.h>

#include "zone_p.h"

#define ZONE_MAGIC       ISC_MAGIC('Z', 'O', 'N', 'E')
#define DNS_ZONE_VALID(zone) ISC_MAGIC_VALID(zone, ZONE_MAGIC)

#define NOTIFY_MAGIC     ISC_MAGIC('N', 't', 'f', 'y')
#define DNS_NOTIFY_VALID(notify) ISC_MAGIC_VALID(notify, NOTIFY_MAGIC)

#define CHECKDS_MAGIC      ISC_MAGIC('C', 'h', 'D', 'S')
#define DNS_CHECKDS_VALID(checkds) ISC_MAGIC_VALID(checkds, CHECKDS_MAGIC)

#define STUB_MAGIC       ISC_MAGIC('S', 't', 'u', 'b')
#define DNS_STUB_VALID(stub) ISC_MAGIC_VALID(stub, STUB_MAGIC)

#define ZONEMGR_MAGIC   ISC_MAGIC('Z', 'm', 'g', 'r')
#define DNS_ZONEMGR_VALID(stub) ISC_MAGIC_VALID(stub, ZONEMGR_MAGIC)

#define FORWARD_MAGIC   ISC_MAGIC('F', 'o', 'r', 'w')
#define DNS_FORWARD_VALID(load) ISC_MAGIC_VALID(load, FORWARD_MAGIC)

#define IO_MAGIC     ISC_MAGIC('Z', 'm', 'I', 'O')
#define DNS_IO_VALID(load) ISC_MAGIC_VALID(load, IO_MAGIC)

#define KEYMGMT_MAGIC   ISC_MAGIC('M', 'g', 'm', 't')
#define DNS_KEYMGMT_VALID(load) ISC_MAGIC_VALID(load, KEYMGMT_MAGIC)

#define KEYFILEIO_MAGIC     ISC_MAGIC('K', 'y', 'I', 'O')
#define DNS_KEYFILEIO_VALID(kfio) ISC_MAGIC_VALID(kfio, KEYFILEIO_MAGIC)

/*%
 * Ensure 'a' is at least 'min' but not more than 'max'.
 */
#define RANGE(a, min, max) (((a) < (min)) ? (min) : ((a) < (max) ? (a) : (max)))

#define NSEC3REMOVE(x) (((x) & DNS_NSEC3FLAG_REMOVE) != 0)

/*%
 * Key flags
 */
#define REVOKE(x) ((dst_key_flags(x) & DNS_KEYFLAG_REVOKE) != 0)
#define KSK(x)    ((dst_key_flags(x) & DNS_KEYFLAG_KSK) != 0)
#define ID(x)   dst_key_id(x)
#define ALG(x)    dst_key_alg(x)

/*%
 * KASP flags
 */
#define KASP_LOCK(k)                  \
  if ((k) != NULL) {            \
    LOCK((&((k)->lock))); \
  }

#define KASP_UNLOCK(k)                  \
  if ((k) != NULL) {              \
    UNLOCK((&((k)->lock))); \
  }

/*
 * Default values.
 */
#define DNS_DEFAULT_IDLEIN  3600       /*%< 1 hour */
#define DNS_DEFAULT_IDLEOUT 3600       /*%< 1 hour */
#define MAX_XFER_TIME     (2 * 3600) /*%< Documented default is 2 hours */
#define RESIGN_DELAY      3600       /*%< 1 hour */

#ifndef DNS_MAX_EXPIRE
#define DNS_MAX_EXPIRE 14515200 /*%< 24 weeks */
#endif        /* ifndef DNS_MAX_EXPIRE */

#ifndef DNS_DUMP_DELAY
#define DNS_DUMP_DELAY 900 /*%< 15 minutes */
#endif         /* ifndef DNS_DUMP_DELAY */

typedef struct dns_notify dns_notify_t;
typedef struct dns_checkds dns_checkds_t;
typedef struct dns_stub dns_stub_t;
typedef struct dns_load dns_load_t;
typedef struct dns_forward dns_forward_t;
typedef ISC_LIST(dns_forward_t) dns_forwardlist_t;
typedef struct dns_keymgmt dns_keymgmt_t;
typedef struct dns_signing dns_signing_t;
typedef ISC_LIST(dns_signing_t) dns_signinglist_t;
typedef struct dns_nsec3chain dns_nsec3chain_t;
typedef ISC_LIST(dns_nsec3chain_t) dns_nsec3chainlist_t;
typedef struct dns_nsfetch dns_nsfetch_t;
typedef struct dns_keyfetch dns_keyfetch_t;
typedef struct dns_asyncload dns_asyncload_t;
typedef struct dns_include dns_include_t;

#define DNS_ZONE_CHECKLOCK
#ifdef DNS_ZONE_CHECKLOCK
#define LOCK_ZONE(z)                  \
  do {                          \
    LOCK(&(z)->lock);     \
    INSIST(!(z)->locked); \
    (z)->locked = true;   \
  } while (0)
#define UNLOCK_ZONE(z)               \
  do {                         \
    (z)->locked = false; \
    UNLOCK(&(z)->lock);  \
  } while (0)
#define LOCKED_ZONE(z) ((z)->locked)
#define TRYLOCK_ZONE(result, z)                         \
  do {                                            \
    result = isc_mutex_trylock(&(z)->lock); \
    if (result == ISC_R_SUCCESS) {          \
      INSIST(!(z)->locked);           \
      (z)->locked = true;             \
    }                                       \
  } while (0)
#else /* ifdef DNS_ZONE_CHECKLOCK */
#define LOCK_ZONE(z)   LOCK(&(z)->lock)
#define UNLOCK_ZONE(z) UNLOCK(&(z)->lock)
#define LOCKED_ZONE(z) true
#define TRYLOCK_ZONE(result, z)                         \
  do {                                            \
    result = isc_mutex_trylock(&(z)->lock); \
  } while (0)
#endif /* ifdef DNS_ZONE_CHECKLOCK */

#define ZONEDB_INITLOCK(l)    isc_rwlock_init((l))
#define ZONEDB_DESTROYLOCK(l) isc_rwlock_destroy(l)
#define ZONEDB_LOCK(l, t)     RWLOCK((l), (t))
#define ZONEDB_UNLOCK(l, t)   RWUNLOCK((l), (t))

#ifdef ENABLE_AFL
extern bool dns_fuzzing_resolver;
#endif /* ifdef ENABLE_AFL */

/*%
 *  Hold key file IO locks.
 */
typedef struct dns_keyfileio {
  unsigned int magic;
  isc_mutex_t lock;
  isc_refcount_t references;
  dns_name_t *name;
  dns_fixedname_t fname;
} dns_keyfileio_t;

struct dns_keymgmt {
  unsigned int magic;
  isc_rwlock_t lock;
  isc_mem_t *mctx;
  isc_hashmap_t *table;
};

/*
 * Initial size of the keymgmt hash table.
 */
#define DNS_KEYMGMT_HASH_BITS 12

struct dns_zone {
  /* Unlocked */
  unsigned int magic;
  isc_mutex_t lock;
#ifdef DNS_ZONE_CHECKLOCK
  bool locked;
#endif /* ifdef DNS_ZONE_CHECKLOCK */
  isc_mem_t *mctx;
  isc_refcount_t references;

  isc_rwlock_t dblock;
  dns_db_t *db; /* Locked by dblock */

  unsigned int tid;

  /* Locked */
  dns_zonemgr_t *zmgr;
  ISC_LINK(dns_zone_t) link; /* Used by zmgr. */
  isc_loop_t *loop;
  isc_timer_t *timer;
  isc_refcount_t irefs;
  dns_name_t origin;
  char *masterfile;
  const FILE *stream;        /* loading from a stream? */
  ISC_LIST(dns_include_t) includes;    /* Include files */
  ISC_LIST(dns_include_t) newincludes; /* Loading */
  unsigned int nincludes;
  dns_masterformat_t masterformat;
  const dns_master_style_t *masterstyle;
  char *journal;
  int32_t journalsize;
  dns_rdataclass_t rdclass;
  dns_zonetype_t type;
  atomic_uint_fast64_t flags;
  atomic_uint_fast64_t options;
  unsigned int db_argc;
  char **db_argv;
  isc_time_t expiretime;
  isc_time_t refreshtime;
  isc_time_t dumptime;
  isc_time_t loadtime;
  isc_time_t notifytime;
  isc_time_t resigntime;
  isc_time_t keywarntime;
  isc_time_t signingtime;
  isc_time_t nsec3chaintime;
  isc_time_t refreshkeytime;
  isc_time_t xfrintime;
  uint32_t refreshkeyinterval;
  uint32_t refreshkeycount;
  uint32_t refresh;
  uint32_t retry;
  uint32_t expire;
  uint32_t minimum;
  isc_stdtime_t key_expiry;
  isc_stdtime_t log_key_expired_timer;
  char *keydirectory;
  dns_keyfileio_t *kfio;

  uint32_t maxrefresh;
  uint32_t minrefresh;
  uint32_t maxretry;
  uint32_t minretry;

  uint32_t maxrecords;

  dns_remote_t primaries;

  dns_remote_t parentals;
  dns_dnsseckeylist_t checkds_ok;
  dns_checkdstype_t checkdstype;
  uint32_t nsfetchcount;
  uint32_t parent_nscount;

  dns_remote_t notify;
  dns_notifytype_t notifytype;
  isc_sockaddr_t notifyfrom;
  isc_sockaddr_t notifysrc4;
  isc_sockaddr_t notifysrc6;
  isc_sockaddr_t parentalsrc4;
  isc_sockaddr_t parentalsrc6;
  isc_sockaddr_t xfrsource4;
  isc_sockaddr_t xfrsource6;
  isc_sockaddr_t sourceaddr;
  dns_xfrin_t *xfr;     /* loop locked */
  dns_tsigkey_t *tsigkey;     /* key used for xfr */
  dns_transport_t *transport; /* transport used for xfr */
  /* Access Control Lists */
  dns_acl_t *update_acl;
  dns_acl_t *forward_acl;
  dns_acl_t *notify_acl;
  dns_acl_t *query_acl;
  dns_acl_t *queryon_acl;
  dns_acl_t *xfr_acl;
  bool update_disabled;
  bool zero_no_soa_ttl;
  dns_severity_t check_names;
  ISC_LIST(dns_notify_t) notifies;
  ISC_LIST(dns_checkds_t) checkds_requests;
  dns_request_t *request;
  dns_loadctx_t *loadctx;
  dns_dumpctx_t *dumpctx;
  uint32_t maxxfrin;
  uint32_t maxxfrout;
  uint32_t idlein;
  uint32_t idleout;
  dns_ssutable_t *ssutable;
  uint32_t sigvalidityinterval;
  uint32_t keyvalidityinterval;
  uint32_t sigresigninginterval;
  dns_view_t *view;
  dns_view_t *prev_view;
  dns_kasp_t *kasp;
  dns_kasp_t *defaultkasp;
  dns_checkmxfunc_t checkmx;
  dns_checksrvfunc_t checksrv;
  dns_checknsfunc_t checkns;
  /*%
   * Zones in certain states such as "waiting for zone transfer"
   * or "zone transfer in progress" are kept on per-state linked lists
   * in the zone manager using the 'statelink' field.  The 'statelist'
   * field points at the list the zone is currently on.  It the zone
   * is not on any such list, statelist is NULL.
   */
  ISC_LINK(dns_zone_t) statelink;
  dns_zonelist_t *statelist;
  /*%
   * Statistics counters about zone management.
   */
  isc_stats_t *stats;
  /*%
   * Optional per-zone statistics counters.  Counted outside of this
   * module.
   */
  dns_zonestat_level_t statlevel;
  bool requeststats_on;
  isc_stats_t *requeststats;
  dns_stats_t *rcvquerystats;
  dns_stats_t *dnssecsignstats;
  uint32_t notifydelay;
  dns_isselffunc_t isself;
  void *isselfarg;

  char *strnamerd;
  char *strname;
  char *strrdclass;
  char *strviewname;

  /*%
   * Serial number for deferred journal compaction.
   */
  uint32_t compact_serial;
  /*%
   * Keys that are signing the zone for the first time.
   */
  dns_signinglist_t signing;
  dns_nsec3chainlist_t nsec3chain;
  /*%
   * List of outstanding NSEC3PARAM change requests.
   */
  ISC_LIST(struct np3) setnsec3param_queue;
  /*%
   * Signing / re-signing quantum stopping parameters.
   */
  uint32_t signatures;
  uint32_t nodes;
  dns_rdatatype_t privatetype;

  /*%
   * Autosigning/key-maintenance options
   */
  atomic_uint_fast64_t keyopts;

  /*%
   * True if added by "rndc addzone"
   */
  bool added;

  /*%
   * True if added by automatically by named.
   */
  bool automatic;

  /*%
   * response policy data to be relayed to the database
   */
  dns_rpz_zones_t *rpzs;
  dns_rpz_num_t rpz_num;

  /*%
   * catalog zone data
   */
  dns_catz_zones_t *catzs;

  /*%
   * parent catalog zone
   */
  dns_catz_zone_t *parentcatz;

  /*%
   * Serial number update method.
   */
  dns_updatemethod_t updatemethod;

  /*%
   * whether ixfr is requested
   */
  bool requestixfr;
  uint32_t ixfr_ratio;

  /*%
   * whether EDNS EXPIRE is requested
   */
  bool requestexpire;

  /*%
   * Outstanding forwarded UPDATE requests.
   */
  dns_forwardlist_t forwards;

  dns_zone_t *raw;
  dns_zone_t *secure;

  bool sourceserialset;
  uint32_t sourceserial;

  /*%
   * soa and maximum zone ttl
   */
  dns_ttl_t soattl;
  dns_ttl_t maxttl;

  /*
   * Inline zone signing state.
   */
  dns_diff_t rss_diff;
  dns_dbversion_t *rss_newver;
  dns_dbversion_t *rss_oldver;
  dns_db_t *rss_db;
  dns_zone_t *rss_raw;
  struct rss *rss;
  dns_update_state_t *rss_state;

  isc_stats_t *gluecachestats;
};

#define zonediff_init(z, d)                \
  do {                               \
    dns__zonediff_t *_z = (z); \
    (_z)->diff = (d);          \
    (_z)->offline = false;     \
  } while (0)

#define DNS_ZONE_FLAG(z, f)    ((atomic_load_relaxed(&(z)->flags) & (f)) != 0)
#define DNS_ZONE_SETFLAG(z, f) atomic_fetch_or(&(z)->flags, (f))
#define DNS_ZONE_CLRFLAG(z, f) atomic_fetch_and(&(z)->flags, ~(f))
typedef enum {
  DNS_ZONEFLG_REFRESH = 0x00000001U,     /*%< refresh check in progress */
  DNS_ZONEFLG_NEEDDUMP = 0x00000002U,    /*%< zone need consolidation */
  DNS_ZONEFLG_USEVC = 0x00000004U,       /*%< use tcp for refresh query */
  DNS_ZONEFLG_DUMPING = 0x00000008U,     /*%< a dump is in progress */
  DNS_ZONEFLG_HASINCLUDE = 0x00000010U,  /*%< $INCLUDE in zone file */
  DNS_ZONEFLG_LOADED = 0x00000020U,      /*%< database has loaded */
  DNS_ZONEFLG_EXITING = 0x00000040U,     /*%< zone is being destroyed */
  DNS_ZONEFLG_EXPIRED = 0x00000080U,     /*%< zone has expired */
  DNS_ZONEFLG_NEEDREFRESH = 0x00000100U, /*%< refresh check needed */
  DNS_ZONEFLG_UPTODATE = 0x00000200U,    /*%< zone contents are
            * up-to-date */
  DNS_ZONEFLG_NEEDNOTIFY = 0x00000400U,  /*%< need to send out notify
            * messages */
  DNS_ZONEFLG_FIXJOURNAL = 0x00000800U,  /*%< journal file had
            * recoverable error,
            * needs rewriting */
  DNS_ZONEFLG_NOPRIMARIES = 0x00001000U, /*%< an attempt to refresh a
            * zone with no primaries
            * occurred */
  DNS_ZONEFLG_LOADING = 0x00002000U,     /*%< load from disk in progress*/
  DNS_ZONEFLG_HAVETIMERS = 0x00004000U,  /*%< timer values have been set
            * from SOA (if not set, we
            * are still using
            * default timer values) */
  DNS_ZONEFLG_FORCEXFER = 0x00008000U,   /*%< Force a zone xfer */
  DNS_ZONEFLG_NOREFRESH = 0x00010000U,
  DNS_ZONEFLG_DIALNOTIFY = 0x00020000U,
  DNS_ZONEFLG_DIALREFRESH = 0x00040000U,
  DNS_ZONEFLG_SHUTDOWN = 0x00080000U,
  DNS_ZONEFLG_NOIXFR = 0x00100000U, /*%< IXFR failed, force AXFR */
  DNS_ZONEFLG_FLUSH = 0x00200000U,
  DNS_ZONEFLG_NOEDNS = 0x00400000U,
  DNS_ZONEFLG_USEALTXFRSRC = 0x00800000U, /*%< Obsoleted. */
  DNS_ZONEFLG_SOABEFOREAXFR = 0x01000000U,
  DNS_ZONEFLG_NEEDCOMPACT = 0x02000000U,
  DNS_ZONEFLG_REFRESHING = 0x04000000U, /*%< Refreshing keydata */
  DNS_ZONEFLG_THAW = 0x08000000U,
  DNS_ZONEFLG_LOADPENDING = 0x10000000U, /*%< Loading scheduled */
  DNS_ZONEFLG_NODELAY = 0x20000000U,
  DNS_ZONEFLG_SENDSECURE = 0x40000000U,
  DNS_ZONEFLG_NEEDSTARTUPNOTIFY = 0x80000000U, /*%< need to send out
                  * notify due to the zone
                  * just being loaded for
                  * the first time. */
  DNS_ZONEFLG___MAX = UINT64_MAX, /* trick to make the ENUM 64-bit wide */
} dns_zoneflg_t;

#define DNS_ZONE_OPTION(z, o)  ((atomic_load_relaxed(&(z)->options) & (o)) != 0)
#define DNS_ZONE_SETOPTION(z, o) atomic_fetch_or(&(z)->options, (o))
#define DNS_ZONE_CLROPTION(z, o) atomic_fetch_and(&(z)->options, ~(o))

#define DNS_ZONEKEY_OPTION(z, o) \
  ((atomic_load_relaxed(&(z)->keyopts) & (o)) != 0)
#define DNS_ZONEKEY_SETOPTION(z, o) atomic_fetch_or(&(z)->keyopts, (o))
#define DNS_ZONEKEY_CLROPTION(z, o) atomic_fetch_and(&(z)->keyopts, ~(o))

/* Flags for zone_load() */
typedef enum {
  DNS_ZONELOADFLAG_NOSTAT = 0x00000001U, /* Do not stat() master files */
  DNS_ZONELOADFLAG_THAW = 0x00000002U,   /* Thaw the zone on successful
            * load. */
} dns_zoneloadflag_t;

#define UNREACH_CACHE_SIZE 10U
#define UNREACH_HOLD_TIME  600 /* 10 minutes */

#define CHECK(op)                            \
  do {                                 \
    result = (op);               \
    if (result != ISC_R_SUCCESS) \
      goto failure;        \
  } while (0)

struct dns_unreachable {
  isc_sockaddr_t remote;
  isc_sockaddr_t local;
  atomic_uint_fast32_t expire;
  atomic_uint_fast32_t last;
  uint32_t count;
};

struct dns_zonemgr {
  unsigned int magic;
  isc_mem_t *mctx;
  isc_refcount_t refs;
  isc_loopmgr_t *loopmgr;
  isc_nm_t *netmgr;
  uint32_t workers;
  isc_mem_t **mctxpool;
  isc_ratelimiter_t *checkdsrl;
  isc_ratelimiter_t *notifyrl;
  isc_ratelimiter_t *refreshrl;
  isc_ratelimiter_t *startupnotifyrl;
  isc_ratelimiter_t *startuprefreshrl;
  isc_rwlock_t rwlock;
  isc_rwlock_t urlock;

  /* Locked by rwlock. */
  dns_zonelist_t zones;
  dns_zonelist_t waiting_for_xfrin;
  dns_zonelist_t xfrin_in_progress;

  /* Configuration data. */
  uint32_t transfersin;
  uint32_t transfersperns;
  unsigned int checkdsrate;
  unsigned int notifyrate;
  unsigned int startupnotifyrate;
  unsigned int serialqueryrate;
  unsigned int startupserialqueryrate;

  /* Locked by urlock. */
  /* LRU cache */
  struct dns_unreachable unreachable[UNREACH_CACHE_SIZE];

  dns_keymgmt_t *keymgmt;

  isc_tlsctx_cache_t *tlsctx_cache;
  isc_rwlock_t tlsctx_cache_rwlock;
};

/*%
 * Hold notify state.
 */
struct dns_notify {
  unsigned int magic;
  unsigned int flags;
  isc_mem_t *mctx;
  dns_zone_t *zone;
  dns_adbfind_t *find;
  dns_request_t *request;
  dns_name_t ns;
  isc_sockaddr_t src;
  isc_sockaddr_t dst;
  dns_tsigkey_t *key;
  dns_transport_t *transport;
  ISC_LINK(dns_notify_t) link;
  isc_rlevent_t *rlevent;
};

typedef enum dns_notify_flags {
  DNS_NOTIFY_NOSOA = 1 << 0,
  DNS_NOTIFY_STARTUP = 1 << 1,
  DNS_NOTIFY_TCP = 1 << 2,
} dns_notify_flags_t;

/*%
 * Hold checkds state.
 */
struct dns_checkds {
  unsigned int magic;
  dns_notify_flags_t flags;
  isc_mem_t *mctx;
  dns_zone_t *zone;
  dns_adbfind_t *find;
  dns_request_t *request;
  dns_name_t ns;
  isc_sockaddr_t src;
  isc_sockaddr_t dst;
  dns_tsigkey_t *key;
  dns_transport_t *transport;
  ISC_LINK(dns_checkds_t) link;
  isc_rlevent_t *rlevent;
};

/*%
 *  dns_stub holds state while performing a 'stub' transfer.
 *  'db' is the zone's 'db' or a new one if this is the initial
 *  transfer.
 */

struct dns_stub {
  unsigned int magic;
  isc_mem_t *mctx;
  dns_zone_t *zone;
  dns_db_t *db;
  dns_dbversion_t *version;
  atomic_uint_fast32_t pending_requests;
};

/*%
 *  Hold load state.
 */
struct dns_load {
  dns_zone_t *zone;
  dns_db_t *db;
  isc_time_t loadtime;
  dns_rdatacallbacks_t callbacks;
};

/*%
 *  Hold forward state.
 */
struct dns_forward {
  unsigned int magic;
  isc_mem_t *mctx;
  dns_zone_t *zone;
  isc_buffer_t *msgbuf;
  dns_request_t *request;
  uint32_t which;
  isc_sockaddr_t addr;
  dns_transport_t *transport;
  dns_updatecallback_t callback;
  void *callback_arg;
  unsigned int options;
  ISC_LINK(dns_forward_t) link;
};

/*%
 *  Hold state for when we are signing a zone with a new
 *  DNSKEY as result of an update.
 */
struct dns_signing {
  unsigned int magic;
  dns_db_t *db;
  dns_dbiterator_t *dbiterator;
  dns_secalg_t algorithm;
  uint16_t keyid;
  bool deleteit;
  bool done;
  ISC_LINK(dns_signing_t) link;
};

struct dns_nsec3chain {
  unsigned int magic;
  dns_db_t *db;
  dns_dbiterator_t *dbiterator;
  dns_rdata_nsec3param_t nsec3param;
  unsigned char salt[255];
  bool done;
  bool seen_nsec;
  bool delete_nsec;
  bool save_delete_nsec;
  ISC_LINK(dns_nsec3chain_t) link;
};

/*%<
 * 'dbiterator' contains a iterator for the database.  If we are creating
 * a NSEC3 chain only the non-NSEC3 nodes will be iterated.  If we are
 * removing a NSEC3 chain then both NSEC3 and non-NSEC3 nodes will be
 * iterated.
 *
 * 'nsec3param' contains the parameters of the NSEC3 chain being created
 * or removed.
 *
 * 'salt' is buffer space and is referenced via 'nsec3param.salt'.
 *
 * 'seen_nsec' will be set to true if, while iterating the zone to create a
 * NSEC3 chain, a NSEC record is seen.
 *
 * 'delete_nsec' will be set to true if, at the completion of the creation
 * of a NSEC3 chain, 'seen_nsec' is true.  If 'delete_nsec' is true then we
 * are in the process of deleting the NSEC chain.
 *
 * 'save_delete_nsec' is used to store the initial state of 'delete_nsec'
 * so it can be recovered in the event of a error.
 */

struct dns_keyfetch {
  isc_mem_t *mctx;
  dns_fixedname_t name;
  dns_rdataset_t keydataset;
  dns_rdataset_t dnskeyset;
  dns_rdataset_t dnskeysigset;
  dns_zone_t *zone;
  dns_db_t *db;
  dns_fetch_t *fetch;
};

struct dns_nsfetch {
  isc_mem_t *mctx;
  dns_fixedname_t name;
  dns_name_t pname;
  dns_rdataset_t nsrrset;
  dns_rdataset_t nssigset;
  dns_zone_t *zone;
  dns_fetch_t *fetch;
};

/*%
 * Hold state for an asynchronous load
 */
struct dns_asyncload {
  dns_zone_t *zone;
  unsigned int flags;
  dns_zt_callback_t *loaded;
  void *loaded_arg;
};

/*%
 * Reference to an include file encountered during loading
 */
struct dns_include {
  char *name;
  isc_time_t filetime;
  ISC_LINK(dns_include_t) link;
};

/*
 * These can be overridden by the -T mkeytimers option on the command
 * line, so that we can test with shorter periods than specified in
 * RFC 5011.
 */
#define HOUR  3600
#define DAY   (24 * HOUR)
#define MONTH (30 * DAY)
unsigned int dns_zone_mkey_hour = HOUR;
unsigned int dns_zone_mkey_day = DAY;
unsigned int dns_zone_mkey_month = MONTH;

#define SEND_BUFFER_SIZE 2048

static void
zone_timer_set(dns_zone_t *zone, isc_time_t *next, isc_time_t *now);

typedef struct zone_settimer {
  dns_zone_t *zone;
  isc_time_t now;
} zone_settimer_t;

static void
zone_settimer(dns_zone_t *, isc_time_t *);
static void
cancel_refresh(dns_zone_t *);
static void
zone_debuglog(dns_zone_t *zone, const char *, int debuglevel, const char *msg,
        ...) ISC_FORMAT_PRINTF(4, 5);
static void
notify_log(dns_zone_t *zone, int level, const char *fmt, ...)
  ISC_FORMAT_PRINTF(3, 4);
static void
dnssec_log(dns_zone_t *zone, int level, const char *fmt, ...)
  ISC_FORMAT_PRINTF(3, 4);
static void
queue_xfrin(dns_zone_t *zone);
static isc_result_t
update_one_rr(dns_db_t *db, dns_dbversion_t *ver, dns_diff_t *diff,
        dns_diffop_t op, dns_name_t *name, dns_ttl_t ttl,
        dns_rdata_t *rdata);
static void
zone_unload(dns_zone_t *zone);
static void
zone_expire(dns_zone_t *zone);
static void
zone_refresh(dns_zone_t *zone);
static void
zone_iattach(dns_zone_t *source, dns_zone_t **target);
static void
zone_idetach(dns_zone_t **zonep);
static isc_result_t
zone_replacedb(dns_zone_t *zone, dns_db_t *db, bool dump);
static void
zone_attachdb(dns_zone_t *zone, dns_db_t *db);
static void
zone_detachdb(dns_zone_t *zone);
static void
zone_catz_enable(dns_zone_t *zone, dns_catz_zones_t *catzs);
static void
zone_catz_disable(dns_zone_t *zone);
static isc_result_t
default_journal(dns_zone_t *zone);
static void
zone_xfrdone(dns_zone_t *zone, uint32_t *expireopt, isc_result_t result);
static isc_result_t
zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
        isc_result_t result);
static void
zone_needdump(dns_zone_t *zone, unsigned int delay);
static void
zone_shutdown(void *arg);
static void
zone_loaddone(void *arg, isc_result_t result);
static isc_result_t
zone_startload(dns_db_t *db, dns_zone_t *zone, isc_time_t loadtime);
static void
zone_namerd_tostr(dns_zone_t *zone, char *buf, size_t length);
static void
zone_name_tostr(dns_zone_t *zone, char *buf, size_t length);
static void
zone_rdclass_tostr(dns_zone_t *zone, char *buf, size_t length);
static void
zone_viewname_tostr(dns_zone_t *zone, char *buf, size_t length);
static isc_result_t
zone_send_secureserial(dns_zone_t *zone, uint32_t serial);
static void
refresh_callback(void *arg);
static void
stub_callback(void *arg);
static void
queue_soa_query(dns_zone_t *zone);
static void
soa_query(void *arg);
static void
ns_query(dns_zone_t *zone, dns_rdataset_t *soardataset, dns_stub_t *stub);
static int
message_count(dns_message_t *msg, dns_section_t section, dns_rdatatype_t type);
static void
checkds_cancel(dns_zone_t *zone);
static void
checkds_find_address(dns_checkds_t *checkds);
static void
checkds_send(dns_zone_t *zone);
static void
checkds_createmessage(dns_zone_t *zone, dns_message_t **messagep);
static void
checkds_done(void *arg);
static void
checkds_send_tons(dns_checkds_t *checkds);
static void
checkds_send_toaddr(void *arg);
static void
nsfetch_levelup(dns_nsfetch_t *nsfetch);
static void
notify_cancel(dns_zone_t *zone);
static void
notify_find_address(dns_notify_t *notify);
static void
notify_send(dns_notify_t *notify);
static isc_result_t
notify_createmessage(dns_zone_t *zone, unsigned int flags,
         dns_message_t **messagep);
static void
notify_done(void *arg);
static void
notify_send_toaddr(void *arg);
static isc_result_t
zone_dump(dns_zone_t *, bool);
static void
got_transfer_quota(void *arg);
static isc_result_t
zmgr_start_xfrin_ifquota(dns_zonemgr_t *zmgr, dns_zone_t *zone);
static void
zmgr_resume_xfrs(dns_zonemgr_t *zmgr, bool multi);
static void
zonemgr_free(dns_zonemgr_t *zmgr);
static void
rss_post(void *arg);

static isc_result_t
zone_get_from_db(dns_zone_t *zone, dns_db_t *db, unsigned int *nscount,
     unsigned int *soacount, uint32_t *soattl, uint32_t *serial,
     uint32_t *refresh, uint32_t *retry, uint32_t *expire,
     uint32_t *minimum, unsigned int *errors);

static void
zone_freedbargs(dns_zone_t *zone);
static void
forward_callback(void *arg);
static void
zone_saveunique(dns_zone_t *zone, const char *path, const char *templat);
static void
zone_maintenance(dns_zone_t *zone);
static void
zone_notify(dns_zone_t *zone, isc_time_t *now);
static void
dump_done(void *arg, isc_result_t result);
static isc_result_t
zone_signwithkey(dns_zone_t *zone, dns_secalg_t algorithm, uint16_t keyid,
     bool deleteit);
static isc_result_t
delete_nsec(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node,
      dns_name_t *name, dns_diff_t *diff);
static void
zone_rekey(dns_zone_t *zone);
static isc_result_t
zone_send_securedb(dns_zone_t *zone, dns_db_t *db);
static dns_ttl_t
zone_nsecttl(dns_zone_t *zone);
static void
setrl(isc_ratelimiter_t *rl, unsigned int *rate, unsigned int value);
static void
zone_journal_compact(dns_zone_t *zone, dns_db_t *db, uint32_t serial);
static isc_result_t
zone_journal_rollforward(dns_zone_t *zone, dns_db_t *db, bool *needdump,
       bool *fixjournal);
static void
setnsec3param(void *arg);

static void
zmgr_tlsctx_attach(dns_zonemgr_t *zmgr, isc_tlsctx_cache_t **ptlsctx_cache);
/*%<
 *  Attach to TLS client context cache used for zone transfers via
 *  encrypted transports (e.g. XoT).
 *
 * The obtained reference needs to be detached by a call to
 * 'isc_tlsctx_cache_detach()' when not needed anymore.
 *
 * Requires:
 *\li 'zmgr' is a valid zone manager.
 *\li 'ptlsctx_cache' is not 'NULL' and points to 'NULL'.
 */

#define ENTER zone_debuglog(zone, __func__, 1, "enter")

static const unsigned int dbargc_default = 1;
static const char *dbargv_default[] = { "rbt" };

#define DNS_ZONE_JITTER_ADD(a, b, c)                                         \
  do {                                                                 \
    isc_interval_t _i;                                           \
    uint32_t _j;                                                 \
    _j = (b)-isc_random_uniform((b) / 4);                        \
    isc_interval_set(&_i, _j, 0);                                \
    if (isc_time_add((a), &_i, (c)) != ISC_R_SUCCESS) {          \
      dns_zone_log(zone, ISC_LOG_WARNING,                  \
             "epoch approaching: upgrade required: " \
             "now + %s failed",                      \
             #b);                                    \
      isc_interval_set(&_i, _j / 2, 0);                    \
      (void)isc_time_add((a), &_i, (c));                   \
    }                                                            \
  } while (0)

#define DNS_ZONE_TIME_ADD(a, b, c)                                           \
  do {                                                                 \
    isc_interval_t _i;                                           \
    isc_interval_set(&_i, (b), 0);                               \
    if (isc_time_add((a), &_i, (c)) != ISC_R_SUCCESS) {          \
      dns_zone_log(zone, ISC_LOG_WARNING,                  \
             "epoch approaching: upgrade required: " \
             "now + %s failed",                      \
             #b);                                    \
      isc_interval_set(&_i, (b) / 2, 0);                   \
      (void)isc_time_add((a), &_i, (c));                   \
    }                                                            \
  } while (0)

typedef struct nsec3param nsec3param_t;
struct nsec3param {
  dns_rdata_nsec3param_t rdata;
  unsigned char data[DNS_NSEC3PARAM_BUFFERSIZE + 1];
  unsigned int length;
  bool nsec;
  bool replace;
  bool resalt;
  bool lookup;
  ISC_LINK(nsec3param_t) link;
};
typedef ISC_LIST(nsec3param_t) nsec3paramlist_t;

struct np3 {
  dns_zone_t *zone;
  nsec3param_t params;
  ISC_LINK(struct np3) link;
};

struct setserial {
  dns_zone_t *zone;
  uint32_t serial;
};

struct stub_cb_args {
  dns_stub_t *stub;
  dns_tsigkey_t *tsig_key;
  uint16_t udpsize;
  int timeout;
  bool reqnsid;
};

struct stub_glue_request {
  dns_request_t *request;
  dns_name_t name;
  struct stub_cb_args *args;
  bool ipv4;
};

/*%
 * Increment resolver-related statistics counters.  Zone must be locked.
 */
static void
inc_stats(dns_zone_t *zone, isc_statscounter_t counter) {
  if (zone->stats != NULL) {
    isc_stats_increment(zone->stats, counter);
  }
}

/***
 ***  Public functions.
 ***/

void
dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx, unsigned int tid) {
  isc_time_t now;
  dns_zone_t *zone = NULL;

  REQUIRE(zonep != NULL && *zonep == NULL);
  REQUIRE(mctx != NULL);

  now = isc_time_now();
  zone = isc_mem_get(mctx, sizeof(*zone));
  *zone = (dns_zone_t){
    .masterformat = dns_masterformat_none,
    .journalsize = -1,
    .rdclass = dns_rdataclass_none,
    .type = dns_zone_none,
    .refresh = DNS_ZONE_DEFAULTREFRESH,
    .retry = DNS_ZONE_DEFAULTRETRY,
    .maxrefresh = DNS_ZONE_MAXREFRESH,
    .minrefresh = DNS_ZONE_MINREFRESH,
    .maxretry = DNS_ZONE_MAXRETRY,
    .minretry = DNS_ZONE_MINRETRY,
    .checkdstype = dns_checkdstype_yes,
    .notifytype = dns_notifytype_yes,
    .zero_no_soa_ttl = true,
    .check_names = dns_severity_ignore,
    .idlein = DNS_DEFAULT_IDLEIN,
    .idleout = DNS_DEFAULT_IDLEOUT,
    .maxxfrin = MAX_XFER_TIME,
    .maxxfrout = MAX_XFER_TIME,
    .sigvalidityinterval = 30 * 24 * 3600,
    .sigresigninginterval = 7 * 24 * 3600,
    .statlevel = dns_zonestat_none,
    .notifydelay = 5,
    .signatures = 10,
    .nodes = 100,
    .privatetype = (dns_rdatatype_t)0xffffU,
    .rpz_num = DNS_RPZ_INVALID_NUM,
    .requestixfr = true,
    .ixfr_ratio = 100,
    .requestexpire = true,
    .updatemethod = dns_updatemethod_increment,
    .tid = tid,
    .notifytime = now,
    .newincludes = ISC_LIST_INITIALIZER,
    .notifies = ISC_LIST_INITIALIZER,
    .checkds_requests = ISC_LIST_INITIALIZER,
    .signing = ISC_LIST_INITIALIZER,
    .nsec3chain = ISC_LIST_INITIALIZER,
    .setnsec3param_queue = ISC_LIST_INITIALIZER,
    .forwards = ISC_LIST_INITIALIZER,
    .link = ISC_LINK_INITIALIZER,
    .statelink = ISC_LINK_INITIALIZER,
  };
  dns_remote_t r = {
    .magic = DNS_REMOTE_MAGIC,
  };

  isc_mem_attach(mctx, &zone->mctx);
  isc_mutex_init(&zone->lock);
  ZONEDB_INITLOCK(&zone->dblock);

  isc_refcount_init(&zone->references, 1);
  isc_refcount_init(&zone->irefs, 0);
  dns_name_init(&zone->origin, NULL);
  isc_sockaddr_any(&zone->notifysrc4);
  isc_sockaddr_any6(&zone->notifysrc6);
  isc_sockaddr_any(&zone->parentalsrc4);
  isc_sockaddr_any6(&zone->parentalsrc6);
  isc_sockaddr_any(&zone->xfrsource4);
  isc_sockaddr_any6(&zone->xfrsource6);

  zone->primaries = r;
  zone->parentals = r;
  zone->notify = r;
  zone->defaultkasp = NULL;

  isc_stats_create(mctx, &zone->gluecachestats,
       dns_gluecachestatscounter_max);

  zone->magic = ZONE_MAGIC;

  /* Must be after magic is set. */
  dns_zone_setdbtype(zone, dbargc_default, dbargv_default);

  *zonep = zone;
}

static void
clear_keylist(dns_dnsseckeylist_t *list, isc_mem_t *mctx) {
  dns_dnsseckey_t *key;
  while (!ISC_LIST_EMPTY(*list)) {
    key = ISC_LIST_HEAD(*list);
    ISC_LIST_UNLINK(*list, key, link);
    dns_dnsseckey_destroy(mctx, &key);
  }
}

/*
 * Free a zone.  Because we require that there be no more
 * outstanding events or references, no locking is necessary.
 */
static void
zone_free(dns_zone_t *zone) {
  dns_signing_t *signing = NULL;
  dns_nsec3chain_t *nsec3chain = NULL;
  dns_include_t *include = NULL;

  REQUIRE(DNS_ZONE_VALID(zone));
  REQUIRE(!LOCKED_ZONE(zone));
  REQUIRE(zone->timer == NULL);
  REQUIRE(zone->zmgr == NULL);

  isc_refcount_destroy(&zone->references);
  isc_refcount_destroy(&zone->irefs);

  /*
   * Managed objects.  Order is important.
   */
  if (zone->request != NULL) {
    dns_request_destroy(&zone->request); /* XXXMPA */
  }
  INSIST(zone->statelist == NULL);
  INSIST(zone->view == NULL);
  INSIST(zone->prev_view == NULL);

  /* Unmanaged objects */
  for (struct np3 *npe = ISC_LIST_HEAD(zone->setnsec3param_queue);
       npe != NULL; npe = ISC_LIST_HEAD(zone->setnsec3param_queue))
  {
    ISC_LIST_UNLINK(zone->setnsec3param_queue, npe, link);
    isc_mem_put(zone->mctx, npe, sizeof(*npe));
  }

  for (signing = ISC_LIST_HEAD(zone->signing); signing != NULL;
       signing = ISC_LIST_HEAD(zone->signing))
  {
    ISC_LIST_UNLINK(zone->signing, signing, link);
    dns_db_detach(&signing->db);
    dns_dbiterator_destroy(&signing->dbiterator);
    isc_mem_put(zone->mctx, signing, sizeof *signing);
  }
  for (nsec3chain = ISC_LIST_HEAD(zone->nsec3chain); nsec3chain != NULL;
       nsec3chain = ISC_LIST_HEAD(zone->nsec3chain))
  {
    ISC_LIST_UNLINK(zone->nsec3chain, nsec3chain, link);
    dns_db_detach(&nsec3chain->db);
    dns_dbiterator_destroy(&nsec3chain->dbiterator);
    isc_mem_put(zone->mctx, nsec3chain, sizeof *nsec3chain);
  }
  for (include = ISC_LIST_HEAD(zone->includes); include != NULL;
       include = ISC_LIST_HEAD(zone->includes))
  {
    ISC_LIST_UNLINK(zone->includes, include, link);
    isc_mem_free(zone->mctx, include->name);
    isc_mem_put(zone->mctx, include, sizeof *include);
  }
  for (include = ISC_LIST_HEAD(zone->newincludes); include != NULL;
       include = ISC_LIST_HEAD(zone->newincludes))
  {
    ISC_LIST_UNLINK(zone->newincludes, include, link);
    isc_mem_free(zone->mctx, include->name);
    isc_mem_put(zone->mctx, include, sizeof *include);
  }
  if (zone->masterfile != NULL) {
    isc_mem_free(zone->mctx, zone->masterfile);
  }
  zone->masterfile = NULL;
  if (zone->keydirectory != NULL) {
    isc_mem_free(zone->mctx, zone->keydirectory);
  }
  zone->keydirectory = NULL;
  if (zone->kasp != NULL) {
    dns_kasp_detach(&zone->kasp);
  }
  if (zone->defaultkasp != NULL) {
    dns_kasp_detach(&zone->defaultkasp);
  }
  if (!ISC_LIST_EMPTY(zone->checkds_ok)) {
    clear_keylist(&zone->checkds_ok, zone->mctx);
  }

  zone->journalsize = -1;
  if (zone->journal != NULL) {
    isc_mem_free(zone->mctx, zone->journal);
  }
  zone->journal = NULL;
  if (zone->stats != NULL) {
    isc_stats_detach(&zone->stats);
  }
  if (zone->requeststats != NULL) {
    isc_stats_detach(&zone->requeststats);
  }
  if (zone->rcvquerystats != NULL) {
    dns_stats_detach(&zone->rcvquerystats);
  }
  if (zone->dnssecsignstats != NULL) {
    dns_stats_detach(&zone->dnssecsignstats);
  }
  if (zone->db != NULL) {
    zone_detachdb(zone);
  }
  if (zone->rpzs != NULL) {
    REQUIRE(zone->rpz_num < zone->rpzs->p.num_zones);
    dns_rpz_zones_detach(&zone->rpzs);
    zone->rpz_num = DNS_RPZ_INVALID_NUM;
  }
  if (zone->catzs != NULL) {
    dns_catz_zones_detach(&zone->catzs);
  }
  zone_freedbargs(zone);

  dns_zone_setparentals(zone, NULL, NULL, NULL, NULL, 0);
  dns_zone_setprimaries(zone, NULL, NULL, NULL, NULL, 0);
  dns_zone_setalsonotify(zone, NULL, NULL, NULL, NULL, 0);

  zone->check_names = dns_severity_ignore;
  if (zone->update_acl != NULL) {
    dns_acl_detach(&zone->update_acl);
  }
  if (zone->forward_acl != NULL) {
    dns_acl_detach(&zone->forward_acl);
  }
  if (zone->notify_acl != NULL) {
    dns_acl_detach(&zone->notify_acl);
  }
  if (zone->query_acl != NULL) {
    dns_acl_detach(&zone->query_acl);
  }
  if (zone->queryon_acl != NULL) {
    dns_acl_detach(&zone->queryon_acl);
  }
  if (zone->xfr_acl != NULL) {
    dns_acl_detach(&zone->xfr_acl);
  }
  if (dns_name_dynamic(&zone->origin)) {
    dns_name_free(&zone->origin, zone->mctx);
  }
  if (zone->strnamerd != NULL) {
    isc_mem_free(zone->mctx, zone->strnamerd);
  }
  if (zone->strname != NULL) {
    isc_mem_free(zone->mctx, zone->strname);
  }
  if (zone->strrdclass != NULL) {
    isc_mem_free(zone->mctx, zone->strrdclass);
  }
  if (zone->strviewname != NULL) {
    isc_mem_free(zone->mctx, zone->strviewname);
  }
  if (zone->ssutable != NULL) {
    dns_ssutable_detach(&zone->ssutable);
  }
  if (zone->gluecachestats != NULL) {
    isc_stats_detach(&zone->gluecachestats);
  }

  /* last stuff */
  ZONEDB_DESTROYLOCK(&zone->dblock);
  isc_mutex_destroy(&zone->lock);
  zone->magic = 0;
  isc_mem_putanddetach(&zone->mctx, zone, sizeof(*zone));
}

/*
 * Returns true iff this the signed side of an inline-signing zone.
 * Caller should hold zone lock.
 */
static bool
inline_secure(dns_zone_t *zone) {
  REQUIRE(DNS_ZONE_VALID(zone));
  if (zone->raw != NULL) {
    return (true);
  }
  return (false);
}

/*
 * Returns true iff this the unsigned side of an inline-signing zone
 * Caller should hold zone lock.
 */
static bool
inline_raw(dns_zone_t *zone) {
  REQUIRE(DNS_ZONE_VALID(zone));
  if (zone->secure != NULL) {
    return (true);
  }
  return (false);
}

/*
 *  Single shot.
 */
void
dns_zone_setclass(dns_zone_t *zone, dns_rdataclass_t rdclass) {
  char namebuf[1024];

  REQUIRE(DNS_ZONE_VALID(zone));
  REQUIRE(rdclass != dns_rdataclass_none);

  /*
   * Test and set.
   */
  LOCK_ZONE(zone);
  INSIST(zone != zone->raw);
  REQUIRE(zone->rdclass == dns_rdataclass_none ||
    zone->rdclass == rdclass);
  zone->rdclass = rdclass;

  if (zone->strnamerd != NULL) {
    isc_mem_free(zone->mctx, zone->strnamerd);
  }
  if (zone->strrdclass != NULL) {
    isc_mem_free(zone->mctx, zone->strrdclass);
  }

  zone_namerd_tostr(zone, namebuf, sizeof namebuf);
  zone->strnamerd = isc_mem_strdup(zone->mctx, namebuf);
  zone_rdclass_tostr(zone, namebuf, sizeof namebuf);
  zone->strrdclass = isc_mem_strdup(zone->mctx, namebuf);

  if (inline_secure(zone)) {
    dns_zone_setclass(zone->raw, rdclass);
  }
  UNLOCK_ZONE(zone);
}

dns_rdataclass_t
dns_zone_getclass(dns_zone_t *zone) {
  REQUIRE(DNS_ZONE_VALID(zone));

  return (zone->rdclass);
}

void
dns_zone_setnotifytype(dns_zone_t *zone, dns_notifytype_t notifytype) {
  REQUIRE(DNS_ZONE_VALID(zone));

  LOCK_ZONE(zone);
  zone->notifytype = notifytype;
  UNLOCK_ZONE(zone);
}

void
dns_zone_setcheckdstype(dns_zone_t *zone, dns_checkdstype_t checkdstype) {
  REQUIRE(DNS_ZONE_VALID(zone));

  LOCK_ZONE(zone);
  zone->checkdstype = checkdstype;
  UNLOCK_ZONE(zone);
}

isc_result_t
dns_zone_getserial(dns_zone_t *zone, uint32_t *serialp) {
  isc_result_t result;
  unsigned int soacount;

  REQUIRE(DNS_ZONE_VALID(zone));
  REQUIRE(serialp != NULL);

  LOCK_ZONE(zone);
  ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
  if (zone->db != NULL) {
    result = zone_get_from_db(zone, zone->db, NULL, &soacount, NULL,
            serialp, NULL, NULL, NULL, NULL,
            NULL);
    if (result == ISC_R_SUCCESS && soacount == 0) {
      result = ISC_R_FAILURE;
    }
  } else {
    result = DNS_R_NOTLOADED;
  }
  ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
  UNLOCK_ZONE(zone);

  return (result);
}

/*
 *  Single shot.
 */
void
dns_zone_settype(dns_zone_t *zone, dns_zonetype_t type) {
  char namebuf[1024];

  REQUIRE(DNS_ZONE_VALID(zone));
  REQUIRE(type != dns_zone_none);

  /*
   * Test and set.
   */
  LOCK_ZONE(zone);
  REQUIRE(zone->type == dns_zone_none || zone->type == type);
  zone->type = type;

  if (zone->strnamerd != NULL) {
    isc_mem_free(zone->mctx, zone->strnamerd);
  }

  zone_namerd_tostr(zone, namebuf, sizeof namebuf);
  zone->strnamerd = isc_mem_strdup(zone->mctx, namebuf);
  UNLOCK_ZONE(zone);
}

static void
zone_freedbargs(dns_zone_t *zone) {
  unsigned int i;

  /* Free the old database argument list. */
  if (zone->db_argv != NULL) {
    for (i = 0; i < zone->db_argc; i++) {
      isc_mem_free(zone->mctx, zone->db_argv[i]);
    }
    isc_mem_cput(zone->mctx, zone->db_argv, zone->db_argc,
           sizeof(*zone->db_argv));
  }
  zone->db_argc = 0;
  zone->db_argv = NULL;
}

isc_result_t
dns_zone_getdbtype(dns_zone_t *zone, char ***argv, isc_mem_t *mctx) {
  size_t size = 0;
  unsigned int i;
  isc_result_t result = ISC_R_SUCCESS;
  void *mem;
  char **tmp, *tmp2, *base;

  REQUIRE(DNS_ZONE_VALID(zone));
  REQUIRE(argv != NULL && *argv == NULL);

  LOCK_ZONE(zone);
  size = ISC_CHECKED_MUL((zone->db_argc + 1), sizeof(char *));
  for (i = 0; i < zone->db_argc; i++) {
    size += strlen(zone->db_argv[i]) + 1;
  }
  mem = isc_mem_allocate(mctx, size);
  {
    tmp = mem;
    tmp2 = mem;
    base = mem;
    tmp2 += ISC_CHECKED_MUL((zone->db_argc + 1), sizeof(char *));
    for (i = 0; i < zone->db_argc; i++) {
      *tmp++ = tmp2;
      strlcpy(tmp2, zone->db_argv[i], size - (tmp2 - base));
      tmp2 += strlen(tmp2) + 1;
    }
    *tmp = NULL;
  }
  UNLOCK_ZONE(zone);
  *argv = mem;
  return (result);
}

void
dns_zone_setdbtype(dns_zone_t *zone, unsigned int dbargc,
       const char *const *dbargv) {
  char **argv = NULL;
  unsigned int i;

  REQUIRE(DNS_ZONE_VALID(zone));
  REQUIRE(dbargc >= 1);
  REQUIRE(dbargv != NULL);

  LOCK_ZONE(zone);

  /* Set up a new database argument list. */
  argv = isc_mem_cget(zone->mctx, dbargc, sizeof(*argv));
  for (i = 0; i < dbargc; i++) {
    argv[i] = NULL;
  }
  for (i = 0; i < dbargc; i++) {
    argv[i] = isc_mem_strdup(zone->mctx, dbargv[i]);
  }

  /* Free the old list. */
  zone_freedbargs(zone);

  zone->db_argc = dbargc;
  zone->db_argv = argv;

  UNLOCK_ZONE(zone);
}

static void
dns_zone_setview_helper(dns_zone_t *zone, dns_view_t *view) {
  char namebuf[1024];

  if (zone->prev_view == NULL && zone->view != NULL) {
    dns_view_weakattach(zone->view, &zone->prev_view);
  }

  INSIST(zone != zone->raw);
  if (zone->view != NULL) {
    dns_view_sfd_del(zone->view, &zone->origin);
    dns_view_weakdetach(&zone->view);
  }
  dns_view_weakattach(view, &zone->view);
  dns_view_sfd_add(view, &zone->origin);

  if (zone->strviewname != NULL) {
    isc_mem_free(zone->mctx, zone->strviewname);
  }
  if (zone->strnamerd != NULL) {
    isc_mem_free(zone->mctx, zone->strnamerd);
  }

  zone_namerd_tostr(zone, namebuf, sizeof namebuf);
  zone->strnamerd = isc_mem_strdup(zone->mctx, namebuf);
  zone_viewname_tostr(zone, namebuf, sizeof namebuf);
  zone->strviewname = isc_mem_strdup(zone->mctx, namebuf);

  if (inline_secure(zone)) {
    dns_zone_setview(zone->raw, view);
  }
}

void
dns_zone_setview(dns_zone_t *zone, dns_view_t *view) {
  REQUIRE(DNS_ZONE_VALID(zone));

  LOCK_ZONE(zone);
  dns_zone_setview_helper(zone, view);
  UNLOCK_ZONE(zone);
}

dns_view_t *
dns_zone_getview(dns_zone_t *zone) {
  REQUIRE(DNS_ZONE_VALID(zone));

  return (zone->view);
}

void
dns_zone_setviewcommit(dns_zone_t *zone) {
  REQUIRE(DNS_ZONE_VALID(zone));

  LOCK_ZONE(zone);
  if (zone->prev_view != NULL) {
    dns_view_weakdetach(&zone->prev_view);
  }
  if (inline_secure(zone)) {
    dns_zone_setviewcommit(zone->raw);
  }
  UNLOCK_ZONE(zone);
}

void
dns_zone_setviewrevert(dns_zone_t *zone) {
  REQUIRE(DNS_ZONE_VALID(zone));

  LOCK_ZONE(zone);
  if (zone->prev_view != NULL) {
    dns_zone_setview_helper(zone, zone->prev_view);
    dns_view_weakdetach(&zone->prev_view);
  }
  if (zone->catzs != NULL) {
    zone_catz_enable(zone, zone->catzs);
  }
  if (inline_secure(zone)) {
    dns_zone_setviewrevert(zone->raw);
  }
  UNLOCK_ZONE(zone);
}

isc_result_t
dns_zone_setorigin(dns_zone_t *zone, const dns_name_t *origin) {
  isc_result_t result = ISC_R_SUCCESS;
  char namebuf[1024];

  REQUIRE(DNS_ZONE_VALID(zone));
  REQUIRE(origin != NULL);

  LOCK_ZONE(zone);
  INSIST(zone != zone->raw);
  if (dns_name_dynamic(&zone->origin)) {
    dns_name_free(&zone->origin, zone->mctx);
    dns_name_init(&zone->origin, NULL);
  }
  dns_name_dup(origin, zone->mctx, &zone->origin);

  if (zone->strnamerd != NULL) {
    isc_mem_free(zone->mctx, zone->strnamerd);
  }
  if (zone->strname != NULL) {
    isc_mem_free(zone->mctx, zone->strname);
  }

  zone_namerd_tostr(zone, namebuf, sizeof namebuf);
  zone->strnamerd = isc_mem_strdup(zone->mctx, namebuf);
  zone_name_tostr(zone, namebuf, sizeof namebuf);
  zone->strname = isc_mem_strdup(zone->mctx, namebuf);

  if (inline_secure(zone)) {
    result = dns_zone_setorigin(zone->raw, origin);
  }
  UNLOCK_ZONE(zone);
  return (result);
}

static isc_result_t
dns_zone_setstring(dns_zone_t *zone, char **field, const char *value) {
  char *copy;

  if (value != NULL) {
    copy = isc_mem_strdup(zone->mctx, value);
  } else {
    copy = NULL;
  }

  if (*field != NULL) {
    isc_mem_free(zone->mctx, *field);
  }

  *field = copy;
  return (ISC_R_SUCCESS);
}

isc_result_t
dns_zone_setfile(dns_zone_t *zone, const char *file, dns_masterformat_t format,
     const dns_master_style_t *style) {
  isc_result_t result = ISC_R_SUCCESS;

  REQUIRE(DNS_ZONE_VALID(zone));
  REQUIRE(zone->stream == NULL);

  LOCK_ZONE(zone);
  result = dns_zone_setstring(zone, &zone->masterfile, file);
  if (result == ISC_R_SUCCESS) {
    zone->masterformat = format;
    if (format == dns_masterformat_text) {
      zone->masterstyle = style;
    }
    result = default_journal(zone);
  }
  UNLOCK_ZONE(zone);

  return (result);
}

const char *
dns_zone_getfile(dns_zone_t *zone) {
  REQUIRE(DNS_ZONE_VALID(zone));

  return (zone->masterfile);
}

isc_result_t
dns_zone_setstream(dns_zone_t *zone, const FILE *stream,
       dns_masterformat_t format, const dns_master_style_t *style) {
  isc_result_t result = ISC_R_SUCCESS;

  REQUIRE(DNS_ZONE_VALID(zone));
  REQUIRE(stream != NULL);
  REQUIRE(zone->masterfile == NULL);

  LOCK_ZONE(zone);
  zone->stream = stream;
  zone->masterformat = format;
  if (format == dns_masterformat_text) {
    zone->masterstyle = style;
  }
  result = default_journal(zone);
  UNLOCK_ZONE(zone);

  return (result);
}

dns_ttl_t
dns_zone_getmaxttl(dns_zone_t *zone) {
  REQUIRE(DNS_ZONE_VALID(zone));

  return (zone->maxttl);
}

void
dns_zone_setmaxttl(dns_zone_t *zone, dns_ttl_t maxttl) {
  REQUIRE(DNS_ZONE_VALID(zone));

  LOCK_ZONE(zone);
  if (maxttl != 0) {
    DNS_ZONE_SETOPTION(zone, DNS_ZONEOPT_CHECKTTL);
  } else {
    DNS_ZONE_CLROPTION(zone, DNS_ZONEOPT_CHECKTTL);
  }
  zone->maxttl = maxttl;
  UNLOCK_ZONE(zone);

  return;
}

static isc_result_t
default_journal(dns_zone_t *zone) {
  isc_result_t result;
  char *journal;

  REQUIRE(DNS_ZONE_VALID(zone));
  REQUIRE(LOCKED_ZONE(zone));

  if (zone->masterfile != NULL) {
    /* Calculate string length including '\0'. */
    int len = strlen(zone->masterfile) + sizeof(".jnl");
    journal = isc_mem_allocate(zone->mctx, len);
    strlcpy(journal, zone->masterfile, len);
    strlcat(journal, ".jnl", len);
  } else {
    journal = NULL;
  }
  result = dns_zone_setstring(zone, &zone->journal, journal);
  if (journal != NULL) {
    isc_mem_free(zone->mctx, journal);
  }
  return (result);
}

isc_result_t
dns_zone_setjournal(dns_zone_t *zone, const char *myjournal) {
  isc_result_t result = ISC_R_SUCCESS;

  REQUIRE(DNS_ZONE_VALID(zone));

  LOCK_ZONE(zone);
  result = dns_zone_setstring(zone, &zone->journal, myjournal);
  UNLOCK_ZONE(zone);

  return (result);
}

char *
dns_zone_getjournal(dns_zone_t *zone) {
  REQUIRE(DNS_ZONE_VALID(zone));

  return (zone->journal);
}

/*
 * Return true iff the zone is "dynamic", in the sense that the zone's
 * master file (if any) is written by the server, rather than being
 * updated manually and read by the server.
 *
 * This is true for secondary zones, mirror zones, stub zones, key zones,
 * and zones that allow dynamic updates either by having an update
 * policy ("ssutable") or an "allow-update" ACL with a value other than
 * exactly "{ none; }".
 */
bool
dns_zone_isdynamic(dns_zone_t *zone, bool ignore_freeze) {
  REQUIRE(DNS_ZONE_VALID(zone));

  if (zone->type == dns_zone_secondary || zone->type == dns_zone_mirror ||
      zone->type == dns_zone_stub || zone->type == dns_zone_key ||
      (zone->type == dns_zone_redirect &&
       dns_remote_addresses(&zone->primaries) != NULL))
  {
    return (true);
  }

  /* Inline zones are always dynamic. */
  if (zone->type == dns_zone_primary && zone->raw != NULL) {
    return (true);
  }

  /* If !ignore_freeze, we need check whether updates are disabled.  */
  if (zone->type == dns_zone_primary &&
      (!zone->update_disabled || ignore_freeze) &&
      ((zone->ssutable != NULL) ||
       (zone->update_acl != NULL && !dns_acl_isnone(zone->update_acl))))
  {
    return (true);
  }

  return (false);
}

/*
 * Set the response policy index and information for a zone.
 */
isc_result_t
dns_zone_rpz_enable(dns_zone_t *zone, dns_rpz_zones_t *rpzs,
        dns_rpz_num_t rpz_num) {
  /*
   * Only RBTDB zones can be used for response policy zones,
   * because only they have the code to create the summary data.
   * Only zones that are loaded instead of mmap()ed create the
   * summary data and so can be policy zones.
   */
  if (strcmp(zone->db_argv[0], "rbt") != 0) {
    return (ISC_R_NOTIMPLEMENTED);
  }

  /*
   * This must happen only once or be redundant.
   */
  LOCK_ZONE(zone);
  if (zone->rpzs != NULL) {
    REQUIRE(zone->rpzs == rpzs && zone->rpz_num == rpz_num);
  } else {
    REQUIRE(zone->rpz_num == DNS_RPZ_INVALID_NUM);
    dns_rpz_zones_attach(rpzs, &zone->rpzs);
    zone->rpz_num = rpz_num;
  }
  rpzs->defined |= DNS_RPZ_ZBIT(rpz_num);
  UNLOCK_ZONE(zone);

  return (ISC_R_SUCCESS);
}

dns_rpz_num_t
dns_zone_get_rpz_num(dns_zone_t *zone) {
  return (zone->rpz_num);
}

/*
 * If a zone is a response policy zone, mark its new database.
 */
void
dns_zone_rpz_enable_db(dns_zone_t *zone, dns_db_t *db) {
  if (zone->rpz_num == DNS_RPZ_INVALID_NUM) {
    return;
  }
  REQUIRE(zone->rpzs != NULL);
  dns_rpz_dbupdate_register(db, zone->rpzs->zones[zone->rpz_num]);
}

static void
dns_zone_rpz_disable_db(dns_zone_t *zone, dns_db_t *db) {
  if (zone->rpz_num == DNS_RPZ_INVALID_NUM) {
    return;
  }
  REQUIRE(zone->rpzs != NULL);
  dns_rpz_dbupdate_unregister(db, zone->rpzs->zones[zone->rpz_num]);
}

/*
 * If a zone is a catalog zone, attach it to update notification in database.
 */
void
dns_zone_catz_enable_db(dns_zone_t *zone, dns_db_t *db) {
  REQUIRE(DNS_ZONE_VALID(zone));
  REQUIRE(db != NULL);

  if (zone->catzs != NULL) {
    dns_catz_dbupdate_register(db, zone->catzs);
  }
}

static void
dns_zone_catz_disable_db(dns_zone_t *zone, dns_db_t *db) {
  REQUIRE(DNS_ZONE_VALID(zone));
  REQUIRE(db != NULL);

  if (zone->catzs != NULL) {
    dns_catz_dbupdate_unregister(db, zone->catzs);
  }
}

static void
zone_catz_enable(dns_zone_t *zone, dns_catz_zones_t *catzs) {
  REQUIRE(DNS_ZONE_VALID(zone));
  REQUIRE(catzs != NULL);

  INSIST(zone->catzs == NULL || zone->catzs == catzs);
  dns_catz_catzs_set_view(catzs, zone->view);
  if (zone->catzs == NULL) {
    dns_catz_zones_attach(catzs, &zone->catzs);
  }
}

void
dns_zone_catz_enable(dns_zone_t *zone, dns_catz_zones_t *catzs) {
  REQUIRE(DNS_ZONE_VALID(zone));

  LOCK_ZONE(zone);
  zone_catz_enable(zone, catzs);
  UNLOCK_ZONE(zone);
}

static void
zone_catz_disable(dns_zone_t *zone) {
  REQUIRE(DNS_ZONE_VALID(zone));

  if (zone->catzs != NULL) {
    if (zone->db != NULL) {
      dns_zone_catz_disable_db(zone, zone->db);
    }
    dns_catz_zones_detach(&zone->catzs);
  }
}

void
dns_zone_catz_disable(dns_zone_t *zone) {
  REQUIRE(DNS_ZONE_VALID(zone));

  LOCK_ZONE(zone);
  zone_catz_disable(zone);
  UNLOCK_ZONE(zone);
}

bool
dns_zone_catz_is_enabled(dns_zone_t *zone) {
  REQUIRE(DNS_ZONE_VALID(zone));

  return (zone->catzs != NULL);
}

/*
 * Set catalog zone ownership of the zone
 */
void
dns_zone_set_parentcatz(dns_zone_t *zone, dns_catz_zone_t *catz) {
  REQUIRE(DNS_ZONE_VALID(zone));
  REQUIRE(catz != NULL);
  LOCK_ZONE(zone);
  INSIST(zone->parentcatz == NULL || zone->parentcatz == catz);
  zone->parentcatz = catz;
  UNLOCK_ZONE(zone);
}

dns_catz_zone_t *
dns_zone_get_parentcatz(dns_zone_t *zone) {
  REQUIRE(DNS_ZONE_VALID(zone));

  dns_catz_zone_t *parentcatz = NULL;

  LOCK_ZONE(zone);
  parentcatz = zone->parentcatz;
  UNLOCK_ZONE(zone);

  return (parentcatz);
}

static bool
zone_touched(dns_zone_t *zone) {
  isc_result_t result;
  isc_time_t modtime;
  dns_include_t *include;

  REQUIRE(DNS_ZONE_VALID(zone));

  result = isc_file_getmodtime(zone->masterfile, &modtime);
  if (result != ISC_R_SUCCESS ||
      isc_time_compare(&modtime, &zone->loadtime) > 0)
  {
    return (true);
  }

  for (include = ISC_LIST_HEAD(zone->includes); include != NULL;
       include = ISC_LIST_NEXT(include, link))
  {
    result = isc_file_getmodtime(include->name, &modtime);
    if (result != ISC_R_SUCCESS ||
        isc_time_compare(&modtime, &include->filetime) > 0)
    {
      return (true);
    }
  }

  return (false);
}

/*
 * Note: when dealing with inline-signed zones, external callers will always
 * call zone_load() for the secure zone; zone_load() calls itself recursively
 * in order to load the raw zone.
 */
static isc_result_t
zone_load(dns_zone_t *zone, unsigned int flags, bool locked) {
  isc_result_t result;
  isc_time_t now;
  isc_time_t loadtime;
  dns_db_t *db = NULL;
  bool rbt, hasraw, is_dynamic;

  REQUIRE(DNS_ZONE_VALID(zone));

  if (!locked) {
    LOCK_ZONE(zone);
  }

  INSIST(zone != zone->raw);
  hasraw = inline_secure(zone);
  if (hasraw) {
    /*
     * We are trying to load an inline-signed zone.  First call
     * self recursively to try loading the raw version of the zone.
     * Assuming the raw zone file is readable, there are two
     * possibilities:
     *
     *  a) the raw zone was not yet loaded and thus it will be
     *     loaded now, synchronously; if this succeeds, a
     *     subsequent attempt to load the signed zone file will
     *     take place and thus zone_postload() will be called
     *     twice: first for the raw zone and then for the secure
     *     zone; the latter call will take care of syncing the raw
     *     version with the secure version,
     *
     *  b) the raw zone was already loaded and we are trying to
     *     reload it, which will happen asynchronously; this means
     *     zone_postload() will only be called for the raw zone
     *     because "result" returned by the zone_load() call below
     *     will not be ISC_R_SUCCESS but rather DNS_R_CONTINUE;
     *     zone_postload() called for the raw zone will take care
     *     of syncing the raw version with the secure version.
     */
    result = zone_load(zone->raw, flags, false);
    if (result != ISC_R_SUCCESS) {
      if (!locked) {
        UNLOCK_ZONE(zone);
      }
      return (result);
    }
    LOCK_ZONE(zone->raw);
  }

  now = isc_time_now();

  INSIST(zone->type != dns_zone_none);

  if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADING)) {
    if ((flags & DNS_ZONELOADFLAG_THAW) != 0) {
      DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_THAW);
    }
    result = DNS_R_CONTINUE;
    goto cleanup;
  }

  INSIST(zone->db_argc >= 1);

  rbt = strcmp(zone->db_argv[0], "rbt") == 0;

  if (zone->db != NULL && zone->masterfile == NULL && rbt) {
    /*
     * The zone has no master file configured.
     */
    result = ISC_R_SUCCESS;
    goto cleanup;
  }

  is_dynamic = dns_zone_isdynamic(zone, false);
  if (zone->db != NULL && is_dynamic) {
    /*
     * This is a secondary, stub, or dynamically updated zone
     * being reloaded.  Do nothing - the database we already
     * have is guaranteed to be up-to-date.
     */
    if (zone->type == dns_zone_primary && !hasraw) {
      result = DNS_R_DYNAMIC;
    } else {
      result = ISC_R_SUCCESS;
    }
    goto cleanup;
  }

  /*
   * Store the current time before the zone is loaded, so that if the
   * file changes between the time of the load and the time that
   * zone->loadtime is set, then the file will still be reloaded
   * the next time dns_zone_load is called.
   */
  loadtime = isc_time_now();

  /*
   * Don't do the load if the file that stores the zone is older
   * than the last time the zone was loaded.  If the zone has not
   * been loaded yet, zone->loadtime will be the epoch.
   */
  if (zone->masterfile != NULL) {
    isc_time_t filetime;

    /*
     * The file is already loaded.  If we are just doing a
     * "rndc reconfig", we are done.
     */
    if (!isc_time_isepoch(&zone->loadtime) &&
        (flags & DNS_ZONELOADFLAG_NOSTAT) != 0)
    {
      result = ISC_R_SUCCESS;
      goto cleanup;
    }

    if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) &&
        !zone_touched(zone))
    {
      dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
              ISC_LOG_DEBUG(1),
              "skipping load: master file "
              "older than last load");
      result = DNS_R_UPTODATE;
      goto cleanup;
    }

    /*
     * If the file modification time is in the past
     * set loadtime to that value.
     */
    result = isc_file_getmodtime(zone->masterfile, &filetime);
    if (result == ISC_R_SUCCESS &&
        isc_time_compare(&loadtime, &filetime) > 0)
    {
      loadtime = filetime;
    }
  }

  /*
   * Built in zones (with the exception of empty zones) don't need
   * to be reloaded.
   */
  if (zone->type == dns_zone_primary &&
      strcmp(zone->db_argv[0], "_builtin") == 0 &&
      (zone->db_argc < 2 || strcmp(zone->db_argv[1], "empty") != 0) &&
      DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED))
  {
    result = ISC_R_SUCCESS;
    goto cleanup;
  }

  /*
   * Zones associated with a DLZ don't need to be loaded either,
   * but we need to associate the database with the zone object.
   */
  if (strcmp(zone->db_argv[0], "dlz") == 0) {
    dns_dlzdb_t *dlzdb;
    dns_dlzfindzone_t findzone;

    for (dlzdb = ISC_LIST_HEAD(zone->view->dlz_unsearched);
         dlzdb != NULL; dlzdb = ISC_LIST_NEXT(dlzdb, link))
    {
      INSIST(DNS_DLZ_VALID(dlzdb));
      if (strcmp(zone->db_argv[1], dlzdb->dlzname) == 0) {
        break;
      }
    }

    if (dlzdb == NULL) {
      dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
              ISC_LOG_ERROR,
              "DLZ %s does not exist or is set "
              "to 'search yes;'",
              zone->db_argv[1]);
      result = ISC_R_NOTFOUND;
      goto cleanup;
    }

    ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_write);
    /* ask SDLZ driver if the zone is supported */
    findzone = dlzdb->implementation->methods->findzone;
    result = (*findzone)(dlzdb->implementation->driverarg,
             dlzdb->dbdata, dlzdb->mctx,
             zone->view->rdclass, &zone->origin, NULL,
             NULL, &db);
    if (result != ISC_R_NOTFOUND) {
      if (zone->db != NULL) {
        zone_detachdb(zone);
      }
      zone_attachdb(zone, db);
      dns_db_detach(&db);
      result = ISC_R_SUCCESS;
    }
    ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write);

    if (result == ISC_R_SUCCESS) {
      if (dlzdb->configure_callback == NULL) {
        goto cleanup;
      }

      result = (*dlzdb->configure_callback)(zone->view, dlzdb,
                    zone);
      if (result != ISC_R_SUCCESS) {
        dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
                ISC_LOG_ERROR,
                "DLZ configuration callback: %s",
                isc_result_totext(result));
      }
    }
    goto cleanup;
  }

  if ((zone->type == dns_zone_secondary ||
       zone->type == dns_zone_mirror || zone->type == dns_zone_stub ||
       (zone->type == dns_zone_redirect &&
        dns_remote_addresses(&zone->primaries) != NULL)) &&
      rbt)
  {
    if (zone->stream == NULL &&
        (zone->masterfile == NULL ||
         !isc_file_exists(zone->masterfile)))
    {
      if (zone->masterfile != NULL) {
        dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
                ISC_LOG_DEBUG(1),
                "no master file");
      }
      zone->refreshtime = now;
      if (zone->loop != NULL) {
        zone_settimer(zone, &now);
      }
      result = ISC_R_SUCCESS;
      goto cleanup;
    }
  }

  dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, ISC_LOG_DEBUG(1),
          "starting load");

  result = dns_db_create(zone->mctx, zone->db_argv[0], &zone->origin,
             (zone->type == dns_zone_stub) ? dns_dbtype_stub
                   : dns_dbtype_zone,
             zone->rdclass, zone->db_argc - 1,
             zone->db_argv + 1, &db);

  if (result != ISC_R_SUCCESS) {
    dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, ISC_LOG_ERROR,
            "loading zone: creating database: %s",
            isc_result_totext(result));
    goto cleanup;
  }
  dns_db_setloop(db, zone->loop);

  if (zone->type == dns_zone_primary ||
      zone->type == dns_zone_secondary || zone->type == dns_zone_mirror)
  {
    result = dns_db_setgluecachestats(db, zone->gluecachestats);
    if (result == ISC_R_NOTIMPLEMENTED) {
      result = ISC_R_SUCCESS;
    }
    if (result != ISC_R_SUCCESS) {
      goto cleanup;
    }
  }

  if (!dns_db_ispersistent(db)) {
    if (zone->masterfile != NULL || zone->stream != NULL) {
      result = zone_startload(db, zone, loadtime);
    } else {
      result = DNS_R_NOMASTERFILE;
      if (zone->type == dns_zone_primary ||
          (zone->type == dns_zone_redirect &&
           dns_remote_addresses(&zone->primaries) == NULL))
      {
        dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
                ISC_LOG_ERROR,
                "loading zone: "
                "no master file configured");
        goto cleanup;
      }
      dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
              ISC_LOG_INFO,
              "loading zone: "
              "no master file configured: continuing");
    }
  }

  if (result == DNS_R_CONTINUE) {
    DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADING);
    if ((flags & DNS_ZONELOADFLAG_THAW) != 0) {
      DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_THAW);
    }
    goto cleanup;
  }

  result = zone_postload(zone, db, loadtime, result);

cleanup:
  if (hasraw) {
    UNLOCK_ZONE(zone->raw);
  }
  if (!locked) {
    UNLOCK_ZONE(zone);
  }
  if (db != NULL) {
    dns_db_detach(&db);
  }
  return (result);
}

isc_result_t
dns_zone_load(dns_zone_t *zone, bool newonly) {
  return (zone_load(zone, newonly ? DNS_ZONELOADFLAG_NOSTAT : 0, false));
}

static void
zone_asyncload(void *arg) {
  dns_asyncload_t *asl = arg;
  dns_zone_t *zone = asl->zone;
  isc_result_t result;

  REQUIRE(DNS_ZONE_VALID(zone));

  LOCK_ZONE(zone);
  result = zone_load(zone, asl->flags, true);
  if (result != DNS_R_CONTINUE) {
    DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_LOADPENDING);
  }
  UNLOCK_ZONE(zone);

  /* Inform the zone table we've finished loading */
  if (asl->loaded != NULL) {
    asl->loaded(asl->loaded_arg);
  }

  isc_mem_put(zone->mctx, asl, sizeof(*asl));
  dns_zone_idetach(&zone);
}

isc_result_t
dns_zone_asyncload(dns_zone_t *zone, bool newonly, dns_zt_callback_t *done,
       void *arg) {
  dns_asyncload_t *asl = NULL;

  REQUIRE(DNS_ZONE_VALID(zone));

  if (zone->zmgr == NULL) {
    return (ISC_R_FAILURE);
  }

  /* If we already have a load pending, stop now */
  LOCK_ZONE(zone);
  if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADPENDING)) {
    UNLOCK_ZONE(zone);
    return (ISC_R_ALREADYRUNNING);
  }

  asl = isc_mem_get(zone->mctx, sizeof(*asl));

  asl->zone = NULL;
  asl->flags = newonly ? DNS_ZONELOADFLAG_NOSTAT : 0;
  asl->loaded = done;
  asl->loaded_arg = arg;

  zone_iattach(zone, &asl->zone);
  DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADPENDING);
  isc_async_run(zone->loop, zone_asyncload, asl);
  UNLOCK_ZONE(zone);

  return (ISC_R_SUCCESS);
}

bool
dns__zone_loadpending(dns_zone_t *zone) {
  REQUIRE(DNS_ZONE_VALID(zone));

  return (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADPENDING));
}

isc_result_t
dns_zone_loadandthaw(dns_zone_t *zone) {
  isc_result_t result;

  if (inline_raw(zone)) {
    result = zone_load(zone->secure, DNS_ZONELOADFLAG_THAW, false);
  } else {
    /*
     * When thawing a zone, we don't know what changes
     * have been made. If we do DNSSEC maintenance on this
     * zone, schedule a full sign for this zone.
     */
    if (zone->type == dns_zone_primary &&
        DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_MAINTAIN))
    {
      DNS_ZONEKEY_SETOPTION(zone, DNS_ZONEKEY_FULLSIGN);
    }
    result = zone_load(zone, DNS_ZONELOADFLAG_THAW, false);
  }

  switch (result) {
  case DNS_R_CONTINUE:
    /* Deferred thaw. */
    break;
  case DNS_R_UPTODATE:
  case ISC_R_SUCCESS:
  case DNS_R_SEENINCLUDE:
    zone->update_disabled = false;
    break;
  case DNS_R_NOMASTERFILE:
    zone->update_disabled = false;
    break;
  default:
    /* Error, remain in disabled state. */
    break;
  }
  return (result);
}

static unsigned int
get_primary_options(dns_zone_t *zone) {
  unsigned int options;

  options = DNS_MASTER_ZONE | DNS_MASTER_RESIGN;
  if (zone->type == dns_zone_secondary || zone->type == dns_zone_mirror ||
      (zone->type == dns_zone_redirect &&
       dns_remote_addresses(&zone->primaries) == NULL))
  {
    options |= DNS_MASTER_SECONDARY;
  }
  if (zone->type == dns_zone_key) {
    options |= DNS_MASTER_KEY;
  }
  if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNS)) {
    options |= DNS_MASTER_CHECKNS;
  }
  if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_FATALNS)) {
    options |= DNS_MASTER_FATALNS;
  }
  if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNAMES)) {
    options |= DNS_MASTER_CHECKNAMES;
  }
  if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNAMESFAIL)) {
    options |= DNS_MASTER_CHECKNAMESFAIL;
  }
  if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKMX)) {
    options |= DNS_MASTER_CHECKMX;
  }
  if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKMXFAIL)) {
    options |= DNS_MASTER_CHECKMXFAIL;
  }
  if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKWILDCARD)) {
    options |= DNS_MASTER_CHECKWILDCARD;
  }
  if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKTTL)) {
    options |= DNS_MASTER_CHECKTTL;
  }
  if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKSVCB)) {
    options |= DNS_MASTER_CHECKSVCB;
  }

  return (options);
}

static void
zone_registerinclude(const char *filename, void *arg) {
  isc_result_t result;
  dns_zone_t *zone = (dns_zone_t *)arg;
  dns_include_t *inc = NULL;

  REQUIRE(DNS_ZONE_VALID(zone));

  if (filename == NULL) {
    return;
  }

  /*
   * Suppress duplicates.
   */
  for (inc = ISC_LIST_HEAD(zone->newincludes); inc != NULL;
       inc = ISC_LIST_NEXT(inc, link))
  {
    if (strcmp(filename, inc->name) == 0) {
      return;
    }
  }

  inc = isc_mem_get(zone->mctx, sizeof(dns_include_t));
  inc->name = isc_mem_strdup(zone->mctx, filename);
  ISC_LINK_INIT(inc, link);

  result = isc_file_getmodtime(filename, &inc->filetime);
  if (result != ISC_R_SUCCESS) {
    isc_time_settoepoch(&inc->filetime);
  }

  ISC_LIST_APPEND(zone->newincludes, inc, link);
}

static void
get_raw_serial(dns_zone_t *raw, dns_masterrawheader_t *rawdata) {
  isc_result_t result;
  unsigned int soacount;

  LOCK(&raw->lock);
  if (raw->db != NULL) {
    result = zone_get_from_db(raw, raw->db, NULL, &soacount, NULL,
            &rawdata->sourceserial, NULL, NULL,
            NULL, NULL, NULL);
    if (result == ISC_R_SUCCESS && soacount > 0U) {
      rawdata->flags |= DNS_MASTERRAW_SOURCESERIALSET;
    }
  }
  UNLOCK(&raw->lock);
}

/*
 * Save the raw serial number for inline-signing zones.
 * (XXX: Other information from the header will be used
 * for other purposes in the future, but for now this is
 * all we're interested in.)
 */
static void
zone_setrawdata(dns_zone_t *zone, dns_masterrawheader_t *header) {
  if ((header->flags & DNS_MASTERRAW_SOURCESERIALSET) == 0) {
    return;
  }

  zone->sourceserial = header->sourceserial;
  zone->sourceserialset = true;
}

void
dns_zone_setrawdata(dns_zone_t *zone, dns_masterrawheader_t *header) {
  if (zone == NULL) {
    return;
  }

  LOCK_ZONE(zone);
  zone_setrawdata(zone, header);
  UNLOCK_ZONE(zone);
}

static isc_result_t
zone_startload(dns_db_t *db, dns_zone_t *zone, isc_time_t loadtime) {
  isc_result_t result;
  isc_result_t tresult;
  unsigned int options;
  dns_load_t *load = isc_mem_get(zone->mctx, sizeof(*load));

  ENTER;

  *load = (dns_load_t){
    .loadtime = loadtime,
  };

  dns_zone_rpz_enable_db(zone, db);
  dns_zone_catz_enable_db(zone, db);

  options = get_primary_options(zone);
  if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_MANYERRORS)) {
    options |= DNS_MASTER_MANYERRORS;
  }

  zone_iattach(zone, &load->zone);
  dns_db_attach(db, &load->db);

  dns_rdatacallbacks_init(&load->callbacks);
  load->callbacks.rawdata = zone_setrawdata;
  zone_iattach(zone, &load->callbacks.zone);

  result = dns_db_beginload(db, &load->callbacks);
  if (result != ISC_R_SUCCESS) {
    goto cleanup;
  }

  if (zone->zmgr != NULL && zone->db != NULL) {
    result = dns_master_loadfileasync(
      zone->masterfile, dns_db_origin(db), dns_db_origin(db),
      zone->rdclass, options, 0, &load->callbacks, zone->loop,
      zone_loaddone, load, &zone->loadctx,
      zone_registerinclude, zone, zone->mctx,
      zone->masterformat, zone->maxttl);
    if (result != ISC_R_SUCCESS) {
      goto cleanup;
    }

    return (DNS_R_CONTINUE);
  } else if (zone->stream != NULL) {
    FILE *stream = UNCONST(zone->stream);
    result = dns_master_loadstream(
      stream, &zone->origin, &zone->origin, zone->rdclass,
      options, &load->callbacks, zone->mctx);
  } else {
    result = dns_master_loadfile(
      zone->masterfile, &zone->origin, &zone->origin,
      zone->rdclass, options, 0, &load->callbacks,
      zone_registerinclude, zone, zone->mctx,
      zone->masterformat, zone->maxttl);
  }

cleanup:
  if (result != ISC_R_SUCCESS) {
    dns_zone_rpz_disable_db(zone, load->db);
    dns_zone_catz_disable_db(zone, load->db);
  }

  tresult = dns_db_endload(db, &load->callbacks);
  if (result == ISC_R_SUCCESS) {
    result = tresult;
  }

  zone_idetach(&load->callbacks.zone);
  dns_db_detach(&load->db);
  zone_idetach(&load->zone);

  isc_mem_put(zone->mctx, load, sizeof(*load));
  return (result);
}

static bool
zone_check_mx(dns_zone_t *zone, dns_db_t *db, dns_name_t *name,
        dns_name_t *owner) {
  isc_result_t result;
  char ownerbuf[DNS_NAME_FORMATSIZE];
  char namebuf[DNS_NAME_FORMATSIZE];
  char altbuf[DNS_NAME_FORMATSIZE];
  dns_fixedname_t fixed;
  dns_name_t *foundname;
  int level;

  /*
   * "." means the services does not exist.
   */
  if (dns_name_equal(name, dns_rootname)) {
    return (true);
  }

  /*
   * Outside of zone.
   */
  if (!dns_name_issubdomain(name, &zone->origin)) {
    if (zone->checkmx != NULL) {
      return ((zone->checkmx)(zone, name, owner));
    }
    return (true);
  }

  if (zone->type == dns_zone_primary) {
    level = ISC_LOG_ERROR;
  } else {
    level = ISC_LOG_WARNING;
  }

  foundname = dns_fixedname_initname(&fixed);

  result = dns_db_find(db, name, NULL, dns_rdatatype_a, 0, 0, NULL,
           foundname, NULL, NULL);
  if (result == ISC_R_SUCCESS) {
    return (true);
  }

  if (result == DNS_R_NXRRSET) {
    result = dns_db_find(db, name, NULL, dns_rdatatype_aaaa, 0, 0,
             NULL, foundname, NULL, NULL);
    if (result == ISC_R_SUCCESS) {
      return (true);
    }
  }

  dns_name_format(owner, ownerbuf, sizeof ownerbuf);
  dns_name_format(name, namebuf, sizeof namebuf);
  if (result == DNS_R_NXRRSET || result == DNS_R_NXDOMAIN ||
      result == DNS_R_EMPTYNAME)
  {
    if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKMXFAIL)) {
      level = ISC_LOG_WARNING;
    }
    dns_zone_log(zone, level,
           "%s/MX '%s' has no address records (A or AAAA)",
           ownerbuf, namebuf);
    return ((level == ISC_LOG_WARNING) ? true : false);
  }

  if (result == DNS_R_CNAME) {
    if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_WARNMXCNAME) ||
        DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNOREMXCNAME))
    {
      level = ISC_LOG_WARNING;
    }
    if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNOREMXCNAME)) {
      dns_zone_log(zone, level,
             "%s/MX '%s' is a CNAME (illegal)",
             ownerbuf, namebuf);
    }
    return ((level == ISC_LOG_WARNING) ? true : false);
  }

  if (result == DNS_R_DNAME) {
    if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_WARNMXCNAME) ||
        DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNOREMXCNAME))
    {
      level = ISC_LOG_WARNING;
    }
    if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNOREMXCNAME)) {
      dns_name_format(foundname, altbuf, sizeof altbuf);
      dns_zone_log(zone, level,
             "%s/MX '%s' is below a DNAME"
             " '%s' (illegal)",
             ownerbuf, namebuf, altbuf);
    }
    return ((level == ISC_LOG_WARNING) ? true : false);
  }

  if (zone->checkmx != NULL && result == DNS_R_DELEGATION) {
    return ((zone->checkmx)(zone, name, owner));
  }

  return (true);
}

static bool
zone_check_srv(dns_zone_t *zone, dns_db_t *db, dns_name_t *name,
         dns_name_t *owner) {
  isc_result_t result;
  char ownerbuf[DNS_NAME_FORMATSIZE];
  char namebuf[DNS_NAME_FORMATSIZE];
  char altbuf[DNS_NAME_FORMATSIZE];
  dns_fixedname_t fixed;
  dns_name_t *foundname;
  int level;

  /*
   * "." means the services does not exist.
   */
  if (dns_name_equal(name, dns_rootname)) {
    return (true);
  }

  /*
   * Outside of zone.
   */
  if (!dns_name_issubdomain(name, &zone->origin)) {
    if (zone->checksrv != NULL) {
      return ((zone->checksrv)(zone, name, owner));
    }
    return (true);
  }

  if (zone->type == dns_zone_primary) {
    level = ISC_LOG_ERROR;
  } else {
    level = ISC_LOG_WARNING;
  }

  foundname = dns_fixedname_initname(&fixed);

  result = dns_db_find(db, name, NULL, dns_rdatatype_a, 0, 0, NULL,
           foundname, NULL, NULL);
  if (result == ISC_R_SUCCESS) {
    return (true);
  }

  if (result == DNS_R_NXRRSET) {
    result = dns_db_find(db, name, NULL, dns_rdatatype_aaaa, 0, 0,
             NULL, foundname, NULL, NULL);
    if (result == ISC_R_SUCCESS) {
      return (true);
    }
  }

  dns_name_format(owner, ownerbuf, sizeof ownerbuf);
  dns_name_format(name, namebuf, sizeof namebuf);
  if (result == DNS_R_NXRRSET || result == DNS_R_NXDOMAIN ||
      result == DNS_R_EMPTYNAME)
  {
    dns_zone_log(zone, level,
           "%s/SRV '%s' has no address records (A or AAAA)",
           ownerbuf, namebuf);
    /* XXX950 make fatal for 9.5.0. */
    return (true);
  }

  if (result == DNS_R_CNAME) {
    if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_WARNSRVCNAME) ||
        DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNORESRVCNAME))
    {
      level = ISC_LOG_WARNING;
    }
    if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNORESRVCNAME)) {
      dns_zone_log(zone, level,
             "%s/SRV '%s' is a CNAME (illegal)",
             ownerbuf, namebuf);
    }
    return ((level == ISC_LOG_WARNING) ? true : false);
  }

  if (result == DNS_R_DNAME) {
    if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_WARNSRVCNAME) ||
        DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNORESRVCNAME))
    {
      level = ISC_LOG_WARNING;
    }
    if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNORESRVCNAME)) {
      dns_name_format(foundname, altbuf, sizeof altbuf);
      dns_zone_log(zone, level,
             "%s/SRV '%s' is below a "
             "DNAME '%s' (illegal)",
             ownerbuf, namebuf, altbuf);
    }
    return ((level == ISC_LOG_WARNING) ? true : false);
  }

  if (zone->checksrv != NULL && result == DNS_R_DELEGATION) {
    return ((zone->checksrv)(zone, name, owner));
  }

  return (true);
}

static bool
zone_check_glue(dns_zone_t *zone, dns_db_t *db, dns_name_t *name,
    dns_name_t *owner) {
  bool answer = true;
  isc_result_t result, tresult;
  char ownerbuf[DNS_NAME_FORMATSIZE];
  char namebuf[DNS_NAME_FORMATSIZE];
  char altbuf[DNS_NAME_FORMATSIZE];
  dns_fixedname_t fixed;
  dns_name_t *foundname;
  dns_rdataset_t a;
  dns_rdataset_t aaaa;
  int level;

  /*
   * Outside of zone.
   */
  if (!dns_name_issubdomain(name, &zone->origin)) {
    if (zone->checkns != NULL) {
      return ((zone->checkns)(zone, name, owner, NULL, NULL));
    }
    return (true);
  }

  if (zone->type == dns_zone_primary) {
    level = ISC_LOG_ERROR;
  } else {
    level = ISC_LOG_WARNING;
  }

  foundname = dns_fixedname_initname(&fixed);
  dns_rdataset_init(&a);
  dns_rdataset_init(&aaaa);

  /*
   * Perform a regular lookup to catch DNAME records then look
   * for glue.
   */
  result = dns_db_find(db, name, NULL, dns_rdatatype_a, 0, 0, NULL,
           foundname, &a, NULL);
  switch (result) {
  case ISC_R_SUCCESS:
  case DNS_R_DNAME:
  case DNS_R_CNAME:
    break;
  default:
    if (dns_rdataset_isassociated(&a)) {
      dns_rdataset_disassociate(&a);
    }
    result = dns_db_find(db, name, NULL, dns_rdatatype_a,
             DNS_DBFIND_GLUEOK, 0, NULL, foundname, &a,
             NULL);
  }
  if (result == ISC_R_SUCCESS) {
    dns_rdataset_disassociate(&a);
    return (true);
  } else if (result == DNS_R_DELEGATION) {
    dns_rdataset_disassociate(&a);
  }

  if (result == DNS_R_NXRRSET || result == DNS_R_DELEGATION ||
      result == DNS_R_GLUE)
  {
    tresult = dns_db_find(db, name, NULL, dns_rdatatype_aaaa,
              DNS_DBFIND_GLUEOK, 0, NULL, foundname,
              &aaaa, NULL);
    if (tresult == ISC_R_SUCCESS) {
      if (dns_rdataset_isassociated(&a)) {
        dns_rdataset_disassociate(&a);
      }
      dns_rdataset_disassociate(&aaaa);
      return (true);
    }
    if (tresult == DNS_R_DELEGATION || tresult == DNS_R_DNAME) {
      dns_rdataset_disassociate(&aaaa);
    }
    if (result == DNS_R_GLUE || tresult == DNS_R_GLUE) {
      /*
       * Check glue against child zone.
       */
      if (zone->checkns != NULL) {
        answer = (zone->checkns)(zone, name, owner, &a,
               &aaaa);
      }
      if (dns_rdataset_isassociated(&a)) {
        dns_rdataset_disassociate(&a);
      }
      if (dns_rdataset_isassociated(&aaaa)) {
        dns_rdataset_disassociate(&aaaa);
      }
      return (answer);
    }
  }

  dns_name_format(owner, ownerbuf, sizeof ownerbuf);
  dns_name_format(name, namebuf, sizeof namebuf);
  if (result == DNS_R_NXRRSET || result == DNS_R_NXDOMAIN ||
      result == DNS_R_EMPTYNAME || result == DNS_R_DELEGATION)
  {
    const char *what;
    bool required = false;
    if (dns_name_issubdomain(name, owner)) {
      what = "REQUIRED GLUE ";
      required = true;
    } else if (result == DNS_R_DELEGATION) {
      what = "SIBLING GLUE ";
    } else {
      what = "";
    }

    if (result != DNS_R_DELEGATION || required ||
        DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKSIBLING))
    {
      dns_zone_log(zone, level,
             "%s/NS '%s' has no %s"
             "address records (A or AAAA)",
             ownerbuf, namebuf, what);
      /*
       * Log missing address record.
       */
      if (result == DNS_R_DELEGATION && zone->checkns != NULL)
      {
        (void)(zone->checkns)(zone, name, owner, &a,
                  &aaaa);
      }
      /* XXX950 make fatal for 9.5.0. */
      /* answer = false; */
    }
  } else if (result == DNS_R_CNAME) {
    dns_zone_log(zone, level, "%s/NS '%s' is a CNAME (illegal)",
           ownerbuf, namebuf);
    /* XXX950 make fatal for 9.5.0. */
    /* answer = false; */
  } else if (result == DNS_R_DNAME) {
    dns_name_format(foundname, altbuf, sizeof altbuf);
    dns_zone_log(zone, level,
           "%s/NS '%s' is below a DNAME '%s' (illegal)",
           ownerbuf, namebuf, altbuf);
    /* XXX950 make fatal for 9.5.0. */
    /* answer = false; */
  }

  if (dns_rdataset_isassociated(&a)) {
    dns_rdataset_disassociate(&a);
  }
  if (dns_rdataset_isassociated(&aaaa)) {
    dns_rdataset_disassociate(&aaaa);
  }
  return (answer);
}

static bool
zone_rrset_check_dup(dns_zone_t *zone, dns_name_t *owner,
         dns_rdataset_t *rdataset) {
  dns_rdataset_t tmprdataset;
  isc_result_t result;
  bool answer = true;
  bool format = true;
  int level = ISC_LOG_WARNING;
  char ownerbuf[DNS_NAME_FORMATSIZE];
  char typebuf[DNS_RDATATYPE_FORMATSIZE];
  unsigned int count1 = 0;

  if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKDUPRRFAIL)) {
    level = ISC_LOG_ERROR;
  }

  dns_rdataset_init(&tmprdataset);
  for (result = dns_rdataset_first(rdataset); result == ISC_R_SUCCESS;
       result = dns_rdataset_next(rdataset))
  {
    dns_rdata_t rdata1 = DNS_RDATA_INIT;
    unsigned int count2 = 0;

    count1++;
    dns_rdataset_current(rdataset, &rdata1);
    dns_rdataset_clone(rdataset, &tmprdataset);
    for (result = dns_rdataset_first(&tmprdataset);
         result == ISC_R_SUCCESS;
         result = dns_rdataset_next(&tmprdataset))
    {
      dns_rdata_t rdata2 = DNS_RDATA_INIT;
      count2++;
      if (count1 >= count2) {
        continue;
      }
      dns_rdataset_current(&tmprdataset, &rdata2);
      if (dns_rdata_casecompare(&rdata1, &rdata2) == 0) {
        if (format) {
          dns_name_format(owner, ownerbuf,
              sizeof ownerbuf);
          dns_rdatatype_format(rdata1.type,
                   typebuf,
                   sizeof(typebuf));
          format = false;
        }
        dns_zone_log(zone, level,
               "%s/%s has "
               "semantically identical records",
               ownerbuf, typebuf);
        if (level == ISC_LOG_ERROR) {
          answer = false;
        }
        break;
      }
    }
    dns_rdataset_disassociate(&tmprdataset);
    if (!format) {
      break;
    }
  }
  return (answer);
}

static bool
zone_check_dup(dns_zone_t *zone, dns_db_t *db) {
  dns_dbiterator_t *dbiterator = NULL;
  dns_dbnode_t *node = NULL;
  dns_fixedname_t fixed;
  dns_name_t *name;
  dns_rdataset_t rdataset;
  dns_rdatasetiter_t *rdsit = NULL;
  bool ok = true;
  isc_result_t result;

  name = dns_fixedname_initname(&fixed);
  dns_rdataset_init(&rdataset);

  result = dns_db_createiterator(db, 0, &dbiterator);
  if (result != ISC_R_SUCCESS) {
    return (true);
  }

  for (result = dns_dbiterator_first(dbiterator); result == ISC_R_SUCCESS;
       result = dns_dbiterator_next(dbiterator))
  {
    result = dns_dbiterator_current(dbiterator, &node, name);
    if (result != ISC_R_SUCCESS) {
      continue;
    }

    result = dns_db_allrdatasets(db, node, NULL, 0, 0, &rdsit);
    if (result != ISC_R_SUCCESS) {
      continue;
    }

    for (result = dns_rdatasetiter_first(rdsit);
         result == ISC_R_SUCCESS;
         result = dns_rdatasetiter_next(rdsit))
    {
      dns_rdatasetiter_current(rdsit, &rdataset);
      if (!zone_rrset_check_dup(zone, name, &rdataset)) {
        ok = false;
      }
      dns_rdataset_disassociate(&rdataset);
    }
    dns_rdatasetiter_destroy(&rdsit);
    dns_db_detachnode(db, &node);
  }

  if (node != NULL) {
    dns_db_detachnode(db, &node);
  }
  dns_dbiterator_destroy(&dbiterator);

  return (ok);
}

static bool
isspf(const dns_rdata_t *rdata) {
  char buf[1024];
  const unsigned char *data = rdata->data;
  unsigned int rdl = rdata->length, i = 0, tl, len;

  while (rdl > 0U) {
    len = tl = *data;
    ++data;
    --rdl;
    INSIST(tl <= rdl);
    if (len > sizeof(buf) - i - 1) {
      len = sizeof(buf) - i - 1;
    }
    memmove(buf + i, data, len);
    i += len;
    data += tl;
    rdl -= tl;
  }

  if (i < 6U) {
    return (false);
  }

  buf[i] = 0;
  if (strncmp(buf, "v=spf1", 6) == 0 && (buf[6] == 0 || buf[6] == ' ')) {
    return (true);
  }
  return (false);
}

static bool
integrity_checks(dns_zone_t *zone, dns_db_t *db) {
  dns_dbiterator_t *dbiterator = NULL;
  dns_dbnode_t *node = NULL;
  dns_rdataset_t rdataset;
  dns_fixedname_t fixed;
  dns_fixedname_t fixedbottom;
  dns_rdata_mx_t mx;
  dns_rdata_ns_t ns;
  dns_rdata_in_srv_t srv;
  dns_rdata_t rdata;
  dns_name_t *name;
  dns_name_t *bottom;
  isc_result_t result;
  bool ok = true, have_spf, have_txt;
  int level;
  char namebuf[DNS_NAME_FORMATSIZE];

  name = dns_fixedname_initname(&fixed);
  bottom = dns_fixedname_initname(&fixedbottom);
  dns_rdataset_init(&rdataset);
  dns_rdata_init(&rdata);

  result = dns_db_createiterator(db, 0, &dbiterator);
  if (result != ISC_R_SUCCESS) {
    return (true);
  }

  result = dns_dbiterator_first(dbiterator);
  while (result == ISC_R_SUCCESS) {
    result = dns_dbiterator_current(dbiterator, &node, name);
    if (result != ISC_R_SUCCESS) {
      goto cleanup;
    }

    /*
     * Is this name visible in the zone?
     */
    if (!dns_name_issubdomain(name, &zone->origin) ||
        (dns_name_countlabels(bottom) > 0 &&
         dns_name_issubdomain(name, bottom)))
    {
      goto next;
    }

    dns_dbiterator_pause(dbiterator);

    /*
     * Don't check the NS records at the origin.
     */
    if (dns_name_equal(name, &zone->origin)) {
      goto checkfords;
    }

    result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_ns,
               0, 0, &rdataset, NULL);
    if (result != ISC_R_SUCCESS) {
      goto checkfords;
    }
    /*
     * Remember bottom of zone due to NS.
     */
    dns_name_copy(name, bottom);

    result = dns_rdataset_first(&rdataset);
    while (result == ISC_R_SUCCESS) {
      dns_rdataset_current(&rdataset, &rdata);
      result = dns_rdata_tostruct(&rdata, &ns, NULL);
      RUNTIME_CHECK(result == ISC_R_SUCCESS);
      if (!zone_check_glue(zone, db, &ns.name, name)) {
        ok = false;
      }
      dns_rdata_reset(&rdata);
      result = dns_rdataset_next(&rdataset);
    }
    dns_rdataset_disassociate(&rdataset);
    goto next;

  checkfords:
    result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_ds,
               0, 0, &rdataset, NULL);
    if (result != ISC_R_SUCCESS) {
      goto checkfordname;
    }
    dns_rdataset_disassociate(&rdataset);

    if (zone->type == dns_zone_primary) {
      level = ISC_LOG_ERROR;
      ok = false;
    } else {
      level = ISC_LOG_WARNING;
    }
    dns_name_format(name, namebuf, sizeof(namebuf));
    dns_zone_log(zone, level, "DS not at delegation point (%s)",
           namebuf);

  checkfordname:
    result = dns_db_findrdataset(db, node, NULL,
               dns_rdatatype_dname, 0, 0,
               &rdataset, NULL);
    if (result == ISC_R_SUCCESS) {
      /*
       * Remember bottom of zone due to DNAME.
       */
      dns_name_copy(name, bottom);
      dns_rdataset_disassociate(&rdataset);
    }

    result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_mx,
               0, 0, &rdataset, NULL);
    if (result != ISC_R_SUCCESS) {
      goto checksrv;
    }
    result = dns_rdataset_first(&rdataset);
    while (result == ISC_R_SUCCESS) {
      dns_rdataset_current(&rdataset, &rdata);
      result = dns_rdata_tostruct(&rdata, &mx, NULL);
      RUNTIME_CHECK(result == ISC_R_SUCCESS);
      if (!zone_check_mx(zone, db, &mx.mx, name)) {
        ok = false;
      }
      dns_rdata_reset(&rdata);
      result = dns_rdataset_next(&rdataset);
    }
    dns_rdataset_disassociate(&rdataset);

  checksrv:
    if (zone->rdclass != dns_rdataclass_in) {
      goto next;
    }
    result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_srv,
               0, 0, &rdataset, NULL);
    if (result != ISC_R_SUCCESS) {
      goto checkspf;
    }
    result = dns_rdataset_first(&rdataset);
    while (result == ISC_R_SUCCESS) {
      dns_rdataset_current(&rdataset, &rdata);
      result = dns_rdata_tostruct(&rdata, &srv, NULL);
      RUNTIME_CHECK(result == ISC_R_SUCCESS);
      if (!zone_check_srv(zone, db, &srv.target, name)) {
        ok = false;
      }
      dns_rdata_reset(&rdata);
      result = dns_rdataset_next(&rdataset);
    }
    dns_rdataset_disassociate(&rdataset);

  checkspf:
    /*
     * Check if there is a type SPF record without an
     * SPF-formatted type TXT record also being present.
     */
    if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKSPF)) {
      goto next;
    }
    if (zone->rdclass != dns_rdataclass_in) {
      goto next;
    }
    have_spf = have_txt = false;
    result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_spf,
               0, 0, &rdataset, NULL);
    if (result == ISC_R_SUCCESS) {
      dns_rdataset_disassociate(&rdataset);
      have_spf = true;
    }
    result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_txt,
               0, 0, &rdataset, NULL);
    if (result != ISC_R_SUCCESS) {
      goto notxt;
    }
    result = dns_rdataset_first(&rdataset);
    while (result == ISC_R_SUCCESS) {
      dns_rdataset_current(&rdataset, &rdata);
      have_txt = isspf(&rdata);
      dns_rdata_reset(&rdata);
      if (have_txt) {
        break;
      }
      result = dns_rdataset_next(&rdataset);
    }
    dns_rdataset_disassociate(&rdataset);

  notxt:
    if (have_spf && !have_txt) {
      dns_name_format(name, namebuf, sizeof(namebuf));
      dns_zone_log(zone, ISC_LOG_WARNING,
             "'%s' found type "
             "SPF record but no SPF TXT record found, "
             "add matching type TXT record",
             namebuf);
    }

  next:
    dns_db_detachnode(db, &node);
    result = dns_dbiterator_next(dbiterator);
  }

cleanup:
  if (node != NULL) {
    dns_db_detachnode(db, &node);
  }
  dns_dbiterator_destroy(&dbiterator);

  return (ok);
}

/*
 * OpenSSL verification of RSA keys with exponent 3 is known to be
 * broken prior OpenSSL 0.9.8c/0.9.7k.  Look for such keys and warn
 * if they are in use.
 */
static void
zone_check_dnskeys(dns_zone_t *zone, dns_db_t *db) {
  dns_dbnode_t *node = NULL;
  dns_dbversion_t *version = NULL;
  dns_rdata_dnskey_t dnskey;
  dns_rdata_t rdata = DNS_RDATA_INIT;
  dns_rdataset_t rdataset;
  isc_result_t result;

  result = dns_db_findnode(db, &zone->origin, false, &node);
  if (result != ISC_R_SUCCESS) {
    goto cleanup;
  }

  dns_db_currentversion(db, &version);
  dns_rdataset_init(&rdataset);
  result = dns_db_findrdataset(db, node, version, dns_rdatatype_dnskey,
             dns_rdatatype_none, 0, &rdataset, NULL);
  if (result != ISC_R_SUCCESS) {
    goto cleanup;
  }

  for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
       result = dns_rdataset_next(&rdataset))
  {
    dns_rdataset_current(&rdataset, &rdata);
    result = dns_rdata_tostruct(&rdata, &dnskey, NULL);
    INSIST(result == ISC_R_SUCCESS);

    /*
     * RFC 3110, section 4: Performance Considerations:
     *
     * A public exponent of 3 minimizes the effort needed to verify
     * a signature.  Use of 3 as the public exponent is weak for
     * confidentiality uses since, if the same data can be collected
     * encrypted under three different keys with an exponent of 3
     * then, using the Chinese Remainder Theorem [NETSEC], the
     * original plain text can be easily recovered.  If a key is
     * known to be used only for authentication, as is the case with
     * DNSSEC, then an exponent of 3 is acceptable.  However other
     * applications in the future may wish to leverage DNS
     * distributed keys for applications that do require
     * confidentiality.  For keys which might have such other uses,
     * a more conservative choice would be 65537 (F4, the fourth
     * fermat number).
     */
    if (dnskey.datalen > 1 && dnskey.data[0] == 1 &&
        dnskey.data[1] == 3 &&
        (dnskey.algorithm == DNS_KEYALG_RSAMD5 ||
         dnskey.algorithm == DNS_KEYALG_RSASHA1 ||
         dnskey.algorithm == DNS_KEYALG_NSEC3RSASHA1 ||
         dnskey.algorithm == DNS_KEYALG_RSASHA256 ||
         dnskey.algorithm == DNS_KEYALG_RSASHA512))
    {
      char algorithm[DNS_SECALG_FORMATSIZE];
      isc_region_t r;

      dns_rdata_toregion(&rdata, &r);
      dns_secalg_format(dnskey.algorithm, algorithm,
            sizeof(algorithm));

      dnssec_log(zone, ISC_LOG_WARNING,
           "weak %s (%u) key found (exponent=3, id=%u)",
           algorithm, dnskey.algorithm,
           dst_region_computeid(&r));
    }
    dns_rdata_reset(&rdata);
  }
  dns_rdataset_disassociate(&rdataset);

cleanup:
  if (node != NULL) {
    dns_db_detachnode(db, &node);
  }
  if (version != NULL) {
    dns_db_closeversion(db, &version, false);
  }
}

static void
resume_signingwithkey(dns_zone_t *zone) {
  dns_dbnode_t *node = NULL;
  dns_dbversion_t *version = NULL;
  dns_rdata_t rdata = DNS_RDATA_INIT;
  dns_rdataset_t rdataset;
  isc_result_t result;
  dns_db_t *db = NULL;

  ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
  if (zone->db != NULL) {
    dns_db_attach(zone->db, &db);
  }
  ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
  if (db == NULL) {
    goto cleanup;
  }

  result = dns_db_findnode(db, &zone->origin, false, &node);
  if (result != ISC_R_SUCCESS) {
    goto cleanup;
  }

  dns_db_currentversion(db, &version);
  dns_rdataset_init(&rdataset);
  result = dns_db_findrdataset(db, node, version, zone->privatetype,
             dns_rdatatype_none, 0, &rdataset, NULL);
  if (result != ISC_R_SUCCESS) {
    INSIST(!dns_rdataset_isassociated(&rdataset));
    goto cleanup;
  }

  for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
       result = dns_rdataset_next(&rdataset))
  {
    dns_rdataset_current(&rdataset, &rdata);
    if (rdata.length != 5 || rdata.data[0] == 0 ||
        rdata.data[4] != 0)
    {
      dns_rdata_reset(&rdata);
      continue;
    }

    result = zone_signwithkey(zone, rdata.data[0],
            (rdata.data[1] << 8) | rdata.data[2],
            rdata.data[3]);
    if (result != ISC_R_SUCCESS) {
      dnssec_log(zone, ISC_LOG_ERROR,
           "zone_signwithkey failed: %s",
           isc_result_totext(result));
    }
    dns_rdata_reset(&rdata);
  }
  dns_rdataset_disassociate(&rdataset);

cleanup:
  if (db != NULL) {
    if (node != NULL) {
      dns_db_detachnode(db, &node);
    }
    if (version != NULL) {
      dns_db_closeversion(db, &version, false);
    }
    dns_db_detach(&db);
  }
}

/*
 * Initiate adding/removing NSEC3 records belonging to the chain defined by the
 * supplied NSEC3PARAM RDATA.
 *
 * Zone must be locked by caller.
 */
static isc_result_t
zone_addnsec3chain(dns_zone_t *zone, dns_rdata_nsec3param_t *nsec3param) {
  dns_nsec3chain_t *nsec3chain, *current;
  dns_dbversion_t *version = NULL;
  bool nseconly = false, nsec3ok = false;
  isc_result_t result;
  isc_time_t now;
  unsigned int options = 0;
  char saltbuf[255 * 2 + 1];
  char flags[sizeof("INITIAL|REMOVE|CREATE|NONSEC|OPTOUT")];
  dns_db_t *db = NULL;

  ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
  if (zone->db != NULL) {
    dns_db_attach(zone->db, &db);
  }
  ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);

  if (db == NULL) {
    result = ISC_R_SUCCESS;
    goto cleanup;
  }

  /*
   * If this zone is not NSEC3-capable, attempting to remove any NSEC3
   * chain from it is pointless as it would not be possible for the
   * latter to exist in the first place.
   */
  dns_db_currentversion(db, &version);
  result = dns_nsec_nseconly(db, version, NULL, &nseconly);
  nsec3ok = (result == ISC_R_SUCCESS && !nseconly);
  dns_db_closeversion(db, &version, false);
  if (!nsec3ok && (nsec3param->flags & DNS_NSEC3FLAG_REMOVE) == 0) {
    result = ISC_R_SUCCESS;
    goto cleanup;
  }

  /*
   * Allocate and initialize structure preserving state of
   * adding/removing records belonging to this NSEC3 chain between
   * separate zone_nsec3chain() calls.
   */
  nsec3chain = isc_mem_get(zone->mctx, sizeof *nsec3chain);

  nsec3chain->magic = 0;
  nsec3chain->done = false;
  nsec3chain->db = NULL;
  nsec3chain->dbiterator = NULL;
  nsec3chain->nsec3param.common.rdclass = nsec3param->common.rdclass;
  nsec3chain->nsec3param.common.rdtype = nsec3param->common.rdtype;
  nsec3chain->nsec3param.hash = nsec3param->hash;
  nsec3chain->nsec3param.iterations = nsec3param->iterations;
  nsec3chain->nsec3param.flags = nsec3param->flags;
  nsec3chain->nsec3param.salt_length = nsec3param->salt_length;
  memmove(nsec3chain->salt, nsec3param->salt, nsec3param->salt_length);
  nsec3chain->nsec3param.salt = nsec3chain->salt;
  nsec3chain->seen_nsec = false;
  nsec3chain->delete_nsec = false;
  nsec3chain->save_delete_nsec = false;

  /*
   * Log NSEC3 parameters defined by supplied NSEC3PARAM RDATA.
   */
  if (nsec3param->flags == 0) {
    strlcpy(flags, "NONE", sizeof(flags));
  } else {
    flags[0] = '\0';
    if ((nsec3param->flags & DNS_NSEC3FLAG_REMOVE) != 0) {
      strlcat(flags, "REMOVE", sizeof(flags));
    }
    if ((nsec3param->flags & DNS_NSEC3FLAG_INITIAL) != 0) {
      if (flags[0] == '\0') {
        strlcpy(flags, "INITIAL", sizeof(flags));
      } else {
        strlcat(flags, "|INITIAL", sizeof(flags));
      }
    }
    if ((nsec3param->flags & DNS_NSEC3FLAG_CREATE) != 0) {
      if (flags[0] == '\0') {
        strlcpy(flags, "CREATE", sizeof(flags));
      } else {
        strlcat(flags, "|CREATE", sizeof(flags));
      }
    }
    if ((nsec3param->flags & DNS_NSEC3FLAG_NONSEC) != 0) {
      if (flags[0] == '\0') {
        strlcpy(flags, "NONSEC", sizeof(flags));
      } else {
        strlcat(flags, "|NONSEC", sizeof(flags));
      }
    }
    if ((nsec3param->flags & DNS_NSEC3FLAG_OPTOUT) != 0) {
      if (flags[0] == '\0') {
        strlcpy(flags, "OPTOUT", sizeof(flags));
      } else {
        strlcat(flags, "|OPTOUT", sizeof(flags));
      }
    }
  }
  result = dns_nsec3param_salttotext(nsec3param, saltbuf,
             sizeof(saltbuf));
  RUNTIME_CHECK(result == ISC_R_SUCCESS);
  dnssec_log(zone, ISC_LOG_INFO, "zone_addnsec3chain(%u,%s,%u,%s)",
       nsec3param->hash, flags, nsec3param->iterations, saltbuf);

  /*
   * If the NSEC3 chain defined by the supplied NSEC3PARAM RDATA is
   * currently being processed, interrupt its processing to avoid
   * simultaneously adding and removing records for the same NSEC3 chain.
   */
  for (current = ISC_LIST_HEAD(zone->nsec3chain); current != NULL;
       current = ISC_LIST_NEXT(current, link))
  {
    if ((current->db == db) &&
        (current->nsec3param.hash == nsec3param->hash) &&
        (current->nsec3param.iterations ==
         nsec3param->iterations) &&
        (current->nsec3param.salt_length ==
         nsec3param->salt_length) &&
        memcmp(current->nsec3param.salt, nsec3param->salt,
         nsec3param->salt_length) == 0)
    {
      current->done = true;
    }
  }

  /*
   * Attach zone database to the structure initialized above and create
   * an iterator for it with appropriate options in order to avoid
   * creating NSEC3 records for NSEC3 records.
   */
  dns_db_attach(db, &nsec3chain->db);
  if ((nsec3chain->nsec3param.flags & DNS_NSEC3FLAG_CREATE) != 0) {
    options = DNS_DB_NONSEC3;
  }
  result = dns_db_createiterator(nsec3chain->db, options,
               &nsec3chain->dbiterator);
  if (result == ISC_R_SUCCESS) {
    result = dns_dbiterator_first(nsec3chain->dbiterator);
  }
  if (result == ISC_R_SUCCESS) {
    /*
     * Database iterator initialization succeeded.  We are now
     * ready to kick off adding/removing records belonging to this
     * NSEC3 chain.  Append the structure initialized above to the
     * "nsec3chain" list for the zone and set the appropriate zone
     * timer so that zone_nsec3chain() is called as soon as
     * possible.
     */
    dns_dbiterator_pause(nsec3chain->dbiterator);
    ISC_LIST_INITANDAPPEND(zone->nsec3chain, nsec3chain, link);
    nsec3chain = NULL;
    if (isc_time_isepoch(&zone->nsec3chaintime)) {
      now = isc_time_now();
      zone->nsec3chaintime = now;
      if (zone->loop != NULL) {
        zone_settimer(zone, &now);
      }
    }
  }

  if (nsec3chain != NULL) {
    if (nsec3chain->db != NULL) {
      dns_db_detach(&nsec3chain->db);
    }
    if (nsec3chain->dbiterator != NULL) {
      dns_dbiterator_destroy(&nsec3chain->dbiterator);
    }
    isc_mem_put(zone->mctx, nsec3chain, sizeof *nsec3chain);
  }

cleanup:
  if (db != NULL) {
    dns_db_detach(&db);
  }
  return (result);
}

/*
 * Find private-type records at the zone apex which signal that an NSEC3 chain
 * should be added or removed.  For each such record, extract NSEC3PARAM RDATA
 * and pass it to zone_addnsec3chain().
 *
 * Zone must be locked by caller.
 */
static void
resume_addnsec3chain(dns_zone_t *zone) {
  dns_dbnode_t *node = NULL;
  dns_dbversion_t *version = NULL;
  dns_rdataset_t rdataset;
  isc_result_t result;
  dns_rdata_nsec3param_t nsec3param;
  bool nseconly = false, nsec3ok = false;
  dns_db_t *db = NULL;

  INSIST(LOCKED_ZONE(zone));

  if (zone->privatetype == 0) {
    return;
  }

  ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
  if (zone->db != NULL) {
    dns_db_attach(zone->db, &db);
  }
  ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
  if (db == NULL) {
    goto cleanup;
  }

  result = dns_db_findnode(db, &zone->origin, false, &node);
  if (result != ISC_R_SUCCESS) {
    goto cleanup;
  }

  dns_db_currentversion(db, &version);

  /*
   * In order to create NSEC3 chains we need the DNSKEY RRset at zone
   * apex to exist and contain no keys using NSEC-only algorithms.
   */
  result = dns_nsec_nseconly(db, version, NULL, &nseconly);
  nsec3ok = (result == ISC_R_SUCCESS && !nseconly);

  /*
   * Get the RRset containing all private-type records at the zone apex.
   */
  dns_rdataset_init(&rdataset);
  result = dns_db_findrdataset(db, node, version, zone->privatetype,
             dns_rdatatype_none, 0, &rdataset, NULL);
  if (result != ISC_R_SUCCESS) {
    INSIST(!dns_rdataset_isassociated(&rdataset));
    goto cleanup;
  }

  for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
       result = dns_rdataset_next(&rdataset))
  {
    unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
    dns_rdata_t rdata = DNS_RDATA_INIT;
    dns_rdata_t private = DNS_RDATA_INIT;

    dns_rdataset_current(&rdataset, &private);
    /*
     * Try extracting NSEC3PARAM RDATA from this private-type
     * record.  Failure means this private-type record does not
     * represent an NSEC3PARAM record, so skip it.
     */
    if (!dns_nsec3param_fromprivate(&private, &rdata, buf,
            sizeof(buf)))
    {
      continue;
    }
    result = dns_rdata_tostruct(&rdata, &nsec3param, NULL);
    RUNTIME_CHECK(result == ISC_R_SUCCESS);
    if (((nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0) ||
        ((nsec3param.flags & DNS_NSEC3FLAG_CREATE) != 0 && nsec3ok))
    {
      /*
       * Pass the NSEC3PARAM RDATA contained in this
       * private-type record to zone_addnsec3chain() so that
       * it can kick off adding or removing NSEC3 records.
       */
      result = zone_addnsec3chain(zone, &nsec3param);
      if (result != ISC_R_SUCCESS) {
        dnssec_log(zone, ISC_LOG_ERROR,
             "zone_addnsec3chain failed: %s",
             isc_result_totext(result));
      }
    }
  }
  dns_rdataset_disassociate(&rdataset);

cleanup:
  if (db != NULL) {
    if (node != NULL) {
      dns_db_detachnode(db, &node);
    }
    if (version != NULL) {
      dns_db_closeversion(db, &version, false);
    }
    dns_db_detach(&db);
  }
}

static void
set_resigntime(dns_zone_t *zone) {
  dns_rdataset_t rdataset;
  dns_fixedname_t fixed;
  unsigned int resign;
  isc_result_t result;
  uint32_t nanosecs;
  dns_db_t *db = NULL;

  INSIST(LOCKED_ZONE(zone));

  /* We only re-sign zones that can be dynamically updated */
  if (!dns_zone_isdynamic(zone, false)) {
    return;
  }

  if (inline_raw(zone)) {
    return;
  }

  dns_rdataset_init(&rdataset);
  dns_fixedname_init(&fixed);

  ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
  if (zone->db != NULL) {
    dns_db_attach(zone->db, &db);
  }
  ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
  if (db == NULL) {
    isc_time_settoepoch(&zone->resigntime);
    return;
  }

  result = dns_db_getsigningtime(db, &rdataset,
               dns_fixedname_name(&fixed));
  if (result != ISC_R_SUCCESS) {
    isc_time_settoepoch(&zone->resigntime);
    goto cleanup;
  }

  resign = rdataset.resign - dns_zone_getsigresigninginterval(zone);
  dns_rdataset_disassociate(&rdataset);
  nanosecs = isc_random_uniform(1000000000);
  isc_time_set(&zone->resigntime, resign, nanosecs);

cleanup:
  dns_db_detach(&db);
  return;
}

static isc_result_t
check_nsec3param(dns_zone_t *zone, dns_db_t *db) {
  bool ok = false;
  dns_dbnode_t *node = NULL;
  dns_dbversion_t *version = NULL;
  dns_rdata_nsec3param_t nsec3param;
  dns_rdataset_t rdataset;
  isc_result_t result;
  bool dynamic = (zone->type == dns_zone_primary)
             ? dns_zone_isdynamic(zone, false)
             : false;

  dns_rdataset_init(&rdataset);
  result = dns_db_findnode(db, &zone->origin, false, &node);
  if (result != ISC_R_SUCCESS) {
    dns_zone_log(zone, ISC_LOG_ERROR,
           "nsec3param lookup failure: %s",
           isc_result_totext(result));
    return (result);
  }
  dns_db_currentversion(db, &version);

  result = dns_db_findrdataset(db, node, version,
             dns_rdatatype_nsec3param,
             dns_rdatatype_none, 0, &rdataset, NULL);
  if (result == ISC_R_NOTFOUND) {
    INSIST(!dns_rdataset_isassociated(&rdataset));
    result = ISC_R_SUCCESS;
    goto cleanup;
  }
  if (result != ISC_R_SUCCESS) {
    INSIST(!dns_rdataset_isassociated(&rdataset));
    dns_zone_log(zone, ISC_LOG_ERROR,
           "nsec3param lookup failure: %s",
           isc_result_totext(result));
    goto cleanup;
  }

  for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
       result = dns_rdataset_next(&rdataset))
  {
    dns_rdata_t rdata = DNS_RDATA_INIT;

    dns_rdataset_current(&rdataset, &rdata);
    result = dns_rdata_tostruct(&rdata, &nsec3param, NULL);
    RUNTIME_CHECK(result == ISC_R_SUCCESS);

    /*
     * For dynamic zones we must support every algorithm so we
     * can regenerate all the NSEC3 chains.
     * For non-dynamic zones we only need to find a supported
     * algorithm.
     */
    if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_NSEC3TESTZONE) &&
        nsec3param.hash == DNS_NSEC3_UNKNOWNALG && !dynamic)
    {
      dns_zone_log(zone, ISC_LOG_WARNING,
             "nsec3 test \"unknown\" hash algorithm "
             "found: %u",
             nsec3param.hash);
      ok = true;
    } else if (!dns_nsec3_supportedhash(nsec3param.hash)) {
      if (dynamic) {
        dns_zone_log(zone, ISC_LOG_ERROR,
               "unsupported nsec3 hash algorithm"
               " in dynamic zone: %u",
               nsec3param.hash);
        result = DNS_R_BADZONE;
        /* Stop second error message. */
        ok = true;
        break;
      } else {
        dns_zone_log(zone, ISC_LOG_WARNING,
               "unsupported nsec3 hash "
               "algorithm: %u",
               nsec3param.hash);
      }
    } else {
      ok = true;
    }

    /*
     * Warn if the zone has excessive NSEC3 iterations.
     */
    if (nsec3param.iterations > dns_nsec3_maxiterations()) {
      dnssec_log(zone, ISC_LOG_WARNING,
           "excessive NSEC3PARAM iterations %u > %u",
           nsec3param.iterations,
           dns_nsec3_maxiterations());
    }
  }
  if (result == ISC_R_NOMORE) {
    result = ISC_R_SUCCESS;
  }

  if (!ok) {
    result = DNS_R_BADZONE;
    dns_zone_log(zone, ISC_LOG_ERROR,
           "no supported nsec3 hash algorithm");
  }

cleanup:
  if (dns_rdataset_isassociated(&rdataset)) {
    dns_rdataset_disassociate(&rdataset);
  }
  dns_db_closeversion(db, &version, false);
  dns_db_detachnode(db, &node);
  return (result);
}

/*
 * Set the timer for refreshing the key zone to the soonest future time
 * of the set (current timer, keydata->refresh, keydata->addhd,
 * keydata->removehd).
 */
static void
set_refreshkeytimer(dns_zone_t *zone, dns_rdata_keydata_t *key,
        isc_stdtime_t now, bool force) {
  isc_stdtime_t then;
  isc_time_t timenow, timethen;
  char timebuf[80];

  ENTER;
  then = key->refresh;
  if (force) {
    then = now;
  }
  if (key->addhd > now && key->addhd < then) {
    then = key->addhd;
  }
  if (key->removehd > now && key->removehd < then) {
    then = key->removehd;
  }

  timenow = isc_time_now();
  if (then > now) {
    DNS_ZONE_TIME_ADD(&timenow, then - now, &timethen);
  } else {
    timethen = timenow;
  }
  if (isc_time_compare(&zone->refreshkeytime, &timenow) < 0 ||
      isc_time_compare(&timethen, &zone->refreshkeytime) < 0)
  {
    zone->refreshkeytime = timethen;
  }

  isc_time_formattimestamp(&zone->refreshkeytime, timebuf, 80);
  dns_zone_log(zone, ISC_LOG_DEBUG(1), "next key refresh: %s", timebuf);
  zone_settimer(zone, &timenow);
}

/*
 * If keynode references a key or a DS rdataset, and if the key
 * zone does not contain a KEYDATA record for the corresponding name,
 * then create an empty KEYDATA and push it into the zone as a placeholder,
 * then schedule a key refresh immediately. This new KEYDATA record will be
 * updated during the refresh.
 *
 * If the key zone is changed, set '*changed' to true.
 */
static isc_result_t
create_keydata(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
         dns_diff_t *diff, dns_keynode_t *keynode, dns_name_t *keyname,
         bool *changed) {
  isc_result_t result = ISC_R_SUCCESS;
  dns_rdata_t rdata = DNS_RDATA_INIT;
  dns_rdata_keydata_t kd;
  unsigned char rrdata[4096];
  isc_buffer_t rrdatabuf;
  isc_stdtime_t now = isc_stdtime_now();

  REQUIRE(keynode != NULL);

  ENTER;

  /*
   * If the keynode has no trust anchor set, we shouldn't be here.
   */
  if (!dns_keynode_dsset(keynode, NULL)) {
    return (ISC_R_FAILURE);
  }

  memset(&kd, 0, sizeof(kd));
  kd.common.rdclass = zone->rdclass;
  kd.common.rdtype = dns_rdatatype_keydata;
  ISC_LINK_INIT(&kd.common, link);

  isc_buffer_init(&rrdatabuf, rrdata, sizeof(rrdata));

  CHECK(dns_rdata_fromstruct(&rdata, zone->rdclass, dns_rdatatype_keydata,
           &kd, &rrdatabuf));
  /* Add rdata to zone. */
  CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_ADD, keyname, 0, &rdata));
  *changed = true;

  /* Refresh new keys from the zone apex as soon as possible. */
  set_refreshkeytimer(zone, &kd, now, true);
  return (ISC_R_SUCCESS);

failure:
  return (result);
}

/*
 * Remove from the key zone all the KEYDATA records found in rdataset.
 */
static isc_result_t
delete_keydata(dns_db_t *db, dns_dbversion_t *ver, dns_diff_t *diff,
         dns_name_t *name, dns_rdataset_t *rdataset) {
  dns_rdata_t rdata = DNS_RDATA_INIT;
  isc_result_t result, uresult;

  for (result = dns_rdataset_first(rdataset); result == ISC_R_SUCCESS;
       result = dns_rdataset_next(rdataset))
  {
    dns_rdata_reset(&rdata);
    dns_rdataset_current(rdataset, &rdata);
    uresult = update_one_rr(db, ver, diff, DNS_DIFFOP_DEL, name, 0,
          &rdata);
    if (uresult != ISC_R_SUCCESS) {
      return (uresult);
    }
  }
  if (result == ISC_R_NOMORE) {
    result = ISC_R_SUCCESS;
  }
  return (result);
}

/*
 * Compute the DNSSEC key ID for a DNSKEY record.
 */
static isc_result_t
compute_tag(dns_name_t *name, dns_rdata_dnskey_t *dnskey, isc_mem_t *mctx,
      dns_keytag_t *tag) {
  isc_result_t result;
  dns_rdata_t rdata = DNS_RDATA_INIT;
  unsigned char data[4096];
  isc_buffer_t buffer;
  dst_key_t *dstkey = NULL;

  isc_buffer_init(&buffer, data, sizeof(data));
  dns_rdata_fromstruct(&rdata, dnskey->common.rdclass,
           dns_rdatatype_dnskey, dnskey, &buffer);

  result = dns_dnssec_keyfromrdata(name, &rdata, mctx, &dstkey);
  if (result == ISC_R_SUCCESS) {
    *tag = dst_key_id(dstkey);
    dst_key_free(&dstkey);
  }

  return (result);
}

/*
 * Synth-from-dnssec callbacks to add/delete names from namespace tree.
 */
static void
sfd_add(const dns_name_t *name, void *arg) {
  if (arg != NULL) {
    dns_view_sfd_add(arg, name);
  }
}

static void
sfd_del(const dns_name_t *name, void *arg) {
  if (arg != NULL) {
    dns_view_sfd_del(arg, name);
  }
}

/*
 * Add key to the security roots.
 */
static void
trust_key(dns_zone_t *zone, dns_name_t *keyname, dns_rdata_dnskey_t *dnskey,
    bool initial) {
  isc_result_t result;
  dns_rdata_t rdata = DNS_RDATA_INIT;
  unsigned char data[4096], digest[ISC_MAX_MD_SIZE];
  isc_buffer_t buffer;
  dns_keytable_t *sr = NULL;
  dns_rdata_ds_t ds;

  result = dns_view_getsecroots(zone->view, &sr);
  if (result != ISC_R_SUCCESS) {
    return;
  }

  /* Build DS record for key. */
  isc_buffer_init(&buffer, data, sizeof(data));
  dns_rdata_fromstruct(&rdata, dnskey->common.rdclass,
           dns_rdatatype_dnskey, dnskey, &buffer);
  CHECK(dns_ds_fromkeyrdata(keyname, &rdata, DNS_DSDIGEST_SHA256, digest,
          &ds));
  CHECK(dns_keytable_add(sr, true, initial, keyname, &ds, sfd_add,
             zone->view));

  dns_keytable_detach(&sr);

failure:
  if (sr != NULL) {
    dns_keytable_detach(&sr);
  }
  return;
}

/*
 * Add a null key to the security roots for so that all queries
 * to the zone will fail.
 */
static void
fail_secure(dns_zone_t *zone, dns_name_t *keyname) {
  isc_result_t result;
  dns_keytable_t *sr = NULL;

  result = dns_view_getsecroots(zone->view, &sr);
  if (result == ISC_R_SUCCESS) {
    dns_keytable_marksecure(sr, keyname);
    dns_keytable_detach(&sr);
  }
}

/*
 * Scan a set of KEYDATA records from the key zone.  The ones that are
 * valid (i.e., the add holddown timer has expired) become trusted keys.
 */
static void
load_secroots(dns_zone_t *zone, dns_name_t *name, dns_rdataset_t *rdataset) {
  isc_result_t result;
  dns_rdata_t rdata = DNS_RDATA_INIT;
  dns_rdata_keydata_t keydata;
  dns_rdata_dnskey_t dnskey;
  int trusted = 0, revoked = 0, pending = 0;
  isc_stdtime_t now = isc_stdtime_now();
  dns_keytable_t *sr = NULL;

  result = dns_view_getsecroots(zone->view, &sr);
  if (result == ISC_R_SUCCESS) {
    dns_keytable_delete(sr, name, sfd_del, zone->view);
    dns_keytable_detach(&sr);
  }

  /* Now insert all the accepted trust anchors from this keydata set. */
  for (result = dns_rdataset_first(rdataset); result == ISC_R_SUCCESS;
       result = dns_rdataset_next(rdataset))
  {
    dns_rdata_reset(&rdata);
    dns_rdataset_current(rdataset, &rdata);

    /* Convert rdata to keydata. */
    result = dns_rdata_tostruct(&rdata, &keydata, NULL);
    if (result == ISC_R_NOTIMPLEMENTED) {
      continue;
    }
    RUNTIME_CHECK(result == ISC_R_SUCCESS);

    /* Set the key refresh timer to force a fast refresh. */
    set_refreshkeytimer(zone, &keydata, now, true);

    /* If the removal timer is nonzero, this key was revoked. */
    if (keydata.removehd != 0) {
      revoked++;
      continue;
    }

    /*
     * If the add timer is still pending, this key is not
     * trusted yet.
     */
    if (now < keydata.addhd) {
      pending++;
      continue;
    }

    /* Convert keydata to dnskey. */
    dns_keydata_todnskey(&keydata, &dnskey, NULL);

    /* Add to keytables. */
    trusted++;
    trust_key(zone, name, &dnskey, (keydata.addhd == 0));
  }

  if (trusted == 0 && pending != 0) {
    char namebuf[DNS_NAME_FORMATSIZE];
    dns_name_format(name, namebuf, sizeof namebuf);
    dnssec_log(zone, ISC_LOG_ERROR,
         "No valid trust anchors for '%s'!", namebuf);
    dnssec_log(zone, ISC_LOG_ERROR,
         "%d key(s) revoked, %d still pending", revoked,
         pending);
    dnssec_log(zone, ISC_LOG_ERROR, "All queries to '%s' will fail",
         namebuf);
    fail_secure(zone, name);
  }
}

static isc_result_t
do_one_tuple(dns_difftuple_t **tuple, dns_db_t *db, dns_dbversion_t *ver,
       dns_diff_t *diff) {
  dns_diff_t temp_diff;
  isc_result_t result;

  /*
   * Create a singleton diff.
   */
  dns_diff_init(diff->mctx, &temp_diff);
  ISC_LIST_APPEND(temp_diff.tuples, *tuple, link);

  /*
   * Apply it to the database.
   */
  result = dns_diff_apply(&temp_diff, db, ver);
  ISC_LIST_UNLINK(temp_diff.tuples, *tuple, link);
  if (result != ISC_R_SUCCESS) {
    dns_difftuple_free(tuple);
    return (result);
  }

  /*
   * Merge it into the current pending journal entry.
   */
  dns_diff_appendminimal(diff, tuple);

  /*
   * Do not clear temp_diff.
   */
  return (ISC_R_SUCCESS);
}

static isc_result_t
update_one_rr(dns_db_t *db, dns_dbversion_t *ver, dns_diff_t *diff,
        dns_diffop_t op, dns_name_t *name, dns_ttl_t ttl,
        dns_rdata_t *rdata) {
  dns_difftuple_t *tuple = NULL;
  isc_result_t result;
  result = dns_difftuple_create(diff->mctx, op, name, ttl, rdata, &tuple);
  if (result != ISC_R_SUCCESS) {
    return (result);
  }
  return (do_one_tuple(&tuple, db, ver, diff));
}

static isc_result_t
update_soa_serial(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
      dns_diff_t *diff, isc_mem_t *mctx,
      dns_updatemethod_t method) {
  dns_difftuple_t *deltuple = NULL;
  dns_difftuple_t *addtuple = NULL;
  uint32_t serial;
  isc_result_t result;
  dns_updatemethod_t used = dns_updatemethod_none;

  INSIST(method != dns_updatemethod_none);

  CHECK(dns_db_createsoatuple(db, ver, mctx, DNS_DIFFOP_DEL, &deltuple));
  CHECK(dns_difftuple_copy(deltuple, &addtuple));
  addtuple->op = DNS_DIFFOP_ADD;

  serial = dns_soa_getserial(&addtuple->rdata);
  serial = dns_update_soaserial(serial, method, &used);
  if (method != used) {
    dns_zone_log(zone, ISC_LOG_WARNING,
           "update_soa_serial:new serial would be lower than "
           "old serial, using increment method instead");
  }
  dns_soa_setserial(serial, &addtuple->rdata);
  CHECK(do_one_tuple(&deltuple, db, ver, diff));
  CHECK(do_one_tuple(&addtuple, db, ver, diff));
  result = ISC_R_SUCCESS;

failure:
  if (addtuple != NULL) {
    dns_difftuple_free(&addtuple);
  }
  if (deltuple != NULL) {
    dns_difftuple_free(&deltuple);
  }
  return (result);
}

/*
 * Write all transactions in 'diff' to the zone journal file.
 */
static isc_result_t
zone_journal(dns_zone_t *zone, dns_diff_t *diff, uint32_t *sourceserial,
       const char *caller) {
  const char *journalfile;
  isc_result_t result = ISC_R_SUCCESS;
  dns_journal_t *journal = NULL;
  unsigned int mode = DNS_JOURNAL_CREATE | DNS_JOURNAL_WRITE;

  ENTER;
  journalfile = dns_zone_getjournal(zone);
  if (journalfile != NULL) {
    result = dns_journal_open(zone->mctx, journalfile, mode,
            &journal);
    if (result != ISC_R_SUCCESS) {
      dns_zone_log(zone, ISC_LOG_ERROR,
             "%s:dns_journal_open -> %s", caller,
             isc_result_totext(result));
      return (result);
    }

    if (sourceserial != NULL) {
      dns_journal_set_sourceserial(journal, *sourceserial);
    }

    result = dns_journal_write_transaction(journal, diff);
    if (result != ISC_R_SUCCESS) {
      dns_zone_log(zone, ISC_LOG_ERROR,
             "%s:dns_journal_write_transaction -> %s",
             caller, isc_result_totext(result));
    }
    dns_journal_destroy(&journal);
  }

  return (result);
}

/*
 * Create an SOA record for a newly-created zone
 */
static isc_result_t
add_soa(dns_zone_t *zone, dns_db_t *db) {
  isc_result_t result;
  dns_rdata_t rdata = DNS_RDATA_INIT;
  unsigned char buf[DNS_SOA_BUFFERSIZE];
  dns_dbversion_t *ver = NULL;
  dns_diff_t diff;

  dns_zone_log(zone, ISC_LOG_DEBUG(1), "creating SOA");

  dns_diff_init(zone->mctx, &diff);
  result = dns_db_newversion(db, &ver);
  if (result != ISC_R_SUCCESS) {
    dns_zone_log(zone, ISC_LOG_ERROR,
           "add_soa:dns_db_newversion -> %s",
           isc_result_totext(result));
    goto failure;
  }

  /* Build SOA record */
  result = dns_soa_buildrdata(&zone->origin, dns_rootname, zone->rdclass,
            0, 0, 0, 0, 0, buf, &rdata);
  if (result != ISC_R_SUCCESS) {
    dns_zone_log(zone, ISC_LOG_ERROR,
           "add_soa:dns_soa_buildrdata -> %s",
           isc_result_totext(result));
    goto failure;
  }

  result = update_one_rr(db, ver, &diff, DNS_DIFFOP_ADD, &zone->origin, 0,
             &rdata);

failure:
  dns_diff_clear(&diff);
  if (ver != NULL) {
    dns_db_closeversion(db, &ver, (result == ISC_R_SUCCESS));
  }

  INSIST(ver == NULL);

  return (result);
}

struct addifmissing_arg {
  dns_db_t *db;
  dns_dbversion_t *ver;
  dns_diff_t *diff;
  dns_zone_t *zone;
  bool *changed;
  isc_result_t result;
};

static void
addifmissing(dns_keytable_t *keytable, dns_keynode_t *keynode,
       dns_name_t *keyname, void *arg) {
  dns_db_t *db = ((struct addifmissing_arg *)arg)->db;
  dns_dbversion_t *ver = ((struct addifmissing_arg *)arg)->ver;
  dns_diff_t *diff = ((struct addifmissing_arg *)arg)->diff;
  dns_zone_t *zone = ((struct addifmissing_arg *)arg)->zone;
  bool *changed = ((struct addifmissing_arg *)arg)->changed;
  isc_result_t result;
  dns_fixedname_t fname;

  UNUSED(keytable);

  if (((struct addifmissing_arg *)arg)->result != ISC_R_SUCCESS) {
    return;
  }

  if (!dns_keynode_managed(keynode)) {
    return;
  }

  /*
   * If the keynode has no trust anchor set, return.
   */
  if (!dns_keynode_dsset(keynode, NULL)) {
    return;
  }

  /*
   * Check whether there's already a KEYDATA entry for this name;
   * if so, we don't need to add another.
   */
  dns_fixedname_init(&fname);
  result = dns_db_find(db, keyname, ver, dns_rdatatype_keydata,
           DNS_DBFIND_NOWILD, 0, NULL,
           dns_fixedname_name(&fname), NULL, NULL);
  if (result == ISC_R_SUCCESS) {
    return;
  }

  /*
   * Create the keydata.
   */
  result = create_keydata(zone, db, ver, diff, keynode, keyname, changed);
  if (result != ISC_R_SUCCESS && result != ISC_R_NOMORE) {
    ((struct addifmissing_arg *)arg)->result = result;
  }
}

/*
 * Synchronize the set of initializing keys found in managed-keys {}
 * statements with the set of trust anchors found in the managed-keys.bind
 * zone.  If a domain is no longer named in managed-keys, delete all keys
 * from that domain from the key zone.  If a domain is configured as an
 * initial-key in trust-anchors, but there are no references to it in the
 * key zone, load the key zone with the initializing key(s) for that
 * domain and schedule a key refresh. If a domain is configured as
 * an initial-ds in trust-anchors, fetch the DNSKEY RRset, load the key
 * zone with the matching key, and schedule a key refresh.
 */
static isc_result_t
sync_keyzone(dns_zone_t *zone, dns_db_t *db) {
  isc_result_t result = ISC_R_SUCCESS;
  bool changed = false;
  bool commit = false;
  dns_keynode_t *keynode = NULL;
  dns_view_t *view = zone->view;
  dns_keytable_t *sr = NULL;
  dns_dbversion_t *ver = NULL;
  dns_diff_t diff;
  dns_rriterator_t rrit;
  struct addifmissing_arg arg;

  dns_zone_log(zone, ISC_LOG_DEBUG(1), "synchronizing trusted keys");

  dns_diff_init(zone->mctx, &diff);

  CHECK(dns_view_getsecroots(view, &sr));

  result = dns_db_newversion(db, &ver);
  if (result != ISC_R_SUCCESS) {
    dnssec_log(zone, ISC_LOG_ERROR,
         "sync_keyzone:dns_db_newversion -> %s",
         isc_result_totext(result));
    goto failure;
  }

  /*
   * Walk the zone DB.  If we find any keys whose names are no longer
   * in trust-anchors, or which have been changed from initial to static,
   * (meaning they are permanent and not RFC5011-maintained), delete
   * them from the zone.  Otherwise call load_secroots(), which
   * loads keys into secroots as appropriate.
   */
  dns_rriterator_init(&rrit, db, ver, 0);
  for (result = dns_rriterator_first(&rrit); result == ISC_R_SUCCESS;
       result = dns_rriterator_nextrrset(&rrit))
  {
    dns_rdataset_t *rdataset = NULL;
    dns_rdata_t rdata = DNS_RDATA_INIT;
    dns_rdata_keydata_t keydata;
    isc_stdtime_t now = isc_stdtime_now();
    bool load = true;
    dns_name_t *rrname = NULL;
    uint32_t ttl;

    dns_rriterator_current(&rrit, &rrname, &ttl, &rdataset, NULL);
    if (!dns_rdataset_isassociated(rdataset)) {
      dns_rriterator_destroy(&rrit);
      goto failure;
    }

    if (rdataset->type != dns_rdatatype_keydata) {
      continue;
    }

    /*
     * The managed-keys zone can contain a placeholder instead of
     * legitimate data, in which case we will not use it, and we
     * will try to refresh it.
     */
    for (result = dns_rdataset_first(rdataset);
         result == ISC_R_SUCCESS;
         result = dns_rdataset_next(rdataset))
    {
      isc_result_t iresult;

      dns_rdata_reset(&rdata);
      dns_rdataset_current(rdataset, &rdata);

      iresult = dns_rdata_tostruct(&rdata, &keydata, NULL);
      /* Do we have a valid placeholder KEYDATA record? */
      if (iresult == ISC_R_SUCCESS && keydata.flags == 0 &&
          keydata.protocol == 0 && keydata.algorithm == 0)
      {
        set_refreshkeytimer(zone, &keydata, now, true);
        load = false;
      }
    }

    /*
     * Release db wrlock to prevent LOR reports against
     * dns_keytable_forall() call below.
     */
    dns_rriterator_pause(&rrit);
    result = dns_keytable_find(sr, rrname, &keynode);
    if (result != ISC_R_SUCCESS || !dns_keynode_managed(keynode)) {
      CHECK(delete_keydata(db, ver, &diff, rrname, rdataset));
      changed = true;
    } else if (load) {
      load_secroots(zone, rrname, rdataset);
    }

    if (keynode != NULL) {
      dns_keynode_detach(&keynode);
    }
  }
  dns_rriterator_destroy(&rrit);

  /*
   * Walk secroots to find any initial keys that aren't in
   * the zone.  If we find any, add them to the zone directly.
   * If any DS-style initial keys are found, refresh the key
   * zone so that they'll be looked up.
   */
  arg.db = db;
  arg.ver = ver;
  arg.result = ISC_R_SUCCESS;
  arg.diff = &diff;
  arg.zone = zone;
  arg.changed = &changed;
  dns_keytable_forall(sr, addifmissing, &arg);
  result = arg.result;
  if (changed) {
    /* Write changes to journal file. */
    CHECK(update_soa_serial(zone, db, ver, &diff, zone->mctx,
          zone->updatemethod));
    CHECK(zone_journal(zone, &diff, NULL, "sync_keyzone"));

    DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED);
    zone_needdump(zone, 30);
    commit = true;
  }

failure:
  if (result != ISC_R_SUCCESS) {
    dnssec_log(zone, ISC_LOG_ERROR,
         "unable to synchronize managed keys: %s",
         isc_result_totext(result));
    isc_time_settoepoch(&zone->refreshkeytime);
  }
  if (keynode != NULL) {
    dns_keynode_detach(&keynode);
  }
  if (sr != NULL) {
    dns_keytable_detach(&sr);
  }
  if (ver != NULL) {
    dns_db_closeversion(db, &ver, commit);
  }
  dns_diff_clear(&diff);

  INSIST(ver == NULL);

  return (result);
}

isc_result_t
dns_zone_synckeyzone(dns_zone_t *zone) {
  isc_result_t result;
  dns_db_t *db = NULL;

  if (zone->type != dns_zone_key) {
    return (DNS_R_BADZONE);
  }

  CHECK(dns_zone_getdb(zone, &db));

  LOCK_ZONE(zone);
  result = sync_keyzone(zone, db);
  UNLOCK_ZONE(zone);

failure:
  if (db != NULL) {
    dns_db_detach(&db);
  }
  return (result);
}

static void
maybe_send_secure(dns_zone_t *zone) {
  isc_result_t result;

  /*
   * We've finished loading, or else failed to load, an inline-signing
   * 'secure' zone.  We now need information about the status of the
   * 'raw' zone.  If we failed to load, then we need it to send a
   * copy of its database; if we succeeded, we need it to send its
   * serial number so that we can sync with it.  If it has not yet
   * loaded, we set a flag so that it will send the necessary
   * information when it has finished loading.
   */
  if (zone->raw->db != NULL) {
    if (zone->db != NULL) {
      uint32_t serial;
      unsigned int soacount;

      result = zone_get_from_db(
        zone->raw, zone->raw->db, NULL, &soacount, NULL,
        &serial, NULL, NULL, NULL, NULL, NULL);
      if (result == ISC_R_SUCCESS && soacount > 0U) {
        zone_send_secureserial(zone->raw, serial);
      }
    } else {
      zone_send_securedb(zone->raw, zone->raw->db);
    }
  } else {
    DNS_ZONE_SETFLAG(zone->raw, DNS_ZONEFLG_SENDSECURE);
  }
}

static bool
zone_unchanged(dns_db_t *db1, dns_db_t *db2, isc_mem_t *mctx) {
  isc_result_t result;
  bool answer = false;
  dns_diff_t diff;

  dns_diff_init(mctx, &diff);
  result = dns_db_diffx(&diff, db1, NULL, db2, NULL, NULL);
  if (result == ISC_R_SUCCESS && ISC_LIST_EMPTY(diff.tuples)) {
    answer = true;
  }
  dns_diff_clear(&diff);
  return (answer);
}

static void
process_zone_setnsec3param(dns_zone_t *zone) {
  struct np3 *npe = NULL;
  while ((npe = ISC_LIST_HEAD(zone->setnsec3param_queue)) != NULL) {
    ISC_LIST_UNLINK(zone->setnsec3param_queue, npe, link);
    zone_iattach(zone, &npe->zone);
    isc_async_run(zone->loop, setnsec3param, npe);
  }
}

/*
 * The zone is presumed to be locked.
 * If this is a inline_raw zone the secure version is also locked.
 */
static isc_result_t
zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
        isc_result_t result) {
  unsigned int soacount = 0;
  unsigned int nscount = 0;
  unsigned int errors = 0;
  uint32_t serial, oldserial, refresh, retry, expire, minimum, soattl;
  isc_time_t now;
  bool needdump = false;
  bool fixjournal = false;
  bool hasinclude = DNS_ZONE_FLAG(zone, DNS_ZONEFLG_HASINCLUDE);
  bool noprimary = false;
  bool had_db = false;
  dns_include_t *inc;
  bool is_dynamic = false;

  INSIST(LOCKED_ZONE(zone));
  if (inline_raw(zone)) {
    INSIST(LOCKED_ZONE(zone->secure));
  }

  now = isc_time_now();

  /*
   * Initiate zone transfer?  We may need a error code that
   * indicates that the "permanent" form does not exist.
   * XXX better error feedback to log.
   */
  if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE) {
    if (zone->type == dns_zone_secondary ||
        zone->type == dns_zone_mirror ||
        zone->type == dns_zone_stub ||
        (zone->type == dns_zone_redirect &&
         dns_remote_addresses(&zone->primaries) == NULL))
    {
      if (result == ISC_R_FILENOTFOUND) {
        dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
                ISC_LOG_DEBUG(1),
                "no master file");
      } else if (result != DNS_R_NOMASTERFILE) {
        dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
                ISC_LOG_ERROR,
                "loading from master file %s "
                "failed: %s",
                zone->masterfile,
                isc_result_totext(result));
      }
    } else if (zone->type == dns_zone_primary &&
         inline_secure(zone) && result == ISC_R_FILENOTFOUND)
    {
      dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
              ISC_LOG_DEBUG(1),
              "no master file, requesting db");
      maybe_send_secure(zone);
    } else {
      int level = ISC_LOG_ERROR;
      if (zone->type == dns_zone_key &&
          result == ISC_R_FILENOTFOUND)
      {
        level = ISC_LOG_DEBUG(1);
      }
      dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, level,
              "loading from master file %s failed: %s",
              zone->masterfile,
              isc_result_totext(result));
      noprimary = true;
    }

    if (zone->type != dns_zone_key) {
      goto cleanup;
    }
  }

  dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, ISC_LOG_DEBUG(2),
          "number of nodes in database: %u",
          dns_db_nodecount(db, dns_dbtree_main));

  if (result == DNS_R_SEENINCLUDE) {
    DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_HASINCLUDE);
  } else {
    DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_HASINCLUDE);
  }

  /*
   * If there's no master file for a key zone, then the zone is new:
   * create an SOA record.  (We do this now, instead of later, so that
   * if there happens to be a journal file, we can roll forward from
   * a sane starting point.)
   */
  if (noprimary && zone->type == dns_zone_key) {
    result = add_soa(zone, db);
    if (result != ISC_R_SUCCESS) {
      goto cleanup;
    }
  }

  /*
   * Apply update log, if any, on initial load.
   */
  if (zone->journal != NULL &&
      !DNS_ZONE_OPTION(zone, DNS_ZONEOPT_NOMERGE) &&
      !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED))
  {
    result = zone_journal_rollforward(zone, db, &needdump,
              &fixjournal);
    if (result != ISC_R_SUCCESS) {
      goto cleanup;
    }
  }

  /*
   * Obtain ns, soa and cname counts for top of zone.
   */
  INSIST(db != NULL);
  result = zone_get_from_db(zone, db, &nscount, &soacount, &soattl,
          &serial, &refresh, &retry, &expire, &minimum,
          &errors);
  if (result != ISC_R_SUCCESS && zone->type != dns_zone_key) {
    dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, ISC_LOG_ERROR,
            "could not find NS and/or SOA records");
  }

  /*
   * Process any queued NSEC3PARAM change requests. Only for dynamic
   * zones, an inline-signing zone will perform this action when
   * receiving the secure db (receive_secure_db).
   */
  is_dynamic = dns_zone_isdynamic(zone, true);
  if (is_dynamic) {
    process_zone_setnsec3param(zone);
  }

  /*
   * Check to make sure the journal is up to date, and remove the
   * journal file if it isn't, as we wouldn't be able to apply
   * updates otherwise.
   */
  if (zone->journal != NULL && is_dynamic &&
      !DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IXFRFROMDIFFS))
  {
    uint32_t jserial;
    dns_journal_t *journal = NULL;
    bool empty = false;

    result = dns_journal_open(zone->mctx, zone->journal,
            DNS_JOURNAL_READ, &journal);
    if (result == ISC_R_SUCCESS) {
      jserial = dns_journal_last_serial(journal);
      empty = dns_journal_empty(journal);
      dns_journal_destroy(&journal);
    } else {
      jserial = serial;
      result = ISC_R_SUCCESS;
    }

    if (jserial != serial) {
      if (!empty) {
        dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
                ISC_LOG_INFO,
                "journal file is out of date: "
                "removing journal file");
      }
      if (remove(zone->journal) < 0 && errno != ENOENT) {
        char strbuf[ISC_STRERRORSIZE];
        strerror_r(errno, strbuf, sizeof(strbuf));
        isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
                DNS_LOGMODULE_ZONE,
                ISC_LOG_WARNING,
                "unable to remove journal "
                "'%s': '%s'",
                zone->journal, strbuf);
      }
    }
  }

  dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD, ISC_LOG_DEBUG(1),
          "loaded; checking validity");

  /*
   * Primary / Secondary / Mirror / Stub zones require both NS and SOA
   * records at the top of the zone.
   */

  switch (zone->type) {
  case dns_zone_dlz:
  case dns_zone_primary:
  case dns_zone_secondary:
  case dns_zone_mirror:
  case dns_zone_stub:
  case dns_zone_redirect:
    if (soacount != 1) {
      dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
              ISC_LOG_ERROR, "has %d SOA records",
              soacount);
      result = DNS_R_BADZONE;
    }
    if (nscount == 0) {
      dns_zone_logc(zone, DNS_LOGCATEGORY_ZONELOAD,
              ISC_LOG_ERROR, "has no NS records");
      result = DNS_R_BADZONE;
    }
    if (result != ISC_R_SUCCESS) {
      goto cleanup;
    }
    if (zone->type == dns_zone_primary && errors != 0) {
      result = DNS_R_BADZONE;
      goto cleanup;
    }
    if (zone->type != dns_zone_stub &&
        zone->type != dns_zone_redirect)
    {
      result = check_nsec3param(zone, db);
      if (result != ISC_R_SUCCESS) {
        goto cleanup;
      }
    }
    if (zone->type == dns_zone_primary &&
        DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKINTEGRITY) &&
        !integrity_checks(zone, db))
    {
      result = DNS_R_BADZONE;
      goto cleanup;
    }
    if (zone->type == dns_zone_primary &&


Coverage Report

Created: 2023-11-19 06:22