Lines Matching defs:dnskey
1387 zoneverify_log_error(vctx, "DNSKEY is not signed "
1437 * verified zone based on the signatures made using 'dnskey' (prepared from
1439 * if 'dnskey' correctly signs the DNSKEY RRset at zone apex and either
1440 * 'vctx->secroots' is NULL or 'dnskey' is present in 'vctx->secroots'.
1443 * 'dnskey' is a KSK and false otherwise.
1446 check_dnskey_sigs(vctx_t *vctx, const dns_rdata_dnskey_t *dnskey,
1460 * First, does this key sign the DNSKEY rrset?
1469 if (active_keys[dnskey->algorithm] != DNS_KEYALG_MAX) {
1470 active_keys[dnskey->algorithm]++;
1473 if (standby_keys[dnskey->algorithm] != DNS_KEYALG_MAX) {
1474 standby_keys[dnskey->algorithm]++;
1480 if (active_keys[dnskey->algorithm] != DNS_KEYALG_MAX) {
1481 active_keys[dnskey->algorithm]++;
1486 * DNSKEY RRset is good enough.
1504 * is NULL, then we have neither a DNSKEY nor a DS format
1515 * it doesn't have any DNSKEY ones. So, we can check for a DS
1571 * Check that the DNSKEY RR has at least one self-signing KSK and one ZSK per
1577 dns_rdata_dnskey_t dnskey;
1585 result = dns_rdata_tostruct(&rdata, &dnskey, NULL);
1587 is_ksk = ((dnskey.flags & DNS_KEYFLAG_KSK) != 0);
1589 if ((dnskey.flags & DNS_KEYOWNER_ZONE) != 0 &&
1590 (dnskey.flags & DNS_KEYFLAG_REVOKE) != 0)
1592 if ((dnskey.flags & DNS_KEYFLAG_KSK) != 0 &&
1614 "%s DNSKEY %.*s",
1620 if ((dnskey.flags & DNS_KEYFLAG_KSK) != 0 &&
1621 vctx->revoked_ksk[dnskey.algorithm] !=
1624 vctx->revoked_ksk[dnskey.algorithm]++;
1625 } else if ((dnskey.flags & DNS_KEYFLAG_KSK) == 0 &&
1626 vctx->revoked_zsk[dnskey.algorithm] !=
1629 vctx->revoked_zsk[dnskey.algorithm]++;
1632 check_dnskey_sigs(vctx, &dnskey, &rdata, is_ksk);
1634 dns_rdata_freestruct(&dnskey);
1694 * present in the DNSKEY RRset.
1992 zoneverify_log_error(&vctx, "No %s DNSKEY found",
1998 zoneverify_log_error(&vctx, "No %s KSK DNSKEY found", keydesc);