a53321d9d6
Don't sign data we are not authoritative for. This adds an AuthWalk which skips names we should not authoritative for. Adds a few tests to check this is the case. Generates zones have been compared to dnssec-signzone. A number of changes have been made: * don't add DS records to the apex * NSEC TTL is the SOA's minttl value (copying bind9) * Various cleanups * signer struct was cleaned up: doesn't need ttl, nor expiration or inception. * plugin/sign: remove apex stuff from names() This is never used because we will always have other types in the apex, because we *ADD* them ourselves, before we sign (DNSKEY, CDS and CDNSKEY). Signed-off-by: Miek Gieben <miek@miek.nl> Co-Authored-By: Chris O'Haver <cohaver@infoblox.com>
33 lines
779 B
Go
33 lines
779 B
Go
package tree
|
|
|
|
import "github.com/miekg/dns"
|
|
|
|
// Walk performs fn on all authoritative values stored in the tree in
|
|
// in-order depth first. If a non-nil error is returned the Walk was interrupted
|
|
// by an fn returning that error. If fn alters stored values' sort
|
|
// relationships, future tree operation behaviors are undefined.
|
|
func (t *Tree) Walk(fn func(*Elem, map[uint16][]dns.RR) error) error {
|
|
if t.Root == nil {
|
|
return nil
|
|
}
|
|
return t.Root.walk(fn)
|
|
}
|
|
|
|
func (n *Node) walk(fn func(*Elem, map[uint16][]dns.RR) error) error {
|
|
if n.Left != nil {
|
|
if err := n.Left.walk(fn); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
|
|
if err := fn(n.Elem, n.Elem.m); err != nil {
|
|
return err
|
|
}
|
|
|
|
if n.Right != nil {
|
|
if err := n.Right.walk(fn); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
return nil
|
|
}
|