
add support for EDE 7 and 8

Extended DNS Error messages EDE 7 (expired key) and EDE 8 (validity
period of the key not yet started) are now sent in case of such DNSSEC
validation failures.

Refactor the existing validator extended error APIs in order to make it
easy to have consistent extra info (with domain/type) in the various
use cases (i.e. when the EDE depends on validator state,
validate_extendederror, or when the EDE doesn't depend on any state but
can be called directly in a specific flow).
Colin Vidal 2025-03-12 10:53:11 +01:00
parent 3309863c97
commit 334ea1269f


@ -182,6 +182,9 @@ expire_rdatasets(dns_validator_t *val) {
static void static void
validate_extendederror(dns_validator_t *val); validate_extendederror(dns_validator_t *val);
static void
validator_addede(dns_validator_t *val, uint16_t code, const char *extra);
/*% /*%
* Ensure the validator's rdatasets are disassociated. * Ensure the validator's rdatasets are disassociated.
*/ */
@ -1474,6 +1477,11 @@ again:
* Temporal errors don't count towards max validations nor max * Temporal errors don't count towards max validations nor max
* fails. * fails.
*/ */
validator_addede(val,
result == DNS_R_SIGEXPIRED
? DNS_EDE_SIGNATUREEXPIRED
: DNS_EDE_SIGNATURENOTYETVALID,
NULL);
break; break;
case ISC_R_SUCCESS: case ISC_R_SUCCESS:
consume_validation(val); consume_validation(val);
@ -3627,44 +3635,54 @@ validator_logcreate(dns_validator_t *val, dns_name_t *name,
} }
static void static void
validate_extendederror(dns_validator_t *val) { validator_addede(dns_validator_t *val, uint16_t code, const char *extra) {
REQUIRE(VALID_VALIDATOR(val)); REQUIRE(VALID_VALIDATOR(val));
char extra[DNS_NAME_FORMATSIZE + DNS_RDATATYPE_FORMATSIZE + char bdata[DNS_NAME_FORMATSIZE + DNS_RDATATYPE_FORMATSIZE +
DNS_EDE_EXTRATEXT_LEN]; DNS_EDE_EXTRATEXT_LEN];
isc_buffer_t b; isc_buffer_t b;
isc_buffer_init(&b, bdata, sizeof(bdata));
if (extra != NULL) {
isc_buffer_putstr(&b, extra);
isc_buffer_putuint8(&b, ' ');
}
dns_name_totext(val->name, DNS_NAME_OMITFINALDOT, &b);
isc_buffer_putuint8(&b, '/');
dns_rdatatype_totext(val->type, &b);
isc_buffer_putuint8(&b, '\0');
dns_ede_add(val->edectx, code, bdata);
}
static void
validate_extendederror(dns_validator_t *val) {
dns_validator_t *edeval = val; dns_validator_t *edeval = val;
char bdata[DNS_EDE_EXTRATEXT_LEN];
isc_buffer_t b;
REQUIRE(VALID_VALIDATOR(edeval));
isc_buffer_init(&b, bdata, sizeof(bdata));
while (edeval->parent != NULL) { while (edeval->parent != NULL) {
edeval = edeval->parent; edeval = edeval->parent;
} }
if (val->unsupported_algorithm != 0) { if (val->unsupported_algorithm != 0) {
isc_buffer_init(&b, extra, sizeof(extra)); isc_buffer_clear(&b);
dns_secalg_totext(val->unsupported_algorithm, &b); dns_secalg_totext(val->unsupported_algorithm, &b);
isc_buffer_putuint8(&b, ' ');
dns_name_totext(val->name, DNS_NAME_OMITFINALDOT, &b);
isc_buffer_putuint8(&b, '/');
dns_rdatatype_totext(val->type, &b);
isc_buffer_putuint8(&b, '\0'); isc_buffer_putuint8(&b, '\0');
validator_addede(val, DNS_EDE_DNSKEYALG, bdata);
dns_ede_add(val->edectx, DNS_EDE_DNSKEYALG, extra);
} }
if (val->unsupported_digest != 0) { if (val->unsupported_digest != 0) {
isc_buffer_init(&b, extra, sizeof(extra)); isc_buffer_clear(&b);
dns_dsdigest_totext(val->unsupported_digest, &b); dns_dsdigest_totext(val->unsupported_digest, &b);
isc_buffer_putuint8(&b, ' ');
dns_name_totext(val->name, DNS_NAME_OMITFINALDOT, &b);
isc_buffer_putuint8(&b, '/');
dns_rdatatype_totext(val->type, &b);
isc_buffer_putuint8(&b, '\0'); isc_buffer_putuint8(&b, '\0');
validator_addede(val, DNS_EDE_DSDIGESTTYPE, bdata);
dns_ede_add(val->edectx, DNS_EDE_DSDIGESTTYPE, extra);
isc_buffer_invalidate(&b);
} }
} }
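Review bot: In the rewritten validate_extendederror, `edeval` is walked to the root of the parent chain but every later line in the hunk reads `val` (`val->unsupported_algorithm`, `val->unsupported_digest`, `validator_addede(val, ...)`), so within the visible lines the walk is dead code; either the calls were meant to target the root validator or the loop should go, and a one-line comment stating which validator owns the EDE context would settle it. In validator_addede the `bdata` size is exactly the sum of the three format sizes, while the written text is `extra + ' ' + name + '/' + type + NUL`; this only fits if each `*_FORMATSIZE` constant reserves room for its own terminator (the two spare bytes then cover the separators), and if `isc_buffer_putstr`/`isc_buffer_putuint8` assert on insufficient space as elsewhere in BIND, a miscount would surface as an assertion abort in the validator rather than a memory write. A comment on the `bdata` declaration should record that invariant, e.g. `/* extra + ' ' + name + '/' + type + NUL; relies on each *_FORMATSIZE including its NUL */`. The return values of `dns_secalg_totext` and `dns_dsdigest_totext` are still discarded, which is pre-existing but worth noting now that the function was reshaped.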