
Store the DS and RRSIG(DS) with trust dns_trust_pending_answer

so that the validator can validate the records as part of validating
the current request.
Mark Andrews
2019-03-28 00:48:03 +11:00
parent 954782d78a
commit 57a328d67e


@@ -8697,6 +8697,7 @@ rctx_answer_none(respctx_t *rctx) {
rctx->negative = true; rctx->negative = true;
} }
if (!rctx->ns_in_answer && !rctx->glue_in_answer) {
/* /*
* Process DNSSEC records in the authority section. * Process DNSSEC records in the authority section.
*/ */
@@ -8704,6 +8705,7 @@ rctx_answer_none(respctx_t *rctx) {
if (result == ISC_R_COMPLETE) { if (result == ISC_R_COMPLETE) {
return (rctx->result); return (rctx->result);
} }
}
/* /*
* Trigger lookups for DNS nameservers. * Trigger lookups for DNS nameservers.
@@ -8955,18 +8957,12 @@ static isc_result_t
rctx_authority_dnssec(respctx_t *rctx) { rctx_authority_dnssec(respctx_t *rctx) {
isc_result_t result; isc_result_t result;
fetchctx_t *fctx = rctx->fctx; fetchctx_t *fctx = rctx->fctx;
dns_section_t section;
dns_rdataset_t *rdataset = NULL; dns_rdataset_t *rdataset = NULL;
bool finished = false; bool finished = false;
if (rctx->ns_in_answer) { REQUIRE(!rctx->ns_in_answer && !rctx->glue_in_answer);
INSIST(fctx->type == dns_rdatatype_ns);
section = DNS_SECTION_ANSWER;
} else {
section = DNS_SECTION_AUTHORITY;
}
result = dns_message_firstname(fctx->rmessage, section); result = dns_message_firstname(fctx->rmessage, DNS_SECTION_AUTHORITY);
if (result != ISC_R_SUCCESS) { if (result != ISC_R_SUCCESS) {
return (ISC_R_SUCCESS); return (ISC_R_SUCCESS);
} }
@@ -8974,8 +8970,10 @@ rctx_authority_dnssec(respctx_t *rctx) {
while (!finished) { while (!finished) {
dns_name_t *name = NULL; dns_name_t *name = NULL;
dns_message_currentname(fctx->rmessage, section, &name); dns_message_currentname(fctx->rmessage, DNS_SECTION_AUTHORITY,
result = dns_message_nextname(fctx->rmessage, section); &name);
result = dns_message_nextname(fctx->rmessage,
DNS_SECTION_AUTHORITY);
if (result != ISC_R_SUCCESS) { if (result != ISC_R_SUCCESS) {
finished = true; finished = true;
} }
@@ -8991,7 +8989,10 @@ rctx_authority_dnssec(respctx_t *rctx) {
rdataset != NULL; rdataset != NULL;
rdataset = ISC_LIST_NEXT(rdataset, link)) rdataset = ISC_LIST_NEXT(rdataset, link))
{ {
bool checknta = true;
bool secure_domain = false;
dns_rdatatype_t type = rdataset->type; dns_rdatatype_t type = rdataset->type;
if (type == dns_rdatatype_rrsig) { if (type == dns_rdatatype_rrsig) {
type = rdataset->covers; type = rdataset->covers;
} }
@@ -9051,7 +9052,25 @@ rctx_authority_dnssec(respctx_t *rctx) {
name->attributes |= DNS_NAMEATTR_CACHE; name->attributes |= DNS_NAMEATTR_CACHE;
rdataset->attributes |= DNS_RDATASETATTR_CACHE; rdataset->attributes |= DNS_RDATASETATTR_CACHE;
if (rctx->aa) {
if ((fctx->options & DNS_FETCHOPT_NONTA) != 0) {
checknta = false;
}
if (fctx->res->view->enablevalidation) {
result = issecuredomain(fctx->res->view,
name,
dns_rdatatype_ds,
fctx->now,
checknta, NULL,
&secure_domain);
if (result != ISC_R_SUCCESS) {
return (result);
}
}
if (secure_domain) {
rdataset->trust =
dns_trust_pending_answer;
} else if (rctx->aa) {
rdataset->trust = rdataset->trust =
dns_trust_authauthority; dns_trust_authauthority;
} else if (ISFORWARDER(fctx->addrinfo)) { } else if (ISFORWARDER(fctx->addrinfo)) {