Commit 9840a076 authored by Mark Andrews's avatar Mark Andrews
Browse files

1853. [bug] Rework how DLV interacts with proveunsecure().

                        [RT #13605]
parent 6f92620e
1853. [bug] Rework how DLV interacts with proveunsecure().
[RT #13605]
1852. [cleanup] Remove last vestiges of dnssec-signkey and
dnssec-makekeyset (removed from Makefile years ago).
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: validator.c,v 1.128 2005/04/27 04:56:52 sra Exp $ */
/* $Id: validator.c,v 1.129 2005/05/06 01:59:38 marka Exp $ */
/*! \file */
......@@ -2355,9 +2355,10 @@ proveunsecure(dns_validator_t *val, isc_boolean_t resume) {
val->event->name,
dns_fixedname_name(&secroot));
/*
* If the name is not under a security root, it must be insecure.
* If the name is not under a security root look for a dlv record.
*/
if (val->view->dlv != NULL && !DLVSEPTRIED(val) &&
if (result == ISC_R_NOTFOUND &&
val->view->dlv != NULL && !DLVSEPTRIED(val) &&
!dns_name_issubdomain(val->event->name, val->view->dlv)) {
tresult = finddlvsep(val, ISC_FALSE);
if (tresult != ISC_R_NOTFOUND && tresult != ISC_R_SUCCESS) {
......@@ -2368,6 +2369,11 @@ proveunsecure(dns_validator_t *val, isc_boolean_t resume) {
}
}
/*
* If there is no security root and a dlv record was not found we are
* done. If a dlv record was found use that as the secure entry point,
* if no security root was found.
*/
if (result == ISC_R_NOTFOUND) {
if (!val->havedlvsep) {
validator_log(val, ISC_LOG_DEBUG(3),
......@@ -2438,7 +2444,7 @@ proveunsecure(dns_validator_t *val, isc_boolean_t resume) {
if (result == DNS_R_NXRRSET || result == DNS_R_NCACHENXRRSET) {
/*
* There is no DS. If this is a delegation,
* we're done.
* we maybe done.
*/
if (val->frdataset.trust < dns_trust_secure) {
/*
......@@ -2451,6 +2457,25 @@ proveunsecure(dns_validator_t *val, isc_boolean_t resume) {
goto out;
}
if (isdelegation(tname, &val->frdataset, result)) {
/*
* If we havn't looked for a dlvsep look for
* one now. If found restart the proof.
*/
if (val->view->dlv != NULL &&
!DLVSEPTRIED(val) &&
!dns_name_issubdomain(val->event->name,
val->view->dlv)) {
tresult = finddlvsep(val, ISC_FALSE);
if (tresult != ISC_R_NOTFOUND &&
tresult != ISC_R_SUCCESS) {
validator_log(val,
ISC_LOG_DEBUG(3),
"finddlvsep returned: %s",
dns_result_totext(tresult));
return (tresult);
}
return (proveunsecure(val, ISC_FALSE));
}
if (val->mustbesecure) {
validator_log(val, ISC_LOG_WARNING,
"must be secure failure");
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment