Commit bfe0517f authored by Evan Hunt's avatar Evan Hunt

Clarify logged message when an insecure DNSSEC response arrives from a zone

thought to be secure: "insecurity proof failed" instead of "not insecure".
[RT #19400]
parent 2cfac8b1
2566. [cleanup] Clarify logged message when an insecure DNSSEC
response arrives from a zone thought to be secure:
"insecurity proof failed" instead of "not
insecure". [RT #19400]
2565. [func] Add support for HIP record. Includes new functions
dns_rdata_hip_first(), dns_rdata_hip_next()
and dns_rdata_hip_current(). [RT #19384]
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: builtin.c,v 1.14 2009/02/18 23:47:48 tbox Exp $ */
/* $Id: builtin.c,v 1.15 2009/03/01 02:45:38 each Exp $ */
/*! \file
* \brief
......@@ -132,6 +132,7 @@ do_authors_lookup(dns_sdblookup_t *lookup) {
"Michael Graff",
"Andreas Gustafsson",
"Bob Halley",
"Evan Hunt",
"David Lawrence",
"Danny Mayer",
"Damien Neil",
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: resolver.c,v 1.393 2009/02/27 23:01:48 marka Exp $ */
/* $Id: resolver.c,v 1.394 2009/03/01 02:45:38 each Exp $ */
/*! \file */
......@@ -2126,7 +2126,7 @@ add_bad(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, isc_result_t reason,
char code[64];
isc_buffer_t b;
isc_sockaddr_t *sa;
const char *sep1, *sep2;
const char *spc = "";
isc_sockaddr_t *address = &addrinfo->sockaddr;
if (reason == DNS_R_LAME)
......@@ -2172,18 +2172,14 @@ add_bad(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, isc_result_t reason,
isc_buffer_init(&b, code, sizeof(code) - 1);
dns_rcode_totext(fctx->rmessage->rcode, &b);
code[isc_buffer_usedlength(&b)] = '\0';
sep1 = "(";
sep2 = ") ";
spc = " ";
} else if (reason == DNS_R_UNEXPECTEDOPCODE) {
isc_buffer_init(&b, code, sizeof(code) - 1);
dns_opcode_totext((dns_opcode_t)fctx->rmessage->opcode, &b);
code[isc_buffer_usedlength(&b)] = '\0';
sep1 = "(";
sep2 = ") ";
spc = " ";
} else {
code[0] = '\0';
sep1 = "";
sep2 = "";
}
dns_name_format(&fctx->name, namebuf, sizeof(namebuf));
dns_rdatatype_format(fctx->type, typebuf, sizeof(typebuf));
......@@ -2191,8 +2187,8 @@ add_bad(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, isc_result_t reason,
isc_sockaddr_format(address, addrbuf, sizeof(addrbuf));
isc_log_write(dns_lctx, DNS_LOGCATEGORY_LAME_SERVERS,
DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
"%s %s%s%sresolving '%s/%s/%s': %s",
dns_result_totext(reason), sep1, code, sep2,
"error (%s%s%s) resolving '%s/%s/%s': %s",
dns_result_totext(reason), spc, code,
namebuf, typebuf, classbuf, addrbuf);
}
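Review bot: Neither the commit description nor CHANGES entry 2566 mentions that add_bad()'s lame-servers log line changes format, from `<result> (<code>) resolving ...` to `error (<result> <code>) resolving ...`. Log monitors and alerting rules that match the old prefix would stop matching without any visible error. Note the new format in the CHANGES entry, and add a comment above the isc_log_write() call such as `/* Format: "error (<result>[ <rcode|opcode>]) resolving '<name>/<type>/<class>': <server>" */`. Separately, `spc` is set to `" "` even when the totext call leaves `code` empty (its return value is not checked in the visible lines), which would log a stray space before the closing parenthesis. add_bad's body starts outside these hunks.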
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: result.c,v 1.125 2008/09/25 04:02:38 tbox Exp $ */
/* $Id: result.c,v 1.126 2009/03/01 02:45:38 each Exp $ */
/*! \file */
......@@ -105,7 +105,7 @@ static const char *text[DNS_R_NRESULTS] = {
"no valid RRSIG", /*%< 59 DNS_R_NOVALIDSIG */
"no valid NSEC", /*%< 60 DNS_R_NOVALIDNSEC */
"not insecure", /*%< 61 DNS_R_NOTINSECURE */
"insecurity proof failed", /*%< 61 DNS_R_NOTINSECURE */
"unknown service", /*%< 62 DNS_R_UNKNOWNSERVICE */
"recoverable error occurred", /*%< 63 DNS_R_RECOVERABLE */
"unknown opt attribute record", /*%< 64 DNS_R_UNKNOWNOPT */
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: validator.c,v 1.169 2009/02/15 23:46:23 marka Exp $ */
/* $Id: validator.c,v 1.170 2009/03/01 02:45:38 each Exp $ */
#include <config.h>
......@@ -3222,7 +3222,7 @@ proveunsecure(dns_validator_t *val, isc_boolean_t have_ds, isc_boolean_t resume)
/*
* If we have a DS rdataset and it is secure then check if
* the DS rdataset has a supported algorithm combination.
* If not this is a insecure delegation as far as this
* If not this is an insecure delegation as far as this
* resolver is concerned. Fall back to DLV if available.
*/
if (have_ds && val->frdataset.trust >= dns_trust_secure &&
......@@ -3276,7 +3276,7 @@ proveunsecure(dns_validator_t *val, isc_boolean_t have_ds, isc_boolean_t resume)
if (result == DNS_R_NXRRSET || result == DNS_R_NCACHENXRRSET) {
/*
* There is no DS. If this is a delegation,
* we maybe done.
* we may be done.
*/
if (val->frdataset.trust == dns_trust_pending) {
result = create_fetch(val, tname,
......@@ -3394,9 +3394,9 @@ proveunsecure(dns_validator_t *val, isc_boolean_t have_ds, isc_boolean_t resume)
return (nsecvalidate(val, ISC_FALSE));
}
*/
/* Couldn't complete insecurity proof */
validator_log(val, ISC_LOG_DEBUG(3), "insecurity proof failed");
return (DNS_R_NOTINSECURE); /* Couldn't complete insecurity proof */
return (DNS_R_NOTINSECURE);
out:
if (dns_rdataset_isassociated(&val->frdataset))
......@@ -3435,7 +3435,7 @@ dlv_validator_start(dns_validator_t *val) {
* \li 3. a negative answer (secure or unsecure).
*
* Note a answer that appears to be a secure positive answer may actually
* be a unsecure positive answer.
* be an unsecure positive answer.
*/
static void
validator_start(isc_task_t *task, isc_event_t *event) {
......@@ -3500,6 +3500,10 @@ validator_start(isc_task_t *task, isc_event_t *event) {
val->attributes |= VALATTR_INSECURITY;
result = proveunsecure(val, ISC_FALSE, ISC_FALSE);
if (result != DNS_R_NOTINSECURE)
validator_log(val, ISC_LOG_INFO,
"got insecure response; "
"could not prove it was valid");
} else if (val->event->rdataset == NULL &&
val->event->sigrdataset == NULL)
{
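Review bot: The test guarding the new INFO message in validator_start looks inverted. The earlier hunk in this file shows proveunsecure() logging "insecurity proof failed" and returning DNS_R_NOTINSECURE, yet "got insecure response; could not prove it was valid" is emitted only when the result is anything other than that value. As written, a failed insecurity proof, the case an operator watching for missing or stripped signatures needs to see, stays at debug level 3, while other results (presumably including success and a pending fetch) produce the INFO line. The condition should read `if (result == DNS_R_NOTINSECURE)`. validator_start's body continues outside the hunk, so confirm that no later code already reports this result.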
......