Commit 451113b4 authored by Mark Andrews's avatar Mark Andrews
Browse files

Merge branch '964-use-referral-ds-record-when-validating' into 'master'

Resolve "Use referral DS record when validating"

Closes #964

See merge request isc-projects/bind9!1755
parents 954782d7 ac28cc14
5275. [bug] Mark DS records included in referral messages
with trust level "pending" so that they can be
validated and cached immediately, with no need to
re-query. [GL #964]
5274. [bug] Address potential use after free race when shutting
down rpz. [GL #1175]
......
......@@ -184,6 +184,15 @@ n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
echo_i "checking that 'example/DS' from the referral was used in previous validation ($n)"
ret=0
grep "query 'example/DS/IN' approved" ns1/named.run > /dev/null && ret=1
grep "fetch: example/DS" ns4/named.run > /dev/null && ret=1
grep "validating example/DS: starting" ns4/named.run > /dev/null || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
if [ -x ${DELV} ] ; then
ret=0
echo_i "checking positive validation NSEC using dns_client ($n)"
......
......@@ -288,6 +288,13 @@
all output on standard output except for the name of the signed zone.
</para>
</listitem>
<listitem>
<para>
DS records included in DNS referral messages can now be validated
and cached immediately, reducing the number of queries needed for
a DNSSEC validation. [GL #964]
</para>
</listitem>
</itemizedlist>
</section>
......
......@@ -8697,12 +8697,14 @@ rctx_answer_none(respctx_t *rctx) {
rctx->negative = true;
}
/*
* Process DNSSEC records in the authority section.
*/
result = rctx_authority_dnssec(rctx);
if (result == ISC_R_COMPLETE) {
return (rctx->result);
if (!rctx->ns_in_answer && !rctx->glue_in_answer) {
/*
* Process DNSSEC records in the authority section.
*/
result = rctx_authority_dnssec(rctx);
if (result == ISC_R_COMPLETE) {
return (rctx->result);
}
}
/*
......@@ -8955,18 +8957,12 @@ static isc_result_t
rctx_authority_dnssec(respctx_t *rctx) {
isc_result_t result;
fetchctx_t *fctx = rctx->fctx;
dns_section_t section;
dns_rdataset_t *rdataset = NULL;
bool finished = false;
if (rctx->ns_in_answer) {
INSIST(fctx->type == dns_rdatatype_ns);
section = DNS_SECTION_ANSWER;
} else {
section = DNS_SECTION_AUTHORITY;
}
REQUIRE(!rctx->ns_in_answer && !rctx->glue_in_answer);
result = dns_message_firstname(fctx->rmessage, section);
result = dns_message_firstname(fctx->rmessage, DNS_SECTION_AUTHORITY);
if (result != ISC_R_SUCCESS) {
return (ISC_R_SUCCESS);
}
......@@ -8974,8 +8970,10 @@ rctx_authority_dnssec(respctx_t *rctx) {
while (!finished) {
dns_name_t *name = NULL;
dns_message_currentname(fctx->rmessage, section, &name);
result = dns_message_nextname(fctx->rmessage, section);
dns_message_currentname(fctx->rmessage, DNS_SECTION_AUTHORITY,
&name);
result = dns_message_nextname(fctx->rmessage,
DNS_SECTION_AUTHORITY);
if (result != ISC_R_SUCCESS) {
finished = true;
}
......@@ -8991,7 +8989,10 @@ rctx_authority_dnssec(respctx_t *rctx) {
rdataset != NULL;
rdataset = ISC_LIST_NEXT(rdataset, link))
{
bool checknta = true;
bool secure_domain = false;
dns_rdatatype_t type = rdataset->type;
if (type == dns_rdatatype_rrsig) {
type = rdataset->covers;
}
......@@ -9051,7 +9052,25 @@ rctx_authority_dnssec(respctx_t *rctx) {
name->attributes |= DNS_NAMEATTR_CACHE;
rdataset->attributes |= DNS_RDATASETATTR_CACHE;
if (rctx->aa) {
if ((fctx->options & DNS_FETCHOPT_NONTA) != 0) {
checknta = false;
}
if (fctx->res->view->enablevalidation) {
result = issecuredomain(fctx->res->view,
name,
dns_rdatatype_ds,
fctx->now,
checknta, NULL,
&secure_domain);
if (result != ISC_R_SUCCESS) {
return (result);
}
}
if (secure_domain) {
rdataset->trust =
dns_trust_pending_answer;
} else if (rctx->aa) {
rdataset->trust =
dns_trust_authauthority;
} else if (ISFORWARDER(fctx->addrinfo)) {
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment