git.ipfire.org Git - thirdparty/knot-resolver.git/commit

author	Vladimír Čunát <vladimir.cunat@nic.cz>
	Thu, 2 Jul 2020 15:04:08 +0000 (17:04 +0200)
committer	Petr Špaček <petr.spacek@nic.cz>
	Fri, 7 Aug 2020 13:59:47 +0000 (15:59 +0200)
commit	703d918a27b08e88e2e995afebd6c7395311fd91
tree	4ef27b28bb44ff19237c1d526ea0cbdce7324917	tree \| snapshot
parent	4afb8985ad50405b26648e2100db47d7c9b51bfb	commit \| diff

validator: bottom->up chase DS if RRSIG(s) are missing

This is about situations when validator *thinks* it's in a signed zone
but an unsigned answer comes in. The assumption was that RRSIGs didn't
make it through some middle-boxes and it retried with explicit QTYPE=RRSIG.

There were two issues with that.
1. It seems that in most cases the cause of the situation is that
   we skipped over a zone cut that transitioned to insecure state,
   so the signatures correctly don't exist.
2. An explicit RRSIG query appears to be more trouble than worth;
   it seems reasonable for servers not to answer it (fully);
   see RFC 8482 sect. 7.

The new approach simply tries to find a proof that the name is insecure,
by spawning a QTYPE=DS sub-query on that name.  That fixes some
real-life cases; usually this happens in iteration mode where one IP
address serves zones on both sides of a cut that transitions to insecure.
For details see new comments in that rrsig_not_found() function.

The change resulted in the iterator fallback not making sense anymore
so it was removed.

NEWS		diff \| blob \| blame \| history
lib/layer/iterate.c		diff \| blob \| blame \| history
lib/layer/validate.c		diff \| blob \| blame \| history
lib/resolve.h		diff \| blob \| blame \| history
tests/integration/deckard		diff \| blob \| blame \| history