If we already marked an rdataset as secure (or it has even stronger
trust), there is no need to cryptographically verify it again.
((x) == dns_trust_additional || (x) == dns_trust_pending_additional)
#define DNS_TRUST_GLUE(x) ((x) == dns_trust_glue)
#define DNS_TRUST_ANSWER(x) ((x) == dns_trust_answer)
+#define DNS_TRUST_SECURE(x) ((x) >= dns_trust_secure)
/*%
* Name checking severities.
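Review bot: `DNS_TRUST_SECURE` is the only macro in this group that tests with `>=` instead of `==`, so it depends on the numeric ordering of the dns_trust enum, which is not visible in this hunk. A short comment above it would record that intent, for example `/* True for dns_trust_secure and any stronger level; relies on the enum being ordered by increasing trust. */`. The macro now decides whether signature verification is skipped, so a trust level later added above dns_trust_secure that does not imply validated data would be treated as already verified.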
bool ignore = false;
dns_name_t *wild;
+ if (DNS_TRUST_SECURE(val->rdataset->trust)) {
+ /*
+ * This RRset was already verified before.
+ */
+ return ISC_R_SUCCESS;
+ }
+
val->attributes |= VALATTR_TRIEDVERIFY;
- wild = dns_fixedname_initname(&fixed);
if (over_max_validations(val)) {
return ISC_R_QUOTA;
}
+ wild = dns_fixedname_initname(&fixed);
+
again:
result = dns_dnssec_verify(val->name, val->rdataset, key, ignore,
val->view->mctx, rdata, wild);
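Review bot: The early `return ISC_R_SUCCESS` sits above both `val->attributes |= VALATTR_TRIEDVERIFY` and the `over_max_validations(val)` check, so this path reports success without recording an attempt, whatever `key` and `rdata` the caller passed in. If any caller treats success here as proof that this particular key or signature validated the RRset, rather than that the RRset is already trusted, that conclusion would now be wrong; the callers are outside the hunk, so this needs checking. Everything after `dns_dnssec_verify` is skipped as well, and the `wild` argument suggests wildcard handling lives there; the function continues past the hunk. I would expand the new comment to state the invariant being relied on, e.g. `/* trust >= secure is only set after successful DNSSEC validation of this rdataset, so skip re-verification (and the validation quota check). */`.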