Check RRset trust in validate_neg_rrset()
authorMatthijs Mekking <matthijs@isc.org>
Tue, 3 Mar 2026 10:43:23 +0000 (11:43 +0100)
committerMichał Kępień <michal@isc.org>
Fri, 13 Mar 2026 12:03:33 +0000 (13:03 +0100)
In many places we only create a validator if the RRset has too low
trust (the RRset is pending validation, or could not be validated
before). This check was missing prior to validating negative response
data.

lib/dns/validator.c

index 069942488eebd8dd66e8ff6ed688dcc5eddf776c..9367664de40bd983eb18becedd24fe32a9d538e2 100644 (file)
@@ -2777,11 +2777,21 @@ validate_neg_rrset(dns_validator_t *val, dns_name_t *name,
                }
        }
 
+       if (rdataset->type != dns_rdatatype_nsec &&
+           DNS_TRUST_SECURE(rdataset->trust))
+       {
+               /*
+                * The negative response data is already verified.
+                * We skip NSEC records, because they require special
+                * processing in validator_callback_nsec().
+                */
+               return DNS_R_CONTINUE;
+       }
+
        val->nxset = rdataset;
        RETERR(create_validator(val, name, rdataset->type, rdataset,
                                sigrdataset, validator_callback_nsec,
                                "validate_neg_rrset"));
-
        val->authcount++;
        return DNS_R_WAIT;
 }
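Review bot: The new early return excludes NSEC but says nothing about NSEC3, even though the create_validator() call below routes every negative RRset type through validator_callback_nsec, so a reader cannot tell from this hunk whether a secure NSEC3 RRset is safe to skip. If NSEC3 proofs are derived later from the cached rdatasets rather than in the callback, the comment should say so, e.g. `* NSEC3 records are not excluded here: their proofs are built later from the cached rdatasets rather than in the callback.`; if they are not, the condition likely needs `rdataset->type != dns_rdatatype_nsec3 &&` as well. The return also now happens before `val->nxset = rdataset;`, so nxset keeps whatever an earlier iteration left in it — presumably harmless for a skipped RRset, but worth confirming against the code that reads nxset, which is outside this hunk. validate_neg_rrset's body begins before the hunk.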
@@ -2884,11 +2894,9 @@ validate_ncache(dns_validator_t *val, bool resume) {
                }
 
                result = validate_neg_rrset(val, name, rdataset, sigrdataset);
-               if (result == DNS_R_CONTINUE) {
-                       continue;
+               if (result != DNS_R_CONTINUE) {
+                       return result;
                }
-
-               return result;
        }
        if (result == ISC_R_NOMORE) {
                result = ISC_R_SUCCESS;