return map_get(trust_anchors, (const char *)name);
}
-const knot_dname_t *kr_ta_get_longest_name(map_t *trust_anchors, const knot_dname_t *name)
-{
- while(name) {
- if (kr_ta_get(trust_anchors, name)) {
- return name;
- }
- if (name[0] == '\0') {
- break;
- }
- name = knot_wire_next_label(name, NULL);
- }
- return NULL;
-}
-
const knot_dname_t * kr_ta_closest(const struct kr_context *ctx, const knot_dname_t *name,
const uint16_t type)
{
KR_EXPORT
void kr_ta_clear(map_t *trust_anchors);
-/**
- * Return TA with the longest name that covers given name.
- * @param trust_anchors trust store
- * @param name name of the TA
- * @return pointer to name or NULL.
- if not NULL, points inside the name parameter.
- */
-KR_EXPORT
-const knot_dname_t *kr_ta_get_longest_name(map_t *trust_anchors, const knot_dname_t *name);
-
const knot_dname_t *start_name = qry->sname;
if ((qry->flags.AWAIT_CUT) && !resume) {
qry->flags.AWAIT_CUT = false;
- const knot_dname_t *longest_ta = kr_ta_get_longest_name(trust_anchors, qry->sname);
+ const knot_dname_t *longest_ta = kr_ta_closest(request->ctx, qry->sname, qry->stype);
if (longest_ta) {
start_name = longest_ta;
qry->zone_cut.name = knot_dname_copy(start_name, qry->zone_cut.pool);
}
/* Enable DNSSEC if entering a new (or different) island of trust,
* and update the TA RRset if required. */
- bool want_secured = (qry->flags.DNSSEC_WANT) &&
- !knot_wire_get_cd(request->qsource.packet->wire);
+ const bool has_cd = knot_wire_get_cd(request->qsource.packet->wire);
knot_rrset_t *ta_rr = kr_ta_get(trust_anchors, qry->zone_cut.name);
- if (!knot_wire_get_cd(request->qsource.packet->wire) && ta_rr) {
+ if (!has_cd && ta_rr) {
qry->flags.DNSSEC_WANT = true;
- want_secured = true;
-
if (qry->zone_cut.trust_anchor == NULL
|| !knot_dname_is_equal(qry->zone_cut.trust_anchor->owner, qry->zone_cut.name)) {
mm_free(qry->zone_cut.pool, qry->zone_cut.trust_anchor);
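Review bot: The local is still called `longest_ta` although the lookup is now `kr_ta_closest(request->ctx, qry->sname, qry->stype)`, and nothing on the line says what "closest" may return; the comment change elsewhere in this commit ("covered by a closer negative TA") suggests a negative TA can be the result, in which case `qry->zone_cut.name` starts at that name while the following `kr_ta_get(trust_anchors, qry->zone_cut.name)` presumably finds no positive TA there and `DNSSEC_WANT` is left unchanged — worth stating, since this is the point where validation is or is not switched on. I would rename it to `closest_ta` and precede the call with `/* Closest TA (positive, or possibly negative — verify against kr_ta_closest) covering sname; the zone cut restarts there. */`. Note that `kr_ta_get` still uses the local `trust_anchors` map while `kr_ta_closest` takes `request->ctx`; if both can be keyed off the context it would read more consistently. The enclosing `if` block continues past the end of this hunk.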
const bool has_ta = (qry->zone_cut.trust_anchor != NULL);
const knot_dname_t *ta_name = (has_ta ? qry->zone_cut.trust_anchor->owner : NULL);
const bool refetch_ta = !has_ta || !knot_dname_is_equal(qry->zone_cut.name, ta_name);
+ const bool want_secured = qry->flags.DNSSEC_WANT && !has_cd;
if (want_secured && refetch_ta) {
/* @todo we could fetch the information from the parent cut, but we don't remember that now */
struct kr_query *next = kr_rplan_push(rplan, qry, qry->zone_cut.name, qry->sclass, KNOT_RRTYPE_DS);
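Review bot: Moving `want_secured` down to this point silently relies on the TA check earlier in the same block having already set `qry->flags.DNSSEC_WANT`, which is why the old `want_secured = true;` assignment could be dropped; a reader of this hunk alone cannot see that ordering, and `has_cd` is declared in the earlier hunk too. A one-line comment would preserve the intent, e.g. `/* DNSSEC_WANT may have just been enabled by the TA lookup above; has_cd is the request's CD bit. */` placed above the `const bool want_secured` line. The enclosing block starts before this hunk.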
/** Proven to be insecure, i.e. we have a chain of trust from TAs
* that cryptographically denies the possibility of existence
- * of a positive chain of trust from the TAs to the record. */
+ * of a positive chain of trust from the TAs to the record.
+ * Or it may be covered by a closer negative TA. */
KR_RANK_INSECURE = 8,
/** Authoritative data flag; the chain of authority was "verified".