validator: improve NTA precision
authorVladimír Čunát <vladimir.cunat@nic.cz>
Thu, 6 May 2021 15:45:51 +0000 (17:45 +0200)
committerVladimír Čunát <vladimir.cunat@nic.cz>
Thu, 6 May 2021 15:46:44 +0000 (17:46 +0200)
NEWS
lib/dnssec/ta.h
lib/layer/validate.c

diff --git a/NEWS b/NEWS
index 26fab1e827b96e7998b4870ac6d66b09cd84a3b0..bfe94176b00a185efc5960bacb4d1076701f1aea 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,11 @@
+Knot Resolver 5.x.y (2021-0m-dd)
+================================
+
+Bugfixes
+--------
+- trust_anchors.set_insecure: improve precision (#673, !1177)
+
+
 Knot Resolver 5.3.2 (2021-05-05)
 ================================
 
index f8fc93a0a89e4caab42a2383a5dc9a2712c6fc30..40094a8b36fc2f8fdefc231ab2a641cacc331639 100644 (file)
@@ -4,6 +4,7 @@
 
 #pragma once
 
+#include "lib/defines.h"
 #include "lib/generic/map.h"
 #include <libknot/rrset.h>
 
index cf5c88a1e27264baebd208aa61de6d4b78cd2694..cdcf97f2343f70c19cb3934dd651eacf687785bc 100644 (file)
@@ -16,6 +16,7 @@
 
 #include "lib/dnssec/nsec.h"
 #include "lib/dnssec/nsec3.h"
+#include "lib/dnssec/ta.h"
 #include "lib/dnssec.h"
 #include "lib/layer.h"
 #include "lib/resolve.h"
@@ -169,6 +170,13 @@ static int validate_section(kr_rrset_validation_ctx_t *vctx, struct kr_query *qr
                        continue; /* these are already OK */
                }
 
+               if (!knot_dname_is_equal(qry->zone_cut.name, rr->owner)/*optim.*/
+                   && !kr_ta_covers_qry(qry->request->ctx, rr->owner, rr->type)) {
+                       /* We have NTA "between" our (perceived) zone cut and the RR. */
+                       kr_rank_set(&entry->rank, KR_RANK_INSECURE);
+                       continue;
+               }
+
                if (rr->type == KNOT_RRTYPE_RRSIG) {
                        const knot_dname_t *signer_name = knot_rrsig_signer_name(rr->rrs.rdata);
                        if (!knot_dname_is_equal(vctx->zone_name, signer_name)) {
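Review bot: The new NTA lookup at the `kr_ta_covers_qry(qry->request->ctx, rr->owner, rr->type)` line passes `rr->type` unchanged, so for an RRSIG entry the lookup is keyed by type RRSIG rather than by the type it covers; if kr_ta_covers_qry treats DS specially as a parent-side record (I cannot see its body here), a DS RRset at an NTA name and its RRSIG could be classified differently, with the DS validated and its signature ranked insecure on the line above the `continue`. If that is the intent it deserves a comment; otherwise consider keying the lookup on the covered type, e.g. `rr->type == KNOT_RRTYPE_RRSIG ? knot_rrsig_type_covered(rr->rrs.rdata) : rr->type`. The `/*optim.*/` marker is also too terse for a check that downgrades trust: something like `/* owner == zone cut: no NTA can lie strictly between them, so skip the lookup */` would record the assumption being relied on. Note that the lookup now runs once per RR in the section, so any cost in kr_ta_covers_qry is paid per record. validate_section starts before this hunk and continues after it.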