From: Matthijs Mekking
Date: Tue, 3 Mar 2026 10:17:25 +0000 (+0100)
Subject: Don't verify already trusted rdatasets
X-Git-Tag: v9.21.20~5^2~2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0ec08c212022d08c9717f2bc6bd3e8ebd6f034ce;p=thirdparty%2Fbind9.git

Don't verify already trusted rdatasets

If we already marked an rdataset as secure (or it has even stronger trust), there is no need to cryptographically verify it again.
---
diff --git a/lib/dns/include/dns/types.h b/lib/dns/include/dns/types.h
index ef1a5461543..f8d228c6d07 100644
--- a/lib/dns/include/dns/types.h
+++ b/lib/dns/include/dns/types.h
@@ -384,6 +384,7 @@ enum {
 	((x) == dns_trust_additional || (x) == dns_trust_pending_additional)
 #define DNS_TRUST_GLUE(x) ((x) == dns_trust_glue)
 #define DNS_TRUST_ANSWER(x) ((x) == dns_trust_answer)
+#define DNS_TRUST_SECURE(x) ((x) >= dns_trust_secure)
 
 /*%
  * Name checking severities.
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index a2da24e0128..fd3a530ad62 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -1470,11 +1470,19 @@ verify(dns_validator_t *val, dst_key_t *key, dns_rdata_t *rdata,
 	bool ignore = false;
 	dns_name_t *wild;
 
+	if (DNS_TRUST_SECURE(val->rdataset->trust)) {
+		/*
+		 * This RRset was already verified before.
+		 */
+		return ISC_R_SUCCESS;
+	}
+
 	val->attributes |= VALATTR_TRIEDVERIFY;
-	wild = dns_fixedname_initname(&fixed);
 	if (over_max_validations(val)) {
 		return ISC_R_QUOTA;
 	}
+	wild = dns_fixedname_initname(&fixed);
+
 again:
 	result = dns_dnssec_verify(val->name, val->rdataset, key, ignore,
 				   val->view->mctx, rdata, wild);
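Review bot: The new `DNS_TRUST_SECURE(x)` macro is the only one in this group that uses an ordering comparison instead of equality, and nothing on the line says which trust levels it is meant to admit. It relies on `dns_trust_secure` sorting below every stronger level in the trust enum, so a reordering of that enum would silently widen or narrow what the validator now skips. A one-line comment above the macro would pin that down, e.g. `/* True for dns_trust_secure and every stronger level; depends on enum order. */`. The trust enum itself is not part of the hunk.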
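Review bot: The early return at the top of verify() turns every upstream assignment of a trust level >= dns_trust_secure into a security decision, because an rdataset that arrives already marked secure now leaves this function with ISC_R_SUCCESS without `dns_dnssec_verify()` ever running; the added comment `This RRset was already verified before.` states an invariant this function cannot check rather than something it observed. I would spell out the reliance in that comment, e.g. `Trust >= secure is only assigned after successful validation, so rely on that and skip the signature check rather than re-verifying.`. Note also that the early path returns before `VALATTR_TRIEDVERIFY` is set and before `over_max_validations()` is consulted, so a caller that inspects that attribute after a successful verify() would find it clear — presumably harmless if callers act only on the result code, but worth confirming against the callers in validator.c, which are outside the hunk. verify() begins before line 1470 and the `again:` retry loop continues past the end of the hunk.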