From: Matthijs Mekking Date: Tue, 3 Mar 2026 10:43:23 +0000 (+0100) Subject: Check RRset trust in validate_neg_rrset() X-Git-Tag: v9.21.20~5^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6ca67f65cd685cf8699540a852c1e3775bd48d64;p=thirdparty%2Fbind9.git Check RRset trust in validate_neg_rrset() In many places we only create a validator if the RRset has too low trust (the RRset is pending validation, or could not be validated before). This check was missing prior to validating negative response data.
---
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index 069942488ee..9367664de40 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -2777,11 +2777,21 @@ validate_neg_rrset(dns_validator_t *val, dns_name_t *name,
 		}
 	}
 
+	if (rdataset->type != dns_rdatatype_nsec &&
+	    DNS_TRUST_SECURE(rdataset->trust))
+	{
+		/*
+		 * The negative response data is already verified.
+		 * We skip NSEC records, because they require special
+		 * processing in validator_callback_nsec().
+		 */
+		return DNS_R_CONTINUE;
+	}
+
 	val->nxset = rdataset;
 	RETERR(create_validator(val, name, rdataset->type, rdataset,
 				sigrdataset, validator_callback_nsec,
 				"validate_neg_rrset"));
-	val->authcount++;
 	return DNS_R_WAIT;
 }
 
@@ -2884,11 +2894,9 @@ validate_ncache(dns_validator_t *val, bool resume) {
 		}
 		result = validate_neg_rrset(val, name, rdataset, sigrdataset);
-		if (result == DNS_R_CONTINUE) {
-			continue;
+		if (result != DNS_R_CONTINUE) {
+			return result;
 		}
-
-		return result;
 	}
 
 	if (result == ISC_R_NOMORE) {
 		result = ISC_R_SUCCESS;
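Review bot: The new early return in validate_neg_rrset() exempts only dns_rdatatype_nsec from the DNS_TRUST_SECURE shortcut, so an already-secure NSEC3 rdataset now yields DNS_R_CONTINUE without going through create_validator()/validator_callback_nsec(); if NSEC3 proofs also rely on per-rdataset work in that callback (which is outside the hunk), the condition needs `rdataset->type != dns_rdatatype_nsec3` as well, so please confirm against the callback. The same branch leaves val->nxset unset, so any later reader of val->nxset must not assume it was populated for a secure non-NSEC set. The removal of `val->authcount++` is not mentioned in the commit message; if authcount is still read anywhere, the message should say where it is now maintained, otherwise a one-line remark that the counter was unused would help. I would also make the added comment state the rule rather than the conclusion, e.g. `* Trust levels accepted by DNS_TRUST_SECURE() need no new validator; only lower trust (pending or previously failed validation) does.`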
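Review bot: With the trust shortcut now in validate_neg_rrset(), this loop can run to completion with every rdataset returning DNS_R_CONTINUE, so validate_ncache() reports ISC_R_SUCCESS without having created a validator and with val->nxset never set; the code after the hunk that acts on that result should be checked for an assumption that validator_callback_nsec() will run. The restructured condition itself is equivalent to the old continue/return pair. Note that `result` is reused here for both the iteration status and the validate_neg_rrset() return value, and the post-loop `if (result == ISC_R_NOMORE)` depends on the loop's increment expression, which is outside the hunk, overwriting it; a comment such as `/* result is the iteration status here; validate_neg_rrset() results were handled inside the loop. */` would make that explicit. validate_ncache() starts and ends outside the hunk.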