From: Vladimír Čunát
Date: Fri, 7 Apr 2017 10:34:46 +0000 (+0200)
Subject: kr_ta_covers_qry: add this wrapper function
X-Git-Tag: v1.3.0~23^2~16
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a3dbd1deb82c4bc5d463b7c18495ecfc26c242e2;p=thirdparty%2Fknot-resolver.git

kr_ta_covers_qry: add this wrapper function
---

diff --git a/lib/dnssec/ta.c b/lib/dnssec/ta.c
index 9f3476634..6743362b1 100644
--- a/lib/dnssec/ta.c
+++ b/lib/dnssec/ta.c
@@ -23,6 +23,7 @@
 #include "lib/defines.h"
 #include "lib/dnssec/ta.h"
+#include "lib/resolve.h"
 #include "lib/utils.h"
 knot_rrset_t *kr_ta_get(map_t *trust_anchors, const knot_dname_t *name)
@@ -123,6 +124,22 @@ int kr_ta_covers(map_t *trust_anchors, const knot_dname_t *name)
 return false;
 }
+bool kr_ta_covers_qry(struct kr_context *ctx, const knot_dname_t *name,
+ const uint16_t type)
+{
+ assert(ctx && name);
+ if (type == KNOT_RRTYPE_DS && name[0] != '\0') {
+ /* DS is parent-side record, so the parent name needs to be covered. */
+ name = knot_wire_next_label(name, NULL);
+ if (!name) {
+ assert(false);
+ return kr_error(EINVAL);
+ }
+ }
+ return kr_ta_covers(&ctx->trust_anchors, name)
+ && !kr_ta_covers(&ctx->negative_anchors, name);
+}
+
 /* Delete record data */
 static int del_record(const char *k, void *v, void *ext)
 {
diff --git a/lib/dnssec/ta.h b/lib/dnssec/ta.h
index 260fdcdf8..9a8c498fb 100644
--- a/lib/dnssec/ta.h
+++ b/lib/dnssec/ta.h
@@ -52,6 +52,14 @@ int kr_ta_add(map_t *trust_anchors, const knot_dname_t *name, uint16_t type,
 KR_EXPORT KR_PURE
 int kr_ta_covers(map_t *trust_anchors, const knot_dname_t *name);
+struct kr_context;
+/**
+ * A wrapper around kr_ta_covers that is aware of negative TA and types.
+ */
+KR_EXPORT KR_PURE
+bool kr_ta_covers_qry(struct kr_context *ctx, const knot_dname_t *name,
+ const uint16_t type);
+
 /**
  * Remove TA from trust store.
  * @param trust_anchors trust store
diff --git a/lib/layer/iterate.c b/lib/layer/iterate.c
index 53329c39b..ef2ba8b5e 100644
--- a/lib/layer/iterate.c
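Review bot: The error path `return kr_error(EINVAL);` in kr_ta_covers_qry is in a function declared `bool`, so the negative error code converts to `true` and a caller sees a knot_wire_next_label() failure as "this name is covered by a trust anchor"; an error code cannot be carried through a bool return. Given the `name[0] != '\0'` guard this branch looks reachable only for a malformed name, so the honest answer there is "not covered": `if (!name) { assert(false); return false; }`. If an error-reporting return is really wanted, the return type would have to become `int` with the same change applied to the prototype added in lib/dnssec/ta.h in this commit. The hunk contains the whole function.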
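Review bot: The new doc comment on kr_ta_covers_qry says it is "aware of negative TA and types" but not what the result means, and the DS rule that the definition in lib/dnssec/ta.c applies is the part a caller needs to know. I would state the contract: `Return true iff the name is covered by a positive trust anchor and not by a negative one; for type DS the parent name is tested, as DS lives in the parent zone.` Also, `const` on a by-value parameter (`const uint16_t type`) is a definition detail and is conventionally omitted from the prototype in the header.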
+++ b/lib/layer/iterate.c
@@ -634,8 +634,7 @@ static int process_answer(knot_pkt_t *pkt, struct kr_request *req)
 if (query->flags & QUERY_DNSSEC_INSECURE) {
 next->flags &= ~QUERY_DNSSEC_WANT;
 next->flags |= QUERY_DNSSEC_INSECURE;
- } else if (kr_ta_covers(&req->ctx->trust_anchors, cname) &&
- !kr_ta_covers(&req->ctx->negative_anchors, cname)) {
+ } else if (kr_ta_covers_qry(req->ctx, cname, query->stype)) {
 /* Want DNSSEC if it's posible to secure
 * this name (e.g. is covered by any TA) */
 next->flags |= QUERY_DNSSEC_WANT;
diff --git a/lib/resolve.c b/lib/resolve.c
index c2fc9a85f..0c35faac0 100644
--- a/lib/resolve.c
+++ b/lib/resolve.c
@@ -196,9 +196,6 @@ static void check_empty_nonterms(struct kr_query *qry, knot_pkt_t *pkt, struct k
 static int ns_fetch_cut(struct kr_query *qry, const knot_dname_t *requested_name,
 struct kr_request *req, knot_pkt_t *pkt)
 {
- map_t *trust_anchors = &req->ctx->trust_anchors;
- map_t *negative_anchors = &req->ctx->negative_anchors;
-
 /* It can occur that here parent query already have
 * provably insecured zonecut which not in the cache yet. */
 const uint32_t insec_flags = QUERY_DNSSEC_INSECURE | QUERY_DNSSEC_NODS;
@@ -214,8 +211,7 @@ static int ns_fetch_cut(struct kr_query *qry, const knot_dname_t *requested_name
 * even if cut name is covered by TA. */
 qry->flags &= ~QUERY_DNSSEC_WANT;
 qry->flags |= QUERY_DNSSEC_INSECURE;
- } else if (!kr_ta_covers(negative_anchors, qry->zone_cut.name) &&
- kr_ta_covers(trust_anchors, qry->zone_cut.name)) {
+ } else if (kr_ta_covers_qry(req->ctx, qry->zone_cut.name, KNOT_RRTYPE_NS)) {
 qry->flags |= QUERY_DNSSEC_WANT;
 } else {
 qry->flags &= ~QUERY_DNSSEC_WANT;
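Review bot: Passing `query->stype` to kr_ta_covers_qry changes what is tested for DS-type queries: the removed lines checked `cname` itself, while the wrapper added in lib/dnssec/ta.c in this commit checks the parent of `cname` when the type is DS. That is presumably intended if `next` is created with `query->stype` (its creation is outside the hunk), but it is a behaviour change the commit message does not mention, and a reader of this line cannot tell why the type matters here. A short comment would settle it: `/* type decides which name must be covered: DS checks cname's parent */`. process_answer begins and ends outside the hunk.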
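Review bot: In the `} else if (kr_ta_covers_qry(req->ctx, qry->zone_cut.name, KNOT_RRTYPE_NS))` line, `KNOT_RRTYPE_NS` is not the query's type but a stand-in meaning "test the zone-cut name itself, not its parent", and a reader may mistake it for `qry->stype`. A one-line comment makes the intent explicit: `/* NS rather than qry->stype: the cut name itself must be covered (DS would test its parent) */`. The same applies to the `cut_found.name` call in the `@@ -255,8 +251,7 @@` hunk. ns_fetch_cut begins and ends outside this hunk.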
@@ -255,8 +251,7 @@ static int ns_fetch_cut(struct kr_query *qry, const knot_dname_t *requested_name
 /* Zonecut name can change, check it again
 * to prevent unnecessary DS & DNSKEY queries */
 if (!(qry->flags & QUERY_DNSSEC_INSECURE) &&
- !kr_ta_covers(negative_anchors, cut_found.name) &&
- kr_ta_covers(trust_anchors, cut_found.name)) {
+ kr_ta_covers_qry(req->ctx, cut_found.name, KNOT_RRTYPE_NS)) {
 qry->flags |= QUERY_DNSSEC_WANT;
 } else {
 qry->flags &= ~QUERY_DNSSEC_WANT;
@@ -699,10 +694,8 @@ static int resolve_query(struct kr_request *request, const knot_pkt_t *packet)
 /* Deferred zone cut lookup for this query. */
 qry->flags |= QUERY_AWAIT_CUT;
 /* Want DNSSEC if it's posible to secure this name (e.g. is covered by any TA) */
- map_t *negative_anchors = &request->ctx->negative_anchors;
- map_t *trust_anchors = &request->ctx->trust_anchors;
 if ((knot_wire_get_ad(packet->wire) || knot_pkt_has_dnssec(packet)) &&
- kr_ta_covers(trust_anchors, qname) && !kr_ta_covers(negative_anchors, qname)) {
+ kr_ta_covers_qry(request->ctx, qname, qtype)) {
 qry->flags |= QUERY_DNSSEC_WANT;
 }