From: Remi Gacogne
Date: Fri, 26 Mar 2021 08:48:09 +0000 (+0100)
Subject: rec: Better handling of stranded DNSKeys
X-Git-Tag: dnsdist-1.6.0-rc1~43^2~4
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=cf730c2e6f0b7cc63ab589038699987133eee94c;p=thirdparty%2Fpdns.git
rec: Better handling of stranded DNSKeys
---
diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index 6170cdac1f..3f05c592f2 100644
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -2546,6 +2546,7 @@ vState SyncRes::getDSRecords(const DNSName& zone, dsmap_t& ds, bool taOnly, unsi
 return state;
 }
 
+ d_cutStates[zone] = state == vState::Secure ? vState::Insecure : state;
 /* delegation with no DS, might be Secure -> Insecure */
 if (foundCut) {
 *foundCut = true;
@@ -2558,6 +2559,7 @@ vState SyncRes::getDSRecords(const DNSName& zone, dsmap_t& ds, bool taOnly, unsi
 return state == vState::Secure ? vState::Insecure : state;
 } else {
 /* we have a DS */
+ d_cutStates[zone] = state;
 if (foundCut) {
 *foundCut = true;
 }
@@ -2768,6 +2770,19 @@ vState SyncRes::validateRecordsWithSigs(unsigned int depth, const DNSName& qname
 /* that actually does happen when a server returns NS records in authority along with the DNSKEY, leading us to trying to validate the RRSIGs for the NS with the DNSKEY that we are about to process. */
+ if (name == signer && (type == QType::NSEC || type == QType::NSEC3)) {
+ /* if we are trying to validate the DNSKEY (should not happen here),
+ or more likely NSEC(3)s proving that it does not exist, we have a problem.
+ In that case let's see if the DS does exist, and if it does let's go Bogus
+ */
+ dsmap_t results;
+ vState dsState = getDSRecords(signer, results, false, depth, true);
+ if (dsState == vState::Insecure) {
+ return dsState;
+ }
+ return vState::BogusUnableToGetDNSKEYs;
+ }
+
 return vState::Indeterminate;
 }
 }
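Review bot: The new `d_cutStates[zone]` write in the first hunk (and its twin in the second hunk, on the "we have a DS" branch) sits just after an `if` that ends with `return state;`, so whatever state takes that early exit is deliberately not recorded while the no-DS and DS-found outcomes are; a one-line comment such as `/* record the cut state only once we know whether a DS exists for this zone */` would save the next reader from having to scroll up to find out why. getDSRecords starts before both hunks and ends after them, so the early-return condition itself is not visible here. Since the map key is a zone name that ultimately derives from the query being resolved, this is fine if `d_cutStates` is per-resolution state bounded by the delegation chain; if it is longer-lived, it needs a size bound, which cannot be confirmed from the hunk.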
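Review bot: In the third hunk every `dsState` other than Insecure is collapsed into `BogusUnableToGetDNSKEYs`, including the cases where the DS lookup itself came back Bogus or Indeterminate, so the more specific failure reason from getDSRecords is discarded; if only a Secure DS is meant to turn this into Bogus, `return dsState == vState::Secure ? vState::BogusUnableToGetDNSKEYs : dsState;` keeps the original reason, and if the collapse is intentional (failing closed on any non-Insecure answer) the comment above it should say so explicitly. The bare `false` and `true` arguments in the `getDSRecords(signer, results, false, depth, true)` call are opaque at the call site; the hunk header shows the third parameter is `taOnly`, so `/* taOnly */ false` (and the matching name for the fifth, which is not visible here) would document the intent. validateRecordsWithSigs begins and ends outside the hunk.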