From: Remi Gacogne
Date: Mon, 12 Oct 2020 10:43:04 +0000 (+0200)
Subject: rec: Move to several distinct Bogus states, for easier debugging
X-Git-Tag: auth-4.4.0-alpha3~2^2~1
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=fd8709153d9318904ef2b1063bff10244d9724fd;p=thirdparty%2Fpdns.git

rec: Move to several distinct Bogus states, for easier debugging

This is especially useful after the fact, when the Bogus state is retrieved from a cache and we don't have any clue left as to how we ended up with that state.
---
diff --git a/pdns/lua-recursor4.cc b/pdns/lua-recursor4.cc
index 0fdf23772e..f240f0c550 100644
--- a/pdns/lua-recursor4.cc
+++ b/pdns/lua-recursor4.cc
@@ -347,7 +347,14 @@ void RecursorLua4::postPrepareContext()
 d_pd.push_back({"validationstates", in_t{
 {"Indeterminate", static_cast(vState::Indeterminate) },
- {"Bogus", static_cast(vState::Bogus) },
+ {"BogusNoValidDNSKEY", static_cast(vState::BogusNoValidDNSKEY) },
+ {"BogusInvalidDenial", static_cast(vState::BogusInvalidDenial) },
+ {"BogusUnableToGetDSs", static_cast(vState::BogusUnableToGetDSs) },
+ {"BogusUnableToGetDNSKEYs", static_cast(vState::BogusUnableToGetDNSKEYs) },
+ {"BogusSelfSignedDS", static_cast(vState::BogusSelfSignedDS) },
+ {"BogusNoRRSIG", static_cast(vState::BogusNoRRSIG) },
+ {"BogusNoValidRRSIG", static_cast(vState::BogusNoValidRRSIG) },
+ {"BogusMissingNegativeIndication", static_cast(vState::BogusMissingNegativeIndication) },
 {"Insecure", static_cast(vState::Insecure) },
 {"Secure", static_cast(vState::Secure) },
 }});
diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc
index dd886b048f..e3577d9982 100644
--- a/pdns/pdns_recursor.cc
+++ b/pdns/pdns_recursor.cc
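Review bot: Removing the `Bogus` key from the `validationstates` table without a replacement silently breaks Lua policy scripts that compare `dq.validationState == pdns.validationstates.Bogus`: a missing table key reads as nil in Lua, so the comparison is always false and a script that refuses or logs Bogus answers stops doing so without any error. Consider keeping an "any Bogus" affordance for scripts — exposing the same `vStateIsBogus` predicate this commit uses on the C++ side, or keeping `Bogus` as an alias if the enum still carries such a value — and calling the rename out in the upgrade notes. Whether `vState::Bogus` survives elsewhere in this commit is not visible from this hunk. postPrepareContext continues outside the hunk.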
@@ -1576,7 +1576,7 @@ static void startDoResolve(void *p)
 }
 }
- if (t_pdl || (g_dns64Prefix && dq.qtype == QType::AAAA && dq.validationState != vState::Bogus)) {
+ if (t_pdl || (g_dns64Prefix && dq.qtype == QType::AAAA && !vStateIsBogus(dq.validationState))) {
 if (res == RCode::NoError) {
 auto i = ret.cbegin();
 for(; i!= ret.cend(); ++i) {
@@ -1590,7 +1590,7 @@ static void startDoResolve(void *p)
 if (t_pdl && t_pdl->nodata(dq, res)) {
 shouldNotValidate = true;
 }
- else if (g_dns64Prefix && dq.qtype == QType::AAAA && dq.validationState != vState::Bogus) {
+ else if (g_dns64Prefix && dq.qtype == QType::AAAA && !vStateIsBogus(dq.validationState)) {
 res = getFakeAAAARecords(dq.qname, *g_dns64Prefix, ret);
 shouldNotValidate = true;
 }
@@ -1654,7 +1654,7 @@ static void startDoResolve(void *p)
 pw.getHeader()->ad=0;
 }
- else if(state == vState::Bogus) {
+ else if (vStateIsBogus(state)) {
 if(t_bogusremotes)
 t_bogusremotes->push_back(dc->d_source);
 if(t_bogusqueryring)
@@ -2619,7 +2619,7 @@ static string* doProcessUDPQuestion(const std::string& question, const ComboAddr
 }
 if (cacheHit) {
- if(valState == vState::Bogus) {
+ if (vStateIsBogus(valState)) {
 if(t_bogusremotes)
 t_bogusremotes->push_back(source);
 if(t_bogusqueryring)
diff --git a/pdns/rec_channel_rec.cc b/pdns/rec_channel_rec.cc
index a192962a23..468f130999 100644
--- a/pdns/rec_channel_rec.cc
+++ b/pdns/rec_channel_rec.cc
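Review bot: The DNS64 eligibility predicate `g_dns64Prefix && dq.qtype == QType::AAAA && !vStateIsBogus(dq.validationState)` is now spelled out twice in startDoResolve, in the `@@ -1576` and `@@ -1590` hunks, and the two copies will drift apart the next time one of them is touched. If nothing between the two checks modifies `dq.validationState`, computing it once, `const bool dns64Candidate = g_dns64Prefix && dq.qtype == QType::AAAA && !vStateIsBogus(dq.validationState);`, before the first `if` and using it in both places would keep them in step. The definition of `vStateIsBogus` is not in any visible hunk of this patch, so I am assuming it lives in the validation header together with the new enum values. startDoResolve and doProcessUDPQuestion both begin and end outside these hunks.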
@@ -1169,7 +1169,14 @@ void registerAllStats()
 addGetStat("dnssec-validations", &g_stats.dnssecValidations);
 addGetStat("dnssec-result-insecure", &g_stats.dnssecResults[vState::Insecure]);
 addGetStat("dnssec-result-secure", &g_stats.dnssecResults[vState::Secure]);
- addGetStat("dnssec-result-bogus", &g_stats.dnssecResults[vState::Bogus]);
+ addGetStat("dnssec-result-bogus-no-valid-dnskey", &g_stats.dnssecResults[vState::BogusNoValidDNSKEY]);
+ addGetStat("dnssec-result-bogus-invalid-denial", &g_stats.dnssecResults[vState::BogusInvalidDenial]);
+ addGetStat("dnssec-result-bogus-unable-to-get-dss", &g_stats.dnssecResults[vState::BogusUnableToGetDSs]);
+ addGetStat("dnssec-result-bogus-unable-to-get-dnskeys", &g_stats.dnssecResults[vState::BogusUnableToGetDNSKEYs]);
+ addGetStat("dnssec-result-bogus-self-signed-ds", &g_stats.dnssecResults[vState::BogusSelfSignedDS]);
+ addGetStat("dnssec-result-bogus-no-rrsig", &g_stats.dnssecResults[vState::BogusNoRRSIG]);
+ addGetStat("dnssec-result-bogus-no-valid-rrsig", &g_stats.dnssecResults[vState::BogusNoValidRRSIG]);
+ addGetStat("dnssec-result-bogus-missing-negative-indication", &g_stats.dnssecResults[vState::BogusMissingNegativeIndication]);
 addGetStat("dnssec-result-indeterminate", &g_stats.dnssecResults[vState::Indeterminate]);
 addGetStat("dnssec-result-nta", &g_stats.dnssecResults[vState::NTA]);
diff --git a/pdns/recursor_cache.cc b/pdns/recursor_cache.cc
index d819dac29b..8961eb8dbe 100644
--- a/pdns/recursor_cache.cc
+++ b/pdns/recursor_cache.cc
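Review bot: Dropping the `dnssec-result-bogus` metric is a breaking change for monitoring: dashboards and alerts that watch the Bogus rate as a DNSSEC-failure signal will see the metric vanish rather than spike, and operators now have to sum eight names to recover the old value. I would keep the aggregate name next to the new per-reason entries, computed from them, assuming the function-valued `addGetStat` overload that this file uses for other derived statistics is available here. The new metric names also need to reach the metrics documentation, which this patch does not touch as far as is visible. registerAllStats continues outside the hunk.
```cpp
  // … unchanged: the eight per-reason dnssec-result-bogus-* registrations …
  /* keep the pre-existing aggregate so existing monitoring keeps working */
  addGetStat("dnssec-result-bogus", []() {
    uint64_t total = 0;
    for (const auto state : {vState::BogusNoValidDNSKEY, vState::BogusInvalidDenial,
                             vState::BogusUnableToGetDSs, vState::BogusUnableToGetDNSKEYs,
                             vState::BogusSelfSignedDS, vState::BogusNoRRSIG,
                             vState::BogusNoValidRRSIG, vState::BogusMissingNegativeIndication}) {
      total += g_stats.dnssecResults[state];
    }
    return total;
  });
  // … unchanged: dnssec-result-indeterminate and dnssec-result-nta registrations …
```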
@@ -93,19 +93,19 @@ static void updateDNSSECValidationStateFromCache(boost::optional& state,
 else if (stateUpdate == vState::NTA) {
 state = vState::Insecure;
 }
- else if (stateUpdate == vState::Bogus) {
+ else if (vStateIsBogus(stateUpdate)) {
 state = stateUpdate;
 }
 else if (stateUpdate == vState::Indeterminate) {
 state = stateUpdate;
 }
 else if (stateUpdate == vState::Insecure) {
- if (*state != vState::Bogus && *state != vState::Indeterminate) {
+ if (!vStateIsBogus(*state) && *state != vState::Indeterminate) {
 state = stateUpdate;
 }
 }
 else if (stateUpdate == vState::Secure) {
- if (*state != vState::Bogus && *state != vState::Indeterminate) {
+ if (!vStateIsBogus(*state) && *state != vState::Indeterminate) {
 state = stateUpdate;
 }
 }
diff --git a/pdns/recursordist/test-syncres_cc3.cc b/pdns/recursordist/test-syncres_cc3.cc
index 3299244d3d..0830d11fd6 100644
--- a/pdns/recursordist/test-syncres_cc3.cc
+++ b/pdns/recursordist/test-syncres_cc3.cc
@@ -1045,7 +1045,7 @@ BOOST_AUTO_TEST_CASE(test_forward_zone_recurse_rd_dnssec_bogus)
 vector ret;
 int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
 BOOST_CHECK_EQUAL(res, RCode::NoError);
- BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG);
 BOOST_REQUIRE_EQUAL(ret.size(), 3U);
 BOOST_CHECK_EQUAL(queriesCount, 5U);
@@ -1053,7 +1053,7 @@ BOOST_AUTO_TEST_CASE(test_forward_zone_recurse_rd_dnssec_bogus)
 ret.clear();
 res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
 BOOST_CHECK_EQUAL(res, RCode::NoError);
- BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG);
 BOOST_REQUIRE_EQUAL(ret.size(), 3U);
 BOOST_CHECK_EQUAL(queriesCount, 5U);
 }
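Review bot: Now that there are several Bogus values, the branch `else if (vStateIsBogus(stateUpdate)) { state = stateUpdate; }` overwrites an existing Bogus state with whichever Bogus reason arrives last, so the reason that ends up attached to the merged state is the most recent one rather than the first failure encountered. That is a defensible merge rule, but since the whole purpose of this commit is to preserve the reason for later debugging, it deserves to be stated, e.g. `/* any Bogus update wins; when both sides are Bogus the reason seen last is kept */` above the branch. The function's remaining branches keep the pre-existing precedence and are unaffected. updateDNSSECValidationStateFromCache begins outside the hunk.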
@@ -1108,7 +1108,7 @@ BOOST_AUTO_TEST_CASE(test_forward_zone_recurse_rd_dnssec_nodata_bogus) vector ret; int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); BOOST_CHECK_EQUAL(res, RCode::NoError); - BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus); + BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusMissingNegativeIndication); BOOST_REQUIRE_EQUAL(ret.size(), 0U); /* com|NS, powerdns.com|NS, powerdns.com|A */ BOOST_CHECK_EQUAL(queriesCount, 3U); @@ -1117,7 +1117,7 @@ BOOST_AUTO_TEST_CASE(test_forward_zone_recurse_rd_dnssec_nodata_bogus) ret.clear(); res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); BOOST_CHECK_EQUAL(res, RCode::NoError); - BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus); + BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusMissingNegativeIndication); BOOST_REQUIRE_EQUAL(ret.size(), 0U); /* we don't store empty results */ BOOST_CHECK_EQUAL(queriesCount, 4U); diff --git a/pdns/recursordist/test-syncres_cc4.cc b/pdns/recursordist/test-syncres_cc4.cc index 8199f318cc..761d84cc31 100644 --- a/pdns/recursordist/test-syncres_cc4.cc +++ b/pdns/recursordist/test-syncres_cc4.cc @@ -670,7 +670,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_bogus_no_dnskey) vector ret; int res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret); BOOST_CHECK_EQUAL(res, RCode::NoError); - BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus); + BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusMissingNegativeIndication); /* 13 NS + 1 RRSIG */ BOOST_REQUIRE_EQUAL(ret.size(), 14U); BOOST_CHECK_EQUAL(queriesCount, 2U); 
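Review bot: `test_dnssec_bogus_no_dnskey` (the `@@ -670` hunk) now expects `vState::BogusMissingNegativeIndication`, not one of the DNSKEY-related reasons such as `BogusNoValidDNSKEY` or `BogusUnableToGetDNSKEYs`, which a reader of the test name will not anticipate. Presumably the empty DNSKEY answer is rejected as an unproven denial before the key lookup itself is reported as failed, but that is inferred rather than visible here, and a one-line comment above the check, e.g. `/* the DNSKEY query yields an unproven NODATA, so the denial rather than the missing key is what gets flagged */`, would spare the next reader the trip through the validator. The same expectation recurs in the `@@ -679` hunk that follows and in `test_forward_zone_recurse_rd_dnssec_nodata_bogus` above. The test case body begins outside the hunk.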
@@ -679,7 +679,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_bogus_no_dnskey) ret.clear(); res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret); BOOST_CHECK_EQUAL(res, RCode::NoError); - BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus); + BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusMissingNegativeIndication); BOOST_REQUIRE_EQUAL(ret.size(), 14U); BOOST_CHECK_EQUAL(queriesCount, 2U); } @@ -747,7 +747,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_bogus_dnskey_without_zone_flag) vector ret; int res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret); BOOST_CHECK_EQUAL(res, RCode::NoError); - BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus); + BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoValidDNSKEY); /* 13 NS + 1 RRSIG */ BOOST_REQUIRE_EQUAL(ret.size(), 14U); BOOST_CHECK_EQUAL(queriesCount, 2U); @@ -756,7 +756,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_bogus_dnskey_without_zone_flag) ret.clear(); res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret); BOOST_CHECK_EQUAL(res, RCode::NoError); - BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus); + BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoValidDNSKEY); BOOST_REQUIRE_EQUAL(ret.size(), 14U); BOOST_CHECK_EQUAL(queriesCount, 2U); } @@ -824,7 +824,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_bogus_dnskey_revoked) vector ret; int res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret); BOOST_CHECK_EQUAL(res, RCode::NoError); - BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus); + BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoValidDNSKEY); /* 13 NS + 1 RRSIG */ BOOST_REQUIRE_EQUAL(ret.size(), 14U); BOOST_CHECK_EQUAL(queriesCount, 2U); 
@@ -833,7 +833,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_bogus_dnskey_revoked) ret.clear(); res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret); BOOST_CHECK_EQUAL(res, RCode::NoError); - BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus); + BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoValidDNSKEY); BOOST_REQUIRE_EQUAL(ret.size(), 14U); BOOST_CHECK_EQUAL(queriesCount, 2U); } @@ -912,7 +912,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_bogus_dnskey_doesnt_match_ds) vector ret; int res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret); BOOST_CHECK_EQUAL(res, RCode::NoError); - BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus); + BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoValidDNSKEY); /* 13 NS + 1 RRSIG */ BOOST_REQUIRE_EQUAL(ret.size(), 14U); BOOST_CHECK_EQUAL(queriesCount, 2U); @@ -921,7 +921,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_bogus_dnskey_doesnt_match_ds) ret.clear(); res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret); BOOST_CHECK_EQUAL(res, RCode::NoError); - BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus); + BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoValidDNSKEY); BOOST_REQUIRE_EQUAL(ret.size(), 14U); BOOST_CHECK_EQUAL(queriesCount, 2U); @@ -954,7 +954,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_bogus_dnskey_doesnt_match_ds) ret.clear(); res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret); BOOST_CHECK_EQUAL(res, RCode::NoError); - BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus); + BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoValidDNSKEY); BOOST_REQUIRE_EQUAL(ret.size(), 14U); BOOST_CHECK_EQUAL(queriesCount, 4U); } 
@@ -1022,7 +1022,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_bogus_rrsig_signed_with_unknown_dnskey) vector ret; int res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret); BOOST_CHECK_EQUAL(res, RCode::NoError); - BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus); + BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoValidRRSIG); /* 13 NS + 1 RRSIG */ BOOST_REQUIRE_EQUAL(ret.size(), 14U); BOOST_CHECK_EQUAL(queriesCount, 2U); @@ -1031,7 +1031,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_bogus_rrsig_signed_with_unknown_dnskey) ret.clear(); res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret); BOOST_CHECK_EQUAL(res, RCode::NoError); - BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus); + BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoValidRRSIG); BOOST_REQUIRE_EQUAL(ret.size(), 14U); BOOST_CHECK_EQUAL(queriesCount, 2U); } @@ -1092,7 +1092,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_bogus_no_rrsig) vector ret; int res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret); BOOST_CHECK_EQUAL(res, RCode::NoError); - BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus); + BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG); /* 13 NS + 0 RRSIG */ BOOST_REQUIRE_EQUAL(ret.size(), 13U); /* no RRSIG so no query for DNSKEYs */ @@ -1102,7 +1102,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_bogus_no_rrsig) ret.clear(); res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret); BOOST_CHECK_EQUAL(res, RCode::NoError); - BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus); + BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG); BOOST_REQUIRE_EQUAL(ret.size(), 13U); /* check that we capped the TTL to max-cache-bogus-ttl */ for (const auto& record : ret) { 
@@ -1329,7 +1329,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_bogus_bad_sig) vector ret; int res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret); BOOST_CHECK_EQUAL(res, RCode::NoError); - BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus); + BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoValidRRSIG); /* 13 NS + 1 RRSIG */ BOOST_REQUIRE_EQUAL(ret.size(), 14U); BOOST_CHECK_EQUAL(queriesCount, 2U); @@ -1338,7 +1338,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_bogus_bad_sig) ret.clear(); res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret); BOOST_CHECK_EQUAL(res, RCode::NoError); - BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus); + BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoValidRRSIG); BOOST_REQUIRE_EQUAL(ret.size(), 14U); BOOST_CHECK_EQUAL(queriesCount, 2U); } @@ -1398,7 +1398,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_bogus_bad_algo) vector ret; int res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret); BOOST_CHECK_EQUAL(res, RCode::NoError); - BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus); + BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoValidRRSIG); /* 13 NS + 1 RRSIG */ BOOST_REQUIRE_EQUAL(ret.size(), 14U); BOOST_CHECK_EQUAL(queriesCount, 2U); @@ -1407,7 +1407,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_bogus_bad_algo) ret.clear(); res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret); BOOST_CHECK_EQUAL(res, RCode::NoError); - BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus); + BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoValidRRSIG); BOOST_REQUIRE_EQUAL(ret.size(), 14U); BOOST_CHECK_EQUAL(queriesCount, 2U); } 
@@ -1473,7 +1473,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_bogus_unsigned_ds) vector ret; int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); BOOST_CHECK_EQUAL(res, RCode::NoError); - BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus); + BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG); BOOST_REQUIRE_EQUAL(ret.size(), 2U); BOOST_CHECK_EQUAL(queriesCount, 3U); @@ -1481,7 +1481,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_bogus_unsigned_ds) ret.clear(); res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); BOOST_CHECK_EQUAL(res, RCode::NoError); - BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus); + BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG); BOOST_REQUIRE_EQUAL(ret.size(), 2U); BOOST_CHECK_EQUAL(queriesCount, 3U); @@ -1489,7 +1489,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_bogus_unsigned_ds) ret.clear(); res = sr->beginResolve(DNSName("com."), QType(QType::DS), QClass::IN, ret); BOOST_CHECK_EQUAL(res, RCode::NoError); - BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus); + BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG); BOOST_REQUIRE_EQUAL(ret.size(), 1U); BOOST_CHECK_EQUAL(queriesCount, 3U); } @@ -1547,7 +1547,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_bogus_unsigned_ds_direct) vector ret; int res = sr->beginResolve(DNSName("com."), QType(QType::DS), QClass::IN, ret); BOOST_CHECK_EQUAL(res, RCode::NoError); - BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus); + BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG); BOOST_REQUIRE_EQUAL(ret.size(), 1U); BOOST_CHECK_EQUAL(queriesCount, 1U); } diff --git a/pdns/recursordist/test-syncres_cc5.cc b/pdns/recursordist/test-syncres_cc5.cc index 29f94e23c2..76b7495ff5 100644 --- a/pdns/recursordist/test-syncres_cc5.cc +++ b/pdns/recursordist/test-syncres_cc5.cc 
@@ -1501,7 +1501,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec_wildcard_missing) vector ret; int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); BOOST_CHECK_EQUAL(res, RCode::NoError); - BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus); + BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusInvalidDenial); BOOST_REQUIRE_EQUAL(ret.size(), 2U); BOOST_CHECK_EQUAL(queriesCount, 9U); @@ -1509,7 +1509,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec_wildcard_missing) ret.clear(); res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); BOOST_CHECK_EQUAL(res, RCode::NoError); - BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus); + BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusInvalidDenial); BOOST_REQUIRE_EQUAL(ret.size(), 2U); BOOST_CHECK_EQUAL(queriesCount, 9U); } diff --git a/pdns/recursordist/test-syncres_cc6.cc b/pdns/recursordist/test-syncres_cc6.cc index 7c93429b8d..dc056974af 100644 --- a/pdns/recursordist/test-syncres_cc6.cc +++ b/pdns/recursordist/test-syncres_cc6.cc @@ -225,7 +225,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_ds_sign_loop) vector ret; int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); BOOST_CHECK_EQUAL(res, RCode::NoError); - BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus); + BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusSelfSignedDS); BOOST_REQUIRE_EQUAL(ret.size(), 2U); BOOST_CHECK_EQUAL(queriesCount, 8U); @@ -233,7 +233,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_ds_sign_loop) ret.clear(); res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); BOOST_CHECK_EQUAL(res, RCode::NoError); - BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus); + BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusSelfSignedDS); BOOST_REQUIRE_EQUAL(ret.size(), 2U); BOOST_CHECK_EQUAL(queriesCount, 8U); } 
@@ -385,7 +385,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_dnskey_signed_child) vector ret; int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); BOOST_CHECK_EQUAL(res, RCode::NoError); - BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus); + BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoValidDNSKEY); BOOST_REQUIRE_EQUAL(ret.size(), 2U); BOOST_CHECK_EQUAL(queriesCount, 10U); @@ -393,7 +393,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_dnskey_signed_child) ret.clear(); res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); BOOST_CHECK_EQUAL(res, RCode::NoError); - BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus); + BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoValidDNSKEY); BOOST_REQUIRE_EQUAL(ret.size(), 2U); BOOST_CHECK_EQUAL(queriesCount, 10U); } @@ -583,7 +583,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_validation_bogus_unsigned_nsec) vector ret; int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); BOOST_CHECK_EQUAL(res, RCode::NoError); - BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus); + BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG); BOOST_CHECK_EQUAL(ret.size(), 3U); BOOST_CHECK_EQUAL(queriesCount, 8U); @@ -591,7 +591,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_validation_bogus_unsigned_nsec) ret.clear(); res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); BOOST_CHECK_EQUAL(res, RCode::NoError); - BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus); + BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG); BOOST_REQUIRE_EQUAL(ret.size(), 3U); BOOST_CHECK_EQUAL(queriesCount, 8U); } 
@@ -671,7 +671,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_validation_bogus_no_nsec) vector ret; int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); BOOST_CHECK_EQUAL(res, RCode::NoError); - BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus); + BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusInvalidDenial); BOOST_CHECK_EQUAL(ret.size(), 2U); BOOST_CHECK_EQUAL(queriesCount, 8U); @@ -679,7 +679,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_validation_bogus_no_nsec) ret.clear(); res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); BOOST_CHECK_EQUAL(res, RCode::NoError); - BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus); + BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusInvalidDenial); BOOST_REQUIRE_EQUAL(ret.size(), 2U); BOOST_CHECK_EQUAL(queriesCount, 8U); } diff --git a/pdns/recursordist/test-syncres_cc7.cc b/pdns/recursordist/test-syncres_cc7.cc index 6fbcc2725e..583822a737 100644 --- a/pdns/recursordist/test-syncres_cc7.cc +++ b/pdns/recursordist/test-syncres_cc7.cc @@ -707,7 +707,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_bogus_to_secure_cname) vector ret; int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); BOOST_CHECK_EQUAL(res, RCode::NoError); - BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus); + BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG); BOOST_REQUIRE_EQUAL(ret.size(), 3U); BOOST_CHECK_EQUAL(queriesCount, 11U); @@ -715,7 +715,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_bogus_to_secure_cname) ret.clear(); res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); BOOST_CHECK_EQUAL(res, RCode::NoError); - BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus); + BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG); BOOST_REQUIRE_EQUAL(ret.size(), 3U); BOOST_CHECK_EQUAL(queriesCount, 11U); } 
@@ -803,7 +803,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_bogus_cname) vector ret; int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); BOOST_CHECK_EQUAL(res, RCode::NoError); - BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus); + BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG); BOOST_REQUIRE_EQUAL(ret.size(), 3U); BOOST_CHECK_EQUAL(queriesCount, 11U); @@ -811,7 +811,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_bogus_cname) ret.clear(); res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); BOOST_CHECK_EQUAL(res, RCode::NoError); - BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus); + BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG); BOOST_REQUIRE_EQUAL(ret.size(), 3U); BOOST_CHECK_EQUAL(queriesCount, 11U); } @@ -1020,7 +1020,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_bogus_to_insecure_cname) vector ret; int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); BOOST_CHECK_EQUAL(res, RCode::NoError); - BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus); + BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG); /* no RRSIG to show */ BOOST_CHECK_EQUAL(ret.size(), 2U); BOOST_CHECK_EQUAL(queriesCount, 10U); @@ -1029,7 +1029,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_bogus_to_insecure_cname) ret.clear(); res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); BOOST_CHECK_EQUAL(res, RCode::NoError); - BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus); + BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG); BOOST_CHECK_EQUAL(ret.size(), 2U); BOOST_CHECK_EQUAL(queriesCount, 10U); } 
@@ -1210,7 +1210,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_insecure_ta_norrsig) int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); BOOST_CHECK_EQUAL(res, RCode::NoError); /* should be insecure but we have a TA for powerdns.com., but no RRSIG so Bogus */ - BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus); + BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG); /* No RRSIG */ BOOST_REQUIRE_EQUAL(ret.size(), 1U); BOOST_CHECK(ret[0].d_type == QType::A); @@ -1220,7 +1220,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_insecure_ta_norrsig) ret.clear(); res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); BOOST_CHECK_EQUAL(res, RCode::NoError); - BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus); + BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG); BOOST_REQUIRE_EQUAL(ret.size(), 1U); BOOST_CHECK(ret[0].d_type == QType::A); BOOST_CHECK_EQUAL(queriesCount, 4U); @@ -1388,7 +1388,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_bogus_nodata) vector ret; int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); BOOST_CHECK_EQUAL(res, RCode::NoError); - BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus); + BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusMissingNegativeIndication); BOOST_REQUIRE_EQUAL(ret.size(), 0U); /* com|NS, powerdns.com|NS, powerdns.com|A */ BOOST_CHECK_EQUAL(queriesCount, 3U); @@ -1397,7 +1397,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_bogus_nodata) ret.clear(); res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); BOOST_CHECK_EQUAL(res, RCode::NoError); - BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus); + BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusMissingNegativeIndication); BOOST_REQUIRE_EQUAL(ret.size(), 0U); /* we don't store empty results */ BOOST_CHECK_EQUAL(queriesCount, 4U); 
@@ -1441,7 +1441,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_bogus_nxdomain) vector ret; int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); BOOST_CHECK_EQUAL(res, RCode::NXDomain); - BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus); + BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusMissingNegativeIndication); BOOST_REQUIRE_EQUAL(ret.size(), 0U); /* com|NS, powerdns.com|NS, powerdns.com|A */ BOOST_CHECK_EQUAL(queriesCount, 3U); @@ -1450,7 +1450,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_bogus_nxdomain) ret.clear(); res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); BOOST_CHECK_EQUAL(res, RCode::NXDomain); - BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus); + BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusMissingNegativeIndication); BOOST_REQUIRE_EQUAL(ret.size(), 0U); /* we don't store empty results */ BOOST_CHECK_EQUAL(queriesCount, 4U); diff --git a/pdns/recursordist/test-syncres_cc8.cc b/pdns/recursordist/test-syncres_cc8.cc index 5ad50834f3..d1f237a49a 100644 --- a/pdns/recursordist/test-syncres_cc8.cc +++ b/pdns/recursordist/test-syncres_cc8.cc @@ -747,7 +747,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_rrsig_negcache_bogus_validity) vector ret; int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); BOOST_CHECK_EQUAL(res, RCode::NoError); - BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus); + BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG); BOOST_REQUIRE_EQUAL(ret.size(), 3U); BOOST_CHECK_EQUAL(queriesCount, 4U); 
@@ -756,7 +756,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_rrsig_negcache_bogus_validity) BOOST_CHECK_EQUAL(g_negCache->size(), 1U); BOOST_REQUIRE_EQUAL(g_negCache->get(target, QType(QType::A), sr->getNow(), ne), true); BOOST_CHECK_EQUAL(ne.d_ttd, fixedNow + SyncRes::s_maxbogusttl); - BOOST_CHECK_EQUAL(ne.d_validationState, vState::Bogus); + BOOST_CHECK_EQUAL(ne.d_validationState, vState::BogusNoRRSIG); BOOST_CHECK_EQUAL(ne.authoritySOA.records.size(), 1U); BOOST_CHECK_EQUAL(ne.authoritySOA.signatures.size(), 1U); BOOST_CHECK_EQUAL(ne.DNSSECRecords.records.size(), 1U); @@ -766,7 +766,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_rrsig_negcache_bogus_validity) ret.clear(); res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); BOOST_CHECK_EQUAL(res, RCode::NoError); - BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus); + BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG); BOOST_REQUIRE_EQUAL(ret.size(), 3U); BOOST_CHECK_EQUAL(queriesCount, 4U); } @@ -1030,7 +1030,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_validation_from_cache_bogus) sr->setDNSSECValidationRequested(true); res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); BOOST_CHECK_EQUAL(res, RCode::NoError); - BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus); + BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG); /* check that we correctly capped the TTD for a Bogus record after just-in-time validation */ BOOST_REQUIRE_EQUAL(ret.size(), 1U); @@ -1046,7 +1046,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_validation_from_cache_bogus) sr->setDNSSECValidationRequested(true); res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); BOOST_CHECK_EQUAL(res, RCode::NoError); - BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus); + BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG); BOOST_REQUIRE_EQUAL(ret.size(), 1U); for (const auto& record : ret) { BOOST_CHECK(record.d_type == QType::A); 
diff --git a/pdns/recursordist/test-syncres_cc9.cc b/pdns/recursordist/test-syncres_cc9.cc index 915451715d..9718a184ae 100644 --- a/pdns/recursordist/test-syncres_cc9.cc +++ b/pdns/recursordist/test-syncres_cc9.cc @@ -224,7 +224,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_validation_from_cname_cache_bogus) sr->setDNSSECValidationRequested(true); res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); BOOST_CHECK_EQUAL(res, RCode::NoError); - BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus); + BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG); BOOST_REQUIRE_EQUAL(ret.size(), 2U); /* check that we correctly capped the TTD for a Bogus record after just-in-time validation */ @@ -240,7 +240,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_validation_from_cname_cache_bogus) sr->setDNSSECValidationRequested(true); res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); BOOST_CHECK_EQUAL(res, RCode::NoError); - BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus); + BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG); BOOST_REQUIRE_EQUAL(ret.size(), 2U); for (const auto& record : ret) { BOOST_CHECK(record.d_type == QType::CNAME || record.d_type == QType::A); 
@@ -627,14 +627,14 @@ BOOST_AUTO_TEST_CASE(test_dnssec_validation_from_negcache_bogus)
 sr->setDNSSECValidationRequested(true);
 res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
 BOOST_CHECK_EQUAL(res, RCode::NoError);
- BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusInvalidDenial);
 BOOST_REQUIRE_EQUAL(ret.size(), 2U);
 for (const auto& record : ret) {
 BOOST_CHECK_EQUAL(record.d_ttl, SyncRes::s_maxbogusttl);
 }
 BOOST_CHECK_EQUAL(queriesCount, 4U);
 BOOST_REQUIRE_EQUAL(g_negCache->get(target, QType(QType::A), sr->getNow(), ne), true);
- BOOST_CHECK_EQUAL(ne.d_validationState, vState::Bogus);
+ BOOST_CHECK_EQUAL(ne.d_validationState, vState::BogusInvalidDenial);
 BOOST_CHECK_EQUAL(ne.authoritySOA.records.size(), 1U);
 BOOST_CHECK_EQUAL(ne.authoritySOA.signatures.size(), 1U);
 BOOST_CHECK_EQUAL(ne.d_ttd, now + SyncRes::s_maxbogusttl);
@@ -647,14 +647,14 @@ BOOST_AUTO_TEST_CASE(test_dnssec_validation_from_negcache_bogus)
 sr->setDNSSECValidationRequested(false);
 res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
 BOOST_CHECK_EQUAL(res, RCode::NoError);
- BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusInvalidDenial);
 BOOST_REQUIRE_EQUAL(ret.size(), 2U);
 for (const auto& record : ret) {
 BOOST_CHECK_EQUAL(record.d_ttl, SyncRes::s_maxbogusttl);
 }
 BOOST_CHECK_EQUAL(queriesCount, 4U);
 BOOST_REQUIRE_EQUAL(g_negCache->get(target, QType(QType::A), sr->getNow(), ne), true);
- BOOST_CHECK_EQUAL(ne.d_validationState, vState::Bogus);
+ BOOST_CHECK_EQUAL(ne.d_validationState, vState::BogusInvalidDenial);
 BOOST_CHECK_EQUAL(ne.authoritySOA.records.size(), 1U);
 BOOST_CHECK_EQUAL(ne.authoritySOA.signatures.size(), 1U);
 BOOST_CHECK_EQUAL(ne.d_ttd, now + SyncRes::s_maxbogusttl);
diff --git a/pdns/secpoll-recursor.cc b/pdns/secpoll-recursor.cc
index eacaef0928..f5971558f1 100644
--- a/pdns/secpoll-recursor.cc
+++ b/pdns/secpoll-recursor.cc @@ -55,7 +55,7 @@ void doSecPoll(time_t* last_secpoll) state = sr.getValidationState(); } - if(state == vState::Bogus) { + if (vStateIsBogus(state)) { g_log<updateValidationStatus(d_now.tv_sec, qname, qt, d_cacheRemote, d_routingTag, aa, newState, s_maxbogusttl + d_now.tv_sec); } else { @@ -1406,7 +1406,7 @@ bool SyncRes::doCNAMECacheCheck(const DNSName &qname, const QType &qtype, vector state = SyncRes::validateRecordsWithSigs(depth, foundName, foundQT, foundName, cset, signatures); if (state != vState::Indeterminate) { LOG(prefix< capTTD = boost::none; - if (state == vState::Bogus) { + if (vStateIsBogus(state)) { capTTD = d_now.tv_sec + s_maxbogusttl; } g_negCache->updateValidationStatus(ne.d_name, ne.d_qtype, state, capTTD); @@ -1692,7 +1692,7 @@ bool SyncRes::doCacheCheck(const DNSName &qname, const DNSName& authname, bool w // And get the updated ne struct //t_sstorage.negcache.get(negCacheName, QType(0), d_now, ne, true); } - if ((s_hardenNXD == HardenNXD::Yes && ne.d_validationState != vState::Bogus) || ne.d_validationState == vState::Secure) { + if ((s_hardenNXD == HardenNXD::Yes && !vStateIsBogus(ne.d_validationState)) || ne.d_validationState == vState::Secure) { res = RCode::NXDomain; sttl = ne.d_ttd - d_now.tv_sec; giveNegative = true; @@ -1714,7 +1714,7 @@ bool SyncRes::doCacheCheck(const DNSName &qname, const DNSName& authname, bool w LOG(prefix<& records, const std::vector >& signatures) @@ -2674,7 +2674,7 @@ vState SyncRes::validateRecordsWithSigs(unsigned int depth, const DNSName& qname DS (or a denial of a DS) signed by the DS itself, since we should be requesting it from the parent zone. Something is very wrong */ LOG(d_prefix<<"The DS for "<& allowedAdditionals, const DNSRecord& rec) 
@@ -3116,7 +3116,7 @@ RCode::rcodes_ SyncRes::updateCacheFromRecords(unsigned int depth, LWResult& lwr LOG(d_prefix<<"Validating non-additional record for "<first.name<first.name, i->second.records, i->second.signatures); /* we might have missed a cut (zone cut within the same auth servers), causing the NS query for an Insecure zone to seem Bogus during zone cut determination */ - if (qtype == QType::NS && i->second.signatures.empty() && recordState == vState::Bogus && haveExactValidationStatus(i->first.name) && getValidationStatus(i->first.name) == vState::Indeterminate) { + if (qtype == QType::NS && i->second.signatures.empty() && vStateIsBogus(recordState) && haveExactValidationStatus(i->first.name) && getValidationStatus(i->first.name) == vState::Indeterminate) { recordState = vState::Indeterminate; } } @@ -3143,7 +3143,7 @@ RCode::rcodes_ SyncRes::updateCacheFromRecords(unsigned int depth, LWResult& lwr } } - if (recordState == vState::Bogus) { + if (vStateIsBogus(recordState)) { /* this is a TTD by now, be careful */ for(auto& record : i->second.records) { record.d_ttl = std::min(record.d_ttl, static_cast(s_maxbogusttl + d_now.tv_sec)); @@ -3224,7 +3224,7 @@ void SyncRes::updateDenialValidationState(vState& neValidationState, const DNSNa } else { LOG(d_prefix<<"Invalid denial found for "< >& signa const std::string& vStateToString(vState state) { - static const std::vector vStates = {"Indeterminate", "Bogus", "Insecure", "Secure", "NTA", "TA"}; + static const std::vector vStates = {"Indeterminate", "Insecure", "Secure", "NTA", "TA", "Bogus - No valid DNSKEY", "Bogus - Invalid denial", "Bogus - Unable to get DSs", "Bogus - Unable to get DNSKEYs", "Bogus - Self Signed DS", "Bogus - No RRSIG", "Bogus - No valid RRSIG", "Bogus - Missing negative indication" }; return vStates.at(static_cast(state)); } 
@@ -1161,14 +1161,14 @@ void updateDNSSECValidationState(vState& state, const vState stateUpdate)
 else if (stateUpdate == vState::NTA) {
 state = vState::Insecure;
 }
- else if (stateUpdate == vState::Bogus) {
- state = vState::Bogus;
+ else if (vStateIsBogus(stateUpdate)) {
+ state = stateUpdate;
 }
 else if (state == vState::Indeterminate) {
 state = stateUpdate;
 }
 else if (stateUpdate == vState::Insecure) {
- if (state != vState::Bogus) {
+ if (!vStateIsBogus(state)) {
 state = vState::Insecure;
 }
 }
diff --git a/pdns/validate.hh b/pdns/validate.hh
index 6627bee1f1..99229d0e91 100644
--- a/pdns/validate.hh
+++ b/pdns/validate.hh
@@ -33,8 +33,12 @@ extern time_t g_signatureInceptionSkew;
 extern uint16_t g_maxNSEC3Iterations;
 // 4033 5
-enum class vState : uint8_t { Indeterminate, Bogus, Insecure, Secure, NTA, TA };
+enum class vState : uint8_t { Indeterminate, Insecure, Secure, NTA, TA, BogusNoValidDNSKEY, BogusInvalidDenial, BogusUnableToGetDSs, BogusUnableToGetDNSKEYs, BogusSelfSignedDS, BogusNoRRSIG, BogusNoValidRRSIG, BogusMissingNegativeIndication };
 const std::string& vStateToString(vState state);
+inline bool vStateIsBogus(vState state)
+{
+ return state >= vState::BogusNoValidDNSKEY;
+}
 // NSEC(3) results
 enum class dState : uint8_t { NODENIAL, NXDOMAIN, NXQTYPE, ENT, INSECURE, OPTOUT};
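Review bot: In the new `else if (vStateIsBogus(stateUpdate)) { state = stateUpdate; }` branch of updateDNSSECValidationState, a second Bogus result overwrites an earlier one, so when several pieces of one answer fail for different reasons the state that ends up cached carries the last reason rather than the first, which is the one most useful when debugging a Bogus entry after the fact. If first-wins is preferred, `else if (vStateIsBogus(stateUpdate)) { if (!vStateIsBogus(state)) { state = stateUpdate; } }` preserves the original cause; if last-wins is intended, a comment such as `/* a later Bogus reason deliberately replaces an earlier one */` would record the choice. Either way every Bogus value still satisfies vStateIsBogus(), so the callers that only test for Bogus-ness are unaffected. The function's signature and its first branches lie outside the hunk.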
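Review bot: vStateIsBogus() in validate.hh depends on every Bogus* enumerator being declared after TA, and nothing on the enum line or the helper records that invariant, so a future Bogus state added anywhere before BogusNoValidDNSKEY would be treated as non-Bogus by every call site this commit converts, which is the unsafe direction (the answer would be served, cached without the s_maxbogusttl cap, and used for DNS64). Suggest a comment on the enum, `// Keep all Bogus* states last: vStateIsBogus() relies on this ordering, and the table in vStateToString() must list the states in exactly this order`, plus one above the helper saying that `>=` is a range test over the trailing Bogus entries. The hunk also shifts the underlying values of Insecure, Secure, NTA and TA down by one because Bogus moved from position 1 to the tail; if any of these raw integers are persisted or exposed outside the process, a stored 1 that used to mean Bogus now reads back as Insecure, so that is worth stating in the commit message or avoiding with explicit enumerator values if compatibility matters.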