From: Remi Gacogne Date: Mon, 3 Jul 2017 09:16:51 +0000 (+0200) Subject: rec: Handle Secure to Insecure cut on the same auth servers X-Git-Tag: rec-4.1.0-alpha1~39^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F5486%2Fhead;p=thirdparty%2Fpdns.git rec: Handle Secure to Insecure cut on the same auth servers Meaning the NS answer for the Insecure zone won't be signed and won't have a DS denial. We will pick that up with the following DS query, but we need to make sure the NS answer isn't considered Bogus even though it's not signed.
---
diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index 8fa0f95769..10ebd47409 100644
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -1389,6 +1389,18 @@ vState SyncRes::getDSRecords(const DNSName& zone, dsmap_t& ds, bool taOnly, unsi
 return Bogus;
 }
+bool SyncRes::haveExactValidationStatus(const DNSName& domain)
+{
+ if (!validationEnabled()) {
+ return false;
+ }
+ const auto& it = d_cutStates.find(domain);
+ if (it != d_cutStates.cend()) {
+ return true;
+ }
+ return false;
+}
+
 vState SyncRes::getValidationStatus(const DNSName& subdomain)
 {
 vState result = Indeterminate;
@@ -1773,7 +1785,7 @@ RCode::rcodes_ SyncRes::updateCacheFromRecords(unsigned int depth, LWResult& lwr
 continue;
 vState recordState = getValidationStatus(auth);
- LOG(d_prefix<<": got status "<first.name<first.name<first.name<first.name, i->second.records, i->second.signatures);
+ /* we might have missed a cut (zone cut within the same auth servers), causing the NS query for an Insecure zone to seem Bogus during zone cut determination */
+ if (qtype == QType::NS && i->second.signatures.empty() && recordState == Bogus && haveExactValidationStatus(i->first.name) && getValidationStatus(i->first.name) == Indeterminate) {
+ recordState = Indeterminate;
+ }
 }
 }
 }
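Review bot: In `haveExactValidationStatus` the iterator is bound with `const auto& it = d_cutStates.find(domain);` and then only compared against `cend()`, so the reference binding and the two-branch return add nothing; `return d_cutStates.find(domain) != d_cutStates.cend();` after the `validationEnabled()` guard says the same thing, and the member only reads `d_cutStates`, so it could be declared `const` here and in the syncres.hh declaration. The function also needs a comment that says what "exact" means, since the NS check in the next hunk relies on it: `/* true only when d_cutStates holds an entry for exactly this name; false when validation is disabled. Unlike getValidationStatus, this does not fall back to a parent cut. */` — whether getValidationStatus does fall back to a parent is not visible in this hunk, so confirm that half of the wording against its body.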
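Review bot: `recordState = Indeterminate;` lowers a Bogus verdict, so the comment above it should spell out the conditions that make that acceptable rather than only the symptom: it applies solely to NS sets that carry no RRSIG at all (`i->second.signatures.empty()`), only when a cut state exists for exactly this name and is still Indeterminate, and the final Secure/Insecure decision for that zone is deferred to the DS query that follows, as the commit message says; a signed-but-failing NS set stays Bogus. Suggested wording: `/* Unsigned NS set for a name whose own cut state is still Indeterminate: we probably missed a Secure->Insecure cut served by the same auth servers. Do not mark it Bogus here; the DS query that follows settles the zone's state. Signed-but-invalid NS sets remain Bogus. */`. The condition calls `haveExactValidationStatus` and `getValidationStatus` on the same name back to back, two lookups where one would do if the former returned the stored state — optional. The removed LOG line is garbled in this rendering of the patch, and `updateCacheFromRecords` begins and ends outside the hunk.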
@@ -1799,6 +1815,7 @@ RCode::rcodes_ SyncRes::updateCacheFromRecords(unsigned int depth, LWResult& lwr
 recordState = validateRecordsWithSigs(depth, qname, qtype, i->first.name, i->second.records, i->second.signatures);
 }
 }
+ updateValidationState(state, recordState);
 } else {
diff --git a/pdns/syncres.hh b/pdns/syncres.hh
index e6a4e8d149..cfe4ccf574 100644
--- a/pdns/syncres.hh
+++ b/pdns/syncres.hh
@@ -750,6 +750,7 @@ private:
 vState getDNSKeys(const DNSName& signer, skeyset_t& keys, unsigned int depth);
 void getDenialValidationState(NegCache::NegCacheEntry& ne, vState& state, const dState expectedState, bool allowOptOut);
 vState getTA(const DNSName& zone, dsmap_t& ds);
+ bool haveExactValidationStatus(const DNSName& domain);
 vState getValidationStatus(const DNSName& subdomain);
 void computeZoneCuts(const DNSName& begin, const DNSName& end, unsigned int depth);
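Review bot: `updateValidationState(state, recordState);` now folds the per-RRset state into the answer's overall state unconditionally at the end of this branch, so a `recordState` that the unsigned-NS check earlier in the same function lowered to Indeterminate reaches `state` as well; how Indeterminate is merged (kept, or used to lower `state`) is decided inside `updateValidationState`, which is not part of this diff, so a one-line comment at the call site would spare the next reader that lookup, e.g. `// fold this RRset's state into the answer's overall state; Indeterminate from the unsigned-NS case above is merged here too`. Whether the NS downgrade and this call sit in the same branch cannot be seen from the hunk, and `updateCacheFromRecords` starts and ends outside it.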