Re-fetch pending records that failed validation
authorMark Andrews <marka@isc.org>
Fri, 20 Dec 2024 09:24:05 +0000 (20:24 +1100)
committerMark Andrews <marka@isc.org>
Sun, 16 Feb 2025 21:57:58 +0000 (08:57 +1100)
If a deferred validation on data that was originally queried with
CD=1 fails, we now repeat the query, since the zone data may have
changed in the meantime.

bin/tests/system/dnssec/tests.sh
lib/dns/validator.c

index 86cb7bfac6c3b4482c93e35fecbda182f62716b7..5c5651aac0993b0ff4dca5585b22696737ae0182 100644 (file)
@@ -216,9 +216,6 @@ cp ns2/dnskey-rrsigs-stripped.db.next ns2/dnskey-rrsigs-stripped.db.signed
 nextpart ns2/named.run >/dev/null
 rndccmd 10.53.0.2 reload dnskey-rrsigs-stripped | sed 's/^/ns2 /' | cat_i
 wait_for_log 5 "zone dnskey-rrsigs-stripped/IN: loaded serial 2000042408" ns2/named.run || ret=1
-# make a query that flushes the unsigned DNSKEY RRset
-dig_with_opts +noauth a.dnskey-rrsigs-stripped. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
-# make a second query that should now validate
 dig_with_opts +noauth b.dnskey-rrsigs-stripped. @10.53.0.2 a >dig.out.ns2.test$n || ret=1
 dig_with_opts +noauth b.dnskey-rrsigs-stripped. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
@@ -239,9 +236,6 @@ cp ns2/ds-rrsigs-stripped.db.next ns2/ds-rrsigs-stripped.db.signed
 nextpart ns2/named.run >/dev/null
 rndccmd 10.53.0.2 reload ds-rrsigs-stripped | sed 's/^/ns2 /' | cat_i
 wait_for_log 5 "zone ds-rrsigs-stripped/IN: loaded serial 2000042408" ns2/named.run || ret=1
-# make a query that flushes the unsigned DS RRset
-dig_with_opts +noauth a.child.ds-rrsigs-stripped. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
-# make a second query that should now validate
 dig_with_opts +noauth b.child.ds-rrsigs-stripped. @10.53.0.2 a >dig.out.ns2.test$n || ret=1
 dig_with_opts +noauth b.child.ds-rrsigs-stripped. @10.53.0.4 a >dig.out.ns4.test$n || ret=1
 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
index 9661afd7c903814fb2058553b088b46ecd7a307e..b97210921e9aa04d1d48f41f38e70b9f221f684d 100644 (file)
@@ -162,6 +162,10 @@ validator_logcreate(dns_validator_t *val, dns_name_t *name,
                    dns_rdatatype_t type, const char *caller,
                    const char *operation);
 
+static isc_result_t
+create_fetch(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
+            isc_job_cb callback, const char *caller);
+
 /*%
  * Ensure the validator's rdatasets are marked as expired.
  */
@@ -611,13 +615,19 @@ validator_callback_dnskey(void *arg) {
                        result = validate_async_run(val, resume_answer);
                }
        } else {
-               if (result != DNS_R_BROKENCHAIN) {
-                       expire_rdatasets(val);
-               }
                validator_log(val, ISC_LOG_DEBUG(3),
                              "validator_callback_dnskey: got %s",
                              isc_result_totext(result));
-               result = DNS_R_BROKENCHAIN;
+               if (result != DNS_R_BROKENCHAIN) {
+                       expire_rdatasets(val);
+                       result = create_fetch(val, &val->siginfo->signer,
+                                             dns_rdatatype_dnskey,
+                                             fetch_callback_dnskey,
+                                             "validator_callback_dnskey");
+                       if (result == ISC_R_SUCCESS) {
+                               result = DNS_R_WAIT;
+                       }
+               }
        }
 
 cleanup:
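Review bot: When create_fetch() fails on the new lines, `result` carries that failure code on to `cleanup:`, whereas the old code always reported DNS_R_BROKENCHAIN here, so unless the code after cleanup (outside the hunk) normalises it, callers now see a different result for the same failed validation; an explicit `else { result = DNS_R_BROKENCHAIN; }` after the `if (result == ISC_R_SUCCESS)` check would keep the old contract, and the validator_callback_ds hunk below has the same shape. Nothing in either hunk bounds the re-fetch: if the re-fetched DNSKEY or DS fails validation again with a result other than DNS_R_BROKENCHAIN, this branch would presumably expire and fetch once more, so unless fetch_callback_dnskey/fetch_callback_ds or create_fetch already limit retries, a persistently broken zone could keep the resolver re-querying it. The commit message ties the re-fetch to data originally queried with CD=1, but no such condition is visible in the hunk; if it is enforced elsewhere, a short comment above the create_fetch() call saying so would help, e.g. `/* Data may have been cached from a CD=1 query; re-fetch it rather than failing outright. */`. validator_callback_dnskey starts before and ends after this hunk.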
@@ -636,8 +646,7 @@ static void
 validator_callback_ds(void *arg) {
        dns_validator_t *subvalidator = (dns_validator_t *)arg;
        dns_validator_t *val = subvalidator->parent;
-       isc_result_t result;
-       isc_result_t eresult = subvalidator->result;
+       isc_result_t result = subvalidator->result;
 
        val->subvalidator = NULL;
 
@@ -647,7 +656,7 @@ validator_callback_ds(void *arg) {
        }
 
        validator_log(val, ISC_LOG_DEBUG(3), "in validator_callback_ds");
-       if (eresult == ISC_R_SUCCESS) {
+       if (result == ISC_R_SUCCESS) {
                bool have_dsset;
                dns_name_t *name;
                validator_log(val, ISC_LOG_DEBUG(3), "%s with trust %s",
@@ -669,13 +678,18 @@ validator_callback_ds(void *arg) {
                        result = validate_async_run(val, validate_dnskey);
                }
        } else {
-               if (eresult != DNS_R_BROKENCHAIN) {
-                       expire_rdatasets(val);
-               }
                validator_log(val, ISC_LOG_DEBUG(3),
                              "validator_callback_ds: got %s",
-                             isc_result_totext(eresult));
-               result = DNS_R_BROKENCHAIN;
+                             isc_result_totext(result));
+               if (result != DNS_R_BROKENCHAIN) {
+                       expire_rdatasets(val);
+                       result = create_fetch(val, val->name, dns_rdatatype_ds,
+                                             fetch_callback_ds,
+                                             "validator_callback_ds");
+                       if (result == ISC_R_SUCCESS) {
+                               result = DNS_R_WAIT;
+                       }
+               }
        }
 
 cleanup: