add kr_request::rank, and slightly refactor it
authorVladimír Čunát <vladimir.cunat@nic.cz>
Fri, 22 Jun 2018 11:57:58 +0000 (13:57 +0200)
committerPetr Špaček <petr.spacek@nic.cz>
Mon, 25 Jun 2018 16:23:11 +0000 (18:23 +0200)
daemon/lua/kres-gen.lua
lib/resolve.c
lib/resolve.h

index d24adfb32fb8236ca2822c091e02d16622a2cf3c..c7a98c513a2c4b97ba9daa171ec33b9761a331fa 100644 (file)
@@ -174,6 +174,7 @@ struct kr_request {
        rr_array_t additional;
        _Bool answ_validated;
        _Bool auth_validated;
+       uint8_t rank;
        struct kr_rplan rplan;
        int has_tls;
        trace_log_f trace_log;
index ba94cf0580cb5d3a76986d4c695035807feeedaa..cf7003815db0dd4269c5316960c8b20263489ace 100644 (file)
@@ -594,7 +594,8 @@ static int answer_finalize(struct kr_request *request, int state)
        /* AD flag.  We can only change `secure` from true to false.
         * Be conservative.  Primary approach: check ranks of all RRs in wire.
         * Only "negative answers" need special handling. */
-       bool secure = (last != NULL); /* suspicious otherwise */
+       bool secure = last != NULL && state == KR_STATE_DONE /*< suspicious otherwise */
+               && knot_pkt_qtype(answer) != KNOT_RRTYPE_RRSIG;
        if (last && (last->flags.STUB)) {
                secure = false; /* don't trust forwarding for now */
        }
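Review bot: The trailing `/*< suspicious otherwise */` on the first line of the new `secure` initializer now sits in the middle of a two-line `&&` expression and reads as if it qualifies `state == KR_STATE_DONE` rather than the `last != NULL` test it was attached to before. Putting the comment above the declaration keeps all three conditions readable, e.g. `/* last == NULL is suspicious; also require DONE state and a non-RRSIG qtype. */`. Hoisting the `KR_STATE_DONE` and `KNOT_RRTYPE_RRSIG` checks from the old AD-clearing site up to the initializer is only equivalent if neither `state` nor the qtype of `answer` changes between those two points; that appears to hold from the visible lines, but answer_finalize starts outside this hunk so I could not confirm it.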
@@ -641,34 +642,38 @@ static int answer_finalize(struct kr_request *request, int state)
                ret = edns_put(answer);
        }
 
+       if (!last) secure = false; /*< should be no-op, mostly documentation */
        /* AD: "negative answers" need more handling. */
-       if (last && secure) {
-               if (kr_response_classify(answer) != PKT_NOERROR
-                   /* Additionally check for CNAME chains that "end in NODATA",
-                    * as those would also be PKT_NOERROR. */
-                   || (answ_all_cnames && knot_pkt_qtype(answer) != KNOT_RRTYPE_CNAME))
-               {
-                       secure = secure && last->flags.DNSSEC_WANT
-                               && !last->flags.DNSSEC_BOGUS && !last->flags.DNSSEC_INSECURE;
-               }
-       }
-       /* Clear AD if not secure.  ATM answer has AD=1 if requested secured answer. */
-       if (!secure || state != KR_STATE_DONE
-           || knot_pkt_qtype(answer) == KNOT_RRTYPE_RRSIG) {
-               knot_wire_clear_ad(answer->wire);
+       if (kr_response_classify(answer) != PKT_NOERROR
+           /* Additionally check for CNAME chains that "end in NODATA",
+            * as those would also be PKT_NOERROR. */
+           || (answ_all_cnames && knot_pkt_qtype(answer) != KNOT_RRTYPE_CNAME)) {
+
+               secure = secure && last->flags.DNSSEC_WANT
+                       && !last->flags.DNSSEC_BOGUS && !last->flags.DNSSEC_INSECURE;
        }
 
-       if (last) {
+       if (secure) {
                struct kr_query *cname_parent = last->cname_parent;
                while (cname_parent != NULL) {
                        if (cname_parent->flags.DNSSEC_OPTOUT) {
-                               knot_wire_clear_ad(answer->wire);
+                               secure = false;
                                break;
                        }
                        cname_parent = cname_parent->cname_parent;
                }
        }
 
+       /* No detailed analysis ATM, just _SECURE or not.
+        * LATER: request->rank might better be computed in validator's finish phase. */
+       VERBOSE_MSG(NULL, "  AD: request%s classified as SECURE\n", secure ? "" : " NOT");
+       request->rank = secure ? KR_RANK_SECURE : KR_RANK_INITIAL;
+
+       /* Clear AD if not secure.  ATM answer has AD=1 if requested secured answer. */
+       if (!secure) {
+               knot_wire_clear_ad(answer->wire);
+       }
+
        return ret;
 }
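Review bot: The dereference `last->flags.DNSSEC_WANT` in the new unguarded block (the `secure = secure && last->flags...` assignment) is safe only because `secure` is already false whenever `last == NULL` and `&&` short-circuits; the removed code made this explicit with `if (last && secure)`. The new `if (!last) secure = false;` line calls itself "mostly documentation", but it is precisely the invariant that this assignment and the later `last->cname_parent` read depend on, so I would state that: `if (!last) secure = false; /* invariant: secure implies last != NULL; the dereferences below rely on it */`. Separately, `kr_response_classify(answer)` is now evaluated even when `secure` is already false; if that cost matters, `if (secure && (kr_response_classify(answer) != PKT_NOERROR` restores the old short-circuit and makes the null-safety visible at the branch. answer_finalize begins outside this hunk.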
 
@@ -721,6 +726,7 @@ int kr_resolve_begin(struct kr_request *request, struct kr_context *ctx, knot_pk
        array_init(request->add_selected);
        request->answ_validated = false;
        request->auth_validated = false;
+       request->rank = KR_RANK_INITIAL;
        request->trace_log = NULL;
        request->trace_finish = NULL;
 
index 95598e80b11fdc6a396f8604381a4802fb7c9fba..1b8647ef5c913429cf014fb2edcaf304af5265a5 100644 (file)
@@ -211,6 +211,16 @@ struct kr_request {
        rr_array_t additional;
        bool answ_validated; /**< internal to validator; beware of caching, etc. */
        bool auth_validated; /**< see answ_validated ^^ ; TODO */
+
+       /** Overall rank for the request.
+        *
+        * Values from kr_rank, currently just KR_RANK_SECURE and _INITIAL.
+        * Only read this in finish phase and after validator, please.
+        * Meaning of _SECURE: all RRs in answer+authority are _SECURE,
+        *   including any negative results implied (NXDOMAIN, NODATA).
+        */
+       uint8_t rank;
+
        struct kr_rplan rplan;
        int has_tls;
        trace_log_f trace_log; /**< Logging tracepoint */