Merge !240: trust anchors: support non-root TAs, one domain per file
authorVladimír Čunát <vladimir.cunat@nic.cz>
Wed, 29 Mar 2017 11:16:10 +0000 (13:16 +0200)
committerVladimír Čunát <vladimir.cunat@nic.cz>
Wed, 29 Mar 2017 11:16:10 +0000 (13:16 +0200)
1  2 
daemon/README.rst
lib/resolve.c

Simple merge
diff --cc lib/resolve.c
index 0352179d9f4fcef342d67ce497db623e5b305243,e7f126d51a288995a907f6c597b502fb23f4722c..3f47a379124576c5445e731b8290638bfaf7537e
@@@ -842,33 -842,29 +842,37 @@@ static int trust_chain_check(struct kr_
        if (kr_ta_get(negative_anchors, qry->zone_cut.name)){
                VERBOSE_MSG(qry, ">< negative TA, going insecure\n");
                qry->flags &= ~QUERY_DNSSEC_WANT;
 +              qry->flags |= QUERY_DNSSEC_INSECURE;
 +      }
 +      if (qry->flags & QUERY_DNSSEC_NODS) {
 +              /* This is the next query iteration with minimized qname.
 +               * At previous iteration DS non-existance has been proven */
 +              qry->flags &= ~QUERY_DNSSEC_NODS;
 +              qry->flags &= ~QUERY_DNSSEC_WANT;
 +              qry->flags |= QUERY_DNSSEC_INSECURE;
        }
-       /* Enable DNSSEC if enters a new island of trust. */
+       /* Enable DNSSEC if entering a new (or different) island of trust,
+        * and update the TA RRset if required. */
        bool want_secured = (qry->flags & QUERY_DNSSEC_WANT) &&
                            !knot_wire_get_cd(request->answer->wire);
-       if (!(qry->flags & QUERY_DNSSEC_WANT) &&
-           !knot_wire_get_cd(request->answer->wire) &&
-           kr_ta_get(trust_anchors, qry->zone_cut.name)) {
+       knot_rrset_t *ta_rr = kr_ta_get(trust_anchors, qry->zone_cut.name);
+       if (!knot_wire_get_cd(request->answer->wire) && ta_rr) {
                qry->flags |= QUERY_DNSSEC_WANT;
                want_secured = true;
-               WITH_VERBOSE {
-               char qname_str[KNOT_DNAME_MAXLEN];
-               knot_dname_to_str(qname_str, qry->zone_cut.name, sizeof(qname_str));
-               VERBOSE_MSG(qry, ">< TA: '%s'\n", qname_str);
+               if (qry->zone_cut.trust_anchor == NULL
+                   || !knot_dname_is_equal(qry->zone_cut.trust_anchor->owner, qry->zone_cut.name)) {
+                       mm_free(qry->zone_cut.pool, qry->zone_cut.trust_anchor);
+                       qry->zone_cut.trust_anchor = knot_rrset_copy(ta_rr, qry->zone_cut.pool);
+                       WITH_VERBOSE {
+                       char qname_str[KNOT_DNAME_MAXLEN];
+                       knot_dname_to_str(qname_str, ta_rr->owner, sizeof(qname_str));
+                       VERBOSE_MSG(qry, ">< TA: '%s'\n", qname_str);
+                       }
                }
        }
-       if (want_secured && !qry->zone_cut.trust_anchor) {
-               knot_rrset_t *ta_rr = kr_ta_get(trust_anchors, qry->zone_cut.name);
-               qry->zone_cut.trust_anchor = knot_rrset_copy(ta_rr, qry->zone_cut.pool);
-       }
        /* Try to fetch missing DS (from above the cut). */
        const bool has_ta = (qry->zone_cut.trust_anchor != NULL);
        const knot_dname_t *ta_name = (has_ta ? qry->zone_cut.trust_anchor->owner : NULL);