add possible EDE spots
authorTCY16 <tom@nlnetlabs.nl>
Wed, 15 Sep 2021 09:17:04 +0000 (11:17 +0200)
committerTCY16 <tom@nlnetlabs.nl>
Wed, 15 Sep 2021 09:17:04 +0000 (11:17 +0200)
validator/val_sigcrypt.c
validator/val_utils.c
validator/validator.c

index 08a963058e056015fb7c77fc6fcd40c647bc8ada..c30b02282a2b798ab7e2354db06942f95460adc1 100644 (file)
@@ -682,6 +682,9 @@ dnskeyset_verify_rrset_sig(struct module_env* env, struct val_env* ve,
        int buf_canon = 0;
        verbose(VERB_ALGO, "verify sig %d %d", (int)tag, algo);
        if(!dnskey_algo_id_is_supported(algo)) {
+               // @TODO do we do LDNS_EDE_UNSUPPORTED_DNSKEY_ALG here?
+               // if (reason_bogus)
+               //      *reason_bogus = LDNS_EDE_UNSUPPORTED_DNSKEY_ALG;
                verbose(VERB_QUERY, "verify sig: unknown algorithm");
                return sec_status_insecure;
        }
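Review bot: The three lines added in the `!dnskey_algo_id_is_supported(algo)` branch are commented-out code rather than a plain TODO, and they use `//` where the only other comment visible in this file's hunks is `/* ... */`. `reason_bogus` does not appear in the part of the signature shown in the hunk header, so it is unclear whether the snippet would compile if enabled. The branch also returns `sec_status_insecure`, so an out-parameter named for the bogus case may not be the right carrier. I would replace them with one comment such as `/* TODO: report LDNS_EDE_UNSUPPORTED_DNSKEY_ALG here once an EDE out-parameter exists */`. The same `//` TODO style recurs in the hunks for val_verify_DNSKEY_with_DS, val_dsset_isusable and the `return_bogus` label in ds_response_to_ke.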
@@ -1421,6 +1424,7 @@ check_dates(struct val_env* ve, uint32_t unow, uint8_t* expi_p,
                        "signature bad", expi, incep, now);
                *reason = "signature inception after expiration";
                /* @TODO Tom, wat hier te doen? */
+
                return 0;
        }
        if(compare_1982(incep, now) > 0) {
index d0a59ef025a866cb413afcba138066e968bf21ae..e94a1bb9fb3d897c80bb9e5d93ffd3be1bc12842 100644 (file)
@@ -570,6 +570,7 @@ val_verify_DNSKEY_with_DS(struct module_env* env, struct val_env* ve,
        if(!has_useful_ds) {
                verbose(VERB_ALGO, "No usable DS records were found -- "
                        "treating as insecure.");
+               // @TODO add ede DNSSEC Indeterminate?
                return sec_status_insecure;
        }
        /* If any were understandable, then it is bad. */
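Review bot: The TODO in the `!has_useful_ds` branch proposes "DNSSEC Indeterminate", while the TODO added in val_dsset_isusable proposes "Unsupported DS Digest Type" for what looks like the same underlying condition (no DS record that can be used). The two comments should agree on which code is reported and which function reports it, otherwise a later implementation may set both or the wrong one. Something like `/* TODO(EDE): no usable DS; pick the code here, not in val_dsset_isusable() */` would record the decision. The function body continues outside the hunk, so whether an EDE out-parameter is available here cannot be seen.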
@@ -786,6 +787,9 @@ val_dsset_isusable(struct ub_packed_rrset_key* ds_rrset)
                if(lt) snprintf(aerr, sizeof(aerr), "%s", lt->name);
                else snprintf(aerr, sizeof(aerr), "%d",
                        (int)ds_get_key_algo(ds_rrset, i));
+
+               // @TODO do we want to add EDE Unsupported DS Digest Type here?
+
                verbose(VERB_ALGO, "DS unsupported, hash %s %s, "
                        "key algorithm %s %s", herr,
                        (ds_digest_algo_is_supported(ds_rrset, 0)?
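Review bot: The TODO sits in `val_dsset_isusable(struct ub_packed_rrset_key* ds_rrset)`, which takes only the DS rrset, so as written there is no way to hand an EDE code back to the caller. The comment should say that, for example `/* TODO(EDE): needs an out-parameter, or the caller sets Unsupported DS Digest Type */`. The surrounding log line reports both the hash and the key algorithm as possibly unsupported, so a digest-type code alone may not describe every case that reaches this point. The `verbose(...)` call runs past the end of the hunk.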
index f71c2191a7cc632fa8bd0bedf6f95b4f4f21ef0a..51bdea77f3770de34ea4f53cf8973a809773dcb7 100644 (file)
@@ -2405,6 +2405,7 @@ ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq,
                verbose(VERB_DETAIL, "DS response was error, thus bogus");
                errinf(qstate, rc);
                errinf(qstate, "no DS");
+
                goto return_bogus;
        }
 
@@ -2587,6 +2588,9 @@ ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq,
                goto return_bogus;
        }
 return_bogus:
+
+       // @TODO add EDE NSEC MISSING
+
        *ke = key_entry_create_bad(qstate->region, qinfo->qname,
                qinfo->qname_len, qinfo->qclass, 
                BOGUS_KEY_TTL, *qstate->env->now);
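Review bot: Placing the "NSEC MISSING" TODO at the shared `return_bogus:` label would attach that code to every path that jumps there. The earlier hunk in this function shows a `goto return_bogus` for "DS response was error" with `errinf(qstate, "no DS")`, which is a different failure. I would move the TODO to the individual `goto return_bogus` sites so each one can later set its own code, and keep at the label only something like `/* TODO(EDE): code is set by the jumping site */`. Only part of ds_response_to_ke is visible, so the other jump sites should be checked as well.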