entry_h_consistent: split for NSEC-chain entries

NSEC type can occur for normal (exact-hit) entries, e.g. as negative
packet from explicit NSEC query from user in unsigned zone.

diff --git a/lib/cache.c b/lib/cache.c
index 9a5ffa41889a02058f9be131208f416f2905b7ae..24211eddf4415696795ee779543c7e2f32b92d67 100644 (file)
--- a/lib/cache.c
+++ b/lib/cache.c
@@ -172,8 +172,10 @@ struct nsec_p {
        uint8_t *salt;
 };
 
+/* When going stricter, BEWARE of breaking entry_h_consistent_NSEC() */
 struct entry_h * entry_h_consistent(knot_db_val_t data, uint16_t ktype)
 {
+       (void) ktype; /* unused, for now */
        /* Length checks. */
        if (data.len < offsetof(struct entry_h, data))
                return NULL;
@@ -194,18 +196,10 @@ struct entry_h * entry_h_consistent(knot_db_val_t data, uint16_t ktype)
        ok = ok && (!kr_rank_test(eh->rank, KR_RANK_BOGUS)
                    || eh->is_packet);
 
-       switch (ktype) {
-       case KNOT_RRTYPE_NSEC:
-               ok = ok && !(eh->is_packet || eh->has_ns || eh->has_cname
-                               || eh->has_dname);
-               break;
-       default:
-               /* doesn't hold, because of temporary NSEC3 packet caching
-               if (eh->is_packet)
-                       ok = ok && !kr_rank_test(eh->rank, KR_RANK_SECURE);
-               */
-               break;
-       }
+       /* doesn't hold, because of temporary NSEC3 packet caching
+       if (eh->is_packet)
+               ok = ok && !kr_rank_test(eh->rank, KR_RANK_SECURE);
+       */
 
        //LATER: rank sanity
        return ok ? /*const-cast*/(struct entry_h *)eh : NULL;

diff --git a/lib/cache/impl.h b/lib/cache/impl.h
index b7aff9f275aa31a96ca7e76df441bbf002d484e0..8c6eb42e67bf36451bbcf5ddee1fb0368a5b2b25 100644 (file)
--- a/lib/cache/impl.h
+++ b/lib/cache/impl.h
@@ -37,6 +37,9 @@
  *             TODO: NSEC3 chain descriptors (iff nsec3_cnt > 0)
  *     - is_packet: uint16_t length, otherwise opaque and handled by ./entry_pkt.c
  *     - otherwise RRset + its RRSIG set (possibly empty).
+ * '1' entry (NSEC1)
+ *     - contents is the same as for exact hit for NSEC
+ *     - flags don't make sense there
  * */
 struct entry_h {
        uint32_t time;  /**< The time of inception. */
@@ -56,9 +59,8 @@ struct entry_h {
 };
 
 
-/** Check basic consistency of entry_h, not looking into ->data.
+/** Check basic consistency of entry_h for 'E' entries, not looking into ->data.
  * (for is_packet the length of data is checked)
- * \note only exact hits and NSEC1 are really considered ATM.
  */
 struct entry_h * entry_h_consistent(knot_db_val_t data, uint16_t ktype);
 

diff --git a/lib/cache/nsec1.c b/lib/cache/nsec1.c
index 8b56b398e9a26202fb65e71f2ea991b6c9f23455..c5abae7d2c091c8eedd4fba93026c2a0f8530e0a 100644 (file)
--- a/lib/cache/nsec1.c
+++ b/lib/cache/nsec1.c
@@ -120,6 +120,14 @@ static int kwz_between(knot_db_val_t k1, knot_db_val_t k2, knot_db_val_t k3)
        }
 }
 
+static struct entry_h * entry_h_consistent_NSEC(knot_db_val_t data)
+{
+       /* ATM it's enough to just extend the checks for exact entries. */
+       const struct entry_h *eh = entry_h_consistent(data, KNOT_RRTYPE_NSEC);
+       bool ok = eh != NULL;
+       ok = ok && !(eh->is_packet || eh->has_ns || eh->has_cname || eh->has_dname);
+       return ok ? /*const-cast*/(struct entry_h *)eh : NULL;
+}
 
 /** NSEC1 range search.
  *
@@ -160,7 +168,7 @@ static const char * find_leq_NSEC1(struct kr_cache *cache, const struct kr_query
        if (exact_match) {
                *exact_match = is_exact;
        }
-       const struct entry_h *eh = entry_h_consistent(val, KNOT_RRTYPE_NSEC);
+       const struct entry_h *eh = entry_h_consistent_NSEC(val);
        if (!eh) {
                /* This might be just finding something else than NSEC1 entry,
                 * in case we searched before the very first one in the zone. */