validate: fix bad usage of KR_RANK_INSECURE
authorVladimír Čunát <vladimir.cunat@nic.cz>
Fri, 7 Apr 2017 13:41:41 +0000 (15:41 +0200)
committerVladimír Čunát <vladimir.cunat@nic.cz>
Fri, 7 Apr 2017 13:41:41 +0000 (15:41 +0200)
It's supposed to mean that we have a proof from configured TAs that
the RR isn't secure (typically proof of missing DS at some point).
This case was just a failure to find a fitting RRSIG; the new KR_RANK_MISSING
is introduced for that purpose, for simplicity.

Also, make the validator more thorough about what ranks are safe to skip.

lib/layer/validate.c
lib/resolve.c
lib/resolve.h

index 9ab00de6edf1c1ac4754a62347a84c59d095eba8..c4a54ce96615a6525695c13a542ab25249b73346 100644 (file)
@@ -96,9 +96,9 @@ static int validate_section(kr_rrset_validation_ctx_t *vctx, knot_mm_t *pool)
                        continue;
                }
 
-               if (!kr_rank_test(entry->rank, KR_RANK_INITIAL)
-                   && !kr_rank_test(entry->rank, KR_RANK_MISMATCH)) {
-                       continue;
+               if (kr_rank_test(entry->rank, KR_RANK_OMIT)
+                   || kr_rank_test(entry->rank, KR_RANK_SECURE)) {
+                       continue; /* these are already OK */
                }
 
                if (rr->type == KNOT_RRTYPE_RRSIG) {
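Review bot: The new skip condition at the top of this hunk lets entries already ranked KR_RANK_INSECURE fall through to validation, and by the commit description INSECURE means the RR is proven unsigned from the configured trust anchors, so the expected outcome of revalidating such an entry is the ENOENT path in the next hunk: it is downgraded to KR_RANK_MISSING and counted in vctx->err_cnt. Unless something before this loop guarantees that INSECURE entries never reach validate_section, the skip should cover them as well, `|| kr_rank_test(entry->rank, KR_RANK_INSECURE)`. The ranks that now deliberately fall through (INITIAL, INDET, BOGUS, MISMATCH, MISSING) also deserve a comment stating that retrying them is intended, e.g. `/* INITIAL/INDET/BOGUS/MISMATCH/MISSING are (re)tried; a later signer or DS may resolve them */`, if that is the reasoning. The loop and validate_section itself start and end outside this hunk.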
@@ -120,7 +120,7 @@ static int validate_section(kr_rrset_validation_ctx_t *vctx, knot_mm_t *pool)
                        kr_rank_set(&entry->rank, KR_RANK_SECURE);
                } else if (validation_result == kr_error(ENOENT)) {
                        /* no RRSIGs found */
-                       kr_rank_set(&entry->rank, KR_RANK_INSECURE);
+                       kr_rank_set(&entry->rank, KR_RANK_MISSING);
                        vctx->err_cnt += 1;
                } else {
                        kr_rank_set(&entry->rank, KR_RANK_BOGUS);
@@ -474,7 +474,7 @@ static int check_validation_result(kr_layer_t *ctx, ranked_rr_array_t *arr)
                if (kr_rank_test(entry->rank, KR_RANK_MISMATCH)) {
                        invalid_entry = entry;
                        break;
-               } else if (kr_rank_test(entry->rank, KR_RANK_INSECURE) &&
+               } else if (kr_rank_test(entry->rank, KR_RANK_MISSING) &&
                           !invalid_entry) {
                        invalid_entry = entry;
                } else if (!kr_rank_test(entry->rank, KR_RANK_SECURE) &&
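Review bot: The third branch, whose condition continues past the end of this hunk, is now what decides whether KR_RANK_OMIT and KR_RANK_INSECURE entries become invalid_entry: neither is SECURE, so unless the hidden remainder of the condition excludes them, a correctly unsigned (INSECURE) or deliberately skipped (OMIT) record is selected and the final branch in the next hunk (`!kr_rank_test(invalid_entry->rank, KR_RANK_SECURE)`) marks the query QUERY_DNSSEC_BOGUS. That would contradict the skip rule this commit introduces in validate_section, where OMIT and SECURE are treated as already OK. Either add an explicit exemption ahead of this branch, `else if (kr_rank_test(entry->rank, KR_RANK_OMIT) || kr_rank_test(entry->rank, KR_RANK_INSECURE)) { continue; }`, or put a comment on the branch documenting why those ranks cannot reach it. The loop in check_validation_result begins before this hunk.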
@@ -510,7 +510,7 @@ static int check_validation_result(kr_layer_t *ctx, ranked_rr_array_t *arr)
                }
                VERBOSE_MSG(qry, ">< cut changed (new signer), needs revalidation\n");
                ret = KR_STATE_YIELD;
-       } else if (kr_rank_test(invalid_entry->rank, KR_RANK_INSECURE)) {
+       } else if (kr_rank_test(invalid_entry->rank, KR_RANK_MISSING)) {
                ret = rrsig_not_found(ctx, rr);
        } else if (!kr_rank_test(invalid_entry->rank, KR_RANK_SECURE)) {
                qry->flags |= QUERY_DNSSEC_BOGUS;
index 7a40f11c94f9619be798d2e1dd7794aceb4b9c22..cf2048794c0ff8cb824d137572bb5bde65902656 100644 (file)
@@ -45,6 +45,7 @@ bool kr_rank_check(uint8_t rank)
        case KR_RANK_INDET:
        case KR_RANK_BOGUS:
        case KR_RANK_MISMATCH:
+       case KR_RANK_MISSING:
        case KR_RANK_INSECURE:
        case KR_RANK_SECURE:
                return true;
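Review bot: kr_rank_check enumerates every valid rank by hand, so each value added to `enum kr_rank` (KR_RANK_MISSING in this commit) has to be mirrored in this switch, and nothing in the code ties the two lists together. A short comment on the switch would make that dependency visible to the next person extending the enum, e.g. `/* keep in sync with enum kr_rank in resolve.h */`. The start of the switch and its default case are outside this hunk.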
index bbc5ed3a5c2cecf6a5a450b6487080df6e87fdb3..8b6b9dfc44f19cf31f1b2b2dac320b1cc1dfe628 100644 (file)
  */
 enum kr_rank {
        KR_RANK_INITIAL = 0, /**< Did not attempt to validate. */
-       KR_RANK_OMIT = 1,    /**< Do not attempt to validate. */
+       KR_RANK_OMIT = 1,    /**< Do not attempt to validate. (And don't consider it a validation failure.) */
        KR_RANK_INDET,       /**< Unable to determine whether it should be secure. */
        KR_RANK_BOGUS,       /**< Ought to be secure but isn't. */
        KR_RANK_MISMATCH,
+       KR_RANK_MISSING,     /**< Unable to obtain a good signature. */
 
        KR_RANK_INSECURE = 8, /**< Proven to be insecure. */