{daemon,lib}: sync EDE codes supported by libknot. docs-develop-tmp-33cn38/deployments/4863
authormenakite <29005531+menakite@users.noreply.github.com>
Wed, 7 Aug 2024 14:14:09 +0000 (16:14 +0200)
committerVladimír Čunát <vladimir.cunat@nic.cz>
Tue, 13 Aug 2024 11:41:48 +0000 (13:41 +0200)
Adds the following extended error codes:
  * 25 (Signature Expired before Valid): KNOT_EDNS_EDE_EXPIRED_INV
  * 26 (Too Early): KNOT_EDNS_EDE_TOO_EARLY
  * 27 (Unsupported NSEC3 Iterations Value): KNOT_EDNS_EDE_NSEC3_ITERS
  * 28 (Unable to conform to policy): KNOT_EDNS_EDE_NONCONF_POLICY
  * 29 (Synthesized): KNOT_EDNS_EDE_SYNTHESIZED

daemon/lua/kres.lua
lib/layer/validate.c
lib/resolve.c

index 44434b4d2581d7b3f5a558956277f9fb09a66f29..473d0828a937fb6ebfb52db32aa55439054470b9 100644 (file)
@@ -231,6 +231,11 @@ local const_extended_error = {
        NREACH_AUTH = 22,
        NETWORK = 23,
        INV_DATA = 24,
+       EXPIRED_INV = 25,
+       TOO_EARLY = 26,
+       NSEC3_ITERS = 27,
+       NONCONF_POLICY = 28,
+       SYNTHESIZED = 29,
 }
 
 -- Constant tables
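Review bot: `NONCONF_POLICY = 28` is exported to Lua here without the caveat that resolve.c attaches to it. The last `ede_priority` hunk groups that code with `KNOT_EDNS_EDE_NONE` at priority 0 and notes it comes from an expired Internet Draft. If the priority decides which code is kept (the setter is not visible here), a policy that sets this constant would presumably see it replaced by any other code. I would add a comment on the Lua entry, `NONCONF_POLICY = 28, -- expired draft; priority 0 in ede_priority(), any other code overrides it`. In resolve.c the case deserves its own comment too, because "No error - allow overriding" no longer describes everything in that group. The table starts before this hunk.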
index af20b2e45871d51c613c17ab6d70a5ac7d9675bc..75d68eb36f15abe0acd0d9735982bfc961103e8e 100644 (file)
@@ -1137,7 +1137,7 @@ static int validate(kr_layer_t *ctx, knot_pkt_t *pkt)
                        count += (knot_pkt_rr(sec, i)->type == KNOT_RRTYPE_NSEC3);
                if (count > 8) {
                        VERBOSE_MSG(qry, "<= too many NSEC3 records in AUTHORITY (%d)\n", count);
-                       kr_request_set_extended_error(req, 27/*KNOT_EDNS_EDE_NSEC3_ITERS*/,
+                       kr_request_set_extended_error(req, KNOT_EDNS_EDE_NSEC3_ITERS,
                                /* It's not about iteration values per se, but close enough. */
                                "DYRH: too many NSEC3 records");
                        qry->flags.DNSSEC_BOGUS = true;
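Review bot: Replacing the literal `27` with `KNOT_EDNS_EDE_NSEC3_ITERS` makes this call depend on a libknot that defines the new symbol, yet the commit's file list shows only kres.lua, validate.c and resolve.c, so no build file is touched. If the project's minimum libknot predates these codes, the build breaks here and at every new `case` in the resolve.c hunks. Please confirm that the declared libknot floor already covers codes 25 to 29, or raise it in the same commit. The body of `validate()` starts and ends outside the hunk.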
index 4730f105c1bf4eb10f4a31dee21180a4bfddd65d..4b4827f285d7d6521c2f282684c2107bbc361766 100644 (file)
@@ -972,12 +972,15 @@ knot_mm_t *kr_resolve_pool(struct kr_request *request)
 static int ede_priority(int info_code)
 {
        switch(info_code) {
+       case KNOT_EDNS_EDE_TOO_EARLY:
+               return 910;
        case KNOT_EDNS_EDE_DNSKEY_BIT:
        case KNOT_EDNS_EDE_DNSKEY_MISS:
        case KNOT_EDNS_EDE_SIG_EXPIRED:
        case KNOT_EDNS_EDE_SIG_NOTYET:
        case KNOT_EDNS_EDE_RRSIG_MISS:
        case KNOT_EDNS_EDE_NSEC_MISS:
+       case KNOT_EDNS_EDE_EXPIRED_INV:
                return 900;  /* Specific DNSSEC failures */
        case KNOT_EDNS_EDE_BOGUS:
                return 800;  /* Generic DNSSEC failure */
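Review bot: The new `return 910;` for `KNOT_EDNS_EDE_TOO_EARLY` is the only return in the visible part of `ede_priority` without a category comment. Nothing here explains why it should outrank the specific DNSSEC failures at 900. The ordering decides which error a client or operator ends up seeing, so the reason should be stated on the line, for example `return 910;  /* <why Too Early outranks DNSSEC failures> */`. The function continues past the end of this hunk.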
@@ -990,6 +993,7 @@ static int ede_priority(int info_code)
                return 600;  /* Policy related */
        case KNOT_EDNS_EDE_DNSKEY_ALG:
        case KNOT_EDNS_EDE_DS_DIGEST:
+       case KNOT_EDNS_EDE_NSEC3_ITERS:
                return 500;  /* Non-critical DNSSEC issues */
        case KNOT_EDNS_EDE_STALE:
        case KNOT_EDNS_EDE_STALE_NXD:
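Review bot: `KNOT_EDNS_EDE_NSEC3_ITERS` is ranked at 500 as a non-critical DNSSEC issue, but the validate.c hunk of this same commit sets it on a path that also sets `qry->flags.DNSSEC_BOGUS = true`. If the higher priority wins in the setter (not visible here), a later generic `KNOT_EDNS_EDE_BOGUS` at 800 would replace the more specific "too many NSEC3 records" text. That text is what an operator diagnosing the validation failure needs. Consider moving the case to the 900 group, or record the choice with a comment such as `case KNOT_EDNS_EDE_NSEC3_ITERS:  /* also set for bogus answers in validate() */`. The function starts and ends outside this hunk.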
@@ -1002,10 +1006,12 @@ static int ede_priority(int info_code)
        case KNOT_EDNS_EDE_NREACH_AUTH:
        case KNOT_EDNS_EDE_NETWORK:
        case KNOT_EDNS_EDE_INV_DATA:
+       case KNOT_EDNS_EDE_SYNTHESIZED:
                return 200;  /* Assorted codes */
        case KNOT_EDNS_EDE_OTHER:
                return 100;  /* Most generic catch-all error */
        case KNOT_EDNS_EDE_NONE:
+       case KNOT_EDNS_EDE_NONCONF_POLICY:  /* Defined by an expired Internet Draft */
                return 0;  /* No error - allow overriding */
        default:
                kr_assert(false);  /* Unknown info_code */