Store the DS and RRSIG(DS) with trust dns_trust_pending_answer
authorMark Andrews <marka@isc.org>
Wed, 27 Mar 2019 13:48:03 +0000 (00:48 +1100)
committerMark Andrews <marka@isc.org>
Fri, 2 Aug 2019 05:09:42 +0000 (15:09 +1000)
so that the validator can validate the records as part of validating
the current request.

lib/dns/resolver.c

index b2265e97edb005e4b9b207dd4f389d510a06d6e9..6a38e277cf8d228e34392d0d2a30100dd478244f 100644 (file)
@@ -8697,12 +8697,14 @@ rctx_answer_none(respctx_t *rctx) {
                rctx->negative = true;
        }
 
-       /*
-        * Process DNSSEC records in the authority section.
-        */
-       result = rctx_authority_dnssec(rctx);
-       if (result == ISC_R_COMPLETE) {
-               return (rctx->result);
+       if (!rctx->ns_in_answer && !rctx->glue_in_answer) {
+               /*
+                * Process DNSSEC records in the authority section.
+                */
+               result = rctx_authority_dnssec(rctx);
+               if (result == ISC_R_COMPLETE) {
+                       return (rctx->result);
+               }
        }
 
        /*
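Review bot: The new guard silently drops the DNSSEC pass for responses that carry NS or glue in the answer section, where the old code walked the ANSWER section instead of the authority section, and nothing in the hunk says where those records are handled now. A short comment above the `if` would save the next reader a search, e.g. `/* Answers with NS/glue are handled by the answer-section code; only scan the authority section here. */` — the first half should be confirmed against the code that now covers the ns_in_answer case, which is not in this diff. rctx_answer_none begins before the hunk and continues after it.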
@@ -8955,18 +8957,12 @@ static isc_result_t
 rctx_authority_dnssec(respctx_t *rctx) {
        isc_result_t result;
        fetchctx_t *fctx = rctx->fctx;
-       dns_section_t section;
        dns_rdataset_t *rdataset = NULL;
        bool finished = false;
 
-       if (rctx->ns_in_answer) {
-               INSIST(fctx->type == dns_rdatatype_ns);
-               section = DNS_SECTION_ANSWER;
-       } else {
-               section = DNS_SECTION_AUTHORITY;
-       }
+       REQUIRE(!rctx->ns_in_answer && !rctx->glue_in_answer);
 
-       result = dns_message_firstname(fctx->rmessage, section);
+       result = dns_message_firstname(fctx->rmessage, DNS_SECTION_AUTHORITY);
        if (result != ISC_R_SUCCESS) {
                return (ISC_R_SUCCESS);
        }
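Review bot: `REQUIRE(!rctx->ns_in_answer && !rctx->glue_in_answer)` turns an input the old code handled (scanning the answer section when `ns_in_answer` was set) into a fatal assertion, so any caller other than the guarded one in `rctx_answer_none` — none is visible in this diff — would now abort the process instead of getting a result. That is a reasonable contract, but it should be stated where a caller will see it, for example `/* Only valid for responses with no NS or glue in the answer section; the caller (rctx_answer_none) checks this first. */` above the REQUIRE. rctx_authority_dnssec continues past the hunk.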
@@ -8974,8 +8970,10 @@ rctx_authority_dnssec(respctx_t *rctx) {
        while (!finished) {
                dns_name_t *name = NULL;
 
-               dns_message_currentname(fctx->rmessage, section, &name);
-               result = dns_message_nextname(fctx->rmessage, section);
+               dns_message_currentname(fctx->rmessage, DNS_SECTION_AUTHORITY,
+                                       &name);
+               result = dns_message_nextname(fctx->rmessage,
+                                             DNS_SECTION_AUTHORITY);
                if (result != ISC_R_SUCCESS) {
                        finished = true;
                }
@@ -8991,7 +8989,10 @@ rctx_authority_dnssec(respctx_t *rctx) {
                     rdataset != NULL;
                     rdataset = ISC_LIST_NEXT(rdataset, link))
                {
+                       bool checknta = true;
+                       bool secure_domain = false;
                        dns_rdatatype_t type = rdataset->type;
+
                        if (type == dns_rdatatype_rrsig) {
                                type = rdataset->covers;
                        }
@@ -9051,7 +9052,25 @@ rctx_authority_dnssec(respctx_t *rctx) {
 
                                name->attributes |= DNS_NAMEATTR_CACHE;
                                rdataset->attributes |= DNS_RDATASETATTR_CACHE;
-                               if (rctx->aa) {
+
+                               if ((fctx->options & DNS_FETCHOPT_NONTA) != 0) {
+                                       checknta = false;
+                               }
+                               if (fctx->res->view->enablevalidation) {
+                                       result = issecuredomain(fctx->res->view,
+                                                             name,
+                                                             dns_rdatatype_ds,
+                                                             fctx->now,
+                                                             checknta, NULL,
+                                                             &secure_domain);
+                                       if (result != ISC_R_SUCCESS) {
+                                               return (result);
+                                       }
+                               }
+                               if (secure_domain) {
+                                       rdataset->trust =
+                                                dns_trust_pending_answer;
+                               } else if (rctx->aa) {
                                        rdataset->trust =
                                            dns_trust_authauthority;
                                } else if (ISFORWARDER(fctx->addrinfo)) {
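Review bot: The new `return (result)` after the `issecuredomain()` call fires after `name->attributes |= DNS_NAMEATTR_CACHE` and `rdataset->attributes |= DNS_RDATASETATTR_CACHE` have already been set but before any trust is assigned, and the only call site in this diff (`rctx_answer_none`) discards every return value other than `ISC_R_COMPLETE`, so a lookup failure leaves a DS or RRSIG(DS) flagged for caching with whatever trust it carried from message parsing while processing carries on as if nothing happened. If this function's other failure paths use the `rctx->result`/`ISC_R_COMPLETE` convention that the caller does check, the error should be reported the same way: `rctx->result = result;` followed by `return (ISC_R_COMPLETE);`. Independently, the pending-trust assignment deserves a why-comment, e.g. `/* In a secure domain leave the DS/RRSIG(DS) pending so the validator confirms them as part of this fetch rather than trusting the responding server. */`. The branch appears to sit inside a per-type test whose start lies outside the hunk, and rctx_authority_dnssec continues past it.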