validate: improve precision of one "going insecure" log
authorVladimír Čunát <vladimir.cunat@nic.cz>
Thu, 6 Aug 2020 16:18:30 +0000 (18:18 +0200)
committerPetr Špaček <petr.spacek@nic.cz>
Fri, 7 Aug 2020 14:01:48 +0000 (16:01 +0200)
The line was being logged a bit prematurely when the validator isn't
really going insecure yet.  This solves (some of?) those cases.

lib/layer/validate.c
lib/resolve.c

index 0c44f1bcc043739e8c826c3bfc91f25bd329d9bd..cbbc0738a8aaa2e2d8940632492740e4cd916c0e 100644 (file)
@@ -481,7 +481,6 @@ static int update_delegation(struct kr_request *req, struct kr_query *qry, knot_
                        VERBOSE_MSG(qry, "<= bogus proof of DS non-existence\n");
                        qry->flags.DNSSEC_BOGUS = true;
                } else if (proved_name[0] != '\0') { /* don't go to insecure for . DS */
-                       VERBOSE_MSG(qry, "<= DS doesn't exist, going insecure\n");
                        qry->flags.DNSSEC_NODS = true;
                        /* Rank the corresponding nonauth NS as insecure. */
                        for (int i = 0; i < req->auth_selected.len; ++i) {
index 4f5ea0742c17bc8a82cd32c764fa43ad550fb9c2..7b2eceb9924987d3e32a27fc73aca9d7718ed25c 100644 (file)
@@ -1200,6 +1200,7 @@ static int trust_chain_check(struct kr_request *request, struct kr_query *qry)
        if (qry->flags.DNSSEC_NODS) {
                /* This is the next query iteration with minimized qname.
                 * At previous iteration DS non-existance has been proven */
+               VERBOSE_MSG(qry, "<= DS doesn't exist, going insecure\n");
                qry->flags.DNSSEC_NODS = false;
                qry->flags.DNSSEC_WANT = false;
                qry->flags.DNSSEC_INSECURE = true;
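Review bot: The added `VERBOSE_MSG` at the top of the `DNSSEC_NODS` branch marks the exact point where `DNSSEC_WANT` is cleared and `DNSSEC_INSECURE` is set, but it names neither the zone nor the owner whose DS was proven absent. As far as the visible hunks show, it is now the only log line for this downgrade, so an operator auditing why validation was dropped has to correlate it with earlier lines; consider including the relevant name in the message. Because the line moved from lib/layer/validate.c to lib/resolve.c, it may also be emitted under this file's log tag rather than the validator's (this depends on how `VERBOSE_MSG` is defined here), which would affect existing log filters. A short comment would record the intent, e.g. `/* Logged here, not in the validator: only at this point is the query really switched to insecure. */`. The body of trust_chain_check continues outside the hunk.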