Handle DNS_R_NCACHENXRRSET in fetch_callback_{dnskey,validator}()

DNS_R_NCACHENXRRSET can be return when zones are in transition state
from being unsigned to signed and signed to unsigned.  The validation
should be resumed and should result in a insecure answer.

diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index c6a96ff9dfb56d38444763eeecf13c2d437307f5..27adb5a31f5a4fbdeecb84358da9e21e2906e7db 100644 (file)
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -410,13 +410,20 @@ fetch_callback_dnskey(isc_task_t *task, isc_event_t *event) {
        val->fetch = NULL;
        if (CANCELED(val)) {
                validator_done(val, ISC_R_CANCELED);
-       } else if (eresult == ISC_R_SUCCESS) {
-               validator_log(val, ISC_LOG_DEBUG(3), "keyset with trust %s",
+       } else if (eresult == ISC_R_SUCCESS || eresult == DNS_R_NCACHENXRRSET) {
+               /*
+                * We have an answer to our DNSKEY query.  Either the DNSKEY
+                * RRset or a NODATA response.
+                */
+               validator_log(val, ISC_LOG_DEBUG(3), "%s with trust %s",
+                             eresult == ISC_R_SUCCESS ? "keyset"
+                                                      : "NCACHENXRRSET",
                              dns_trust_totext(rdataset->trust));
                /*
-                * Only extract the dst key if the keyset is secure.
+                * Only extract the dst key if the keyset exists and is secure.
                 */
-               if (rdataset->trust >= dns_trust_secure) {
+               if (eresult == ISC_R_SUCCESS &&
+                   rdataset->trust >= dns_trust_secure) {
                        result = select_signing_key(val, rdataset);
                        if (result == ISC_R_SUCCESS) {
                                val->keyset = &val->frdataset;