fixup insecure glue on referrals.
authorWouter Wijngaards <wouter@nlnetlabs.nl>
Wed, 17 Oct 2007 15:48:54 +0000 (15:48 +0000)
committerWouter Wijngaards <wouter@nlnetlabs.nl>
Wed, 17 Oct 2007 15:48:54 +0000 (15:48 +0000)
git-svn-id: file:///svn/unbound/trunk@688 be551aaa-1e26-0410-a405-d3ace91eadb9

daemon/worker.c
doc/Changelog
validator/val_utils.c
validator/val_utils.h
validator/validator.c

index 25091f8e5987733ddad2eb0936b9e01e31e85df1..ebde077bca5b317edddd8d095c60ed721ba82c8b 100644 (file)
@@ -359,6 +359,7 @@ deleg_remove_nonsecure_additional(struct reply_info* rep)
                                (rep->rrset_count - i - 1));
                        rep->ar_numrrsets--; 
                        rep->rrset_count--;
+                       i--;
                }
        }
 }
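Review bot: The added `i--` relies on the enclosing loop's `i++` to revisit the rrset that memmove shifted into slot i, and nothing at the site says so; on its own it reads as an off-by-one, and if `i` is a `size_t` that could be zero here it wraps before the increment restores it (defined for unsigned, but a magnet for analyzer warnings). A one-line comment would make the intent explicit: `i--; /* an rrset was shifted into slot i; re-examine it on the next iteration */`. The same pattern is added in the val_check_nonsecure hunk of validator/val_utils.c and would benefit from the same comment. deleg_remove_nonsecure_additional begins outside the hunk, so the loop header and the type of `i` are not visible here.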
index 05d0cef7a991395177c7426f8654bb8b3276840a..ca537dbbf62c70ba4127cb22a0e3d23cbf9c00a1 100644 (file)
@@ -13,6 +13,8 @@
        - removed some debug prints, only verb_algo (4) enables them.
        - fixup test; new random generator took new paths; such as one 
          where no scripted answer was available.
+       - mark insecure RRs as insecure.
+       - fixup removal of nonsecure items from the additional.
 
 16 October 2007: Wouter
        - no malloc in log_hex.
index 40a470e1f48c2c0c5752825ecd9c19e57ec21691..c882ca8a9d9318b94b8c4805cda60362823e168c 100644 (file)
@@ -550,11 +550,8 @@ rrset_has_signer(struct ub_packed_rrset_key* rrset, uint8_t* name, size_t len)
 
 void 
 val_fill_reply(struct reply_info* chase, struct reply_info* orig, 
-       size_t skip, uint8_t* name, size_t len)
+       size_t skip, uint8_t* name, size_t len, uint8_t* signer)
 {
-       /* unsigned RRsets are never copied, but should not happen in 
-        * secure answers anyway. Except for the synthesized CNAME after 
-        * a DNAME. */
        size_t i;
        int seen_dname = 0;
        chase->rrset_count = 0;
@@ -563,7 +560,12 @@ val_fill_reply(struct reply_info* chase, struct reply_info* orig,
        chase->ar_numrrsets = 0;
        /* ANSWER section */
        for(i=skip; i<orig->an_numrrsets; i++) {
-               if(seen_dname && ntohs(orig->rrsets[i]->rk.type) == 
+               if(!signer) {
+                       if(query_dname_compare(name, 
+                               orig->rrsets[i]->rk.dname) == 0)
+                               chase->rrsets[chase->an_numrrsets++] = 
+                                       orig->rrsets[i];
+               } else if(seen_dname && ntohs(orig->rrsets[i]->rk.type) == 
                        LDNS_RR_TYPE_CNAME) {
                        chase->rrsets[chase->an_numrrsets++] = orig->rrsets[i];
                        seen_dname = 0;
@@ -579,7 +581,12 @@ val_fill_reply(struct reply_info* chase, struct reply_info* orig,
        for(i = (skip > orig->an_numrrsets)?skip:orig->an_numrrsets;
                i<orig->an_numrrsets+orig->ns_numrrsets; 
                i++) {
-               if(rrset_has_signer(orig->rrsets[i], name, len)) {
+               if(!signer) {
+                       if(query_dname_compare(name, 
+                               orig->rrsets[i]->rk.dname) == 0)
+                               chase->rrsets[chase->an_numrrsets+
+                                   chase->ns_numrrsets++] = orig->rrsets[i];
+               } else if(rrset_has_signer(orig->rrsets[i], name, len)) {
                        chase->rrsets[chase->an_numrrsets+
                                chase->ns_numrrsets++] = orig->rrsets[i];
                }
@@ -588,7 +595,13 @@ val_fill_reply(struct reply_info* chase, struct reply_info* orig,
        for(i= (skip>orig->an_numrrsets+orig->ns_numrrsets)?
                skip:orig->an_numrrsets+orig->ns_numrrsets; 
                i<orig->rrset_count; i++) {
-               if(rrset_has_signer(orig->rrsets[i], name, len)) {
+               if(!signer) {
+                       if(query_dname_compare(name, 
+                               orig->rrsets[i]->rk.dname) == 0)
+                           chase->rrsets[chase->an_numrrsets
+                               +orig->ns_numrrsets+chase->ar_numrrsets++] 
+                               = orig->rrsets[i];
+               } else if(rrset_has_signer(orig->rrsets[i], name, len)) {
                        chase->rrsets[chase->an_numrrsets+orig->ns_numrrsets+
                                chase->ar_numrrsets++] = orig->rrsets[i];
                }
@@ -643,6 +656,7 @@ val_check_nonsecure(struct val_env* ve, struct reply_info* rep)
                                (rep->rrset_count - i - 1));
                        rep->ar_numrrsets--;
                        rep->rrset_count--;
+                       i--;
                }
        }
 }
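Review bot: In the ADDITIONAL loop of val_fill_reply the new `!signer` branch computes its destination slot as `chase->an_numrrsets + orig->ns_numrrsets + chase->ar_numrrsets++`, while the AUTHORITY loop just above appends with `chase->ns_numrrsets`; the two only agree when every authority rrset of `orig` was copied. When some were filtered out, additional rrsets are placed after a gap of untouched slots and, if `chase->rrset_count` is later derived from the chase counts (outside these hunks), end up beyond it. Using the chase count in both places keeps the sections contiguous: `chase->rrsets[chase->an_numrrsets + chase->ns_numrrsets + chase->ar_numrrsets++] = orig->rrsets[i];` (the pre-existing `rrset_has_signer` branch beside it has the same form and should change with it). The comment deleted from the top of the function should be replaced by one stating the new contract, namely that with `signer == NULL` the rrsets owned by `name` are copied unsigned and that only the nullness of `signer` is examined, since every comparison in the three loops uses `name`/`len`. The function's final statements lie outside the hunks shown.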
index c6fe5f7488898029ed58f34a9c766535a53983f3..cd4579ed0d0c141618718d7a9eec67db3449fb3f 100644 (file)
@@ -206,9 +206,11 @@ int val_chase_cname(struct query_info* qchase, struct reply_info* rep,
  *     The skipped part contains CNAME(and DNAME)s that have been chased.
  * @param name: the signer name to look for.
  * @param len: length of name.
+ * @param signer: signer name or NULL if an unsigned RRset is considered.
+ *     If NULL, rrsets with the lookup name are copied over.
  */
 void val_fill_reply(struct reply_info* chase, struct reply_info* orig, 
-       size_t cname_skip, uint8_t* name, size_t len);
+       size_t cname_skip, uint8_t* name, size_t len, uint8_t* signer);
 
 /**
  * Remove all unsigned or non-secure status rrsets from NS and AR sections.
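Review bot: The new `@param signer` text says that with a NULL signer the rrsets carrying the lookup name are copied, but the `@param name` line above still describes `name` only as "the signer name to look for", so the two descriptions contradict each other for the NULL case. Reword it to cover both uses: ` * @param name: the signer name to look for, or the lookup name when signer is NULL.` It is also worth stating that `signer` is only tested for NULL-ness and its contents are never compared, which is what the implementation in val_utils.c does, so a caller does not assume it has to match `name`.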
index 55a69c5dcbfd20441546efc8a16c15829777654b..126b0918d553cf850877bde53b80e87e08982419 100644 (file)
@@ -1164,7 +1164,8 @@ processInit(struct module_qstate* qstate, struct val_qstate* vq,
                /* extract this part of orig_msg into chase_reply for
                 * the eventual VALIDATE stage */
                val_fill_reply(vq->chase_reply, vq->orig_msg->rep, 
-                       vq->rrset_skip, lookup_name, lookup_len);
+                       vq->rrset_skip, lookup_name, lookup_len, 
+                       vq->signer_name);
                if(verbosity >= VERB_ALGO)
                        log_dns_msg("chased extract", &vq->qchase, 
                                vq->chase_reply);