This commit removes the early zone cut computation using DS queries.
It instead determines the status of a record when it is either received
from an authoritative server or retrieved from a cache, detecting missed
zone cuts when the expected signatures are not present.
This results in roughly 8% fewer outgoing queries in quick testing.
One remaining issue is that we do not detect a missing zone cut when
we get signatures but the DS record has not been published. We should
likely try to find a DS denial when the signer is not expected, or
perhaps always?
We also need some optimizations, like perhaps caching the (N)TA,
and updating the zone cuts when we see a DS or denial of a DS in
an answer.
BOOST_CHECK_EQUAL(res, RCode::NXDomain);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);
BOOST_REQUIRE_EQUAL(ret.size(), 6U);
- BOOST_CHECK_EQUAL(queriesCount, 7U);
+ BOOST_CHECK_EQUAL(queriesCount, 4U);
ret.clear();
res = sr->beginResolve(target2, QType(QType::A), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NXDomain);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);
BOOST_REQUIRE_EQUAL(ret.size(), 6U);
- BOOST_CHECK_EQUAL(queriesCount, 7U);
+ BOOST_CHECK_EQUAL(queriesCount, 4U);
}
BOOST_AUTO_TEST_CASE(test_aggressive_nsec_nodata)
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);
BOOST_REQUIRE_EQUAL(ret.size(), 4U);
- BOOST_CHECK_EQUAL(queriesCount, 7U);
+ BOOST_CHECK_EQUAL(queriesCount, 4U);
ret.clear();
res = sr->beginResolve(target, QType(QType::AAAA), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);
BOOST_REQUIRE_EQUAL(ret.size(), 4U);
- BOOST_CHECK_EQUAL(queriesCount, 7U);
+ BOOST_CHECK_EQUAL(queriesCount, 4U);
}
BOOST_AUTO_TEST_CASE(test_aggressive_nsec_nodata_wildcard)
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);
BOOST_REQUIRE_EQUAL(ret.size(), 4U);
- BOOST_CHECK_EQUAL(queriesCount, 7U);
+ BOOST_CHECK_EQUAL(queriesCount, 4U);
ret.clear();
res = sr->beginResolve(target, QType(QType::AAAA), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);
BOOST_REQUIRE_EQUAL(ret.size(), 4U);
- BOOST_CHECK_EQUAL(queriesCount, 7U);
+ BOOST_CHECK_EQUAL(queriesCount, 4U);
}
BOOST_AUTO_TEST_CASE(test_aggressive_nsec_wildcard_synthesis)
BOOST_REQUIRE_EQUAL(ret.size(), 4U);
BOOST_CHECK_EQUAL(ret.at(0).d_name, target);
BOOST_CHECK_EQUAL(ret.at(0).d_type, QType(QType::A).getCode());
- BOOST_CHECK_EQUAL(queriesCount, 7U);
+ BOOST_CHECK_EQUAL(queriesCount, 4U);
ret.clear();
res = sr->beginResolve(DNSName("b.powerdns.com."), QType(QType::A), QClass::IN, ret);
BOOST_REQUIRE_EQUAL(ret.size(), 4U);
BOOST_CHECK_EQUAL(ret.at(0).d_name, DNSName("b.powerdns.com."));
BOOST_CHECK_EQUAL(ret.at(0).d_type, QType(QType::A).getCode());
- BOOST_CHECK_EQUAL(queriesCount, 7U);
+ BOOST_CHECK_EQUAL(queriesCount, 4U);
}
BOOST_AUTO_TEST_CASE(test_aggressive_nsec3_nxdomain)
BOOST_CHECK_EQUAL(res, RCode::NXDomain);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);
BOOST_REQUIRE_EQUAL(ret.size(), 8U);
- BOOST_CHECK_EQUAL(queriesCount, 7U);
+ BOOST_CHECK_EQUAL(queriesCount, 4U);
ret.clear();
res = sr->beginResolve(target2, QType(QType::A), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NXDomain);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);
BOOST_REQUIRE_EQUAL(ret.size(), 8U);
- BOOST_CHECK_EQUAL(queriesCount, 7U);
+ BOOST_CHECK_EQUAL(queriesCount, 4U);
}
BOOST_AUTO_TEST_CASE(test_aggressive_nsec3_nodata)
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);
BOOST_REQUIRE_EQUAL(ret.size(), 4U);
- BOOST_CHECK_EQUAL(queriesCount, 7U);
+ BOOST_CHECK_EQUAL(queriesCount, 4U);
ret.clear();
res = sr->beginResolve(target, QType(QType::AAAA), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);
BOOST_REQUIRE_EQUAL(ret.size(), 4U);
- BOOST_CHECK_EQUAL(queriesCount, 7U);
+ BOOST_CHECK_EQUAL(queriesCount, 4U);
}
BOOST_AUTO_TEST_CASE(test_aggressive_nsec3_nodata_wildcard)
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);
BOOST_REQUIRE_EQUAL(ret.size(), 8U);
- BOOST_CHECK_EQUAL(queriesCount, 7U);
+ BOOST_CHECK_EQUAL(queriesCount, 4U);
ret.clear();
res = sr->beginResolve(target, QType(QType::AAAA), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);
BOOST_REQUIRE_EQUAL(ret.size(), 8U);
- BOOST_CHECK_EQUAL(queriesCount, 7U);
+ BOOST_CHECK_EQUAL(queriesCount, 4U);
}
BOOST_AUTO_TEST_CASE(test_aggressive_nsec3_wildcard_synthesis)
BOOST_REQUIRE_EQUAL(ret.size(), 4U);
BOOST_CHECK_EQUAL(ret.at(0).d_name, target);
BOOST_CHECK_EQUAL(ret.at(0).d_type, QType(QType::A).getCode());
- BOOST_CHECK_EQUAL(queriesCount, 7U);
+ BOOST_CHECK_EQUAL(queriesCount, 4U);
ret.clear();
res = sr->beginResolve(DNSName("b.powerdns.com."), QType(QType::A), QClass::IN, ret);
BOOST_REQUIRE_EQUAL(ret.size(), 4U);
BOOST_CHECK_EQUAL(ret.at(0).d_name, DNSName("b.powerdns.com."));
BOOST_CHECK_EQUAL(ret.at(0).d_type, QType(QType::A).getCode());
- BOOST_CHECK_EQUAL(queriesCount, 7U);
+ BOOST_CHECK_EQUAL(queriesCount, 4U);
}
BOOST_AUTO_TEST_CASE(test_aggressive_nsec_wiping)
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);
BOOST_REQUIRE_EQUAL(ret.size(), 5U); /* DNAME + RRSIG(DNAME) + CNAME + A + RRSIG(A) */
- BOOST_CHECK_EQUAL(queries, 11U);
+ BOOST_CHECK_EQUAL(queries, 7U);
BOOST_REQUIRE(ret[0].d_type == QType::DNAME);
BOOST_CHECK(ret[0].d_name == dnameOwner);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);
BOOST_REQUIRE_EQUAL(ret.size(), 5U); /* DNAME + RRSIG(DNAME) + CNAME + A + RRSIG(A) */
- BOOST_CHECK_EQUAL(queries, 11U);
+ BOOST_CHECK_EQUAL(queries, 7U);
BOOST_REQUIRE(ret[0].d_type == QType::DNAME);
BOOST_CHECK(ret[0].d_name == dnameOwner);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure);
BOOST_REQUIRE_EQUAL(ret.size(), 4U); /* DNAME + RRSIG(DNAME) + CNAME + A */
- BOOST_CHECK_EQUAL(queries, 9U);
+ BOOST_CHECK_EQUAL(queries, 7U);
BOOST_REQUIRE(ret[0].d_type == QType::DNAME);
BOOST_CHECK(ret[0].d_name == dnameOwner);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure);
BOOST_REQUIRE_EQUAL(ret.size(), 4U); /* DNAME + RRSIG(DNAME) + CNAME + A */
- BOOST_CHECK_EQUAL(queries, 9U);
+ BOOST_CHECK_EQUAL(queries, 7U);
BOOST_REQUIRE(ret[0].d_type == QType::DNAME);
BOOST_CHECK(ret[0].d_name == dnameOwner);
BOOST_CHECK_EQUAL(res, RCode::NXDomain);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);
BOOST_CHECK_EQUAL(ret.size(), 6U);
- BOOST_CHECK_EQUAL(queriesCount, 9U);
+ BOOST_CHECK_EQUAL(queriesCount, 6U);
BOOST_CHECK_EQUAL(g_negCache->size(), 1U);
ret.clear();
BOOST_CHECK_EQUAL(res, RCode::NXDomain);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);
BOOST_CHECK_EQUAL(ret.size(), 6U);
- BOOST_CHECK_EQUAL(queriesCount, 9U);
+ BOOST_CHECK_EQUAL(queriesCount, 6U);
BOOST_CHECK_EQUAL(g_negCache->size(), 1U);
ret.clear();
BOOST_CHECK_EQUAL(res, RCode::NXDomain);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);
BOOST_CHECK_EQUAL(ret.size(), 6U);
- BOOST_CHECK_EQUAL(queriesCount, 9U);
+ BOOST_CHECK_EQUAL(queriesCount, 6U);
BOOST_CHECK_EQUAL(g_negCache->size(), 1U);
ret.clear();
BOOST_CHECK_EQUAL(res, RCode::NXDomain);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);
BOOST_CHECK_EQUAL(ret.size(), 6U);
- BOOST_CHECK_EQUAL(queriesCount, 9U);
+ BOOST_CHECK_EQUAL(queriesCount, 6U);
BOOST_CHECK_EQUAL(g_negCache->size(), 1U);
// Now test without RFC 8020 to see the cache and query count grow
BOOST_CHECK_EQUAL(res, RCode::NXDomain);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);
BOOST_CHECK_EQUAL(ret.size(), 6U);
- BOOST_CHECK_EQUAL(queriesCount, 9U);
+ BOOST_CHECK_EQUAL(queriesCount, 6U);
BOOST_CHECK_EQUAL(g_negCache->size(), 1U);
// New query
BOOST_CHECK_EQUAL(res, RCode::NXDomain);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);
BOOST_CHECK_EQUAL(ret.size(), 6U);
- BOOST_CHECK_EQUAL(queriesCount, 11U);
+ BOOST_CHECK_EQUAL(queriesCount, 7U);
BOOST_CHECK_EQUAL(g_negCache->size(), 2U);
ret.clear();
BOOST_CHECK_EQUAL(res, RCode::NXDomain);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);
BOOST_CHECK_EQUAL(ret.size(), 6U);
- BOOST_CHECK_EQUAL(queriesCount, 13U);
+ BOOST_CHECK_EQUAL(queriesCount, 8U);
BOOST_CHECK_EQUAL(g_negCache->size(), 3U);
ret.clear();
BOOST_CHECK_EQUAL(res, RCode::NXDomain);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);
BOOST_CHECK_EQUAL(ret.size(), 6U);
- BOOST_CHECK_EQUAL(queriesCount, 15U);
+ BOOST_CHECK_EQUAL(queriesCount, 9U);
BOOST_CHECK_EQUAL(g_negCache->size(), 4U);
// reset
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);
BOOST_REQUIRE_EQUAL(ret.size(), 2U);
- BOOST_CHECK_EQUAL(queriesCount, 5U);
+ BOOST_CHECK_EQUAL(queriesCount, 4U);
BOOST_CHECK_EQUAL(DSforParentCount, 1U);
/* again, to test the cache */
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);
BOOST_REQUIRE_EQUAL(ret.size(), 2U);
- BOOST_CHECK_EQUAL(queriesCount, 5U);
+ BOOST_CHECK_EQUAL(queriesCount, 4U);
BOOST_CHECK_EQUAL(DSforParentCount, 1U);
- /* new target should no cause a DS query for tets. */
+ /* new target should not cause a DS query for test. */
ret.clear();
res = sr->beginResolve(target2, QType(QType::A), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);
BOOST_REQUIRE_EQUAL(ret.size(), 2U);
- BOOST_CHECK_EQUAL(queriesCount, 7U);
+ BOOST_CHECK_EQUAL(queriesCount, 5U);
BOOST_CHECK_EQUAL(DSforParentCount, 1U);
}
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_REQUIRE_EQUAL(ret.size(), 1U);
BOOST_CHECK(ret[0].d_type == QType::A);
- BOOST_CHECK_EQUAL(queriesCount, 3U);
+ BOOST_CHECK_EQUAL(queriesCount, 1U);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Indeterminate);
}
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);
BOOST_REQUIRE_EQUAL(ret.size(), 2U);
- BOOST_CHECK_EQUAL(queriesCount, 8U);
+ BOOST_CHECK_EQUAL(queriesCount, 6U);
/* again, to test the cache */
ret.clear();
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);
BOOST_REQUIRE_EQUAL(ret.size(), 2U);
- BOOST_CHECK_EQUAL(queriesCount, 8U);
+ BOOST_CHECK_EQUAL(queriesCount, 6U);
}
static void testFixedPointInTime(time_t fixedNow)
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);
BOOST_REQUIRE_EQUAL(ret.size(), 2U);
- BOOST_CHECK_EQUAL(queriesCount, 8U);
+ BOOST_CHECK_EQUAL(queriesCount, 6U);
/* again, to test the cache */
ret.clear();
res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);
BOOST_REQUIRE_EQUAL(ret.size(), 2U);
- BOOST_CHECK_EQUAL(queriesCount, 8U);
+ BOOST_CHECK_EQUAL(queriesCount, 6U);
}
BOOST_AUTO_TEST_CASE(test_dnssec_secure_various_algos1970)
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);
BOOST_REQUIRE_EQUAL(ret.size(), 2U);
- BOOST_CHECK_EQUAL(queriesCount, 8U);
+ BOOST_CHECK_EQUAL(queriesCount, 6U);
/* again, to test the cache */
ret.clear();
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);
BOOST_REQUIRE_EQUAL(ret.size(), 2U);
- BOOST_CHECK_EQUAL(queriesCount, 8U);
+ BOOST_CHECK_EQUAL(queriesCount, 6U);
/* this time we ask for the NS that should be in the cache, to check
the validation status */
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);
BOOST_REQUIRE_EQUAL(ret.size(), 2U);
- BOOST_CHECK_EQUAL(queriesCount, 9U);
+ BOOST_CHECK_EQUAL(queriesCount, 7U);
}
BOOST_AUTO_TEST_CASE(test_dnssec_insecure_a_then_ns)
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure);
BOOST_REQUIRE_EQUAL(ret.size(), 1U);
- BOOST_CHECK_EQUAL(queriesCount, 7U);
+ BOOST_CHECK_EQUAL(queriesCount, 5U);
/* again, to test the cache */
ret.clear();
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure);
BOOST_REQUIRE_EQUAL(ret.size(), 1U);
- BOOST_CHECK_EQUAL(queriesCount, 7U);
+ BOOST_CHECK_EQUAL(queriesCount, 5U);
/* this time we ask for the NS that should be in the cache, to check
the validation status */
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure);
BOOST_REQUIRE_EQUAL(ret.size(), 1U);
- BOOST_CHECK_EQUAL(queriesCount, 8U);
+ BOOST_CHECK_EQUAL(queriesCount, 6U);
}
BOOST_AUTO_TEST_CASE(test_dnssec_secure_with_nta)
/* Should be insecure because of the NTA */
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure);
BOOST_REQUIRE_EQUAL(ret.size(), 1U);
- BOOST_CHECK_EQUAL(queriesCount, 4U);
+ BOOST_CHECK_EQUAL(queriesCount, 3U);
/* again, to test the cache */
ret.clear();
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure);
BOOST_REQUIRE_EQUAL(ret.size(), 1U);
- BOOST_CHECK_EQUAL(queriesCount, 4U);
+ BOOST_CHECK_EQUAL(queriesCount, 3U);
}
BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec)
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);
BOOST_REQUIRE_EQUAL(ret.size(), 4U);
- BOOST_CHECK_EQUAL(queriesCount, 8U);
+ BOOST_CHECK_EQUAL(queriesCount, 6U);
/* again, to test the cache */
ret.clear();
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);
BOOST_REQUIRE_EQUAL(ret.size(), 4U);
- BOOST_CHECK_EQUAL(queriesCount, 8U);
+ BOOST_CHECK_EQUAL(queriesCount, 6U);
}
BOOST_AUTO_TEST_CASE(test_dnssec_validation_nxdomain_nsec)
BOOST_CHECK_EQUAL(res, RCode::NXDomain);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);
BOOST_REQUIRE_EQUAL(ret.size(), 6U);
- BOOST_CHECK_EQUAL(queriesCount, 9U);
+ BOOST_CHECK_EQUAL(queriesCount, 6U);
/* again, to test the cache */
ret.clear();
BOOST_CHECK_EQUAL(res, RCode::NXDomain);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);
BOOST_REQUIRE_EQUAL(ret.size(), 6U);
- BOOST_CHECK_EQUAL(queriesCount, 9U);
+ BOOST_CHECK_EQUAL(queriesCount, 6U);
}
BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec_wildcard)
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);
BOOST_REQUIRE_EQUAL(ret.size(), 4U);
- BOOST_CHECK_EQUAL(queriesCount, 9U);
+ BOOST_CHECK_EQUAL(queriesCount, 6U);
/* again, to test the cache */
ret.clear();
/* check that we applied the lowest TTL, here this is from the NSEC proving that the exact name did not exist */
BOOST_CHECK_LE(rec.d_ttl, 60U);
}
- BOOST_CHECK_EQUAL(queriesCount, 9U);
+ BOOST_CHECK_EQUAL(queriesCount, 6U);
}
BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec_wildcard_proof_before_rrsig)
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);
BOOST_REQUIRE_EQUAL(ret.size(), 4U);
- BOOST_CHECK_EQUAL(queriesCount, 9U);
+ BOOST_CHECK_EQUAL(queriesCount, 6U);
/* again, to test the cache */
ret.clear();
/* check that we applied the lowest TTL, here this is from the NSEC proving that the exact name did not exist */
BOOST_CHECK_LE(rec.d_ttl, 60U);
}
- BOOST_CHECK_EQUAL(queriesCount, 9U);
+ BOOST_CHECK_EQUAL(queriesCount, 6U);
}
BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec_nodata_nowildcard)
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);
BOOST_REQUIRE_EQUAL(ret.size(), 6U);
- BOOST_CHECK_EQUAL(queriesCount, 6U);
+ BOOST_CHECK_EQUAL(queriesCount, 5U);
/* again, to test the cache */
ret.clear();
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);
BOOST_REQUIRE_EQUAL(ret.size(), 6U);
- BOOST_CHECK_EQUAL(queriesCount, 6U);
+ BOOST_CHECK_EQUAL(queriesCount, 5U);
}
BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec3_nodata_nowildcard)
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);
BOOST_REQUIRE_EQUAL(ret.size(), 8U);
- BOOST_CHECK_EQUAL(queriesCount, 6U);
+ BOOST_CHECK_EQUAL(queriesCount, 5U);
/* again, to test the cache */
ret.clear();
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);
BOOST_REQUIRE_EQUAL(ret.size(), 8U);
- BOOST_CHECK_EQUAL(queriesCount, 6U);
+ BOOST_CHECK_EQUAL(queriesCount, 5U);
}
BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec3_nodata_nowildcard_duplicated_nsec3)
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);
/* because we pass along the duplicated NSEC3 */
BOOST_REQUIRE_EQUAL(ret.size(), 9U);
- BOOST_CHECK_EQUAL(queriesCount, 6U);
+ BOOST_CHECK_EQUAL(queriesCount, 5U);
/* again, to test the cache */
ret.clear();
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);
/* because we pass along the duplicated NSEC3 */
BOOST_REQUIRE_EQUAL(ret.size(), 9U);
- BOOST_CHECK_EQUAL(queriesCount, 6U);
+ BOOST_CHECK_EQUAL(queriesCount, 5U);
}
BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec3_nodata_nowildcard_too_many_iterations)
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure);
BOOST_REQUIRE_EQUAL(ret.size(), 8U);
- BOOST_CHECK_EQUAL(queriesCount, 6U);
+ BOOST_CHECK_EQUAL(queriesCount, 5U);
/* again, to test the cache */
ret.clear();
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure);
BOOST_REQUIRE_EQUAL(ret.size(), 8U);
- BOOST_CHECK_EQUAL(queriesCount, 6U);
+ BOOST_CHECK_EQUAL(queriesCount, 5U);
}
BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec3_wildcard)
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);
BOOST_REQUIRE_EQUAL(ret.size(), 6U);
- BOOST_CHECK_EQUAL(queriesCount, 10U);
+ BOOST_CHECK_EQUAL(queriesCount, 6U);
/* again, to test the cache */
ret.clear();
/* check that we applied the lowest TTL, here this is from the NSEC3 proving that the exact name did not exist (next closer) */
BOOST_CHECK_LE(rec.d_ttl, 60U);
}
- BOOST_CHECK_EQUAL(queriesCount, 10U);
+ BOOST_CHECK_EQUAL(queriesCount, 6U);
}
BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec3_wildcard_too_many_iterations)
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure);
BOOST_REQUIRE_EQUAL(ret.size(), 6U);
- BOOST_CHECK_EQUAL(queriesCount, 9U);
+ BOOST_CHECK_EQUAL(queriesCount, 6U);
/* again, to test the cache */
ret.clear();
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure);
BOOST_REQUIRE_EQUAL(ret.size(), 6U);
- BOOST_CHECK_EQUAL(queriesCount, 9U);
+ BOOST_CHECK_EQUAL(queriesCount, 6U);
}
BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec_wildcard_missing)
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusInvalidDenial);
BOOST_REQUIRE_EQUAL(ret.size(), 2U);
- BOOST_CHECK_EQUAL(queriesCount, 9U);
+ BOOST_CHECK_EQUAL(queriesCount, 6U);
/* again, to test the cache */
ret.clear();
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusInvalidDenial);
BOOST_REQUIRE_EQUAL(ret.size(), 2U);
- BOOST_CHECK_EQUAL(queriesCount, 9U);
+ BOOST_CHECK_EQUAL(queriesCount, 6U);
}
BOOST_AUTO_TEST_CASE(test_dnssec_validation_wildcard_expanded_onto_itself)
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);
BOOST_REQUIRE_EQUAL(ret.size(), 2U);
- BOOST_CHECK_EQUAL(queriesCount, 12U);
+ BOOST_CHECK_EQUAL(queriesCount, 10U);
ret.clear();
res = sr->beginResolve(DNSName("dns1.p03.nsone.net."), QType(QType::A), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure);
BOOST_REQUIRE_EQUAL(ret.size(), 1U);
- BOOST_CHECK_EQUAL(queriesCount, 16U);
+ BOOST_CHECK_EQUAL(queriesCount, 14U);
}
BOOST_AUTO_TEST_CASE(test_dnssec_secure_servfail_ds)
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);
BOOST_REQUIRE_EQUAL(ret.size(), 2U);
- BOOST_CHECK_EQUAL(queriesCount, 9U);
- BOOST_CHECK_EQUAL(dsQueriesCount, 3U);
+ BOOST_CHECK_EQUAL(queriesCount, 8U);
+ BOOST_CHECK_EQUAL(dsQueriesCount, 2U);
/* again, to test the cache */
ret.clear();
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);
BOOST_REQUIRE_EQUAL(ret.size(), 2U);
- BOOST_CHECK_EQUAL(queriesCount, 9U);
- BOOST_CHECK_EQUAL(dsQueriesCount, 3U);
+ BOOST_CHECK_EQUAL(queriesCount, 8U);
+ BOOST_CHECK_EQUAL(dsQueriesCount, 2U);
}
BOOST_AUTO_TEST_CASE(test_dnssec_ds_sign_loop)
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusSelfSignedDS);
BOOST_REQUIRE_EQUAL(ret.size(), 2U);
- BOOST_CHECK_EQUAL(queriesCount, 8U);
+ BOOST_CHECK_EQUAL(queriesCount, 7U);
/* again, to test the cache */
ret.clear();
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusSelfSignedDS);
BOOST_REQUIRE_EQUAL(ret.size(), 2U);
- BOOST_CHECK_EQUAL(queriesCount, 8U);
+ BOOST_CHECK_EQUAL(queriesCount, 7U);
}
BOOST_AUTO_TEST_CASE(test_dnssec_ds_root)
addRRSIG(keys, res->d_records, DNSName("."), 300);
return LWResult::Result::Success;
}
+ else if (type == QType::DNSKEY) {
+ setLWResult(res, 0, true, false, true);
+ addDNSKEY(keys, domain, 300, res->d_records);
+ addRRSIG(keys, res->d_records, DNSName("."), 300);
+ return LWResult::Result::Success;
+ }
return LWResult::Result::Timeout;
});
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);
BOOST_REQUIRE_EQUAL(ret.size(), 4U);
- BOOST_CHECK_EQUAL(queriesCount, 1U);
+ BOOST_CHECK_EQUAL(queriesCount, 2U);
/* again, to test the cache */
ret.clear();
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);
BOOST_REQUIRE_EQUAL(ret.size(), 4U);
- BOOST_CHECK_EQUAL(queriesCount, 1U);
+ BOOST_CHECK_EQUAL(queriesCount, 2U);
}
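Review bot: The new `else if (type == QType::DNSKEY)` branch answers a DNSKEY query for any `domain` with a key set owned by `domain` but signed as `.`, so an unexpected DNSKEY query for some other name would get a plausible-looking, mis-signed answer instead of the `LWResult::Result::Timeout` every other unexpected query receives. Since the test pins `queriesCount` to exactly 2, keep the mock strict: `else if (type == QType::DNSKEY && domain == DNSName("."))`. A one-line comment on the branch explaining why the extra query now happens would also help, presumably along the lines of `/* validating the root DS now fetches the root DNSKEY instead of relying on the early zone-cut computation */` — hedged, since the DS branch and the query sequence are outside this hunk. The mock lambda starts before this hunk.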
BOOST_AUTO_TEST_CASE(test_dnssec_dnskey_signed_child)
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoValidRRSIG);
BOOST_REQUIRE_EQUAL(ret.size(), 2U);
- BOOST_CHECK_EQUAL(queriesCount, 10U);
+ BOOST_CHECK_EQUAL(queriesCount, 6U);
/* again, to test the cache */
ret.clear();
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoValidRRSIG);
BOOST_REQUIRE_EQUAL(ret.size(), 2U);
- BOOST_CHECK_EQUAL(queriesCount, 10U);
+ BOOST_CHECK_EQUAL(queriesCount, 6U);
}
BOOST_AUTO_TEST_CASE(test_dnssec_no_ds_on_referral_insecure)
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG);
BOOST_CHECK_EQUAL(ret.size(), 3U);
- BOOST_CHECK_EQUAL(queriesCount, 8U);
+ BOOST_CHECK_EQUAL(queriesCount, 6U);
/* again, to test the cache */
ret.clear();
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG);
BOOST_REQUIRE_EQUAL(ret.size(), 3U);
- BOOST_CHECK_EQUAL(queriesCount, 8U);
+ BOOST_CHECK_EQUAL(queriesCount, 6U);
}
BOOST_AUTO_TEST_CASE(test_dnssec_validation_bogus_no_nsec)
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusInvalidDenial);
BOOST_CHECK_EQUAL(ret.size(), 2U);
- BOOST_CHECK_EQUAL(queriesCount, 8U);
+ BOOST_CHECK_EQUAL(queriesCount, 6U);
/* again, to test the cache */
ret.clear();
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusInvalidDenial);
BOOST_REQUIRE_EQUAL(ret.size(), 2U);
- BOOST_CHECK_EQUAL(queriesCount, 8U);
+ BOOST_CHECK_EQUAL(queriesCount, 6U);
}
BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_insecure)
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure);
BOOST_REQUIRE_EQUAL(ret.size(), 1U);
BOOST_CHECK(ret[0].d_type == QType::A);
- /* 4 NS: com at ., com at com, powerdns.com at com, powerdns.com at powerdns.com
- 4 DNSKEY: ., com (not for powerdns.com because DS denial in referral)
+ /* 2 NS: com at ., powerdns.com at com
+ 2 DNSKEY: ., com (not for powerdns.com because DS denial in referral)
1 query for A */
- BOOST_CHECK_EQUAL(queriesCount, 7U);
+ BOOST_CHECK_EQUAL(queriesCount, 5U);
/* again, to test the cache */
ret.clear();
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure);
BOOST_REQUIRE_EQUAL(ret.size(), 1U);
BOOST_CHECK(ret[0].d_type == QType::A);
- BOOST_CHECK_EQUAL(queriesCount, 7U);
+ BOOST_CHECK_EQUAL(queriesCount, 5U);
}
BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_insecure_optout)
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure);
BOOST_REQUIRE_EQUAL(ret.size(), 6U);
BOOST_CHECK(ret[0].d_type == QType::SOA);
- BOOST_CHECK_EQUAL(queriesCount, 6U);
+ BOOST_CHECK_EQUAL(queriesCount, 4U);
/* again, to test the cache */
ret.clear();
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure);
BOOST_REQUIRE_EQUAL(ret.size(), 6U);
BOOST_CHECK(ret[0].d_type == QType::SOA);
- BOOST_CHECK_EQUAL(queriesCount, 6U);
+ BOOST_CHECK_EQUAL(queriesCount, 4U);
}
BOOST_AUTO_TEST_CASE(test_dnssec_secure_direct_ds)
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure);
BOOST_REQUIRE_EQUAL(ret.size(), 1U);
BOOST_CHECK(ret[0].d_type == QType::A);
- BOOST_CHECK_EQUAL(queriesCount, 9U);
+ BOOST_CHECK_EQUAL(queriesCount, 7U);
/* again, to test the cache */
ret.clear();
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure);
BOOST_REQUIRE_EQUAL(ret.size(), 1U);
BOOST_CHECK(ret[0].d_type == QType::A);
- BOOST_CHECK_EQUAL(queriesCount, 9U);
+ BOOST_CHECK_EQUAL(queriesCount, 7U);
}
BOOST_AUTO_TEST_SUITE_END()
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);
BOOST_REQUIRE_EQUAL(ret.size(), 2U);
BOOST_CHECK(ret[0].d_type == QType::A);
- BOOST_CHECK_EQUAL(queriesCount, 7U);
+ BOOST_CHECK_EQUAL(queriesCount, 5U);
/* again, to test the cache */
ret.clear();
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);
BOOST_REQUIRE_EQUAL(ret.size(), 2U);
BOOST_CHECK(ret[0].d_type == QType::A);
- BOOST_CHECK_EQUAL(queriesCount, 7U);
+ BOOST_CHECK_EQUAL(queriesCount, 5U);
}
BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_insecure_nodata)
2 DNSKEY (. and com., none for powerdns.com because no DS)
1 query for A
*/
- BOOST_CHECK_EQUAL(queriesCount, 7U);
+ BOOST_CHECK_EQUAL(queriesCount, 5U);
/* again, to test the cache */
ret.clear();
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure);
BOOST_REQUIRE_EQUAL(ret.size(), 1U);
- BOOST_CHECK_EQUAL(queriesCount, 7U);
+ BOOST_CHECK_EQUAL(queriesCount, 5U);
}
BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_insecure_cname)
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure);
BOOST_REQUIRE_EQUAL(ret.size(), 3U);
- BOOST_CHECK_EQUAL(queriesCount, 11U);
+ BOOST_CHECK_EQUAL(queriesCount, 8U);
/* again, to test the cache */
ret.clear();
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure);
BOOST_REQUIRE_EQUAL(ret.size(), 3U);
- BOOST_CHECK_EQUAL(queriesCount, 11U);
+ BOOST_CHECK_EQUAL(queriesCount, 8U);
}
BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_insecure_cname_glue)
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure);
BOOST_REQUIRE_EQUAL(ret.size(), 4U);
- BOOST_CHECK_EQUAL(queriesCount, 11U);
+ BOOST_CHECK_EQUAL(queriesCount, 9U);
/* again, to test the cache */
ret.clear();
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure);
BOOST_REQUIRE_EQUAL(ret.size(), 4U);
- BOOST_CHECK_EQUAL(queriesCount, 11U);
+ BOOST_CHECK_EQUAL(queriesCount, 9U);
}
BOOST_AUTO_TEST_CASE(test_dnssec_insecure_to_secure_cname)
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure);
BOOST_REQUIRE_EQUAL(ret.size(), 3U);
- BOOST_CHECK_EQUAL(queriesCount, 11U);
+ BOOST_CHECK_EQUAL(queriesCount, 8U);
/* again, to test the cache */
ret.clear();
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure);
BOOST_REQUIRE_EQUAL(ret.size(), 3U);
- BOOST_CHECK_EQUAL(queriesCount, 11U);
+ BOOST_CHECK_EQUAL(queriesCount, 8U);
}
BOOST_AUTO_TEST_CASE(test_dnssec_bogus_to_secure_cname)
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG);
BOOST_REQUIRE_EQUAL(ret.size(), 3U);
- BOOST_CHECK_EQUAL(queriesCount, 11U);
+ BOOST_CHECK_EQUAL(queriesCount, 8U);
/* again, to test the cache */
ret.clear();
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG);
BOOST_REQUIRE_EQUAL(ret.size(), 3U);
- BOOST_CHECK_EQUAL(queriesCount, 11U);
+ BOOST_CHECK_EQUAL(queriesCount, 8U);
}
BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_bogus_cname)
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG);
BOOST_REQUIRE_EQUAL(ret.size(), 3U);
- BOOST_CHECK_EQUAL(queriesCount, 11U);
+ BOOST_CHECK_EQUAL(queriesCount, 8U);
/* again, to test the cache */
ret.clear();
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG);
BOOST_REQUIRE_EQUAL(ret.size(), 3U);
- BOOST_CHECK_EQUAL(queriesCount, 11U);
+ BOOST_CHECK_EQUAL(queriesCount, 8U);
}
BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_secure_cname)
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);
BOOST_REQUIRE_EQUAL(ret.size(), 4U);
- BOOST_CHECK_EQUAL(queriesCount, 12U);
+ BOOST_CHECK_EQUAL(queriesCount, 9U);
/* again, to test the cache */
ret.clear();
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);
BOOST_REQUIRE_EQUAL(ret.size(), 4U);
- BOOST_CHECK_EQUAL(queriesCount, 12U);
+ BOOST_CHECK_EQUAL(queriesCount, 9U);
}
BOOST_AUTO_TEST_CASE(test_dnssec_bogus_to_insecure_cname)
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG);
/* no RRSIG to show */
BOOST_CHECK_EQUAL(ret.size(), 2U);
- BOOST_CHECK_EQUAL(queriesCount, 10U);
+ BOOST_CHECK_EQUAL(queriesCount, 7U);
/* again, to test the cache */
ret.clear();
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG);
BOOST_CHECK_EQUAL(ret.size(), 2U);
- BOOST_CHECK_EQUAL(queriesCount, 10U);
+ BOOST_CHECK_EQUAL(queriesCount, 7U);
}
BOOST_AUTO_TEST_CASE(test_dnssec_insecure_ta)
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure);
BOOST_REQUIRE_EQUAL(ret.size(), 2U);
- BOOST_CHECK_EQUAL(queriesCount, 10U);
+ BOOST_CHECK_EQUAL(queriesCount, 7U);
/* again, to test the cache */
ret.clear();
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure);
BOOST_REQUIRE_EQUAL(ret.size(), 2U);
- BOOST_CHECK_EQUAL(queriesCount, 10U);
+ BOOST_CHECK_EQUAL(queriesCount, 7U);
/* this time we ask for www.powerdns.com, let's make sure the CNAME does not get in the way */
ret.clear();
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure);
BOOST_REQUIRE_EQUAL(ret.size(), 1U);
- BOOST_CHECK_EQUAL(queriesCount, 11U);
+ BOOST_CHECK_EQUAL(queriesCount, 8U);
/* now we remove the denial of powerdns.com DS from the cache and ask www2 */
BOOST_REQUIRE_EQUAL(g_negCache->wipe(target, false), 1U);
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure);
BOOST_REQUIRE_EQUAL(ret.size(), 1U);
- BOOST_CHECK_EQUAL(queriesCount, 13U);
+ BOOST_CHECK_EQUAL(queriesCount, 10U);
}
BOOST_AUTO_TEST_CASE(test_dnssec_cname_inside_secure_zone)
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);
BOOST_REQUIRE_EQUAL(ret.size(), 4U);
- BOOST_CHECK_EQUAL(queriesCount, 8U);
+ BOOST_CHECK_EQUAL(queriesCount, 5U);
/* again, to test the cache */
ret.clear();
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);
BOOST_REQUIRE_EQUAL(ret.size(), 4U);
- BOOST_CHECK_EQUAL(queriesCount, 8U);
+ BOOST_CHECK_EQUAL(queriesCount, 5U);
/* this time we ask for www.powerdns.com, let's make sure the CNAME does not get in the way */
ret.clear();
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);
BOOST_REQUIRE_EQUAL(ret.size(), 2U);
- BOOST_CHECK_EQUAL(queriesCount, 10U);
+ BOOST_CHECK_EQUAL(queriesCount, 6U);
/* now we remove the denial of powerdns.com DS from the cache and ask www2 */
- BOOST_REQUIRE_EQUAL(g_negCache->wipe(target, false), 1U);
+ g_negCache->wipe(target, false);
ret.clear();
res = sr->beginResolve(DNSName("www2.powerdns.com."), QType(QType::A), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);
BOOST_REQUIRE_EQUAL(ret.size(), 2U);
- BOOST_CHECK_EQUAL(queriesCount, 12U);
+ BOOST_CHECK_EQUAL(queriesCount, 7U);
}
BOOST_AUTO_TEST_SUITE_END()
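Review bot: Dropping the return-value check on `g_negCache->wipe(target, false)` leaves the comment above it ("now we remove the denial of powerdns.com DS from the cache") claiming something the test no longer verifies; most likely the speculative DS query that used to produce that negative entry is simply no longer sent, so there is nothing to wipe. Pin the new expectation explicitly instead of ignoring it, e.g. `BOOST_CHECK_EQUAL(g_negCache->wipe(target, false), 0U);` with the comment reworded to say that no DS denial is expected to be cached for a name inside a secure zone, or keep the `1U` REQUIRE if an entry is still expected. The otherwise parallel `test_dnssec_insecure_ta` case above still requires `1U`, so the two should be reconciled deliberately. The `www2` query count that follows (`7U`) only means something once it is clear what the negative cache held before the wipe.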
for (const auto& record : ret) {
BOOST_CHECK(record.d_type == QType::A || record.d_type == QType::RRSIG);
}
- BOOST_CHECK_EQUAL(queriesCount, 3U);
+ BOOST_CHECK_EQUAL(queriesCount, 2U);
}
BOOST_AUTO_TEST_CASE(test_dnssec_validation_from_cache_insecure)
for (const auto& record : ret) {
BOOST_CHECK(record.d_type == QType::A || record.d_type == QType::AAAA || record.d_type == QType::RRSIG);
}
- BOOST_CHECK_EQUAL(queriesCount, 4U);
+ BOOST_CHECK_EQUAL(queriesCount, 3U);
ret.clear();
/* last one also requires validation */
for (const auto& record : ret) {
BOOST_CHECK(record.d_type == QType::AAAA || record.d_type == QType::RRSIG);
}
- BOOST_CHECK_EQUAL(queriesCount, 4U);
+ BOOST_CHECK_EQUAL(queriesCount, 3U);
}
BOOST_AUTO_TEST_SUITE_END()
for (const auto& record : ret) {
BOOST_CHECK(record.d_type == QType::CNAME || record.d_type == QType::A || record.d_type == QType::RRSIG);
}
- BOOST_CHECK_EQUAL(queriesCount, 4U);
+ BOOST_CHECK_EQUAL(queriesCount, 3U);
}
BOOST_AUTO_TEST_CASE(test_dnssec_validation_from_cname_cache_insecure)
for (const auto& record : ret) {
BOOST_CHECK(record.d_type == QType::RRSIG || record.d_type == QType::A);
}
- BOOST_CHECK_EQUAL(queriesCount, 5U);
+ BOOST_CHECK_EQUAL(queriesCount, 3U);
}
BOOST_AUTO_TEST_CASE(test_dnssec_validation_from_negcache_secure)
LOG(prefix<<qname<<": Wants "<< (d_doDNSSEC ? "" : "NO ") << "DNSSEC processing, "<<(d_requireAuthData ? "" : "NO ")<<"auth data in query for "<<qtype.getName()<<endl);
state = vState::Indeterminate;
+ initZoneCutsFromTA(qname);
if (s_maxdepth && depth > s_maxdepth) {
string msg = "More than " + std::to_string(s_maxdepth) + " (max-recursion-depth) levels of recursion needed while resolving " + qname.toLogString();
LOG(prefix<<qname<<": No cache hit for '"<<qname<<"|"<<qtype.getName()<<"', trying to find an appropriate NS record"<<endl);
DNSName subdomain(qname);
- if(qtype == QType::DS) subdomain.chopOff();
+ if (qtype == QType::DS) subdomain.chopOff();
NsSet nsset;
bool flawedNSSet=false;
- /* we use subdomain here instead of qname because for DS queries we only care about the state of the parent zone */
- computeZoneCuts(subdomain, g_rootdnsname, depth);
-
// the two retries allow getBestNSNamesFromCache&co to reprime the root
// hints, in case they ever go missing
for(int tries=0;tries<2 && nsset.empty();++tries) {
subdomain=getBestNSNamesFromCache(subdomain, qtype, nsset, &flawedNSSet, depth, beenthere); // pass beenthere to both occasions
}
- state = getValidationStatus(qname, false);
-
- LOG(prefix<<qname<<": initial validation status for "<<qname<<" is "<<state<<endl);
-
res = doResolveAt(nsset, subdomain, flawedNSSet, qname, qtype, ret, depth, beenthere, state, stopAtDelegation);
/* Apply Post filtering policies */
if(record.d_ttl > (unsigned int) d_now.tv_sec) {
if (!wasAuthZone && shouldValidate() && (wasAuth || wasForwardRecurse) && state == vState::Indeterminate && d_requireAuthData) {
- /* This means we couldn't figure out the state when this entry was cached,
- most likely because we hadn't computed the zone cuts yet. */
- /* make sure they are computed before validating */
- DNSName subdomain(foundName);
- /* if we are retrieving a DS, we only care about the state of the parent zone */
- if(qtype == QType::DS)
- subdomain.chopOff();
+ /* This means we couldn't figure out the state when this entry was cached */
- computeZoneCuts(subdomain, g_rootdnsname, depth);
-
- vState recordState = getValidationStatus(foundName, false);
+ vState recordState = getValidationStatus(foundName, signatures, qtype == QType::DS, depth);
if (recordState == vState::Secure) {
LOG(prefix<<qname<<": got vState::Indeterminate state from the "<<foundQT.getName()<<" cache, validating.."<<endl);
state = SyncRes::validateRecordsWithSigs(depth, qname, qtype, foundName, foundQT, cset, signatures);
void SyncRes::computeNegCacheValidationStatus(const NegCache::NegCacheEntry& ne, const DNSName& qname, const QType qtype, const int res, vState& state, unsigned int depth)
{
- DNSName subdomain(qname);
- /* if we are retrieving a DS, we only care about the state of the parent zone */
- if(qtype == QType::DS)
- subdomain.chopOff();
-
- computeZoneCuts(subdomain, g_rootdnsname, depth);
-
tcache_t tcache;
reapRecordsFromNegCacheEntryForValidation(tcache, ne.authoritySOA.records);
reapRecordsFromNegCacheEntryForValidation(tcache, ne.authoritySOA.signatures);
const DNSName& owner = entry.first.name;
- vState recordState = getValidationStatus(owner, false);
+ vState recordState = getValidationStatus(owner, entry.second.signatures, qtype == QType::DS, depth);
if (state == vState::Indeterminate) {
state = recordState;
}
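Review bot: On L911 the `typeIsDS` flag is derived from `qtype` but applied to `owner`, which is the name of an entry reaped from the negative cache's authority records (L907-L908), not the queried name; when those are the parent's SOA/NSEC sets, the chopOff inside getValidationStatus moves one label above the zone that actually holds them. If the tcache only ever holds the authority SOA and NSEC(3) sets, passing `false` there is probably right; if it can also hold the DS owner itself, the flag should be `qtype == QType::DS && owner == qname`. Either way a comment stating which name the flag refers to would remove the ambiguity. The function continues past the hunk.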
if (!wasAuthZone && shouldValidate() && (wasCachedAuth || wasForwardRecurse) && cachedState == vState::Indeterminate && d_requireAuthData) {
- /* This means we couldn't figure out the state when this entry was cached,
- most likely because we hadn't computed the zone cuts yet. */
- /* make sure they are computed before validating */
- DNSName subdomain(sqname);
- /* if we are retrieving a DS, we only care about the state of the parent zone */
- if(qtype == QType::DS)
- subdomain.chopOff();
-
- computeZoneCuts(subdomain, g_rootdnsname, depth);
+ /* This means we couldn't figure out the state when this entry was cached */
+ vState recordState = getValidationStatus(qname, signatures, qtype == QType::DS, depth);
- vState recordState = getValidationStatus(qname, false);
if (recordState == vState::Secure) {
LOG(prefix<<sqname<<": got vState::Indeterminate state from the cache, validating.."<<endl);
if (sqt == QType::DNSKEY) {
return count;
}
+void SyncRes::initZoneCutsFromTA(const DNSName& from)
+{
+ DNSName zone(from);
+ do {
+ dsmap_t ds;
+ vState result = getTA(zone, ds);
+ if (result != vState::Indeterminate) {
+ if (result == vState::TA) {
+ if (countSupportedDS(ds) == 0) {
+ ds.clear();
+ result = vState::Insecure;
+ }
+ else {
+ result = vState::Secure;
+ }
+ }
+ else if (result == vState::NTA) {
+ result = vState::Insecure;
+ }
+
+ d_cutStates[zone] = result;
+ }
+ }
+ while (zone.chopOff());
+}
+
vState SyncRes::getDSRecords(const DNSName& zone, dsmap_t& ds, bool taOnly, unsigned int depth, bool bogusOnNXD, bool* foundCut)
{
vState result = getTA(zone, ds);
return false;
}
-vState SyncRes::getValidationStatus(const DNSName& subdomain, bool allowIndeterminate)
+vState SyncRes::getValidationStatus(const DNSName& name, const std::vector<std::shared_ptr<RRSIGRecordContent>>& signatures, bool typeIsDS, unsigned int depth)
{
vState result = vState::Indeterminate;
if (!shouldValidate()) {
return result;
}
- DNSName name(subdomain);
- do {
- const auto& it = d_cutStates.find(name);
- if (it != d_cutStates.cend()) {
- if (allowIndeterminate || it->second != vState::Indeterminate) {
- LOG(d_prefix<<": got status "<<it->second<<" for name "<<subdomain<<" (from "<<name<<")"<<endl);
- return it->second;
- }
- }
- }
- while (name.chopOff());
- return result;
-}
-
-bool SyncRes::lookForCut(const DNSName& qname, unsigned int depth, const vState existingState, vState& newState)
-{
- bool foundCut = false;
- dsmap_t ds;
- vState dsState = getDSRecords(qname, ds, vStateIsBogus(newState) || existingState == vState::Insecure || vStateIsBogus(existingState), depth, false, &foundCut);
-
- if (dsState != vState::Indeterminate) {
- newState = dsState;
+ DNSName subdomain(name);
+ if (typeIsDS) {
+ subdomain.chopOff();
}
- return foundCut;
-}
-
-void SyncRes::computeZoneCuts(const DNSName& begin, const DNSName& end, unsigned int depth)
-{
- if(!begin.isPartOf(end)) {
- LOG(d_prefix<<" "<<begin.toLogString()<<" is not part of "<<end.toLogString()<<endl);
- throw PDNSException(begin.toLogString() + " is not part of " + end.toLogString());
+ {
+ const auto& it = d_cutStates.find(subdomain);
+ if (it != d_cutStates.cend()) {
+ LOG(d_prefix<<": got status "<<it->second<<" for name "<<subdomain<<endl);
+ return it->second;
+ }
}
- if (d_cutStates.count(begin) != 0) {
- return;
+ /* look for the best match we have */
+ DNSName best(subdomain);
+ while (best.chopOff()) {
+ const auto& it = d_cutStates.find(best);
+ if (it != d_cutStates.cend()) {
+ result = it->second;
+ if (vStateIsBogus(result) || result == vState::Insecure) {
+ LOG(d_prefix<<": got status "<<result<<" for name "<<best<<endl);
+ return result;
+ }
+ break;
+ }
}
- const bool oldCacheOnly = setCacheOnly(false);
- const bool oldWantsRPZ = d_wantsRPZ;
- d_wantsRPZ = false;
-
- dsmap_t ds;
- vState cutState = getDSRecords(end, ds, false, depth);
- LOG(d_prefix<<": setting cut state for "<<end<<" to "<<cutState<<endl);
- d_cutStates[end] = cutState;
-
- if (!shouldValidate()) {
- setCacheOnly(oldCacheOnly);
- d_wantsRPZ = oldWantsRPZ;
- return;
- }
+ /* by now we have the best match, it's likely Secure (otherwise we would not be there)
+ but we don't know if we missed a cut (or several).
+ We could see see if we have DS (or denial of) in cache but let's not worry for now,
+ we will if we don't have a signature, or if the signer doesn't match what we expect */
+ if (signatures.empty() && best != subdomain) {
+ /* no signatures, we likely missed a cut, let's try to find it */
+ LOG(d_prefix<<": no signatures, we likely missed a cut between "<<best<<" and "<<subdomain<<", looking for it"<<endl);
+ DNSName ds(best);
+ std::vector<string> labelsToAdd = subdomain.makeRelative(ds).getRawLabels();
- DNSName qname(end);
- std::vector<string> labelsToAdd = begin.makeRelative(end).getRawLabels();
+ while (!labelsToAdd.empty()) {
- while(qname != begin) {
- if (labelsToAdd.empty())
- break;
+ ds.prependRawLabel(labelsToAdd.back());
+ labelsToAdd.pop_back();
+ LOG(d_prefix<<": - Looking for a DS at "<<ds<<endl);
- qname.prependRawLabel(labelsToAdd.back());
- labelsToAdd.pop_back();
- LOG(d_prefix<<": - Looking for a cut at "<<qname<<endl);
+ bool foundCut = false;
+ dsmap_t results;
+ vState dsState = getDSRecords(ds, results, false, depth, false, &foundCut);
- const auto cutIt = d_cutStates.find(qname);
- if (cutIt != d_cutStates.cend()) {
- if (cutIt->second != vState::Indeterminate) {
- LOG(d_prefix<<": - Cut already known at "<<qname<<endl);
- cutState = cutIt->second;
- continue;
+ if (foundCut) {
+ LOG(d_prefix<<": - Found cut at "<<ds<<endl);
+ LOG(d_prefix<<": New state for "<<ds<<" is "<<dsState<<endl);
+ if (dsState != vState::Secure) {
+ return dsState;
+ }
}
}
- /* no need to look for NS and DS if we are already insecure or bogus,
- just look for (N)TA
- */
- if (cutState == vState::Insecure || vStateIsBogus(cutState)) {
- dsmap_t cutDS;
- vState newState = getDSRecords(qname, cutDS, true, depth);
- if (newState == vState::Indeterminate) {
- continue;
- }
-
- LOG(d_prefix<<": New state for "<<qname<<" is "<<newState<<endl);
- cutState = newState;
+ /* we did not miss a cut, good luck */
+ return result;
+ }
- d_cutStates[qname] = cutState;
+#warning test me, write a unit test if needed
+#if 0
+ DNSName signer = getSigner(signatures);
- continue;
+ if (!signer.empty() && name.isPartOf(signer)) {
+ if (signer == best) {
+ return result;
}
- vState newState = vState::Indeterminate;
- /* temporarily mark as vState::Indeterminate, so that we won't enter an endless loop
- trying to determine that zone cut again. */
- d_cutStates[qname] = newState;
- bool foundCut = lookForCut(qname, depth, cutState, newState);
- if (foundCut) {
- LOG(d_prefix<<": - Found cut at "<<qname<<endl);
- if (newState != vState::Indeterminate) {
- cutState = newState;
- }
- LOG(d_prefix<<": New state for "<<qname<<" is "<<cutState<<endl);
- d_cutStates[qname] = cutState;
- }
- else {
- /* remove the temporary cut */
- LOG(d_prefix<<qname<<": removing cut state for "<<qname<<endl);
- d_cutStates.erase(qname);
- }
+ /* the zone cut is not the one we expected,
+ this is fine because we will retrieve the needed DNSKEYs and DSs
+ later, and even go Insecure if we missed a cut to Insecure (no DS)
+ and the signatures do not validate (we should not go Bogus in that
+ case) */
}
+ /* something is not right, but let's not worry about that for now.. */
+#endif
- LOG(d_prefix<<": list of cuts from "<<begin<<" to "<<end<<endl);
- for (const auto& cut : d_cutStates) {
- if (cut.first.isRoot() || (begin.isPartOf(cut.first) && cut.first.isPartOf(end))) {
- LOG(" - "<<cut.first<<": "<<cut.second<<endl);
- }
- }
- setCacheOnly(oldCacheOnly);
- d_wantsRPZ = oldWantsRPZ;
+ return result;
}
vState SyncRes::validateDNSKeys(const DNSName& zone, const std::vector<DNSRecord>& dnskeys, const std::vector<std::shared_ptr<RRSIGRecordContent> >& signatures, unsigned int depth)
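Review bot: getValidationStatus ships a `#warning test me, write a unit test if needed` plus an `#if 0` block (L1095-L1128) holding the signer check, so the case the description already flags, signatures present but no DS published, takes the `return result` on L1137 with the best-match ancestor state. The `#warning` fires on every build and the disabled block should either be finished or replaced by a TODO. The missed-cut loop (L1052-L1078) also drops the temporary-Indeterminate marker the old code used to avoid re-entering the same cut, and as far as visible nothing in this function stores the cut it finds into d_cutStates, so every later record under an Insecure or Bogus cut repeats the DS walk and re-entrancy through getDSRecords is bounded only by the depth limit unless getDSRecords guards it itself. Recording the outcome with `d_cutStates[ds] = dsState;` right after the `Found cut` log would address both, unless getDSRecords already does so. A header comment stating the contract would help too: the exact state for `name` (its parent for DS) when known, otherwise the closest ancestor's state, refined through DS lookups only when `signatures` is empty.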
LOG(d_prefix<<"The DS for "<<qname<<" is signed by itself, going Bogus"<<endl);
return vState::BogusSelfSignedDS;
}
- return vState::Indeterminate;
}
vState state = getDNSKeys(signer, keys, depth);
if (state != vState::Secure) {
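Review bot: Removing the `return vState::Indeterminate;` on L1143 lets whatever case the enclosing branch covers fall through to `getDNSKeys(signer, keys, depth)`; the branch's condition starts outside the hunk, so from here it is not visible which signer/zone combination used to short-circuit. A one-line comment at the fall-through point explaining why this case should now proceed to key retrieval rather than stay Indeterminate would record the reasoning for the next reader.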
even if the answer is not AA. Of course that's not only true inside a Secure
zone, but we check that below. */
bool expectSignature = i->first.place == DNSResourceRecord::ANSWER || ((lwr.d_aabit || wasForwardRecurse) && i->first.place != DNSResourceRecord::ADDITIONAL);
+ /* in a non authoritative answer, we only care about the DS record (or lack of) */
+ if (!isAA && (i->first.type == QType::DS || i->first.type == QType::NSEC || i->first.type == QType::NSEC3) && i->first.place == DNSResourceRecord::AUTHORITY) {
+ expectSignature = true;
+ }
+
if (isCNAMEAnswer && (i->first.place != DNSResourceRecord::ANSWER || i->first.type != QType::CNAME || i->first.name != qname)) {
/*
rfc2181 states:
continue;
}
- vState recordState = getValidationStatus(i->first.name, false);
- LOG(d_prefix<<": got initial zone status "<<recordState<<" for record "<<i->first.name<<"|"<<DNSRecordContent::NumberToType(i->first.type)<<endl);
+ vState recordState = vState::Indeterminate;
- if (shouldValidate() && recordState == vState::Secure) {
- vState initialState = recordState;
+ if (expectSignature && shouldValidate()) {
+ vState initialState = getValidationStatus(i->first.name, i->second.signatures, i->first.type == QType::DS, depth);
+ LOG(d_prefix<<": got initial zone status "<<initialState<<" for record "<<i->first.name<<"|"<<DNSRecordContent::NumberToType(i->first.type)<<endl);
- if (expectSignature) {
- if (i->first.place != DNSResourceRecord::ADDITIONAL) {
- /* the additional entries can be insecure,
- like glue:
- "Glue address RRsets associated with delegations MUST NOT be signed"
- */
- if (i->first.type == QType::DNSKEY && i->first.place == DNSResourceRecord::ANSWER) {
- LOG(d_prefix<<"Validating DNSKEY for "<<i->first.name<<endl);
- recordState = validateDNSKeys(i->first.name, i->second.records, i->second.signatures, depth);
- }
- else {
- /*
- * RFC 6672 section 5.3.1
- * In any response, a signed DNAME RR indicates a non-terminal
- * redirection of the query. There might or might not be a server-
- * synthesized CNAME in the answer section; if there is, the CNAME will
- * never be signed. For a DNSSEC validator, verification of the DNAME
- * RR and then that the CNAME was properly synthesized is sufficient
- * proof.
- *
- * We do the synthesis check in processRecords, here we make sure we
- * don't validate the CNAME.
- */
- if (!(isDNAMEAnswer && i->first.type == QType::CNAME)) {
- LOG(d_prefix<<"Validating non-additional record for "<<i->first.name<<endl);
- recordState = validateRecordsWithSigs(depth, qname, qtype, i->first.name, QType(i->first.type), i->second.records, i->second.signatures);
- /* we might have missed a cut (zone cut within the same auth servers), causing the NS query for an Insecure zone to seem Bogus during zone cut determination */
- if (qtype == QType::NS && i->second.signatures.empty() && vStateIsBogus(recordState) && haveExactValidationStatus(i->first.name) && getValidationStatus(i->first.name) == vState::Indeterminate) {
+ if (initialState == vState::Secure) {
+ if (i->first.type == QType::DNSKEY && i->first.place == DNSResourceRecord::ANSWER) {
+ LOG(d_prefix<<"Validating DNSKEY for "<<i->first.name<<endl);
+ recordState = validateDNSKeys(i->first.name, i->second.records, i->second.signatures, depth);
+ }
+ else {
+ /*
+ * RFC 6672 section 5.3.1
+ * In any response, a signed DNAME RR indicates a non-terminal
+ * redirection of the query. There might or might not be a server-
+ * synthesized CNAME in the answer section; if there is, the CNAME will
+ * never be signed. For a DNSSEC validator, verification of the DNAME
+ * RR and then that the CNAME was properly synthesized is sufficient
+ * proof.
+ *
+ * We do the synthesis check in processRecords, here we make sure we
+ * don't validate the CNAME.
+ */
+ if (!(isDNAMEAnswer && i->first.type == QType::CNAME)) {
+ LOG(d_prefix<<"Validating non-additional "<<QType(i->first.type).getName()<<" record for "<<i->first.name<<endl);
+ recordState = validateRecordsWithSigs(depth, qname, qtype, i->first.name, QType(i->first.type), i->second.records, i->second.signatures);
+ /* we might have missed a cut (zone cut within the same auth servers), causing the NS query for an Insecure zone to seem Bogus during zone cut determination */
+ if (qtype == QType::NS && i->second.signatures.empty() && vStateIsBogus(recordState) && haveExactValidationStatus(i->first.name) && getValidationStatus(i->first.name, i->second.signatures, i->first.type == QType::DS, depth) == vState::Indeterminate) {
recordState = vState::Indeterminate;
- }
}
}
}
}
else {
- recordState = vState::Indeterminate;
-
- /* in a non authoritative answer, we only care about the DS record (or lack of) */
- if ((i->first.type == QType::DS || i->first.type == QType::NSEC || i->first.type == QType::NSEC3) && i->first.place == DNSResourceRecord::AUTHORITY) {
- LOG(d_prefix<<"Validating DS record for "<<i->first.name<<endl);
- recordState = validateRecordsWithSigs(depth, qname, qtype, i->first.name, QType(i->first.type), i->second.records, i->second.signatures);
- }
+ recordState = initialState;
+ LOG(d_prefix<<"Skipping validation because the current state is "<<recordState<<endl);
}
- if (initialState == vState::Secure && state != recordState && expectSignature) {
+ LOG(d_prefix<<"Validation result is "<<recordState<<", current state is "<<state<<endl);
+ if (state != recordState) {
updateValidationState(state, recordState);
}
}
- else {
- if (shouldValidate()) {
- LOG(d_prefix<<"Skipping validation because the current state is "<<recordState<<endl);
- }
- }
if (vStateIsBogus(recordState)) {
/* this is a TTD by now, be careful */
return true;
}
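Review bot: The missed-cut check on L1218 relies on getValidationStatus returning Indeterminate for a name that haveExactValidationStatus reports as known, which in the old code happened because computeZoneCuts stored a temporary Indeterminate marker (removed at L1103-L1106); as far as visible, initZoneCutsFromTA only stores non-Indeterminate states and nothing else in this diff writes d_cutStates, so the branch looks unreachable now, and the call it makes with an empty signature list is a side-effecting lookup inside a condition. Either drop the branch or add a comment naming what still stores Indeterminate. Separately, the `else` on L1225 now forwards an Indeterminate `initialState` into `updateValidationState(state, recordState)` (L1238-L1239), a call the old guard on L1236 only made for a Secure initial state; whether that is harmless depends on updateValidationState, which is outside the hunk.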
- if(lwr.d_rcode == RCode::NXDomain) {
+ if (lwr.d_rcode == RCode::NXDomain) {
LOG(prefix<<qname<<": status=NXDOMAIN, we are done "<<(negindic ? "(have negative SOA)" : "")<<endl);
- if (state == vState::Secure && (lwr.d_aabit || sendRDQuery) && !negindic) {
+ auto tempState = getValidationStatus(qname, {}, qtype == QType::DS, depth);
+ if (tempState == vState::Secure && (lwr.d_aabit || sendRDQuery) && !negindic) {
LOG(prefix<<qname<<": NXDOMAIN without a negative indication (missing SOA in authority) in a DNSSEC secure zone, going Bogus"<<endl);
updateValidationState(state, vState::BogusMissingNegativeIndication);
}
return true;
}
- if(nsset.empty() && !lwr.d_rcode && (negindic || lwr.d_aabit || sendRDQuery)) {
+ if (nsset.empty() && !lwr.d_rcode && (negindic || lwr.d_aabit || sendRDQuery)) {
LOG(prefix<<qname<<": status=noerror, other types may exist, but we are done "<<(negindic ? "(have negative SOA) " : "")<<(lwr.d_aabit ? "(have aa bit) " : "")<<endl);
- if(state == vState::Secure && (lwr.d_aabit || sendRDQuery) && !negindic) {
+ auto tempState = getValidationStatus(qname, {}, qtype == QType::DS, depth);
+ if (tempState == vState::Secure && (lwr.d_aabit || sendRDQuery) && !negindic) {
LOG(prefix<<qname<<": NODATA without a negative indication (missing SOA in authority) in a DNSSEC secure zone, going Bogus"<<endl);
updateValidationState(state, vState::BogusMissingNegativeIndication);
}
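Review bot: The new `tempState` on L1255 (and L1266 in the NODATA branch) is only compared against Secure, so when getValidationStatus comes back Insecure or Bogus from the DS walk it performs with an empty signature list, that outcome is discarded and `state` keeps whatever record processing left in it. Passing `{}` deliberately forces the missed-cut search on the done path for every NXDOMAIN/NODATA answer, which may issue DS lookups after the answer has been processed; a comment saying this is intended would help, e.g. `/* empty signatures: look for any cut we may have missed between the best known state and qname */`. If a Bogus result from that walk should also be reflected, `else if (vStateIsBogus(tempState)) { updateValidationState(state, tempState); }` after the Secure check would do it, unless the earlier per-record processing already covers that case; worth confirming.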
void computeNegCacheValidationStatus(const NegCache::NegCacheEntry& ne, const DNSName& qname, QType qtype, const int res, vState& state, unsigned int depth);
vState getTA(const DNSName& zone, dsmap_t& ds);
bool haveExactValidationStatus(const DNSName& domain);
- vState getValidationStatus(const DNSName& subdomain, bool allowIndeterminate=true);
- void updateValidationStatusInCache(const DNSName &qname, QType qt, bool aa, vState newState) const;
- bool lookForCut(const DNSName& qname, unsigned int depth, const vState existingState, vState& newState);
- void computeZoneCuts(const DNSName& begin, const DNSName& end, unsigned int depth);
+ vState getValidationStatus(const DNSName& subdomain, const std::vector<std::shared_ptr<RRSIGRecordContent>>& signatures, bool typeIsDS, unsigned int depth);
+ void updateValidationStatusInCache(const DNSName &qname, QType qt, bool aa, vState newState) const;
+ void initZoneCutsFromTA(const DNSName& from);
void handleNewTarget(const std::string& prefix, const DNSName& qname, const DNSName& newtarget, QType qtype, std::vector<DNSRecord>& ret, int& rcode, int depth, const std::vector<DNSRecord>& recordsFromAnswer, vState& state);