const knot_dname_t *zone_name; /*!< Name of the zone containing the RRSIG RRSet. */
uint32_t timestamp; /*!< Validation time. */
bool has_nsec3; /*!< Whether to use NSEC3 validation. */
+ uint32_t qry_uid; /*!< Current query uid. */
uint32_t flags; /*!< Output - Flags. */
uint32_t err_cnt; /*!< Output - Number of validation failures. */
int result; /*!< Output - 0 or error code. */
for (ssize_t i = 0; i < vctx->rrs->len; ++i) {
ranked_rr_array_entry_t *entry = vctx->rrs->at[i];
const knot_rrset_t *rr = entry->rr;
- if (entry->rank == KR_VLDRANK_SECURE || entry->yielded) {
+ if (entry->rank == KR_VLDRANK_SECURE ||
+ entry->yielded || vctx->qry_uid != entry->qry_uid) {
continue;
}
if (rr->type == KNOT_RRTYPE_RRSIG) {
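Review bot: The new `vctx->qry_uid != entry->qry_uid` clause silently changes which entries this loop validates, and nothing in the hunk says why entries tagged with a different query uid are skipped rather than validated. A one-line comment on the `continue` branch would keep the next reader from treating it as an oversight, e.g. `/* Skip entries from other (sub)queries; only the current query's RRs are validated in this context. */` (wording hedged — confirm that is the intent). The enclosing function starts before this hunk and its body continues after it, so any earlier filtering on `qry_uid` is not visible here.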
.keys = qry->zone_cut.key,
.zone_name = qry->zone_cut.name,
.timestamp = qry->timestamp.tv_sec,
+ .qry_uid = qry->uid,
.has_nsec3 = has_nsec3,
.flags = 0,
.err_cnt = 0,
.keys = qry->zone_cut.key,
.zone_name = qry->zone_cut.name,
.timestamp = qry->timestamp.tv_sec,
+ .qry_uid = qry->uid,
.has_nsec3 = has_nsec3,
.flags = 0,
.result = 0
const knot_dname_t *signer = signature_authority(req);
if (ta_name && (!signer || !knot_dname_is_equal(ta_name, signer))) {
/* check all newly added RRSIGs */
- VERBOSE_MSG(qry, ">< cut changed, needs revalidation\n");
if (!signer) {
- /* Not a DNSSEC-signed response, ask parent for DS
+ /* Not a DNSSEC-signed response. */
+ if (ctx->state == KR_STATE_YIELD) {
+ /* Already yielded for revalidation.
+ * It means that trust chain is OK and
+ * transition to INSECURE was not occurs.
+ * Let validation logic to ask about rrsig. */
+ return KR_STATE_DONE;
+ }
+ /* Ask parent for DS
* to prove transition to INSECURE. */
const uint16_t qtype = knot_pkt_qtype(pkt);
const knot_dname_t *qname = knot_pkt_qname(pkt);
}
qry->zone_cut.name = knot_dname_copy(signer, &req->pool);
} /* else zone cut matches, but DS/DNSKEY doesn't => refetch. */
+ VERBOSE_MSG(qry, ">< cut changed, needs revalidation\n");
return KR_STATE_YIELD;
}
return KR_STATE_DONE;
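Review bot: The comment added at the new `ctx->state == KR_STATE_YIELD` early return is hard to parse ("transition to INSECURE was not occurs", "Let validation logic to ask about rrsig"), and since this branch is what stops a second YIELD from being requested, its intent should be stated plainly. Suggest replacing those four comment lines with `/* Already yielded for revalidation: the trust chain held and no transition to INSECURE happened, so let the validation logic request the RRSIG instead of yielding again. */`. It is also worth noting in that comment that returning KR_STATE_DONE here bypasses the DS query built from `qtype`/`qname` below, as that is the behavioural consequence a reader will look for. The enclosing function begins before this hunk.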