}
RRSIGRecordContent rrc;
- computeRRSIG(it->second.first, signer, wildcard ? * wildcard : records[recordsCount-1].d_name, records[recordsCount-1].d_type, records[recordsCount-1].d_ttl, sigValidity, rrc, recordcontents, algo);
+ computeRRSIG(it->second.first, signer, wildcard ? *wildcard : records[recordsCount-1].d_name, records[recordsCount-1].d_type, records[recordsCount-1].d_ttl, sigValidity, rrc, recordcontents, algo);
if (broken) {
rrc.d_signature[0] ^= 42;
}
d_skipCNAMECheck = oldSkipCNAME;
d_requireAuthData = oldRequireAuthData;
- if (rcode == RCode::NoError) {
+ if (rcode == RCode::NoError || rcode == RCode::NXDomain) {
if (state == Secure) {
for (const auto& record : dsrecords) {
if (record.d_type == QType::DS) {
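Review bot: The widened condition `rcode == RCode::NoError || rcode == RCode::NXDomain` now handles an NXDomain answer to the DS lookup the same way as a NoError answer, and nothing in the hunk says why that is safe. The `state == Secure` test on the next line appears to be what keeps an unauthenticated NXDomain from being read as proof that no DS exists, so I would state that dependency above the condition, e.g. `/* NXDomain is only meaningful here once the denial has validated (state == Secure); an unvalidated NXDomain is not proof that no DS exists */`. It is also worth confirming what the non-Secure path does with NXDomain, because treating it as "no DS" there could let a spoofed denial downgrade a signed delegation to Insecure. That path and the rest of the enclosing function are outside this hunk, so this is a question to check rather than a confirmed defect.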
LOG(d_prefix<<": we now have "<<std::to_string(validatedKeys.size())<<" DNSKEYs"<<endl);
+ /* if we found at least one valid RRSIG covering the set,
+ all tentative keys are validated keys. Otherwise it means
+ we haven't found at least one DNSKEY and a matching RRSIG
+ covering this set, this looks Bogus. */
if (validatedKeys.size() != tentativeKeys.size()) {
LOG(d_prefix<<": returning Bogus state from "<<__func__<<"("<<zone<<")"<<endl);
return Bogus;
if(i->second.records.empty()) // this happens when we did store signatures, but passed on the records themselves
continue;
-// vState recordState = state;
vState recordState = getValidationStatus(auth);
- LOG(d_prefix<<"Got status "<<vStates[recordState]<<" for record "<<i->first.name<<endl);
+ LOG(d_prefix<<": got status "<<vStates[recordState]<<" for record "<<i->first.name<<endl);
if (validationEnabled() && recordState == Secure) {
if (lwr.d_aabit) {