routine. This makes the proof routines prettier.
- fixup cname handling in validator, cname-to-positive and cname-to-
nodata work.
+ - Do not synthesize DNSKEY and DS responses from the rrset cache if
+ the rrset is from the additional section. Signatures may have
+ fallen off the packet, and cause validation failure.
+ - more verbose signature date errors (with the date attached).
23 August 2007: Wouter
- CNAME handling - move needs_validation to before val_new().
if((qtype == LDNS_RR_TYPE_DS || qtype == LDNS_RR_TYPE_DNSKEY) &&
(rrset=rrset_cache_lookup(env->rrset_cache, qname, qnamelen,
qtype, qclass, 0, now, 0))) {
- struct dns_msg* msg = rrset_msg(rrset, region, now, &k);
- if(msg) {
- lock_rw_unlock(&rrset->entry.lock);
- return msg;
+ /* if the rrset is from the additional section, and the
+ * signatures have fallen off, then do not synthesize a msg
+ * instead, allow a full query for signed results to happen.
+ * Forego all rrset data from additional section, because
+ * some signatures may not be present and cause validation
+ * failure.
+ */
+ struct packed_rrset_data *d = (struct packed_rrset_data*)
+ rrset->entry.data;
+ if(d->trust != rrset_trust_add_noAA &&
+ d->trust != rrset_trust_add_AA) {
+ struct dns_msg* msg = rrset_msg(rrset, region, now, &k);
+ if(msg) {
+ lock_rw_unlock(&rrset->entry.lock);
+ return msg;
+ }
}
lock_rw_unlock(&rrset->entry.lock);
}
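Review bot: The skip decision in the new block keys only on `d->trust` being one of the two additional-section levels, which is a proxy for the concern the comment actually states (RRSIGs missing from the cached rrset); a cached rrset from another section whose signatures were likewise dropped upstream would still be synthesized and fail validation the same way. If packed_rrset_data records how many signature RRs it holds, checking that directly (or in addition to trust) would be the more direct guard — hedged, since the struct is not visible here. At minimum I would make the comment say which property is being used as the indicator: `/* trust level is the indicator that RRSIGs may be missing: data placed in the additional section is never used to synthesize DNSKEY/DS answers */`. Minor style point: `entry.data` is presumably a `void*`, so the cast on the new declaration is not needed in C. The enclosing function starts before the hunk and, as far as is visible, continues past it.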
return 1;
}
+/** pretty print rrsig error with dates */
+static void
+sigdate_error(const char* str, int32_t expi, int32_t incep, int32_t now)
+{
+ struct tm tm;
+ char expi_buf[16];
+ char incep_buf[16];
+ char now_buf[16];
+ time_t te, ti, tn;
+
+ if(verbosity < VERB_ALGO)
+ return;
+ te = (time_t)expi;
+ ti = (time_t)incep;
+ tn = (time_t)now;
+ memset(&tm, 0, sizeof(tm));
+ if(gmtime_r(&te, &tm) && strftime(expi_buf, 15, "%Y%m%d%H%M%S", &tm)
+ &&gmtime_r(&ti, &tm) && strftime(incep_buf, 15, "%Y%m%d%H%M%S", &tm)
+ &&gmtime_r(&tn, &tm) && strftime(now_buf, 15, "%Y%m%d%H%M%S", &tm)) {
+ log_info("%s expi=%s incep=%s now=%s", str, expi_buf,
+ incep_buf, now_buf);
+ } else
+ log_info("%s expi=%u incep=%u now=%u", str, (unsigned)expi,
+ (unsigned)incep, (unsigned)now);
+}
+
/** check rrsig dates */
static int
check_dates(struct val_env* ve, uint8_t* expi_p, uint8_t* incep_p)
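Review bot: In sigdate_error the strftime bound is the literal 15 rather than the buffer size, so each 16-byte buffer is one byte larger than the bound and the bound is silently coupled to the 14-character output of `%Y%m%d%H%M%S`; use `sizeof(expi_buf)` (and likewise for incep_buf and now_buf) so the bound follows the declaration if either changes. The conversion `te = (time_t)expi` also sign-extends: RRSIG inception and expiration are 32-bit unsigned serial values (RFC 4034), so a time past 2038 would be logged on the strftime path as a 1901–1970 date while the `%u` fallback prints it correctly; `te = (time_t)(uint32_t)expi` keeps the two paths consistent where time_t is wider than 32 bits. gmtime_r is POSIX rather than ISO C, which I assume the project's portability layer already covers. The function is complete within the hunk.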
/* check them */
if(incep - expi > 0) {
- verbose(VERB_ALGO, "verify: inception after expiration, "
- "signature bad");
+ sigdate_error("verify: inception after expiration, "
+ "signature bad", expi, incep, now);
return 0;
}
if(incep - now > 0) {
- verbose(VERB_ALGO, "verify: signature bad, current time is"
- " before inception date");
+ sigdate_error("verify: signature bad, current time is"
+ " before inception date", expi, incep, now);
return 0;
}
if(now - expi > 0) {
- verbose(VERB_ALGO, "verify: signature expired");
+ sigdate_error("verify: signature expired", expi, incep, now);
return 0;
}
return 1;
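Review bot: The comparisons `incep - expi > 0`, `incep - now > 0` and `now - expi > 0` that the new sigdate_error calls report on are signed 32-bit subtractions, if the operands have the int32_t type that sigdate_error takes; the serial-number wraparound they appear to rely on (RFC 4034 section 3.1.5) is signed overflow in C, which is undefined, and optimizers routinely rewrite such a test to a plain `incep > expi`, which changes the validation outcome around the 2038 wrap. Doing the subtraction in uint32_t and converting the result back, e.g. `if((int32_t)((uint32_t)incep - (uint32_t)expi) > 0) {` for the first test and the same shape for the other two, preserves the intended arithmetic without undefined behaviour. check_dates begins outside the hunk, where expi, incep and now are derived.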