Complete the deferred validation if there are no RRSIGs
authorMark Andrews <marka@isc.org>
Fri, 20 Dec 2024 09:24:05 +0000 (20:24 +1100)
committerMark Andrews <marka@isc.org>
Sun, 16 Feb 2025 21:57:58 +0000 (08:57 +1100)
When a query is made with CD=1, we store the result in the
cache marked pending so that it can be validated later, at
which time it will either be accepted as an answer or removed
from the cache as invalid.  Deferred validation was not
attempted when there were no cached RRSIGs for DNSKEY and
DS.  We now complete the deferred validation in this scenario.

lib/dns/validator.c

index 3dd9ad719edebb15bcbeaf822a11e56b020ba281..9661afd7c903814fb2058553b088b46ecd7a307e 100644 (file)
@@ -1126,14 +1126,13 @@ seek_dnskey(dns_validator_t *val) {
                 * We have an rrset for the given keyname.
                 */
                val->keyset = &val->frdataset;
-               if ((DNS_TRUST_PENDING(val->frdataset.trust) ||
-                    DNS_TRUST_ANSWER(val->frdataset.trust)) &&
-                   dns_rdataset_isassociated(&val->fsigrdataset))
+               if (DNS_TRUST_PENDING(val->frdataset.trust) ||
+                   DNS_TRUST_ANSWER(val->frdataset.trust))
                {
                        /*
-                        * We know the key but haven't validated it yet or
-                        * we have a key of trust answer but a DS
-                        * record for the zone may have been added.
+                        * We know the key but haven't validated it yet, or
+                        * we had a key with trust level "answer" and
+                        * a DS record for the zone has now been added.
                         */
                        result = create_validator(
                                val, &siginfo->signer, dns_rdatatype_dnskey,
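Review bot: The new condition `if (DNS_TRUST_PENDING(val->frdataset.trust) || DNS_TRUST_ANSWER(val->frdataset.trust))` now reaches create_validator with `&val->fsigrdataset` even when that rdataset is not associated, and nothing in the hunk shows what the sub-validator does with a missing RRSIG set; the safe outcome (the key stays unvalidated and is fetched or proven insecure, never treated as validated) depends on create_validator, which is outside this view. If that is guaranteed there, record it at this call site so the next reader does not re-add the guard: `/* fsigrdataset may be unassociated here: the sub-validator handles a missing RRSIG set. */`. The same guard removal is made in get_dsset and seek_ds in the later hunks, and the `else if (DNS_TRUST_PENDING(...))` branches that used to reject those cases are deleted, so the sub-validator is now the only place an unsigned pending key or DS is rejected. seek_dnskey starts and ends outside this hunk.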
@@ -1143,12 +1142,6 @@ seek_dnskey(dns_validator_t *val) {
                                return result;
                        }
                        return DNS_R_WAIT;
-               } else if (DNS_TRUST_PENDING(val->frdataset.trust)) {
-                       /*
-                        * Having a pending key with no signature means that
-                        * something is broken.
-                        */
-                       result = DNS_R_CONTINUE;
                } else if (val->frdataset.trust < dns_trust_secure) {
                        /*
                         * The key is legitimately insecure.  There's no
@@ -1906,9 +1899,8 @@ get_dsset(dns_validator_t *val, dns_name_t *tname, isc_result_t *resp) {
                 * We have a DS RRset.
                 */
                val->dsset = &val->frdataset;
-               if ((DNS_TRUST_PENDING(val->frdataset.trust) ||
-                    DNS_TRUST_ANSWER(val->frdataset.trust)) &&
-                   dns_rdataset_isassociated(&val->fsigrdataset))
+               if (DNS_TRUST_PENDING(val->frdataset.trust) ||
+                   DNS_TRUST_ANSWER(val->frdataset.trust))
                {
                        /*
                         * ... which is signed but not yet validated.
@@ -1916,21 +1908,12 @@ get_dsset(dns_validator_t *val, dns_name_t *tname, isc_result_t *resp) {
                        result = create_validator(
                                val, tname, dns_rdatatype_ds, &val->frdataset,
                                &val->fsigrdataset, validator_callback_ds,
-                               "validate_dnskey");
+                               "get_dsset");
                        *resp = DNS_R_WAIT;
                        if (result != ISC_R_SUCCESS) {
                                *resp = result;
                        }
                        return ISC_R_COMPLETE;
-               } else if (DNS_TRUST_PENDING(val->frdataset.trust)) {
-                       /*
-                        * There should never be an unsigned DS.
-                        */
-                       disassociate_rdatasets(val);
-                       validator_log(val, ISC_LOG_DEBUG(2),
-                                     "unsigned DS record");
-                       *resp = DNS_R_NOVALIDSIG;
-                       return ISC_R_COMPLETE;
                }
                break;
 
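Review bot: Deleting the `else if (DNS_TRUST_PENDING(val->frdataset.trust))` branch also drops the `"unsigned DS record"` debug log, so a DS RRset cached as pending with no RRSIG is no longer distinguishable in the logs from an ordinary deferred validation; the same log line is removed from seek_ds in the hunk at `-3016,22 +2999,12`. If the validator created by `create_validator(...)` does not itself log that no signatures were present, consider keeping one line before the call, guarded by `!dns_rdataset_isassociated(&val->fsigrdataset)`: `validator_log(val, ISC_LOG_DEBUG(2), "DS record has no RRSIG; validating");`. get_dsset continues outside the hunk.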
@@ -3006,7 +2989,7 @@ seek_ds(dns_validator_t *val, isc_result_t *resp) {
                                        val, ISC_LOG_DEBUG(3),
                                        "no supported algorithm/digest (%s/DS)",
                                        namebuf);
-                               *resp = markanswer(val, "proveunsecure (5)");
+                               *resp = markanswer(val, "seek_ds (1)");
                                return ISC_R_COMPLETE;
                        }
 
@@ -3016,22 +2999,12 @@ seek_ds(dns_validator_t *val, isc_result_t *resp) {
                /*
                 * Otherwise, try to validate it now.
                 */
-               if (dns_rdataset_isassociated(&val->fsigrdataset)) {
-                       result = create_validator(
-                               val, tname, dns_rdatatype_ds, &val->frdataset,
-                               &val->fsigrdataset, validator_callback_ds,
-                               "proveunsecure");
-                       *resp = DNS_R_WAIT;
-                       if (result != ISC_R_SUCCESS) {
-                               *resp = result;
-                       }
-               } else {
-                       /*
-                        * There should never be an unsigned DS.
-                        */
-                       validator_log(val, ISC_LOG_DEBUG(3),
-                                     "unsigned DS record");
-                       *resp = DNS_R_NOVALIDSIG;
+               result = create_validator(val, tname, dns_rdatatype_ds,
+                                         &val->frdataset, &val->fsigrdataset,
+                                         validator_callback_ds, "seek_ds");
+               *resp = DNS_R_WAIT;
+               if (result != ISC_R_SUCCESS) {
+                       *resp = result;
                }
 
                return ISC_R_COMPLETE;
@@ -3042,7 +3015,7 @@ seek_ds(dns_validator_t *val, isc_result_t *resp) {
                 */
                *resp = DNS_R_WAIT;
                result = create_fetch(val, tname, dns_rdatatype_ds,
-                                     fetch_callback_ds, "proveunsecure");
+                                     fetch_callback_ds, "seek_ds");
                if (result != ISC_R_SUCCESS) {
                        *resp = result;
                }
@@ -3063,7 +3036,7 @@ seek_ds(dns_validator_t *val, isc_result_t *resp) {
                        result = create_validator(
                                val, tname, dns_rdatatype_ds, &val->frdataset,
                                &val->fsigrdataset, validator_callback_ds,
-                               "proveunsecure");
+                               "seek_ds");
                        *resp = DNS_R_WAIT;
                        if (result != ISC_R_SUCCESS) {
                                *resp = result;
@@ -3083,7 +3056,7 @@ seek_ds(dns_validator_t *val, isc_result_t *resp) {
                                         NULL) == ISC_R_SUCCESS &&
                    dns_name_equal(tname, found))
                {
-                       *resp = markanswer(val, "proveunsecure (3)");
+                       *resp = markanswer(val, "seek_ds (2)");
                        return ISC_R_COMPLETE;
                }
 
@@ -3102,7 +3075,7 @@ seek_ds(dns_validator_t *val, isc_result_t *resp) {
                }
 
                if (isdelegation(tname, &val->frdataset, result)) {
-                       *resp = markanswer(val, "proveunsecure (4)");
+                       *resp = markanswer(val, "seek_ds (3)");
                        return ISC_R_COMPLETE;
                }
 
@@ -3133,7 +3106,7 @@ seek_ds(dns_validator_t *val, isc_result_t *resp) {
                        result = create_validator(
                                val, tname, dns_rdatatype_ds, &val->frdataset,
                                &val->fsigrdataset, validator_callback_ds,
-                               "proveunsecure");
+                               "seek_ds");
                        if (result != ISC_R_SUCCESS) {
                                *resp = result;
                        }
@@ -3162,9 +3135,7 @@ seek_ds(dns_validator_t *val, isc_result_t *resp) {
                        result = create_validator(
                                val, tname, dns_rdatatype_cname,
                                &val->frdataset, &val->fsigrdataset,
-                               validator_callback_cname,
-                               "proveunsecure "
-                               "(cname)");
+                               validator_callback_cname, "seek_ds (cname)");
                        *resp = DNS_R_WAIT;
                        if (result != ISC_R_SUCCESS) {
                                *resp = result;