at least for now (for queries without +cd).
It wasn't complete, and it turned out to need more changes,
and the benefits would be rather limited.
/* TODO: this classifier of authoritativity may not be perfect yet. */
rank |= KR_RANK_AUTH;
}
- return (uint8_t)rank;
+ return rank;
}
static int pick_authority(knot_pkt_t *pkt, struct kr_request *req, bool to_wire)
return ret;
}
- const uint8_t rank_val = rank_get_value(entry->rank);
- if (!knot_wire_get_cd(req->answer->wire) && rank_val && rank_val != KR_RANK_OMIT) {
- return kr_error(ENOENT); /* it would fail anyway */
+ if (!knot_wire_get_cd(req->answer->wire)
+ && entry->rank < (KR_RANK_INSECURE|KR_RANK_AUTH)) {
+ return kr_error(ENOENT);
}
/* Copy answer, keep the original message id */
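Review bot: The replacement guard on L17 compares a bit-flag rank as an ordinal: `entry->rank < (KR_RANK_INSECURE|KR_RANK_AUTH)` rejects unvalidated or non-authoritative entries only because every rank that should pass (KR_RANK_SECURE, presumably) happens to sort above that constant in enum kr_rank, so a later reordering of the enum would silently start serving unvalidated cache entries to validating (non-CD) clients. Make the assumption visible with a comment such as `/* ranks are ordered: anything below INSECURE|AUTH is unvalidated or non-authoritative */`, or, if the project builds as C11, pin it with `_Static_assert(KR_RANK_SECURE > (KR_RANK_INSECURE|KR_RANK_AUTH), "rank ordering");` next to the check (the value of KR_RANK_SECURE is not visible in this hunk). The removed `/* it would fail anyway */` rationale was dropped without a replacement. The start of pick_authority lies outside the hunk.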
static int loot_rrcache(struct kr_cache *cache, knot_pkt_t *pkt,
struct kr_query *qry, uint16_t rrtype, const bool cdbit)
{
- /* Lookup direct match first; only consider authoritative records,
- * even unvalidated, as rank handling is better to do in the iterator
- * (QUERY_DNSSEC_* flags). */
+ /* Lookup direct match first; only consider authoritative records.
+ * TODO: move rank handling into the iterator (QUERY_DNSSEC_* flags)? */
uint8_t rank = 0;
uint8_t flags = 0;
uint8_t lowest_rank = KR_RANK_AUTH;
+ if (!cdbit) {
+ lowest_rank |= KR_RANK_INSECURE;
+ }
int ret = loot_rr(cache, pkt, qry->sname, qry->sclass, rrtype, qry,
&rank, &flags, 0, lowest_rank);
if (ret) {
return ret;
}
+ if (rank & KR_RANK_INSECURE) {
+ qry->flags |= QUERY_DNSSEC_INSECURE;
+ qry->flags &= ~QUERY_DNSSEC_WANT;
+ }
+
/* Record may have RRSIGs, try to find them. */
const bool dobit = (qry->flags & QUERY_DNSSEC_WANT);
if (cdbit || (dobit && (rank & KR_RANK_SECURE))) {
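Review bot: The `lowest_rank` threshold built on L31-L34 is handed to loot_rr as an ordinal (L36), so `KR_RANK_INSECURE|KR_RANK_AUTH` admits SECURE entries only because KR_RANK_SECURE presumably sorts above that value in enum kr_rank, yet the rewritten comment on L27-L28 still says only "only consider authoritative records". Suggest adding above L32: `/* Non-CD queries need at least a proven-insecure authoritative record; the rank compare is numeric, so SECURE ranks pass as well. */`. Separately, L40-L43 rewrite qry->flags before the RRSIG lookup that follows; if anything after this point can still fail, the caller is left with QUERY_DNSSEC_WANT cleared for a query that was not actually answered from cache — worth confirming, or moving the flag update next to the successful return. loot_rrcache continues past the end of the hunk.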
ranked_rr_array_entry_t *entry = vctx->rrs->at[i];
const knot_rrset_t *rr = entry->rr;
assert((entry->rank & (KR_RANK_SECURE | KR_RANK_INSECURE)) != (KR_RANK_SECURE | KR_RANK_INSECURE));
- if (rank_test_flag(entry->rank, KR_RANK_SECURE) ||
+ if (rank_get_value(entry->rank) == KR_RANK_OMIT ||
+ rank_test_flag(entry->rank, KR_RANK_SECURE) ||
entry->yielded || vctx->qry_uid != entry->qry_uid) {
continue;
}
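Review bot: The new skip on L52 drops entries whose value is KR_RANK_OMIT while KR_RANK_INITIAL entries (value 0) still fall through to validation, yet the enum text this commit adds describes both as "did not / do not attempt to validate", so the distinction is invisible at the call site; add `/* OMIT: caller chose not to validate this RR; INITIAL entries still need a verdict below. */` on the skip. Note also that the L50 `assert` is the only thing rejecting an entry with both SECURE and INSECURE set — in an NDEBUG build such an entry would be skipped as SECURE by L53 without validation, so if that state is reachable from data the resolver did not produce itself, a runtime check rather than an assert is needed. The enclosing loop and function start and end outside the hunk.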
* https://tools.ietf.org/html/rfc4035#section-4.3
*/
enum kr_rank {
- KR_RANK_INITIAL = 0,
-
- KR_RANK_BAD = 7, /**< For simpler manipulation with the four values below. */
- KR_RANK_OMIT = 1, /**< Do not validate. */
- KR_RANK_INDET, /**< Unable to determine whether it should be secure. */
- KR_RANK_BOGUS, /**< Ought to be secure but isn't. */
+ KR_RANK_BAD = 7, /**< For simpler manipulation with the values below. */
+ KR_RANK_INITIAL = 0, /**< Did not attempt to validate. */
+ KR_RANK_OMIT = 1, /**< Do not attempt to validate. */
+ KR_RANK_INDET, /**< Unable to determine whether it should be secure. */
+ KR_RANK_BOGUS, /**< Ought to be secure but isn't. */
KR_RANK_MISMATCH,
KR_RANK_INSECURE = 8, /**< Proven to be insecure. */