kr_ta_covers_qry: add this wrapper function
authorVladimír Čunát <vladimir.cunat@nic.cz>
Fri, 7 Apr 2017 10:34:46 +0000 (12:34 +0200)
committerVladimír Čunát <vladimir.cunat@nic.cz>
Fri, 7 Apr 2017 10:34:46 +0000 (12:34 +0200)
lib/dnssec/ta.c
lib/dnssec/ta.h
lib/layer/iterate.c
lib/resolve.c

index 9f3476634e5e028ecfcae51ff31c01a20926e66c..6743362b1c7798ed471921b85d941e937c34a9f3 100644 (file)
@@ -23,6 +23,7 @@
 
 #include "lib/defines.h"
 #include "lib/dnssec/ta.h"
+#include "lib/resolve.h"
 #include "lib/utils.h"
 
 knot_rrset_t *kr_ta_get(map_t *trust_anchors, const knot_dname_t *name)
@@ -123,6 +124,22 @@ int kr_ta_covers(map_t *trust_anchors, const knot_dname_t *name)
        return false;
 }
 
+bool kr_ta_covers_qry(struct kr_context *ctx, const knot_dname_t *name,
+                     const uint16_t type)
+{
+       assert(ctx && name);
+       if (type == KNOT_RRTYPE_DS && name[0] != '\0') {
+               /* DS is parent-side record, so the parent name needs to be covered. */
+               name = knot_wire_next_label(name, NULL);
+               if (!name) {
+                       assert(false);
+                       return kr_error(EINVAL);
+               }
+       }
+       return kr_ta_covers(&ctx->trust_anchors, name)
+               && !kr_ta_covers(&ctx->negative_anchors, name);
+}
+
 /* Delete record data */
 static int del_record(const char *k, void *v, void *ext)
 {
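Review bot: kr_ta_covers_qry is declared `bool`, yet the failure branch under `if (!name)` returns `kr_error(EINVAL)`, a negative int that converts to `true`, so with NDEBUG (assert compiled out) a caller would be told the name is covered. The branch looks unreachable because the root name is excluded one line earlier and knot_wire_next_label should then always find a parent, but the return value should still match the declared type. Either make it `return false;` or change the signature to return int like kr_ta_covers; note that `false` here means "no DNSSEC wanted", so whichever is chosen should say so in a comment, e.g. `/* cannot derive parent name; treat as not covered */`. Also worth a comment on the DS branch that the negative-anchor lookup is deliberately done on the parent as well, since both checks use the shifted `name`.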
index 260fdcdf81417165f9a67ceb05ab6afb566983eb..9a8c498fb63a157fce0450c710a8779ea096ace5 100644 (file)
@@ -52,6 +52,14 @@ int kr_ta_add(map_t *trust_anchors, const knot_dname_t *name, uint16_t type,
 KR_EXPORT KR_PURE
 int kr_ta_covers(map_t *trust_anchors, const knot_dname_t *name);
 
+struct kr_context;
+/**
+ * A wrapper around kr_ta_covers that is aware of negative TA and types.
+ */
+KR_EXPORT KR_PURE
+bool kr_ta_covers_qry(struct kr_context *ctx, const knot_dname_t *name,
+                     const uint16_t type);
+
 /**
  * Remove TA from trust store.
  * @param  trust_anchors trust store
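Review bot: The new doc comment on kr_ta_covers_qry says only that it is "aware of negative TA and types" and does not state what the return value means or what the type parameter changes, which is the one non-obvious part of the wrapper. Suggest documenting the parameters and result in the same style as the block below it: `@param type  query type; for DS the parent of @a name is checked, since DS lives in the parent zone.` and `@return true iff @a name is covered by a trust anchor and not by a negative trust anchor.`. The implementation in ta.c also dereferences ctx, so a `@param ctx  resolver context (must not be NULL)` line would make the assert in the body a documented precondition.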
index 53329c39bb0ede9243c0e09c5dd683bb29ec6fbc..ef2ba8b5ead7aa015f09ef0ec29d41e912dd6a61 100644 (file)
@@ -634,8 +634,7 @@ static int process_answer(knot_pkt_t *pkt, struct kr_request *req)
                if (query->flags & QUERY_DNSSEC_INSECURE) {
                        next->flags &= ~QUERY_DNSSEC_WANT;
                        next->flags |= QUERY_DNSSEC_INSECURE;
-               } else if (kr_ta_covers(&req->ctx->trust_anchors, cname) &&
-                   !kr_ta_covers(&req->ctx->negative_anchors, cname)) {
+               } else if (kr_ta_covers_qry(req->ctx, cname, query->stype)) {
                        /* Want DNSSEC if it's posible to secure
                         * this name (e.g. is covered by any TA) */
                        next->flags |= QUERY_DNSSEC_WANT;
index c2fc9a85fbc03bb42b9cc13436b5d7bb81542887..0c35faac09775a8070a84c6ec570588c3f7b654a 100644 (file)
@@ -196,9 +196,6 @@ static void check_empty_nonterms(struct kr_query *qry, knot_pkt_t *pkt, struct k
 static int ns_fetch_cut(struct kr_query *qry, const knot_dname_t *requested_name,
                        struct kr_request *req, knot_pkt_t *pkt)
 {
-       map_t *trust_anchors = &req->ctx->trust_anchors;
-       map_t *negative_anchors = &req->ctx->negative_anchors;
-
        /* It can occur that here parent query already have
         * provably insecured zonecut which not in the cache yet. */
        const uint32_t insec_flags = QUERY_DNSSEC_INSECURE | QUERY_DNSSEC_NODS;
@@ -214,8 +211,7 @@ static int ns_fetch_cut(struct kr_query *qry, const knot_dname_t *requested_name
                 * even if cut name is covered by TA. */
                qry->flags &= ~QUERY_DNSSEC_WANT;
                qry->flags |= QUERY_DNSSEC_INSECURE;
-       } else if (!kr_ta_covers(negative_anchors, qry->zone_cut.name) &&
-                  kr_ta_covers(trust_anchors, qry->zone_cut.name)) {
+       } else if (kr_ta_covers_qry(req->ctx, qry->zone_cut.name, KNOT_RRTYPE_NS)) {
                qry->flags |= QUERY_DNSSEC_WANT;
        } else {
                qry->flags &= ~QUERY_DNSSEC_WANT;
@@ -255,8 +251,7 @@ static int ns_fetch_cut(struct kr_query *qry, const knot_dname_t *requested_name
        /* Zonecut name can change, check it again
         * to prevent unnecessary DS & DNSKEY queries */
        if (!(qry->flags & QUERY_DNSSEC_INSECURE) &&
-           !kr_ta_covers(negative_anchors, cut_found.name) &&
-           kr_ta_covers(trust_anchors, cut_found.name)) {
+           kr_ta_covers_qry(req->ctx, cut_found.name, KNOT_RRTYPE_NS)) {
                qry->flags |= QUERY_DNSSEC_WANT;
        } else {
                qry->flags &= ~QUERY_DNSSEC_WANT;
@@ -699,10 +694,8 @@ static int resolve_query(struct kr_request *request, const knot_pkt_t *packet)
        /* Deferred zone cut lookup for this query. */
        qry->flags |= QUERY_AWAIT_CUT;
        /* Want DNSSEC if it's posible to secure this name (e.g. is covered by any TA) */
-       map_t *negative_anchors = &request->ctx->negative_anchors;
-       map_t *trust_anchors = &request->ctx->trust_anchors;
        if ((knot_wire_get_ad(packet->wire) || knot_pkt_has_dnssec(packet)) &&
-           kr_ta_covers(trust_anchors, qname) && !kr_ta_covers(negative_anchors, qname)) {
+           kr_ta_covers_qry(request->ctx, qname, qtype)) {
                qry->flags |= QUERY_DNSSEC_WANT;
        }