if (!(qry->flags & QUERY_DNSSEC_WANT)) {
return ctx->state;
}
- if (!(qry->flags & QUERY_CACHED) && !knot_pkt_has_dnssec(pkt)) {
+ /* Answer for RRSIG may not set DO=1, but all records MUST still validate. */
+ bool use_signatures = (knot_pkt_qtype(pkt) != KNOT_RRTYPE_RRSIG);
+ /* @todo do not cache RRSIG answers until RFC2181 credibility is implemented */
+ if (!use_signatures) {
+ knot_wire_set_rcode(pkt->wire, KNOT_RCODE_SERVFAIL); /* Prevent caching */
+ }
+ if (!(qry->flags & QUERY_CACHED) && !knot_pkt_has_dnssec(pkt) && !use_signatures) {
DEBUG_MSG(qry, "<= got insecure response\n");
qry->flags |= QUERY_DNSSEC_BOGUS;
return KNOT_STATE_FAIL;
*/
const knot_dname_t *key_own = qry->zone_cut.key ? qry->zone_cut.key->owner : NULL;
const knot_dname_t *sig_name = first_rrsig_signer_name(pkt);
- if (key_own && sig_name && !knot_dname_is_equal(key_own, sig_name)) {
+ if (use_signatures && key_own && sig_name && !knot_dname_is_equal(key_own, sig_name)) {
DEBUG_MSG(qry, ">< cut changed, needs revalidation\n");
knot_wire_set_rcode(pkt->wire, KNOT_RCODE_SERVFAIL); /* Prevent caching */
qry->flags &= ~QUERY_RESOLVED;
SECTION ADDITIONAL
a.ns.nic.cz. 172800 IN A 194.0.12.1
ENTRY_END
+
+; fake, this can't be validated anyway
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+cz. IN RRSIG
+SECTION ANSWER
+cz. 18000 IN RRSIG NS 10 1 18000 20150802132511 20150721120844 39788 cz. fEz3NpYRzgeBjKrLMpht3KFOQ0t6U2wikIaOt1HcmFvurxtPkZVvqdb0 QBQfvh8DoEXDbvpcikzMIO9XYLzzs10X/m91ybGiWzcTVcU+prVGZJP9 zZrvYAIWrpxoC4deKD+vOoNZXGnLfffi6lmGn7QRZaH0LVKjn33cIaPQ 9EM=
+cz. 86400 IN RRSIG DS 8 1 86400 20150802050000 20150723040000 1518 . pf5UzinUesHzGQTav/1NxGW0AifCmzLW3S8X9tWDRwx7XSKGac7QVXgp nMNyb/NiSho9oj+ZTaQpBZQaTri+brHT4W/nE0TofqZlyYiaABb9xgxJ LgjLkt+OVcJsM3a+q+QEGSt+skNlZVDQeR+sztbuORiZXAqhxumxD8iy zZ8=
+ENTRY_END
RANGE_END
;a.ns.nic.cz.
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
+cz. IN RRSIG
+ENTRY_END
+
+; check that it answers a query for RRSIG (unauthenticated)
+; digests are swapped, i.e. signatures are invalid, server shouldn't use them later
+STEP 2 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+cz. IN RRSIG
+SECTION ANSWER
+cz. 18000 IN RRSIG NS 10 1 18000 20150802132511 20150721120844 39788 cz. fEz3NpYRzgeBjKrLMpht3KFOQ0t6U2wikIaOt1HcmFvurxtPkZVvqdb0 QBQfvh8DoEXDbvpcikzMIO9XYLzzs10X/m91ybGiWzcTVcU+prVGZJP9 zZrvYAIWrpxoC4deKD+vOoNZXGnLfffi6lmGn7QRZaH0LVKjn33cIaPQ 9EM=
+cz. 86400 IN RRSIG DS 8 1 86400 20150802050000 20150723040000 1518 . pf5UzinUesHzGQTav/1NxGW0AifCmzLW3S8X9tWDRwx7XSKGac7QVXgp nMNyb/NiSho9oj+ZTaQpBZQaTri+brHT4W/nE0TofqZlyYiaABb9xgxJ LgjLkt+OVcJsM3a+q+QEGSt+skNlZVDQeR+sztbuORiZXAqhxumxD8iy zZ8=
+ENTRY_END
+
+STEP 3 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
cz. IN NS
ENTRY_END
; check that it answers a plain query
-STEP 2 CHECK_ANSWER
+STEP 4 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA NOERROR
cz. 18000 IN NS d.ns.nic.cz.
ENTRY_END
-STEP 3 QUERY
+STEP 5 QUERY
ENTRY_BEGIN
REPLY RD DO
SECTION QUESTION
ENTRY_END
; recursion happens here.
-STEP 4 CHECK_ANSWER
+STEP 6 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA AD NOERROR
projects / thirdparty / knot-resolver.git / commitdiff
