validate: change order of tasks

It seems better to check RRSIGs before checking negative proofs,
in terms of reasoning, being less error-prone, etc.

diff --git a/lib/layer/validate.c b/lib/layer/validate.c
index aa8aa8be40ff01cef805155b6ac69d821628b8ec..94a0122e8506699330f3fe5cce7648f762635f70 100644 (file)
--- a/lib/layer/validate.c
+++ b/lib/layer/validate.c
@@ -1037,6 +1037,33 @@ static int validate(kr_layer_t *ctx, knot_pkt_t *pkt)
                }
        }
 
+       /* Validate all records, fail as bogus if it doesn't match.
+        * Do not revalidate data from cache, as it's already trusted.
+        * TTLs of RRsets may get lowered. */
+       if (!(qry->flags.CACHED)) {
+               ret = validate_records(req, pkt, req->rplan.pool, has_nsec3);
+               if (ret != 0) {
+                       /* something exceptional - no DNS key, empty pointers etc
+                        * normally it shoudn't happen */
+                       VERBOSE_MSG(qry, "<= couldn't validate RRSIGs\n");
+                       qry->flags.DNSSEC_BOGUS = true;
+                       return KR_STATE_FAIL;
+               }
+               /* check validation state and spawn subrequests */
+               if (!req->answ_validated) {
+                       ret = check_validation_result(ctx, pkt, &req->answ_selected);
+                       if (ret != KR_STATE_DONE) {
+                               return ret;
+                       }
+               }
+               if (!req->auth_validated) {
+                       ret = check_validation_result(ctx, pkt, &req->auth_selected);
+                       if (ret != KR_STATE_DONE) {
+                               return ret;
+                       }
+               }
+       }
+
        /* Validate non-existence proof if not positive answer.
         * In case of CNAME, iterator scheduled a sibling query for the target,
         * so we just drop the negative piece of information and don't try to prove it.
@@ -1095,33 +1122,6 @@ static int validate(kr_layer_t *ctx, knot_pkt_t *pkt)
                }
        }
 
-       /* Validate all records, fail as bogus if it doesn't match.
-        * Do not revalidate data from cache, as it's already trusted.
-        * TTLs of RRsets may get lowered. */
-       if (!(qry->flags.CACHED)) {
-               ret = validate_records(req, pkt, req->rplan.pool, has_nsec3);
-               if (ret != 0) {
-                       /* something exceptional - no DNS key, empty pointers etc
-                        * normally it shoudn't happen */
-                       VERBOSE_MSG(qry, "<= couldn't validate RRSIGs\n");
-                       qry->flags.DNSSEC_BOGUS = true;
-                       return KR_STATE_FAIL;
-               }
-               /* check validation state and spawn subrequests */
-               if (!req->answ_validated) {
-                       ret = check_validation_result(ctx, pkt, &req->answ_selected);
-                       if (ret != KR_STATE_DONE) {
-                               return ret;
-                       }
-               }
-               if (!req->auth_validated) {
-                       ret = check_validation_result(ctx, pkt, &req->auth_selected);
-                       if (ret != KR_STATE_DONE) {
-                               return ret;
-                       }
-               }
-       }
-
        wildcard_adjust_to_wire(req, qry);
 
        /* Check and update current delegation point security status. */