Don't verify already trusted rdatasets

author Matthijs Mekking <matthijs@isc.org>

Tue, 3 Mar 2026 10:17:25 +0000 (11:17 +0100)

committer Michał Kępień <michal@isc.org>

Wed, 25 Mar 2026 08:51:26 +0000 (09:51 +0100)
author Matthijs Mekking <matthijs@isc.org>
Tue, 3 Mar 2026 10:17:25 +0000 (11:17 +0100)
committer Michał Kępień <michal@isc.org>
Wed, 25 Mar 2026 08:51:26 +0000 (09:51 +0100)
diff --git a/lib/dns/include/dns/types.h b/lib/dns/include/dns/types.h

index 2468e3c348eb15325cda12694bcc3551d9ea04e7..118762ad08c46948921f734087bb2c01b9f0d5a4 100644 (file)
--- a/lib/dns/include/dns/types.h
+++ b/lib/dns/include/dns/types.h
@@ -357,7 +357,7 @@ enum {
                                          (x) == dns_trust_pending_additional)
  #define DNS_TRUST_GLUE(x)              ((x) == dns_trust_glue)
  #define DNS_TRUST_ANSWER(x)            ((x) == dns_trust_answer)
-
+#define DNS_TRUST_SECURE(x)            ((x) >= dns_trust_secure)
  
  /*%
   * Name checking severities.
diff --git a/lib/dns/validator.c b/lib/dns/validator.c

index 344038e28c1b8534c5062cd0ed8f173bd8d9dd9e..9f39c3a95cf695b9cdee6516a96807c002d596f1 100644 (file)
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -1557,6 +1557,13 @@ verify(dns_validator_t *val, dst_key_t *key, dns_rdata_t *rdata,
         bool ignore = false;
         dns_name_t *wild;
  
+       if (DNS_TRUST_SECURE(val->event->rdataset->trust)) {
+               /*
+                * This RRset was already verified before.
+                */
+               return ISC_R_SUCCESS;
+       }
+
         val->attributes |= VALATTR_TRIEDVERIFY;
         wild = dns_fixedname_initname(&fixed);
   again:
author	Matthijs Mekking <matthijs@isc.org>
	Tue, 3 Mar 2026 10:17:25 +0000 (11:17 +0100)
committer	Michał Kępień <michal@isc.org>
	Wed, 25 Mar 2026 08:51:26 +0000 (09:51 +0100)
lib/dns/include/dns/types.h		patch \| blob \| blame \| history
lib/dns/validator.c		patch \| blob \| blame \| history