Don't verify already trusted rdatasets

If we already marked an rdataset as secure (or it has even stronger
trust), there is no need to cryptographically verify it again.

(cherry picked from commit 0ec08c212022d08c9717f2bc6bd3e8ebd6f034ce)

diff --git a/lib/dns/include/dns/types.h b/lib/dns/include/dns/types.h
index 641d81fbb2b28b5371d5fdfd8689cbab3c913757..6f406297e583e251adc5a054a2f50439b8d30a0d 100644 (file)
--- a/lib/dns/include/dns/types.h
+++ b/lib/dns/include/dns/types.h
@@ -356,6 +356,7 @@ enum {
        ((x) == dns_trust_additional || (x) == dns_trust_pending_additional)
 #define DNS_TRUST_GLUE(x)   ((x) == dns_trust_glue)
 #define DNS_TRUST_ANSWER(x) ((x) == dns_trust_answer)
+#define DNS_TRUST_SECURE(x) ((x) >= dns_trust_secure)
 
 /*%
  * Name checking severities.

diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index 662b4c094ffc62e3a9b3955bfdb2364aa4645627..976c386cdf179b3961384d99f39efafbe66119c0 100644 (file)
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -1495,6 +1495,13 @@ verify(dns_validator_t *val, dst_key_t *key, dns_rdata_t *rdata,
        bool ignore = false;
        dns_name_t *wild;
 
+       if (DNS_TRUST_SECURE(val->event->rdataset->trust)) {
+               /*
+                * This RRset was already verified before.
+                */
+               return ISC_R_SUCCESS;
+       }
+
        val->attributes |= VALATTR_TRIEDVERIFY;
        wild = dns_fixedname_initname(&fixed);
 again: