return vState::BogusUnableToGetDSs;
}
-vState SyncRes::getValidationStatus(const DNSName& name, bool hasSignatures, bool typeIsDS, unsigned int depth)
+vState SyncRes::getValidationStatus(const DNSName& name, bool wouldBeValid, bool typeIsDS, unsigned int depth)
{
vState result = vState::Indeterminate;
but we don't know if we missed a cut (or several).
We could see if we have DS (or denial of) in cache but let's not worry for now,
we will if we don't have a signature, or if the signer doesn't match what we expect */
- if (!hasSignatures && best != subdomain) {
- /* no signatures, we likely missed a cut, let's try to find it */
- LOG(d_prefix<<": no signatures for "<<name<<", we likely missed a cut between "<<best<<" and "<<subdomain<<", looking for it"<<endl);
+ if (!wouldBeValid && best != subdomain) {
+ /* no signatures or Bogus, we likely missed a cut, let's try to find it */
+ LOG(d_prefix<<": no or invalid signature/proof for "<<name<<", we likely missed a cut between "<<best<<" and "<<subdomain<<", looking for it"<<endl);
DNSName ds(best);
std::vector<string> labelsToAdd = subdomain.makeRelative(ds).getRawLabels();
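Review bot: The block comment just above the changed condition (the context lines ending `we will if we don't have a signature, or if the signer doesn't match what we expect */`) still describes the old `hasSignatures` trigger, while the condition now fires on `!wouldBeValid`, which the new inline comment says also covers a Bogus result. Suggest updating that sentence to `we will if the answer would not validate (no signature, or a Bogus result), or if the signer doesn't match what we expect */` so the two comments agree. The body of getValidationStatus continues past this hunk.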
return state;
}
+ if (state == vState::Insecure) {
+ return state;
+ }
+
LOG(d_prefix<<"Returning Bogus state from "<<__func__<<"("<<signer<<")"<<endl);
return vState::BogusUnableToGetDNSKEYs;
}
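Review bot: The new `if (state == vState::Insecure)` early return leaves no trace in the log, unlike the Bogus path right below it that logs `Returning Bogus state from ...`; when reconstructing why a validation outcome was accepted it helps to see where the Insecure verdict was taken. Suggest `LOG(d_prefix<<"Returning Insecure state from "<<__func__<<"("<<signer<<")"<<endl);` before the return (`signer` appears to be in scope, as the adjacent LOG uses it). The enclosing function starts outside this hunk, so I cannot tell from here which lookup produced `state`.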
}
const DNSName signer = getSigner(signatures);
+ bool dsFailed = false;
if (!signer.empty() && name.isPartOf(signer)) {
vState state = vState::Secure;
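Review bot: `bool dsFailed = false;` is introduced without a comment saying what it records, and it is only assigned in later hunks of this file (the self-signed DS case, the Bogus `dsState` case and the "Unable to get the DS" case) and then consumed as the `typeIsDS` argument of the missed-cut search in the last hunk of this file. Suggest `/* set when the Bogus verdict comes from the DS lookup of the signer, so the missed-cut search below treats the signer as a DS query */` next to the declaration. An Insecure `dsState` deliberately leaves it false; if that is intended it is worth stating in the same comment.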
requesting it from the parent zone. Something is very wrong */
LOG(d_prefix<<"The DS for "<<qname<<" is signed by itself"<<endl);
state = vState::BogusSelfSignedDS;
+ dsFailed = true;
}
else if (qtype == QType::DNSKEY && signer == qname) {
/* that actually does happen when a server returns NS records in authority
vState dsState = getDSRecords(signer, results, false, depth, true);
if (vStateIsBogus(dsState) || dsState == vState::Insecure) {
state = dsState;
+ if (vStateIsBogus(dsState)) {
+ dsFailed = true;
+ }
}
else {
LOG(d_prefix<<"Unable to get the DS for "<<signer<<endl);
state = vState::BogusUnableToGetDNSKEYs;
+ dsFailed = true;
}
}
else {
}
if (state != vState::Secure) {
+ if (!vStateIsBogus(state)) {
+ return state;
+ }
/* try again to get the missed cuts, harder this time */
- LOG(d_prefix<<"checking whether we missed a zone cut before returning a Bogus state"<<endl);
- auto zState = getValidationStatus(name, false, type == QType::DS, depth);
+ LOG(d_prefix<<"checking whether we missed a zone cut for "<<signer<<" before returning a Bogus state for "<<name<<"|"<<type.toString()<<endl);
+ auto zState = getValidationStatus(signer, false, dsFailed, depth);
if (zState == vState::Secure) {
- LOG(d_prefix<<"we are still in a Secure zone, returning "<<vStateToString(state)<<endl);
/* too bad */
+ LOG(d_prefix<<"we are still in a Secure zone, returning "<<vStateToString(state)<<endl);
return state;
}
else {
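Review bot: The early `return state;` added under `if (state != vState::Secure)` makes every non-Bogus state final without the missed-cut search that the removed lines ran for any non-Secure state, and nothing in the hunk records why; a comment such as `/* only a Bogus result can be caused by a missed zone cut, anything else is definitive */` would capture the intent. The call `getValidationStatus(signer, false, dsFailed, depth)` passes a bare `false` for the `wouldBeValid` parameter; writing it as `/* wouldBeValid */ false` would make the call site readable without opening the declaration. The new log line evaluates `type.toString()`, which I assume LOG expands lazily as elsewhere in this file — worth confirming if this path is hot. The enclosing function starts before this hunk and its else branch continues after it.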
void updateDenialValidationState(vState& neValidationState, const DNSName& neName, vState& state, const dState denialState, const dState expectedState, bool isDS, unsigned int depth);
void computeNegCacheValidationStatus(const NegCache::NegCacheEntry& ne, const DNSName& qname, QType qtype, const int res, vState& state, unsigned int depth);
vState getTA(const DNSName& zone, dsmap_t& ds);
- vState getValidationStatus(const DNSName& subdomain, bool hasSignatures, bool typeIsDS, unsigned int depth);
+ vState getValidationStatus(const DNSName& subdomain, bool wouldBeValid, bool typeIsDS, unsigned int depth);
void updateValidationStatusInCache(const DNSName &qname, QType qt, bool aa, vState newState) const;
void initZoneCutsFromTA(const DNSName& from);