From: Vladimír Čunát <vladimir.cunat@nic.cz>
Date: Wed, 29 Mar 2017 11:16:10 +0000 (+0200)
Subject: Merge !240: trust anchors: support non-root TAs, one domain per file
X-Git-Tag: v1.2.5~6^2~2^2~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1b7110e0d35e83662ca422c901a17d5b2e94aa91;p=thirdparty%2Fknot-resolver.git

Merge !240: trust anchors: support non-root TAs, one domain per file
---

1b7110e0d35e83662ca422c901a17d5b2e94aa91
diff --cc lib/resolve.c
index 0352179d9,e7f126d51..3f47a3791
--- a/lib/resolve.c
+++ b/lib/resolve.c
@@@ -842,33 -842,29 +842,37 @@@ static int trust_chain_check(struct kr_
  	if (kr_ta_get(negative_anchors, qry->zone_cut.name)){
  		VERBOSE_MSG(qry, ">< negative TA, going insecure\n");
  		qry->flags &= ~QUERY_DNSSEC_WANT;
 +		qry->flags |= QUERY_DNSSEC_INSECURE;
 +	}
 +	if (qry->flags & QUERY_DNSSEC_NODS) {
 +		/* This is the next query iteration with minimized qname.
 +		 * At previous iteration DS non-existance has been proven */
 +		qry->flags &= ~QUERY_DNSSEC_NODS;
 +		qry->flags &= ~QUERY_DNSSEC_WANT;
 +		qry->flags |= QUERY_DNSSEC_INSECURE;
  	}
- 	/* Enable DNSSEC if enters a new island of trust. */
+ 	/* Enable DNSSEC if entering a new (or different) island of trust,
+ 	 * and update the TA RRset if required. */
  	bool want_secured = (qry->flags & QUERY_DNSSEC_WANT) &&
  			    !knot_wire_get_cd(request->answer->wire);
- 	if (!(qry->flags & QUERY_DNSSEC_WANT) &&
- 	    !knot_wire_get_cd(request->answer->wire) &&
- 	    kr_ta_get(trust_anchors, qry->zone_cut.name)) {
+ 	knot_rrset_t *ta_rr = kr_ta_get(trust_anchors, qry->zone_cut.name);
+ 	if (!knot_wire_get_cd(request->answer->wire) && ta_rr) {
  		qry->flags |= QUERY_DNSSEC_WANT;
  		want_secured = true;
- 		WITH_VERBOSE {
- 		char qname_str[KNOT_DNAME_MAXLEN];
- 		knot_dname_to_str(qname_str, qry->zone_cut.name, sizeof(qname_str));
- 		VERBOSE_MSG(qry, ">< TA: '%s'\n", qname_str);
+ 
+ 		if (qry->zone_cut.trust_anchor == NULL
+ 		    || !knot_dname_is_equal(qry->zone_cut.trust_anchor->owner, qry->zone_cut.name)) {
+ 			mm_free(qry->zone_cut.pool, qry->zone_cut.trust_anchor);
+ 			qry->zone_cut.trust_anchor = knot_rrset_copy(ta_rr, qry->zone_cut.pool);
+ 
+ 			WITH_VERBOSE {
+ 			char qname_str[KNOT_DNAME_MAXLEN];
+ 			knot_dname_to_str(qname_str, ta_rr->owner, sizeof(qname_str));
+ 			VERBOSE_MSG(qry, ">< TA: '%s'\n", qname_str);
+ 			}
  		}
  	}
- 	if (want_secured && !qry->zone_cut.trust_anchor) {
- 		knot_rrset_t *ta_rr = kr_ta_get(trust_anchors, qry->zone_cut.name);
- 		qry->zone_cut.trust_anchor = knot_rrset_copy(ta_rr, qry->zone_cut.pool);
- 	}
+ 
  	/* Try to fetch missing DS (from above the cut). */
  	const bool has_ta = (qry->zone_cut.trust_anchor != NULL);
  	const knot_dname_t *ta_name = (has_ta ? qry->zone_cut.trust_anchor->owner : NULL);