From: Petr Špaček
Date: Wed, 18 Mar 2020 14:20:59 +0000 (+0100)
Subject: validator: clarify message about signed non-authoritative data
X-Git-Tag: v5.1.0~26^2~7
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2cfe5f692797ffb59a8b5fdd8874cf7d9ece15ea;p=thirdparty%2Fknot-resolver.git
validator: clarify message about signed non-authoritative data
---
diff --git a/lib/layer/validate.c b/lib/layer/validate.c
index 94a9f3467..5f01d2326 100644
--- a/lib/layer/validate.c
+++ b/lib/layer/validate.c
@@ -125,8 +125,12 @@ static int validate_section(kr_rrset_validation_ctx_t *vctx, const struct kr_que
 kr_rank_set(&entry->rank, KR_RANK_SECURE);
 } else if (kr_rank_test(rank_orig, KR_RANK_TRY)) {
- log_bogus_rrsig(vctx, qry, rr,
- "failed to validate non-authoritative data but continuing");
+ /* RFC 4035 section 2.2:
+ * NS RRsets that appear at delegation points (...)
+ * MUST NOT be signed */
+ if (vctx->rrs_counters.matching_name_type > 0)
+ log_bogus_rrsig(vctx, qry, rr,
+ "found unexpected signatures for non-authoritative data which failed to validate, continuing");
 vctx->result = kr_ok();
 kr_rank_set(&entry->rank, KR_RANK_TRY);
 /* ^^ BOGUS would be more accurate, but it might change