From: TCY16
Date: Wed, 15 Sep 2021 09:17:04 +0000 (+0200)
Subject: add possible EDE spots
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3576033b62035ef2795d7c7f8fcecdb34d4a4c0b;p=thirdparty%2Funbound.git
add possible EDE spots
---
diff --git a/validator/val_sigcrypt.c b/validator/val_sigcrypt.c
index 08a963058..c30b02282 100644
--- a/validator/val_sigcrypt.c
+++ b/validator/val_sigcrypt.c
@@ -682,6 +682,9 @@ dnskeyset_verify_rrset_sig(struct module_env* env, struct val_env* ve,
 int buf_canon = 0;
 verbose(VERB_ALGO, "verify sig %d %d", (int)tag, algo);
 if(!dnskey_algo_id_is_supported(algo)) {
+ // @TODO do we do LDNS_EDE_UNSUPPORTED_DNSKEY_ALG here?
+ // if (reason_bogus)
+ // *reason_bogus = LDNS_EDE_UNSUPPORTED_DNSKEY_ALG;
 verbose(VERB_QUERY, "verify sig: unknown algorithm");
 return sec_status_insecure;
 }
@@ -1421,6 +1424,7 @@ check_dates(struct val_env* ve, uint32_t unow, uint8_t* expi_p,
 "signature bad", expi, incep, now);
 *reason = "signature inception after expiration";
 /* @TODO Tom, wat hier te doen? */
+ return 0;
 }
 if(compare_1982(incep, now) > 0) {
diff --git a/validator/val_utils.c b/validator/val_utils.c
index d0a59ef02..e94a1bb9f 100644
--- a/validator/val_utils.c
+++ b/validator/val_utils.c
@@ -570,6 +570,7 @@ val_verify_DNSKEY_with_DS(struct module_env* env, struct val_env* ve,
 if(!has_useful_ds) {
 verbose(VERB_ALGO, "No usable DS records were found -- " "treating as insecure.");
+ // @TODO add ede DNSSEC Indeterminate?
 return sec_status_insecure;
 }
 /* If any were understandable, then it is bad. */
@@ -786,6 +787,9 @@ val_dsset_isusable(struct ub_packed_rrset_key* ds_rrset)
 if(lt) snprintf(aerr, sizeof(aerr), "%s", lt->name); else snprintf(aerr, sizeof(aerr), "%d", (int)ds_get_key_algo(ds_rrset, i));
+
+ // @TODO do we want to add EDE Unsupported DS Digest Type here? + verbose(VERB_ALGO, "DS unsupported, hash %s %s, " "key algorithm %s %s", herr, (ds_digest_algo_is_supported(ds_rrset, 0)? 
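Review bot: The three added `//` lines in dnskeyset_verify_rrset_sig are commented-out code, and they reference `reason_bogus`, which does not appear in the (truncated) parameter list shown in the hunk header, so the snippet cannot be enabled as written; either wire the out-parameter through or reduce this to a one-line TODO instead of dead code. Note also that this branch returns `sec_status_insecure`, so an EDE "unsupported DNSKEY algorithm" reported here would annotate an insecure outcome, not a bogus one, which makes a name like `reason_bogus` misleading for this site. The surrounding file uses `/* */` comments (see the `/* @TODO ... */` in the next hunk), so a single `/* TODO: report EDE unsupported DNSKEY algorithm (insecure, not bogus) once the EDE out-parameter exists */` keeps the style. The function continues outside the hunk.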
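Review bot: The restored `return 0;` in check_dates makes the inception-after-expiration branch fail closed, which is the right outcome for a signature whose validity window is empty, but the `/* @TODO Tom, wat hier te doen? */` line directly above it is now an answered question left in the tree. Replace it with a comment stating the decision, e.g. `/* inception after expiration can never be valid: reject */`, so the next reader does not re-open it. The head of the branch (its condition and the sigdate_error call) and the rest of check_dates are outside the hunk, so I cannot confirm from here whether a date-override path bypasses this check; if it does, that is worth stating in the same comment.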
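Review bot: "DNSSEC Indeterminate" does not describe this branch of val_verify_DNSKEY_with_DS: the code logs "treating as insecure" and returns `sec_status_insecure`, and Indeterminate is a distinct RFC 4035 validation state, so attaching that EDE here would misreport the result to clients. Judging by val_dsset_isusable in the next hunk, `has_useful_ds` is false when no DS has a supported digest and key algorithm, so the unsupported-DS-digest / unsupported-DNSKEY-algorithm codes already named elsewhere in this commit are the ones that fit. Suggest rewording the TODO to `/* TODO: EDE unsupported DS digest / DNSKEY algorithm here, not Indeterminate (result is insecure) */`. The computation of has_useful_ds is outside the hunk.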
diff --git a/validator/validator.c b/validator/validator.c
index f71c2191a..51bdea77f 100644
--- a/validator/validator.c
+++ b/validator/validator.c
@@ -2405,6 +2405,7 @@ ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq,
 verbose(VERB_DETAIL, "DS response was error, thus bogus");
 errinf(qstate, rc);
 errinf(qstate, "no DS");
+ goto return_bogus;
 }
@@ -2587,6 +2588,9 @@ ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq,
 goto return_bogus;
 }
 return_bogus:
+
+ // @TODO add EDE NSEC MISSING + *ke = key_entry_create_bad(qstate->region, qinfo->qname, qinfo->qname_len, qinfo->qclass, BOGUS_KEY_TTL, *qstate->env->now);
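Review bot: The EDE TODO is placed on the shared `return_bogus:` label, so whatever code is eventually assigned there would be attached to every path that jumps to it, including the rcode-error path in the earlier hunk of this file (`errinf(qstate, "no DS"); goto return_bogus;`), where a missing NSEC is not the cause. Record the EDE at the individual jump sites, where the reason is known, and leave the label with only the `key_entry_create_bad` call; the existing per-site `errinf(...)` calls already follow that pattern for the textual reason, and the EDE code should travel with them. A `/* TODO: set EDE at each goto return_bogus site, not here */` at the label would capture that. The body of ds_response_to_ke begins outside the hunk, so I cannot list the remaining jump sites from here.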