From: Vladimír Čunát <vladimir.cunat@nic.cz>
Date: Fri, 7 Apr 2017 13:41:41 +0000 (+0200)
Subject: validate: fix bad usage of KR_RANK_INSECURE
X-Git-Tag: v1.3.0~23^2~12
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=444b261840e9299641ed7d0aff8060a76ff99529;p=thirdparty%2Fknot-resolver.git

validate: fix bad usage of KR_RANK_INSECURE

It's supposed to mean that we have a proof from configured TAs that
the RR isn't secure (typically proof of missing DS at some point).
This case was just failure to find a fitting RRSIG; new KR_RANK_MISSING
is introduced for that purpose, for simplicity.

Also, make the validator more thorough about what ranks are safe to skip.
---

diff --git a/lib/layer/validate.c b/lib/layer/validate.c
index 9ab00de6e..c4a54ce96 100644
--- a/lib/layer/validate.c
+++ b/lib/layer/validate.c
@@ -96,9 +96,9 @@ static int validate_section(kr_rrset_validation_ctx_t *vctx, knot_mm_t *pool)
 			continue;
 		}
 
-		if (!kr_rank_test(entry->rank, KR_RANK_INITIAL)
-		    && !kr_rank_test(entry->rank, KR_RANK_MISMATCH)) {
-			continue;
+		if (kr_rank_test(entry->rank, KR_RANK_OMIT)
+		    || kr_rank_test(entry->rank, KR_RANK_SECURE)) {
+			continue; /* these are already OK */
 		}
 
 		if (rr->type == KNOT_RRTYPE_RRSIG) {
@@ -120,7 +120,7 @@ static int validate_section(kr_rrset_validation_ctx_t *vctx, knot_mm_t *pool)
 			kr_rank_set(&entry->rank, KR_RANK_SECURE);
 		} else if (validation_result == kr_error(ENOENT)) {
 			/* no RRSIGs found */
-			kr_rank_set(&entry->rank, KR_RANK_INSECURE);
+			kr_rank_set(&entry->rank, KR_RANK_MISSING);
 			vctx->err_cnt += 1;
 		} else {
 			kr_rank_set(&entry->rank, KR_RANK_BOGUS);
@@ -474,7 +474,7 @@ static int check_validation_result(kr_layer_t *ctx, ranked_rr_array_t *arr)
 		if (kr_rank_test(entry->rank, KR_RANK_MISMATCH)) {
 			invalid_entry = entry;
 			break;
-		} else if (kr_rank_test(entry->rank, KR_RANK_INSECURE) &&
+		} else if (kr_rank_test(entry->rank, KR_RANK_MISSING) &&
 			   !invalid_entry) {
 			invalid_entry = entry;
 		} else if (!kr_rank_test(entry->rank, KR_RANK_SECURE) &&
@@ -510,7 +510,7 @@ static int check_validation_result(kr_layer_t *ctx, ranked_rr_array_t *arr)
 		}
 		VERBOSE_MSG(qry, ">< cut changed (new signer), needs revalidation\n");
 		ret = KR_STATE_YIELD;
-	} else if (kr_rank_test(invalid_entry->rank, KR_RANK_INSECURE)) {
+	} else if (kr_rank_test(invalid_entry->rank, KR_RANK_MISSING)) {
 		ret = rrsig_not_found(ctx, rr);
 	} else if (!kr_rank_test(invalid_entry->rank, KR_RANK_SECURE)) {
 		qry->flags |= QUERY_DNSSEC_BOGUS;
diff --git a/lib/resolve.c b/lib/resolve.c
index 7a40f11c9..cf2048794 100644
--- a/lib/resolve.c
+++ b/lib/resolve.c
@@ -45,6 +45,7 @@ bool kr_rank_check(uint8_t rank)
 	case KR_RANK_INDET:
 	case KR_RANK_BOGUS:
 	case KR_RANK_MISMATCH:
+	case KR_RANK_MISSING:
 	case KR_RANK_INSECURE:
 	case KR_RANK_SECURE:
 		return true;
diff --git a/lib/resolve.h b/lib/resolve.h
index bbc5ed3a5..8b6b9dfc4 100644
--- a/lib/resolve.h
+++ b/lib/resolve.h
@@ -92,10 +92,11 @@
  */
 enum kr_rank {
 	KR_RANK_INITIAL = 0, /**< Did not attempt to validate. */
-	KR_RANK_OMIT = 1,    /**< Do not attempt to validate. */
+	KR_RANK_OMIT = 1,    /**< Do not attempt to validate. (And don't consider it a validation failure.) */
 	KR_RANK_INDET,       /**< Unable to determine whether it should be secure. */
 	KR_RANK_BOGUS,       /**< Ought to be secure but isn't. */
 	KR_RANK_MISMATCH,
+	KR_RANK_MISSING,     /**< Unable to obtain a good signature. */
 
 	KR_RANK_INSECURE = 8, /**< Proven to be insecure. */