From: Mark Andrews
Date: Wed, 27 Mar 2019 13:48:03 +0000 (+1100)
Subject: Store the DS and RRSIG(DS) with trust dns_trust_pending_answer
X-Git-Tag: v9.15.3~11^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=57a328d67e665a502575a42daa182440469b0173;p=thirdparty%2Fbind9.git

Store the DS and RRSIG(DS) with trust dns_trust_pending_answer so that the validator can validate the records as part of validating the current request.
---
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index b2265e97edb..6a38e277cf8 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -8697,12 +8697,14 @@ rctx_answer_none(respctx_t *rctx) {
 		rctx->negative = true;
 	}
 
-	/*
-	 * Process DNSSEC records in the authority section.
-	 */
-	result = rctx_authority_dnssec(rctx);
-	if (result == ISC_R_COMPLETE) {
-		return (rctx->result);
+	if (!rctx->ns_in_answer && !rctx->glue_in_answer) {
+		/*
+		 * Process DNSSEC records in the authority section.
+		 */
+		result = rctx_authority_dnssec(rctx);
+		if (result == ISC_R_COMPLETE) {
+			return (rctx->result);
+		}
 	}
 
 	/*
@@ -8955,18 +8957,12 @@ static isc_result_t
 rctx_authority_dnssec(respctx_t *rctx) {
 	isc_result_t result;
 	fetchctx_t *fctx = rctx->fctx;
-	dns_section_t section;
 	dns_rdataset_t *rdataset = NULL;
 	bool finished = false;
 
-	if (rctx->ns_in_answer) {
-		INSIST(fctx->type == dns_rdatatype_ns);
-		section = DNS_SECTION_ANSWER;
-	} else {
-		section = DNS_SECTION_AUTHORITY;
-	}
+	REQUIRE(!rctx->ns_in_answer && !rctx->glue_in_answer);
 
-	result = dns_message_firstname(fctx->rmessage, section);
+	result = dns_message_firstname(fctx->rmessage, DNS_SECTION_AUTHORITY);
 	if (result != ISC_R_SUCCESS) {
 		return (ISC_R_SUCCESS);
 	}
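Review bot: The guard added around rctx_authority_dnssec() in rctx_answer_none drops the pass that previously walked the ANSWER section when rctx->ns_in_answer was set (the `section = DNS_SECTION_ANSWER` branch deleted in the second hunk), and neither the hunk nor the commit message says where answer-section NS and glue records are now cached; if that is done by the answer-section path, a comment on the new `if` would save the next reader the search, e.g. `/* Only a referral or negative response carries DNSSEC data in the authority section; answer-section NS/glue are handled by the answer path. */`. The second hunk turns the same condition into `REQUIRE(!rctx->ns_in_answer && !rctx->glue_in_answer);`, which is a fatal assertion, so every future caller must repeat the check that rctx_answer_none now performs; the function's header comment, which is outside the hunk, should state that precondition and that rctx_answer_none is the caller that guarantees it. rctx_answer_none begins before the first hunk and both functions continue past the hunks shown here.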
@@ -8974,8 +8970,10 @@ rctx_authority_dnssec(respctx_t *rctx) {
 	while (!finished) {
 		dns_name_t *name = NULL;
 
-		dns_message_currentname(fctx->rmessage, section, &name);
-		result = dns_message_nextname(fctx->rmessage, section);
+		dns_message_currentname(fctx->rmessage, DNS_SECTION_AUTHORITY,
+					&name);
+		result = dns_message_nextname(fctx->rmessage,
+					      DNS_SECTION_AUTHORITY);
 		if (result != ISC_R_SUCCESS) {
 			finished = true;
 		}
@@ -8991,7 +8989,10 @@ rctx_authority_dnssec(respctx_t *rctx) {
 		     rdataset != NULL;
 		     rdataset = ISC_LIST_NEXT(rdataset, link))
 		{
+			bool checknta = true;
+			bool secure_domain = false;
 			dns_rdatatype_t type = rdataset->type;
+
 			if (type == dns_rdatatype_rrsig) {
 				type = rdataset->covers;
 			}
@@ -9051,7 +9052,25 @@ rctx_authority_dnssec(respctx_t *rctx) {
 			name->attributes |= DNS_NAMEATTR_CACHE;
 			rdataset->attributes |= DNS_RDATASETATTR_CACHE;
-			if (rctx->aa) {
+
+			if ((fctx->options & DNS_FETCHOPT_NONTA) != 0) {
+				checknta = false;
+			}
+			if (fctx->res->view->enablevalidation) {
+				result = issecuredomain(fctx->res->view,
+							name,
+							dns_rdatatype_ds,
+							fctx->now,
+							checknta, NULL,
+							&secure_domain);
+				if (result != ISC_R_SUCCESS) {
+					return (result);
+				}
+			}
+			if (secure_domain) {
+				rdataset->trust =
+					dns_trust_pending_answer;
+			} else if (rctx->aa) {
 				rdataset->trust = dns_trust_authauthority;
 			} else if (ISFORWARDER(fctx->addrinfo)) {
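Review bot: `bool checknta = true;` in the third hunk is declared inside the per-rdataset loop, yet the only visible assignment to it (in the following hunk) is driven by `fctx->options & DNS_FETCHOPT_NONTA`, which does not change while the loop runs, so the flag is reset and recomputed for every rdataset of every authority name. Hoisting it to function scope as `bool checknta = (fctx->options & DNS_FETCHOPT_NONTA) == 0;` removes that repetition and makes the negative-trust-anchor policy of the fetch visible at the top of the function; `secure_domain` does need to stay per-iteration, because issecuredomain() is only called when validation is enabled and the value would otherwise leak from one rdataset to the next. The `for` loop this hunk sits in starts before it and its body continues past the last hunk shown.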