From: Ondřej Surý <ondrej@isc.org>
Date: Mon, 23 Feb 2026 18:42:49 +0000 (+0100)
Subject: Count temporal problems with DNSSEC validation as attempts
X-Git-Tag: v9.21.21~6^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6ba57a1f0f871e32b85c4f38b53b3ac4e198754b;p=thirdparty%2Fbind9.git

Count temporal problems with DNSSEC validation as attempts

After KeyTrap, the temporal DNSSEC were originally hard errors that
caused validation failures even if the records had another valid
signature.  This has been changed and the RRSIGs outside of the
inception and expiration time are not counted as hard errors.  However,
these errors are not even counted as validation attempts, so excessive
number of expired RRSIGs would cause some non-cryptograhic extra work
for the validator.  This has been fixed and the temporal errors are
correctly counted as validation attempts.
---

diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index da01b52a09e..44482328344 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -1406,6 +1406,8 @@ selfsigned_dnskey(dns_validator_t *val) {
 					dst_key_free(&dstkey);
 					return ISC_R_QUOTA;
 				}
+				consume_validation(val);
+
 				result = dns_dnssec_verify(name, rdataset,
 							   dstkey, true, mctx,
 							   &sigrdata, NULL);
@@ -1414,11 +1416,10 @@ selfsigned_dnskey(dns_validator_t *val) {
 				case DNS_R_SIGEXPIRED:
 					/*
 					 * Temporal errors don't count towards
-					 * max validations nor max fails.
+					 * max fails.
 					 */
 					break;
 				case ISC_R_SUCCESS:
-					consume_validation(val);
 					/*
 					 * The key with the REVOKE flag has
 					 * self signed the RRset so it is no
@@ -1427,7 +1428,6 @@ selfsigned_dnskey(dns_validator_t *val) {
 					dns_view_untrust(val->view, name, &key);
 					break;
 				default:
-					consume_validation(val);
 					if (over_max_fails(val)) {
 						dst_key_free(&dstkey);
 						return ISC_R_QUOTA;
@@ -1469,7 +1469,7 @@ verify(dns_validator_t *val, dst_key_t *key, dns_rdata_t *rdata,
 	isc_result_t result;
 	dns_fixedname_t fixed;
 	bool ignore = false;
-	dns_name_t *wild;
+	dns_name_t *wild = dns_fixedname_initname(&fixed);
 
 	if (DNS_TRUST_SECURE(val->rdataset->trust)) {
 		/*
@@ -1482,7 +1482,7 @@ verify(dns_validator_t *val, dst_key_t *key, dns_rdata_t *rdata,
 	if (over_max_validations(val)) {
 		return ISC_R_QUOTA;
 	}
-	wild = dns_fixedname_initname(&fixed);
+	consume_validation(val);
 
 again:
 	result = dns_dnssec_verify(val->name, val->rdataset, key, ignore,
@@ -1532,8 +1532,7 @@ again:
 	case DNS_R_SIGFUTURE:
 	case DNS_R_SIGEXPIRED:
 		/*
-		 * Temporal errors don't count towards max validations nor max
-		 * fails.
+		 * Temporal errors don't count towards max fails.
 		 */
 		validator_addede(val,
 				 result == DNS_R_SIGEXPIRED
@@ -1542,10 +1541,8 @@ again:
 				 NULL);
 		break;
 	case ISC_R_SUCCESS:
-		consume_validation(val);
 		break;
 	default:
-		consume_validation(val);
 		if (over_max_fails(val)) {
 			result = ISC_R_QUOTA;
 			break;