From: Remi Gacogne Date: Wed, 3 Feb 2021 17:34:58 +0000 (+0100) Subject: rec: Get rid of early zone cut computation X-Git-Tag: rec-4.5.0-beta1~4^2~12 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7c1fe83b06a459ce27dff007cb8f20e6cb44791f;p=thirdparty%2Fpdns.git rec: Get rid of early zone cut computation This commit removes the early zone cut computation using DS queries. It instead determines the status of a record when it is either received from an authoritative server or retrieved from a cache, detecting missed zone cuts when the expected signatures are not present. This results in roughly 8% fewer outgoing queries in quick testing. One remaining issue is that we do not detect a missing zone cut when we get signatures but the DS record has not been published. We should likely try to find a DS denial when the signer is not expected, or perhaps always? We also need some optimizations, like perhaps caching the (N)TA, and updating the zone cuts when we see a DS or denial of a DS in an answer. --- diff --git a/pdns/recursordist/test-aggressive_nsec_cc.cc b/pdns/recursordist/test-aggressive_nsec_cc.cc index 6a0338663e..b91fa8eff5 100644 --- a/pdns/recursordist/test-aggressive_nsec_cc.cc +++ b/pdns/recursordist/test-aggressive_nsec_cc.cc @@ -94,14 +94,14 @@ BOOST_AUTO_TEST_CASE(test_aggressive_nsec_nxdomain) BOOST_CHECK_EQUAL(res, RCode::NXDomain); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure); BOOST_REQUIRE_EQUAL(ret.size(), 6U); - BOOST_CHECK_EQUAL(queriesCount, 7U); + BOOST_CHECK_EQUAL(queriesCount, 4U); ret.clear(); res = sr->beginResolve(target2, QType(QType::A), QClass::IN, ret); BOOST_CHECK_EQUAL(res, RCode::NXDomain); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure); BOOST_REQUIRE_EQUAL(ret.size(), 6U); - BOOST_CHECK_EQUAL(queriesCount, 7U); + BOOST_CHECK_EQUAL(queriesCount, 4U); } BOOST_AUTO_TEST_CASE(test_aggressive_nsec_nodata) 
@@ -180,14 +180,14 @@ BOOST_AUTO_TEST_CASE(test_aggressive_nsec_nodata) BOOST_CHECK_EQUAL(res, RCode::NoError); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure); BOOST_REQUIRE_EQUAL(ret.size(), 4U); - BOOST_CHECK_EQUAL(queriesCount, 7U); + BOOST_CHECK_EQUAL(queriesCount, 4U); ret.clear(); res = sr->beginResolve(target, QType(QType::AAAA), QClass::IN, ret); BOOST_CHECK_EQUAL(res, RCode::NoError); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure); BOOST_REQUIRE_EQUAL(ret.size(), 4U); - BOOST_CHECK_EQUAL(queriesCount, 7U); + BOOST_CHECK_EQUAL(queriesCount, 4U); } BOOST_AUTO_TEST_CASE(test_aggressive_nsec_nodata_wildcard) @@ -271,14 +271,14 @@ BOOST_AUTO_TEST_CASE(test_aggressive_nsec_nodata_wildcard) BOOST_CHECK_EQUAL(res, RCode::NoError); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure); BOOST_REQUIRE_EQUAL(ret.size(), 4U); - BOOST_CHECK_EQUAL(queriesCount, 7U); + BOOST_CHECK_EQUAL(queriesCount, 4U); ret.clear(); res = sr->beginResolve(target, QType(QType::AAAA), QClass::IN, ret); BOOST_CHECK_EQUAL(res, RCode::NoError); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure); BOOST_REQUIRE_EQUAL(ret.size(), 4U); - BOOST_CHECK_EQUAL(queriesCount, 7U); + BOOST_CHECK_EQUAL(queriesCount, 4U); } BOOST_AUTO_TEST_CASE(test_aggressive_nsec_wildcard_synthesis) @@ -362,7 +362,7 @@ BOOST_AUTO_TEST_CASE(test_aggressive_nsec_wildcard_synthesis) BOOST_REQUIRE_EQUAL(ret.size(), 4U); BOOST_CHECK_EQUAL(ret.at(0).d_name, target); BOOST_CHECK_EQUAL(ret.at(0).d_type, QType(QType::A).getCode()); - BOOST_CHECK_EQUAL(queriesCount, 7U); + BOOST_CHECK_EQUAL(queriesCount, 4U); ret.clear(); res = sr->beginResolve(DNSName("b.powerdns.com."), QType(QType::A), QClass::IN, ret); 
@@ -371,7 +371,7 @@ BOOST_AUTO_TEST_CASE(test_aggressive_nsec_wildcard_synthesis) BOOST_REQUIRE_EQUAL(ret.size(), 4U); BOOST_CHECK_EQUAL(ret.at(0).d_name, DNSName("b.powerdns.com.")); BOOST_CHECK_EQUAL(ret.at(0).d_type, QType(QType::A).getCode()); - BOOST_CHECK_EQUAL(queriesCount, 7U); + BOOST_CHECK_EQUAL(queriesCount, 4U); } BOOST_AUTO_TEST_CASE(test_aggressive_nsec3_nxdomain) @@ -470,14 +470,14 @@ BOOST_AUTO_TEST_CASE(test_aggressive_nsec3_nxdomain) BOOST_CHECK_EQUAL(res, RCode::NXDomain); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure); BOOST_REQUIRE_EQUAL(ret.size(), 8U); - BOOST_CHECK_EQUAL(queriesCount, 7U); + BOOST_CHECK_EQUAL(queriesCount, 4U); ret.clear(); res = sr->beginResolve(target2, QType(QType::A), QClass::IN, ret); BOOST_CHECK_EQUAL(res, RCode::NXDomain); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure); BOOST_REQUIRE_EQUAL(ret.size(), 8U); - BOOST_CHECK_EQUAL(queriesCount, 7U); + BOOST_CHECK_EQUAL(queriesCount, 4U); } BOOST_AUTO_TEST_CASE(test_aggressive_nsec3_nodata) @@ -556,14 +556,14 @@ BOOST_AUTO_TEST_CASE(test_aggressive_nsec3_nodata) BOOST_CHECK_EQUAL(res, RCode::NoError); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure); BOOST_REQUIRE_EQUAL(ret.size(), 4U); - BOOST_CHECK_EQUAL(queriesCount, 7U); + BOOST_CHECK_EQUAL(queriesCount, 4U); ret.clear(); res = sr->beginResolve(target, QType(QType::AAAA), QClass::IN, ret); BOOST_CHECK_EQUAL(res, RCode::NoError); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure); BOOST_REQUIRE_EQUAL(ret.size(), 4U); - BOOST_CHECK_EQUAL(queriesCount, 7U); + BOOST_CHECK_EQUAL(queriesCount, 4U); } BOOST_AUTO_TEST_CASE(test_aggressive_nsec3_nodata_wildcard) 
@@ -659,14 +659,14 @@ BOOST_AUTO_TEST_CASE(test_aggressive_nsec3_nodata_wildcard) BOOST_CHECK_EQUAL(res, RCode::NoError); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure); BOOST_REQUIRE_EQUAL(ret.size(), 8U); - BOOST_CHECK_EQUAL(queriesCount, 7U); + BOOST_CHECK_EQUAL(queriesCount, 4U); ret.clear(); res = sr->beginResolve(target, QType(QType::AAAA), QClass::IN, ret); BOOST_CHECK_EQUAL(res, RCode::NoError); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure); BOOST_REQUIRE_EQUAL(ret.size(), 8U); - BOOST_CHECK_EQUAL(queriesCount, 7U); + BOOST_CHECK_EQUAL(queriesCount, 4U); } BOOST_AUTO_TEST_CASE(test_aggressive_nsec3_wildcard_synthesis) @@ -758,7 +758,7 @@ BOOST_AUTO_TEST_CASE(test_aggressive_nsec3_wildcard_synthesis) BOOST_REQUIRE_EQUAL(ret.size(), 4U); BOOST_CHECK_EQUAL(ret.at(0).d_name, target); BOOST_CHECK_EQUAL(ret.at(0).d_type, QType(QType::A).getCode()); - BOOST_CHECK_EQUAL(queriesCount, 7U); + BOOST_CHECK_EQUAL(queriesCount, 4U); ret.clear(); res = sr->beginResolve(DNSName("b.powerdns.com."), QType(QType::A), QClass::IN, ret); @@ -767,7 +767,7 @@ BOOST_AUTO_TEST_CASE(test_aggressive_nsec3_wildcard_synthesis) BOOST_REQUIRE_EQUAL(ret.size(), 4U); BOOST_CHECK_EQUAL(ret.at(0).d_name, DNSName("b.powerdns.com.")); BOOST_CHECK_EQUAL(ret.at(0).d_type, QType(QType::A).getCode()); - BOOST_CHECK_EQUAL(queriesCount, 7U); + BOOST_CHECK_EQUAL(queriesCount, 4U); } BOOST_AUTO_TEST_CASE(test_aggressive_nsec_wiping) diff --git a/pdns/recursordist/test-syncres_cc1.cc b/pdns/recursordist/test-syncres_cc1.cc index 9d9a6121d3..7702091dd3 100644 --- a/pdns/recursordist/test-syncres_cc1.cc +++ b/pdns/recursordist/test-syncres_cc1.cc 
@@ -1771,7 +1771,7 @@ BOOST_AUTO_TEST_CASE(test_dname_dnssec_secure) BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure); BOOST_REQUIRE_EQUAL(ret.size(), 5U); /* DNAME + RRSIG(DNAME) + CNAME + A + RRSIG(A) */ - BOOST_CHECK_EQUAL(queries, 11U); + BOOST_CHECK_EQUAL(queries, 7U); BOOST_REQUIRE(ret[0].d_type == QType::DNAME); BOOST_CHECK(ret[0].d_name == dnameOwner); @@ -1797,7 +1797,7 @@ BOOST_AUTO_TEST_CASE(test_dname_dnssec_secure) BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure); BOOST_REQUIRE_EQUAL(ret.size(), 5U); /* DNAME + RRSIG(DNAME) + CNAME + A + RRSIG(A) */ - BOOST_CHECK_EQUAL(queries, 11U); + BOOST_CHECK_EQUAL(queries, 7U); BOOST_REQUIRE(ret[0].d_type == QType::DNAME); BOOST_CHECK(ret[0].d_name == dnameOwner); @@ -1918,7 +1918,7 @@ BOOST_AUTO_TEST_CASE(test_dname_dnssec_insecure) BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure); BOOST_REQUIRE_EQUAL(ret.size(), 4U); /* DNAME + RRSIG(DNAME) + CNAME + A */ - BOOST_CHECK_EQUAL(queries, 9U); + BOOST_CHECK_EQUAL(queries, 7U); BOOST_REQUIRE(ret[0].d_type == QType::DNAME); BOOST_CHECK(ret[0].d_name == dnameOwner); @@ -1941,7 +1941,7 @@ BOOST_AUTO_TEST_CASE(test_dname_dnssec_insecure) BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure); BOOST_REQUIRE_EQUAL(ret.size(), 4U); /* DNAME + RRSIG(DNAME) + CNAME + A */ - BOOST_CHECK_EQUAL(queries, 9U); + BOOST_CHECK_EQUAL(queries, 7U); BOOST_REQUIRE(ret[0].d_type == QType::DNAME); BOOST_CHECK(ret[0].d_name == dnameOwner); diff --git a/pdns/recursordist/test-syncres_cc2.cc b/pdns/recursordist/test-syncres_cc2.cc index 065adc5b80..4843a660ea 100644 --- a/pdns/recursordist/test-syncres_cc2.cc +++ b/pdns/recursordist/test-syncres_cc2.cc 
@@ -723,7 +723,7 @@ BOOST_AUTO_TEST_CASE(test_rfc8020_nothing_underneath_dnssec) BOOST_CHECK_EQUAL(res, RCode::NXDomain); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure); BOOST_CHECK_EQUAL(ret.size(), 6U); - BOOST_CHECK_EQUAL(queriesCount, 9U); + BOOST_CHECK_EQUAL(queriesCount, 6U); BOOST_CHECK_EQUAL(g_negCache->size(), 1U); ret.clear(); @@ -731,7 +731,7 @@ BOOST_AUTO_TEST_CASE(test_rfc8020_nothing_underneath_dnssec) BOOST_CHECK_EQUAL(res, RCode::NXDomain); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure); BOOST_CHECK_EQUAL(ret.size(), 6U); - BOOST_CHECK_EQUAL(queriesCount, 9U); + BOOST_CHECK_EQUAL(queriesCount, 6U); BOOST_CHECK_EQUAL(g_negCache->size(), 1U); ret.clear(); @@ -739,7 +739,7 @@ BOOST_AUTO_TEST_CASE(test_rfc8020_nothing_underneath_dnssec) BOOST_CHECK_EQUAL(res, RCode::NXDomain); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure); BOOST_CHECK_EQUAL(ret.size(), 6U); - BOOST_CHECK_EQUAL(queriesCount, 9U); + BOOST_CHECK_EQUAL(queriesCount, 6U); BOOST_CHECK_EQUAL(g_negCache->size(), 1U); ret.clear(); @@ -747,7 +747,7 @@ BOOST_AUTO_TEST_CASE(test_rfc8020_nothing_underneath_dnssec) BOOST_CHECK_EQUAL(res, RCode::NXDomain); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure); BOOST_CHECK_EQUAL(ret.size(), 6U); - BOOST_CHECK_EQUAL(queriesCount, 9U); + BOOST_CHECK_EQUAL(queriesCount, 6U); BOOST_CHECK_EQUAL(g_negCache->size(), 1U); // Now test without RFC 8020 to see the cache and query count grow @@ -759,7 +759,7 @@ BOOST_AUTO_TEST_CASE(test_rfc8020_nothing_underneath_dnssec) BOOST_CHECK_EQUAL(res, RCode::NXDomain); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure); BOOST_CHECK_EQUAL(ret.size(), 6U); - BOOST_CHECK_EQUAL(queriesCount, 9U); + BOOST_CHECK_EQUAL(queriesCount, 6U); BOOST_CHECK_EQUAL(g_negCache->size(), 1U); // New query 
@@ -768,7 +768,7 @@ BOOST_AUTO_TEST_CASE(test_rfc8020_nothing_underneath_dnssec) BOOST_CHECK_EQUAL(res, RCode::NXDomain); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure); BOOST_CHECK_EQUAL(ret.size(), 6U); - BOOST_CHECK_EQUAL(queriesCount, 11U); + BOOST_CHECK_EQUAL(queriesCount, 7U); BOOST_CHECK_EQUAL(g_negCache->size(), 2U); ret.clear(); @@ -776,7 +776,7 @@ BOOST_AUTO_TEST_CASE(test_rfc8020_nothing_underneath_dnssec) BOOST_CHECK_EQUAL(res, RCode::NXDomain); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure); BOOST_CHECK_EQUAL(ret.size(), 6U); - BOOST_CHECK_EQUAL(queriesCount, 13U); + BOOST_CHECK_EQUAL(queriesCount, 8U); BOOST_CHECK_EQUAL(g_negCache->size(), 3U); ret.clear(); @@ -784,7 +784,7 @@ BOOST_AUTO_TEST_CASE(test_rfc8020_nothing_underneath_dnssec) BOOST_CHECK_EQUAL(res, RCode::NXDomain); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure); BOOST_CHECK_EQUAL(ret.size(), 6U); - BOOST_CHECK_EQUAL(queriesCount, 15U); + BOOST_CHECK_EQUAL(queriesCount, 9U); BOOST_CHECK_EQUAL(g_negCache->size(), 4U); // reset diff --git a/pdns/recursordist/test-syncres_cc3.cc b/pdns/recursordist/test-syncres_cc3.cc index e950dd05fc..699d52b2ac 100644 --- a/pdns/recursordist/test-syncres_cc3.cc +++ b/pdns/recursordist/test-syncres_cc3.cc @@ -965,7 +965,7 @@ BOOST_AUTO_TEST_CASE(test_forward_zone_recurse_nord_dnssec) BOOST_CHECK_EQUAL(res, RCode::NoError); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure); BOOST_REQUIRE_EQUAL(ret.size(), 2U); - BOOST_CHECK_EQUAL(queriesCount, 5U); + BOOST_CHECK_EQUAL(queriesCount, 4U); BOOST_CHECK_EQUAL(DSforParentCount, 1U); /* again, to test the cache */ 
@@ -974,16 +974,16 @@ BOOST_AUTO_TEST_CASE(test_forward_zone_recurse_nord_dnssec)
 BOOST_CHECK_EQUAL(res, RCode::NoError);
 BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);
 BOOST_REQUIRE_EQUAL(ret.size(), 2U);
- BOOST_CHECK_EQUAL(queriesCount, 5U);
+ BOOST_CHECK_EQUAL(queriesCount, 4U);
 BOOST_CHECK_EQUAL(DSforParentCount, 1U);
 
- /* new target should no cause a DS query for tets. */
+ /* new target should not cause a DS query for test. */
 ret.clear();
 res = sr->beginResolve(target2, QType(QType::A), QClass::IN, ret);
 BOOST_CHECK_EQUAL(res, RCode::NoError);
 BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);
 BOOST_REQUIRE_EQUAL(ret.size(), 2U);
- BOOST_CHECK_EQUAL(queriesCount, 7U);
+ BOOST_CHECK_EQUAL(queriesCount, 5U);
 BOOST_CHECK_EQUAL(DSforParentCount, 1U);
 }
 
diff --git a/pdns/recursordist/test-syncres_cc4.cc b/pdns/recursordist/test-syncres_cc4.cc
index 4a2ec2d608..0f46298e5e 100644
--- a/pdns/recursordist/test-syncres_cc4.cc
+++ b/pdns/recursordist/test-syncres_cc4.cc
@@ -164,7 +164,7 @@ BOOST_AUTO_TEST_CASE(test_auth_zone_delegation)
 BOOST_CHECK_EQUAL(res, RCode::NoError);
 BOOST_REQUIRE_EQUAL(ret.size(), 1U);
 BOOST_CHECK(ret[0].d_type == QType::A);
- BOOST_CHECK_EQUAL(queriesCount, 3U);
+ BOOST_CHECK_EQUAL(queriesCount, 1U);
 BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Indeterminate);
 }
 
diff --git a/pdns/recursordist/test-syncres_cc5.cc b/pdns/recursordist/test-syncres_cc5.cc
index 7ccb36cf19..042dd6eacb 100644
--- a/pdns/recursordist/test-syncres_cc5.cc
+++ b/pdns/recursordist/test-syncres_cc5.cc
@@ -96,7 +96,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_secure_various_algos)
 BOOST_CHECK_EQUAL(res, RCode::NoError);
 BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);
 BOOST_REQUIRE_EQUAL(ret.size(), 2U);
- BOOST_CHECK_EQUAL(queriesCount, 8U);
+ BOOST_CHECK_EQUAL(queriesCount, 6U);
 
 /* again, to test the cache */
 ret.clear();
@@ -104,7 +104,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_secure_various_algos) BOOST_CHECK_EQUAL(res, RCode::NoError); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure); BOOST_REQUIRE_EQUAL(ret.size(), 2U); - BOOST_CHECK_EQUAL(queriesCount, 8U); + BOOST_CHECK_EQUAL(queriesCount, 6U); } static void testFixedPointInTime(time_t fixedNow) @@ -192,14 +192,14 @@ static void testFixedPointInTime(time_t fixedNow) BOOST_CHECK_EQUAL(res, RCode::NoError); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure); BOOST_REQUIRE_EQUAL(ret.size(), 2U); - BOOST_CHECK_EQUAL(queriesCount, 8U); + BOOST_CHECK_EQUAL(queriesCount, 6U); /* again, to test the cache */ ret.clear(); res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); BOOST_CHECK_EQUAL(res, RCode::NoError); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure); BOOST_REQUIRE_EQUAL(ret.size(), 2U); - BOOST_CHECK_EQUAL(queriesCount, 8U); + BOOST_CHECK_EQUAL(queriesCount, 6U); } BOOST_AUTO_TEST_CASE(test_dnssec_secure_various_algos1970) @@ -317,7 +317,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_secure_a_then_ns) BOOST_CHECK_EQUAL(res, RCode::NoError); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure); BOOST_REQUIRE_EQUAL(ret.size(), 2U); - BOOST_CHECK_EQUAL(queriesCount, 8U); + BOOST_CHECK_EQUAL(queriesCount, 6U); /* again, to test the cache */ ret.clear(); @@ -325,7 +325,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_secure_a_then_ns) BOOST_CHECK_EQUAL(res, RCode::NoError); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure); BOOST_REQUIRE_EQUAL(ret.size(), 2U); - BOOST_CHECK_EQUAL(queriesCount, 8U); + BOOST_CHECK_EQUAL(queriesCount, 6U); /* this time we ask for the NS that should be in the cache, to check the validation status */ 
@@ -334,7 +334,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_secure_a_then_ns) BOOST_CHECK_EQUAL(res, RCode::NoError); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure); BOOST_REQUIRE_EQUAL(ret.size(), 2U); - BOOST_CHECK_EQUAL(queriesCount, 9U); + BOOST_CHECK_EQUAL(queriesCount, 7U); } BOOST_AUTO_TEST_CASE(test_dnssec_insecure_a_then_ns) @@ -418,7 +418,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_insecure_a_then_ns) BOOST_CHECK_EQUAL(res, RCode::NoError); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure); BOOST_REQUIRE_EQUAL(ret.size(), 1U); - BOOST_CHECK_EQUAL(queriesCount, 7U); + BOOST_CHECK_EQUAL(queriesCount, 5U); /* again, to test the cache */ ret.clear(); @@ -426,7 +426,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_insecure_a_then_ns) BOOST_CHECK_EQUAL(res, RCode::NoError); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure); BOOST_REQUIRE_EQUAL(ret.size(), 1U); - BOOST_CHECK_EQUAL(queriesCount, 7U); + BOOST_CHECK_EQUAL(queriesCount, 5U); /* this time we ask for the NS that should be in the cache, to check the validation status */ @@ -435,7 +435,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_insecure_a_then_ns) BOOST_CHECK_EQUAL(res, RCode::NoError); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure); BOOST_REQUIRE_EQUAL(ret.size(), 1U); - BOOST_CHECK_EQUAL(queriesCount, 8U); + BOOST_CHECK_EQUAL(queriesCount, 6U); } BOOST_AUTO_TEST_CASE(test_dnssec_secure_with_nta) @@ -616,7 +616,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_bogus_with_nta) /* Should be insecure because of the NTA */ BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure); BOOST_REQUIRE_EQUAL(ret.size(), 1U); - BOOST_CHECK_EQUAL(queriesCount, 4U); + BOOST_CHECK_EQUAL(queriesCount, 3U); /* again, to test the cache */ ret.clear(); 
@@ -624,7 +624,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_bogus_with_nta) BOOST_CHECK_EQUAL(res, RCode::NoError); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure); BOOST_REQUIRE_EQUAL(ret.size(), 1U); - BOOST_CHECK_EQUAL(queriesCount, 4U); + BOOST_CHECK_EQUAL(queriesCount, 3U); } BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec) @@ -707,7 +707,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec) BOOST_CHECK_EQUAL(res, RCode::NoError); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure); BOOST_REQUIRE_EQUAL(ret.size(), 4U); - BOOST_CHECK_EQUAL(queriesCount, 8U); + BOOST_CHECK_EQUAL(queriesCount, 6U); /* again, to test the cache */ ret.clear(); @@ -715,7 +715,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec) BOOST_CHECK_EQUAL(res, RCode::NoError); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure); BOOST_REQUIRE_EQUAL(ret.size(), 4U); - BOOST_CHECK_EQUAL(queriesCount, 8U); + BOOST_CHECK_EQUAL(queriesCount, 6U); } BOOST_AUTO_TEST_CASE(test_dnssec_validation_nxdomain_nsec) @@ -823,7 +823,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_validation_nxdomain_nsec) BOOST_CHECK_EQUAL(res, RCode::NXDomain); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure); BOOST_REQUIRE_EQUAL(ret.size(), 6U); - BOOST_CHECK_EQUAL(queriesCount, 9U); + BOOST_CHECK_EQUAL(queriesCount, 6U); /* again, to test the cache */ ret.clear(); @@ -831,7 +831,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_validation_nxdomain_nsec) BOOST_CHECK_EQUAL(res, RCode::NXDomain); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure); BOOST_REQUIRE_EQUAL(ret.size(), 6U); - BOOST_CHECK_EQUAL(queriesCount, 9U); + BOOST_CHECK_EQUAL(queriesCount, 6U); } BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec_wildcard) 
@@ -932,7 +932,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec_wildcard) BOOST_CHECK_EQUAL(res, RCode::NoError); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure); BOOST_REQUIRE_EQUAL(ret.size(), 4U); - BOOST_CHECK_EQUAL(queriesCount, 9U); + BOOST_CHECK_EQUAL(queriesCount, 6U); /* again, to test the cache */ ret.clear(); @@ -944,7 +944,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec_wildcard) /* check that we applied the lowest TTL, here this is from the NSEC proving that the exact name did not exist */ BOOST_CHECK_LE(rec.d_ttl, 60U); } - BOOST_CHECK_EQUAL(queriesCount, 9U); + BOOST_CHECK_EQUAL(queriesCount, 6U); } BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec_wildcard_proof_before_rrsig) @@ -1054,7 +1054,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec_wildcard_proof_before_rrsig) BOOST_CHECK_EQUAL(res, RCode::NoError); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure); BOOST_REQUIRE_EQUAL(ret.size(), 4U); - BOOST_CHECK_EQUAL(queriesCount, 9U); + BOOST_CHECK_EQUAL(queriesCount, 6U); /* again, to test the cache */ ret.clear(); @@ -1066,7 +1066,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec_wildcard_proof_before_rrsig) /* check that we applied the lowest TTL, here this is from the NSEC proving that the exact name did not exist */ BOOST_CHECK_LE(rec.d_ttl, 60U); } - BOOST_CHECK_EQUAL(queriesCount, 9U); + BOOST_CHECK_EQUAL(queriesCount, 6U); } BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec_nodata_nowildcard) @@ -1138,7 +1138,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec_nodata_nowildcard) BOOST_CHECK_EQUAL(res, RCode::NoError); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure); BOOST_REQUIRE_EQUAL(ret.size(), 6U); - BOOST_CHECK_EQUAL(queriesCount, 6U); + BOOST_CHECK_EQUAL(queriesCount, 5U); /* again, to test the cache */ ret.clear(); 
@@ -1146,7 +1146,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec_nodata_nowildcard) BOOST_CHECK_EQUAL(res, RCode::NoError); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure); BOOST_REQUIRE_EQUAL(ret.size(), 6U); - BOOST_CHECK_EQUAL(queriesCount, 6U); + BOOST_CHECK_EQUAL(queriesCount, 5U); } BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec3_nodata_nowildcard) @@ -1229,7 +1229,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec3_nodata_nowildcard) BOOST_CHECK_EQUAL(res, RCode::NoError); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure); BOOST_REQUIRE_EQUAL(ret.size(), 8U); - BOOST_CHECK_EQUAL(queriesCount, 6U); + BOOST_CHECK_EQUAL(queriesCount, 5U); /* again, to test the cache */ ret.clear(); @@ -1237,7 +1237,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec3_nodata_nowildcard) BOOST_CHECK_EQUAL(res, RCode::NoError); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure); BOOST_REQUIRE_EQUAL(ret.size(), 8U); - BOOST_CHECK_EQUAL(queriesCount, 6U); + BOOST_CHECK_EQUAL(queriesCount, 5U); } BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec3_nodata_nowildcard_duplicated_nsec3) @@ -1323,7 +1323,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec3_nodata_nowildcard_duplicated_n BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure); /* because we pass along the duplicated NSEC3 */ BOOST_REQUIRE_EQUAL(ret.size(), 9U); - BOOST_CHECK_EQUAL(queriesCount, 6U); + BOOST_CHECK_EQUAL(queriesCount, 5U); /* again, to test the cache */ ret.clear(); @@ -1332,7 +1332,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec3_nodata_nowildcard_duplicated_n BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure); /* because we pass along the duplicated NSEC3 */ BOOST_REQUIRE_EQUAL(ret.size(), 9U); - BOOST_CHECK_EQUAL(queriesCount, 6U); + BOOST_CHECK_EQUAL(queriesCount, 5U); } BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec3_nodata_nowildcard_too_many_iterations) 
@@ -1416,7 +1416,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec3_nodata_nowildcard_too_many_ite BOOST_CHECK_EQUAL(res, RCode::NoError); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure); BOOST_REQUIRE_EQUAL(ret.size(), 8U); - BOOST_CHECK_EQUAL(queriesCount, 6U); + BOOST_CHECK_EQUAL(queriesCount, 5U); /* again, to test the cache */ ret.clear(); @@ -1424,7 +1424,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec3_nodata_nowildcard_too_many_ite BOOST_CHECK_EQUAL(res, RCode::NoError); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure); BOOST_REQUIRE_EQUAL(ret.size(), 8U); - BOOST_CHECK_EQUAL(queriesCount, 6U); + BOOST_CHECK_EQUAL(queriesCount, 5U); } BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec3_wildcard) @@ -1534,7 +1534,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec3_wildcard) BOOST_CHECK_EQUAL(res, RCode::NoError); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure); BOOST_REQUIRE_EQUAL(ret.size(), 6U); - BOOST_CHECK_EQUAL(queriesCount, 10U); + BOOST_CHECK_EQUAL(queriesCount, 6U); /* again, to test the cache */ ret.clear(); @@ -1546,7 +1546,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec3_wildcard) /* check that we applied the lowest TTL, here this is from the NSEC3 proving that the exact name did not exist (next closer) */ BOOST_CHECK_LE(rec.d_ttl, 60U); } - BOOST_CHECK_EQUAL(queriesCount, 10U); + BOOST_CHECK_EQUAL(queriesCount, 6U); } BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec3_wildcard_too_many_iterations) @@ -1653,7 +1653,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec3_wildcard_too_many_iterations) BOOST_CHECK_EQUAL(res, RCode::NoError); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure); BOOST_REQUIRE_EQUAL(ret.size(), 6U); - BOOST_CHECK_EQUAL(queriesCount, 9U); + BOOST_CHECK_EQUAL(queriesCount, 6U); /* again, to test the cache */ ret.clear(); 
@@ -1661,7 +1661,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec3_wildcard_too_many_iterations) BOOST_CHECK_EQUAL(res, RCode::NoError); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure); BOOST_REQUIRE_EQUAL(ret.size(), 6U); - BOOST_CHECK_EQUAL(queriesCount, 9U); + BOOST_CHECK_EQUAL(queriesCount, 6U); } BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec_wildcard_missing) @@ -1759,7 +1759,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec_wildcard_missing) BOOST_CHECK_EQUAL(res, RCode::NoError); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusInvalidDenial); BOOST_REQUIRE_EQUAL(ret.size(), 2U); - BOOST_CHECK_EQUAL(queriesCount, 9U); + BOOST_CHECK_EQUAL(queriesCount, 6U); /* again, to test the cache */ ret.clear(); @@ -1767,7 +1767,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec_wildcard_missing) BOOST_CHECK_EQUAL(res, RCode::NoError); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusInvalidDenial); BOOST_REQUIRE_EQUAL(ret.size(), 2U); - BOOST_CHECK_EQUAL(queriesCount, 9U); + BOOST_CHECK_EQUAL(queriesCount, 6U); } BOOST_AUTO_TEST_CASE(test_dnssec_validation_wildcard_expanded_onto_itself) @@ -2004,14 +2004,14 @@ BOOST_AUTO_TEST_CASE(test_dnssec_incomplete_cache_zonecut_qm) BOOST_CHECK_EQUAL(res, RCode::NoError); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure); BOOST_REQUIRE_EQUAL(ret.size(), 2U); - BOOST_CHECK_EQUAL(queriesCount, 12U); + BOOST_CHECK_EQUAL(queriesCount, 10U); ret.clear(); res = sr->beginResolve(DNSName("dns1.p03.nsone.net."), QType(QType::A), QClass::IN, ret); BOOST_CHECK_EQUAL(res, RCode::NoError); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure); BOOST_REQUIRE_EQUAL(ret.size(), 1U); - BOOST_CHECK_EQUAL(queriesCount, 16U); + BOOST_CHECK_EQUAL(queriesCount, 14U); } BOOST_AUTO_TEST_CASE(test_dnssec_secure_servfail_ds) diff --git a/pdns/recursordist/test-syncres_cc6.cc b/pdns/recursordist/test-syncres_cc6.cc index ee668204a2..5f8fb4ef8b 100644 --- a/pdns/recursordist/test-syncres_cc6.cc 
+++ b/pdns/recursordist/test-syncres_cc6.cc
@@ -110,8 +110,8 @@ BOOST_AUTO_TEST_CASE(test_dnssec_no_ds_on_referral_secure)
 BOOST_CHECK_EQUAL(res, RCode::NoError);
 BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);
 BOOST_REQUIRE_EQUAL(ret.size(), 2U);
- BOOST_CHECK_EQUAL(queriesCount, 9U);
- BOOST_CHECK_EQUAL(dsQueriesCount, 3U);
+ BOOST_CHECK_EQUAL(queriesCount, 8U);
+ BOOST_CHECK_EQUAL(dsQueriesCount, 2U);
 
 /* again, to test the cache */
 ret.clear();
@@ -119,8 +119,8 @@ BOOST_AUTO_TEST_CASE(test_dnssec_no_ds_on_referral_secure)
 BOOST_CHECK_EQUAL(res, RCode::NoError);
 BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);
 BOOST_REQUIRE_EQUAL(ret.size(), 2U);
- BOOST_CHECK_EQUAL(queriesCount, 9U);
- BOOST_CHECK_EQUAL(dsQueriesCount, 3U);
+ BOOST_CHECK_EQUAL(queriesCount, 8U);
+ BOOST_CHECK_EQUAL(dsQueriesCount, 2U);
 }
 
 BOOST_AUTO_TEST_CASE(test_dnssec_ds_sign_loop)
@@ -227,7 +227,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_ds_sign_loop)
 BOOST_CHECK_EQUAL(res, RCode::NoError);
 BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusSelfSignedDS);
 BOOST_REQUIRE_EQUAL(ret.size(), 2U);
- BOOST_CHECK_EQUAL(queriesCount, 8U);
+ BOOST_CHECK_EQUAL(queriesCount, 7U);
 
 /* again, to test the cache */
 ret.clear();
@@ -235,7 +235,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_ds_sign_loop)
 BOOST_CHECK_EQUAL(res, RCode::NoError);
 BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusSelfSignedDS);
 BOOST_REQUIRE_EQUAL(ret.size(), 2U);
- BOOST_CHECK_EQUAL(queriesCount, 8U);
+ BOOST_CHECK_EQUAL(queriesCount, 7U);
 }
 
 BOOST_AUTO_TEST_CASE(test_dnssec_ds_root)
@@ -268,6 +268,12 @@ BOOST_AUTO_TEST_CASE(test_dnssec_ds_root)
 addRRSIG(keys, res->d_records, DNSName("."), 300);
 return LWResult::Result::Success;
 }
+ else if (type == QType::DNSKEY) {
+ setLWResult(res, 0, true, false, true);
+ addDNSKEY(keys, domain, 300, res->d_records);
+ addRRSIG(keys, res->d_records, DNSName("."), 300);
+ return LWResult::Result::Success;
+ }
 return LWResult::Result::Timeout;
 });
 
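Review bot: The new `else if (type == QType::DNSKEY)` branch in the test_dnssec_ds_root mock answers a DNSKEY query for whatever `domain` is asked and signs the set under `DNSName(".")`, whereas every other unexpected query still falls through to `Timeout`. This test only ever expects the root to be queried, so if the new zone-cut logic ever sent a DNSKEY query for some other name the mock would quietly hand back a root-signed key set instead of failing the test; guarding the branch with `else if (type == QType::DNSKEY && domain == DNSName(".")) {` keeps that failure loud. I cannot see the guard on the DS branch above it, which starts outside the hunk, so the same check may or may not already be applied there. The enclosing lambda and test case start outside this hunk.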
@@ -277,7 +283,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_ds_root)
 BOOST_CHECK_EQUAL(res, RCode::NoError);
 BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);
 BOOST_REQUIRE_EQUAL(ret.size(), 4U);
- BOOST_CHECK_EQUAL(queriesCount, 1U);
+ BOOST_CHECK_EQUAL(queriesCount, 2U);
 
 /* again, to test the cache */
 ret.clear();
@@ -285,7 +291,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_ds_root)
 BOOST_CHECK_EQUAL(res, RCode::NoError);
 BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);
 BOOST_REQUIRE_EQUAL(ret.size(), 4U);
- BOOST_CHECK_EQUAL(queriesCount, 1U);
+ BOOST_CHECK_EQUAL(queriesCount, 2U);
 }
 
 BOOST_AUTO_TEST_CASE(test_dnssec_dnskey_signed_child)
@@ -387,7 +393,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_dnskey_signed_child)
 BOOST_CHECK_EQUAL(res, RCode::NoError);
 BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoValidRRSIG);
 BOOST_REQUIRE_EQUAL(ret.size(), 2U);
- BOOST_CHECK_EQUAL(queriesCount, 10U);
+ BOOST_CHECK_EQUAL(queriesCount, 6U);
 
 /* again, to test the cache */
 ret.clear();
@@ -395,7 +401,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_dnskey_signed_child)
 BOOST_CHECK_EQUAL(res, RCode::NoError);
 BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoValidRRSIG);
 BOOST_REQUIRE_EQUAL(ret.size(), 2U);
- BOOST_CHECK_EQUAL(queriesCount, 10U);
+ BOOST_CHECK_EQUAL(queriesCount, 6U);
 }
 
 BOOST_AUTO_TEST_CASE(test_dnssec_no_ds_on_referral_insecure)
@@ -585,7 +591,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_validation_bogus_unsigned_nsec)
 BOOST_CHECK_EQUAL(res, RCode::NoError);
 BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG);
 BOOST_CHECK_EQUAL(ret.size(), 3U);
- BOOST_CHECK_EQUAL(queriesCount, 8U);
+ BOOST_CHECK_EQUAL(queriesCount, 6U);
 
 /* again, to test the cache */
 ret.clear();
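Review bot: `BOOST_CHECK_EQUAL(queriesCount, 2U)` in test_dnssec_ds_root is the only query count in this commit that goes up rather than down, and nothing near the assertion says why. With the mock now answering DNSKEY (added earlier in this file), the extra query is presumably the root DNSKEY being fetched to validate the DS answer for the root, but that is an inference from the test fixture rather than something these lines state. A one-line comment next to the assertion, `/* DS for . plus the root DNSKEY now needed to validate it */`, would let the next person who changes the count check the intent instead of guessing. The test case body starts outside the hunk.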
@@ -593,7 +599,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_validation_bogus_unsigned_nsec)
 BOOST_CHECK_EQUAL(res, RCode::NoError);
 BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG);
 BOOST_REQUIRE_EQUAL(ret.size(), 3U);
- BOOST_CHECK_EQUAL(queriesCount, 8U);
+ BOOST_CHECK_EQUAL(queriesCount, 6U);
 }
 
 BOOST_AUTO_TEST_CASE(test_dnssec_validation_bogus_no_nsec)
@@ -673,7 +679,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_validation_bogus_no_nsec)
 BOOST_CHECK_EQUAL(res, RCode::NoError);
 BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusInvalidDenial);
 BOOST_CHECK_EQUAL(ret.size(), 2U);
- BOOST_CHECK_EQUAL(queriesCount, 8U);
+ BOOST_CHECK_EQUAL(queriesCount, 6U);
 
 /* again, to test the cache */
 ret.clear();
@@ -681,7 +687,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_validation_bogus_no_nsec)
 BOOST_CHECK_EQUAL(res, RCode::NoError);
 BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusInvalidDenial);
 BOOST_REQUIRE_EQUAL(ret.size(), 2U);
- BOOST_CHECK_EQUAL(queriesCount, 8U);
+ BOOST_CHECK_EQUAL(queriesCount, 6U);
 }
 
 BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_insecure)
@@ -781,10 +787,10 @@ BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_insecure)
 BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure);
 BOOST_REQUIRE_EQUAL(ret.size(), 1U);
 BOOST_CHECK(ret[0].d_type == QType::A);
- /* 4 NS: com at ., com at com, powerdns.com at com, powerdns.com at powerdns.com
- 4 DNSKEY: ., com (not for powerdns.com because DS denial in referral)
+ /* 2 NS: com at ., powerdns.com at com
+ 2 DNSKEY: ., com (not for powerdns.com because DS denial in referral)
 1 query for A */
- BOOST_CHECK_EQUAL(queriesCount, 7U);
+ BOOST_CHECK_EQUAL(queriesCount, 5U);
 
 /* again, to test the cache */
 ret.clear();
@@ -793,7 +799,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_insecure) BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure); BOOST_REQUIRE_EQUAL(ret.size(), 1U); BOOST_CHECK(ret[0].d_type == QType::A); - BOOST_CHECK_EQUAL(queriesCount, 7U); + BOOST_CHECK_EQUAL(queriesCount, 5U); } BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_insecure_optout) @@ -1007,7 +1013,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_insecure_nxd_optout) BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure); BOOST_REQUIRE_EQUAL(ret.size(), 6U); BOOST_CHECK(ret[0].d_type == QType::SOA); - BOOST_CHECK_EQUAL(queriesCount, 6U); + BOOST_CHECK_EQUAL(queriesCount, 4U); /* again, to test the cache */ ret.clear(); @@ -1016,7 +1022,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_insecure_nxd_optout) BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure); BOOST_REQUIRE_EQUAL(ret.size(), 6U); BOOST_CHECK(ret[0].d_type == QType::SOA); - BOOST_CHECK_EQUAL(queriesCount, 6U); + BOOST_CHECK_EQUAL(queriesCount, 4U); } BOOST_AUTO_TEST_CASE(test_dnssec_secure_direct_ds) @@ -1263,7 +1269,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_insecure_skipped_cut) BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure); BOOST_REQUIRE_EQUAL(ret.size(), 1U); BOOST_CHECK(ret[0].d_type == QType::A); - BOOST_CHECK_EQUAL(queriesCount, 9U); + BOOST_CHECK_EQUAL(queriesCount, 7U); /* again, to test the cache */ ret.clear(); @@ -1272,7 +1278,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_insecure_skipped_cut) BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure); BOOST_REQUIRE_EQUAL(ret.size(), 1U); BOOST_CHECK(ret[0].d_type == QType::A); - BOOST_CHECK_EQUAL(queriesCount, 9U); + BOOST_CHECK_EQUAL(queriesCount, 7U); } BOOST_AUTO_TEST_SUITE_END() diff --git a/pdns/recursordist/test-syncres_cc7.cc b/pdns/recursordist/test-syncres_cc7.cc index 4641f96b7f..1b5c70d73d 100644 --- a/pdns/recursordist/test-syncres_cc7.cc +++ b/pdns/recursordist/test-syncres_cc7.cc 
@@ -121,7 +121,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_insecure_to_ta_skipped_cut) BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure); BOOST_REQUIRE_EQUAL(ret.size(), 2U); BOOST_CHECK(ret[0].d_type == QType::A); - BOOST_CHECK_EQUAL(queriesCount, 7U); + BOOST_CHECK_EQUAL(queriesCount, 5U); /* again, to test the cache */ ret.clear(); @@ -130,7 +130,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_insecure_to_ta_skipped_cut) BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure); BOOST_REQUIRE_EQUAL(ret.size(), 2U); BOOST_CHECK(ret[0].d_type == QType::A); - BOOST_CHECK_EQUAL(queriesCount, 7U); + BOOST_CHECK_EQUAL(queriesCount, 5U); } BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_insecure_nodata) @@ -235,7 +235,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_insecure_nodata) 2 DNSKEY (. and com., none for powerdns.com because no DS) 1 query for A */ - BOOST_CHECK_EQUAL(queriesCount, 7U); + BOOST_CHECK_EQUAL(queriesCount, 5U); /* again, to test the cache */ ret.clear(); @@ -243,7 +243,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_insecure_nodata) BOOST_CHECK_EQUAL(res, RCode::NoError); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure); BOOST_REQUIRE_EQUAL(ret.size(), 1U); - BOOST_CHECK_EQUAL(queriesCount, 7U); + BOOST_CHECK_EQUAL(queriesCount, 5U); } BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_insecure_cname) @@ -364,7 +364,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_insecure_cname) BOOST_CHECK_EQUAL(res, RCode::NoError); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure); BOOST_REQUIRE_EQUAL(ret.size(), 3U); - BOOST_CHECK_EQUAL(queriesCount, 11U); + BOOST_CHECK_EQUAL(queriesCount, 8U); /* again, to test the cache */ ret.clear(); 
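Review bot: In the test_dnssec_secure_to_insecure_nodata hunk the expected count drops to 5U, but only the tail of the explanatory comment (`2 DNSKEY (. and com., none for powerdns.com because no DS)` and `1 query for A`) is inside the hunk; the NS line that precedes it is outside the hunk. The equivalent comment in test_dnssec_secure_to_insecure was rewritten from `4 NS` to `2 NS: com at ., powerdns.com at com` in this same commit, so this one presumably still says 4 NS, which no longer adds up to 5. Please update it to match the new count.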
@@ -372,7 +372,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_insecure_cname) BOOST_CHECK_EQUAL(res, RCode::NoError); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure); BOOST_REQUIRE_EQUAL(ret.size(), 3U); - BOOST_CHECK_EQUAL(queriesCount, 11U); + BOOST_CHECK_EQUAL(queriesCount, 8U); } BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_insecure_cname_glue) @@ -487,7 +487,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_insecure_cname_glue) BOOST_CHECK_EQUAL(res, RCode::NoError); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure); BOOST_REQUIRE_EQUAL(ret.size(), 4U); - BOOST_CHECK_EQUAL(queriesCount, 11U); + BOOST_CHECK_EQUAL(queriesCount, 9U); /* again, to test the cache */ ret.clear(); @@ -495,7 +495,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_insecure_cname_glue) BOOST_CHECK_EQUAL(res, RCode::NoError); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure); BOOST_REQUIRE_EQUAL(ret.size(), 4U); - BOOST_CHECK_EQUAL(queriesCount, 11U); + BOOST_CHECK_EQUAL(queriesCount, 9U); } BOOST_AUTO_TEST_CASE(test_dnssec_insecure_to_secure_cname) @@ -613,7 +613,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_insecure_to_secure_cname) BOOST_CHECK_EQUAL(res, RCode::NoError); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure); BOOST_REQUIRE_EQUAL(ret.size(), 3U); - BOOST_CHECK_EQUAL(queriesCount, 11U); + BOOST_CHECK_EQUAL(queriesCount, 8U); /* again, to test the cache */ ret.clear(); @@ -621,7 +621,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_insecure_to_secure_cname) BOOST_CHECK_EQUAL(res, RCode::NoError); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure); BOOST_REQUIRE_EQUAL(ret.size(), 3U); - BOOST_CHECK_EQUAL(queriesCount, 11U); + BOOST_CHECK_EQUAL(queriesCount, 8U); } BOOST_AUTO_TEST_CASE(test_dnssec_bogus_to_secure_cname) 
@@ -709,7 +709,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_bogus_to_secure_cname) BOOST_CHECK_EQUAL(res, RCode::NoError); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG); BOOST_REQUIRE_EQUAL(ret.size(), 3U); - BOOST_CHECK_EQUAL(queriesCount, 11U); + BOOST_CHECK_EQUAL(queriesCount, 8U); /* again, to test the cache */ ret.clear(); @@ -717,7 +717,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_bogus_to_secure_cname) BOOST_CHECK_EQUAL(res, RCode::NoError); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG); BOOST_REQUIRE_EQUAL(ret.size(), 3U); - BOOST_CHECK_EQUAL(queriesCount, 11U); + BOOST_CHECK_EQUAL(queriesCount, 8U); } BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_bogus_cname) @@ -805,7 +805,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_bogus_cname) BOOST_CHECK_EQUAL(res, RCode::NoError); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG); BOOST_REQUIRE_EQUAL(ret.size(), 3U); - BOOST_CHECK_EQUAL(queriesCount, 11U); + BOOST_CHECK_EQUAL(queriesCount, 8U); /* again, to test the cache */ ret.clear(); @@ -813,7 +813,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_bogus_cname) BOOST_CHECK_EQUAL(res, RCode::NoError); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG); BOOST_REQUIRE_EQUAL(ret.size(), 3U); - BOOST_CHECK_EQUAL(queriesCount, 11U); + BOOST_CHECK_EQUAL(queriesCount, 8U); } BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_secure_cname) @@ -901,7 +901,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_secure_cname) BOOST_CHECK_EQUAL(res, RCode::NoError); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure); BOOST_REQUIRE_EQUAL(ret.size(), 4U); - BOOST_CHECK_EQUAL(queriesCount, 12U); + BOOST_CHECK_EQUAL(queriesCount, 9U); /* again, to test the cache */ ret.clear(); 
@@ -909,7 +909,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_secure_cname) BOOST_CHECK_EQUAL(res, RCode::NoError); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure); BOOST_REQUIRE_EQUAL(ret.size(), 4U); - BOOST_CHECK_EQUAL(queriesCount, 12U); + BOOST_CHECK_EQUAL(queriesCount, 9U); } BOOST_AUTO_TEST_CASE(test_dnssec_bogus_to_insecure_cname) @@ -1023,7 +1023,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_bogus_to_insecure_cname) BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG); /* no RRSIG to show */ BOOST_CHECK_EQUAL(ret.size(), 2U); - BOOST_CHECK_EQUAL(queriesCount, 10U); + BOOST_CHECK_EQUAL(queriesCount, 7U); /* again, to test the cache */ ret.clear(); @@ -1031,7 +1031,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_bogus_to_insecure_cname) BOOST_CHECK_EQUAL(res, RCode::NoError); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG); BOOST_CHECK_EQUAL(ret.size(), 2U); - BOOST_CHECK_EQUAL(queriesCount, 10U); + BOOST_CHECK_EQUAL(queriesCount, 7U); } BOOST_AUTO_TEST_CASE(test_dnssec_insecure_ta) @@ -1564,7 +1564,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_insecure_cut_with_cname_at_apex) BOOST_CHECK_EQUAL(res, RCode::NoError); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure); BOOST_REQUIRE_EQUAL(ret.size(), 2U); - BOOST_CHECK_EQUAL(queriesCount, 10U); + BOOST_CHECK_EQUAL(queriesCount, 7U); /* again, to test the cache */ ret.clear(); @@ -1572,7 +1572,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_insecure_cut_with_cname_at_apex) BOOST_CHECK_EQUAL(res, RCode::NoError); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure); BOOST_REQUIRE_EQUAL(ret.size(), 2U); - BOOST_CHECK_EQUAL(queriesCount, 10U); + BOOST_CHECK_EQUAL(queriesCount, 7U); /* this time we ask for www.powerdns.com, let's make sure the CNAME does not get in the way */ ret.clear(); 
@@ -1580,7 +1580,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_insecure_cut_with_cname_at_apex) BOOST_CHECK_EQUAL(res, RCode::NoError); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure); BOOST_REQUIRE_EQUAL(ret.size(), 1U); - BOOST_CHECK_EQUAL(queriesCount, 11U); + BOOST_CHECK_EQUAL(queriesCount, 8U); /* now we remove the denial of powerdns.com DS from the cache and ask www2 */ BOOST_REQUIRE_EQUAL(g_negCache->wipe(target, false), 1U); @@ -1589,7 +1589,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_insecure_cut_with_cname_at_apex) BOOST_CHECK_EQUAL(res, RCode::NoError); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure); BOOST_REQUIRE_EQUAL(ret.size(), 1U); - BOOST_CHECK_EQUAL(queriesCount, 13U); + BOOST_CHECK_EQUAL(queriesCount, 10U); } BOOST_AUTO_TEST_CASE(test_dnssec_cname_inside_secure_zone) @@ -1687,7 +1687,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_cname_inside_secure_zone) BOOST_CHECK_EQUAL(res, RCode::NoError); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure); BOOST_REQUIRE_EQUAL(ret.size(), 4U); - BOOST_CHECK_EQUAL(queriesCount, 8U); + BOOST_CHECK_EQUAL(queriesCount, 5U); /* again, to test the cache */ ret.clear(); @@ -1695,7 +1695,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_cname_inside_secure_zone) BOOST_CHECK_EQUAL(res, RCode::NoError); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure); BOOST_REQUIRE_EQUAL(ret.size(), 4U); - BOOST_CHECK_EQUAL(queriesCount, 8U); + BOOST_CHECK_EQUAL(queriesCount, 5U); /* this time we ask for www.powerdns.com, let's make sure the CNAME does not get in the way */ ret.clear(); 
@@ -1703,16 +1703,16 @@ BOOST_AUTO_TEST_CASE(test_dnssec_cname_inside_secure_zone) BOOST_CHECK_EQUAL(res, RCode::NoError); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure); BOOST_REQUIRE_EQUAL(ret.size(), 2U); - BOOST_CHECK_EQUAL(queriesCount, 10U); + BOOST_CHECK_EQUAL(queriesCount, 6U); /* now we remove the denial of powerdns.com DS from the cache and ask www2 */ - BOOST_REQUIRE_EQUAL(g_negCache->wipe(target, false), 1U); + g_negCache->wipe(target, false); ret.clear(); res = sr->beginResolve(DNSName("www2.powerdns.com."), QType(QType::A), QClass::IN, ret); BOOST_CHECK_EQUAL(res, RCode::NoError); BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure); BOOST_REQUIRE_EQUAL(ret.size(), 2U); - BOOST_CHECK_EQUAL(queriesCount, 12U); + BOOST_CHECK_EQUAL(queriesCount, 7U); } BOOST_AUTO_TEST_SUITE_END() diff --git a/pdns/recursordist/test-syncres_cc8.cc b/pdns/recursordist/test-syncres_cc8.cc index 996214b18f..b85431750d 100644 --- a/pdns/recursordist/test-syncres_cc8.cc +++ b/pdns/recursordist/test-syncres_cc8.cc @@ -1075,7 +1075,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_validation_from_cache_secure) for (const auto& record : ret) { BOOST_CHECK(record.d_type == QType::A || record.d_type == QType::RRSIG); } - BOOST_CHECK_EQUAL(queriesCount, 3U); + BOOST_CHECK_EQUAL(queriesCount, 2U); } BOOST_AUTO_TEST_CASE(test_dnssec_validation_from_cache_insecure) @@ -1313,7 +1313,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_validation_from_cache_secure_any) for (const auto& record : ret) { BOOST_CHECK(record.d_type == QType::A || record.d_type == QType::AAAA || record.d_type == QType::RRSIG); } - BOOST_CHECK_EQUAL(queriesCount, 4U); + BOOST_CHECK_EQUAL(queriesCount, 3U); ret.clear(); /* last one also requires validation */ 
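Review bot: Dropping the `1U` requirement on `g_negCache->wipe(target, false)` in test_dnssec_cname_inside_secure_zone means this step no longer proves anything was removed, so the "remove the denial of powerdns.com DS from the cache" step can silently be a no-op while the query-count expectation still passes. If under the new model no negative entry is expected here (the zone is secure, so a DS denial for it would not normally be cached), assert that explicitly with `BOOST_CHECK_EQUAL(g_negCache->wipe(target, false), 0U);` and reword the comment; if one is expected, keep the `1U` requirement. Either way the test should state which case it is exercising.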
@@ -1325,7 +1325,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_validation_from_cache_secure_any) for (const auto& record : ret) { BOOST_CHECK(record.d_type == QType::AAAA || record.d_type == QType::RRSIG); } - BOOST_CHECK_EQUAL(queriesCount, 4U); + BOOST_CHECK_EQUAL(queriesCount, 3U); } BOOST_AUTO_TEST_SUITE_END() diff --git a/pdns/recursordist/test-syncres_cc9.cc b/pdns/recursordist/test-syncres_cc9.cc index 29874e7181..8135b2ad54 100644 --- a/pdns/recursordist/test-syncres_cc9.cc +++ b/pdns/recursordist/test-syncres_cc9.cc @@ -78,7 +78,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_validation_from_cname_cache_secure) for (const auto& record : ret) { BOOST_CHECK(record.d_type == QType::CNAME || record.d_type == QType::A || record.d_type == QType::RRSIG); } - BOOST_CHECK_EQUAL(queriesCount, 4U); + BOOST_CHECK_EQUAL(queriesCount, 3U); } BOOST_AUTO_TEST_CASE(test_dnssec_validation_from_cname_cache_insecure) @@ -328,7 +328,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_validation_additional_without_rrsig) for (const auto& record : ret) { BOOST_CHECK(record.d_type == QType::RRSIG || record.d_type == QType::A); } - BOOST_CHECK_EQUAL(queriesCount, 5U); + BOOST_CHECK_EQUAL(queriesCount, 3U); } BOOST_AUTO_TEST_CASE(test_dnssec_validation_from_negcache_secure) diff --git a/pdns/syncres.cc b/pdns/syncres.cc index 8756b3e8a0..721ade584a 100644 --- a/pdns/syncres.cc +++ b/pdns/syncres.cc @@ -845,6 +845,7 @@ int SyncRes::doResolveNoQNameMinimization(const DNSName &qname, const QType qtyp LOG(prefix< s_maxdepth) { string msg = "More than " + std::to_string(s_maxdepth) + " (max-recursion-depth) levels of recursion needed while resolving " + qname.toLogString(); 
@@ -1004,24 +1005,17 @@ int SyncRes::doResolveNoQNameMinimization(const DNSName &qname, const QType qtyp LOG(prefix< (unsigned int) d_now.tv_sec) { if (!wasAuthZone && shouldValidate() && (wasAuth || wasForwardRecurse) && state == vState::Indeterminate && d_requireAuthData) { - /* This means we couldn't figure out the state when this entry was cached, - most likely because we hadn't computed the zone cuts yet. */ - /* make sure they are computed before validating */ - DNSName subdomain(foundName); - /* if we are retrieving a DS, we only care about the state of the parent zone */ - if(qtype == QType::DS) - subdomain.chopOff(); + /* This means we couldn't figure out the state when this entry was cached */ - computeZoneCuts(subdomain, g_rootdnsname, depth); - - vState recordState = getValidationStatus(foundName, false); + vState recordState = getValidationStatus(foundName, signatures, qtype == QType::DS, depth); if (recordState == vState::Secure) { LOG(prefix<& records, const uint32_t ttl void SyncRes::computeNegCacheValidationStatus(const NegCache::NegCacheEntry& ne, const DNSName& qname, const QType qtype, const int res, vState& state, unsigned int depth) { - DNSName subdomain(qname); - /* if we are retrieving a DS, we only care about the state of the parent zone */ - if(qtype == QType::DS) - subdomain.chopOff(); - - computeZoneCuts(subdomain, g_rootdnsname, depth); - tcache_t tcache; reapRecordsFromNegCacheEntryForValidation(tcache, ne.authoritySOA.records); reapRecordsFromNegCacheEntryForValidation(tcache, ne.authoritySOA.signatures); @@ -1676,7 +1655,7 @@ void SyncRes::computeNegCacheValidationStatus(const NegCache::NegCacheEntry& ne, const DNSName& owner = entry.first.name; - vState recordState = getValidationStatus(owner, false); + vState recordState = getValidationStatus(owner, entry.second.signatures, qtype == QType::DS, depth); if (state == vState::Indeterminate) { state = recordState; } 
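Review bot: In the computeNegCacheValidationStatus hunk, `typeIsDS` is derived from the query type but applied to `owner`, the owner name of the authority-section record taken from the negative cache entry. For a DS query that owner is presumably already the parent zone (the zone that produced the SOA/NSEC denial), so the additional `chopOff()` performed inside getValidationStatus when `typeIsDS` is true would evaluate the grandparent's state instead; the removed code applied the chop to `qname` for the cut computation and looked up `owner` unchopped. Please confirm this is intended, or pass `false` here: `vState recordState = getValidationStatus(owner, entry.second.signatures, false, depth);`.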
@@ -1819,17 +1798,9 @@ bool SyncRes::doCacheCheck(const DNSName &qname, const DNSName& authname, bool w if (!wasAuthZone && shouldValidate() && (wasCachedAuth || wasForwardRecurse) && cachedState == vState::Indeterminate && d_requireAuthData) { - /* This means we couldn't figure out the state when this entry was cached, - most likely because we hadn't computed the zone cuts yet. */ - /* make sure they are computed before validating */ - DNSName subdomain(sqname); - /* if we are retrieving a DS, we only care about the state of the parent zone */ - if(qtype == QType::DS) - subdomain.chopOff(); - - computeZoneCuts(subdomain, g_rootdnsname, depth); + /* This means we couldn't figure out the state when this entry was cached */ + vState recordState = getValidationStatus(qname, signatures, qtype == QType::DS, depth); - vState recordState = getValidationStatus(qname, false); if (recordState == vState::Secure) { LOG(prefix<>& signatures, bool typeIsDS, unsigned int depth) { vState result = vState::Indeterminate; if (!shouldValidate()) { return result; } - DNSName name(subdomain); - do { - const auto& it = d_cutStates.find(name); - if (it != d_cutStates.cend()) { - if (allowIndeterminate || it->second != vState::Indeterminate) { - LOG(d_prefix<<": got status "<second<<" for name "<second; - } - } - } - while (name.chopOff()); - return result; -} - -bool SyncRes::lookForCut(const DNSName& qname, unsigned int depth, const vState existingState, vState& newState) -{ - bool foundCut = false; - dsmap_t ds; - vState dsState = getDSRecords(qname, ds, vStateIsBogus(newState) || existingState == vState::Insecure || vStateIsBogus(existingState), depth, false, &foundCut); - - if (dsState != vState::Indeterminate) { - newState = dsState; + DNSName subdomain(name); + if (typeIsDS) { + subdomain.chopOff(); } - return foundCut; -} - -void SyncRes::computeZoneCuts(const DNSName& begin, const DNSName& end, unsigned int depth) -{ - if(!begin.isPartOf(end)) { - LOG(d_prefix<<" "<second<<" for 
name "<second; + } } - if (d_cutStates.count(begin) != 0) { - return; + /* look for the best match we have */ + DNSName best(subdomain); + while (best.chopOff()) { + const auto& it = d_cutStates.find(best); + if (it != d_cutStates.cend()) { + result = it->second; + if (vStateIsBogus(result) || result == vState::Insecure) { + LOG(d_prefix<<": got status "< labelsToAdd = subdomain.makeRelative(ds).getRawLabels(); - DNSName qname(end); - std::vector labelsToAdd = begin.makeRelative(end).getRawLabels(); + while (!labelsToAdd.empty()) { - while(qname != begin) { - if (labelsToAdd.empty()) - break; + ds.prependRawLabel(labelsToAdd.back()); + labelsToAdd.pop_back(); + LOG(d_prefix<<": - Looking for a DS at "<second != vState::Indeterminate) { - LOG(d_prefix<<": - Cut already known at "<second; - continue; + if (foundCut) { + LOG(d_prefix<<": - Found cut at "<& dnskeys, const std::vector >& signatures, unsigned int depth) @@ -2806,7 +2763,6 @@ vState SyncRes::validateRecordsWithSigs(unsigned int depth, const DNSName& qname LOG(d_prefix<<"The DS for "<first.place == DNSResourceRecord::ANSWER || ((lwr.d_aabit || wasForwardRecurse) && i->first.place != DNSResourceRecord::ADDITIONAL); + /* in a non authoritative answer, we only care about the DS record (or lack of) */ + if (!isAA && (i->first.type == QType::DS || i->first.type == QType::NSEC || i->first.type == QType::NSEC3) && i->first.place == DNSResourceRecord::AUTHORITY) { + expectSignature = true; + } + if (isCNAMEAnswer && (i->first.place != DNSResourceRecord::ANSWER || i->first.type != QType::CNAME || i->first.name != qname)) { /* rfc2181 states: 
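Review bot: The new getValidationStatus has no header comment, and its first parameter is declared as `subdomain` in syncres.hh but defined as `name` (the body then builds a local `DNSName subdomain(name)`), so the declaration and definition should agree on the name. A short contract comment above the definition would help: that it returns the state for `name` (its parent when `typeIsDS`), starts from the closest entry in d_cutStates and returns early when that is Bogus or Insecure, and otherwise walks down label by label looking for a DS; what `signatures` contributes is not visible in this rendering of the hunk and should be spelled out there as well.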
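Review bot: `expectSignature` is assembled from three conditions across two statements and only the second statement carries a comment; where the flag is consumed lies outside the visible part of this hunk. A comment above the first statement stating the rule, e.g. `/* a signature is expected on answer-section records, and on non-glue records when the answer is authoritative or comes from a forwarder recursing for us */`, would make the later DS/NSEC/NSEC3 authority-section exception easier to follow.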
@@ -3228,65 +3189,50 @@ RCode::rcodes_ SyncRes::updateCacheFromRecords(unsigned int depth, LWResult& lwr continue; } - vState recordState = getValidationStatus(i->first.name, false); - LOG(d_prefix<<": got initial zone status "<first.name<<"|"<first.type)<first.name, i->second.signatures, i->first.type == QType::DS, depth); + LOG(d_prefix<<": got initial zone status "<first.name<<"|"<first.type)<first.place != DNSResourceRecord::ADDITIONAL) { - /* the additional entries can be insecure, - like glue: - "Glue address RRsets associated with delegations MUST NOT be signed" - */ - if (i->first.type == QType::DNSKEY && i->first.place == DNSResourceRecord::ANSWER) { - LOG(d_prefix<<"Validating DNSKEY for "<first.name<first.name, i->second.records, i->second.signatures, depth); - } - else { - /* - * RFC 6672 section 5.3.1 - * In any response, a signed DNAME RR indicates a non-terminal - * redirection of the query. There might or might not be a server- - * synthesized CNAME in the answer section; if there is, the CNAME will - * never be signed. For a DNSSEC validator, verification of the DNAME - * RR and then that the CNAME was properly synthesized is sufficient - * proof. - * - * We do the synthesis check in processRecords, here we make sure we - * don't validate the CNAME. 
- */ - if (!(isDNAMEAnswer && i->first.type == QType::CNAME)) { - LOG(d_prefix<<"Validating non-additional record for "<first.name<first.name, QType(i->first.type), i->second.records, i->second.signatures); - /* we might have missed a cut (zone cut within the same auth servers), causing the NS query for an Insecure zone to seem Bogus during zone cut determination */ - if (qtype == QType::NS && i->second.signatures.empty() && vStateIsBogus(recordState) && haveExactValidationStatus(i->first.name) && getValidationStatus(i->first.name) == vState::Indeterminate) { + if (initialState == vState::Secure) { + if (i->first.type == QType::DNSKEY && i->first.place == DNSResourceRecord::ANSWER) { + LOG(d_prefix<<"Validating DNSKEY for "<first.name<first.name, i->second.records, i->second.signatures, depth); + } + else { + /* + * RFC 6672 section 5.3.1 + * In any response, a signed DNAME RR indicates a non-terminal + * redirection of the query. There might or might not be a server- + * synthesized CNAME in the answer section; if there is, the CNAME will + * never be signed. For a DNSSEC validator, verification of the DNAME + * RR and then that the CNAME was properly synthesized is sufficient + * proof. + * + * We do the synthesis check in processRecords, here we make sure we + * don't validate the CNAME. 
+ */ + if (!(isDNAMEAnswer && i->first.type == QType::CNAME)) { + LOG(d_prefix<<"Validating non-additional "<first.type).getName()<<" record for "<first.name<first.name, QType(i->first.type), i->second.records, i->second.signatures); + /* we might have missed a cut (zone cut within the same auth servers), causing the NS query for an Insecure zone to seem Bogus during zone cut determination */ + if (qtype == QType::NS && i->second.signatures.empty() && vStateIsBogus(recordState) && haveExactValidationStatus(i->first.name) && getValidationStatus(i->first.name, i->second.signatures, i->first.type == QType::DS, depth) == vState::Indeterminate) { recordState = vState::Indeterminate; - } } } } } else { - recordState = vState::Indeterminate; - - /* in a non authoritative answer, we only care about the DS record (or lack of) */ - if ((i->first.type == QType::DS || i->first.type == QType::NSEC || i->first.type == QType::NSEC3) && i->first.place == DNSResourceRecord::AUTHORITY) { - LOG(d_prefix<<"Validating DS record for "<first.name<first.name, QType(i->first.type), i->second.records, i->second.signatures); - } + recordState = initialState; + LOG(d_prefix<<"Skipping validation because the current state is "<>& signatures, bool typeIsDS, unsigned int depth); + void updateValidationStatusInCache(const DNSName &qname, QType qt, bool aa, vState newState) const; + void initZoneCutsFromTA(const DNSName& from); void handleNewTarget(const std::string& prefix, const DNSName& qname, const DNSName& newtarget, QType qtype, std::vector& ret, int& rcode, int depth, const std::vector& recordsFromAnswer, vState& state);
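Review bot: The new `else` branch in updateCacheFromRecords treats Bogus, Insecure and Indeterminate alike and skips validation for all of them, which for Indeterminate reads like a validation gap unless one knows that the cache-retrieval paths (the doResolveNoQNameMinimization and doCacheCheck hunks above) re-run getValidationStatus for entries stored as Indeterminate. A comment next to `recordState = initialState;` saying that Indeterminate entries are re-evaluated when served from the cache would document that. Separately, inside the Secure branch the missed-cut check calls getValidationStatus again with the same arguments that produced `initialState`; unless validateRecordsWithSigs can change d_cutStates in between, that second call and its potential DS lookups could be replaced by `initialState`.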