From: Wouter Wijngaards
Date: Fri, 24 Aug 2007 13:14:23 +0000 (+0000)
Subject: DS and DNSKEY not from additional synthesis. Nicer signature expiration errors.
X-Git-Tag: release-0.5~95
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=87fafec48a5a23a1dc218b2047ab2d1dec707e47;p=thirdparty%2Funbound.git
DS and DNSKEY not from additional synthesis. Nicer signature expiration errors.
git-svn-id: file:///svn/unbound/trunk@546 be551aaa-1e26-0410-a405-d3ace91eadb9
---
diff --git a/doc/Changelog b/doc/Changelog
index cc75f7498..37a5e77f7 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -5,6 +5,10 @@ routine. This makes the proof routines prettier. - fixup cname handling in validator, cname-to-positive and cname-to- nodata work.
+ - Do not synthesize DNSKEY and DS responses from the rrset cache if
+ the rrset is from the additional section. Signatures may have
+ fallen off the packet, and cause validation failure.
+ - more verbose signature date errors (with the date attached).
 23 August 2007: Wouter - CNAME handling - move needs_validation to before val_new().
diff --git a/services/cache/dns.c b/services/cache/dns.c
index 6705a5a5a..8dcabf015 100644
--- a/services/cache/dns.c
+++ b/services/cache/dns.c
@@ -588,10 +588,22 @@ dns_cache_lookup(struct module_env* env,
 if((qtype == LDNS_RR_TYPE_DS || qtype == LDNS_RR_TYPE_DNSKEY) &&
 (rrset=rrset_cache_lookup(env->rrset_cache, qname, qnamelen,
 qtype, qclass, 0, now, 0))) {
- struct dns_msg* msg = rrset_msg(rrset, region, now, &k);
- if(msg) {
- lock_rw_unlock(&rrset->entry.lock);
- return msg;
+ /* if the rrset is from the additional section, and the
+ * signatures have fallen off, then do not synthesize a msg
+ * instead, allow a full query for signed results to happen.
+ * Forego all rrset data from additional section, because
+ * some signatures may not be present and cause validation
+ * failure.
+ */
+ struct packed_rrset_data *d = (struct packed_rrset_data*)
+ rrset->entry.data;
+ if(d->trust != rrset_trust_add_noAA &&
+ d->trust != rrset_trust_add_AA) {
+ struct dns_msg* msg = rrset_msg(rrset, region, now, &k);
+ if(msg) {
+ lock_rw_unlock(&rrset->entry.lock);
+ return msg;
+ }
 }
 lock_rw_unlock(&rrset->entry.lock);
 }
diff --git a/validator/val_sigcrypt.c b/validator/val_sigcrypt.c
index 6fd19406b..7da9356ed 100644
--- a/validator/val_sigcrypt.c
+++ b/validator/val_sigcrypt.c
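Review bot: The new guard encodes "this rrset came from the additional section" as the two enumerators rrset_trust_add_noAA and rrset_trust_add_AA written inline in dns_cache_lookup, so any other trust level that could hold a DNSKEY/DS rrset whose RRSIGs were not stored, now or after a later enum addition, would silently keep being synthesized; a comment on the condition naming the invariant it relies on would help, e.g. `/* only the add_* trust levels mark additional-section data; keep in sync with enum rrset_trust */`. If the trust enum is an ordered scale, comparing against the lowest level that guarantees signatures were kept would be more robust than listing enumerators, but that depends on the enum layout, which is not visible here. The declaration `struct packed_rrset_data *d` also departs from the `type* name` pointer style of the surrounding lines (`struct dns_msg* msg`). dns_cache_lookup starts and ends outside the hunk.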
@@ -1011,6 +1011,32 @@ rrset_canonical(struct region* region, ldns_buffer* buf,
 return 1;
 }
+/** pretty print rrsig error with dates */
+static void
+sigdate_error(const char* str, int32_t expi, int32_t incep, int32_t now)
+{
+ struct tm tm;
+ char expi_buf[16];
+ char incep_buf[16];
+ char now_buf[16];
+ time_t te, ti, tn;
+
+ if(verbosity < VERB_ALGO)
+ return;
+ te = (time_t)expi;
+ ti = (time_t)incep;
+ tn = (time_t)now;
+ memset(&tm, 0, sizeof(tm));
+ if(gmtime_r(&te, &tm) && strftime(expi_buf, 15, "%Y%m%d%H%M%S", &tm)
+ &&gmtime_r(&ti, &tm) && strftime(incep_buf, 15, "%Y%m%d%H%M%S", &tm)
+ &&gmtime_r(&tn, &tm) && strftime(now_buf, 15, "%Y%m%d%H%M%S", &tm)) {
+ log_info("%s expi=%s incep=%s now=%s", str, expi_buf,
+ incep_buf, now_buf);
+ } else
+ log_info("%s expi=%u incep=%u now=%u", str, (unsigned)expi,
+ (unsigned)incep, (unsigned)now);
+}
+ + /** check rrsig dates */ static int check_dates(struct val_env* ve, uint8_t* expi_p, uint8_t* incep_p)
@@ -1030,17 +1056,17 @@ check_dates(struct val_env* ve, uint8_t* expi_p, uint8_t* incep_p)
 /* check them */
 if(incep - expi > 0) {
- verbose(VERB_ALGO, "verify: inception after expiration, "
- "signature bad");
+ sigdate_error("verify: inception after expiration, "
+ "signature bad", expi, incep, now);
 return 0;
 }
 if(incep - now > 0) {
- verbose(VERB_ALGO, "verify: signature bad, current time is"
- " before inception date");
+ sigdate_error("verify: signature bad, current time is"
+ " before inception date", expi, incep, now);
 return 0;
 }
 if(now - expi > 0) {
- verbose(VERB_ALGO, "verify: signature expired");
+ sigdate_error("verify: signature expired", expi, incep, now);
 return 0;
 }
 return 1;
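Review bot: The `else` branch of the new `if(gmtime_r(...) && strftime(...) ...)` in sigdate_error is left unbraced although its body is a two-line log_info call, while the matching `if` body is braced; write it as `} else {` ... `}` so a statement added later cannot end up outside the branch. The three `strftime(..., 15, ...)` calls repeat a literal that must stay below the `[16]` buffer sizes; `sizeof(expi_buf)` (and likewise for the other two) ties the bound to the declaration and spares the reader from checking that "%Y%m%d%H%M%S" (14 characters plus NUL) fits. The fallback `%u` with `(unsigned)` casts prints the raw 32-bit serial values, which is the right representation for RRSIG times when gmtime_r/strftime fail; a one-line comment such as `/* fall back to the raw 32-bit serial values from the RRSIG */` would mark that as intentional. gmtime_r is POSIX rather than ISO C; presumably the build already depends on it elsewhere, but that is worth confirming.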
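Review bot: The serial-number comparisons `incep - expi > 0`, `incep - now > 0` and `now - expi > 0` that the new sigdate_error calls sit under subtract two int32_t values directly, which is signed overflow, undefined behaviour in C, whenever the two timestamps are far enough apart to cross the int32_t range, e.g. across the wrap of the 32-bit RRSIG time fields; this is not introduced by the commit, but since the whole purpose of check_dates is to decide validity, the subtraction should be done in unsigned arithmetic and the result reinterpreted, `if((int32_t)((uint32_t)incep - (uint32_t)expi) > 0) {` (same for the other two). The new date-carrying error messages need no change for that. check_dates starts outside the hunk.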