From: Mark Andrews Date: Fri, 20 Dec 2024 09:24:05 +0000 (+1100) Subject: Complete the deferred validation if there are no RRSIGs X-Git-Tag: ondrej/lock-free-qpzone-reads-v1~60^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8b900d180886ca333d94c87c782619dbedc775b5;p=thirdparty%2Fbind9.git Complete the deferred validation if there are no RRSIGs When a query is made with CD=1, we store the result in the cache marked pending so that it can be validated later, at which time it will either be accepted as an answer or removed from the cache as invalid. Deferred validation was not attempted when there were no cached RRSIGs for DNSKEY and DS. We now complete the deferred validation in this scenario. --- diff --git a/lib/dns/validator.c b/lib/dns/validator.c index 3dd9ad719ed..9661afd7c90 100644 --- a/lib/dns/validator.c +++ b/lib/dns/validator.c @@ -1126,14 +1126,13 @@ seek_dnskey(dns_validator_t *val) { * We have an rrset for the given keyname. */ val->keyset = &val->frdataset; - if ((DNS_TRUST_PENDING(val->frdataset.trust) || - DNS_TRUST_ANSWER(val->frdataset.trust)) && - dns_rdataset_isassociated(&val->fsigrdataset)) + if (DNS_TRUST_PENDING(val->frdataset.trust) || + DNS_TRUST_ANSWER(val->frdataset.trust)) { /* - * We know the key but haven't validated it yet or - * we have a key of trust answer but a DS - * record for the zone may have been added. + * We know the key but haven't validated it yet, or + * we had a key with trust level "answer" and + * a DS record for the zone has now been added. */ result = create_validator( val, &siginfo->signer, dns_rdatatype_dnskey, @@ -1143,12 +1142,6 @@ seek_dnskey(dns_validator_t *val) { return result; } return DNS_R_WAIT; - } else if (DNS_TRUST_PENDING(val->frdataset.trust)) { - /* - * Having a pending key with no signature means that - * something is broken. - */ - result = DNS_R_CONTINUE; } else if (val->frdataset.trust < dns_trust_secure) { /* * The key is legitimately insecure. There's no @@ -1906,9 +1899,8 @@ get_dsset(dns_validator_t *val, dns_name_t *tname, isc_result_t *resp) { * We have a DS RRset. */ val->dsset = &val->frdataset; - if ((DNS_TRUST_PENDING(val->frdataset.trust) || - DNS_TRUST_ANSWER(val->frdataset.trust)) && - dns_rdataset_isassociated(&val->fsigrdataset)) + if (DNS_TRUST_PENDING(val->frdataset.trust) || + DNS_TRUST_ANSWER(val->frdataset.trust)) { /* * ... which is signed but not yet validated. @@ -1916,21 +1908,12 @@ get_dsset(dns_validator_t *val, dns_name_t *tname, isc_result_t *resp) { result = create_validator( val, tname, dns_rdatatype_ds, &val->frdataset, &val->fsigrdataset, validator_callback_ds, - "validate_dnskey"); + "get_dsset"); *resp = DNS_R_WAIT; if (result != ISC_R_SUCCESS) { *resp = result; } return ISC_R_COMPLETE; - } else if (DNS_TRUST_PENDING(val->frdataset.trust)) { - /* - * There should never be an unsigned DS. - */ - disassociate_rdatasets(val); - validator_log(val, ISC_LOG_DEBUG(2), - "unsigned DS record"); - *resp = DNS_R_NOVALIDSIG; - return ISC_R_COMPLETE; } break; @@ -3006,7 +2989,7 @@ seek_ds(dns_validator_t *val, isc_result_t *resp) { val, ISC_LOG_DEBUG(3), "no supported algorithm/digest (%s/DS)", namebuf); - *resp = markanswer(val, "proveunsecure (5)"); + *resp = markanswer(val, "seek_ds (1)"); return ISC_R_COMPLETE; } @@ -3016,22 +2999,12 @@ seek_ds(dns_validator_t *val, isc_result_t *resp) { /* * Otherwise, try to validate it now. */ - if (dns_rdataset_isassociated(&val->fsigrdataset)) { - result = create_validator( - val, tname, dns_rdatatype_ds, &val->frdataset, - &val->fsigrdataset, validator_callback_ds, - "proveunsecure"); - *resp = DNS_R_WAIT; - if (result != ISC_R_SUCCESS) { - *resp = result; - } - } else { - /* - * There should never be an unsigned DS. - */ - validator_log(val, ISC_LOG_DEBUG(3), - "unsigned DS record"); - *resp = DNS_R_NOVALIDSIG; + result = create_validator(val, tname, dns_rdatatype_ds, + &val->frdataset, &val->fsigrdataset, + validator_callback_ds, "seek_ds"); + *resp = DNS_R_WAIT; + if (result != ISC_R_SUCCESS) { + *resp = result; } return ISC_R_COMPLETE; @@ -3042,7 +3015,7 @@ seek_ds(dns_validator_t *val, isc_result_t *resp) { */ *resp = DNS_R_WAIT; result = create_fetch(val, tname, dns_rdatatype_ds, - fetch_callback_ds, "proveunsecure"); + fetch_callback_ds, "seek_ds"); if (result != ISC_R_SUCCESS) { *resp = result; } @@ -3063,7 +3036,7 @@ seek_ds(dns_validator_t *val, isc_result_t *resp) { result = create_validator( val, tname, dns_rdatatype_ds, &val->frdataset, &val->fsigrdataset, validator_callback_ds, - "proveunsecure"); + "seek_ds"); *resp = DNS_R_WAIT; if (result != ISC_R_SUCCESS) { *resp = result; @@ -3083,7 +3056,7 @@ seek_ds(dns_validator_t *val, isc_result_t *resp) { NULL) == ISC_R_SUCCESS && dns_name_equal(tname, found)) { - *resp = markanswer(val, "proveunsecure (3)"); + *resp = markanswer(val, "seek_ds (2)"); return ISC_R_COMPLETE; } @@ -3102,7 +3075,7 @@ seek_ds(dns_validator_t *val, isc_result_t *resp) { } if (isdelegation(tname, &val->frdataset, result)) { - *resp = markanswer(val, "proveunsecure (4)"); + *resp = markanswer(val, "seek_ds (3)"); return ISC_R_COMPLETE; } @@ -3133,7 +3106,7 @@ seek_ds(dns_validator_t *val, isc_result_t *resp) { result = create_validator( val, tname, dns_rdatatype_ds, &val->frdataset, &val->fsigrdataset, validator_callback_ds, - "proveunsecure"); + "seek_ds"); if (result != ISC_R_SUCCESS) { *resp = result; } @@ -3162,9 +3135,7 @@ seek_ds(dns_validator_t *val, isc_result_t *resp) { result = create_validator( val, tname, dns_rdatatype_cname, &val->frdataset, &val->fsigrdataset, - validator_callback_cname, - "proveunsecure " - "(cname)"); + validator_callback_cname, "seek_ds (cname)"); *resp = DNS_R_WAIT; if (result != ISC_R_SUCCESS) { *resp = result;