From: Grigorii Demidov
Date: Wed, 1 Mar 2017 12:47:27 +0000 (+0100)
Subject: layer/validate: don't treat anwsers which contain DS non-existance proof as unsecured
X-Git-Tag: v1.3.0~23^2~65^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ade6df9dd5c8ab478452a58e2ae1db54520646f5;p=thirdparty%2Fknot-resolver.git

layer/validate: don't treat anwsers which contain DS non-existance proof as unsecured
---

diff --git a/lib/layer/validate.c b/lib/layer/validate.c
index 1b9dd5d3e..bdff94a3a 100644
--- a/lib/layer/validate.c
+++ b/lib/layer/validate.c
@@ -294,7 +294,7 @@ static int update_parent_keys(struct kr_query *qry, uint16_t answer_type)
 break;
 case KNOT_RRTYPE_DS:
 VERBOSE_MSG(qry, "<= parent: updating DS\n");
-if (qry->flags & QUERY_DNSSEC_INSECURE) { /* DS non-existence proven. */
+if (qry->flags & (QUERY_DNSSEC_NODS | QUERY_DNSSEC_INSECURE)) { /* DS non-existence proven. */
 mark_insecure_parents(qry);
 } else { /* DS existence proven. */
 parent->zone_cut.trust_anchor = knot_rrset_copy(qry->zone_cut.trust_anchor, parent->zone_cut.pool);
@@ -371,8 +371,7 @@ static int update_delegation(struct kr_request *req, struct kr_query *qry, knot_
 qry->flags |= QUERY_DNSSEC_BOGUS;
 } else {
 VERBOSE_MSG(qry, "<= DS doesn't exist, going insecure\n");
-qry->flags &= ~QUERY_DNSSEC_WANT;
-qry->flags |= QUERY_DNSSEC_INSECURE;
+qry->flags |= QUERY_DNSSEC_NODS;
 }
 return ret;
 }
@@ -666,8 +665,7 @@ static int validate(kr_layer_t *ctx, knot_pkt_t *pkt)
 if (ret != 0) {
 if (has_nsec3 && (ret == kr_error(DNSSEC_OUT_OF_RANGE))) {
 VERBOSE_MSG(qry, "<= can't prove NODATA due to optout, going insecure\n");
-qry->flags &= ~QUERY_DNSSEC_WANT;
-qry->flags |= QUERY_DNSSEC_INSECURE;
+qry->flags |= QUERY_DNSSEC_NODS;
 /* Could not return from here,
 * we must continue, validate NSEC\NSEC3 and
 * call update_parent_keys() to mark
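Review bot: In the `else` branch of update_parent_keys the result of `knot_rrset_copy(qry->zone_cut.trust_anchor, parent->zone_cut.pool)` is stored into `parent->zone_cut.trust_anchor` without a NULL check; if that copy can fail on pool exhaustion (its contract is not visible here), the parent cut would be treated as "DS existence proven" while carrying no trust anchor, which is the wrong failure direction for a validator. If a failure is possible, fail closed: `if (!parent->zone_cut.trust_anchor) { qry->flags |= QUERY_DNSSEC_BOGUS; return kr_error(ENOMEM); }` (adjusting to whatever this function's error convention is). The widened `NODS | INSECURE` test itself looks consistent with the rest of the commit. update_parent_keys starts and ends outside this hunk.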
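Review bot: The log line `"<= DS doesn't exist, going insecure\n"` no longer describes what the branch does: the new code sets `QUERY_DNSSEC_NODS` and keeps `QUERY_DNSSEC_WANT` set, so this query is not going insecure here; only its parents are, via update_parent_keys. A misleading verbose message is a real cost when debugging validation failures, so I would change it to `VERBOSE_MSG(qry, "<= DS doesn't exist, marking NODS (parents go insecure)\n");`. Since `QUERY_DNSSEC_INSECURE` is no longer set on this path, any other code that tests only `QUERY_DNSSEC_INSECURE` (cache insertion, answer finalization, modules) would presumably now see this query as still secure-and-wanted; worth a grep for the flag before merging. update_delegation begins outside this hunk.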
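Review bot: Mapping `DNSSEC_OUT_OF_RANGE` under NSEC3 to `QUERY_DNSSEC_NODS` asserts "DS non-existence is proven", but an opt-out NSEC3 span proves only that an unsigned delegation may exist inside it (RFC 5155 §6); that inference is sound only when the record whose absence is being proven is the DS at a delegation (RFC 5155 §8.9). This hunk does not show which query type reaches this branch, so if it is reachable for a non-DS NODATA answer, an attacker-chosen opt-out span would downgrade an answer to insecure that should have been bogus. I would either guard the branch on the query type being DS, e.g. `if (has_nsec3 && qtype_is_ds && (ret == kr_error(DNSSEC_OUT_OF_RANGE)))` with the DS check the validator already uses for referrals, or add a comment stating why the qtype is guaranteed to be DS here. validate() starts and ends outside this hunk.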
@@ -729,7 +727,8 @@ static int validate(kr_layer_t *ctx, knot_pkt_t *pkt)
 return KR_STATE_FAIL;
 } else if (pkt_rcode == KNOT_RCODE_NOERROR &&
 referral &&
-((qry->flags & (QUERY_DNSSEC_WANT | QUERY_DNSSEC_INSECURE)) == QUERY_DNSSEC_INSECURE)) {
+(((qry->flags & (QUERY_DNSSEC_WANT | QUERY_DNSSEC_INSECURE)) == QUERY_DNSSEC_INSECURE) ||
+(qry->flags & QUERY_DNSSEC_NODS))) {
 /* referral with proven DS non-existance */
 qtype = KNOT_RRTYPE_DS;
 }
diff --git a/lib/resolve.c b/lib/resolve.c
index fe55019c5..af538b37f 100644
--- a/lib/resolve.c
+++ b/lib/resolve.c
@@ -185,9 +185,11 @@ static int ns_fetch_cut(struct kr_query *qry, const knot_dname_t *requested_name
 /* It can occur that here parent query already have
 * provably insecured zonecut which not in the cache yet. */
+const uint32_t insec_flags = QUERY_DNSSEC_INSECURE | QUERY_DNSSEC_NODS;
+const uint32_t cut_flags = QUERY_AWAIT_IPV4 | QUERY_AWAIT_IPV6;
 const bool is_insecured = ((qry->parent != NULL) &&
-(qry->parent->flags & (QUERY_AWAIT_IPV4 | QUERY_AWAIT_IPV6)) == 0 &&
-(qry->parent->flags & QUERY_DNSSEC_INSECURE) != 0);
+(qry->parent->flags & cut_flags) == 0 &&
+(qry->parent->flags & insec_flags) != 0);
 /* Want DNSSEC if it's possible to secure this name
 * (e.g. is covered by any TA) */
diff --git a/lib/rplan.h b/lib/rplan.h
index 92f94d09e..6a70835eb 100644
--- a/lib/rplan.h
+++ b/lib/rplan.h
@@ -53,6 +53,7 @@
 X(REORDER_RR, 1 << 24) /**< Reorder cached RRs. */ \
 X(TRACE, 1 << 25) /**< Log answer with kr_verbose_log(), unless -DNDEBUG. */ \
 X(NO_0X20, 1 << 26) /**< Disable query case randomization . */ \
+X(DNSSEC_NODS, 1 << 27) /**< DS non-existance is proven */ \
 /* 1 << 31 Used by ../modules/dns64/dns64.lua */

 /** Query flags */
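Review bot: The new `else if` condition nests the flag test three parentheses deep across two continuation lines, which is hard to audit for the exact precedence a validator decision depends on; a named predicate reads better and makes the "DS proven absent" meaning explicit. I would compute it just above the chain: `const bool ds_absent = (qry->flags & QUERY_DNSSEC_NODS) ||` / `((qry->flags & (QUERY_DNSSEC_WANT | QUERY_DNSSEC_INSECURE)) == QUERY_DNSSEC_INSECURE);` and then `} else if (pkt_rcode == KNOT_RCODE_NOERROR && referral && ds_absent) {`. The logic is otherwise unchanged from what the hunk adds. validate() starts and ends outside this hunk.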
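Review bot: `insec_flags` here duplicates the `QUERY_DNSSEC_NODS | QUERY_DNSSEC_INSECURE` mask that update_parent_keys in lib/layer/validate.c now also spells out by hand, so the two definitions of "this cut is provably not signed" can drift the next time a flag is added. Define the mask once next to the flags in lib/rplan.h, e.g. `#define QUERY_DNSSEC_NOSIG (QUERY_DNSSEC_INSECURE | QUERY_DNSSEC_NODS)`, and use it in both places. `uint32_t` for the masks is reasonable as long as `qry->parent->flags` is at least that wide; its declared type is not visible in this hunk. ns_fetch_cut starts and ends outside this hunk.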
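Review bot: The doc comment on the new flag, `/**< DS non-existance is proven */`, has a spelling error and, more importantly, does not say how the flag differs from `DNSSEC_INSECURE`, which is the whole point of introducing it. From the validate.c hunks the difference is that `DNSSEC_WANT` is no longer cleared when NODS is set, so I would write: `X(DNSSEC_NODS, 1 << 27) /**< DS non-existence proven for this cut; unlike DNSSEC_INSECURE, DNSSEC_WANT stays set and the answer is still validated. */ \`. That "still validated" part is my reading of the `update_delegation` and optout hunks and should be confirmed by the author. Also worth a one-line check that bit 27 is not already claimed by a module, given the `1 << 31` reservation noted below it.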