From: Vladimír Čunát
Date: Thu, 6 May 2021 16:19:46 +0000 (+0200)
Subject: lib/dnssec/ta kr_ta_covers_qry(): generalize and improve
X-Git-Tag: v5.4.0~20^2~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b16d983ea772a039269c8d02804238a4cf139aa5;p=thirdparty%2Fknot-resolver.git

lib/dnssec/ta kr_ta_covers_qry(): generalize and improve

The closer (N)TA will win now. That wasn't the case if we had a positive TA underneath a negative TA. (Well, I can't recall ever seeing anything close to a use case.)
---

diff --git a/lib/dnssec/ta.c b/lib/dnssec/ta.c
index b6a8cb0bc..7d0cea47e 100644
--- a/lib/dnssec/ta.c
+++ b/lib/dnssec/ta.c
@@ -35,6 +35,27 @@ const knot_dname_t *kr_ta_get_longest_name(map_t *trust_anchors, const knot_dnam
 return NULL;
 }
 
+const knot_dname_t * kr_ta_closest(const struct kr_context *ctx, const knot_dname_t *name,
+ const uint16_t type)
+{
+ assert(ctx && name);
+ if (type == KNOT_RRTYPE_DS && name[0] != '\0') {
+ /* DS is parent-side record, so the parent name needs to be covered. */
+ name = knot_wire_next_label(name, NULL);
+ }
+ while (name) {
+ struct kr_context *ctx_nc = (struct kr_context *)/*const-cast*/ctx;
+ if (kr_ta_get(&ctx_nc->trust_anchors, name)) {
+ return name;
+ }
+ if (kr_ta_get(&ctx_nc->negative_anchors, name)) {
+ return NULL;
+ }
+ name = knot_wire_next_label(name, NULL);
+ }
+ return NULL;
+}
+
 /* @internal Create DS from DNSKEY, caller MUST free dst if successful. */
 static int dnskey2ds(dnssec_binary_t *dst, const knot_dname_t *owner, const uint8_t *rdata, uint16_t rdlen)
 {
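Review bot: When a positive and a negative anchor are configured for the very same name, the loop in kr_ta_closest returns the positive one because trust_anchors is consulted before negative_anchors at each label, but neither the code nor the header text ("Closer negative anchor results into NULL") states that equal-depth tie-break. A negative trust anchor is the operator's instruction to skip validation below that name, so the precedence deserves an explicit comment at the first kr_ta_get() call, e.g. `/* At equal depth a positive TA wins over a negative one (checked first). */`. The const-cast into ctx_nc is loop-invariant and could be hoisted above the while so the cast sits in one obvious place, `struct kr_context *ctx_nc = (struct kr_context *)/*const-cast*/ctx;`. The assert() is the only NULL guard on ctx and name, so under NDEBUG a NULL ctx reaches kr_ta_get(); that matches the removed kr_ta_covers_qry and may be intended.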
@@ -130,22 +151,6 @@ int kr_ta_covers(map_t *trust_anchors, const knot_dname_t *name)
 return false;
 }
 
-bool kr_ta_covers_qry(struct kr_context *ctx, const knot_dname_t *name,
- const uint16_t type)
-{
- assert(ctx && name);
- if (type == KNOT_RRTYPE_DS && name[0] != '\0') {
- /* DS is parent-side record, so the parent name needs to be covered. */
- name = knot_wire_next_label(name, NULL);
- if (!name) {
- assert(false);
- return false;
- }
- }
- return kr_ta_covers(&ctx->trust_anchors, name)
- && !kr_ta_covers(&ctx->negative_anchors, name);
-}
-
 /* Delete record data */
 static int del_record(const char *k, void *v, void *ext)
 {
diff --git a/lib/dnssec/ta.h b/lib/dnssec/ta.h
index 40094a8b3..8f3885a28 100644
--- a/lib/dnssec/ta.h
+++ b/lib/dnssec/ta.h
@@ -42,12 +42,28 @@ KR_EXPORT KR_PURE
 int kr_ta_covers(map_t *trust_anchors, const knot_dname_t *name);
 
 struct kr_context;
+
 /**
- * A wrapper around kr_ta_covers that is aware of negative TA and types.
+ * Return pointer to the name of the closest positive trust anchor or NULL.
+
+ * "Closest" means on path towards root. Closer negative anchor results into NULL.
+ * @param type serves as a shorthand because DS needs to start one level higher.
 */
-KR_EXPORT KR_PURE
+KR_PURE
+const knot_dname_t * kr_ta_closest(const struct kr_context *ctx, const knot_dname_t *name,
+ const uint16_t type);
+
+/**
+ * A trivial wrapper around kr_ta_closest
+
+ * TODO: drop it? The name doesn't feel very suitable either.
+ */
+static inline
 bool kr_ta_covers_qry(struct kr_context *ctx, const knot_dname_t *name,
- const uint16_t type);
+ const uint16_t type)
+{
+ return kr_ta_closest(ctx, name, type) != NULL;
+}
 
 /**
 * Remove TA from trust store.
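Review bot: kr_ta_closest is declared `KR_PURE` without `KR_EXPORT`, yet the new `static inline` kr_ta_covers_qry in this public header calls it, while the removed declaration of kr_ta_covers_qry did carry `KR_EXPORT`; if KR_EXPORT controls symbol visibility as its name suggests, any caller outside the library's visibility boundary that used kr_ta_covers_qry (or wants kr_ta_closest) would now fail to link. If that is unintended, the declaration line should read `KR_EXPORT KR_PURE`. The wrapper's doc comment also never says what the boolean means; `@return true iff the closest (positive or negative) anchor covering the query name (its parent for DS) is a positive one.` would pin it. Its ctx parameter could become `const struct kr_context *` now that kr_ta_closest accepts const, so const callers can use the wrapper too.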