From: Marek VavruĊĦa
Date: Thu, 24 Sep 2015 11:53:28 +0000 (+0200)
Subject: lib/validate: fixed processing of RRSIG queries
X-Git-Tag: v1.0.0-beta1~53^2~25
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b68c0072b83e0407771df08c7554ebf4cd627bf9;p=thirdparty%2Fknot-resolver.git

lib/validate: fixed processing of RRSIG queries
---

diff --git a/lib/layer/validate.c b/lib/layer/validate.c
index 8c55bde33..e7629c9f0 100644
--- a/lib/layer/validate.c
+++ b/lib/layer/validate.c
@@ -324,7 +324,13 @@ static int validate(knot_layer_t *ctx, knot_pkt_t *pkt)
 	if (!(qry->flags & QUERY_DNSSEC_WANT)) {
 		return ctx->state;
 	}
-	if (!(qry->flags & QUERY_CACHED) && !knot_pkt_has_dnssec(pkt)) {
+	/* Answer for RRSIG may not set DO=1, but all records MUST still validate. */
+	bool use_signatures = (knot_pkt_qtype(pkt) != KNOT_RRTYPE_RRSIG);
+	/* @todo do not cache RRSIG answers until RFC2181 credibility is implemented */
+	if (!use_signatures) {
+		knot_wire_set_rcode(pkt->wire, KNOT_RCODE_SERVFAIL); /* Prevent caching */
+	}
+	if (!(qry->flags & QUERY_CACHED) && !knot_pkt_has_dnssec(pkt) && !use_signatures) {
 		DEBUG_MSG(qry, "<= got insecure response\n");
 		qry->flags |= QUERY_DNSSEC_BOGUS;
 		return KNOT_STATE_FAIL;
@@ -347,7 +353,7 @@ static int validate(knot_layer_t *ctx, knot_pkt_t *pkt)
 	 */
 	const knot_dname_t *key_own = qry->zone_cut.key ? qry->zone_cut.key->owner : NULL;
 	const knot_dname_t *sig_name = first_rrsig_signer_name(pkt);
-	if (key_own && sig_name && !knot_dname_is_equal(key_own, sig_name)) {
+	if (use_signatures && key_own && sig_name && !knot_dname_is_equal(key_own, sig_name)) {
 		DEBUG_MSG(qry, ">< cut changed, needs revalidation\n");
 		knot_wire_set_rcode(pkt->wire, KNOT_RCODE_SERVFAIL); /* Prevent caching */
 		qry->flags &= ~QUERY_RESOLVED;
diff --git a/tests/testdata/iter_validate.rpl b/tests/testdata/iter_validate.rpl
index 6da2bf7e4..6983ea599 100644
--- a/tests/testdata/iter_validate.rpl
+++ b/tests/testdata/iter_validate.rpl
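Review bot: The condition on the last added line of the first hunk, `!knot_pkt_has_dnssec(pkt) && !use_signatures`, reads as the inverse of the comment introduced a few lines earlier: `use_signatures` is false only for RRSIG queries, so the insecure-response failure now fires exactly for the RRSIG answers the comment says may legitimately lack DO=1, and never for any other qtype, meaning a response to a QUERY_DNSSEC_WANT query from which DO was stripped is no longer marked QUERY_DNSSEC_BOGUS here. If the intent is to exempt only RRSIG queries, the last term should be `use_signatures`: `if (!(qry->flags & QUERY_CACHED) && !knot_pkt_has_dnssec(pkt) && use_signatures) {`. The unconditional SERVFAIL stamp on `pkt->wire` for RRSIG queries also runs before the QUERY_CACHED check, so it presumably applies to cached answers as well; if that is intended, a short comment saying so would help. validate() begins before this hunk and continues after it.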
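Review bot: The added `use_signatures &&` guard in the second hunk drops the zone-cut/signer-name revalidation for RRSIG answers without a comment explaining why, and `use_signatures` is defined some lines above, outside this hunk, so the line does not explain itself to a reader. Suggest preceding the `if` with `/* RRSIG answers are passed through without validation, so a signer/cut mismatch is not acted on here. */`. The enclosing validate() body extends past both ends of the hunk.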
@@ -64,6 +64,18 @@ cz. 86400 IN RRSIG DS 8 1 86400 20150802050000 20150723040000 1518 . fEz3NpYRz
 SECTION ADDITIONAL
 a.ns.nic.cz. 172800 IN A 194.0.12.1
 ENTRY_END
+
+; fake, this can't be validated anyway
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+cz. IN RRSIG
+SECTION ANSWER
+cz. 18000 IN RRSIG NS 10 1 18000 20150802132511 20150721120844 39788 cz. fEz3NpYRzgeBjKrLMpht3KFOQ0t6U2wikIaOt1HcmFvurxtPkZVvqdb0 QBQfvh8DoEXDbvpcikzMIO9XYLzzs10X/m91ybGiWzcTVcU+prVGZJP9 zZrvYAIWrpxoC4deKD+vOoNZXGnLfffi6lmGn7QRZaH0LVKjn33cIaPQ 9EM=
+cz. 86400 IN RRSIG DS 8 1 86400 20150802050000 20150723040000 1518 . pf5UzinUesHzGQTav/1NxGW0AifCmzLW3S8X9tWDRwx7XSKGac7QVXgp nMNyb/NiSho9oj+ZTaQpBZQaTri+brHT4W/nE0TofqZlyYiaABb9xgxJ LgjLkt+OVcJsM3a+q+QEGSt+skNlZVDQeR+sztbuORiZXAqhxumxD8iy zZ8=
+ENTRY_END
 RANGE_END
 
 ;a.ns.nic.cz.
@@ -110,11 +122,31 @@ STEP 1 QUERY
 ENTRY_BEGIN
 REPLY RD
 SECTION QUESTION
+cz. IN RRSIG
+ENTRY_END
+
+; check that it answers a query for RRSIG (unauthenticated)
+; digests are swapped, i.e. signatures are invalid, server shouldn't use them later
+STEP 2 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+cz. IN RRSIG
+SECTION ANSWER
+cz. 18000 IN RRSIG NS 10 1 18000 20150802132511 20150721120844 39788 cz. fEz3NpYRzgeBjKrLMpht3KFOQ0t6U2wikIaOt1HcmFvurxtPkZVvqdb0 QBQfvh8DoEXDbvpcikzMIO9XYLzzs10X/m91ybGiWzcTVcU+prVGZJP9 zZrvYAIWrpxoC4deKD+vOoNZXGnLfffi6lmGn7QRZaH0LVKjn33cIaPQ 9EM=
+cz. 86400 IN RRSIG DS 8 1 86400 20150802050000 20150723040000 1518 . pf5UzinUesHzGQTav/1NxGW0AifCmzLW3S8X9tWDRwx7XSKGac7QVXgp nMNyb/NiSho9oj+ZTaQpBZQaTri+brHT4W/nE0TofqZlyYiaABb9xgxJ LgjLkt+OVcJsM3a+q+QEGSt+skNlZVDQeR+sztbuORiZXAqhxumxD8iy zZ8=
+ENTRY_END
+
+STEP 3 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
 cz. IN NS
 ENTRY_END
 
 ; check that it answers a plain query
-STEP 2 CHECK_ANSWER
+STEP 4 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
 REPLY QR RD RA NOERROR
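Review bot: The new STEP 1/STEP 2 exchange sends the RRSIG query with `REPLY RD` only, without DO, while the validate.c change in this commit returns early unless QUERY_DNSSEC_WANT is set; if that flag is derived from the client's DO bit (not visible here), the new `use_signatures` branches are never reached by this scenario and the test passes regardless of the C change. A second RRSIG query step with `REPLY RD DO` and a CHECK_ANSWER expecting no AD would exercise the intended path. The fake upstream entry added in the first hunk matches only `opcode qtype qname` and answers without DO, which is consistent with the comment that an RRSIG answer may omit it.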
@@ -127,7 +159,7 @@ cz. 18000 IN NS c.ns.nic.cz.
 cz. 18000 IN NS d.ns.nic.cz.
 ENTRY_END
 
-STEP 3 QUERY
+STEP 5 QUERY
 ENTRY_BEGIN
 REPLY RD DO
 SECTION QUESTION
@@ -135,7 +167,7 @@ cz. IN NS
 ENTRY_END
 
-STEP 4 CHECK_ANSWER
+STEP 6 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
 REPLY QR RD RA AD NOERROR