From: Vladimír Čunát Date: Thu, 25 Mar 2021 09:56:14 +0000 (+0100) Subject: validate: change order of tasks X-Git-Tag: v5.3.1~1^2~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b819108b59ec4194ece336749b428a63b1071ae7;p=thirdparty%2Fknot-resolver.git validate: change order of tasks It seems better to check RRSIGs before checking negative proofs, in terms of reasoning, being less error-prone, etc. --- diff --git a/lib/layer/validate.c b/lib/layer/validate.c index aa8aa8be4..94a0122e8 100644 --- a/lib/layer/validate.c +++ b/lib/layer/validate.c @@ -1037,6 +1037,33 @@ static int validate(kr_layer_t *ctx, knot_pkt_t *pkt) } } + /* Validate all records, fail as bogus if it doesn't match. + * Do not revalidate data from cache, as it's already trusted. + * TTLs of RRsets may get lowered. */ + if (!(qry->flags.CACHED)) { + ret = validate_records(req, pkt, req->rplan.pool, has_nsec3); + if (ret != 0) { + /* something exceptional - no DNS key, empty pointers etc + * normally it shoudn't happen */ + VERBOSE_MSG(qry, "<= couldn't validate RRSIGs\n"); + qry->flags.DNSSEC_BOGUS = true; + return KR_STATE_FAIL; + } + /* check validation state and spawn subrequests */ + if (!req->answ_validated) { + ret = check_validation_result(ctx, pkt, &req->answ_selected); + if (ret != KR_STATE_DONE) { + return ret; + } + } + if (!req->auth_validated) { + ret = check_validation_result(ctx, pkt, &req->auth_selected); + if (ret != KR_STATE_DONE) { + return ret; + } + } + } + /* Validate non-existence proof if not positive answer. * In case of CNAME, iterator scheduled a sibling query for the target, * so we just drop the negative piece of information and don't try to prove it. @@ -1095,33 +1122,6 @@ static int validate(kr_layer_t *ctx, knot_pkt_t *pkt) } } - /* Validate all records, fail as bogus if it doesn't match. - * Do not revalidate data from cache, as it's already trusted. - * TTLs of RRsets may get lowered. */ - if (!(qry->flags.CACHED)) { - ret = validate_records(req, pkt, req->rplan.pool, has_nsec3); - if (ret != 0) { - /* something exceptional - no DNS key, empty pointers etc - * normally it shoudn't happen */ - VERBOSE_MSG(qry, "<= couldn't validate RRSIGs\n"); - qry->flags.DNSSEC_BOGUS = true; - return KR_STATE_FAIL; - } - /* check validation state and spawn subrequests */ - if (!req->answ_validated) { - ret = check_validation_result(ctx, pkt, &req->answ_selected); - if (ret != KR_STATE_DONE) { - return ret; - } - } - if (!req->auth_validated) { - ret = check_validation_result(ctx, pkt, &req->auth_selected); - if (ret != KR_STATE_DONE) { - return ret; - } - } - } - wildcard_adjust_to_wire(req, qry); /* Check and update current delegation point security status. */