From: Matthijs Mekking
Date: Tue, 3 Mar 2026 10:17:25 +0000 (+0100)
Subject: Don't verify already trusted rdatasets
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e1d47d57e4cb496a8b64ea292467cd05a769d1e6;p=thirdparty%2Fbind9.git

Don't verify already trusted rdatasets

If we already marked an rdataset as secure (or it has even stronger trust), there is no need to cryptographically verify it again.

(cherry picked from commit 0ec08c212022d08c9717f2bc6bd3e8ebd6f034ce)
---

diff --git a/lib/dns/include/dns/types.h b/lib/dns/include/dns/types.h
index 2468e3c348e..118762ad08c 100644
--- a/lib/dns/include/dns/types.h
+++ b/lib/dns/include/dns/types.h
@@ -357,7 +357,7 @@ enum {
 	(x) == dns_trust_pending_additional)
 #define DNS_TRUST_GLUE(x) ((x) == dns_trust_glue)
 #define DNS_TRUST_ANSWER(x) ((x) == dns_trust_answer)
-
+#define DNS_TRUST_SECURE(x) ((x) >= dns_trust_secure)
 
 /*%
  * Name checking severities.
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index 344038e28c1..9f39c3a95cf 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -1557,6 +1557,13 @@ verify(dns_validator_t *val, dst_key_t *key, dns_rdata_t *rdata,
 	bool ignore = false;
 	dns_name_t *wild;
 
+	if (DNS_TRUST_SECURE(val->event->rdataset->trust)) {
+		/*
+		 * This RRset was already verified before.
+		 */
+		return ISC_R_SUCCESS;
+	}
+
 	val->attributes |= VALATTR_TRIEDVERIFY;
 	wild = dns_fixedname_initname(&fixed);
 again:
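Review bot: The new DNS_TRUST_SECURE() on the `+` line of the types.h hunk is the only macro in this group that uses an ordering comparison (`>=`) instead of equality, so it is correct only as long as every trust level stronger than dns_trust_secure is declared after it in the enum whose body this hunk sits in. A one-line comment next to the macro would keep a later insertion or reordering of an enum member from silently changing what counts as secure, e.g. `/* dns_trust_secure or any stronger level: relies on the enum ordering above */`. The enum's opening and its other members are outside the hunk.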
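Review bot: The early return added at the top of verify() in the validator.c hunk skips the signature check on the strength of `val->event->rdataset->trust` alone, so the validator's soundness now depends on that field only ever reaching dns_trust_secure after a previous successful validation or from an authoritative source; the comment should state that invariant rather than the bare "already verified before". The return also happens before `VALATTR_TRIEDVERIFY` is set and independently of which `key` and `rdata` the caller passed, so a caller that tries several keys and reads success as "this key signed the RRset" gets success for whichever key it tries first — worth confirming against the call sites, which are outside this hunk. Suggested comment in place of the existing one: `/* A trust level of secure or stronger is only assigned after a successful validation (or from an authoritative source), so repeating the signature check would be redundant. VALATTR_TRIEDVERIFY is deliberately left unset here. */`. The remainder of verify() continues past `again:` outside the hunk.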