From: Matthijs Mekking Date: Tue, 3 Mar 2026 10:43:23 +0000 (+0100) Subject: Check RRset trust in validate_neg_rrset() X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fe40620f47ce7cc10aca33b3d4f0a840f53f708d;p=thirdparty%2Fbind9.git Check RRset trust in validate_neg_rrset() In many places we only create a validator if the RRset has too low trust (the RRset is pending validation, or could not be validated before). This check was missing prior to validating negative response data. (cherry picked from commit 6ca67f65cd685cf8699540a852c1e3775bd48d64)
---
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index 9f39c3a95cf..25a1a00c8b6 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -2754,6 +2754,19 @@ validate_authority(dns_validator_t *val, bool resume) {
 dns_rdatatype_soa))
 continue;
 }
+
+ if (rdataset->type != dns_rdatatype_nsec && DNS_TRUST_SECURE(rdataset->trust)) {
+ /*
+ * The negative response data is already
+ * verified. We skip NSEC records, because
+ * they require special processing in
+ * authvalidated().
+ */
+ continue;
+ }
+
 val->currentset = rdataset;
 result = create_validator(val, name, rdataset->type,
 rdataset, sigrdataset,
@@ -2831,6 +2844,18 @@ validate_ncache(dns_validator_t *val, bool resume) {
 dns_rdatatype_soa))
 continue;
 }
+
+ if (rdataset->type != dns_rdatatype_nsec && DNS_TRUST_SECURE(rdataset->trust)) {
+ /*
+ * The negative response data is already verified.
+ * We skip NSEC records, because they require special
+ * processing in authvalidated().
+ */
+ continue;
+ }
+
 val->currentset = rdataset;
 result = create_validator(val, name, rdataset->type,
 rdataset, sigrdataset,
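Review bot: The new comment in validate_authority() explains why a secure NSEC RRset is still handed to create_validator(), but it says nothing about NSEC3, which is the other negative-proof type found in the authority section and is not exempted by `rdataset->type != dns_rdatatype_nsec`, so a reader will wonder whether a secure NSEC3 can safely be skipped here. If, as I believe, NSEC3 proofs are gathered later by findnsec3proofs() from already-secure RRsets rather than in authvalidated(), state that so the asymmetry is deliberate, e.g. append `* NSEC3 RRsets are skipped here; their proofs are collected separately by findnsec3proofs().` — please confirm that is the right function before committing the wording. It is also worth a half-sentence that the cost of the NSEC exemption is re-validating a signature that has already been verified. validate_authority() begins and ends outside this hunk.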
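Review bot: The added check in validate_ncache() is a verbatim copy of the one added to validate_authority() in the hunk above, differing only in how the comment is wrapped, and the subject line refers to a validate_neg_rrset() that no hunk on this branch touches — presumably the shared helper the original commit landed in, which the backport has inlined twice. To keep the two copies from drifting, factor the predicate into one small static helper with the comment on it, e.g. `static bool negrrset_verified(const dns_rdataset_t *rdataset)` with body `return (rdataset->type != dns_rdatatype_nsec && DNS_TRUST_SECURE(rdataset->trust));`, and have both loops do `if (negrrset_verified(rdataset)) { continue; }`. If a helper is out of scope for a cherry-pick, at least make the two comments identical so a future grep finds both sites. validate_ncache() begins and ends outside this hunk.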