Fail processing incoming DNS message on first validation failure
authorMark Andrews <marka@isc.org>
Wed, 22 Nov 2023 05:59:03 +0000 (16:59 +1100)
committerMichał Kępień <michal@isc.org>
Thu, 1 Feb 2024 20:47:29 +0000 (21:47 +0100)
Stop DNS validation as soon as the first validation failure occurs
in the DNS message.

lib/dns/include/dns/validator.h
lib/dns/validator.c

index 383dcb46e400423f6f368431186b25cda868ccfd..352a60a6a09d6b444fa20115f871eca2c80dfdfe 100644 (file)
@@ -148,6 +148,7 @@ struct dns_validator {
        unsigned int  depth;
        unsigned int  authcount;
        unsigned int  authfail;
+       bool          failed;
        isc_stdtime_t start;
 };
 
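Review bot: The new `failed` member is added without any initialization visible in this diff, and the only place it is written in this commit is the failure path of validate_answer(), so it must start out false; presumably the validator is zeroed at allocation, but that is not shown here and is worth confirming. A short comment on the field would make its lifetime clear, e.g. `bool failed; /* set on the first signature verification failure; ends further processing of the message */`. The struct dns_validator definition begins outside the hunk.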
index 7ae0b3c49cef2042564ce01e8843915b9a51cfd3..e0c35740402ded1222cd957a337702881a1e1a91 100644 (file)
@@ -1591,20 +1591,9 @@ validate_answer(dns_validator_t *val, bool resume) {
                        continue;
                }
 
-               do {
-                       isc_result_t tresult;
-                       vresult = verify(val, val->key, &rdata,
-                                        val->siginfo->keyid);
-                       if (vresult == ISC_R_SUCCESS) {
-                               break;
-                       }
-
-                       tresult = select_signing_key(val, val->keyset);
-                       if (tresult != ISC_R_SUCCESS) {
-                               break;
-                       }
-               } while (1);
+               vresult = verify(val, val->key, &rdata, val->siginfo->keyid);
                if (vresult != ISC_R_SUCCESS) {
+                       val->failed = true;
                        validator_log(val, ISC_LOG_DEBUG(3),
                                      "failed to verify rdataset");
                } else {
@@ -1641,9 +1630,13 @@ validate_answer(dns_validator_t *val, bool resume) {
                } else {
                        validator_log(val, ISC_LOG_DEBUG(3),
                                      "verify failure: %s",
-                                     isc_result_totext(result));
+                                     isc_result_totext(vresult));
                        resume = false;
                }
+               if (val->failed) {
+                       result = ISC_R_NOMORE;
+                       break;
+               }
        }
        if (result != ISC_R_NOMORE) {
                validator_log(val, ISC_LOG_DEBUG(3),
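Review bot: The single verify() call replacing the do/while loop at the top of the first hunk also drops the select_signing_key() retry, so a DNSKEY whose key tag and algorithm collide with another key in the set is no longer tried as an alternative signer; that is a behaviour change beyond the "stop at the first failure" the commit message describes and deserves a comment at the call site, e.g. `/* Verify against the selected key only; alternate keys sharing the same key tag are deliberately not retried. */`. The commit description could state this explicitly as well. In the second hunk `val->failed` is a field on the validator rather than a local, so if validate_answer() is re-entered with resume set after a failure the flag is still raised and the loop will break after the first signature; confirm the validator is torn down or the flag cleared before any resume, since neither is visible here. validate_answer() begins and ends outside both hunks.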