Remove check for missing RRSIG records from getsection
authorMark Andrews <marka@isc.org>
Tue, 18 Feb 2025 23:34:47 +0000 (10:34 +1100)
committerMark Andrews <marka@isc.org>
Fri, 21 Feb 2025 03:20:54 +0000 (14:20 +1100)
Checking whether the authority section is properly signed should
be left to the validator.  Checking in getsection (dns_message_parse)
was way too early and resulted in resolution failures of lookups
that should have otherwise succeeded.

(cherry picked from commit 83159d0a545be2845f08386f5dffdc2ac3721ba5)

lib/dns/message.c

index 1ac370bc053531066ae096410e20551344943c6d..63c07abecbff26156f6cc9d7ea541af5637c6298 100644 (file)
@@ -1197,62 +1197,6 @@ update(dns_section_t section, dns_rdataclass_t rdclass) {
        return false;
 }
 
-/*
- * Check to confirm that all DNSSEC records (DS, NSEC, NSEC3) have
- * covering RRSIGs.
- */
-static bool
-auth_signed(dns_namelist_t *section) {
-       dns_name_t *name;
-
-       for (name = ISC_LIST_HEAD(*section); name != NULL;
-            name = ISC_LIST_NEXT(name, link))
-       {
-               int auth_dnssec = 0, auth_rrsig = 0;
-               dns_rdataset_t *rds;
-
-               for (rds = ISC_LIST_HEAD(name->list); rds != NULL;
-                    rds = ISC_LIST_NEXT(rds, link))
-               {
-                       switch (rds->type) {
-                       case dns_rdatatype_ds:
-                               auth_dnssec |= 0x1;
-                               break;
-                       case dns_rdatatype_nsec:
-                               auth_dnssec |= 0x2;
-                               break;
-                       case dns_rdatatype_nsec3:
-                               auth_dnssec |= 0x4;
-                               break;
-                       case dns_rdatatype_rrsig:
-                               break;
-                       default:
-                               continue;
-                       }
-
-                       switch (rds->covers) {
-                       case dns_rdatatype_ds:
-                               auth_rrsig |= 0x1;
-                               break;
-                       case dns_rdatatype_nsec:
-                               auth_rrsig |= 0x2;
-                               break;
-                       case dns_rdatatype_nsec3:
-                               auth_rrsig |= 0x4;
-                               break;
-                       default:
-                               break;
-                       }
-               }
-
-               if (auth_dnssec != auth_rrsig) {
-                       return false;
-               }
-       }
-
-       return true;
-}
-
 static isc_result_t
 getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
           dns_section_t sectionid, unsigned int options) {
@@ -1723,21 +1667,6 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
                INSIST(!free_name);
        }
 
-       /*
-        * If any of DS, NSEC or NSEC3 appeared in the
-        * authority section of a query response without
-        * a covering RRSIG, FORMERR
-        */
-       if (sectionid == DNS_SECTION_AUTHORITY &&
-           msg->opcode == dns_opcode_query &&
-           ((msg->flags & DNS_MESSAGEFLAG_QR) != 0) &&
-           ((msg->flags & DNS_MESSAGEFLAG_TC) == 0) && !preserve_order &&
-           !auth_signed(section))
-       {
-               /* XXX test coverage */
-               DO_ERROR(DNS_R_FORMERR);
-       }
-
        if (seen_problem) {
                result = DNS_R_RECOVERABLE;
        }