attempt to validate glue, but don't drop it if it can't be validated
authorEvan Hunt <each@isc.org>
Fri, 18 May 2018 00:12:15 +0000 (17:12 -0700)
committerMark Andrews <marka@isc.org>
Mon, 4 Jun 2018 05:12:18 +0000 (01:12 -0400)
bin/named/query.c

index 44caf79ff5ab3aceb8b7fb3ef536bf50658d9ffb..7fc535056dbd50792be81346aa994fed4893e736 100644 (file)
@@ -1620,14 +1620,21 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
                                dns_rdataset_disassociate(sigrdataset);
                }
                if (result == ISC_R_SUCCESS) {
+                       isc_boolean_t invalid = ISC_FALSE;
                        mname = NULL;
 #ifdef ALLOW_FILTER_AAAA
                        have_a = ISC_TRUE;
 #endif
-                       if (additionaltype == dns_rdatasetadditional_fromcache &&
-                           DNS_TRUST_PENDING(rdataset->trust) &&
+                       if (additionaltype ==
+                           dns_rdatasetadditional_fromcache &&
+                           (DNS_TRUST_PENDING(rdataset->trust) ||
+                            DNS_TRUST_GLUE(rdataset->trust)) &&
                            !validate(client, db, fname, rdataset, sigrdataset))
                        {
+                               invalid = ISC_TRUE;
+                       }
+
+                       if (invalid && DNS_TRUST_PENDING(rdataset->trust)) {
                                dns_rdataset_disassociate(rdataset);
                                if (sigrdataset != NULL &&
                                    dns_rdataset_isassociated(sigrdataset))
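Review bot: The reason unvalidated glue is deliberately kept while unvalidated pending data is dropped is not recorded at the new `if (invalid && DNS_TRUST_PENDING(rdataset->trust))` test, unlike the equivalent change in query_addadditional2, which carries an explanatory comment; a reader of this function alone cannot tell that keeping glue is intended rather than an oversight. I would add, directly above that `if`, `/* Drop pending data we could not validate; glue that fails validation is kept, since it may still be needed to reach the delegation. */`, with the wording matched to the comment used in query_addadditional2. The same applies to the second occurrence in this function, the hunk covering the AAAA lookup around lines 1702-1717 of the new file. The enclosing `if (result == ISC_R_SUCCESS)` block and query_addadditional itself continue past the end of this hunk.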
@@ -1682,6 +1689,7 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
                                dns_rdataset_disassociate(sigrdataset);
                }
                if (result == ISC_R_SUCCESS) {
+                       isc_boolean_t invalid = ISC_FALSE;
                        mname = NULL;
                        /*
                         * There's an A; check whether we're filtering AAAA
@@ -1694,10 +1702,16 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
                              !dns_rdataset_isassociated(sigrdataset)))))
                                goto addname;
 #endif
-                       if (additionaltype == dns_rdatasetadditional_fromcache &&
-                           DNS_TRUST_PENDING(rdataset->trust) &&
+                       if (additionaltype ==
+                           dns_rdatasetadditional_fromcache &&
+                           (DNS_TRUST_PENDING(rdataset->trust) ||
+                            DNS_TRUST_GLUE(rdataset->trust)) &&
                            !validate(client, db, fname, rdataset, sigrdataset))
                        {
+                               invalid = ISC_TRUE;
+                       }
+
+                       if (invalid && DNS_TRUST_PENDING(rdataset->trust)) {
                                dns_rdataset_disassociate(rdataset);
                                if (sigrdataset != NULL &&
                                    dns_rdataset_isassociated(sigrdataset))
@@ -1859,6 +1873,7 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
        dns_rdatasetadditional_t additionaltype;
        dns_clientinfomethods_t cm;
        dns_clientinfo_t ci;
+       isc_boolean_t invalid;
 
        /*
         * If we don't have an additional cache call query_addadditional.
@@ -2156,15 +2171,22 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
         */
        result = dns_db_findrdataset(db, node, version, dns_rdatatype_a, 0,
                                     client->now, rdataset, sigrdataset);
+
        /*
-        * If we can't promote glue/pending from the cache to secure
-        * then drop it.
+        * Try to promote pending/glue from the cache to secure.
+        * If unable to do so, drop it from the response unless
+        * it's glue, in which case it may still be needed.
         */
+       invalid = ISC_FALSE;
        if (result == ISC_R_SUCCESS &&
            additionaltype == dns_rdatasetadditional_fromcache &&
-           DNS_TRUST_PENDING(rdataset->trust) &&
+           (DNS_TRUST_PENDING(rdataset->trust) ||
+            DNS_TRUST_GLUE(rdataset->trust)) &&
            !validate(client, db, fname, rdataset, sigrdataset))
        {
+               invalid = ISC_TRUE;
+       }
+       if (invalid && DNS_TRUST_PENDING(rdataset->trust)) {
                dns_rdataset_disassociate(rdataset);
                if (dns_rdataset_isassociated(sigrdataset))
                        dns_rdataset_disassociate(sigrdataset);
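Review bot: The drop decision at `if (invalid && DNS_TRUST_PENDING(rdataset->trust))` re-reads `rdataset->trust` after `validate()` has already run on it, whereas the old code tested the trust level once, before the call; whether a failed `validate()` can leave `rdataset->trust` changed is not visible in this hunk, and if it can, a dataset that entered as pending could be classified differently on the way out. If the intent is that the drop applies to data that was pending when validation was attempted, the trust level should be captured before the call, e.g. `pending = DNS_TRUST_PENDING(rdataset->trust);` ahead of the `if (result == ISC_R_SUCCESS && ...` test and `if (invalid && pending) {` in place of the re-check; if `validate()` is known not to alter trust on failure, a one-line comment stating that above the re-check would settle the question for the next reader. The same pattern appears in the AAAA hunk that follows (new lines 2221-2240). Both `if` blocks run past the end of their hunks.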
@@ -2199,14 +2221,20 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
        result = dns_db_findrdataset(db, node, version, dns_rdatatype_aaaa,
                                     0, client->now, rdataset, sigrdataset);
        /*
-        * If we can't promote glue/pending from the cache to secure
-        * then drop it.
+        * Try to promote pending/glue from the cache to secure.
+        * If unable to do so, drop it from the response unless
+        * it's glue, in which case it may still be needed.
         */
+       invalid = ISC_FALSE;
        if (result == ISC_R_SUCCESS &&
            additionaltype == dns_rdatasetadditional_fromcache &&
-           DNS_TRUST_PENDING(rdataset->trust) &&
+           (DNS_TRUST_PENDING(rdataset->trust) ||
+            DNS_TRUST_GLUE(rdataset->trust)) &&
            !validate(client, db, fname, rdataset, sigrdataset))
        {
+               invalid = ISC_TRUE;
+       }
+       if (invalid && DNS_TRUST_PENDING(rdataset->trust)) {
                dns_rdataset_disassociate(rdataset);
                if (dns_rdataset_isassociated(sigrdataset))
                        dns_rdataset_disassociate(sigrdataset);