Reduce the number of verifiations required
authorMark Andrews <marka@isc.org>
Thu, 24 Nov 2022 03:18:20 +0000 (14:18 +1100)
committerPetr Špaček <pspacek@isc.org>
Mon, 3 Apr 2023 15:48:31 +0000 (17:48 +0200)
In selfsigned_dnskey only call dns_dnssec_verify if the signature's
key id matches a revoked key, the trust is pending and the key
matches a trust anchor.  Previously named called dns_dnssec_verify
unconditionally, which resulted in busy work.

(cherry picked from commit e68fecbdaa0e7ad86322bfa5e977eb1944ba821e)

lib/dns/validator.c

index 99c9fd0a266beeeeaf56113828786d678857eef7..6cf717f870293ea057ecf6f3a715599d9c2fcd0c 100644 (file)
@@ -1397,26 +1397,50 @@ selfsigned_dnskey(dns_validator_t *val) {
                                continue;
                        }
 
-                       result = dns_dnssec_keyfromrdata(name, &keyrdata, mctx,
-                                                        &dstkey);
-                       if (result != ISC_R_SUCCESS) {
+                       /*
+                        * If the REVOKE bit is not set we have a
+                        * theoretically self signed DNSKEY RRset.
+                        * This will be verified later.
+                        */
+                       if ((key.flags & DNS_KEYFLAG_REVOKE) == 0) {
+                               answer = true;
                                continue;
                        }
 
-                       result = dns_dnssec_verify(name, rdataset, dstkey, true,
-                                                  val->view->maxbits, mctx,
-                                                  &sigrdata, NULL);
-                       dst_key_free(&dstkey);
+                       result = dns_dnssec_keyfromrdata(name, &keyrdata, mctx,
+                                                        &dstkey);
                        if (result != ISC_R_SUCCESS) {
                                continue;
                        }
 
-                       if ((key.flags & DNS_KEYFLAG_REVOKE) == 0) {
-                               answer = true;
-                               continue;
+                       /*
+                        * If this RRset is pending and it is trusted,
+                        * see if it was self signed by this DNSKEY.
+                        */
+                       if (DNS_TRUST_PENDING(rdataset->trust) &&
+                           dns_view_istrusted(val->view, name, &key))
+                       {
+                               result = dns_dnssec_verify(
+                                       name, rdataset, dstkey, true,
+                                       val->view->maxbits, mctx, &sigrdata,
+                                       NULL);
+                               if (result == ISC_R_SUCCESS) {
+                                       /*
+                                        * The key with the REVOKE flag has
+                                        * self signed the RRset so it is no
+                                        * good.
+                                        */
+                                       dns_view_untrust(val->view, name, &key);
+                               }
+                       } else if (rdataset->trust >= dns_trust_secure) {
+                               /*
+                                * We trust this RRset so if the key is
+                                * marked revoked remove it.
+                                */
+                               dns_view_untrust(val->view, name, &key);
                        }
 
-                       dns_view_untrust(val->view, name, &key);
+                       dst_key_free(&dstkey);
                }
        }