Handle DNS_R_NCACHENXRRSET in fetch_callback_{dnskey,validator}()
authorMark Andrews <marka@isc.org>
Wed, 28 Oct 2020 00:58:38 +0000 (11:58 +1100)
committerMark Andrews <marka@isc.org>
Thu, 29 Oct 2020 21:25:03 +0000 (08:25 +1100)
DNS_R_NCACHENXRRSET can be returned when zones are in a transition state
from being unsigned to signed and signed to unsigned.  The validation
should be resumed and should result in an insecure answer.

(cherry picked from commit 718e597def1daaae7edf9b151f6b24e0acc5c87a)

lib/dns/validator.c

index 1605261a48616cae3cd09b3181dd9a8428be6219..9d966f7bb17669f53759eafdf933e6b0390d338b 100644 (file)
@@ -418,17 +418,24 @@ fetch_callback_validator(isc_task_t *task, isc_event_t *event) {
        val->fetch = NULL;
        if (CANCELED(val)) {
                validator_done(val, ISC_R_CANCELED);
-       } else if (eresult == ISC_R_SUCCESS) {
-               validator_log(val, ISC_LOG_DEBUG(3),
-                             "keyset with trust %s",
+       } else if (eresult == ISC_R_SUCCESS || eresult == DNS_R_NCACHENXRRSET) {
+               /*
+                * We have an answer to our DNSKEY query.  Either the DNSKEY
+                * RRset or a NODATA response.
+                */
+               validator_log(val, ISC_LOG_DEBUG(3), "%s with trust %s",
+                             eresult == ISC_R_SUCCESS ? "keyset"
+                                                      : "NCACHENXRRSET",
                              dns_trust_totext(rdataset->trust));
                /*
-                * Only extract the dst key if the keyset is secure.
+                * Only extract the dst key if the keyset exists and is secure.
                 */
-               if (rdataset->trust >= dns_trust_secure) {
+               if (eresult == ISC_R_SUCCESS &&
+                   rdataset->trust >= dns_trust_secure) {
                        result = get_dst_key(val, val->siginfo, rdataset);
-                       if (result == ISC_R_SUCCESS)
+                       if (result == ISC_R_SUCCESS) {
                                val->keyset = &val->frdataset;
+                       }
                }
                result = validate(val, true);
                if (result == DNS_R_NOVALIDSIG &&
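Review bot: In the `DNS_R_NCACHENXRRSET` arm of fetch_callback_validator(), validation resumes through `validate(val, true)` with `val->keyset` left unset, and nothing visible in the hunk checks the trust level of the negative answer beyond logging it. Whether an unvalidated NODATA for the DNSKEY could steer the validator to an insecure result for a zone that is in fact signed depends on code outside the hunk (validate() and the DNS_R_NOVALIDSIG handling that follows), so that dependency deserves a comment at the key-extraction check, e.g. `/* NODATA: no key is extracted; "insecure" must come from a proven insecure delegation, not from this response alone. */`. A system test covering the signed-to-unsigned transition would pin the intended outcome. The function body starts before and continues past this hunk.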