Fail processing incoming DNS message on first validation failure
authorMark Andrews <marka@isc.org>
Wed, 22 Nov 2023 05:59:03 +0000 (16:59 +1100)
committerMichał Kępień <michal@isc.org>
Thu, 1 Feb 2024 20:51:07 +0000 (21:51 +0100)
Stop DNS validation of a message as soon as the first signature
verification failure occurs, instead of retrying with other candidate keys.

(cherry picked from commit 0add2934775dcfb05ea6ff9849c8c0c4a65fb009)

lib/dns/include/dns/validator.h
lib/dns/validator.c

index b435cd67fba73356a30c60b8f1dbcc782745475a..c5d7a31a419d9f06a82041fdaf95c7985fd7ebcc 100644 (file)
@@ -149,6 +149,7 @@ struct dns_validator {
        unsigned int  depth;
        unsigned int  authcount;
        unsigned int  authfail;
+       bool          failed;
        isc_stdtime_t start;
 };
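Review bot: The new `failed` member at the bottom of the hunk is the only field here without any indication of its contract, and since it is only ever set to true in the .c hunks, readers need to know it is sticky and where it is reset. I would document it inline as `bool failed; /* a signature failed to verify; stop validating this message (never cleared during a validation) */`. The struct starts outside the hunk, so I cannot see whether sibling fields carry `/*%<` doc comments; match whatever style they use.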
 
index 8bec8fed6c5334012ef6e74cd5971715ef3c5d98..e8e840837d4f658c5af0ae1897a83a4acab1cc62 100644 (file)
@@ -1591,20 +1591,9 @@ validate_answer(dns_validator_t *val, bool resume) {
                        continue;
                }
 
-               do {
-                       isc_result_t tresult;
-                       vresult = verify(val, val->key, &rdata,
-                                        val->siginfo->keyid);
-                       if (vresult == ISC_R_SUCCESS) {
-                               break;
-                       }
-
-                       tresult = select_signing_key(val, val->keyset);
-                       if (tresult != ISC_R_SUCCESS) {
-                               break;
-                       }
-               } while (1);
+               vresult = verify(val, val->key, &rdata, val->siginfo->keyid);
                if (vresult != ISC_R_SUCCESS) {
+                       val->failed = true;
                        validator_log(val, ISC_LOG_DEBUG(3),
                                      "failed to verify rdataset");
                } else {
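Review bot: The single `verify()` call that replaces the loop at the top of the hunk now fails the whole message on the first non-matching key, including the case where the first key selected merely shares a key tag with the real signer, and nothing in the new code says that this is deliberate rather than a regression. A short why-comment before the call would protect it from being "fixed" back, e.g. `/* Verify with the selected key only: retrying with further candidate keys on failure (the old loop) lets an attacker force many signature checks per RRSIG, so the first failure ends validation. */`. The surrounding loop and `validate_answer()` itself begin before this hunk, and nothing visible initialises `val->failed`; unless `dns_validator_create()` zero-initialises the struct, the flag needs an explicit `val->failed = false` there, otherwise the break added in the next hunk can fire on stale memory.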
@@ -1641,9 +1630,13 @@ validate_answer(dns_validator_t *val, bool resume) {
                } else {
                        validator_log(val, ISC_LOG_DEBUG(3),
                                      "verify failure: %s",
-                                     isc_result_totext(result));
+                                     isc_result_totext(vresult));
                        resume = false;
                }
+               if (val->failed) {
+                       result = ISC_R_NOMORE;
+                       break;
+               }
        }
        if (result != ISC_R_NOMORE) {
                validator_log(val, ISC_LOG_DEBUG(3),
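Review bot: The added `if (val->failed)` block overwrites `result` with `ISC_R_NOMORE` before breaking, so the post-loop check `if (result != ISC_R_NOMORE)` can no longer tell a hard signature failure from simply running out of RRSIGs, and the real `vresult` is lost to whatever handling follows outside the hunk. If that shared path is intended, say so at the break: `/* First failure is final: report it as if the signatures were exhausted so the caller takes the "no valid signature" path. */`; if the caller should instead see the verification error, keep `result` and test `val->failed` after the loop. Note the `validator_log()` one line above still logs `vresult` for every failed signature, which is the right place to also print the key id that was tried, since only one is tried now. The end of `validate_answer()` is outside the hunk, so I cannot confirm which outcome the caller receives.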