}
/*%
- * Mark the RRsets as a answer.
+ * Mark the rdatasets in val->event with trust level "answer",
+ * indicating that they did not validate, but could be cached as insecure.
+ *
+ * If we are validating a name that is marked as "must be secure", log a
+ * warning and return DNS_R_MUSTBESECURE instead.
*/
-static inline void
-markanswer(dns_validator_t *val, const char *where) {
+static inline isc_result_t
+markanswer(dns_validator_t *val, const char *where, const char *mbstext) {
+ if (val->mustbesecure && mbstext != NULL) {
+ validator_log(val, ISC_LOG_WARNING,
+ "must be secure failure, %s", mbstext);
+ return (DNS_R_MUSTBESECURE);
+ }
+
validator_log(val, ISC_LOG_DEBUG(3), "marking as answer (%s)", where);
if (val->event->rdataset != NULL) {
dns_rdataset_settrust(val->event->rdataset, dns_trust_answer);
dns_rdataset_settrust(val->event->sigrdataset,
dns_trust_answer);
}
+
+ return (ISC_R_SUCCESS);
}
+/*%
+ * Mark the RRsets with trust level secure.
+ */
static inline void
marksecure(dns_validatorevent_t *event) {
dns_rdataset_settrust(event->rdataset, dns_trust_secure);
validator_done(val, DNS_R_BROKENCHAIN);
}
}
+
want_destroy = exit_check(val);
UNLOCK(&val->lock);
+
if (fetch != NULL) {
dns_resolver_destroyfetch(&fetch);
}
+
if (want_destroy) {
destroy(val);
}
validator_done(val, DNS_R_BROKENCHAIN);
}
}
+
want_destroy = exit_check(val);
UNLOCK(&val->lock);
+
if (fetch != NULL) {
dns_resolver_destroyfetch(&fetch);
}
+
if (want_destroy) {
destroy(val);
}
*/
tname = dns_fixedname_name(&devent->foundname);
if (eresult != DNS_R_CNAME &&
- isdelegation(tname, &val->frdataset, eresult)) {
- if (val->mustbesecure) {
- validator_log(val, ISC_LOG_WARNING,
- "must be secure failure, no DS"
- " and this is a delegation");
- validator_done(val, DNS_R_MUSTBESECURE);
- } else {
- markanswer(val, "dsfetched2");
- validator_done(val, ISC_R_SUCCESS);
- }
+ isdelegation(tname, &val->frdataset, eresult))
+ {
+ result = markanswer(val, "dsfetched2",
+ "no DS and this is a delegation");
+ validator_done(val, result);
} else {
result = proveunsecure(val, false, true);
if (result != DNS_R_WAIT) {
validator_done(val, DNS_R_NOVALIDDS);
}
}
+
isc_event_free(&event);
want_destroy = exit_check(val);
UNLOCK(&val->lock);
+
if (fetch != NULL) {
dns_resolver_destroyfetch(&fetch);
}
+
if (want_destroy) {
destroy(val);
}
isc_result_totext(eresult));
validator_done(val, DNS_R_BROKENCHAIN);
}
+
want_destroy = exit_check(val);
UNLOCK(&val->lock);
if (want_destroy) {
NEGATIVE(&val->frdataset) &&
isdelegation(name, &val->frdataset, DNS_R_NCACHENXRRSET))
{
- if (val->mustbesecure) {
- validator_log(val, ISC_LOG_WARNING,
- "must be secure failure, no DS "
- "and this is a delegation");
- result = DNS_R_MUSTBESECURE;
- } else {
- markanswer(val, "dsvalidated");
- result = ISC_R_SUCCESS;
- }
+ result = markanswer(val, "dsvalidated",
+ "no DS and this is a delegation");
} else if ((val->attributes & VALATTR_INSECURITY) != 0) {
result = proveunsecure(val, have_dsset, true);
} else {
isc_result_totext(eresult));
validator_done(val, DNS_R_BROKENCHAIN);
}
+
want_destroy = exit_check(val);
UNLOCK(&val->lock);
if (want_destroy) {
isc_result_totext(eresult));
validator_done(val, DNS_R_BROKENCHAIN);
}
+
want_destroy = exit_check(val);
UNLOCK(&val->lock);
if (want_destroy) {
validator_done(val, result);
}
}
+
want_destroy = exit_check(val);
UNLOCK(&val->lock);
if (want_destroy) {
found)
!= ISC_R_SUCCESS)
{
- if (val->mustbesecure) {
- validator_log(val, ISC_LOG_WARNING,
- "must be secure "
- "failure, not beneath "
- "secure root");
- return (DNS_R_MUSTBESECURE);
- }
validator_log(val, ISC_LOG_DEBUG(3),
- "not beneath secure root");
- markanswer(val, "validatezonekey (1)");
- return (ISC_R_SUCCESS);
+ "not beneath secure root");
+ return (markanswer(val, "validatezonekey (1)",
+ "not beneath secure root"));
}
if (result == DNS_R_PARTIALMATCH ||
result == ISC_R_SUCCESS)
INSIST(val->dsset != NULL);
if (val->dsset->trust < dns_trust_secure) {
- if (val->mustbesecure) {
- validator_log(val, ISC_LOG_WARNING,
- "must be secure failure,"
- " insecure DS");
- return (DNS_R_MUSTBESECURE);
- }
- markanswer(val, "validatezonekey (2)");
- return (ISC_R_SUCCESS);
+ return (markanswer(val, "validatezonekey (2)", "insecure DS"));
}
/*
validator_log(val, ISC_LOG_DEBUG(3), "marking as secure (DS)");
return (result);
} else if (result == ISC_R_NOMORE && !supported_algorithm) {
- if (val->mustbesecure) {
- validator_log(val, ISC_LOG_WARNING,
- "must be secure failure, "
- "no supported algorithm/digest (DS)");
- return (DNS_R_MUSTBESECURE);
- }
validator_log(val, ISC_LOG_DEBUG(3),
"no supported algorithm/digest (DS)");
- markanswer(val, "validatezonekey (3)");
- return (ISC_R_SUCCESS);
+ return (markanswer(val, "validatezonekey (3)",
+ "no supported algorithm/digest (DS)"));
} else {
validator_log(val, ISC_LOG_INFO,
"no valid signature found (DS)");
marksecure(val->event);
return (ISC_R_SUCCESS);
} else if (FOUNDOPTOUT(val) &&
- dns_name_countlabels(dns_fixedname_name(&val->wild))
- != 0)
+ dns_name_countlabels(dns_fixedname_name(&val->wild)) != 0)
{
validator_log(val, ISC_LOG_DEBUG(3),
"optout proof found");
val->event->optout = true;
- markanswer(val, "nsecvalidate (1)");
+ markanswer(val, "nsecvalidate (1)", NULL);
return (ISC_R_SUCCESS);
} else if ((val->attributes & VALATTR_FOUNDUNKNOWN) != 0) {
validator_log(val, ISC_LOG_DEBUG(3),
"unknown NSEC3 hash algorithm found");
- markanswer(val, "nsecvalidate (2)");
+ markanswer(val, "nsecvalidate (2)", NULL);
return (ISC_R_SUCCESS);
}
validator_log(val, ISC_LOG_DEBUG(3),
NULL, NULL) == ISC_R_SUCCESS &&
dns_name_equal(tname, found))
{
- if (val->mustbesecure) {
- validator_log(val, ISC_LOG_WARNING,
- "must be secure failure, "
- "no DS at zone cut");
- *resp = DNS_R_MUSTBESECURE;
- } else {
- markanswer(val, "proveunsecure (3)");
- *resp = ISC_R_SUCCESS;
- }
+ *resp = markanswer(val, "proveunsecure (3)",
+ "no DS at zone cut");
return (ISC_R_COMPLETE);
}
}
if (isdelegation(tname, &val->frdataset, result)) {
- if (val->mustbesecure) {
- validator_log(val, ISC_LOG_WARNING,
- "must be secure failure, "
- "%s is a delegation",
- namebuf);
- *resp = DNS_R_MUSTBESECURE;
- } else {
- markanswer(val, "proveunsecure (4)");
- *resp = ISC_R_SUCCESS;
- }
+ *resp = markanswer(val, "proveunsecure (4)",
+ "this is a delegation");
return (ISC_R_COMPLETE);
}
"no supported algorithm/"
"digest (%s/DS)",
namebuf);
- if (val->mustbesecure) {
- validator_log(val,
- ISC_LOG_WARNING,
- "must be secure failure, "
- "no supported algorithm/"
- "digest (%s/DS)",
- namebuf);
- *resp = DNS_R_MUSTBESECURE;
- } else {
- markanswer(val, "proveunsecure (5)");
- *resp = ISC_R_SUCCESS;
- }
+ *resp = markanswer(val, "proveunsecure (5)",
+ "no supported "
+ "algorithm/digest (DS)");
return (ISC_R_COMPLETE);
}
result = dns_keytable_finddeepestmatch(val->keytable, secroot, secroot);
if (result == ISC_R_NOTFOUND) {
- if (val->mustbesecure) {
- validator_log(val, ISC_LOG_WARNING,
- "must be secure failure, "
- "not beneath secure root");
- result = DNS_R_MUSTBESECURE;
- goto out;
- }
validator_log(val, ISC_LOG_DEBUG(3),
"not beneath secure root");
- markanswer(val, "proveunsecure (1)");
- return (ISC_R_SUCCESS);
+ return (markanswer(val, "proveunsecure (1)",
+ "not beneath secure root"));
} else if (result != ISC_R_SUCCESS) {
return (result);
}
{
dns_name_format(dns_fixedname_name(&val->fname),
namebuf, sizeof(namebuf));
- if (val->mustbesecure) {
- validator_log(val, ISC_LOG_WARNING,
- "must be secure failure at '%s'",
- namebuf);
- result = DNS_R_MUSTBESECURE;
- goto out;
- }
validator_log(val, ISC_LOG_DEBUG(3),
"no supported algorithm/digest (%s/DS)",
namebuf);
- markanswer(val, "proveunsecure (2)");
- result = ISC_R_SUCCESS;
+ result = markanswer(val, "proveunsecure (2)", namebuf);
goto out;
}
val->labels++;
validator_log(val, ISC_LOG_DEBUG(4), "dns_validator_destroy");
want_destroy = exit_check(val);
-
UNLOCK(&val->lock);
-
if (want_destroy) {
destroy(val);
}
projects / thirdparty / bind9.git / commitdiff
