2238. [bug] check_ds() could be called with a non DS rdataset.
authorMark Andrews <marka@isc.org>
Mon, 18 Feb 2008 23:08:27 +0000 (23:08 +0000)
committerMark Andrews <marka@isc.org>
Mon, 18 Feb 2008 23:08:27 +0000 (23:08 +0000)
                        [RT #17598]

CHANGES
lib/dns/validator.c

diff --git a/CHANGES b/CHANGES
index b8fba76c32502329d4d817777a4b4c445062a0cf..697fed86521626ff79edd929809c74cee79061a3 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2238.  [bug]           check_ds() could be called with a non DS rdataset.
+                       [RT #17598]
+
 2237.  [bug]           BUILD_LDFLAGS was not being correctly set.  [RT #17614]
 
        --- 9.3.5rc1 released ---
index 05b1caa2db57d5e70170ffa276de5bd49ca94e02..3de7b7252437f8305527450186b13e2226e7a1fc 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: validator.c,v 1.91.2.5.8.38 2008/01/17 23:45:28 tbox Exp $ */
+/* $Id: validator.c,v 1.91.2.5.8.39 2008/02/18 23:08:27 marka Exp $ */
 
 #include <config.h>
 
@@ -132,7 +132,8 @@ static isc_result_t
 nsecvalidate(dns_validator_t *val, isc_boolean_t resume);
 
 static isc_result_t
-proveunsecure(dns_validator_t *val, isc_boolean_t resume);
+proveunsecure(dns_validator_t *val, isc_boolean_t have_ds,
+             isc_boolean_t resume);
 
 static void
 validator_logv(dns_validator_t *val, isc_logcategory_t *category,
@@ -398,7 +399,7 @@ dsfetched(isc_task_t *task, isc_event_t *event) {
                              "falling back to insecurity proof (%s)",
                              dns_result_totext(eresult));
                val->attributes |= VALATTR_INSECURITY;
-               result = proveunsecure(val, ISC_FALSE);
+               result = proveunsecure(val, ISC_FALSE, ISC_FALSE);
                if (result != DNS_R_WAIT)
                        validator_done(val, result);
        } else {
@@ -477,7 +478,7 @@ dsfetched2(isc_task_t *task, isc_event_t *event) {
                                        validator_done(val, result);
                        }
                } else {
-                       result = proveunsecure(val, ISC_TRUE);
+                       result = proveunsecure(val, ISC_FALSE, ISC_TRUE);
                        if (result != DNS_R_WAIT)
                                validator_done(val, result);
                }
@@ -490,7 +491,8 @@ dsfetched2(isc_task_t *task, isc_event_t *event) {
                 * In either case we are still in a secure zone resume
                 * validation.
                 */
-               result = proveunsecure(val, ISC_TRUE);
+               result = proveunsecure(val, ISC_TF(eresult == ISC_R_SUCCESS),
+                                      ISC_TRUE);
                if (result != DNS_R_WAIT)
                        validator_done(val, result);
        } else {
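Review bot: The call in dsfetched2() now derives `have_ds` from `eresult == ISC_R_SUCCESS`, but the comment above it still only says that validation resumes in either case. A one-line comment such as `/* val->frdataset holds a DS rdataset only when the fetch succeeded. */` would record why the two cases must be told apart before check_ds() is reached. The condition that selects this branch is outside the hunk, so the exact set of non-success results that arrive here cannot be confirmed from this view.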
@@ -591,7 +593,7 @@ dsvalidated(isc_task_t *task, isc_event_t *event) {
                validator_log(val, ISC_LOG_DEBUG(3),
                              "dsset with trust %d", val->frdataset.trust);
                if ((val->attributes & VALATTR_INSECURITY) != 0)
-                       result = proveunsecure(val, ISC_TRUE);
+                       result = proveunsecure(val, ISC_TRUE, ISC_TRUE);
                else
                        result = validatezonekey(val);
                if (result != DNS_R_WAIT)
@@ -2181,7 +2183,7 @@ nsecvalidate(dns_validator_t *val, isc_boolean_t resume) {
                      "nonexistence proof(s) not found");
        val->attributes |= VALATTR_AUTHNONPENDING;
        val->attributes |= VALATTR_INSECURITY;
-       return (proveunsecure(val, ISC_FALSE));
+       return (proveunsecure(val, ISC_FALSE, ISC_FALSE));
 }
 
 static isc_boolean_t
@@ -2454,7 +2456,8 @@ finddlvsep(dns_validator_t *val, isc_boolean_t resume) {
  * \li DNS_R_NOTINSECURE
  */
 static isc_result_t
-proveunsecure(dns_validator_t *val, isc_boolean_t resume) {
+proveunsecure(dns_validator_t *val, isc_result_t have_ds, isc_boolean_t resume)
+{
        isc_result_t result;
        dns_fixedname_t fixedsecroot;
        dns_name_t *secroot;
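Review bot: The definition declares `have_ds` as `isc_result_t`, while the forward declaration changed earlier in this diff uses `isc_boolean_t` and every caller passes `ISC_TRUE`, `ISC_FALSE` or `ISC_TF(...)`. Whether the two declarations are compatible depends on how the compiler represents the boolean typedef, so this may build on some toolchains and be rejected on others; the signature should read `proveunsecure(dns_validator_t *val, isc_boolean_t have_ds, isc_boolean_t resume)`. The doc comment ending just above the signature (it starts outside the hunk) should also gain a line saying that `have_ds` states whether `val->frdataset` holds a DS rdataset, and that it appears to be consulted only on the resume path.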
@@ -2502,12 +2505,19 @@ proveunsecure(dns_validator_t *val, isc_boolean_t resume) {
                val->labels = dns_name_countlabels(secroot) + 1;
        } else {
                validator_log(val, ISC_LOG_DEBUG(3), "resuming proveunsecure");
-               if (val->frdataset.trust >= dns_trust_secure &&
+               /*
+                * If we have a DS rdataset and it is secure then check if
+                * the DS rdataset has a supported algorithm combination.
+                * If not this is a insecure delegation as far as this
+                * resolver is concerned.  Fall back to DLV if available.
+                */
+               if (have_ds && val->frdataset.trust >= dns_trust_secure &&
                    !check_ds(val, dns_fixedname_name(&val->fname),
                              &val->frdataset)) {
                        dns_name_format(dns_fixedname_name(&val->fname),
                                        namebuf, sizeof(namebuf));
-                       if (val->mustbesecure) {
+                       if ((val->view->dlv == NULL || DLVTRIED(val)) &&
+                           val->mustbesecure) {
                                validator_log(val, ISC_LOG_WARNING,
                                              "must be secure failure at '%s'",
                                              namebuf);
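Review bot: The new inner test `(val->view->dlv == NULL || DLVTRIED(val)) && val->mustbesecure` postpones the must-be-secure failure whenever DLV is configured and not yet tried, but the added comment only explains the `have_ds` guard. A short comment on that test would help, for example `/* Only fail must-be-secure once DLV is unavailable or has already been tried. */`. The branch taken when the test is false lies outside this hunk, so it is worth confirming there that `val->mustbesecure` is still enforced after the DLV lookup completes rather than the name being accepted as insecure. The added comment also reads "a insecure delegation" where "an insecure delegation" is meant.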
@@ -2751,7 +2761,7 @@ validator_start(isc_task_t *task, isc_event_t *event) {
                        validator_log(val, ISC_LOG_DEBUG(3),
                                      "falling back to insecurity proof");
                        val->attributes |= VALATTR_INSECURITY;
-                       result = proveunsecure(val, ISC_FALSE);
+                       result = proveunsecure(val, ISC_FALSE, ISC_FALSE);
                        if (result == DNS_R_NOTINSECURE)
                                result = saved_result;
                }
@@ -2765,7 +2775,7 @@ validator_start(isc_task_t *task, isc_event_t *event) {
                              "attempting insecurity proof");
 
                val->attributes |= VALATTR_INSECURITY;
-               result = proveunsecure(val, ISC_FALSE);
+               result = proveunsecure(val, ISC_FALSE, ISC_FALSE);
        } else if (val->event->rdataset == NULL &&
                   val->event->sigrdataset == NULL)
        {