Clarify logged message when an insecure DNSSEC response arrives from a zone
authorEvan Hunt <each@isc.org>
Sun, 1 Mar 2009 02:45:38 +0000 (02:45 +0000)
committerEvan Hunt <each@isc.org>
Sun, 1 Mar 2009 02:45:38 +0000 (02:45 +0000)
thought to be secure: "insecurity proof failed" instead of "not insecure".
[RT #19400]

CHANGES
bin/named/builtin.c
lib/dns/resolver.c
lib/dns/result.c
lib/dns/validator.c

diff --git a/CHANGES b/CHANGES
index 1d81d5eb5c47f661e650b594ab77bd87257ea873..552b98751816f3177f76539329343932081d2eb0 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,8 @@
+2566.  [cleanup]       Clarify logged message when an insecure DNSSEC
+                       response arrives from a zone thought to be secure:
+                       "insecurity proof failed" instead of "not
+                       insecure". [RT #19400]
+
 2565.  [func]          Add support for HIP record.  Includes new functions
                        dns_rdata_hip_first(), dns_rdata_hip_next()
                        and dns_rdata_hip_current().  [RT #19384]
index 8cf5b23348942345ceef320a65601ace9edfc431..b4a4b1aca1122f9b776d562d4ba1bd2dc44c03c8 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: builtin.c,v 1.14 2009/02/18 23:47:48 tbox Exp $ */
+/* $Id: builtin.c,v 1.15 2009/03/01 02:45:38 each Exp $ */
 
 /*! \file
  * \brief
@@ -132,6 +132,7 @@ do_authors_lookup(dns_sdblookup_t *lookup) {
                "Michael Graff",
                "Andreas Gustafsson",
                "Bob Halley",
+               "Evan Hunt",
                "David Lawrence",
                "Danny Mayer",
                "Damien Neil",
index df79dc79d9571ba967d8ffa48b8fa5c8424270f3..f0b0236def9f6cf4206b2593950e5709c2ffd255 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: resolver.c,v 1.393 2009/02/27 23:01:48 marka Exp $ */
+/* $Id: resolver.c,v 1.394 2009/03/01 02:45:38 each Exp $ */
 
 /*! \file */
 
@@ -2126,7 +2126,7 @@ add_bad(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, isc_result_t reason,
        char code[64];
        isc_buffer_t b;
        isc_sockaddr_t *sa;
-       const char *sep1, *sep2;
+       const char *spc = "";
        isc_sockaddr_t *address = &addrinfo->sockaddr;
 
        if (reason == DNS_R_LAME)
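Review bot: The role of `spc` at the new declaration `const char *spc = "";` can only be recovered by reading the two `spc = " ";` assignments in the following hunk and the `"error (%s%s%s) resolving ..."` format in the hunk after that; a one-line comment at the declaration would save the reader that trip, e.g. `const char *spc = "";	/* " " when code[] holds rcode/opcode text, "" otherwise */`. The final `else` branch now leaves `spc` at its initializer rather than assigning it explicitly as the old `sep1`/`sep2` code did, which is fine but worth a word in the same comment so the asymmetry does not look accidental. add_bad() begins before this hunk and continues past the two hunks below it.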
@@ -2172,18 +2172,14 @@ add_bad(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, isc_result_t reason,
                isc_buffer_init(&b, code, sizeof(code) - 1);
                dns_rcode_totext(fctx->rmessage->rcode, &b);
                code[isc_buffer_usedlength(&b)] = '\0';
-               sep1 = "(";
-               sep2 = ") ";
+               spc = " ";
        } else if (reason == DNS_R_UNEXPECTEDOPCODE) {
                isc_buffer_init(&b, code, sizeof(code) - 1);
                dns_opcode_totext((dns_opcode_t)fctx->rmessage->opcode, &b);
                code[isc_buffer_usedlength(&b)] = '\0';
-               sep1 = "(";
-               sep2 = ") ";
+               spc = " ";
        } else {
                code[0] = '\0';
-               sep1 = "";
-               sep2 = "";
        }
        dns_name_format(&fctx->name, namebuf, sizeof(namebuf));
        dns_rdatatype_format(fctx->type, typebuf, sizeof(typebuf));
@@ -2191,8 +2187,8 @@ add_bad(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, isc_result_t reason,
        isc_sockaddr_format(address, addrbuf, sizeof(addrbuf));
        isc_log_write(dns_lctx, DNS_LOGCATEGORY_LAME_SERVERS,
                      DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
-                     "%s %s%s%sresolving '%s/%s/%s': %s",
-                     dns_result_totext(reason), sep1, code, sep2,
+                     "error (%s%s%s) resolving '%s/%s/%s': %s",
+                     dns_result_totext(reason), spc, code,
                      namebuf, typebuf, classbuf, addrbuf);
 }
 
index 54c70e0e9088f673d8e7582278b649988808682d..7265d28d48fd6967a152cec65191093c99483688 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: result.c,v 1.125 2008/09/25 04:02:38 tbox Exp $ */
+/* $Id: result.c,v 1.126 2009/03/01 02:45:38 each Exp $ */
 
 /*! \file */
 
@@ -105,7 +105,7 @@ static const char *text[DNS_R_NRESULTS] = {
        "no valid RRSIG",                      /*%< 59 DNS_R_NOVALIDSIG */
 
        "no valid NSEC",                       /*%< 60 DNS_R_NOVALIDNSEC */
-       "not insecure",                        /*%< 61 DNS_R_NOTINSECURE */
+       "insecurity proof failed",             /*%< 61 DNS_R_NOTINSECURE */
        "unknown service",                     /*%< 62 DNS_R_UNKNOWNSERVICE */
        "recoverable error occurred",          /*%< 63 DNS_R_RECOVERABLE */
        "unknown opt attribute record",        /*%< 64 DNS_R_UNKNOWNOPT */
index 5874750dd19409100d4121352a4218fa670caee4..0c9477de7d7788c736512a2a2b18738be9df7791 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: validator.c,v 1.169 2009/02/15 23:46:23 marka Exp $ */
+/* $Id: validator.c,v 1.170 2009/03/01 02:45:38 each Exp $ */
 
 #include <config.h>
 
@@ -3222,7 +3222,7 @@ proveunsecure(dns_validator_t *val, isc_boolean_t have_ds, isc_boolean_t resume)
                /*
                 * If we have a DS rdataset and it is secure then check if
                 * the DS rdataset has a supported algorithm combination.
-                * If not this is a insecure delegation as far as this
+                * If not this is an insecure delegation as far as this
                 * resolver is concerned.  Fall back to DLV if available.
                 */
                if (have_ds && val->frdataset.trust >= dns_trust_secure &&
@@ -3276,7 +3276,7 @@ proveunsecure(dns_validator_t *val, isc_boolean_t have_ds, isc_boolean_t resume)
                if (result == DNS_R_NXRRSET || result == DNS_R_NCACHENXRRSET) {
                        /*
                         * There is no DS.  If this is a delegation,
-                        * we maybe done.
+                        * we may be done.
                         */
                        if (val->frdataset.trust == dns_trust_pending) {
                                result = create_fetch(val, tname,
@@ -3394,9 +3394,9 @@ proveunsecure(dns_validator_t *val, isc_boolean_t have_ds, isc_boolean_t resume)
                return (nsecvalidate(val, ISC_FALSE));
        }
 */
-
+       /* Couldn't complete insecurity proof */
        validator_log(val, ISC_LOG_DEBUG(3), "insecurity proof failed");
-       return (DNS_R_NOTINSECURE); /* Couldn't complete insecurity proof */
+       return (DNS_R_NOTINSECURE);
 
  out:
        if (dns_rdataset_isassociated(&val->frdataset))
@@ -3435,7 +3435,7 @@ dlv_validator_start(dns_validator_t *val) {
  * \li 3. a negative answer (secure or unsecure).
  *
  * Note a answer that appears to be a secure positive answer may actually
- * be a unsecure positive answer.
+ * be an unsecure positive answer.
  */
 static void
 validator_start(isc_task_t *task, isc_event_t *event) {
@@ -3500,6 +3500,10 @@ validator_start(isc_task_t *task, isc_event_t *event) {
 
                val->attributes |= VALATTR_INSECURITY;
                result = proveunsecure(val, ISC_FALSE, ISC_FALSE);
+               if (result != DNS_R_NOTINSECURE)
+                       validator_log(val, ISC_LOG_INFO,
+                                     "got insecure response; "
+                                     "could not prove it was valid");
        } else if (val->event->rdataset == NULL &&
                   val->event->sigrdataset == NULL)
        {
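Review bot: The new condition `if (result != DNS_R_NOTINSECURE)` looks inverted: the validator.c hunk at @@ -3394 shows proveunsecure() returning DNS_R_NOTINSECURE precisely when the insecurity proof could not be completed, so as written the INFO message "got insecure response; could not prove it was valid" is emitted on every other outcome — a successful insecurity proof and, if the create_fetch() path visible at @@ -3276 yields a pending result, one that is not finished yet — and is suppressed in the one case the commit title describes. The comparison should presumably read `if (result == DNS_R_NOTINSECURE)`. validator_start() continues past the end of this hunk, so I cannot see whether a later branch compensates, but nothing in the hunk does.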