From: Mark Andrews Date: Thu, 24 Nov 2022 03:18:20 +0000 (+1100) Subject: Reduce the number of verifiations required X-Git-Tag: v9.19.12~24^2~4 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=e68fecbdaa0e7ad86322bfa5e977eb1944ba821e;p=thirdparty%2Fbind9.git Reduce the number of verifiations required In selfsigned_dnskey only call dns_dnssec_verify if the signature's key id matches a revoked key, the trust is pending and the key matches a trust anchor. Previously named was calling dns_dnssec_verify unconditionally resulted in busy work.
---
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index dcc98bd8f6d..617f03124e8 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -1287,26 +1287,50 @@ selfsigned_dnskey(dns_validator_t *val) {
 continue;
 }
- result = dns_dnssec_keyfromrdata(name, &keyrdata, mctx,
- &dstkey);
- if (result != ISC_R_SUCCESS) {
+ /*
+ * If the REVOKE bit is not set we have a
+ * theoretically self signed DNSKEY RRset.
+ * This will be verified later.
+ */
+ if ((key.flags & DNS_KEYFLAG_REVOKE) == 0) {
+ answer = true;
 continue;
 }
- result = dns_dnssec_verify(name, rdataset, dstkey, true,
- val->view->maxbits, mctx,
- &sigrdata, NULL);
- dst_key_free(&dstkey);
+ result = dns_dnssec_keyfromrdata(name, &keyrdata, mctx,
+ &dstkey);
 if (result != ISC_R_SUCCESS) {
 continue;
 }
- if ((key.flags & DNS_KEYFLAG_REVOKE) == 0) {
- answer = true;
- continue;
+ /*
+ * If this RRset is pending and it is trusted,
+ * see if it was self signed by this DNSKEY.
+ */
+ if (DNS_TRUST_PENDING(rdataset->trust) &&
+ dns_view_istrusted(val->view, name, &key))
+ {
+ result = dns_dnssec_verify(
+ name, rdataset, dstkey, true,
+ val->view->maxbits, mctx, &sigrdata,
+ NULL);
+ if (result == ISC_R_SUCCESS) {
+ /*
+ * The key with the REVOKE flag has
+ * self signed the RRset so it is no
+ * good.
+ */
+ dns_view_untrust(val->view, name, &key);
+ }
+ } else if (rdataset->trust >= dns_trust_secure) {
+ /*
+ * We trust this RRset so if the key is
+ * marked revoked remove it.
+ */
+ dns_view_untrust(val->view, name, &key);
 }
- dns_view_untrust(val->view, name, &key);
+ dst_key_free(&dstkey);
 }
 }
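Review bot: The new `else if (rdataset->trust >= dns_trust_secure)` branch calls dns_view_untrust on a key carrying DNS_KEYFLAG_REVOKE without checking that this key signed the RRset, whereas the removed code (and the pending-trust branch just above) only untrusts after dns_dnssec_verify succeeds with that key, so a secure DNSKEY RRset signed by a different trust anchor can now drop a key that has not self-signed its revocation, which is the condition RFC 5011 uses to treat a key as revoked. If skipping the self-signature check is deliberate because the RRset has already been validated, the comment should say so explicitly, e.g. `/* RRset already validated: a REVOKE-flagged key is removed without re-checking its self-signature. */`; otherwise the cheap fix is to perform the same dns_dnssec_verify in that branch before untrusting. That branch also omits the `dns_view_istrusted(val->view, name, &key)` guard used in the pending branch; presumably dns_view_untrust tolerates keys that are not trust anchors, but it is worth confirming. selfsigned_dnskey starts and ends outside this hunk.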