From 4a4605fbefd74ae8417f4601950e313ea2977eba Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Wed, 28 Oct 2020 11:58:38 +1100
Subject: [PATCH] Handle DNS_R_NCACHENXRRSET in fetch_callback_{dnskey,validator}()

DNS_R_NCACHENXRRSET can be return when zones are in transition state from being unsigned to signed and signed to unsigned. The validation should be resumed and should result in a insecure answer.

(cherry picked from commit 718e597def1daaae7edf9b151f6b24e0acc5c87a)
---
 lib/dns/validator.c | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index 1605261a486..9d966f7bb17 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -418,17 +418,24 @@ fetch_callback_validator(isc_task_t *task, isc_event_t *event) {
 val->fetch = NULL;
 if (CANCELED(val)) {
 validator_done(val, ISC_R_CANCELED);
- } else if (eresult == ISC_R_SUCCESS) {
- validator_log(val, ISC_LOG_DEBUG(3),
- "keyset with trust %s",
+ } else if (eresult == ISC_R_SUCCESS || eresult == DNS_R_NCACHENXRRSET) {
+ /*
+ * We have an answer to our DNSKEY query. Either the DNSKEY
+ * RRset or a NODATA response.
+ */
+ validator_log(val, ISC_LOG_DEBUG(3), "%s with trust %s",
+ eresult == ISC_R_SUCCESS ? "keyset"
+ : "NCACHENXRRSET",
 dns_trust_totext(rdataset->trust));
 /*
- * Only extract the dst key if the keyset is secure.
+ * Only extract the dst key if the keyset exists and is secure.
 */
- if (rdataset->trust >= dns_trust_secure) {
+ if (eresult == ISC_R_SUCCESS &&
+ rdataset->trust >= dns_trust_secure) {
 result = get_dst_key(val, val->siginfo, rdataset);
- if (result == ISC_R_SUCCESS)
+ if (result == ISC_R_SUCCESS) {
 val->keyset = &val->frdataset;
+ }
 }
 result = validate(val, true);
 if (result == DNS_R_NOVALIDSIG &&
-- 
2.47.3
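Review bot: The NCACHENXRRSET branch still passes `rdataset->trust` to `dns_trust_totext()` on the log line, which is only meaningful if the resolver associates the negative-cache rdataset with `val->frdataset` on a NODATA result; if it does not, that log reads trust from an unassociated rdataset, so this is worth confirming against the fetch code. The new comment also stops short of saying what the NODATA path is expected to do; a line such as `* A NODATA answer leaves val->keyset unset; validate() is still resumed and the NOVALIDSIG fallback below decides the outcome.` would make the intent explicit, though the `if (result == DNS_R_NOVALIDSIG &&` that handles it continues outside the hunk and the claim should be checked there. Separately, the subject names fetch_callback_dnskey() as well, but the diffstat (13 insertions, 6 deletions, a single hunk) only touches fetch_callback_validator(), so either the second callback still needs the same handling or the subject should be narrowed. fetch_callback_validator's body starts and ends outside the hunk.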