return ret;
}
+
+bool knot_dnssec_has_adt(const zone_contents_t *zone)
+{
+ const knot_rdataset_t *dk = node_rdataset(zone->apex, KNOT_RRTYPE_DNSKEY);
+ if (dk == NULL) {
+ return false;
+ }
+ knot_rdata_t *rd = dk->rdata;
+ for (int i = 0; i < dk->count; i++) {
+ if ((knot_dnskey_flags(rd) & KNOT_DNSKEY_FLAG_ADT)) {
+ return true;
+ }
+ rd = knot_rdataset_next(rd);
+ }
+
+ return false;
+}
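Review bot: knot_dnssec_has_adt dereferences `zone->apex` in its first statement without checking `zone`, so a caller that reaches it with NULL contents crashes instead of getting "no ADT key"; a guard `if (zone == NULL) { return false; }` ahead of the node_rdataset() call keeps the helper safe from every path, and whether node_rdataset() itself tolerates a NULL apex is not visible here. The rdata walk with `dk->count` and `knot_rdataset_next` follows the project's usual iteration, and the doubled parentheses in `if ((knot_dnskey_flags(rd) & KNOT_DNSKEY_FLAG_ADT))` can be reduced to one pair. The function that ends with `return ret;` above the addition lies outside the hunk.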
* \return KNOT_E*
*/
int knot_dnssec_validate_zone(zone_update_t *update, validation_conf_t *val_conf);
+
+/*!
+ * \brief Check if any DNSKEY in the apex has ADT bit set.
+ */
+bool knot_dnssec_has_adt(const zone_contents_t *zone);
/* Get answer to QNAME. */
qdata->name = knot_pkt_qname(qdata->query);
- qdata->deleg_aware = ((qdata->extra->contents->nodes->flags & ZONE_TREE_CONTAINS_DELEG) && knot_pkt_has_deleg_aware(qdata->query));
+ qdata->deleg_aware = knot_pkt_has_deleg_aware(qdata->query) &&
+ (qdata->extra->contents->nodes->flags & ZONE_TREE_DELEG_AWARE);
if (qdata->deleg_aware) {
knot_edns_set_de(&qdata->opt_rr);
}
return KNOT_EZONESIZE;
}
+ if ((update->new_cont->nodes->flags & ZONE_TREE_CONTAINS_DELEG) &&
+ node_rrtype_exists(update->new_cont->apex, KNOT_RRTYPE_DNSKEY) && !knot_dnssec_has_adt(update->new_cont)) {
+ log_zone_warning(update->zone->name, "contains DELEG record but no DNSKEY with ADT bit");
+ }
+
val = conf_zone_get(conf, C_DNSSEC_VALIDATION, update->zone->name);
if (conf_bool(&val)) {
validation_conf_t val_conf = {
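Review bot: The new warning condition calls `node_rrtype_exists(update->new_cont->apex, KNOT_RRTYPE_DNSKEY)` and then `knot_dnssec_has_adt(update->new_cont)`, which already returns false when the apex has no DNSKEY, so the only effect of the first call is to keep unsigned zones quiet; that intent should be written down, e.g. `/* Warn only for signed zones: DELEG without an ADT-flagged DNSKEY means the zone is served without DELEG-awareness. */`. The operator-facing message could likewise state the consequence, since the zone still loads and is simply answered as non-DELEG-aware, which is what the ZONE_TREE_DELEG_AWARE bit set during adjustment appears to govern. The enclosing function starts and ends outside the hunk.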
#include "knot/zone/adjust.h"
#include "knot/common/log.h"
+#include "knot/dnssec/zone-events.h"
#include "knot/dnssec/zone-nsec.h"
#include "knot/zone/adds_tree.h"
#include "knot/zone/measure.h"
assert(!(node->flags & NODE_FLAGS_DELETED));
+ if (parent == NULL && knot_dnssec_has_adt(ctx->zone)) {
+ ctx->zone->nodes->flags |= ZONE_TREE_DELEG_AWARE;
+ }
+
node->flags &= ~(NODE_FLAGS_DELEG | NODE_FLAGS_NONAUTH | NODE_FLAGS_SUBTREE_AUTH |
NODE_FLAGS_SUBTREE_DATA | NODE_FLAGS_NONAUTH_DELEG);
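Review bot: The apex branch only ever sets ZONE_TREE_DELEG_AWARE and nothing in this hunk clears it, so if the flags of `ctx->zone->nodes` are carried over from an earlier adjustment (which seems possible for contents derived from a previous version), a zone whose last ADT-flagged DNSKEY was removed would keep being answered DELEG-aware. Unless the bit is reset together with ZONE_TREE_CONTAINS_DELEG somewhere outside this hunk, the apex case should decide in both directions, as sketched below. The enclosing function starts and ends outside the hunk.
```c
	assert(!(node->flags & NODE_FLAGS_DELETED));
	if (parent == NULL) {
		if (knot_dnssec_has_adt(ctx->zone)) {
			ctx->zone->nodes->flags |= ZONE_TREE_DELEG_AWARE;
		} else {
			ctx->zone->nodes->flags &= ~ZONE_TREE_DELEG_AWARE;
		}
	}
	/* … unchanged: clearing of the NODE_FLAGS_* bits on the node … */
```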
ZONE_TREE_USE_BINODES = (1 << 0),
/*! If set, from each bi-node in the zone tree, the second zone_node_t is valid. */
ZONE_TREE_BINO_SECOND = (1 << 1),
- /*! Indication of presence of a DELEG record anywhere in the tree -- Knot only behaves as DELEG-aware if there is any. */
+ /*! Indication of presence of a DELEG record anywhere in the tree. */
ZONE_TREE_CONTAINS_DELEG = (1 << 2),
+ /*! DELEG-awareness of the zone. */
+ ZONE_TREE_DELEG_AWARE = (1 << 3),
};
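Review bot: The comment on ZONE_TREE_DELEG_AWARE says only "DELEG-awareness of the zone" and leaves the reader to discover how the bit is derived; since this commit sets it during adjustment from the apex DNSKEY ADT flag and reads it when deciding whether a query is answered DELEG-aware, say so: `/*! The zone is served DELEG-aware: set during adjustment when an apex DNSKEY carries the ADT flag. */`. The trimmed comment on ZONE_TREE_CONTAINS_DELEG is consistent with that, as the presence bit alone no longer drives the behaviour.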
typedef struct {