Commit 78cb3f07 authored by Marek Vavrusa's avatar Marek Vavrusa

lib/validate: scrubbed extra rrs in NS were checked

the validator module should ignore any data that
will be scrubbed, that includes non-authoritative
data outside current bailiwick. previously,
validator attempted to ignore these records only
for answer section and had a special case for NS
records.

cache: non-authoritative NS records are always
unchecked and must be treated as insecure

affected: www.iana.org trying to provide
delegation information for CNAME target, which is
moot with CNAME target explicit-fetch policy unless
the resolver already knows DNSKEY with which
it could verify the records
parent aecaf1f2
......@@ -177,10 +177,15 @@ static int commit_rr(const char *key, void *val, void *data)
/* Save RRSIG in a special cache. */
uint16_t rank = KEY_FLAG_RANK(key);
if (baton->qry->flags & QUERY_DNSSEC_WANT)
rank |= KR_RANK_SECURE;
if (baton->qry->flags & QUERY_DNSSEC_INSECURE)
rank |= KR_RANK_INSECURE;
/* Non-authoritative NSs should never be trusted,
* it may be present in an otherwise secure answer but it
* is only a hint for local state. */
if (rr->type != KNOT_RRTYPE_NS || (rank & KR_RANK_AUTH)) {
if (baton->qry->flags & QUERY_DNSSEC_WANT)
rank |= KR_RANK_SECURE;
if (baton->qry->flags & QUERY_DNSSEC_INSECURE)
rank |= KR_RANK_INSECURE;
}
if (KEY_COVERING_RRSIG(key)) {
return commit_rrsig(baton, rank, rr);
}
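Review bot: The guard `if (rr->type != KNOT_RRTYPE_NS || (rank & KR_RANK_AUTH))` leaves a non-authoritative NS with neither KR_RANK_SECURE nor KR_RANK_INSECURE set, while the commit message says such records "must be treated as insecure". If every consumer of the rank reads the absence of KR_RANK_SECURE as insecure this works, but the intent is clearer and less fragile if the skipped case sets it explicitly, e.g. an `else { rank |= KR_RANK_INSECURE; }` after the block. Minor: the new comment mixes number ("Non-authoritative NSs ... it may be present"); "they may be present" reads better.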
......@@ -125,7 +125,7 @@ static int validate_section(struct kr_query *qry, knot_pkt_t *answer,
continue;
}
/* Only validate answers from current cut, records above the cut are stripped. */
if (section_id == KNOT_ANSWER && !knot_dname_in(qry->zone_cut.name, rr->owner)) {
if (!knot_dname_in(qry->zone_cut.name, rr->owner)) {
continue;
}
ret = kr_rrmap_add(&stash, rr, 0, pool);
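Review bot: The comment `/* Only validate answers from current cut, records above the cut are stripped. */` is now stale: with `section_id == KNOT_ANSWER &&` dropped, the bailiwick check skips out-of-cut records in every section, authority and additional included, so it should say "records" rather than "answers". The skip also relies on the scrubber applying the same test (`knot_dname_in(qry->zone_cut.name, rr->owner)`); worth a one-line comment stating that dependency, since a record the scrubber keeps but the validator skips here would go through without being checked.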
deckard @ 866b7b95
Subproject commit 7d8a8ce66e41c4ffa2ebf1edc3839494873855c1
Subproject commit 866b7b95ce7355d112b9e47504825c31c6fcb27a