add packet cache - only direct NAME+TYPE hit ATM

Used for queries that are BOGUS or (negative and either insecure or unvalidated). FIXME: review, opt-out, etc.

add packet cache - only direct NAME+TYPE hit ATM
Used for queries that are BOGUS or (negative and either insecure or unvalidated). FIXME: review, opt-out, etc.
5b383a2b · Vladimír Čunát · beb78004 · 5b383a2b · 5b383a2b
Verified Commit 5b383a2b authored 7 years ago by Vladimír Čunát
--- a/lib/cache.c
+++ b/lib/cache.c
--- a/lib/resolve.h
+++ b/lib/resolve.h
@@ -91,18 +91,23 @@
 *   https://tools.ietf.org/html/rfc4035#section-4.3
 */
 enum kr_rank {
+	/* Initial-like states.  No validation has been attempted (yet). */
 	KR_RANK_INITIAL = 0, /**< Did not attempt to validate. It's assumed
 					compulsory to validate (or prove insecure). */
 	KR_RANK_OMIT,        /**< Do not attempt to validate.
 					(And don't consider it a validation failure.) */
 	KR_RANK_TRY,         /**< Attempt to validate, but failures are non-fatal. */

+	/* Failure states.  These have higher value because they have more information. */
 	KR_RANK_INDET = 4,   /**< Unable to determine whether it should be secure. */
 	KR_RANK_BOGUS,       /**< Ought to be secure but isn't. */
 	KR_RANK_MISMATCH,
 	KR_RANK_MISSING,     /**< Unable to obtain a good signature. */

-	KR_RANK_INSECURE = 8, /**< Proven to be insecure. */
+	/** Proven to be insecure, i.e. we have a chain of trust from TAs
+	 * that cryptographically denies the possibility of existence
+	 * of a positive chain of trust from the TAs to the record. */
+	KR_RANK_INSECURE = 8,

 	/** Authoritative data flag; the chain of authority was "verified".
 	 *  Even if not set, only in-bailiwick stuff is acceptable,