lib/dnssec: rewrite most of NSEC validation code (!1294) · Merge requests · Knot projects / Knot Resolver

Merged lib/dnssec: rewrite most of NSEC validation code

Merged Vladimír Čunát requested to merge dnssec-nsec-negative into master 2 years ago

May 18, 2022

NEWS for the rewrite of some NSEC validation parts · ee9bfa66
Vladimír Čunát authored 2 years ago

ee9bfa66
lib/dnssec: nits · 1ece2cab
Vladimír Čunát authored 2 years ago

1ece2cab

lib/dnssec: rewrite kr_nsec_ref_to_unsigned() · da1104f6

- I see no motivation to search for NS records here;
  and I didn't like that loop nesting
- philosophy shift akin to the recent
  replacement of kr_nsec_existence_denial()

da1104f6

lib/dnssec: drop kr_nsec_name_error_response_check() · 6da74af8
Vladimír Čunát authored 2 years ago
```
Just as with NODATA; basically the same comments
apply here (i.e. for NXDOMAIN) as well.
```
6da74af8

lib/dnssec: replace kr_nsec_existence_denial() · 9c1ad65f

Vladimír Čunát authored 2 years ago

The NSEC validation code has been written very mechanically
according to RFC 4033..4035, but those explain wildcard-related
topics in a way that's hard to understand right.

So here I rewrite it with a different philosophy, so it should be
easier to understand, a bit faster, and less buggy and bug-prone.

9c1ad65f

daemon/lua nit: sort RR rank names in debug logs · cb77f9eb
Vladimír Čunát authored 2 years ago
```
I was diffing logs from different runs and got annoyed by the shuffles.
```
cb77f9eb

Admin message

Admin message

lib/dnssec: rewrite most of NSEC validation code

Merge request reports

Activity