validator: fail earlier when cut changes and no DNSKEY is found.

Spotted this query that SERVFAILs with EDE NSEC Missing if uncached, and then Other with text O4TP: couldn't validate RRSIGs on subsequent queries: MX prolashkozmetik.com

This domain has a secure delegation, but it is not actually signed (and has no DNSKEY).

On first query it would fail after checking for NSEC(3) in https://gitlab.nic.cz/knot/knot-resolver/-/blob/master/lib/layer/validate.c#L1274 and on subsequent queries in https://gitlab.nic.cz/knot/knot-resolver/-/blob/master/lib/layer/validate.c#L1184

This PR ensures it fails earlier, and sets the appropriate extended error.

Control query to ensure that nothing broke: PTR 213-133-203-34.newtel.in-addr.itconsult.net. Passes the same code path, but this query succeeds after updating zone cut. Works before and after patch.
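
An added illustration (not knot-resolver's code and not part of this merge request) of the condition described above: a DS set at the parent with no DNSKEY at the child is classified as bogus at the zone cut itself, before any NSEC(3) or RRSIG checks. Mapping that case to EDE 9 (DNSKEY Missing, RFC 8914) is an assumption, since the description does not name the code; `classify_cut`, `make_ds` and the sample zone are hypothetical, and only the DS-to-DNSKEY link is checked, not signatures.

```python
import hashlib
import struct

# Extended DNS Error info-codes as registered by RFC 8914.
EDE_DNSSEC_BOGUS = 6
EDE_DNSKEY_MISSING = 9

def name_to_wire(name):
    """Canonical (lowercased) wire format of an absolute domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata):
    """Key tag over DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, dnskey_rdata):
    """DS tuple (key tag, algorithm, digest type 2, SHA-256 digest), RFC 4509."""
    digest = hashlib.sha256(name_to_wire(owner) + dnskey_rdata).digest()
    return (key_tag(dnskey_rdata), dnskey_rdata[3], 2, digest)

def classify_cut(owner, ds_set, dnskey_set):
    """Return (state, ede) for a zone cut from parent DS and child DNSKEY RDATA."""
    if not ds_set:
        return ("insecure", None)              # no DS: unsigned delegation
    if not dnskey_set:
        # Secure delegation but no DNSKEY at the apex, the case in the
        # description: stop here instead of going on to NSEC/RRSIG checks.
        return ("bogus", EDE_DNSKEY_MISSING)   # EDE choice is an assumption
    if any(make_ds(owner, key) in ds_set for key in dnskey_set):
        return ("secure", None)                # a key is anchored by the DS set
    return ("bogus", EDE_DNSSEC_BOGUS)         # keys exist, none matches a DS

# Constructed sample data: placeholder zone and key material, not real records.
OWNER = "example.test."
KEY = struct.pack("!HBB", 257, 3, 13) + bytes(range(64))
OTHER_KEY = struct.pack("!HBB", 257, 3, 13) + bytes(range(64, 128))
DS_SET = [make_ds(OWNER, KEY)]

if __name__ == "__main__":
    for label, keys in (("signed", [KEY]), ("no DNSKEY", []), ("wrong key", [OTHER_KEY])):
        print(label, classify_cut(OWNER, DS_SET, keys))
    print("no DS", classify_cut(OWNER, [], []))
```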