Don't verify already trusted rdatasets

If we already marked an rdataset as secure (or it has even stronger trust), there is no need to cryptographically verify it again.
2026-06-10 07:59:59 -04:00 · 2026-03-03 11:17:25 +01:00 · 2026-03-03 11:17:25 +01:00 · 0ec08c2120
commit 0ec08c2120
parent 988040a5e0
2 changed files with 10 additions and 1 deletions
--- a/lib/dns/include/dns/types.h
+++ b/lib/dns/include/dns/types.h
@ -384,6 +384,7 @@ enum {
 	((x) == dns_trust_additional || (x) == dns_trust_pending_additional)
 #define DNS_TRUST_GLUE(x)   ((x) == dns_trust_glue)
 #define DNS_TRUST_ANSWER(x) ((x) == dns_trust_answer)
+#define DNS_TRUST_SECURE(x) ((x) >= dns_trust_secure)

 /*%
 * Name checking severities.
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@ -1470,11 +1470,19 @@ verify(dns_validator_t *val, dst_key_t *key, dns_rdata_t *rdata,
 	bool ignore = false;
 	dns_name_t *wild;

+	if (DNS_TRUST_SECURE(val->rdataset->trust)) {
+		/*
+		 * This RRset was already verified before.
+		 */
+		return ISC_R_SUCCESS;
+	}
+
 	val->attributes |= VALATTR_TRIEDVERIFY;
-	wild = dns_fixedname_initname(&fixed);
 	if (over_max_validations(val)) {
 		return ISC_R_QUOTA;
 	}
+	wild = dns_fixedname_initname(&fixed);
+
 again:
 	result = dns_dnssec_verify(val->name, val->rdataset, key, ignore,
 				   val->view->mctx, rdata, wild);