From 0ec08c212022d08c9717f2bc6bd3e8ebd6f034ce Mon Sep 17 00:00:00 2001
From: Matthijs Mekking <matthijs@isc.org>
Date: Tue, 3 Mar 2026 11:17:25 +0100
Subject: [PATCH] Don't verify already trusted rdatasets

If we already marked an rdataset as secure (or it has even stronger
trust), there is no need to cryptographically verify it again.
---
 lib/dns/include/dns/types.h |  1 +
 lib/dns/validator.c         | 10 +++++++++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/lib/dns/include/dns/types.h b/lib/dns/include/dns/types.h
index ef1a546154..f8d228c6d0 100644
--- a/lib/dns/include/dns/types.h
+++ b/lib/dns/include/dns/types.h
@@ -384,6 +384,7 @@ enum {
 	((x) == dns_trust_additional || (x) == dns_trust_pending_additional)
 #define DNS_TRUST_GLUE(x)   ((x) == dns_trust_glue)
 #define DNS_TRUST_ANSWER(x) ((x) == dns_trust_answer)
+#define DNS_TRUST_SECURE(x) ((x) >= dns_trust_secure)
 
 /*%
  * Name checking severities.
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index a2da24e012..fd3a530ad6 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -1470,11 +1470,19 @@ verify(dns_validator_t *val, dst_key_t *key, dns_rdata_t *rdata,
 	bool ignore = false;
 	dns_name_t *wild;
 
+	if (DNS_TRUST_SECURE(val->rdataset->trust)) {
+		/*
+		 * This RRset was already verified before.
+		 */
+		return ISC_R_SUCCESS;
+	}
+
 	val->attributes |= VALATTR_TRIEDVERIFY;
-	wild = dns_fixedname_initname(&fixed);
 	if (over_max_validations(val)) {
 		return ISC_R_QUOTA;
 	}
+	wild = dns_fixedname_initname(&fixed);
+
 again:
 	result = dns_dnssec_verify(val->name, val->rdataset, key, ignore,
 				   val->view->mctx, rdata, wild);