mirror of
https://github.com/isc-projects/bind9.git
synced 2026-05-23 10:37:43 -04:00
Revert isdelegation() to return boolean value again
The isdelegation() was changed to return an isc_result_t because the idea was to have a separate return value DNS_R_NSEC3ITERRANGE to signal to the caller we could not verify the proof because of too many iterations in the NSEC3 record, or perhaps ISC_R_UNEXPECTED for a more generic cause that verification was not done. But this would make error handling more fragile and all we care about is whether we can reliably say the NS bit was not set. If we can not reliably say so, we have to treat it as an insecure referrral. Since the answer is either yes or no, we can revert back to returning a boolean value.
This commit is contained in:
Matthijs Mekking
parent
7c60b7da8a
commit
3ac1bb1c39
1 changed files with 19 additions and 21 deletions
|
|
@ -255,13 +255,13 @@ validator_done(dns_validator_t *val, isc_result_t result) {
|
|||
* the delegation.
|
||||
*
|
||||
* Returns:
|
||||
*\li #ISC_R_SUCCESS the NS bitmap was set in the NSEC or NSEC3 record, or
|
||||
* the NSEC3 covers the name (in case of opt-out), or
|
||||
* we cannot validate the insecurity proof and are going
|
||||
* to treat the message as isnecure.
|
||||
*\li #ISC_R_NOTFOUND the NS bitmap was not set,
|
||||
*\li #true the NS bitmap was set in the NSEC or NSEC3 record, or
|
||||
* the NSEC3 covers the name (in case of opt-out), or
|
||||
* we cannot validate the insecurity proof and are going
|
||||
* to treat the message as insecure.
|
||||
*\li #false the NS bitmap was not set.
|
||||
*/
|
||||
static isc_result_t
|
||||
static bool
|
||||
isdelegation(dns_validator_t *val, dns_name_t *name, dns_rdataset_t *rdataset,
|
||||
isc_result_t dbresult, const char *caller) {
|
||||
dns_fixedname_t fixed;
|
||||
|
|
@ -290,7 +290,7 @@ isdelegation(dns_validator_t *val, dns_name_t *name, dns_rdataset_t *rdataset,
|
|||
goto trynsec3;
|
||||
}
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
return ISC_R_NOTFOUND;
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -304,7 +304,7 @@ isdelegation(dns_validator_t *val, dns_name_t *name, dns_rdataset_t *rdataset,
|
|||
found = dns_nsec_typepresent(&rdata, dns_rdatatype_ns);
|
||||
}
|
||||
dns_rdataset_disassociate(&set);
|
||||
return found ? ISC_R_SUCCESS : ISC_R_NOTFOUND;
|
||||
return found;
|
||||
|
||||
trynsec3:
|
||||
/*
|
||||
|
|
@ -349,7 +349,7 @@ trynsec3:
|
|||
"%s: too many iterations",
|
||||
caller);
|
||||
dns_rdataset_disassociate(&set);
|
||||
return ISC_R_SUCCESS;
|
||||
return true;
|
||||
}
|
||||
length = isc_iterated_hash(
|
||||
hash, nsec3.hash, nsec3.iterations,
|
||||
|
|
@ -363,7 +363,7 @@ trynsec3:
|
|||
found = dns_nsec3_typepresent(&rdata,
|
||||
dns_rdatatype_ns);
|
||||
dns_rdataset_disassociate(&set);
|
||||
return found ? ISC_R_SUCCESS : ISC_R_NOTFOUND;
|
||||
return found;
|
||||
}
|
||||
if ((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) == 0) {
|
||||
continue;
|
||||
|
|
@ -380,12 +380,12 @@ trynsec3:
|
|||
memcmp(hash, nsec3.next.base, length) < 0)))
|
||||
{
|
||||
dns_rdataset_disassociate(&set);
|
||||
return ISC_R_SUCCESS;
|
||||
return true;
|
||||
}
|
||||
}
|
||||
dns_rdataset_disassociate(&set);
|
||||
}
|
||||
return found ? ISC_R_SUCCESS : ISC_R_NOTFOUND;
|
||||
return found;
|
||||
}
|
||||
|
||||
static void
|
||||
|
|
@ -621,10 +621,9 @@ fetch_callback_ds(void *arg) {
|
|||
break;
|
||||
case DNS_R_NXRRSET:
|
||||
case DNS_R_NCACHENXRRSET:
|
||||
result = isdelegation(val, resp->foundname,
|
||||
&val->frdataset, eresult,
|
||||
"fetch_callback_ds");
|
||||
if (result == ISC_R_SUCCESS) {
|
||||
if (isdelegation(val, resp->foundname, &val->frdataset,
|
||||
eresult, "fetch_callback_ds"))
|
||||
{
|
||||
/*
|
||||
* Failed to find a DS while trying to prove
|
||||
* insecurity. If this is a zone cut, that
|
||||
|
|
@ -742,8 +741,7 @@ validator_callback_ds(void *arg) {
|
|||
val->frdataset.covers == dns_rdatatype_ds &&
|
||||
NEGATIVE(&val->frdataset) &&
|
||||
isdelegation(val, name, &val->frdataset,
|
||||
DNS_R_NCACHENXRRSET,
|
||||
"validator_callback_ds") == ISC_R_SUCCESS)
|
||||
DNS_R_NCACHENXRRSET, "validator_callback_ds"))
|
||||
{
|
||||
result = markanswer(val, "validator_callback_ds");
|
||||
} else if ((val->attributes & VALATTR_INSECURITY) != 0) {
|
||||
|
|
@ -3314,9 +3312,9 @@ seek_ds(dns_validator_t *val, isc_result_t *resp) {
|
|||
return ISC_R_COMPLETE;
|
||||
}
|
||||
|
||||
result = isdelegation(val, tname, &val->frdataset, result,
|
||||
"seek_ds");
|
||||
if (result == ISC_R_SUCCESS) {
|
||||
if (isdelegation(val, tname, &val->frdataset, result,
|
||||
"seek_ds"))
|
||||
{
|
||||
*resp = markanswer(val, "seek_ds (3)");
|
||||
return ISC_R_COMPLETE;
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in a new issue