Don't verify already trusted rdatasets

If we already marked an rdataset as secure (or it has even stronger
trust), there is no need to cryptographically verify it again.

(cherry picked from commit 0ec08c2120)
Matthijs Mekking 2026-03-03 11:17:25 +01:00 committed by Michał Kępień
parent cd1f2fed56
commit 4ba3caff98
2 changed files with 10 additions and 1 deletions


@ -393,6 +393,7 @@ enum {
((x) == dns_trust_additional || (x) == dns_trust_pending_additional)
#define DNS_TRUST_GLUE(x) ((x) == dns_trust_glue)
#define DNS_TRUST_ANSWER(x) ((x) == dns_trust_answer)
#define DNS_TRUST_SECURE(x) ((x) >= dns_trust_secure)
/*%
* Name checking severities.
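Review bot: DNS_TRUST_SECURE is the only macro in this group written as an ordered comparison (`>=`) rather than an equality test, so its meaning silently depends on every trust level at or above dns_trust_secure being enumerated after it; a reader comparing it with DNS_TRUST_GLUE or DNS_TRUST_ANSWER two lines up will not see that. Since, per the commit description, this macro now decides when cryptographic verification is skipped, the ordering assumption deserves a comment on the #define, e.g. `/* True for dns_trust_secure and any stronger trust level; relies on enum ordering. */`. The enum these constants come from is outside the hunk, so I cannot confirm from here that nothing weaker sorts after dns_trust_secure.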


@ -1516,11 +1516,19 @@ verify(dns_validator_t *val, dst_key_t *key, dns_rdata_t *rdata,
bool ignore = false;
dns_name_t *wild;
if (DNS_TRUST_SECURE(val->rdataset->trust)) {
/*
* This RRset was already verified before.
*/
return ISC_R_SUCCESS;
}
val->attributes |= VALATTR_TRIEDVERIFY;
wild = dns_fixedname_initname(&fixed);
if (over_max_validations(val)) {
return ISC_R_QUOTA;
}
wild = dns_fixedname_initname(&fixed);
again:
result = dns_dnssec_verify(val->name, val->rdataset, key, ignore,
val->view->maxbits, val->view->mctx, rdata,