From 4ba3caff98f8d0ed585e6a30087202007e072ffb Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Tue, 3 Mar 2026 11:17:25 +0100
Subject: [PATCH] Don't verify already trusted rdatasets

If we already marked an rdataset as secure (or it has even stronger trust), there is no need to cryptographically verify it again.

(cherry picked from commit 0ec08c212022d08c9717f2bc6bd3e8ebd6f034ce)
---
 lib/dns/include/dns/types.h | 1 +
 lib/dns/validator.c | 10 +++++++++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/lib/dns/include/dns/types.h b/lib/dns/include/dns/types.h
index 992bfceef5..f44427f3e2 100644
--- a/lib/dns/include/dns/types.h
+++ b/lib/dns/include/dns/types.h
@@ -393,6 +393,7 @@ enum {
 ((x) == dns_trust_additional || (x) == dns_trust_pending_additional)
 #define DNS_TRUST_GLUE(x) ((x) == dns_trust_glue)
 #define DNS_TRUST_ANSWER(x) ((x) == dns_trust_answer)
+#define DNS_TRUST_SECURE(x) ((x) >= dns_trust_secure)
 
 /*%
 * Name checking severities.
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index 884209fc12..ebf7a95dde 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -1516,11 +1516,19 @@ verify(dns_validator_t *val, dst_key_t *key, dns_rdata_t *rdata,
 bool ignore = false;
 dns_name_t *wild;
 
+ if (DNS_TRUST_SECURE(val->rdataset->trust)) {
+ /*
+ * This RRset was already verified before.
+ */
+ return ISC_R_SUCCESS;
+ }
+
 val->attributes |= VALATTR_TRIEDVERIFY;
- wild = dns_fixedname_initname(&fixed);
 if (over_max_validations(val)) {
 return ISC_R_QUOTA;
 }
+ wild = dns_fixedname_initname(&fixed);
+
 again:
 result = dns_dnssec_verify(val->name, val->rdataset, key, ignore,
 val->view->maxbits, val->view->mctx, rdata,
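Review bot: The new DNS_TRUST_SECURE macro tests `>=` where the neighbouring DNS_TRUST_GLUE and DNS_TRUST_ANSWER macros test `==`, so it silently depends on the trust enum being ordered by strength, and that dependency should be recorded next to it, e.g. `/* True for dns_trust_secure and every stronger trust level; relies on the trust enum being ordered weakest to strongest. */`. Without the comment, a future enum member inserted out of order would change which rdatasets skip verification in validator.c with no compile-time signal. The enum whose ordering this relies on is outside the hunk.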
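Review bot: The early return at the top of the added block makes the rdataset's trust field the sole gate on whether a signature is checked at all, so the comment should state the invariant being relied on rather than only the history, e.g. `/* A trust level of secure or stronger is only assigned after successful validation, so checking the signature again is redundant. */`. That invariant has to hold at every site that assigns trust, which this hunk cannot show; worth confirming before relying on it. The return also happens before `val->attributes |= VALATTR_TRIEDVERIFY` and before the `over_max_validations()` quota check, so if a caller uses VALATTR_TRIEDVERIFY to distinguish "no usable key" from "verification attempted", this path now returns success without setting it — the callers and the rest of verify()'s body are outside the hunk.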