Check RRset trust in validate_neg_rrset()

In many places we only create a validator if the RRset has too low
trust (the RRset is pending validation, or could not be validated
before). This check was missing prior to validating negative response
data.
Matthijs Mekking 2026-03-03 11:43:23 +01:00 committed by Michał Kępień
parent d4c7c83a70
commit 6ca67f65cd

@ -2777,11 +2777,21 @@ validate_neg_rrset(dns_validator_t *val, dns_name_t *name,
}
}
if (rdataset->type != dns_rdatatype_nsec &&
DNS_TRUST_SECURE(rdataset->trust))
{
/*
* The negative response data is already verified.
* We skip NSEC records, because they require special
* processing in validator_callback_nsec().
*/
return DNS_R_CONTINUE;
}
val->nxset = rdataset;
RETERR(create_validator(val, name, rdataset->type, rdataset,
sigrdataset, validator_callback_nsec,
"validate_neg_rrset"));
val->authcount++;
return DNS_R_WAIT;
}
@ -2884,11 +2894,9 @@ validate_ncache(dns_validator_t *val, bool resume) {
}
result = validate_neg_rrset(val, name, rdataset, sigrdataset);
if (result == DNS_R_CONTINUE) {
continue;
if (result != DNS_R_CONTINUE) {
return result;
}
return result;
}
if (result == ISC_R_NOMORE) {
result = ISC_R_SUCCESS;
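Review bot: The early return added to validate_neg_rrset() leaves the function before `val->nxset = rdataset;` and `val->authcount++`, so an already-secure RRset is no longer counted. If authcount is compared elsewhere with a failure counter to decide whether a negative proof is broken, confirm that excluding these RRsets is intended and say so in the comment, e.g. `* Already-secure RRsets are deliberately not counted in val->authcount.`. The branch also relies on `rdataset->trust` alone and never consults sigrdataset, which is sound only if secure trust is assigned exclusively after a successful signature check; that is not visible in this hunk, whose function body starts above it. A system test with a negative response whose SOA is already secure while its NSEC is still pending would pin the new branch and the NSEC exception.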