upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-05-28 04:34:54 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 4

Rename isdelegation() to is_insecure_referral()

Browse source 
The name 'isdelegation()' was confusing. This function is not checking
whether this message is a delegation, but whether the denial of
existence proofs in this message is a proof of a referral to an
unsigned zone.

The name 'is_unsecure_referral()' is more appropriate.

(cherry picked from commit e0f09bb374)
This commit is contained in:
Matthijs Mekking 2026-04-02 11:20:32 +02:00
parent 33a3e1ebff
commit b5f3e92fa7
1 changed files with 14 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

25
lib/dns/validator.c
View file

@ -256,9 +256,9 @@ exit_check(dns_validator_t *val) {
}
/*%
* The isdelegation() function is called as part of seeking the DS record.
* Look in the NSEC or NSEC3 record returned from a DS query to see if the
* record has the NS bitmap set. If so, we are at a delegation point.
* The is_insecure_referral() function is called as part of seeking the DS
* record. Look in the NSEC or NSEC3 record returned from a DS query to see if
* the record has the NS bitmap set. If so, we are at a delegation point.
*
* If the response contains NSEC3 records with too high iterations, we cannot
* (or rather we are not going to) validate the insecurity proof. Instead we
@ -273,8 +273,9 @@ exit_check(dns_validator_t *val) {
*\li #false the NS bitmap was not set.
*/
static bool
isdelegation(dns_validator_t *val, dns_name_t *name, dns_rdataset_t *rdataset,
isc_result_t dbresult, const char *caller) {
is_insecure_referral(dns_validator_t *val, dns_name_t *name,
dns_rdataset_t *rdataset, isc_result_t dbresult,
const char *caller) {
dns_fixedname_t fixed;
dns_label_t hashlabel;
dns_name_t nsec3name;
@ -615,8 +616,9 @@ fetch_callback_ds(isc_task_t *task, isc_event_t *event) {
} else if (eresult == DNS_R_SERVFAIL) {
goto unexpected;
} else if (eresult != DNS_R_CNAME &&
isdelegation(val, devent->foundname, &val->frdataset,
eresult, "fetch_callback_ds"))
is_insecure_referral(val, devent->foundname,
&val->frdataset, eresult,
"fetch_callback_ds"))
{
/*
* Failed to find a DS while trying to prove
@ -784,8 +786,9 @@ validator_callback_ds(isc_task_t *task, isc_event_t *event) {
if ((val->attributes & VALATTR_INSECURITY) != 0 &&
val->frdataset.covers == dns_rdatatype_ds &&
NEGATIVE(&val->frdataset) &&
isdelegation(val, name, &val->frdataset,
DNS_R_NCACHENXRRSET, "validator_callback_ds"))
is_insecure_referral(val, name, &val->frdataset,
DNS_R_NCACHENXRRSET,
"validator_callback_ds"))
{
result = markanswer(val, "validator_callback_ds",
"no DS and this is a delegation");
@ -2877,8 +2880,8 @@ seek_ds(dns_validator_t *val, isc_result_t *resp) {
return ISC_R_COMPLETE;
}
if (isdelegation(val, tname, &val->frdataset, result,
"seek_ds"))
if (is_insecure_referral(val, tname, &val->frdataset, result,
"seek_ds"))
{
*resp = markanswer(val, "seek_ds (3)",
"this is a delegation");