From 2e85ede2028d266a32888348bc458f3e508215e6 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Thu, 28 Mar 2019 00:48:03 +1100
Subject: [PATCH 1/3] Store the DS and RRSIG(DS) with trust dns_trust_pending_answer so that the validator can validate the records as part of validating the current request.
(cherry picked from commit 57a328d67e665a502575a42daa182440469b0173)
---
 lib/dns/resolver.c | 53 +++++++++++++++++++++++++++++++-----------------
 1 file changed, 36 insertions(+), 17 deletions(-)
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 532ecfa590..bd55c197d0 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -8723,12 +8723,14 @@ rctx_answer_none(respctx_t *rctx) {
 rctx->negative = true;
 }
 
- /*
- * Process DNSSEC records in the authority section.
- */
- result = rctx_authority_dnssec(rctx);
- if (result == ISC_R_COMPLETE) {
- return (rctx->result);
+ if (!rctx->ns_in_answer && !rctx->glue_in_answer) {
+ /*
+ * Process DNSSEC records in the authority section.
+ */
+ result = rctx_authority_dnssec(rctx);
+ if (result == ISC_R_COMPLETE) {
+ return (rctx->result);
+ }
 }
 
 /*
@@ -8981,18 +8983,12 @@ static isc_result_t
 rctx_authority_dnssec(respctx_t *rctx) {
 isc_result_t result;
 fetchctx_t *fctx = rctx->fctx;
- dns_section_t section;
 dns_rdataset_t *rdataset = NULL;
 bool finished = false;
 
- if (rctx->ns_in_answer) {
- INSIST(fctx->type == dns_rdatatype_ns);
- section = DNS_SECTION_ANSWER;
- } else {
- section = DNS_SECTION_AUTHORITY;
- }
+ REQUIRE(!rctx->ns_in_answer && !rctx->glue_in_answer);
 
- result = dns_message_firstname(fctx->rmessage, section);
+ result = dns_message_firstname(fctx->rmessage, DNS_SECTION_AUTHORITY);
 if (result != ISC_R_SUCCESS) {
 return (ISC_R_SUCCESS);
 }
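Review bot: With the new guard, a response where `rctx->ns_in_answer` or `rctx->glue_in_answer` is set no longer reaches rctx_authority_dnssec() at all, whereas the removed code still called it (and, per the next hunk, walked the answer section for NS queries), so DS/RRSIG records in such responses are no longer marked for caching on this path. If those cases are handled elsewhere nothing in the hunk says so; a comment such as `/* rctx_authority_dnssec() REQUIREs neither flag be set; NS-in-answer responses are not processed here (TODO: confirm they are cached elsewhere). */` would make the intent explicit for the next reader. rctx_answer_none() starts and ends outside the hunk.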
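Review bot: `REQUIRE(!rctx->ns_in_answer && !rctx->glue_in_answer)` turns what was a handled state (the removed `if (rctx->ns_in_answer)` branch) into a fatal assertion, so every caller must now be guarded the way the first hunk guards rctx_answer_none(); only that caller is visible here and the function is static, so this is presumably fine, but the precondition deserves to be stated in the function's header comment rather than only in the assertion. Something like `/* Precondition: the response has no NS or glue in the answer section; only the authority section is examined. */` above the definition would do. The header comment and the rest of the body are outside the hunk.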
@@ -9000,8 +8996,10 @@ rctx_authority_dnssec(respctx_t *rctx) {
 while (!finished) {
 dns_name_t *name = NULL;
 
- dns_message_currentname(fctx->rmessage, section, &name);
- result = dns_message_nextname(fctx->rmessage, section);
+ dns_message_currentname(fctx->rmessage, DNS_SECTION_AUTHORITY,
+ &name);
+ result = dns_message_nextname(fctx->rmessage,
+ DNS_SECTION_AUTHORITY);
 if (result != ISC_R_SUCCESS) {
 finished = true;
 }
@@ -9017,7 +9015,10 @@ rctx_authority_dnssec(respctx_t *rctx) {
 rdataset != NULL;
 rdataset = ISC_LIST_NEXT(rdataset, link))
 {
+ bool checknta = true;
+ bool secure_domain = false;
 dns_rdatatype_t type = rdataset->type;
+
 if (type == dns_rdatatype_rrsig) {
 type = rdataset->covers;
 }
@@ -9077,7 +9078,25 @@ rctx_authority_dnssec(respctx_t *rctx) {
 name->attributes |= DNS_NAMEATTR_CACHE;
 rdataset->attributes |= DNS_RDATASETATTR_CACHE;
- if (rctx->aa) {
+
+ if ((fctx->options & DNS_FETCHOPT_NONTA) != 0) {
+ checknta = false;
+ }
+ if (fctx->res->view->enablevalidation) {
+ result = issecuredomain(fctx->res->view,
+ name,
+ dns_rdatatype_ds,
+ fctx->now,
+ checknta, NULL,
+ &secure_domain);
+ if (result != ISC_R_SUCCESS) {
+ return (result);
+ }
+ }
+ if (secure_domain) {
+ rdataset->trust =
+ dns_trust_pending_answer;
+ } else if (rctx->aa) {
 rdataset->trust = dns_trust_authauthority;
 } else if (ISFORWARDER(fctx->addrinfo)) {
From c9e68138999ec7f38e8472bf5efd232d53a74b84 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Mon, 3 Jun 2019 11:44:18 +1000
Subject: [PATCH 2/3] check that example/DS is not fetched when validating a.example
(cherry picked from commit 4293a2f4bfc87b8188d69c46e2457d07ca2f5776)
---
 bin/tests/system/dnssec/tests.sh | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 8beea9eae2..344a3c9ba1 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
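Review bot: `checknta` is declared here on every rdataset iteration (and reset from `fctx->options` in the later hunk) even though it depends only on `fctx->options`, not on the rdataset or the name; a single `bool checknta = (fctx->options & DNS_FETCHOPT_NONTA) == 0;` before the `while (!finished)` loop (outside this hunk) would state that invariance and remove the per-iteration reset. `secure_domain` is keyed on `name`, so it could likewise be computed once per name rather than once per rdataset, though the per-rdataset form is at least correct. The enclosing for loop starts and the while loop ends outside the hunk.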
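Review bot: On issecuredomain() failure the new code does `return (result);` with the raw error, but the only caller visible in this patch (rctx_answer_none() in the first hunk) tests the return only against ISC_R_COMPLETE and otherwise carries on, so the error is silently dropped and the remaining authority names and rdatasets are left unmarked for caching. The early-exit convention visible for this function appears to be to store the outcome in `rctx->result` and return ISC_R_COMPLETE, so the failure branch should follow it, `rctx->result = result; return (ISC_R_COMPLETE);`, or the caller should be taught to check for a non-success result. A one-line comment on the `dns_trust_pending_answer` assignment would also help, since the point of the change is that DS/RRSIG(DS) from a secure parent are deliberately left for the validator of the current fetch rather than being trusted as authauthority. The hunk's trailing context after the `ISFORWARDER` line is not shown and the loop body continues outside it.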
@@ -184,6 +184,15 @@ n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
 
+echo_i "checking that 'example/DS' from the referral was used in previous validation ($n)"
+ret=0
+grep "query 'example/DS/IN' approved" ns1/named.run > /dev/null && ret=1
+grep "fetch: example/DS" ns4/named.run > /dev/null && ret=1
+grep "validating example/DS: starting" ns4/named.run > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
 if [ -x ${DELV} ] ; then
 ret=0
 echo_i "checking positive validation NSEC using dns_client ($n)"
From 1d925c406872682b5302cd6b49ec22951f171981 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Wed, 31 Jul 2019 17:03:37 +1000
Subject: [PATCH 3/3] add CHANGES
(cherry picked from commit ac28cc14e12b4a4c02f45176437bc53a3c38ac90)
---
 CHANGES | 5 +++++
 doc/arm/notes.xml | 7 +++++++
 2 files changed, 12 insertions(+)
diff --git a/CHANGES b/CHANGES
index f514eb0177..8b055e19ee 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,8 @@
+5275. [bug] Mark DS records included in referral messages
+ with trust level "pending" so that they can be
+ validated and cached immediately, with no need to
+ re-query. [GL #964]
+
 5274. [bug] Address potential use after free race when shutting down rpz. [GL #1175]
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index 9f5ba91667..399b70e64b 100644
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -154,6 +154,13 @@ algorithm and same Server Secret for the best performance.
+
+
+ DS records included in DNS referral messages can now be validated
+ and cached immediately, reducing the number of queries needed for
+ a DNSSEC validation. [GL #964]
+
+
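Review bot: The two absence greps scan the whole accumulated `ns1/named.run` and `ns4/named.run`, so this check passes only if no earlier test in the script has ever caused an example/DS query at ns1 or an example/DS fetch at ns4, and the presence grep depends on `validating example/DS: starting` being emitted at the log level configured for ns4; none of those dependencies are stated, so a test inserted above this one can break it for unrelated reasons. A comment before the block would at least make the coupling visible, e.g. `# relies on the a.example validation check immediately above and on ns4 logging validator debug messages`. If the harness allows, scoping the negative greps to the a.example query (a uniquely tagged name, or only the log written since the previous check) would make the assertion order-independent.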