[9.20] fix: usr: Count temporal problems with DNSSEC validation as attempts

After KeyTrap, the temporal DNSSEC were originally hard errors that caused validation failures even if the records had another valid signature. This has been changed and the RRSIGs outside of the inception and expiration time are not counted as hard errors. However, these errors are not even counted as validation attempts, so excessive number of expired RRSIGs would cause some non-cryptograhic extra work for the validator. This has been fixed and the temporal errors are correctly counted as validation attempts. Closes #5760 Backport of MR !11589 Merge branch 'backport-5760-count-DNSSEC-temporal-errors-as-validation-attempts-9.20' into 'bind-9.20' See merge request isc-projects/bind9!11763
2026-06-10 09:29:19 -04:00 · 2026-03-30 19:01:19 +02:00 · 2026-03-30 19:01:19 +02:00 · e4399fc6b2
commit e4399fc6b2
parent 545ce3ae22 bd3c7d8014
1 changed files with 6 additions and 9 deletions
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@ -1452,6 +1452,8 @@ selfsigned_dnskey(dns_validator_t *val) {
 					dst_key_free(&dstkey);
 					return ISC_R_QUOTA;
 				}
+				consume_validation(val);
+
 				result = dns_dnssec_verify(
 					name, rdataset, dstkey, true,
 					val->view->maxbits, mctx, &sigrdata,
@ -1461,11 +1463,10 @@ selfsigned_dnskey(dns_validator_t *val) {
 				case DNS_R_SIGEXPIRED:
 					/*
 					 * Temporal errors don't count towards
-					 * max validations nor max fails.
+					 * max fails.
 					 */
 					break;
 				case ISC_R_SUCCESS:
-					consume_validation(val);
 					/*
 					 * The key with the REVOKE flag has
 					 * self signed the RRset so it is no
@ -1474,7 +1475,6 @@ selfsigned_dnskey(dns_validator_t *val) {
 					dns_view_untrust(val->view, name, &key);
 					break;
 				default:
-					consume_validation(val);
 					if (over_max_fails(val)) {
 						dst_key_free(&dstkey);
 						return ISC_R_QUOTA;
@ -1515,7 +1515,7 @@ verify(dns_validator_t *val, dst_key_t *key, dns_rdata_t *rdata,
 	isc_result_t result;
 	dns_fixedname_t fixed;
 	bool ignore = false;
-	dns_name_t *wild;
+	dns_name_t *wild = dns_fixedname_initname(&fixed);

 	if (DNS_TRUST_SECURE(val->rdataset->trust)) {
 		/*
@ -1528,7 +1528,7 @@ verify(dns_validator_t *val, dst_key_t *key, dns_rdata_t *rdata,
 	if (over_max_validations(val)) {
 		return ISC_R_QUOTA;
 	}
-	wild = dns_fixedname_initname(&fixed);
+	consume_validation(val);

 again:
 	result = dns_dnssec_verify(val->name, val->rdataset, key, ignore,
@ -1579,8 +1579,7 @@ again:
 	case DNS_R_SIGFUTURE:
 	case DNS_R_SIGEXPIRED:
 		/*
-		 * Temporal errors don't count towards max validations nor max
-		 * fails.
+		 * Temporal errors don't count towards max fails.
 		 */
 		validator_addede(val,
 				 result == DNS_R_SIGEXPIRED
@ -1589,10 +1588,8 @@ again:
 				 NULL);
 		break;
 	case ISC_R_SUCCESS:
-		consume_validation(val);
 		break;
 	default:
-		consume_validation(val);
 		if (over_max_fails(val)) {
 			result = ISC_R_QUOTA;
 			break;