Do not mark additional section items bogus.

git-svn-id: file:///svn/unbound/trunk@1222 be551aaa-1e26-0410-a405-d3ace91eadb9

doc/Changelog

@@ -1,6 +1,8 @@
 2 September 2008: Wouter
 	- DoS protection features. Queries are jostled out to make room.
 	- testbound can pass time, increasing the internal timer.
+	- do not mark unsigned additionals bogus, leave unchecked, which
+	  is removed too.
 
 1 September 2008: Wouter
 	- disallow nonrecursive queries for cache snooping by default.

doc/plan

@@ -34,9 +34,9 @@ total 6 of 8 weeks; 2 weeks for maintenance activities.
 + DoS vector, flush more.
 	50% of max is for run-to-completion
 	50% rest is for lifo queue with 100-200 msec timeout.
-* records in the additional section should not be marked bogus
-if they have no signer or a different signed. Validate if you can,
-otherwise leave unchecked.
++ records in the additional section should not be marked bogus
+  if they have no signer or a different signed. Validate if you can,
+  otherwise leave unchecked.
 * block DNS rebinding attacks, block all A records from 1918 IP blocks,
 like dnswall does.  Allow certain subdomains to do it, config options.
 	one option that controls on/off of all private space.

validator/val_utils.c

@@ -150,13 +150,7 @@ rrsig_get_signer(uint8_t* data, size_t len, uint8_t** sname, size_t* slen)
 	*sname = data;
 }
 
-/**
- * Find the signer name for an RRset.
- * @param rrset: the rrset.
- * @param sname: signer name is returned or NULL if not signed.
- * @param slen: length of sname (or 0).
- */
-static void 
+void 
 val_find_rrset_signer(struct ub_packed_rrset_key* rrset, uint8_t** sname,
 	size_t* slen)
 {

validator/val_utils.h

@@ -257,6 +257,15 @@ void val_mark_insecure(struct reply_info* rep, struct key_entry_key* kkey,
  */
 size_t val_next_unchecked(struct reply_info* rep, size_t skip);
 
+/**
+ * Find the signer name for an RRset.
+ * @param rrset: the rrset.
+ * @param sname: signer name is returned or NULL if not signed.
+ * @param slen: length of sname (or 0).
+ */
+void val_find_rrset_signer(struct ub_packed_rrset_key* rrset, uint8_t** sname,
+	size_t* slen);
+
 /**
  * Get string to denote the classification result.
  * @param subtype: from classification function.

validator/validator.c

@@ -373,7 +373,8 @@ validate_msg_signatures(struct module_env* env, struct val_env* ve,
 	struct query_info* qchase, struct reply_info* chase_reply, 
 	struct key_entry_key* key_entry)
 {
-	size_t i;
+	uint8_t* sname;
+	size_t i, slen;
 	struct ub_packed_rrset_key* s;
 	enum sec_status sec;
 	int dname_seen = 0;
@@ -438,6 +439,10 @@ validate_msg_signatures(struct module_env* env, struct val_env* ve,
 	for(i=chase_reply->an_numrrsets+chase_reply->ns_numrrsets; 
 		i<chase_reply->rrset_count; i++) {
 		s = chase_reply->rrsets[i];
+		/* only validate rrs that have signatures with the key */
+		/* leave others unchecked, those get removed later on too */
+		val_find_rrset_signer(s, &sname, &slen);
+		if(sname && query_dname_compare(sname, key_entry->name)==0)
 			(void)val_verify_rrset_entry(env, ve, s, key_entry);
 		/* the additional section can fail to be secure, 
 		 * it is optional, check signature in case we need