upstream/unbound
1
0
Fork 0
mirror of https://github.com/NLnetLabs/unbound.git synced 2026-02-09 22:03:15 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

cache verify work for nsec and nsec3.

Browse source 
git-svn-id: file:///svn/unbound/trunk@2047 be551aaa-1e26-0410-a405-d3ace91eadb9
This commit is contained in:
Wouter Wijngaards 2010-03-17 09:49:18 +00:00
parent 42599b7044
commit 091050add6
2 changed files with 28 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

28
validator/val_nsec.c
View file

@ -171,6 +171,27 @@ val_nsec_proves_no_ds(struct ub_packed_rrset_key* nsec,
return sec_status_secure;
}
/** check security status from cache or verify rrset, returns true if secure */
static int
nsec_verify_rrset(struct module_env* env, struct val_env* ve,
struct ub_packed_rrset_key* nsec, struct key_entry_key* kkey,
char** reason)
{
struct packed_rrset_data* d = (struct packed_rrset_data*)
nsec->entry.data;
if(d->security == sec_status_secure)
return 1;
rrset_check_sec_status(env->rrset_cache, nsec, *env->now);
if(d->security == sec_status_secure)
return 1;
d->security = val_verify_rrset_entry(env, ve, nsec, kkey, reason);
if(d->security == sec_status_secure) {
rrset_update_sec_status(env->rrset_cache, nsec, *env->now);
return 1;
}
return 0;
}
enum sec_status
val_nsec_prove_nodata_dsreply(struct module_env* env, struct val_env* ve,
struct query_info* qinfo, struct reply_info* rep,
@ -191,8 +212,7 @@ val_nsec_prove_nodata_dsreply(struct module_env* env, struct val_env* ve,
* 1) this is a delegation point and there is no DS
* 2) this is not a delegation point */
if(nsec) {
sec = val_verify_rrset_entry(env, ve, nsec, kkey, reason);
if(sec != sec_status_secure) {
if(!nsec_verify_rrset(env, ve, nsec, kkey, reason)) {
verbose(VERB_ALGO, "NSEC RRset for the "
"referral did not verify.");
return sec_status_bogus;
@ -221,9 +241,7 @@ val_nsec_prove_nodata_dsreply(struct module_env* env, struct val_env* ve,
i++) {
if(rep->rrsets[i]->rk.type != htons(LDNS_RR_TYPE_NSEC))
continue;
sec = val_verify_rrset_entry(env, ve, rep->rrsets[i], kkey,
reason);
if(sec != sec_status_secure) {
if(!nsec_verify_rrset(env, ve, rep->rrsets[i], kkey, reason)) {
verbose(VERB_ALGO, "NSEC for empty non-terminal "
"did not verify.");
return sec_status_bogus;

10
validator/val_nsec3.c
View file

@ -1252,11 +1252,10 @@ list_is_secure(struct module_env* env, struct val_env* ve,
struct ub_packed_rrset_key** list, size_t num,
struct key_entry_key* kkey, char** reason)
{
struct packed_rrset_data* d;
size_t i;
enum sec_status sec;
for(i=0; i<num; i++) {
struct packed_rrset_data* d = (struct packed_rrset_data*)
list[i]->entry.data;
d = (struct packed_rrset_data*)list[i]->entry.data;
if(list[i]->rk.type != htons(LDNS_RR_TYPE_NSEC3))
continue;
if(d->security == sec_status_secure)
@ -1264,8 +1263,9 @@ list_is_secure(struct module_env* env, struct val_env* ve,
rrset_check_sec_status(env->rrset_cache, list[i], *env->now);
if(d->security == sec_status_secure)
continue;
sec = val_verify_rrset_entry(env, ve, list[i], kkey, reason);
if(sec != sec_status_secure) {
d->security = val_verify_rrset_entry(env, ve, list[i], kkey,
reason);
if(d->security != sec_status_secure) {
verbose(VERB_ALGO, "NSEC3 did not verify");
return 0;
}