DS and DNSKEY not from additional synthesis. Nicer signature expiration errors.

git-svn-id: file:///svn/unbound/trunk@546 be551aaa-1e26-0410-a405-d3ace91eadb9

doc/Changelog

@@ -5,6 +5,10 @@
 	  routine. This makes the proof routines prettier.
 	- fixup cname handling in validator, cname-to-positive and cname-to-
 	  nodata work.
+	- Do not synthesize DNSKEY and DS responses from the rrset cache if
+	  the rrset is from the additional section. Signatures may have
+	  fallen off the packet, and cause validation failure.
+	- more verbose signature date errors (with the date attached).
 
 23 August 2007: Wouter
 	- CNAME handling - move needs_validation to before val_new().

services/cache/dns.c

@@ -588,10 +588,22 @@ dns_cache_lookup(struct module_env* env,
 	if((qtype == LDNS_RR_TYPE_DS || qtype == LDNS_RR_TYPE_DNSKEY) &&
 		(rrset=rrset_cache_lookup(env->rrset_cache, qname, qnamelen, 
 		qtype, qclass, 0, now, 0))) {
-		struct dns_msg* msg = rrset_msg(rrset, region, now, &k);
-		if(msg) {
-			lock_rw_unlock(&rrset->entry.lock);
-			return msg;
+		/* if the rrset is from the additional section, and the
+		 * signatures have fallen off, then do not synthesize a msg
+		 * instead, allow a full query for signed results to happen.
+		 * Forego all rrset data from additional section, because
+		 * some signatures may not be present and cause validation
+		 * failure.
+		 */
+		struct packed_rrset_data *d = (struct packed_rrset_data*)
+			rrset->entry.data;
+		if(d->trust != rrset_trust_add_noAA && 
+			d->trust != rrset_trust_add_AA) {
+			struct dns_msg* msg = rrset_msg(rrset, region, now, &k);
+			if(msg) {
+				lock_rw_unlock(&rrset->entry.lock);
+				return msg;
+			}
 		}
 		lock_rw_unlock(&rrset->entry.lock);
 	}

validator/val_sigcrypt.c

@@ -1011,6 +1011,32 @@ rrset_canonical(struct region* region, ldns_buffer* buf,
 	return 1;
 }
 
+/** pretty print rrsig error with dates */
+static void
+sigdate_error(const char* str, int32_t expi, int32_t incep, int32_t now)
+{
+	struct tm tm;
+	char expi_buf[16];
+	char incep_buf[16];
+	char now_buf[16];
+	time_t te, ti, tn;
+
+	if(verbosity < VERB_ALGO)
+		return;
+	te = (time_t)expi;
+	ti = (time_t)incep;
+	tn = (time_t)now;
+	memset(&tm, 0, sizeof(tm));
+	if(gmtime_r(&te, &tm) && strftime(expi_buf, 15, "%Y%m%d%H%M%S", &tm)
+	 &&gmtime_r(&ti, &tm) && strftime(incep_buf, 15, "%Y%m%d%H%M%S", &tm)
+	 &&gmtime_r(&tn, &tm) && strftime(now_buf, 15, "%Y%m%d%H%M%S", &tm)) {
+		log_info("%s expi=%s incep=%s now=%s", str, expi_buf, 
+			incep_buf, now_buf);
+	} else
+		log_info("%s expi=%u incep=%u now=%u", str, (unsigned)expi, 
+			(unsigned)incep, (unsigned)now);
+}
+
 /** check rrsig dates */
 static int
 check_dates(struct val_env* ve, uint8_t* expi_p, uint8_t* incep_p)
@@ -1030,17 +1056,17 @@ check_dates(struct val_env* ve, uint8_t* expi_p, uint8_t* incep_p)
 
 	/* check them */
 	if(incep - expi > 0) {
-		verbose(VERB_ALGO, "verify: inception after expiration, "
-			"signature bad");
+		sigdate_error("verify: inception after expiration, "
+			"signature bad", expi, incep, now);
 		return 0;
 	}
 	if(incep - now > 0) {
-		verbose(VERB_ALGO, "verify: signature bad, current time is"
-			" before inception date");
+		sigdate_error("verify: signature bad, current time is"
+			" before inception date", expi, incep, now);
 		return 0;
 	}
 	if(now - expi > 0) {
-		verbose(VERB_ALGO, "verify: signature expired");
+		sigdate_error("verify: signature expired", expi, incep, now);
 		return 0;
 	}
 	return 1;