neater explanation for unsigned or signatureless negative DS replies.
git-svn-id: file:///svn/unbound/trunk@1870 be551aaa-1e26-0410-a405-d3ace91eadb9
parent
e0b639accd
commit
a909fa9a3a
@ -963,3 +963,26 @@ void val_errinf_dname(struct module_qstate* qstate, struct val_qstate* vq,
|
||||
snprintf(b, sizeof(b), "%s %s", str, buf);
|
||||
val_errinf(qstate, vq, b);
|
||||
}
|
||||
|
||||
int val_has_signed_nsecs(struct reply_info* rep, char** reason)
|
||||
{
|
||||
size_t i, num_nsec = 0, num_nsec3 = 0;
|
||||
struct packed_rrset_data* d;
|
||||
for(i=rep->an_numrrsets; i<rep->an_numrrsets+rep->ns_numrrsets; i++) {
|
||||
if(rep->rrsets[i]->rk.type == htons(LDNS_RR_TYPE_NSEC))
|
||||
num_nsec++;
|
||||
else if(rep->rrsets[i]->rk.type == htons(LDNS_RR_TYPE_NSEC3))
|
||||
num_nsec3++;
|
||||
else continue;
|
||||
d = (struct packed_rrset_data*)rep->rrsets[i]->entry.data;
|
||||
if(d && d->rrsig_count != 0) {
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
if(num_nsec == 0 && num_nsec3 == 0)
|
||||
*reason = "no DNSSEC records";
|
||||
else if(num_nsec != 0)
|
||||
*reason = "no signatures over NSECs";
|
||||
else *reason = "no signatures over NSEC3s";
|
||||
return 0;
|
||||
}
|
||||
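Review bot: val_has_signed_nsecs returns 1 as soon as a single NSEC or NSEC3 in the authority section has a non-zero rrsig_count, so a true result means "an RRSIG is attached to at least one of them", not "the denial is signed" — other NSECs may be unsigned and nothing is verified here; the function should say so, e.g. `/* Presence check only: true if at least one authority NSEC/NSEC3 carries an RRSIG. Signatures are not verified here; the prove_* functions still do that. */`. The string literals stored through `*reason` make the `char** reason` parameter a de-facto `const char**`; if the callers' `reason` variables allow it, the parameter (and the header declaration) should take `const char**` so the const is not silently dropped. `*reason` is left untouched on the success path, which is worth stating in the comment since callers may log it.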
|
@ -358,4 +358,12 @@ void val_errinf_dname(struct module_qstate* qstate, struct val_qstate* vq,
|
||||
*/
|
||||
char* val_errinf_to_str(struct module_qstate* qstate, struct val_qstate* vq);
|
||||
|
||||
/**
|
||||
* check if has dnssec info, and if it has signed nsecs. gives error reason.
|
||||
* @param rep: reply to check.
|
||||
* @param reason: returned on fail.
|
||||
* @return false if message has no signed nsecs. Can not prove negatives.
|
||||
*/
|
||||
int val_has_signed_nsecs(struct reply_info* rep, char** reason);
|
||||
|
||||
#endif /* VALIDATOR_VAL_UTILS_H */
|
||||
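Review bot: The `@param reason` line says only "returned on fail", which leaves lifetime and ownership open; since the implementation stores string literals, write `* @param reason: on false, set to a static string describing why (do not free); untouched on true.`. The `@return` line would be more precise as `* @return false if the message has no NSEC/NSEC3 with an RRSIG attached; the signatures themselves are not checked here.`, so nobody reads a true result as a proof step.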
|
@ -2310,6 +2310,14 @@ ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq,
|
||||
/* NODATA means that the qname exists, but that there was
|
||||
* no DS. This is a pretty normal case. */
|
||||
uint32_t proof_ttl = 0;
|
||||
enum sec_status sec;
|
||||
|
||||
/* make sure there are NSECs or NSEC3s with signatures */
|
||||
if(!val_has_signed_nsecs(msg->rep, &reason)) {
|
||||
verbose(VERB_ALGO, "no NSECs: %s", reason);
|
||||
val_errinf(qstate, vq, reason);
|
||||
goto return_bogus;
|
||||
}
|
||||
|
||||
/* For subtype Name Error.
|
||||
* attempt ANS 2.8.1.0 compatibility where it sets rcode
|
||||
@ -2317,7 +2325,7 @@ ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq,
|
||||
* Find and prove the empty nonterminal in that case */
|
||||
|
||||
/* Try to prove absence of the DS with NSEC */
|
||||
enum sec_status sec = val_nsec_prove_nodata_dsreply(
|
||||
sec = val_nsec_prove_nodata_dsreply(
|
||||
qstate->env, ve, qinfo, msg->rep, vq->key_entry,
|
||||
&proof_ttl);
|
||||
switch(sec) {
|
||||
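Review bot: The log line `verbose(VERB_ALGO, "no NSECs: %s", reason);` is misleading for two of the three reasons val_has_signed_nsecs can return ("no DNSSEC records", "no signatures over NSEC3s"); a neutral prefix such as `verbose(VERB_ALGO, "DS nodata reply not provable: %s", reason);` keeps the debug log consistent with the errinf text the user sees. The `reason` variable and the `return_bogus` label are both outside the hunk, so this assumes `reason` is a `char*` already declared in ds_response_to_ke. Moving `enum sec_status sec;` above the new `if` (second hunk of this section) avoids a declaration after a statement but leaves `sec` unset until the later assignment, which is fine as long as no path between the two reads it.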
|