neater explanation for unsigned or signatureless negative DS replies.

git-svn-id: file:///svn/unbound/trunk@1870 be551aaa-1e26-0410-a405-d3ace91eadb9
Wouter Wijngaards 2009-10-08 06:57:23 +00:00
parent e0b639accd
commit a909fa9a3a
3 changed files with 40 additions and 1 deletions


@ -963,3 +963,26 @@ void val_errinf_dname(struct module_qstate* qstate, struct val_qstate* vq,
snprintf(b, sizeof(b), "%s %s", str, buf);
val_errinf(qstate, vq, b);
}
int val_has_signed_nsecs(struct reply_info* rep, char** reason)
{
size_t i, num_nsec = 0, num_nsec3 = 0;
struct packed_rrset_data* d;
for(i=rep->an_numrrsets; i<rep->an_numrrsets+rep->ns_numrrsets; i++) {
if(rep->rrsets[i]->rk.type == htons(LDNS_RR_TYPE_NSEC))
num_nsec++;
else if(rep->rrsets[i]->rk.type == htons(LDNS_RR_TYPE_NSEC3))
num_nsec3++;
else continue;
d = (struct packed_rrset_data*)rep->rrsets[i]->entry.data;
if(d && d->rrsig_count != 0) {
return 1;
}
}
if(num_nsec == 0 && num_nsec3 == 0)
*reason = "no DNSSEC records";
else if(num_nsec != 0)
*reason = "no signatures over NSECs";
else *reason = "no signatures over NSEC3s";
return 0;
}
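Review bot: The early `return 1` on the first NSEC or NSEC3 RRset whose `rrsig_count` is nonzero means this function answers "at least one NSEC/NSEC3 in the authority section carries an RRSIG", not that every denial record is signed and certainly not that any signature verified; a reply mixing one signed and several unsigned NSEC3s passes the check. That is acceptable for a diagnostic pre-check, since the caller still has to run the actual NSEC/NSEC3 proof, but the name and the `reason` strings invite a future caller to treat a true return as an authentication result. I would state this above the definition: `/* Diagnostic pre-check only: true if any NSEC/NSEC3 RRset in the authority section has an RRSIG attached; nothing is validated here, the nodata/nxdomain proof code does that. */`. It is also worth noting in that comment that `*reason` is left untouched on the success path, so callers must not read it after a nonzero return.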


@ -358,4 +358,12 @@ void val_errinf_dname(struct module_qstate* qstate, struct val_qstate* vq,
*/
char* val_errinf_to_str(struct module_qstate* qstate, struct val_qstate* vq);
/**
* check if has dnssec info, and if it has signed nsecs. gives error reason.
* @param rep: reply to check.
* @param reason: returned on fail.
* @return false if message has no signed nsecs. Can not prove negatives.
*/
int val_has_signed_nsecs(struct reply_info* rep, char** reason);
#endif /* VALIDATOR_VAL_UTILS_H */
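Review bot: The new header comment leaves the contract of `reason` underspecified: the implementation writes it only on the failure path, stores a pointer to a string literal that the caller must neither free nor modify, and never touches it when it returns nonzero. I would extend the line to `@param reason: on failure set to a static string describing why (do not free); left unchanged on success.` and sharpen the @return to say that a nonzero result only means some NSEC/NSEC3 RRset has an RRSIG attached, not that any signature was validated. Since the string is always a literal, `const char**` would express the ownership more honestly than `char**`, but that touches the implementation and every caller's local variable, so it is a separate cleanup rather than something for this commit.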


@ -2310,6 +2310,14 @@ ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq,
/* NODATA means that the qname exists, but that there was
* no DS. This is a pretty normal case. */
uint32_t proof_ttl = 0;
enum sec_status sec;
/* make sure there are NSECs or NSEC3s with signatures */
if(!val_has_signed_nsecs(msg->rep, &reason)) {
verbose(VERB_ALGO, "no NSECs: %s", reason);
val_errinf(qstate, vq, reason);
goto return_bogus;
}
/* For subtype Name Error.
* attempt ANS 2.8.1.0 compatibility where it sets rcode
@ -2317,7 +2325,7 @@ ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq,
* Find and prove the empty nonterminal in that case */
/* Try to prove absence of the DS with NSEC */
enum sec_status sec = val_nsec_prove_nodata_dsreply(
sec = val_nsec_prove_nodata_dsreply(
qstate->env, ve, qinfo, msg->rep, vq->key_entry,
&proof_ttl);
switch(sec) {
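Review bot: The log line `verbose(VERB_ALGO, "no NSECs: %s", reason);` in the first hunk is misleading for two of the three reasons val_has_signed_nsecs produces ("no signatures over NSECs" and "no signatures over NSEC3s" both describe replies where the records are present but unsigned); since the commit's purpose is a clearer explanation, `verbose(VERB_ALGO, "unsigned negative DS reply: %s", reason);` fits all three. The new check is only a pre-filter that succeeds as soon as a single NSEC/NSEC3 RRset carries an RRSIG, so the security decision still rests with val_nsec_prove_nodata_dsreply below and whatever NSEC3 handling follows it, and a one-line comment such as `/* early reject is for a clearer error only; the proof below still decides */` would keep the next reader from reading the goto as the validation step. `reason` and the `return_bogus` label are declared outside the hunk, presumably earlier in ds_response_to_ke, which begins and ends outside what is shown here.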