mirror of
https://github.com/NLnetLabs/unbound.git
synced 2024-09-21 06:37:08 +00:00
DLV removal
This commit is contained in:
parent
fc55345dcb
commit
c0c722cd97
@ -509,11 +509,6 @@ server:
|
||||
# Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel)
|
||||
# root-key-sentinel: yes
|
||||
|
||||
# File with DLV trusted keys. Same format as trust-anchor-file.
|
||||
# There can be only one DLV configured, it is trusted from root down.
|
||||
# DLV is going to be decommissioned. Please do not use it any more.
|
||||
# dlv-anchor-file: "dlv.isc.org.key"
|
||||
|
||||
# File with trusted keys for validation. Specify more than one file
|
||||
# with several entries, one file per entry.
|
||||
# Zone file format, with DS and DNSKEY entries.
|
||||
|
@ -1010,21 +1010,6 @@ Send RFC8145 key tag query after trust anchor priming. Default is yes.
|
||||
.B root\-key\-sentinel: \fI<yes or no>
|
||||
Root key trust anchor sentinel. Default is yes.
|
||||
.TP
|
||||
.B dlv\-anchor\-file: \fI<filename>
|
||||
This option was used during early days DNSSEC deployment when no parent-side
|
||||
DS record registrations were easily available. Nowadays, it is best to have
|
||||
DS records registered with the parent zone (many top level zones are signed).
|
||||
File with trusted keys for DLV (DNSSEC Lookaside Validation). Both DS and
|
||||
DNSKEY entries can be used in the file, in the same format as for
|
||||
\fItrust\-anchor\-file:\fR statements. Only one DLV can be configured, more
|
||||
would be slow. The DLV configured is used as a root trusted DLV, this
|
||||
means that it is a lookaside for the root. Default is "", or no dlv anchor
|
||||
file. DLV is going to be decommissioned. Please do not use it any more.
|
||||
.TP
|
||||
.B dlv\-anchor: \fI<"Resource Record">
|
||||
Much like trust\-anchor, this is a DLV anchor with the DS or DNSKEY inline.
|
||||
DLV is going to be decommissioned. Please do not use it any more.
|
||||
.TP
|
||||
.B domain\-insecure: \fI<domain name>
|
||||
Sets domain name to be insecure, DNSSEC chain of trust is ignored towards
|
||||
the domain name. So a trust anchor above the domain name can not make the
|
||||
|
@ -256,14 +256,6 @@ config_file
|
||||
|
||||
Files with trusted DNSKEYs in named.conf format, list.
|
||||
|
||||
.. attribute:: dlv_anchor_file
|
||||
|
||||
DLV anchor file.
|
||||
|
||||
.. attribute:: dlv_anchor_list
|
||||
|
||||
DLV anchor inline.
|
||||
|
||||
.. attribute:: max_ttl
|
||||
|
||||
The number of seconds maximal TTL used for RRsets and messages.
|
||||
|
5
services/cache/dns.c
vendored
5
services/cache/dns.c
vendored
@ -890,9 +890,8 @@ dns_cache_lookup(struct module_env* env,
|
||||
lock_rw_unlock(&rrset->entry.lock);
|
||||
}
|
||||
|
||||
/* construct DS, DNSKEY, DLV messages from rrset cache. */
|
||||
if((qtype == LDNS_RR_TYPE_DS || qtype == LDNS_RR_TYPE_DNSKEY ||
|
||||
qtype == LDNS_RR_TYPE_DLV) &&
|
||||
/* construct DS, DNSKEY messages from rrset cache. */
|
||||
if((qtype == LDNS_RR_TYPE_DS || qtype == LDNS_RR_TYPE_DNSKEY) &&
|
||||
(rrset=rrset_cache_lookup(env->rrset_cache, qname, qnamelen,
|
||||
qtype, qclass, 0, now, 0))) {
|
||||
/* if the rrset is from the additional section, and the
|
||||
|
@ -624,8 +624,6 @@ morechecks(struct config_file* cfg)
|
||||
cfg->auto_trust_anchor_file_list, cfg->chrootdir, cfg);
|
||||
check_chroot_filelist_wild("trusted-keys-file",
|
||||
cfg->trusted_keys_file_list, cfg->chrootdir, cfg);
|
||||
check_chroot_string("dlv-anchor-file", &cfg->dlv_anchor_file,
|
||||
cfg->chrootdir, cfg);
|
||||
#ifdef USE_IPSECMOD
|
||||
if(cfg->ipsecmod_enabled && strstr(cfg->module_conf, "ipsecmod")) {
|
||||
/* only check hook if enabled */
|
||||
|
@ -233,8 +233,6 @@ config_create(void)
|
||||
cfg->trusted_keys_file_list = NULL;
|
||||
cfg->trust_anchor_signaling = 1;
|
||||
cfg->root_key_sentinel = 1;
|
||||
cfg->dlv_anchor_file = NULL;
|
||||
cfg->dlv_anchor_list = NULL;
|
||||
cfg->domain_insecure = NULL;
|
||||
cfg->val_date_override = 0;
|
||||
cfg->val_sig_skew_min = 3600; /* at least daylight savings trouble */
|
||||
@ -581,8 +579,6 @@ int config_set_option(struct config_file* cfg, const char* opt,
|
||||
else S_STRLIST("trusted-keys-file:", trusted_keys_file_list)
|
||||
else S_YNO("trust-anchor-signaling:", trust_anchor_signaling)
|
||||
else S_YNO("root-key-sentinel:", root_key_sentinel)
|
||||
else S_STR("dlv-anchor-file:", dlv_anchor_file)
|
||||
else S_STRLIST("dlv-anchor:", dlv_anchor_list)
|
||||
else S_STRLIST("domain-insecure:", domain_insecure)
|
||||
else S_NUMBER_OR_ZERO("val-bogus-ttl:", bogus_ttl)
|
||||
else S_YNO("val-clean-additional:", val_clean_additional)
|
||||
@ -998,7 +994,6 @@ config_get_option(struct config_file* cfg, const char* opt,
|
||||
else O_DEC(opt, "unwanted-reply-threshold", unwanted_threshold)
|
||||
else O_YNO(opt, "do-not-query-localhost", donotquery_localhost)
|
||||
else O_STR(opt, "module-config", module_conf)
|
||||
else O_STR(opt, "dlv-anchor-file", dlv_anchor_file)
|
||||
else O_DEC(opt, "val-bogus-ttl", bogus_ttl)
|
||||
else O_YNO(opt, "val-clean-additional", val_clean_additional)
|
||||
else O_DEC(opt, "val-log-level", val_log_level)
|
||||
@ -1036,7 +1031,6 @@ config_get_option(struct config_file* cfg, const char* opt,
|
||||
else O_LST(opt, "trusted-keys-file", trusted_keys_file_list)
|
||||
else O_YNO(opt, "trust-anchor-signaling", trust_anchor_signaling)
|
||||
else O_YNO(opt, "root-key-sentinel", root_key_sentinel)
|
||||
else O_LST(opt, "dlv-anchor", dlv_anchor_list)
|
||||
else O_LST(opt, "control-interface", control_ifs.first)
|
||||
else O_LST(opt, "domain-insecure", domain_insecure)
|
||||
else O_UNS(opt, "val-override-date", val_date_override)
|
||||
@ -1462,8 +1456,6 @@ config_delete(struct config_file* cfg)
|
||||
config_delstrlist(cfg->trusted_keys_file_list);
|
||||
config_delstrlist(cfg->trust_anchor_list);
|
||||
config_delstrlist(cfg->domain_insecure);
|
||||
free(cfg->dlv_anchor_file);
|
||||
config_delstrlist(cfg->dlv_anchor_list);
|
||||
config_deldblstrlist(cfg->acls);
|
||||
config_deldblstrlist(cfg->tcp_connection_limits);
|
||||
free(cfg->val_nsec3_key_iterations);
|
||||
|
@ -331,10 +331,6 @@ struct config_file {
|
||||
struct config_strlist* auto_trust_anchor_file_list;
|
||||
/** files with trusted DNSKEYs in named.conf format, list */
|
||||
struct config_strlist* trusted_keys_file_list;
|
||||
/** DLV anchor file */
|
||||
char* dlv_anchor_file;
|
||||
/** DLV anchor inline */
|
||||
struct config_strlist* dlv_anchor_list;
|
||||
/** insecure domain list */
|
||||
struct config_strlist* domain_insecure;
|
||||
/** send key tag query */
|
||||
|
1344
util/configparser.c
1344
util/configparser.c
File diff suppressed because it is too large
Load Diff
@ -1,4 +1,4 @@
|
||||
/* A Bison parser, made by GNU Bison 3.5. */
|
||||
/* A Bison parser, made by GNU Bison 3.4.1. */
|
||||
|
||||
/* Bison interface for Yacc-like parsers in C
|
||||
|
||||
|
@ -1120,15 +1120,13 @@ server_root_hints: VAR_ROOT_HINTS STRING_ARG
|
||||
server_dlv_anchor_file: VAR_DLV_ANCHOR_FILE STRING_ARG
|
||||
{
|
||||
OUTYY(("P(server_dlv_anchor_file:%s)\n", $2));
|
||||
free(cfg_parser->cfg->dlv_anchor_file);
|
||||
cfg_parser->cfg->dlv_anchor_file = $2;
|
||||
log_warn("option dlv-anchor-file ignored: DLV is decommissioned");
|
||||
}
|
||||
;
|
||||
server_dlv_anchor: VAR_DLV_ANCHOR STRING_ARG
|
||||
{
|
||||
OUTYY(("P(server_dlv_anchor:%s)\n", $2));
|
||||
if(!cfg_strlist_insert(&cfg_parser->cfg->dlv_anchor_list, $2))
|
||||
yyerror("out of memory");
|
||||
log_warn("option dlv-anchor ignored: DLV is decommissioned");
|
||||
}
|
||||
;
|
||||
server_auto_trust_anchor_file: VAR_AUTO_TRUST_ANCHOR_FILE STRING_ARG
|
||||
|
@ -1030,8 +1030,6 @@ anchors_assemble_rrsets(struct val_anchors* anchors)
|
||||
")", b);
|
||||
(void)rbtree_delete(anchors->tree, &ta->node);
|
||||
lock_basic_unlock(&ta->lock);
|
||||
if(anchors->dlv_anchor == ta)
|
||||
anchors->dlv_anchor = NULL;
|
||||
anchors_delfunc(&ta->node, NULL);
|
||||
ta = next;
|
||||
continue;
|
||||
@ -1103,37 +1101,6 @@ anchors_apply_cfg(struct val_anchors* anchors, struct config_file* cfg)
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
if(cfg->dlv_anchor_file && cfg->dlv_anchor_file[0] != 0) {
|
||||
struct trust_anchor* dlva;
|
||||
nm = cfg->dlv_anchor_file;
|
||||
if(cfg->chrootdir && cfg->chrootdir[0] && strncmp(nm,
|
||||
cfg->chrootdir, strlen(cfg->chrootdir)) == 0)
|
||||
nm += strlen(cfg->chrootdir);
|
||||
if(!(dlva = anchor_read_file(anchors, parsebuf,
|
||||
nm, 1))) {
|
||||
log_err("error reading dlv-anchor-file: %s",
|
||||
cfg->dlv_anchor_file);
|
||||
sldns_buffer_free(parsebuf);
|
||||
return 0;
|
||||
}
|
||||
lock_basic_lock(&anchors->lock);
|
||||
anchors->dlv_anchor = dlva;
|
||||
lock_basic_unlock(&anchors->lock);
|
||||
}
|
||||
for(f = cfg->dlv_anchor_list; f; f = f->next) {
|
||||
struct trust_anchor* dlva;
|
||||
if(!f->str || f->str[0] == 0) /* empty "" */
|
||||
continue;
|
||||
if(!(dlva = anchor_store_str(
|
||||
anchors, parsebuf, f->str))) {
|
||||
log_err("error in dlv-anchor: \"%s\"", f->str);
|
||||
sldns_buffer_free(parsebuf);
|
||||
return 0;
|
||||
}
|
||||
lock_basic_lock(&anchors->lock);
|
||||
anchors->dlv_anchor = dlva;
|
||||
lock_basic_unlock(&anchors->lock);
|
||||
}
|
||||
/* do autr last, so that it sees what anchors are filled by other
|
||||
* means can can print errors about double config for the name */
|
||||
for(f = cfg->auto_trust_anchor_file_list; f; f = f->next) {
|
||||
|
@ -67,8 +67,6 @@ struct val_anchors {
|
||||
* contents of type trust_anchor.
|
||||
*/
|
||||
rbtree_type* tree;
|
||||
/** The DLV trust anchor (if one is configured, else NULL) */
|
||||
struct trust_anchor* dlv_anchor;
|
||||
/** Autotrust global data, anchors sorted by next probe time */
|
||||
struct autr_global_data* autr;
|
||||
};
|
||||
|
@ -965,108 +965,6 @@ static int neg_closest_data(struct val_neg_zone* zone,
|
||||
}
|
||||
}
|
||||
|
||||
int val_neg_dlvlookup(struct val_neg_cache* neg, uint8_t* qname, size_t len,
|
||||
uint16_t qclass, struct rrset_cache* rrset_cache, time_t now)
|
||||
{
|
||||
/* lookup closest zone */
|
||||
struct val_neg_zone* zone;
|
||||
struct val_neg_data* data;
|
||||
int labs;
|
||||
struct ub_packed_rrset_key* nsec;
|
||||
struct packed_rrset_data* d;
|
||||
uint32_t flags;
|
||||
uint8_t* wc;
|
||||
struct query_info qinfo;
|
||||
if(!neg) return 0;
|
||||
|
||||
log_nametypeclass(VERB_ALGO, "negcache dlvlookup", qname,
|
||||
LDNS_RR_TYPE_DLV, qclass);
|
||||
|
||||
labs = dname_count_labels(qname);
|
||||
lock_basic_lock(&neg->lock);
|
||||
zone = neg_closest_zone_parent(neg, qname, len, labs, qclass);
|
||||
while(zone && !zone->in_use)
|
||||
zone = zone->parent;
|
||||
if(!zone) {
|
||||
lock_basic_unlock(&neg->lock);
|
||||
return 0;
|
||||
}
|
||||
log_nametypeclass(VERB_ALGO, "negcache zone", zone->name, 0,
|
||||
zone->dclass);
|
||||
|
||||
/* DLV is defined to use NSEC only */
|
||||
if(zone->nsec3_hash) {
|
||||
lock_basic_unlock(&neg->lock);
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* lookup closest data record */
|
||||
(void)neg_closest_data(zone, qname, len, labs, &data);
|
||||
while(data && !data->in_use)
|
||||
data = data->parent;
|
||||
if(!data) {
|
||||
lock_basic_unlock(&neg->lock);
|
||||
return 0;
|
||||
}
|
||||
log_nametypeclass(VERB_ALGO, "negcache rr", data->name,
|
||||
LDNS_RR_TYPE_NSEC, zone->dclass);
|
||||
|
||||
/* lookup rrset in rrset cache */
|
||||
flags = 0;
|
||||
if(query_dname_compare(data->name, zone->name) == 0)
|
||||
flags = PACKED_RRSET_NSEC_AT_APEX;
|
||||
nsec = rrset_cache_lookup(rrset_cache, data->name, data->len,
|
||||
LDNS_RR_TYPE_NSEC, zone->dclass, flags, now, 0);
|
||||
|
||||
/* check if secure and TTL ok */
|
||||
if(!nsec) {
|
||||
lock_basic_unlock(&neg->lock);
|
||||
return 0;
|
||||
}
|
||||
d = (struct packed_rrset_data*)nsec->entry.data;
|
||||
if(!d || now > d->ttl) {
|
||||
lock_rw_unlock(&nsec->entry.lock);
|
||||
/* delete data record if expired */
|
||||
neg_delete_data(neg, data);
|
||||
lock_basic_unlock(&neg->lock);
|
||||
return 0;
|
||||
}
|
||||
if(d->security != sec_status_secure) {
|
||||
lock_rw_unlock(&nsec->entry.lock);
|
||||
neg_delete_data(neg, data);
|
||||
lock_basic_unlock(&neg->lock);
|
||||
return 0;
|
||||
}
|
||||
verbose(VERB_ALGO, "negcache got secure rrset");
|
||||
|
||||
/* check NSEC security */
|
||||
/* check if NSEC proves no DLV type exists */
|
||||
/* check if NSEC proves NXDOMAIN for qname */
|
||||
qinfo.qname = qname;
|
||||
qinfo.qtype = LDNS_RR_TYPE_DLV;
|
||||
qinfo.qclass = qclass;
|
||||
qinfo.local_alias = NULL;
|
||||
if(!nsec_proves_nodata(nsec, &qinfo, &wc) &&
|
||||
!val_nsec_proves_name_error(nsec, qname)) {
|
||||
/* the NSEC is not a denial for the DLV */
|
||||
lock_rw_unlock(&nsec->entry.lock);
|
||||
lock_basic_unlock(&neg->lock);
|
||||
verbose(VERB_ALGO, "negcache not proven");
|
||||
return 0;
|
||||
}
|
||||
/* so the NSEC was a NODATA proof, or NXDOMAIN proof. */
|
||||
|
||||
/* no need to check for wildcard NSEC; no wildcards in DLV repos */
|
||||
/* no need to lookup SOA record for client; no response message */
|
||||
|
||||
lock_rw_unlock(&nsec->entry.lock);
|
||||
/* if OK touch the LRU for neg_data element */
|
||||
neg_lru_touch(neg, data);
|
||||
lock_basic_unlock(&neg->lock);
|
||||
verbose(VERB_ALGO, "negcache DLV denial proven");
|
||||
return 1;
|
||||
}
|
||||
|
||||
void val_neg_addreferral(struct val_neg_cache* neg, struct reply_info* rep,
|
||||
uint8_t* zone_name)
|
||||
{
|
||||
|
@ -218,26 +218,6 @@ void val_neg_addreply(struct val_neg_cache* neg, struct reply_info* rep);
|
||||
void val_neg_addreferral(struct val_neg_cache* neg, struct reply_info* rep,
|
||||
uint8_t* zone);
|
||||
|
||||
/**
|
||||
* Perform a DLV style lookup
|
||||
* During the lookup, we could find out that data has expired. In that
|
||||
* case the neg_cache entries are removed, and lookup fails.
|
||||
*
|
||||
* @param neg: negative cache.
|
||||
* @param qname: name to look for
|
||||
* @param len: length of qname.
|
||||
* @param qclass: class to look in.
|
||||
* @param rrset_cache: the rrset cache, for NSEC lookups.
|
||||
* @param now: current time for ttl checks.
|
||||
* @return
|
||||
* 0 on error
|
||||
* 0 if no proof of negative
|
||||
* 1 if indeed negative was proven
|
||||
* thus, qname DLV qclass does not exist.
|
||||
*/
|
||||
int val_neg_dlvlookup(struct val_neg_cache* neg, uint8_t* qname, size_t len,
|
||||
uint16_t qclass, struct rrset_cache* rrset_cache, time_t now);
|
||||
|
||||
/**
|
||||
* For the given query, try to get a reply out of the negative cache.
|
||||
* The reply still needs to be validated.
|
||||
|
@ -541,86 +541,3 @@ val_nsec_proves_no_wc(struct ub_packed_rrset_key* nsec, uint8_t* qname,
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
/**
|
||||
* Find shared topdomain that exists
|
||||
*/
|
||||
static void
|
||||
dlv_topdomain(struct ub_packed_rrset_key* nsec, uint8_t* qname,
|
||||
uint8_t** nm, size_t* nm_len)
|
||||
{
|
||||
/* make sure reply is part of nm */
|
||||
/* take shared topdomain with left of NSEC. */
|
||||
|
||||
/* because, if empty nonterminal, then right is subdomain of qname.
|
||||
* and any shared topdomain would be empty nonterminals.
|
||||
*
|
||||
* If nxdomain, then the right is bigger, and could have an
|
||||
* interesting shared topdomain, but if it does have one, it is
|
||||
* an empty nonterminal. An empty nonterminal shared with the left
|
||||
* one. */
|
||||
int n;
|
||||
uint8_t* common = dname_get_shared_topdomain(qname, nsec->rk.dname);
|
||||
n = dname_count_labels(*nm) - dname_count_labels(common);
|
||||
dname_remove_labels(nm, nm_len, n);
|
||||
}
|
||||
|
||||
int val_nsec_check_dlv(struct query_info* qinfo,
|
||||
struct reply_info* rep, uint8_t** nm, size_t* nm_len)
|
||||
{
|
||||
uint8_t* next;
|
||||
size_t i, nlen;
|
||||
int c;
|
||||
/* we should now have a NOERROR/NODATA or NXDOMAIN message */
|
||||
if(rep->an_numrrsets != 0) {
|
||||
return 0;
|
||||
}
|
||||
/* is this NOERROR ? */
|
||||
if(FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NOERROR) {
|
||||
/* it can be a plain NSEC match - go up one more level. */
|
||||
/* or its an empty nonterminal - go up to nonempty level */
|
||||
for(i=0; i<rep->ns_numrrsets; i++) {
|
||||
if(htons(rep->rrsets[i]->rk.type)!=LDNS_RR_TYPE_NSEC ||
|
||||
!nsec_get_next(rep->rrsets[i], &next, &nlen))
|
||||
continue;
|
||||
c = dname_canonical_compare(
|
||||
rep->rrsets[i]->rk.dname, qinfo->qname);
|
||||
if(c == 0) {
|
||||
/* plain match */
|
||||
if(nsec_has_type(rep->rrsets[i],
|
||||
LDNS_RR_TYPE_DLV))
|
||||
return 0;
|
||||
dname_remove_label(nm, nm_len);
|
||||
return 1;
|
||||
} else if(c < 0 &&
|
||||
dname_strict_subdomain_c(next, qinfo->qname)) {
|
||||
/* ENT */
|
||||
dlv_topdomain(rep->rrsets[i], qinfo->qname,
|
||||
nm, nm_len);
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* is this NXDOMAIN ? */
|
||||
if(FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NXDOMAIN) {
|
||||
/* find the qname denial NSEC record. It can tell us
|
||||
* a closest encloser name; or that we not need bother */
|
||||
for(i=0; i<rep->ns_numrrsets; i++) {
|
||||
if(htons(rep->rrsets[i]->rk.type) != LDNS_RR_TYPE_NSEC)
|
||||
continue;
|
||||
if(val_nsec_proves_name_error(rep->rrsets[i],
|
||||
qinfo->qname)) {
|
||||
log_nametypeclass(VERB_ALGO, "topdomain on",
|
||||
rep->rrsets[i]->rk.dname,
|
||||
ntohs(rep->rrsets[i]->rk.type), 0);
|
||||
dlv_topdomain(rep->rrsets[i], qinfo->qname,
|
||||
nm, nm_len);
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
@ -158,19 +158,6 @@ uint8_t* nsec_closest_encloser(uint8_t* qname,
|
||||
int val_nsec_proves_no_wc(struct ub_packed_rrset_key* nsec, uint8_t* qname,
|
||||
size_t qnamelen);
|
||||
|
||||
/**
|
||||
* Determine the DLV result, what to do with NSEC DLV reply.
|
||||
* @param qinfo: what was queried for.
|
||||
* @param rep: the nonpositive reply.
|
||||
* @param nm: dlv lookup name, to adjust for new lookup name (if needed).
|
||||
* @param nm_len: length of lookup name.
|
||||
* @return 0 on error, 1 if a higher point is found.
|
||||
* If the higher point is above the dlv repo anchor, the qname does
|
||||
* not exist.
|
||||
*/
|
||||
int val_nsec_check_dlv(struct query_info* qinfo,
|
||||
struct reply_info* rep, uint8_t** nm, size_t* nm_len);
|
||||
|
||||
/**
|
||||
* Determine if an nsec proves an insecure delegation towards the qname.
|
||||
* @param nsec: nsec rrset.
|
||||
|
@ -137,8 +137,6 @@ enum val_state {
|
||||
VAL_VALIDATE_STATE,
|
||||
/** finish up */
|
||||
VAL_FINISHED_STATE,
|
||||
/** DLV lookup state, processing DLV queries */
|
||||
VAL_DLVLOOKUP_STATE
|
||||
};
|
||||
|
||||
/**
|
||||
@ -217,27 +215,6 @@ struct val_qstate {
|
||||
|
||||
/** true if this state is waiting to prime a trust anchor */
|
||||
int wait_prime_ta;
|
||||
|
||||
/** have we already checked the DLV? */
|
||||
int dlv_checked;
|
||||
/** The name for which the DLV is looked up. For the current message
|
||||
* or for the current RRset (for CNAME, REFERRAL types).
|
||||
* If there is signer name, that may be it, else a domain name */
|
||||
uint8_t* dlv_lookup_name;
|
||||
/** length of dlv lookup name */
|
||||
size_t dlv_lookup_name_len;
|
||||
/** Name at which chain of trust stopped with insecure, starting DLV
|
||||
* DLV must result in chain going further down */
|
||||
uint8_t* dlv_insecure_at;
|
||||
/** length of dlv insecure point name */
|
||||
size_t dlv_insecure_at_len;
|
||||
/** status of DLV lookup. Indication to VAL_DLV_STATE what to do */
|
||||
enum dlv_status {
|
||||
dlv_error, /* server failure */
|
||||
dlv_success, /* got a DLV */
|
||||
dlv_ask_higher, /* ask again */
|
||||
dlv_there_is_no_dlv /* got no DLV, sure of it */
|
||||
} dlv_status;
|
||||
};
|
||||
|
||||
/**
|
||||
|
Loading…
Reference in New Issue
Block a user