authorDoug Barton <dougb@FreeBSD.org>2009-12-11 01:38:30 +0000
committerDoug Barton <dougb@FreeBSD.org>2009-12-11 01:38:30 +0000
commit72f8010e43551591a94f39b3eb7e804bc4462f80 (patch)
tree3a8a009bbfbba1032c32c8f9f87057cc25675884 /lib/dns/resolver.c
parent1b113bcf17062a4582fb89ebba8f67126541c6fb (diff)
Diffstat (limited to 'lib/dns/resolver.c')
-rw-r--r--lib/dns/resolver.c33
1 files changed, 28 insertions, 5 deletions
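diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index dc648c9c36732..66e79c53e0d14 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: resolver.c,v 1.284.18.79 2008/10/17 22:02:13 jinmei Exp $ */
+/* $Id: resolver.c,v 1.284.18.79.2.1 2009/11/19 00:25:17 marka Exp $ */
 /*! \file */
@@ -3887,6 +3887,7 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
 * for it, unless it is glue.
 */
 if (secure_domain && rdataset->trust != dns_trust_glue) {
+ dns_trust_t trust;
 /*
 * RRSIGs are validated as part of validating the
 * type they cover.
@@ -3923,12 +3924,34 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
 }
 /*
+ * Reject out of bailiwick additional records
+ * without RRSIGs as they can't possibly validate
+ * as "secure" and as we will never never want to
+ * store these as "answers" after validation.
+ */
+ if (rdataset->trust == dns_trust_additional &&
+ sigrdataset == NULL && EXTERNAL(rdataset))
+ continue;
+
+ /*
+ * XXXMPA: If we store as "answer" after validating
+ * then we need to do bailiwick processing and
+ * also need to track whether RRsets are in or
+ * out of bailiwick. This will require a another
+ * pending trust level.
+ *
 * Cache this rdataset/sigrdataset pair as
- * pending data.
+ * pending data. Track whether it was additional
+ * or not.
 */
- rdataset->trust = dns_trust_pending;
+ if (rdataset->trust == dns_trust_additional)
+ trust = dns_trust_pending_additional;
+ else
+ trust = dns_trust_pending_answer;
+
+ rdataset->trust = trust;
 if (sigrdataset != NULL)
- sigrdataset->trust = dns_trust_pending;
+ sigrdataset->trust = trust;
 if (!need_validation)
 addedrdataset = ardataset;
 else
@@ -4276,7 +4299,7 @@ ncache_message(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
 for (trdataset = ISC_LIST_HEAD(tname->list);
 trdataset != NULL;
 trdataset = ISC_LIST_NEXT(trdataset, link))
- trdataset->trust = dns_trust_pending;
+ trdataset->trust = dns_trust_pending_answer;
 result = dns_message_nextname(fctx->rmessage,
 DNS_SECTION_AUTHORITY);
 }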
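Review bot: The new rejection of unsigned out-of-bailiwick additional records in the second cache_name hunk (`if (rdataset->trust == dns_trust_additional && sigrdataset == NULL && EXTERNAL(rdataset)) continue;`) appears to sit inside the `secure_domain` branch opened in the previous hunk, since it shares the `trust` local declared there; if so, the comment should say that this filter applies only when validation is in play and that the insecure-domain path is expected to handle such records elsewhere, otherwise a reader will assume all unsigned external additional data is dropped here. The same comment block has two wording slips worth fixing while it is being touched: `never never want to` should read `never want to`, and `require a another` should read `require another`. The trust mapping could also be written as a single conditional, `trust = (rdataset->trust == dns_trust_additional) ? dns_trust_pending_additional : dns_trust_pending_answer;`, which keeps the distinction in one line next to the comment that explains it. cache_name begins before the hunk and continues past it, so the loop the `continue` targets is not visible here.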