summaryrefslogtreecommitdiff
path: root/validator/val_nsec.c
diff options
context:
space:
mode:
Diffstat (limited to 'validator/val_nsec.c')
-rw-r--r--validator/val_nsec.c13
1 files changed, 8 insertions, 5 deletions
diff --git a/validator/val_nsec.c b/validator/val_nsec.c
index 1e4f440ffc091..4604f3d6d4232 100644
--- a/validator/val_nsec.c
+++ b/validator/val_nsec.c
@@ -176,7 +176,7 @@ val_nsec_proves_no_ds(struct ub_packed_rrset_key* nsec,
static int
nsec_verify_rrset(struct module_env* env, struct val_env* ve,
struct ub_packed_rrset_key* nsec, struct key_entry_key* kkey,
- char** reason)
+ char** reason, struct module_qstate* qstate)
{
struct packed_rrset_data* d = (struct packed_rrset_data*)
nsec->entry.data;
@@ -185,7 +185,8 @@ nsec_verify_rrset(struct module_env* env, struct val_env* ve,
rrset_check_sec_status(env->rrset_cache, nsec, *env->now);
if(d->security == sec_status_secure)
return 1;
- d->security = val_verify_rrset_entry(env, ve, nsec, kkey, reason);
+ d->security = val_verify_rrset_entry(env, ve, nsec, kkey, reason,
+ LDNS_SECTION_AUTHORITY, qstate);
if(d->security == sec_status_secure) {
rrset_update_sec_status(env->rrset_cache, nsec, *env->now);
return 1;
@@ -196,7 +197,8 @@ nsec_verify_rrset(struct module_env* env, struct val_env* ve,
enum sec_status
val_nsec_prove_nodata_dsreply(struct module_env* env, struct val_env* ve,
struct query_info* qinfo, struct reply_info* rep,
- struct key_entry_key* kkey, time_t* proof_ttl, char** reason)
+ struct key_entry_key* kkey, time_t* proof_ttl, char** reason,
+ struct module_qstate* qstate)
{
struct ub_packed_rrset_key* nsec = reply_find_rrset_section_ns(
rep, qinfo->qname, qinfo->qname_len, LDNS_RR_TYPE_NSEC,
@@ -213,7 +215,7 @@ val_nsec_prove_nodata_dsreply(struct module_env* env, struct val_env* ve,
* 1) this is a delegation point and there is no DS
* 2) this is not a delegation point */
if(nsec) {
- if(!nsec_verify_rrset(env, ve, nsec, kkey, reason)) {
+ if(!nsec_verify_rrset(env, ve, nsec, kkey, reason, qstate)) {
verbose(VERB_ALGO, "NSEC RRset for the "
"referral did not verify.");
return sec_status_bogus;
@@ -242,7 +244,8 @@ val_nsec_prove_nodata_dsreply(struct module_env* env, struct val_env* ve,
i++) {
if(rep->rrsets[i]->rk.type != htons(LDNS_RR_TYPE_NSEC))
continue;
- if(!nsec_verify_rrset(env, ve, rep->rrsets[i], kkey, reason)) {
+ if(!nsec_verify_rrset(env, ve, rep->rrsets[i], kkey, reason,
+ qstate)) {
verbose(VERB_ALGO, "NSEC for empty non-terminal "
"did not verify.");
return sec_status_bogus;
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-08 08:11:04 +0000