Diffstat (limited to 'validator/validator.c')
-rw-r--r--validator/validator.c24
1 files changed, 14 insertions, 10 deletions
diff --git a/validator/validator.c b/validator/validator.c
index 111cbe140353e..456bffd005f30 100644
--- a/validator/validator.c
+++ b/validator/validator.c
@@ -572,7 +572,8 @@ validate_msg_signatures(struct module_qstate* qstate, struct module_env* env,
}
/* Verify the answer rrset */
- sec = val_verify_rrset_entry(env, ve, s, key_entry, &reason);
+ sec = val_verify_rrset_entry(env, ve, s, key_entry, &reason,
+ LDNS_SECTION_ANSWER, qstate);
/* If the (answer) rrset failed to validate, then this
* message is BAD. */
if(sec != sec_status_secure) {
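Review bot: The section constant is hard-coded at each call site (`LDNS_SECTION_ANSWER` here, `LDNS_SECTION_AUTHORITY` and `LDNS_SECTION_ADDITIONAL` in the next two hunks), and nothing at the call says what the verifier does with it. If val_verify_rrset_entry applies section-specific checks, which is inferred from the new parameter and not visible in this diff, a constant that drifts from the loop it sits in would change the validation result with no compile-time signal. I would add a comment at this first call, e.g. `/* section must match the part of chase_reply being walked; the verifier uses it for section-specific checks */`, and document the parameter on the prototype. validate_msg_signatures starts and ends outside these hunks.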
@@ -601,7 +602,8 @@ validate_msg_signatures(struct module_qstate* qstate, struct module_env* env,
for(i=chase_reply->an_numrrsets; i<chase_reply->an_numrrsets+
chase_reply->ns_numrrsets; i++) {
s = chase_reply->rrsets[i];
- sec = val_verify_rrset_entry(env, ve, s, key_entry, &reason);
+ sec = val_verify_rrset_entry(env, ve, s, key_entry, &reason,
+ LDNS_SECTION_AUTHORITY, qstate);
/* If anything in the authority section fails to be secure,
* we have a bad message. */
if(sec != sec_status_secure) {
@@ -629,7 +631,7 @@ validate_msg_signatures(struct module_qstate* qstate, struct module_env* env,
val_find_rrset_signer(s, &sname, &slen);
if(sname && query_dname_compare(sname, key_entry->name)==0)
(void)val_verify_rrset_entry(env, ve, s, key_entry,
- &reason);
+ &reason, LDNS_SECTION_ADDITIONAL, qstate);
/* the additional section can fail to be secure,
* it is optional, check signature in case we need
* to clean the additional section later. */
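Review bot: The return value of this call is discarded with `(void)`, but the call now also receives `qstate`, so any per-query state the callee records on a failed verification would persist even though the additional section is allowed to fail. Whether val_verify_rrset_entry writes to qstate is not visible here; if it does, confirm that it keys on `LDNS_SECTION_ADDITIONAL` so that an unverifiable optional rrset cannot mark the whole answer. The multi-line call is also the unbraced body of the `if`, so braces around it would make the next edit safer. The enclosing loop continues outside the hunk.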
@@ -2484,7 +2486,7 @@ primeResponseToKE(struct ub_packed_rrset_key* dnskey_rrset,
/* attempt to verify with trust anchor DS and DNSKEY */
kkey = val_verify_new_DNSKEYs_with_ta(qstate->region, qstate->env, ve,
dnskey_rrset, ta->ds_rrset, ta->dnskey_rrset, downprot,
- &reason);
+ &reason, qstate);
if(!kkey) {
log_err("out of memory: verifying prime TA");
return NULL;
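Review bot: This call now passes `qstate->region`, `qstate->env` and `qstate` itself, so the callee receives the same object three ways; the val_verify_new_DNSKEYs call in process_dnskey_response does the same. The prototype documentation should state the invariant, e.g. `@param qstate: query state; region and env must belong to it`, so a later caller cannot mix a region from one query with the state of another. Separately, the NULL branch still logs only "out of memory"; if the added argument gives the callee new ways to return NULL (not visible in this diff), that message would mislabel them. primeResponseToKE extends beyond the hunk.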
@@ -2574,7 +2576,7 @@ ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq,
/* Verify only returns BOGUS or SECURE. If the rrset is
* bogus, then we are done. */
sec = val_verify_rrset_entry(qstate->env, ve, ds,
- vq->key_entry, &reason);
+ vq->key_entry, &reason, LDNS_SECTION_ANSWER, qstate);
if(sec != sec_status_secure) {
verbose(VERB_DETAIL, "DS rrset in DS response did "
"not verify");
@@ -2621,7 +2623,7 @@ ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq,
/* Try to prove absence of the DS with NSEC */
sec = val_nsec_prove_nodata_dsreply(
qstate->env, ve, qinfo, msg->rep, vq->key_entry,
- &proof_ttl, &reason);
+ &proof_ttl, &reason, qstate);
switch(sec) {
case sec_status_secure:
verbose(VERB_DETAIL, "NSEC RRset for the "
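Review bot: val_nsec_prove_nodata_dsreply gets `qstate` but no section argument, unlike the val_verify_rrset_entry calls in this function, and the same holds for nsec3_prove_nods in the next hunk. The NSEC3 call is handed authority-section rrsets (`msg->rep->rrsets + msg->rep->an_numrrsets`), so presumably both provers pass `LDNS_SECTION_AUTHORITY` themselves when they verify signatures. That should be confirmed in the companion change, because a denial proof verified under a different section would skip whatever authority-specific checks the new parameter enables. A one-line comment such as `/* NSEC rrsets are verified as authority-section data inside the prover */` would show the asymmetry is intentional. ds_response_to_ke extends beyond the hunk.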
@@ -2649,7 +2651,8 @@ ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq,
sec = nsec3_prove_nods(qstate->env, ve,
msg->rep->rrsets + msg->rep->an_numrrsets,
- msg->rep->ns_numrrsets, qinfo, vq->key_entry, &reason);
+ msg->rep->ns_numrrsets, qinfo, vq->key_entry, &reason,
+ qstate);
switch(sec) {
case sec_status_insecure:
/* case insecure also continues to unsigned
@@ -2710,7 +2713,7 @@ ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq,
goto return_bogus;
}
sec = val_verify_rrset_entry(qstate->env, ve, cname,
- vq->key_entry, &reason);
+ vq->key_entry, &reason, LDNS_SECTION_ANSWER, qstate);
if(sec == sec_status_secure) {
verbose(VERB_ALGO, "CNAME validated, "
"proof that DS does not exist");
@@ -2876,7 +2879,7 @@ process_dnskey_response(struct module_qstate* qstate, struct val_qstate* vq,
}
downprot = qstate->env->cfg->harden_algo_downgrade;
vq->key_entry = val_verify_new_DNSKEYs(qstate->region, qstate->env,
- ve, dnskey, vq->ds_rrset, downprot, &reason);
+ ve, dnskey, vq->ds_rrset, downprot, &reason, qstate);
if(!vq->key_entry) {
log_err("out of memory in verify new DNSKEYs");
@@ -2952,7 +2955,8 @@ process_prime_response(struct module_qstate* qstate, struct val_qstate* vq,
}
if(ta->autr) {
- if(!autr_process_prime(qstate->env, ve, ta, dnskey_rrset)) {
+ if(!autr_process_prime(qstate->env, ve, ta, dnskey_rrset,
+ qstate)) {
/* trust anchor revoked, restart with less anchors */
vq->state = VAL_INIT_STATE;
vq->trust_anchor_name = NULL;