| author | Doug Barton <dougb@FreeBSD.org> | 2011-02-05 03:14:55 +0000 | 
|---|---|---|
| committer | Doug Barton <dougb@FreeBSD.org> | 2011-02-05 03:14:55 +0000 | 
| commit | fccc60c828fe78d2bd780145733aec0ab99dc91f (patch) | |
| tree | 601b0776df11a070020ab894b76fd90e36393936 /lib/dns/validator.c | |
| parent | f805c4c11684ad447d955512cb705ebc2aba9ef3 (diff) | |
Diffstat (limited to 'lib/dns/validator.c')
| -rw-r--r-- | lib/dns/validator.c | 74 | 
1 files changed, 45 insertions, 29 deletions
|
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index fc6f4544c3c8..054c5a67ce28 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
-/* $Id: validator.c,v 1.164.12.11.10.7 2010/11/16 01:48:32 marka Exp $ */
+/* $Id: validator.c,v 1.164.12.23 2010-11-16 02:23:44 marka Exp $ */
 #include <config.h>
@@ -2135,7 +2135,7 @@ dlv_validatezonekey(dns_validator_t *val) {
 					     &sigrdata);
 			result = dns_rdata_tostruct(&sigrdata, &sig, NULL);
 			RUNTIME_CHECK(result == ISC_R_SUCCESS);
-			if (dlv.key_tag != sig.keyid &&
+			if (dlv.key_tag != sig.keyid ||
 			    dlv.algorithm != sig.algorithm)
 				continue;
 			dstkey = NULL;
@@ -2218,6 +2218,17 @@ validatezonekey(dns_validator_t *val) {
 		return (dlv_validatezonekey(val));
 	if (val->dsset == NULL) {
+
+		/*
+		 * We have a dlv sep.  Skip looking up the SEP from
+		 * {trusted,managed}-keys.  If the dlv sep is for the
+		 * root then it will have been handled above so we don't
+		 * need to check whether val->event->name is "." prior to
+		 * looking up the DS.
+		 */
+		if (val->havedlvsep)
+			goto find_ds;
+
 		/*
 		 * First, see if this key was signed by a trusted key.
 		 */
@@ -2250,13 +2261,13 @@ validatezonekey(dns_validator_t *val) {
 				  val->event->name, found) != ISC_R_SUCCESS) {
 				if (val->mustbesecure) {
 					validator_log(val, ISC_LOG_WARNING,
-						      "must be secure failure, "
-						      "not beneath secure root");
+						     "must be secure failure, "
+						     "not beneath secure root");
 					return (DNS_R_MUSTBESECURE);
 				} else
 					validator_log(val, ISC_LOG_DEBUG(3),
-						      "not beneath secure root");
-				if (val->view->dlv == NULL || DLVTRIED(val)) {
+						     "not beneath secure root");
+				if (val->view->dlv == NULL) {
 					markanswer(val, "validatezonekey (1)");
 					return (ISC_R_SUCCESS);
 				}
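Review bot: The corrected `||` on the changed line means a candidate key is now skipped unless both its tag and its algorithm match the DLV record; under the old `&&` any key agreeing on just one of the two fields fell through to the key lookup and signature verification that follow, so each such stray key cost a verify before (presumably) a later digest comparison rejected it. Because a two-field mismatch test reads as if it could be "simplified", a comment would keep it from being turned back: `/* The key tag and the algorithm must both match this DLV record. */`. dlv_validatezonekey() begins and ends outside this hunk, so whether a digest check follows the verify cannot be confirmed from here.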
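Review bot: Dropping `DLVTRIED(val)` from the condition on the last changed line means a validator that has already attempted a DLV lookup no longer returns here as insecure when `val->view->dlv` is configured; the code after the hunk, which is not visible, must now check DLVTRIED itself before starting another DLV fetch, or a failed DLV lookup could be re-issued on every pass through validatezonekey(). If that guard exists downstream, say so where the early return was removed: `/* DLV is configured: keep going; the DLV path below consults DLVTRIED. */`. validatezonekey() begins and ends outside this hunk.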
@@ -2292,17 +2303,6 @@ validatezonekey(dns_validator_t *val) {
 			}
 		}
-		/*
-		 * If this is the root name and there was no trusted key,
-		 * give up, since there's no DS at the root.
-		 */
-		if (dns_name_equal(event->name, dns_rootname)) {
-			if ((val->attributes & VALATTR_TRIEDVERIFY) != 0)
-				return (DNS_R_NOVALIDSIG);
-			else
-				return (DNS_R_NOVALIDDS);
-		}
-
 		if (atsep) {
 			/*
 			 * We have not found a key to verify this DNSKEY
@@ -2323,6 +2323,22 @@ validatezonekey(dns_validator_t *val) {
 		}
 		/*
+		 * If this is the root name and there was no trusted key,
+		 * give up, since there's no DS at the root.
+		 */
+		if (dns_name_equal(event->name, dns_rootname)) {
+			if ((val->attributes & VALATTR_TRIEDVERIFY) != 0) {
+				validator_log(val, ISC_LOG_DEBUG(3),
+					      "root key failed to validate");
+				return (DNS_R_NOVALIDSIG);
+			} else {
+				validator_log(val, ISC_LOG_DEBUG(3),
+					      "no trusted root key");
+				return (DNS_R_NOVALIDDS);
+			}
+		}
+ find_ds:
+		/*
 		 * Otherwise, try to find the DS record.
 		 */
 		result = view_find(val, val->event->name, dns_rdatatype_ds);
@@ -4038,19 +4054,19 @@ dns_validator_cancel(dns_validator_t *validator) {
 	validator_log(validator, ISC_LOG_DEBUG(3), "dns_validator_cancel");
-	if (validator->event != NULL) {
-		if (validator->fetch != NULL)
-			dns_resolver_cancelfetch(validator->fetch);
-
-		if (validator->subvalidator != NULL)
-			dns_validator_cancel(validator->subvalidator);
-		if ((validator->options & DNS_VALIDATOR_DEFER) != 0) {
-			isc_task_t *task = validator->event->ev_sender;
-			validator->options &= ~DNS_VALIDATOR_DEFER;
-			isc_event_free((isc_event_t **)&validator->event);
-			isc_task_detach(&task);
-		}
+	if ((validator->attributes & VALATTR_CANCELED) == 0) {
 		validator->attributes |= VALATTR_CANCELED;
+		if (validator->event != NULL) {
+			if (validator->fetch != NULL)
+				dns_resolver_cancelfetch(validator->fetch);
+
+			if (validator->subvalidator != NULL)
+				dns_validator_cancel(validator->subvalidator);
+			if ((validator->options & DNS_VALIDATOR_DEFER) != 0) {
+				validator->options &= ~DNS_VALIDATOR_DEFER;
+				validator_done(validator, ISC_R_CANCELED);
+			}
+		}
 	}
 	UNLOCK(&validator->lock);
 }
|
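Review bot: `validator_done(validator, ISC_R_CANCELED)` is now called while `validator->lock` is still held (the UNLOCK is two lines later; the matching LOCK sits above the hunk), where the removed code merely freed the deferred event and detached the task without calling back into the validator. If validator_done(), defined outside this hunk, takes the same lock or synchronously runs the completion callback, this is a self-deadlock or a callback executing under the validator's lock — confirm it only posts the event to the owning task. The behavioural change is also worth recording at the call site, since deferred callers now receive ISC_R_CANCELED instead of never hearing back: `/* Deliver ISC_R_CANCELED to the deferred caller rather than dropping the event. */`. The new VALATTR_CANCELED guard makes repeated cancels a no-op, which deserves a one-line comment on the outer `if` as well.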
