From: Remi Gacogne <remi.gacogne@powerdns.com>
Date: Wed, 26 Jul 2017 13:51:21 +0000 (+0200)
Subject: rec: Don't always validate when DNSSEC is set to process
X-Git-Tag: dnsdist-1.2.0~34^2
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=0c43f455a5a5f729562f21f1ddd533bb1180fb5a;p=pdns

rec: Don't always validate when DNSSEC is set to process

Also fix DNSSEC validation statistics.
---

diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc
index 997739a09..01e69844a 100644
--- a/pdns/pdns_recursor.cc
+++ b/pdns/pdns_recursor.cc
@@ -765,6 +765,7 @@ static void startDoResolve(void *p)
     uint32_t minTTL=std::numeric_limits<uint32_t>::max();
 
     SyncRes sr(dc->d_now);
+
     bool DNSSECOK=false;
     if(t_pdl) {
       sr.setLuaEngine(t_pdl);
@@ -782,9 +783,12 @@ static void startDoResolve(void *p)
       // Ignore the client-set CD flag
       pw.getHeader()->cd=0;
     }
+    sr.setDNSSECValidationRequested(g_dnssecmode == DNSSECMode::ValidateAll || g_dnssecmode==DNSSECMode::ValidateForLog || ((dc->d_mdp.d_header.ad || DNSSECOK) && g_dnssecmode==DNSSECMode::Process));
+
 #ifdef HAVE_PROTOBUF
     sr.setInitialRequestId(dc->d_uuid);
 #endif
+
     if (g_useIncomingECS) {
       sr.setIncomingECSFound(dc->d_ecsFound);
       if (dc->d_ecsFound) {
@@ -1030,7 +1034,7 @@ static void startDoResolve(void *p)
       pw.getHeader()->rcode=res;
 
       // Does the validation mode or query demand validation?
-      if(!shouldNotValidate && (g_dnssecmode == DNSSECMode::ValidateAll || g_dnssecmode==DNSSECMode::ValidateForLog || ((dc->d_mdp.d_header.ad || DNSSECOK) && g_dnssecmode==DNSSECMode::Process))) {
+      if(!shouldNotValidate && sr.isDNSSECValidationRequested()) {
         try {
           if(sr.doLog()) {
             L<<Logger::Warning<<"Starting validation of answer to "<<dc->d_mdp.d_qname<<"|"<<QType(dc->d_mdp.d_qtype).getName()<<" for "<<dc->d_remote.toStringWithPort()<<endl;
diff --git a/pdns/recursordist/test-syncres_cc.cc b/pdns/recursordist/test-syncres_cc.cc
index cca6af233..399e49f5b 100644
--- a/pdns/recursordist/test-syncres_cc.cc
+++ b/pdns/recursordist/test-syncres_cc.cc
@@ -171,13 +171,22 @@ static void initSR(std::unique_ptr<SyncRes>& sr, bool dnssec=false, bool debug=f
 
   sr = std::unique_ptr<SyncRes>(new SyncRes(now));
   sr->setDoEDNS0(true);
-  sr->setDoDNSSEC(dnssec);
+  if (dnssec) {
+    sr->setDoDNSSEC(dnssec);
+  }
+
   sr->setLogMode(debug == false ? SyncRes::LogNone : SyncRes::Log);
 
   SyncRes::setDomainMap(std::make_shared<SyncRes::domainmap_t>());
   SyncRes::clearNegCache();
 }
 
+static void setDNSSECValidation(std::unique_ptr<SyncRes>& sr, const DNSSECMode& mode)
+{
+  sr->setDNSSECValidationRequested(true);
+  g_dnssecmode = mode;
+}
+
 static void setLWResult(LWResult* res, int rcode, bool aa=false, bool tc=false, bool edns=false)
 {
   res->d_rcode = rcode;
@@ -3208,7 +3217,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_root_validation_csk) {
   std::unique_ptr<SyncRes> sr;
   initSR(sr, true);
 
-  g_dnssecmode = DNSSECMode::ValidateAll;
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
 
   primeHints();
   const DNSName target(".");
@@ -3273,7 +3282,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_root_validation_ksk_zsk) {
   std::unique_ptr<SyncRes> sr;
   initSR(sr, true);
 
-  g_dnssecmode = DNSSECMode::ValidateAll;
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
 
   primeHints();
   const DNSName target(".");
@@ -3359,7 +3368,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_bogus_no_dnskey) {
   std::unique_ptr<SyncRes> sr;
   initSR(sr, true);
 
-  g_dnssecmode = DNSSECMode::ValidateAll;
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
 
   primeHints();
   const DNSName target(".");
@@ -3423,7 +3432,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_bogus_dnskey_doesnt_match_ds) {
   std::unique_ptr<SyncRes> sr;
   initSR(sr, true);
 
-  g_dnssecmode = DNSSECMode::ValidateAll;
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
 
   primeHints();
   const DNSName target(".");
@@ -3508,7 +3517,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_bogus_rrsig_signed_with_unknown_dnskey) {
   std::unique_ptr<SyncRes> sr;
   initSR(sr, true);
 
-  g_dnssecmode = DNSSECMode::ValidateAll;
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
 
   primeHints();
   const DNSName target(".");
@@ -3583,7 +3592,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_bogus_no_rrsig) {
   std::unique_ptr<SyncRes> sr;
   initSR(sr, true);
 
-  g_dnssecmode = DNSSECMode::ValidateAll;
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
 
   primeHints();
   const DNSName target(".");
@@ -3649,7 +3658,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_insecure_unknown_ds_algorithm) {
   std::unique_ptr<SyncRes> sr;
   initSR(sr, true);
 
-  g_dnssecmode = DNSSECMode::ValidateAll;
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
 
   primeHints();
   const DNSName target(".");
@@ -3730,7 +3739,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_insecure_unknown_ds_digest) {
   std::unique_ptr<SyncRes> sr;
   initSR(sr, true);
 
-  g_dnssecmode = DNSSECMode::ValidateAll;
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
 
   primeHints();
   const DNSName target(".");
@@ -3809,7 +3818,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_bogus_bad_sig) {
   std::unique_ptr<SyncRes> sr;
   initSR(sr, true);
 
-  g_dnssecmode = DNSSECMode::ValidateAll;
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
 
   primeHints();
   const DNSName target(".");
@@ -3875,7 +3884,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_bogus_bad_algo) {
   std::unique_ptr<SyncRes> sr;
   initSR(sr, true);
 
-  g_dnssecmode = DNSSECMode::ValidateAll;
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
 
   primeHints();
   const DNSName target(".");
@@ -3942,7 +3951,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_secure_various_algos) {
   std::unique_ptr<SyncRes> sr;
   initSR(sr, true);
 
-  g_dnssecmode = DNSSECMode::ValidateAll;
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
 
   primeHints();
   const DNSName target("powerdns.com.");
@@ -4041,7 +4050,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_secure_a_then_ns) {
   std::unique_ptr<SyncRes> sr;
   initSR(sr, true);
 
-  g_dnssecmode = DNSSECMode::ValidateAll;
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
 
   primeHints();
   const DNSName target("powerdns.com.");
@@ -4149,7 +4158,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_insecure_a_then_ns) {
   std::unique_ptr<SyncRes> sr;
   initSR(sr, true);
 
-  g_dnssecmode = DNSSECMode::ValidateAll;
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
 
   primeHints();
   const DNSName target("powerdns.com.");
@@ -4253,7 +4262,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_secure_with_nta) {
   std::unique_ptr<SyncRes> sr;
   initSR(sr, true);
 
-  g_dnssecmode = DNSSECMode::ValidateAll;
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
 
   primeHints();
   const DNSName target("powerdns.com.");
@@ -4357,7 +4366,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_bogus_with_nta) {
   std::unique_ptr<SyncRes> sr;
   initSR(sr, true);
 
-  g_dnssecmode = DNSSECMode::ValidateAll;
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
 
   primeHints();
   const DNSName target("powerdns.com.");
@@ -4445,7 +4454,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec) {
   std::unique_ptr<SyncRes> sr;
   initSR(sr, true);
 
-  g_dnssecmode = DNSSECMode::ValidateAll;
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
 
   primeHints();
   const DNSName target("powerdns.com.");
@@ -4541,7 +4550,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_validation_nxdomain_nsec) {
   std::unique_ptr<SyncRes> sr;
   initSR(sr, true);
 
-  g_dnssecmode = DNSSECMode::ValidateAll;
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
 
   primeHints();
   const DNSName target("nx.powerdns.com.");
@@ -4649,7 +4658,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec_wildcard) {
   std::unique_ptr<SyncRes> sr;
   initSR(sr, true);
 
-  g_dnssecmode = DNSSECMode::ValidateAll;
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
 
   primeHints();
   const DNSName target("www.powerdns.com.");
@@ -4752,7 +4761,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_no_ds_on_referral_secure) {
   std::unique_ptr<SyncRes> sr;
   initSR(sr, true);
 
-  g_dnssecmode = DNSSECMode::ValidateAll;
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
 
   primeHints();
   const DNSName target("www.powerdns.com.");
@@ -4862,7 +4871,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_no_ds_on_referral_insecure) {
   std::unique_ptr<SyncRes> sr;
   initSR(sr, true);
 
-  g_dnssecmode = DNSSECMode::ValidateAll;
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
 
   primeHints();
   const DNSName target("www.powerdns.com.");
@@ -4971,7 +4980,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_validation_bogus_unsigned_nsec) {
   std::unique_ptr<SyncRes> sr;
   initSR(sr, true);
 
-  g_dnssecmode = DNSSECMode::ValidateAll;
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
 
   primeHints();
   const DNSName target("powerdns.com.");
@@ -5064,7 +5073,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_validation_bogus_no_nsec) {
   std::unique_ptr<SyncRes> sr;
   initSR(sr, true);
 
-  g_dnssecmode = DNSSECMode::ValidateAll;
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
 
   primeHints();
   const DNSName target("powerdns.com.");
@@ -5157,7 +5166,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_insecure) {
   std::unique_ptr<SyncRes> sr;
   initSR(sr, true);
 
-  g_dnssecmode = DNSSECMode::ValidateAll;
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
 
   primeHints();
   const DNSName target("powerdns.com.");
@@ -5264,7 +5273,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_insecure_skipped_cut) {
   std::unique_ptr<SyncRes> sr;
   initSR(sr, true);
 
-  g_dnssecmode = DNSSECMode::ValidateAll;
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
 
   primeHints();
   const DNSName target("www.sub.powerdns.com.");
@@ -5382,7 +5391,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_insecure_to_ta_skipped_cut) {
   std::unique_ptr<SyncRes> sr;
   initSR(sr, true);
 
-  g_dnssecmode = DNSSECMode::ValidateAll;
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
 
   primeHints();
   const DNSName target("www.sub.powerdns.com.");
@@ -5498,7 +5507,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_insecure_nodata) {
   std::unique_ptr<SyncRes> sr;
   initSR(sr, true);
 
-  g_dnssecmode = DNSSECMode::ValidateAll;
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
 
   primeHints();
   const DNSName target("powerdns.com.");
@@ -5606,7 +5615,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_insecure_cname) {
   std::unique_ptr<SyncRes> sr;
   initSR(sr, true);
 
-  g_dnssecmode = DNSSECMode::ValidateAll;
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
 
   primeHints();
   const DNSName target("powerdns.com.");
@@ -5730,7 +5739,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_insecure_to_secure_cname) {
   std::unique_ptr<SyncRes> sr;
   initSR(sr, true);
 
-  g_dnssecmode = DNSSECMode::ValidateAll;
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
 
   primeHints();
   const DNSName target("power-dns.com.");
@@ -5851,7 +5860,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_bogus_to_secure_cname) {
   std::unique_ptr<SyncRes> sr;
   initSR(sr, true);
 
-  g_dnssecmode = DNSSECMode::ValidateAll;
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
 
   primeHints();
   const DNSName target("power-dns.com.");
@@ -5952,7 +5961,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_bogus_cname) {
   std::unique_ptr<SyncRes> sr;
   initSR(sr, true);
 
-  g_dnssecmode = DNSSECMode::ValidateAll;
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
 
   primeHints();
   const DNSName target("power-dns.com.");
@@ -6053,7 +6062,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_secure_cname) {
   std::unique_ptr<SyncRes> sr;
   initSR(sr, true);
 
-  g_dnssecmode = DNSSECMode::ValidateAll;
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
 
   primeHints();
   const DNSName target("power-dns.com.");
@@ -6154,7 +6163,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_bogus_to_insecure_cname) {
   std::unique_ptr<SyncRes> sr;
   initSR(sr, true);
 
-  g_dnssecmode = DNSSECMode::ValidateAll;
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
 
   primeHints();
   const DNSName target("powerdns.com.");
@@ -6271,7 +6280,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_insecure_ta) {
   std::unique_ptr<SyncRes> sr;
   initSR(sr, true);
 
-  g_dnssecmode = DNSSECMode::ValidateAll;
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
 
   primeHints();
   const DNSName target("powerdns.com.");
@@ -6371,7 +6380,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_insecure_ta_norrsig) {
   std::unique_ptr<SyncRes> sr;
   initSR(sr, true);
 
-  g_dnssecmode = DNSSECMode::ValidateAll;
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
 
   primeHints();
   const DNSName target("powerdns.com.");
@@ -6471,7 +6480,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_nta) {
   std::unique_ptr<SyncRes> sr;
   initSR(sr, true);
 
-  g_dnssecmode = DNSSECMode::ValidateAll;
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
 
   primeHints();
   const DNSName target(".");
@@ -6537,7 +6546,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_no_ta) {
   std::unique_ptr<SyncRes> sr;
   initSR(sr, true);
 
-  g_dnssecmode = DNSSECMode::ValidateAll;
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
 
   primeHints();
   const DNSName target(".");
diff --git a/pdns/secpoll-recursor.cc b/pdns/secpoll-recursor.cc
index 25d14187b..88145d16e 100644
--- a/pdns/secpoll-recursor.cc
+++ b/pdns/secpoll-recursor.cc
@@ -25,8 +25,11 @@ void doSecPoll(time_t* last_secpoll)
   struct timeval now;
   gettimeofday(&now, 0);
   SyncRes sr(now);
-  if (g_dnssecmode != DNSSECMode::Off)
+  if (g_dnssecmode != DNSSECMode::Off) {
     sr.setDoDNSSEC(true);
+    sr.setDNSSECValidationRequested(true);
+  }
+
   vector<DNSRecord> ret;
 
   string version = "recursor-" +pkgv;
diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index 0f608abfb..89975fc8e 100644
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -135,6 +135,14 @@ int SyncRes::beginResolve(const DNSName &qname, const QType &qtype, uint16_t qcl
   set<GetBestNSAnswer> beenthere;
   int res=doResolve(qname, qtype, ret, 0, beenthere, state);
   d_queryValidationState = state;
+
+  if (d_queryValidationState != Indeterminate) {
+    g_stats.dnssecValidations++;
+  }
+  if (d_DNSSECValidationRequested) {
+    increaseDNSSECStateCounter(d_queryValidationState);
+  }
+
   return res;
 }
 
@@ -822,7 +830,7 @@ bool SyncRes::doCNAMECacheCheck(const DNSName &qname, const QType &qtype, vector
     for(auto j=cset.cbegin() ; j != cset.cend() ; ++j) {
       if(j->d_ttl>(unsigned int) d_now.tv_sec) {
 
-        if (validationEnabled() && wasAuth && state == Indeterminate && d_requireAuthData) {
+        if (d_DNSSECValidationRequested && wasAuth && state == Indeterminate && d_requireAuthData) {
           /* This means we couldn't figure out the state when this entry was cached,
              most likely because we hadn't computed the zone cuts yet. */
           /* make sure they are computed before validating */
@@ -978,7 +986,7 @@ bool SyncRes::doCacheCheck(const DNSName &qname, const QType &qtype, vector<DNSR
 
     LOG(prefix<<sqname<<": Found cache hit for "<<sqt.getName()<<": ");
 
-    if (validationEnabled() && sqt != QType::DNSKEY && wasCachedAuth && cachedState == Indeterminate && d_requireAuthData) {
+    if (d_DNSSECValidationRequested && sqt != QType::DNSKEY && wasCachedAuth && cachedState == Indeterminate && d_requireAuthData) {
 
       /* This means we couldn't figure out the state when this entry was cached,
          most likely because we hadn't computed the zone cuts yet. */
@@ -1258,6 +1266,8 @@ uint32_t SyncRes::computeLowestTTD(const std::vector<DNSRecord>& records, const
   for(const auto& record : records)
     lowestTTD = min(lowestTTD, record.d_ttl);
 
+  /* even if it was not requested for that request (Process, and neither AD nor DO set),
+     it might be requested at a later time so we need to be careful with the TTL. */
   if (validationEnabled() && !signatures.empty()) {
     /* if we are validating, we don't want to cache records after their signatures
        expires. */
@@ -1391,7 +1401,7 @@ vState SyncRes::getDSRecords(const DNSName& zone, dsmap_t& ds, bool taOnly, unsi
 
 bool SyncRes::haveExactValidationStatus(const DNSName& domain)
 {
-  if (!validationEnabled()) {
+  if (!d_DNSSECValidationRequested) {
     return false;
   }
   const auto& it = d_cutStates.find(domain);
@@ -1405,7 +1415,7 @@ vState SyncRes::getValidationStatus(const DNSName& subdomain)
 {
   vState result = Indeterminate;
 
-  if (!validationEnabled()) {
+  if (!d_DNSSECValidationRequested) {
     return result;
   }
   DNSName name(subdomain);
@@ -1443,7 +1453,7 @@ void SyncRes::computeZoneCuts(const DNSName& begin, const DNSName& end, unsigned
   LOG(d_prefix<<": setting cut state for "<<end<<" to "<<vStates[cutState]<<endl);
   d_cutStates[end] = cutState;
 
-  if (!validationEnabled()) {
+  if (!d_DNSSECValidationRequested) {
     return;
   }
 
@@ -1807,7 +1817,7 @@ RCode::rcodes_ SyncRes::updateCacheFromRecords(unsigned int depth, LWResult& lwr
     vState recordState = getValidationStatus(auth);
     LOG(d_prefix<<": got initial zone status "<<vStates[recordState]<<" for record "<<i->first.name<<endl);
 
-    if (validationEnabled() && recordState == Secure) {
+    if (d_DNSSECValidationRequested && recordState == Secure) {
       if (isAA) {
         if (i->first.place != DNSResourceRecord::ADDITIONAL) {
           /* the additional entries can be insecure,
@@ -1839,7 +1849,7 @@ RCode::rcodes_ SyncRes::updateCacheFromRecords(unsigned int depth, LWResult& lwr
       updateValidationState(state, recordState);
     }
     else {
-      if (validationEnabled()) {
+      if (d_DNSSECValidationRequested) {
         LOG(d_prefix<<"Skipping validation because the current state is "<<vStates[recordState]<<endl);
       }
     }
@@ -2459,6 +2469,7 @@ int SyncRes::getRootNS(struct timeval now, asyncresolve_t asyncCallback) {
   sr.setDoEDNS0(true);
   sr.setUpdatingRootNS();
   sr.setDoDNSSEC(g_dnssecmode != DNSSECMode::Off);
+  sr.setDNSSECValidationRequested(g_dnssecmode != DNSSECMode::Off && g_dnssecmode != DNSSECMode::ProcessNoValidate);
   sr.setAsyncCallback(asyncCallback);
 
   vector<DNSRecord> ret;
diff --git a/pdns/syncres.hh b/pdns/syncres.hh
index cfe4ccf57..cbbae96c6 100644
--- a/pdns/syncres.hh
+++ b/pdns/syncres.hh
@@ -570,6 +570,16 @@ public:
     d_doDNSSEC=state;
   }
 
+  void setDNSSECValidationRequested(bool requested=true)
+  {
+    d_DNSSECValidationRequested = requested;
+  }
+
+  bool isDNSSECValidationRequested() const
+  {
+    return d_DNSSECValidationRequested;
+  }
+
   void setWantsRPZ(bool state=true)
   {
     d_wantsRPZ=state;
@@ -778,6 +788,7 @@ private:
    */
   bool d_cacheonly;
   bool d_doDNSSEC;
+  bool d_DNSSECValidationRequested{false};
   bool d_doEDNS0{true};
   bool d_incomingECSFound{false};
   bool d_requireAuthData{true};
diff --git a/pdns/validate-recursor.cc b/pdns/validate-recursor.cc
index ea36c83c9..83e383328 100644
--- a/pdns/validate-recursor.cc
+++ b/pdns/validate-recursor.cc
@@ -6,38 +6,6 @@
 DNSSECMode g_dnssecmode{DNSSECMode::ProcessNoValidate};
 bool g_dnssecLogBogus;
 
-extern int getMTaskerTID();
-
-#define LOG(x) if(g_dnssecLOG) { L <<Logger::Warning << x; }
-
-class SRRecordOracle : public DNSRecordOracle
-{
-public:
-  SRRecordOracle(const ResolveContext& ctx): d_ctx(ctx)
-  {
-  }
-  vector<DNSRecord> get(const DNSName& qname, uint16_t qtype) override
-  {
-    struct timeval tv;
-    gettimeofday(&tv, 0);
-    SyncRes sr(tv);
-    sr.setId(getMTaskerTID());
-#ifdef HAVE_PROTOBUF
-    sr.setInitialRequestId(d_ctx.d_initialRequestId);
-#endif
-
-    vector<DNSRecord> ret;
-    sr.setDoDNSSEC(true);
-    if (qtype == QType::DS || qtype == QType::DNSKEY || qtype == QType::NS)
-      sr.setSkipCNAMECheck(true);
-    sr.beginResolve(qname, QType(qtype), 1, ret);
-    d_queries += sr.d_outqueries;
-    return ret;
-  }
-  const ResolveContext& d_ctx;
-  unsigned int d_queries{0};
-};
-
 bool checkDNSSECDisabled() {
   return warnIfDNSSECDisabled("");
 }
@@ -51,127 +19,8 @@ bool warnIfDNSSECDisabled(const string& msg) {
   return false;
 }
 
-static vState increaseDNSSECStateCounter(const vState& state)
+vState increaseDNSSECStateCounter(const vState& state)
 {
   g_stats.dnssecResults[state]++;
   return state;
 }
-
-/*
- * This inline possibly sets currentState based on the new state. It will only
- * set it to Secure iff the newState is Secure and mayUpgradeToSecure == true.
- * This should be set by the calling function when checking more than one record
- * and this is not the first record, this way, we can never go *back* to Secure
- * from an Insecure vState
- */
-static void processNewState(vState& currentState, const vState& newState, bool& hadNTA, const bool& mayUpgradeToSecure)
-{
-  if (mayUpgradeToSecure && newState == Secure)
-    currentState = Secure;
-
-  if (newState == Insecure || newState == NTA) // We can never go back to Secure
-    currentState = Insecure;
-
-  if (newState == NTA)
-    hadNTA = true;
-}
-
-vState validateRecords(const ResolveContext& ctx, const vector<DNSRecord>& recs)
-{
-  if(recs.empty())
-    return Insecure; // can't secure nothing 
-
-  g_stats.dnssecValidations++;
-
-  cspmap_t cspmap=harvestCSPFromRecs(recs);
-  LOG("Got "<<cspmap.size()<<" RRSETs: "<<endl);
-  size_t numsigs=0;
-  for(const auto& csp : cspmap) {
-    LOG("Going to validate: "<<csp.first.first<<"/"<<DNSRecordContent::NumberToType(csp.first.second)<<": "<<csp.second.signatures.size()<<" sigs for "<<csp.second.records.size()<<" records"<<endl);
-    numsigs+= csp.second.signatures.size();
-  }
-   
-  skeyset_t keys;
-  cspmap_t validrrsets;
-
-  SRRecordOracle sro(ctx);
-
-  vState state=Insecure;
-  bool hadNTA = false;
-  if(numsigs) {
-    bool first = true;
-    for(const auto& csp : cspmap) {
-      for(const auto& sig : csp.second.signatures) {
-        vState newState = getKeysFor(sro, sig->d_signer, keys); // XXX check validity here
-
-        if (newState == Bogus) // No hope
-          return increaseDNSSECStateCounter(Bogus);
-
-        processNewState(state, newState, hadNTA, first);
-
-        first = false;
-
-        LOG("! state = "<<vStates[state]<<", now have "<<keys.size()<<" keys"<<endl);
-        for(const auto& k : keys) {
-          LOG("Key: "<<k->getZoneRepresentation()<< " {tag="<<k->getTag()<<"}"<<endl);
-        }
-      }
-    }
-    validateWithKeySet(cspmap, validrrsets, keys);
-  }
-  else {
-    LOG("! no sigs, hoping for Insecure status of "<<recs.begin()->d_name<<endl);
-
-    bool first = true;
-    for(const auto& rec : recs) {
-      vState newState = getKeysFor(sro, rec.d_name, keys);
-
-      if (newState == Bogus) // We're done
-        return increaseDNSSECStateCounter(Bogus);
-
-      processNewState(state, newState, hadNTA, first);
-      first = false;
-
-      LOG("! state = "<<vStates[state]<<", now have "<<keys.size()<<" keys "<<endl);
-
-      if (state != Insecure && state != NTA) {
-        /* we had no sigs, remember? */
-        return increaseDNSSECStateCounter(Bogus);
-      }
-    }
-    return increaseDNSSECStateCounter(state);
-  }
-
-  LOG("Took "<<sro.d_queries<<" queries"<<endl);
-  if(validrrsets.size() == cspmap.size())// shortcut - everything was ok
-    return increaseDNSSECStateCounter(Secure);
-
-  if(state == Insecure || keys.empty()) {
-    if (hadNTA) {
-      increaseDNSSECStateCounter(NTA);
-      return Insecure;
-    }
-    return increaseDNSSECStateCounter(Insecure);
-  }
-
-#if 0
-  cerr<<"! validated "<<validrrsets.size()<<" RRsets out of "<<cspmap.size()<<endl;
-
-  cerr<<"% validated RRs:"<<endl;
-  for(auto i=validrrsets.begin(); i!=validrrsets.end(); i++) {
-        cerr<<"% "<<i->first.first<<"/"<<DNSRecordContent::NumberToType(i->first.second)<<endl;
-    for(auto j=i->second.records.begin(); j!=i->second.records.end(); j++) {
-            cerr<<"\t% > "<<(*j)->getZoneRepresentation()<<endl;
-    }
-  }
-#endif
-  //  cerr<<"Input to validate: "<<endl;
-  for(const auto& csp : cspmap) {
-    LOG(csp.first.first<<"|"<<DNSRecordContent::NumberToType(csp.first.second)<<" with "<<csp.second.signatures.size()<<" signatures"<<endl);
-    if(!csp.second.signatures.empty() && !validrrsets.count(csp.first)) {
-      LOG("Lacks signature, must have one, signatures: "<<csp.second.signatures.size()<<", valid rrsets: "<<validrrsets.count(csp.first)<<endl);
-      return increaseDNSSECStateCounter(Bogus);
-    }
-  }
-  return increaseDNSSECStateCounter(Insecure);
-}
diff --git a/pdns/validate-recursor.hh b/pdns/validate-recursor.hh
index ff261091e..bc589ba1f 100644
--- a/pdns/validate-recursor.hh
+++ b/pdns/validate-recursor.hh
@@ -20,13 +20,9 @@
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 #pragma once
-#include "dnsparser.hh"
 #include "namespaces.hh"
 #include "validate.hh"
 #include "logger.hh"
-#include "resolve-context.hh"
-
-vState validateRecords(const ResolveContext& ctx, const vector<DNSRecord>& recs);
 
 /* Off: 3.x behaviour, we do no DNSSEC, no EDNS
    ProcessNoValidate: we gather DNSSEC records on all queries, but we will never validate
@@ -41,3 +37,4 @@ extern bool g_dnssecLogBogus;
 
 bool checkDNSSECDisabled();
 bool warnIfDNSSECDisabled(const string& msg);
+vState increaseDNSSECStateCounter(const vState& state);