From 15bfa0b56b6a70920bce660c316b3dd717ca35c9 Mon Sep 17 00:00:00 2001
From: Pieter Lexis
Date: Fri, 15 Jul 2016 00:23:15 +0200
Subject: [PATCH] Don't go bogus on CNAMEs to islands of security

Closes #4181

Incidentally, this commit also ensures that we no longer 'jojo' between Secure and Insecure states. Once we have an Insecure, we can only go Bogus but not Secure.
---
 pdns/validate-recursor.cc | 34 +++++++++++++++++++++++-----------
 1 file changed, 23 insertions(+), 11 deletions(-)

diff --git a/pdns/validate-recursor.cc b/pdns/validate-recursor.cc
index add348c28..49ce11552 100644
--- a/pdns/validate-recursor.cc
+++ b/pdns/validate-recursor.cc
@@ -53,24 +53,32 @@ vState validateRecords(const vector& recs)
 SRRecordOracle sro;
 vState state=Insecure;
+ bool hadNTA = false;
 if(numsigs) {
+ bool first = true;
 for(const auto& csp : cspmap) {
 for(const auto& sig : csp.second.signatures) {
- state = getKeysFor(sro, sig->d_signer, keys); // XXX check validity here
- if(state == NTA) {
- increaseDNSSECStateCounter(state);
- return Insecure;
- }
+ vState newState = getKeysFor(sro, sig->d_signer, keys); // XXX check validity here
+
+ if (newState == Bogus) // No hope
+ return increaseDNSSECStateCounter(Bogus);
+
+ if (first && newState == Secure)
+ state = Secure;
+ first = false;
+
+ if (newState == Insecure || newState == NTA) // We can never go back to Secure
+ state = Insecure;
+
+ if (newState == NTA)
+ hadNTA = true;
+
 LOG("! state = "<& recs)
 if(validrrsets.size() == cspmap.size())// shortcut - everything was ok
 return increaseDNSSECStateCounter(Secure);
- if(keys.empty())
+ if(state == Insecure || keys.empty()) {
+ if (hadNTA) {
+ increaseDNSSECStateCounter(NTA);
+ return Insecure;
+ }
 return increaseDNSSECStateCounter(Insecure);
+ }
 #if 0
 cerr<<"! validated "<& recs)
 return increaseDNSSECStateCounter(Bogus);
 }
 }
-
 return increaseDNSSECStateCounter(Insecure);
 }
-- 
2.40.0
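Review bot: The `newState == Insecure || newState == NTA` branch lets a single RRSIG decide the outcome for the whole answer, and the signer it keys off (`sig->d_signer`) comes from the response itself; unless something before this loop already checks that each signer is the apex of the zone containing the RRset it covers (RFC 4035 §5.3.1, not visible in this hunk), one signature naming an unsigned zone could pull an otherwise Secure answer down to Insecure rather than Bogus. If that check lives in the caller, make the dependency explicit with a comment on that line such as `// d_signer was already verified against the RRset owner by the caller`; if it does not, the signer/owner relationship should be evaluated before taking the Insecure path. The `first` flag only matters for the first signature, so `state` effectively ends Secure iff every signer resolved Secure — worth stating in a comment, e.g. `// Secure only if every signer is Secure; any Insecure/NTA pins the answer to Insecure`. The `// XXX check validity here` carried over from the removed line still applies: the key state is consumed before the signature's own validity is checked. validateRecords starts before this hunk and continues past it.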