aboutsummaryrefslogtreecommitdiffstats
path: root/contrib/bind9/lib/dns/resolver.c
diff options
context:
space:
mode:
Diffstat (limited to 'contrib/bind9/lib/dns/resolver.c')
-rw-r--r--contrib/bind9/lib/dns/resolver.c31
1 files changed, 27 insertions, 4 deletions
diff --git a/contrib/bind9/lib/dns/resolver.c b/contrib/bind9/lib/dns/resolver.c
index dc648c9c3673..db1a69876213 100644
--- a/contrib/bind9/lib/dns/resolver.c
+++ b/contrib/bind9/lib/dns/resolver.c
@@ -3887,6 +3887,7 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
* for it, unless it is glue.
*/
if (secure_domain && rdataset->trust != dns_trust_glue) {
+ dns_trust_t trust;
/*
* RRSIGs are validated as part of validating the
* type they cover.
@@ -3923,12 +3924,34 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
}
/*
+ * Reject out of bailiwick additional records
+ * without RRSIGs as they can't possibly validate
+ * as "secure" and as we will never never want to
+ * store these as "answers" after validation.
+ */
+ if (rdataset->trust == dns_trust_additional &&
+ sigrdataset == NULL && EXTERNAL(rdataset))
+ continue;
+
+ /*
+ * XXXMPA: If we store as "answer" after validating
+ * then we need to do bailiwick processing and
+ * also need to track whether RRsets are in or
+ * out of bailiwick. This will require a another
+ * pending trust level.
+ *
* Cache this rdataset/sigrdataset pair as
- * pending data.
+ * pending data. Track whether it was additional
+ * or not.
*/
- rdataset->trust = dns_trust_pending;
+ if (rdataset->trust == dns_trust_additional)
+ trust = dns_trust_pending_additional;
+ else
+ trust = dns_trust_pending_answer;
+
+ rdataset->trust = trust;
if (sigrdataset != NULL)
- sigrdataset->trust = dns_trust_pending;
+ sigrdataset->trust = trust;
if (!need_validation)
addedrdataset = ardataset;
else
@@ -4276,7 +4299,7 @@ ncache_message(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
for (trdataset = ISC_LIST_HEAD(tname->list);
trdataset != NULL;
trdataset = ISC_LIST_NEXT(trdataset, link))
- trdataset->trust = dns_trust_pending;
+ trdataset->trust = dns_trust_pending_answer;
result = dns_message_nextname(fctx->rmessage,
DNS_SECTION_AUTHORITY);
}