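--- a/validator/validator.c
+++ b/validator/validator.c
@@ -251,9 +251,8 @@
 /**
 * Check to see if a given response needs to go through the validation
 * process. Typical reasons for this routine to return false are: CD bit was
- * on in the original request, the response was already validated, or the
- * response is a kind of message that is unvalidatable (i.e., SERVFAIL,
- * REFUSED, etc.)
+ * on in the original request, or the response is a kind of message that
+ * is unvalidatable (i.e., SERVFAIL, REFUSED, etc.)
 *
 * @param qstate: query state.
 * @param ret_rc: rcode for this message (if noerror - examine ret_msg).
@@ -292,14 +291,25 @@
 verbose(VERB_ALGO, "cannot validate RRSIG, no sigs on sigs.");
 return 0;
 }
+ return 1;
+}
 
+/**
+ * Check to see if the response has already been validated.
+ * @param ret_msg: return msg, can be NULL
+ * @return true if the response has already been validated
+ */
+static int
+already_validated(struct dns_msg* ret_msg)
+{
 /* validate unchecked, and re-validate bogus messages */
 if (ret_msg && ret_msg->rep->security > sec_status_bogus)
 {
- verbose(VERB_ALGO, "response has already been validated");
- return 0;
+ verbose(VERB_ALGO, "response has already been validated: %s",
+ sec_status_to_string(ret_msg->rep->security));
+ return 1;
 }
- return 1;
+ return 0;
 }
 
 /**
@@ -1937,6 +1947,10 @@
 qstate->ext_state[id] = module_finished;
 return;
 }
+ if(already_validated(qstate->return_msg)) {
+ qstate->ext_state[id] = module_finished;
+ return;
+ }
 /* create state to start validation */
 qstate->ext_state[id] = module_error; /* override this */
 if(!vq) {
@@ -2397,7 +2411,8 @@
 }
 if(msg->rep->security != sec_status_secure) {
 vq->dlv_status = dlv_error;
- verbose(VERB_ALGO, "response is not secure");
+ verbose(VERB_ALGO, "response is not secure, %s",
+ sec_status_to_string(msg->rep->security));
 return;
 }
 /* was the lookup a success? validated DLV? */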
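Review bot: In `already_validated`, the test `ret_msg->rep->security > sec_status_bogus` relies on the declaration order of the security-status enum, and the hunk at new line 1947 uses its result to skip validation entirely, so every status that sorts above bogus is accepted as-is. The enum is not visible in this diff, so which values that covers cannot be confirmed here; if any of them is weaker than a completed validation, the early return would pass that answer through unchecked. I would state the dependency next to the comparison, e.g. `/* relies on enum order: every status above sec_status_bogus counts as validated */`. The docstring says `ret_msg` can be NULL but should also note that `ret_msg->rep` is assumed non-NULL whenever `ret_msg` is set, since it is dereferenced without a check. The function containing the new call starts and ends outside the hunk.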