Index: validator/validator.c =================================================================== --- validator/validator.c (revision 1656) +++ validator/validator.c (revision 1657) @@ -251,9 +251,8 @@ /** * Check to see if a given response needs to go through the validation * process. Typical reasons for this routine to return false are: CD bit was - * on in the original request, the response was already validated, or the - * response is a kind of message that is unvalidatable (i.e., SERVFAIL, - * REFUSED, etc.) + * on in the original request, or the response is a kind of message that + * is unvalidatable (i.e., SERVFAIL, REFUSED, etc.) * * @param qstate: query state. * @param ret_rc: rcode for this message (if noerror - examine ret_msg). @@ -292,14 +291,25 @@ verbose(VERB_ALGO, "cannot validate RRSIG, no sigs on sigs."); return 0; } + return 1; +} +/** + * Check to see if the response has already been validated. + * @param ret_msg: return msg, can be NULL + * @return true if the response has already been validated + */ +static int +already_validated(struct dns_msg* ret_msg) +{ /* validate unchecked, and re-validate bogus messages */ if (ret_msg && ret_msg->rep->security > sec_status_bogus) { - verbose(VERB_ALGO, "response has already been validated"); - return 0; + verbose(VERB_ALGO, "response has already been validated: %s", + sec_status_to_string(ret_msg->rep->security)); + return 1; } - return 1; + return 0; } /** @@ -1937,6 +1947,10 @@ qstate->ext_state[id] = module_finished; return; } + if(already_validated(qstate->return_msg)) { + qstate->ext_state[id] = module_finished; + return; + } /* create state to start validation */ qstate->ext_state[id] = module_error; /* override this */ if(!vq) { 
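Review bot: The test `ret_msg->rep->security > sec_status_bogus` in `already_validated()` ties the skip-validation decision to the declaration order of the security-status enum, and the new call site in the `-1937` hunk finishes the module on that result with no further check. Every status that sorts above bogus counts as validated, so a value later added to the enum in that range would silently bypass the validator. I would either compare against the accepted states explicitly or add a comment such as `/* relies on enum order: unchecked and bogus sort below every validated status */`. The function also reads `ret_msg->rep` after testing only `ret_msg`; if a message can arrive here without a reply attached (not visible in this hunk), the guard should start `if (ret_msg && ret_msg->rep && ...`.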
@@ -2397,7 +2411,8 @@
 }
 if(msg->rep->security != sec_status_secure) {
 vq->dlv_status = dlv_error;
- verbose(VERB_ALGO, "response is not secure");
+ verbose(VERB_ALGO, "response is not secure, %s",
+ sec_status_to_string(msg->rep->security));
 return;
 }
 /* was the lookup a success? validated DLV? */
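Review bot: The two log lines this commit changes put different separators before the status string: `"response has already been validated: %s"` in `already_validated()` and `"response is not secure, %s"` here. Using the same form in both, e.g. `"response is not secure: %s"`, keeps the validator's VERB_ALGO output uniform for anyone filtering logs on the security status. The enclosing function starts and ends outside this hunk.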