41fa06700a
- Added unbound-python sub package. disabled for now
- Patch from svn to fix DLV lookups
- Patches from svn to detect wrong truncated response from BIND 9.6.1 with
minimal-responses
- Added Default-Start and Default-Stop to unbound.init
- Re-enabled --enable-sha2
- Re-enabled glob.patch
67 lines
2.1 KiB
Diff
67 lines
2.1 KiB
Diff
Index: validator/validator.c
|
|
===================================================================
|
|
--- validator/validator.c (revision 1656)
|
|
+++ validator/validator.c (revision 1657)
|
|
@@ -251,9 +251,8 @@
|
|
/**
|
|
* Check to see if a given response needs to go through the validation
|
|
* process. Typical reasons for this routine to return false are: CD bit was
|
|
- * on in the original request, the response was already validated, or the
|
|
- * response is a kind of message that is unvalidatable (i.e., SERVFAIL,
|
|
- * REFUSED, etc.)
|
|
+ * on in the original request, or the response is a kind of message that
|
|
+ * is unvalidatable (i.e., SERVFAIL, REFUSED, etc.)
|
|
*
|
|
* @param qstate: query state.
|
|
* @param ret_rc: rcode for this message (if noerror - examine ret_msg).
|
|
@@ -292,14 +291,25 @@
|
|
verbose(VERB_ALGO, "cannot validate RRSIG, no sigs on sigs.");
|
|
return 0;
|
|
}
|
|
+ return 1;
|
|
+}
|
|
|
|
+/**
|
|
+ * Check to see if the response has already been validated.
|
|
+ * @param ret_msg: return msg, can be NULL
|
|
+ * @return true if the response has already been validated
|
|
+ */
|
|
+static int
|
|
+already_validated(struct dns_msg* ret_msg)
|
|
+{
|
|
/* validate unchecked, and re-validate bogus messages */
|
|
if (ret_msg && ret_msg->rep->security > sec_status_bogus)
|
|
{
|
|
- verbose(VERB_ALGO, "response has already been validated");
|
|
- return 0;
|
|
+ verbose(VERB_ALGO, "response has already been validated: %s",
|
|
+ sec_status_to_string(ret_msg->rep->security));
|
|
+ return 1;
|
|
}
|
|
- return 1;
|
|
+ return 0;
|
|
}
|
|
|
|
/**
|
|
@@ -1937,6 +1947,10 @@
|
|
qstate->ext_state[id] = module_finished;
|
|
return;
|
|
}
|
|
+ if(already_validated(qstate->return_msg)) {
|
|
+ qstate->ext_state[id] = module_finished;
|
|
+ return;
|
|
+ }
|
|
/* create state to start validation */
|
|
qstate->ext_state[id] = module_error; /* override this */
|
|
if(!vq) {
|
|
@@ -2397,7 +2411,8 @@
|
|
}
|
|
if(msg->rep->security != sec_status_secure) {
|
|
vq->dlv_status = dlv_error;
|
|
- verbose(VERB_ALGO, "response is not secure");
|
|
+ verbose(VERB_ALGO, "response is not secure, %s",
|
|
+ sec_status_to_string(msg->rep->security));
|
|
return;
|
|
}
|
|
/* was the lookup a success? validated DLV? */
|