From 7841de08af11fa4ee48628ecbfdf4de38c8ae606 Mon Sep 17 00:00:00 2001
From: Evan Hunt
Date: Thu, 27 Feb 2025 17:10:21 -0800
Subject: [PATCH] add functions to match rdataset types
- dns_rdataset_issigtype() returns true if the rdataset is of type RRSIG and covers a specified type
- dns_rdataset_matchestype() returns true if the rdataset is of the specified type *or* the RRSIG covering it.
---
 lib/dns/include/dns/rdataset.h | 27 ++++++++++++++++++++++++
 lib/dns/resolver.c | 38 ++++++++++++++--------------------
 2 files changed, 42 insertions(+), 23 deletions(-)
diff --git a/lib/dns/include/dns/rdataset.h b/lib/dns/include/dns/rdataset.h
index 7bf6170586..5934d9b0ac 100644
--- a/lib/dns/include/dns/rdataset.h
+++ b/lib/dns/include/dns/rdataset.h
@@ -673,3 +673,30 @@ dns_rdataset_equals(const dns_rdataset_t *rdataset1,
 * \li 'rdataset1' is a valid rdataset.
 * \li 'rdataset2' is a valid rdataset.
 */
+
+/*%
+ * Returns true if the rdataset is of type 'type', or type RRSIG
+ * and covers 'type'.
+ */
+static inline bool
+dns_rdataset_matchestype(const dns_rdataset_t *rdataset,
+ const dns_rdatatype_t type) {
+ REQUIRE(DNS_RDATASET_VALID(rdataset));
+
+ return rdataset->type == type ||
+ (rdataset->type == dns_rdatatype_rrsig &&
+ rdataset->covers == type);
+}
+
+/*%
+ * Returns true if the rdataset is of type 'type', or type RRSIG
+ * and covers 'type'.
+ */
+static inline bool
+dns_rdataset_issigtype(const dns_rdataset_t *rdataset,
+ const dns_rdatatype_t type) {
+ REQUIRE(DNS_RDATASET_VALID(rdataset));
+
+ return rdataset->type == dns_rdatatype_rrsig &&
+ rdataset->covers == type;
+}
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index cdd15f1dc0..d2497ba373 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
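Review bot: The doc comment above dns_rdataset_issigtype() in lib/dns/include/dns/rdataset.h is a verbatim copy of the one for dns_rdataset_matchestype() and describes the wrong predicate: the function returns true only for an RRSIG rdataset whose `covers` equals 'type', never for a plain rdataset of 'type'. The two helpers differ only in that case and resolver.c uses them to pair rdatasets with their signatures, so the comment should read `* Returns true if the rdataset is of type RRSIG and covers 'type'.`. It would also help to state in both comments that 'rdataset' must be a valid rdataset, because the `REQUIRE()` aborts on NULL or uninitialized input rather than returning false.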
@@ -5473,13 +5473,14 @@ answer_response:
 }
 ISC_LIST_FOREACH (name->list, s, link) {
- if (s->type == dns_rdatatype_rrsig &&
- s->covers == rdataset->type)
+ if (dns_rdataset_issigtype(sigrdataset,
+ rdataset->type))
 {
 sigrdataset = s;
 break;
 }
 }
+
 if (sigrdataset == NULL || sigrdataset->trust != dns_trust_secure) {
@@ -5674,7 +5675,7 @@ findnoqname(fetchctx_t *fctx, dns_message_t *message, dns_name_t *name,
 * Find the SIG for this rdataset, if we have it.
 */
 ISC_LIST_FOREACH (name->list, sig, link) {
- if (sig->type == dns_rdatatype_rrsig && sig->covers == type) {
+ if (dns_rdataset_issigtype(sig, type)) {
 sigrdataset = sig;
 break;
 }
@@ -5751,9 +5752,7 @@ findnoqname(fetchctx_t *fctx, dns_message_t *message, dns_name_t *name,
 if (noqname != NULL) {
 ISC_LIST_FOREACH (noqname->list, sig, link) {
- if (sig->type == dns_rdatatype_rrsig &&
- sig->covers == found)
- {
+ if (dns_rdataset_issigtype(sig, found)) {
 *noqnamep = noqname;
 break;
 }
@@ -5896,9 +5895,7 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_message_t *message,
 * Find the RRSIG for this rdataset, if we have it.
 */
 ISC_LIST_FOREACH (name->list, sig, link) {
- if (sig->type == dns_rdatatype_rrsig &&
- sig->covers == rdataset->type)
- {
+ if (dns_rdataset_issigtype(sig, rdataset->type)) {
 sigrdataset = sig;
 break;
 }
@@ -5927,14 +5924,13 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_message_t *message,
 continue;
 }
+ /*
+ * Ignore unrelated non-answer rdatasets that are
+ * missing signatures.
+ */
 if (sigrdataset == NULL && need_validation && !ANSWER(rdataset)) {
- /*
- * Ignore unrelated non-answer
- * rdatasets that are missing
- * signatures.
- */
 continue;
 }
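Review bot: In the answer_response hunk (@@ -5473) the new condition tests `sigrdataset` instead of the loop variable `s`, so the loop no longer inspects the list entries it iterates over. The removed lines compared `s->type` and `s->covers`; the `sigrdataset == NULL` test right after the loop suggests sigrdataset is still NULL while the loop runs (its initialization is outside the hunk), in which case the helper's `REQUIRE(DNS_RDATASET_VALID(rdataset))` fails and the process aborts on an assertion while handling a response, which is an availability problem for the resolver. The call should be `if (dns_rdataset_issigtype(s, rdataset->type))`. The other conversions on this line (findnoqname, cache_name) pass the loop variable `sig` as expected.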
@@ -6124,9 +6120,8 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_message_t *message,
 }
 }
 if (rdataset->trust == dns_trust_glue &&
- (rdataset->type == dns_rdatatype_ns ||
- (rdataset->type == dns_rdatatype_rrsig &&
- rdataset->covers == dns_rdatatype_ns)))
+ dns_rdataset_matchestype(rdataset,
+ dns_rdatatype_ns))
 {
 /*
 * If the trust level is
@@ -8474,9 +8469,7 @@ rctx_answer_match(respctx_t *rctx) {
 return ISC_R_COMPLETE;
 }
- if (sigrdataset->type != dns_rdatatype_rrsig ||
- sigrdataset->covers != rctx->type)
- {
+ if (!dns_rdataset_issigtype(sigrdataset, rctx->type)) {
 continue;
 }
@@ -8622,9 +8615,8 @@ rctx_authority_positive(respctx_t *rctx) {
 * nothing else.
 */
 ISC_LIST_FOREACH (name->list, rdataset, link) {
- if (rdataset->type == dns_rdatatype_ns ||
- (rdataset->type == dns_rdatatype_rrsig &&
- rdataset->covers == dns_rdatatype_ns))
+ if (dns_rdataset_matchestype(rdataset,
+ dns_rdatatype_ns))
 {
 name->attributes.cache = true;
 rdataset->attributes.cache = true;