diff --git a/src/dnssec.c b/src/dnssec.c
index 8342c9a9..7deb0cb2 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -1251,15 +1251,29 @@ static void chain_validate_dnssec(chain_head *chain, rrset_iter *tas)
 {
 	chain_head *head;
 
+	/* The netreq status is the worst for any head */
 	for (head = chain; head; head = head->next) {
 		switch (chain_head_validate(head, tas)) {
-		case GETDNS_DNSSEC_SECURE: if (!head->netreq->bogus)
-			head->netreq->secure = 1;
-			break;
-		case GETDNS_DNSSEC_BOGUS : head->netreq->bogus = 1;
-			head->netreq->secure = 0;
-			break;
-		default : break;
+
+		case GETDNS_DNSSEC_SECURE:
+			if (head->netreq->dnssec_status ==
+			    GETDNS_DNSSEC_INDETERMINATE)
+				head->netreq->dnssec_status =
+				    GETDNS_DNSSEC_SECURE;
+			break;
+
+		case GETDNS_DNSSEC_INSECURE:
+			if (head->netreq->dnssec_status != GETDNS_DNSSEC_BOGUS)
+				head->netreq->dnssec_status =
+				    GETDNS_DNSSEC_INSECURE;
+			break;
+
+		case GETDNS_DNSSEC_BOGUS :
+			head->netreq->dnssec_status = GETDNS_DNSSEC_BOGUS;
+			break;
+
+		default:
+			break;
 		}
 	}
 }
diff --git a/src/request-internal.c b/src/request-internal.c
index 2a72b6c2..60e9c67e 100644
--- a/src/request-internal.c
+++ b/src/request-internal.c
@@ -96,8 +96,7 @@ network_req_init(getdns_network_req *net_req, getdns_dns_req *owner,
 	net_req->state = NET_REQ_NOT_SENT;
 	net_req->owner = owner;
 
-	net_req->secure = 0;
-	net_req->bogus = 0;
+	net_req->dnssec_status = GETDNS_DNSSEC_INDETERMINATE;
 
 	net_req->upstream = NULL;
 	net_req->fd = -1;
diff --git a/src/stub.c b/src/stub.c
index 48fc0bd9..eee4de9a 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -1220,10 +1220,6 @@ upstream_read_cb(void *userarg)
 	upstream->tcp.read_buf = NULL;
 	upstream->upstreams->current = 0;
 
-	/* TODO: DNSSEC */
-	netreq->secure = 0;
-	netreq->bogus = 0;
-
 	stub_cleanup(netreq);
 
 	/* More to read/write for syncronous lookups? */
diff --git a/src/types-internal.h b/src/types-internal.h
index 4c65c576..303718dc 100644
--- a/src/types-internal.h
+++ b/src/types-internal.h
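Review bot: The new comment `/* The netreq status is the worst for any head */` states the intent but not the ordering the three case arms actually implement, and the `default:` arm silently keeps the current value for GETDNS_DNSSEC_INDETERMINATE and any other return of chain_head_validate. I would extend it to `/* Merge per-head results into the netreq, worst wins: BOGUS overrides everything, INSECURE overrides SECURE and INDETERMINATE, SECURE only replaces INDETERMINATE; any other result leaves the status as is. */` so a reader sees that one bogus head pins the netreq to BOGUS and nothing in this loop can lift it again. As a style point, `case GETDNS_DNSSEC_BOGUS :` keeps the old space before the colon while the two new labels do not; `case GETDNS_DNSSEC_BOGUS:` keeps the three consistent.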
@@ -196,9 +196,8 @@ typedef struct getdns_network_req
 	/* request class */
 	uint16_t request_class;
 
-	/* result */
-	int secure;
-	int bogus;
+	/* dnssec status */
+	int dnssec_status;
 
 	/* For stub resolving */
 	struct getdns_upstream *upstream;
diff --git a/src/util-internal.c b/src/util-internal.c
index 0273aea1..9a675d2a 100644
--- a/src/util-internal.c
+++ b/src/util-internal.c
@@ -734,21 +734,22 @@ create_getdns_response(getdns_dns_req *completed_request)
 			continue;
 
 		nreplies++;
-		if (netreq->secure)
+		if (netreq->dnssec_status == GETDNS_DNSSEC_SECURE)
 			nsecure++;
-		else if (! netreq->bogus)
+		else if (! netreq->dnssec_status != GETDNS_DNSSEC_BOGUS)
 			ninsecure++;
-		if (dnssec_return_status && netreq->bogus)
+
+		if (dnssec_return_status &&
+		    netreq->dnssec_status == GETDNS_DNSSEC_BOGUS)
 			nbogus++;
-		else if (GLDNS_RCODE_NOERROR ==
-		    GLDNS_RCODE_WIRE(netreq->response))
-			nanswers++;
+
 
 		if (! completed_request->dnssec_return_validation_chain) {
-			if (dnssec_return_status && netreq->bogus)
+			if (dnssec_return_status &&
+			    netreq->dnssec_status == GETDNS_DNSSEC_BOGUS)
 				continue;
 			else if (completed_request->dnssec_return_only_secure
-			    && ! netreq->secure)
+			    && netreq->dnssec_status != GETDNS_DNSSEC_SECURE)
 				continue;
 		}
 		if (!(reply = priv_getdns_create_reply_dict(context,
@@ -763,15 +764,18 @@ create_getdns_response(getdns_dns_req *completed_request)
 			    result, "canonical_name", canonical_name))
 				goto error;
 		}
 
+		/* TODO: Check instead if canonical_name for request_type
+		 * is in the answer section.
+		 */
+		if (GLDNS_RCODE_NOERROR ==
+		    GLDNS_RCODE_WIRE(netreq->response))
+			nanswers++;
+
 		if (dnssec_return_status ||
 		    completed_request->dnssec_return_validation_chain) {
 			if (getdns_dict_set_int(reply, "dnssec_status",
-			    ( netreq->secure ? GETDNS_DNSSEC_SECURE
-			    : netreq->bogus ? GETDNS_DNSSEC_BOGUS
-			    : rrsigs_in_answer &&
-			      context->has_ta ? GETDNS_DNSSEC_INDETERMINATE
-			    : GETDNS_DNSSEC_INSECURE )))
+			    netreq->dnssec_status))
 				goto error;
 		}
 
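Review bot: The comment on the new field, `/* dnssec status */`, only restates its name, and since it replaces two booleans with a coded value the header is where the contract belongs. I would write `/* DNSSEC validation status of this request: one of the GETDNS_DNSSEC_* values (set to INDETERMINATE by network_req_init until a result is known) */`, so readers of the struct know which constants may appear here without chasing the writers in dnssec.c and util-internal.c. The enclosing typedef continues outside the hunk.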
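Review bot: `else if (! netreq->dnssec_status != GETDNS_DNSSEC_BOGUS)` does not test what it reads as: `!` binds tighter than `!=`, so the left operand is `!netreq->dnssec_status`, which is 0 or 1, and the comparison against the GETDNS_DNSSEC_BOGUS constant is true whenever that constant is neither 0 nor 1. Every reply that is not SECURE, bogus ones included, is then counted in ninsecure, which skews whatever create_getdns_response later derives from nsecure/ninsecure/nbogus (that part of the function is outside the hunk). The `!` is a leftover of the removed `! netreq->bogus`; the line should read `else if (netreq->dnssec_status != GETDNS_DNSSEC_BOGUS)`. With that fix INDETERMINATE replies still count as insecure, matching the old test; if that is not wanted, compare for `== GETDNS_DNSSEC_INSECURE` instead and say so in a comment.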
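Review bot: `getdns_dict_set_int(reply, "dnssec_status", netreq->dnssec_status)` drops the fallback the removed expression had for a reply without a trust anchor (`context->has_ta` false used to yield GETDNS_DNSSEC_INSECURE); with the initial value from network_req_init and the `has_ta` guard in getdns_apply_network_result, such a reply now appears to be reported as INDETERMINATE instead. If that is the intended meaning, add a comment at the call such as `/* dnssec_status is INDETERMINATE when no trust anchor was available to validate */`; if not, the fallback has to be reinstated here. This hunk also removes the only visible reader of `rrsigs_in_answer`; if nothing else in create_getdns_response uses it, it is now a dead local that the compiler will warn about. Moving the `nanswers++` below the dnssec `continue` filters of the previous hunk means filtered-out replies no longer count as answers, which looks deliberate but deserves a word in the new TODO comment.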
@@ -861,8 +865,12 @@ getdns_apply_network_result(getdns_network_req* netreq,
 {
 	size_t dname_len;
 
-	netreq->secure = ub_res->secure;
-	netreq->bogus = ub_res->bogus;
+	if (ub_res->bogus)
+		netreq->dnssec_status = GETDNS_DNSSEC_BOGUS;
+	else if (ub_res->secure)
+		netreq->dnssec_status = GETDNS_DNSSEC_SECURE;
+	else if (netreq->owner->context->has_ta)
+		netreq->dnssec_status = GETDNS_DNSSEC_INSECURE;
 
 	if (ub_res == NULL) /* Timeout */
 		return GETDNS_RETURN_GOOD;
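Review bot: `if (ub_res->bogus)` dereferences ub_res before the `if (ub_res == NULL) /* Timeout */` check that follows it, so the guard can never take effect and a timeout that really hands in a NULL ub_res is a NULL dereference. The removed lines had the same ordering, but the commit rewrites exactly these lines, so the timeout check should move above the new chain: `if (ub_res == NULL) /* Timeout */ return GETDNS_RETURN_GOOD;` first, then the bogus/secure/has_ta tests; a timed-out request then simply keeps the status network_req_init gave it. The silent last case, neither bogus nor secure and no trust anchor, also deserves a comment such as `/* no trust anchor: nothing could be validated, leave the status as initialised */`. getdns_apply_network_result continues outside the hunk.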