author | menakite <29005531+menakite@users.noreply.github.com> | 2024-08-07 16:14:09 +0200 |
---|---|---|
committer | Vladimír Čunát <vladimir.cunat@nic.cz> | 2024-08-13 13:41:48 +0200 |
commit | 4fe0099eaad6aaa531df9df38957292165e11d7d (patch) | |
tree | b6c188d020abaca9c82fe85dcd19d3910a2c9e5b /lib | |
parent | Merge !1589: iterator: fix handling of ANY queries and != IN classes. (diff) | |
{daemon,lib}: sync EDE codes supported by libknot.
Adds the following extended error codes:
* 25 (Signature Expired before Valid): KNOT_EDNS_EDE_EXPIRED_INV
* 26 (Too Early): KNOT_EDNS_EDE_TOO_EARLY
* 27 (Unsupported NSEC3 Iterations Value): KNOT_EDNS_EDE_NSEC3_ITERS
* 28 (Unable to conform to policy): KNOT_EDNS_EDE_NONCONF_POLICY
* 29 (Synthesized): KNOT_EDNS_EDE_SYNTHESIZED
Diffstat (limited to 'lib')
-rw-r--r-- | lib/layer/validate.c | 2 | ||||
-rw-r--r-- | lib/resolve.c | 6 |
2 files changed, 7 insertions, 1 deletions
diff --git a/lib/layer/validate.c b/lib/layer/validate.c
index af20b2e4..75d68eb3 100644
--- a/lib/layer/validate.c
+++ b/lib/layer/validate.c
@@ -1137,7 +1137,7 @@ static int validate(kr_layer_t *ctx, knot_pkt_t *pkt)
 count += (knot_pkt_rr(sec, i)->type == KNOT_RRTYPE_NSEC3);
 if (count > 8) {
 VERBOSE_MSG(qry, "<= too many NSEC3 records in AUTHORITY (%d)\n", count);
- kr_request_set_extended_error(req, 27/*KNOT_EDNS_EDE_NSEC3_ITERS*/,
+ kr_request_set_extended_error(req, KNOT_EDNS_EDE_NSEC3_ITERS,
 /* It's not about iteration values per se, but close enough. */
 "DYRH: too many NSEC3 records");
 qry->flags.DNSSEC_BOGUS = true;
diff --git a/lib/resolve.c b/lib/resolve.c
index 4730f105..4b4827f2 100644
--- a/lib/resolve.c
+++ b/lib/resolve.c
@@ -972,12 +972,15 @@ knot_mm_t *kr_resolve_pool(struct kr_request *request)
 static int ede_priority(int info_code)
 {
 switch(info_code) {
+ case KNOT_EDNS_EDE_TOO_EARLY:
+ return 910;
 case KNOT_EDNS_EDE_DNSKEY_BIT:
 case KNOT_EDNS_EDE_DNSKEY_MISS:
 case KNOT_EDNS_EDE_SIG_EXPIRED:
 case KNOT_EDNS_EDE_SIG_NOTYET:
 case KNOT_EDNS_EDE_RRSIG_MISS:
 case KNOT_EDNS_EDE_NSEC_MISS:
+ case KNOT_EDNS_EDE_EXPIRED_INV:
 return 900; /* Specific DNSSEC failures */
 case KNOT_EDNS_EDE_BOGUS:
 return 800; /* Generic DNSSEC failure */
@@ -990,6 +993,7 @@ static int ede_priority(int info_code)
 return 600; /* Policy related */
 case KNOT_EDNS_EDE_DNSKEY_ALG:
 case KNOT_EDNS_EDE_DS_DIGEST:
+ case KNOT_EDNS_EDE_NSEC3_ITERS:
 return 500; /* Non-critical DNSSEC issues */
 case KNOT_EDNS_EDE_STALE:
 case KNOT_EDNS_EDE_STALE_NXD:
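Review bot: `return 910;` for KNOT_EDNS_EDE_TOO_EARLY in the first lib/resolve.c hunk is the only return in ede_priority() without a trailing comment, and it creates a new top tier above the 900 "Specific DNSSEC failures" group without saying why. This ranking decides which extended error is kept for the request, so the reason a non-DNSSEC code outranks every validation failure should be written next to it. If the intent is that a request rejected as early data was never processed at all, something like `return 910; /* Request not processed (early data); outranks DNSSEC failures */` would do. The body of ede_priority() continues past the end of this hunk.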
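Review bot: KNOT_EDNS_EDE_NSEC3_ITERS is ranked at 500 ("Non-critical DNSSEC issues") in the `@@ -990,6 +993,7 @@` hunk, yet the lib/layer/validate.c hunk of this same commit sets that code on a path that also sets `qry->flags.DNSSEC_BOGUS = true`. If kr_request_set_extended_error() keeps the higher-priority code (its body is not shown here), a generic KNOT_EDNS_EDE_BOGUS at 800 would replace the more specific "too many NSEC3 records" text for that bogus answer, which makes the rejection harder to diagnose from the client side. Either confirm that this is acceptable or document the dual use at the case, e.g. `case KNOT_EDNS_EDE_NSEC3_ITERS: /* also set on the bogus "too many NSEC3 records" path in validate.c */`. ede_priority() starts and ends outside this hunk.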
@@ -1002,10 +1006,12 @@ static int ede_priority(int info_code)
 case KNOT_EDNS_EDE_NREACH_AUTH:
 case KNOT_EDNS_EDE_NETWORK:
 case KNOT_EDNS_EDE_INV_DATA:
+ case KNOT_EDNS_EDE_SYNTHESIZED:
 return 200; /* Assorted codes */
 case KNOT_EDNS_EDE_OTHER:
 return 100; /* Most generic catch-all error */
 case KNOT_EDNS_EDE_NONE:
+ case KNOT_EDNS_EDE_NONCONF_POLICY: /* Defined by an expired Internet Draft */
 return 0; /* No error - allow overriding */
 default:
 kr_assert(false); /* Unknown info_code */ |
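Review bot: KNOT_EDNS_EDE_NONCONF_POLICY now shares `return 0; /* No error - allow overriding */` with KNOT_EDNS_EDE_NONE, so the trailing comment describes a real error code as "no error". Priority 0 presumably means any other code replaces it, and depending on how the caller compares priorities (not visible in this hunk) setting it may have no visible effect at all. That should be stated explicitly so nobody relies on code 28 reaching the client, for example `return 0; /* No error, or a code we never prefer - allow overriding */`. Because the `default:` branch asserts on unknown codes, this switch also has to be extended whenever libknot gains a new EDE value, which a short comment above the switch could record. ede_priority() starts outside this hunk.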