Diffstat (limited to 'external/unbound/validator')
-rw-r--r--external/unbound/validator/autotrust.c31
-rw-r--r--external/unbound/validator/validator.c2
2 files changed, 22 insertions, 11 deletions
diff --git a/external/unbound/validator/autotrust.c b/external/unbound/validator/autotrust.c
index d90eec9eb..e63b086e6 100644
--- a/external/unbound/validator/autotrust.c
+++ b/external/unbound/validator/autotrust.c
@@ -1225,7 +1225,7 @@ verify_dnskey(struct module_env* env, struct val_env* ve,
{
char* reason = NULL;
uint8_t sigalg[ALGO_NEEDS_MAX+1];
- int downprot = 1;
+ int downprot = env->cfg->harden_algo_downgrade;
enum sec_status sec = val_verify_DNSKEY_with_TA(env, ve, rrset,
tp->ds_rrset, tp->dnskey_rrset, downprot?sigalg:NULL, &reason);
/* sigalg is ignored, it returns algorithms signalled to exist, but
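Review bot: At `int downprot = env->cfg->harden_algo_downgrade;` the downgrade check on the trust-anchor DNSKEY verification becomes configurable, and because the call passes `downprot?sigalg:NULL`, a zero setting means no signalled-algorithm list is requested at all; that trade-off deserves a comment at the assignment, e.g. `/* harden-algo-downgrade: when 0, sigalg is not requested (NULL) and presumably no algorithm-downgrade check is done on this DNSKEY set */`. The same change is made in validator.c process_dnskey_response (`downprot = qstate->env->cfg->harden_algo_downgrade;`), where the same comment applies; the effective default now depends on the option's default in the config, which this diff does not show. verify_dnskey's body continues outside the hunk.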
@@ -1447,9 +1447,11 @@ set_tp_times(struct trust_anchor* tp, time_t rrsig_exp_interval,
if(rrsig_exp_interval/2 < x)
x = rrsig_exp_interval/2;
/* MAX(1hr, x) */
- if(x < 3600)
- tp->autr->query_interval = 3600;
- else tp->autr->query_interval = x;
+ if(!autr_permit_small_holddown) {
+ if(x < 3600)
+ tp->autr->query_interval = 3600;
+ else tp->autr->query_interval = x;
+ } else tp->autr->query_interval = x;
/* x= MIN(1day, ttl/10, expire/10) */
x = 24 * 3600;
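Review bot: The new `if(!autr_permit_small_holddown) { ... } else ...` around the query_interval floor lifts the one-hour minimum through a file-level flag whose declaration is outside this hunk, and nothing at the use site says when that flag may be set; the same construct is repeated for retry_time in the next hunk (@@ -1458) and for `wait` in calc_next_probe (@@ -1959). A comment at this first use, `/* autr_permit_small_holddown drops the 1-hour floor on probe timing; presumably test-only, keep it off in production service */`, would record the intent, hedged because the flag's purpose is only inferred from its name. Style-wise each copy collapses to one line, `tp->autr->query_interval = (x < 3600 && !autr_permit_small_holddown) ? 3600 : x;`, which keeps the three sites in step. set_tp_times starts before this hunk.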
@@ -1458,9 +1460,11 @@ set_tp_times(struct trust_anchor* tp, time_t rrsig_exp_interval,
if(rrsig_exp_interval/10 < x)
x = rrsig_exp_interval/10;
/* MAX(1hr, x) */
- if(x < 3600)
- tp->autr->retry_time = 3600;
- else tp->autr->retry_time = x;
+ if(!autr_permit_small_holddown) {
+ if(x < 3600)
+ tp->autr->retry_time = 3600;
+ else tp->autr->retry_time = x;
+ } else tp->autr->retry_time = x;
if(qi != tp->autr->query_interval || rt != tp->autr->retry_time) {
*changed = 1;
@@ -1959,8 +1963,12 @@ calc_next_probe(struct module_env* env, time_t wait)
{
/* make it random, 90-100% */
time_t rnd, rest;
- if(wait < 3600)
- wait = 3600;
+ if(!autr_permit_small_holddown) {
+ if(wait < 3600)
+ wait = 3600;
+ } else {
+ if(wait == 0) wait = 1;
+ }
rnd = wait/10;
rest = wait-rnd;
rnd = (time_t)ub_random_max(env->rnd, (long int)rnd);
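Review bot: The `else { if(wait == 0) wait = 1; }` branch makes small waits reachable, but `rnd = wait/10` is then 0 for any wait below 10, so `ub_random_max(env->rnd, (long int)rnd)` is now called with a zero bound, which the old 3600 floor never produced; unless ub_random_max is known to accept 0 (not visible here), guard the call, `if(rnd > 0) rnd = (time_t)ub_random_max(env->rnd, (long int)rnd);`. The comment `/* make it random, 90-100% */` no longer describes the small-holddown case, where no jitter is applied; `/* make it random, 90-100% (no jitter for wait < 10 when small holddowns are permitted) */` would. calc_next_probe's return is outside the hunk.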
@@ -2349,6 +2357,8 @@ todo_probe(struct module_env* env, time_t* next)
if( (el=rbtree_first(&env->anchors->autr->probe)) == RBTREE_NULL) {
/* in case of revoked anchors */
lock_basic_unlock(&env->anchors->lock);
+ /* signal that there are no anchors to probe */
+ *next = 0;
return NULL;
}
tp = (struct trust_anchor*)el->key;
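Review bot: `*next = 0;` on the no-anchors path turns 0 into a sentinel, and autr_probe_timer (@@ -2386) now stops the timer on `next_probe == 0` instead of `num == 0`, so every other assignment to `*next` in todo_probe, which lies outside this hunk, must be unable to yield 0 or a live trust point silently stops being probed; that is especially worth checking now that autr_probe_timer seeds `next_probe = 1` under autr_permit_small_holddown (@@ -2378). A comment at the assignment, `/* 0 is the stop sentinel for autr_probe_timer; every other path must leave a positive wait */`, would pin the contract. todo_probe starts before this hunk.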
@@ -2378,6 +2388,7 @@ autr_probe_timer(struct module_env* env)
struct trust_anchor* tp;
time_t next_probe = 3600;
int num = 0;
+ if(autr_permit_small_holddown) next_probe = 1;
verbose(VERB_ALGO, "autotrust probe timer callback");
/* while there are still anchors to probe */
while( (tp = todo_probe(env, &next_probe)) ) {
@@ -2386,7 +2397,7 @@ autr_probe_timer(struct module_env* env)
num++;
}
regional_free_all(env->scratch);
- if(num == 0)
+ if(next_probe == 0)
return 0; /* no trust points to probe */
verbose(VERB_ALGO, "autotrust probe timer %d callbacks done", num);
return next_probe;
diff --git a/external/unbound/validator/validator.c b/external/unbound/validator/validator.c
index 74068659f..f8b429e52 100644
--- a/external/unbound/validator/validator.c
+++ b/external/unbound/validator/validator.c
@@ -2769,7 +2769,7 @@ process_dnskey_response(struct module_qstate* qstate, struct val_qstate* vq,
vq->state = VAL_VALIDATE_STATE;
return;
}
- downprot = 1;
+ downprot = qstate->env->cfg->harden_algo_downgrade;
vq->key_entry = val_verify_new_DNSKEYs(qstate->region, qstate->env,
ve, dnskey, vq->ds_rrset, downprot, &reason);