[PR #2289] [MERGED] test caching of chain of trust link #2925

Closed
opened 2026-03-16 11:15:47 +03:00 by kerem · 0 comments

📋 Pull Request Information

Original PR: https://github.com/hickory-dns/hickory-dns/pull/2289
Author: @japaric
Created: 7/8/2024
Status: Merged
Merged: 7/9/2024
Merged by: @japaric

Base: main ← Head: ja-test-cache-chain-link


📝 Commits (1)

  • 97d6b87 test caching of chain of trust link

📊 Changes

1 file changed (+53 additions, -0 deletions)

📝 conformance/packages/conformance-tests/src/resolver/dnssec/rfc4035/section_4/section_4_5.rs (+53 -0)

📄 Description

While investigating #2274 I think I found the problem: the intermediate records that `DnssecDnsHandle` identifies as "Secure" while doing the chain of trust validation are not re-inserted into the `DnsLru` so they remain as "Proof::Indeterminate" in the cache until they are directly queried.

The test here is meant to expose the issue as a test failure but it actually already passes. From the hickory logs I can see that hickory re-validates the chain of trust on the second query (`DS com.`) even though that `DS com.` record was validated during the first query. The re-validation does not trigger a network operation because the "Indeterminate" records are all cached but it does perform the signature validation once again, which is likely expensive.

The test can't observe the unwanted behavior because it's not visible at the network level. Still, I think this is a good test to add.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
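
A simplified model of the behaviour the description hypothesises, added here as an illustration; it is not code from hickory-dns or from this PR. `Resolver`, `write_back`, the two counters and the chain of record names are assumptions constructed for the example. It counts what the second query costs when validated chain links are, or are not, written back to the cache as Secure.

```rust
use std::collections::HashMap;

#[derive(Clone, Copy, PartialEq)]
enum Proof { Indeterminate, Secure }

// Hypothetical toy resolver; not hickory-dns types. Counters make the cost visible.
struct Resolver {
    cache: HashMap<&'static str, Proof>, // stand-in for the record cache
    write_back: bool, // re-insert validated chain links as Secure?
    network_ops: u32,
    sig_checks: u32,
}

impl Resolver {
    // Only a cache miss costs a network operation; fresh records start unvalidated.
    fn fetch(&mut self, key: &'static str) -> Proof {
        if let Some(&proof) = self.cache.get(key) { return proof; }
        self.network_ops += 1;
        self.cache.insert(key, Proof::Indeterminate);
        Proof::Indeterminate
    }

    // `chain` lists the queried record first, then each link up to the trust anchor.
    fn query(&mut self, chain: &[&'static str]) {
        for (i, &key) in chain.iter().enumerate() {
            if self.fetch(key) == Proof::Secure { break; } // rest is already trusted
            self.sig_checks += 1; // stand-in for one signature verification
            if i == 0 || self.write_back {
                self.cache.insert(key, Proof::Secure);
            }
        }
    }
}

// Constructed, simplified chain of trust for a name under `com.`.
const CHAIN: [&str; 6] = ["A example.com.", "DNSKEY example.com.", "DS example.com.",
                          "DNSKEY com.", "DS com.", "DNSKEY ."];

// Returns (network operations, signature checks) spent on the second query alone.
fn second_query_cost(write_back: bool) -> (u32, u32) {
    let mut r = Resolver { cache: HashMap::new(), write_back, network_ops: 0, sig_checks: 0 };
    r.query(&CHAIN); // first query validates the whole chain
    let (net, sigs) = (r.network_ops, r.sig_checks);
    r.query(&CHAIN[4..]); // second query: `DS com.`, a link of that chain
    (r.network_ops - net, r.sig_checks - sigs)
}

fn main() {
    println!("without write-back: {:?}", second_query_cost(false));
    println!("with write-back:    {:?}", second_query_cost(true));
}
```

In both modes the second query performs zero network operations, so a test that only watches the network sees no difference; only the signature-check counter differs.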
