[PR #2936] [MERGED] Only fetch signer's DS RRset when validating keys #3430

Closed
opened 2026-03-16 11:43:21 +03:00 by kerem · 0 comments

📋 Pull Request Information

Original PR: https://github.com/hickory-dns/hickory-dns/pull/2936
Author: @divergentdave
Created: 4/16/2025
Status: Merged
Merged: 4/24/2025
Merged by: @bluejekyll

Base: main ← Head: david/split-ds-function


📝 Commits (2)

  • 7e4b271 Add convenience constructor for ProofError
  • f6f02cd Only fetch signer's DS RRset when validating keys

📊 Changes

5 files changed (+54 additions, -43 deletions)


📝 Cargo.lock (+0 -1)
📝 crates/proto/Cargo.toml (+0 -1)
📝 crates/proto/src/dnssec/dnssec_dns_handle/mod.rs (+46 -29)
📝 crates/proto/src/dnssec/proof.rs (+8 -0)
📝 fuzz/Cargo.lock (+0 -12)

📄 Description

This splits find_ds_records() into two separate functions, one that just fetches a specific DS RRset, and one that walks up ancestor names if a DS RRset is not found. verify_dnskey_rrset() now uses the new function that just fetches one RRset, and verify_default_rrset() still uses the original function that walks up parent names, and calls it when no RRSIGs are present for an RRset. See also https://github.com/hickory-dns/hickory-dns/issues/2889#issuecomment-2806667970. I rewrote find_ds_records() to use the newly extracted function, changed it from recursive to iterative, and changed the return type to Result<(), ProofError>.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
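
The split described above, as an added sketch that is not code from the PR or from hickory-dns: one function fetches the DS RRset at exactly one name, and an iterative `find_ds_records()` reuses it while walking up ancestor names. The in-memory `DsStore`, the `ProofError` variants, the `parent()` helper and the meaning given to `Ok(())` are assumptions made for illustration; the project's real types and signatures differ.

```rust
use std::collections::HashMap;

// Hypothetical stand-ins for this sketch; hickory-dns's real types differ.
#[derive(Debug, PartialEq)]
enum ProofError {
    DsNotFound(String), // no DS RRset at exactly this owner name
    NoDsInAncestry,     // walked up to the root without finding one
}

// Constructed data: owner name -> key tags in its DS RRset.
type DsStore = HashMap<&'static str, Vec<u16>>;

fn sample_store() -> DsStore {
    HashMap::from([("example.", vec![12345])])
}

// Fetch the DS RRset at exactly `name`; never consults ancestors.
fn fetch_ds_rrset(store: &DsStore, name: &str) -> Result<Vec<u16>, ProofError> {
    store.get(name).cloned().ok_or_else(|| ProofError::DsNotFound(name.to_string()))
}

// Parent of a fully qualified name: "a.example." -> "example." -> "." -> None.
fn parent(name: &str) -> Option<&str> {
    match name.split_once('.') {
        _ if name == "." => None,
        Some((_, rest)) if !rest.is_empty() => Some(rest),
        _ => Some("."),
    }
}

// Iterative walk: try `name`, then each ancestor, until a DS RRset is found.
fn find_ds_records(store: &DsStore, name: &str) -> Result<(), ProofError> {
    let mut current = name;
    loop {
        match fetch_ds_rrset(store, current) {
            Ok(_) => return Ok(()),
            Err(ProofError::DsNotFound(_)) => match parent(current) {
                Some(p) => current = p,
                None => return Err(ProofError::NoDsInAncestry),
            },
            Err(e) => return Err(e),
        }
    }
}

fn main() {
    let store = sample_store();
    // Key validation for child.example. must not borrow the parent's DS RRset.
    println!("{:?}", fetch_ds_rrset(&store, "child.example."));
    // The no-RRSIG path may still look for a DS RRset higher up.
    println!("{:?}", find_ds_records(&store, "host.child.example."));
}
```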
