[PR #3075] [MERGED] DNSSEC validation: find zone cut with NS queries #3544

Closed
opened 2026-03-16 11:49:21 +03:00 by kerem · 0 comments

📋 Pull Request Information

Original PR: https://github.com/hickory-dns/hickory-dns/pull/3075
Author: @divergentdave
Created: 6/20/2025
Status: Merged
Merged: 6/25/2025
Merged by: @djc

Base: main ← Head: david/ns-find-zone-cut


📝 Commits (2)

  • 6f84843 Rename argument to find_ds_records()
  • 8a4f402 Find zone cut with NS queries

📊 Changes

1 file changed (+44 additions, -20 deletions)

View changed files

📝 crates/proto/src/dnssec/dnssec_dns_handle/mod.rs (+44 -20)

📄 Description

This implements the idea from #3042, rewriting find_ds_records() to first find the zone cut with NS queries, without trying to verify the answers, and then requesting the DS RRset at the zone cut, performing DNSSEC validation on that response.

I tried running tests again with a change hacked in to include records from other sections in recursive responses, and the infinite recursion was not a problem. I did see some test failures because of responses with glue A records, but no accompanying RRSIG records, failing to validate. This is related to #3041.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
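An added sketch of the two-phase lookup the description outlines; this is not hickory-dns code. It uses a constructed in-memory resolver in place of real DNS and a `signed` flag in place of real RRSIG/DNSKEY validation, and the upward label walk, the names and the DS strings are all assumptions.

```rust
use std::collections::HashMap;

/// One RRset in a response; `signed` stands in for real RRSIG/DNSKEY validation.
#[derive(Clone)]
pub struct Rrset { pub data: Vec<String>, pub signed: bool }

/// Constructed in-memory resolver keyed by (owner name, record type).
pub struct MockResolver { records: HashMap<(String, &'static str), Rrset> }

impl MockResolver {
    pub fn demo() -> Self {
        let rr = |d: &str, signed| Rrset { data: vec![d.to_string()], signed };
        let mut records = HashMap::new();
        // example.: NS at the apex; the DS held by the parent validates.
        records.insert(("example.".to_string(), "NS"), rr("ns1.example.", false));
        records.insert(("example.".to_string(), "DS"), rr("12345 13 2 <digest placeholder>", true));
        // child.example.: delegated, but its DS response does not validate (failure case).
        records.insert(("child.example.".to_string(), "NS"), rr("ns1.child.example.", false));
        records.insert(("child.example.".to_string(), "DS"), rr("23456 13 2 <digest placeholder>", false));
        Self { records }
    }

    pub fn query(&self, name: &str, rtype: &'static str) -> Option<Rrset> {
        self.records.get(&(name.to_string(), rtype)).cloned()
    }
}

/// Phase 1: walk from `name` toward the root asking for NS at each ancestor and
/// return the closest name that answers. Nothing here is validated; the NS
/// answers only decide where the DS query goes.
pub fn find_zone_cut(r: &MockResolver, name: &str) -> Option<String> {
    let mut candidate = name.to_string();
    loop {
        if r.query(&candidate, "NS").is_some() { return Some(candidate); }
        let (_, parent) = candidate.split_once('.')?;
        if parent.is_empty() { return None; } // reached the root without an NS RRset
        candidate = parent.to_string();
    }
}

/// Phase 2: fetch the DS RRset at the zone cut and accept it only if it validates.
pub fn find_ds_records(r: &MockResolver, name: &str) -> Result<Rrset, String> {
    let cut = find_zone_cut(r, name).ok_or("no zone cut found")?;
    let ds = r.query(&cut, "DS").ok_or(format!("no DS RRset at {cut}"))?;
    if ds.signed { Ok(ds) } else { Err(format!("DS RRset at {cut} failed validation")) }
}
```

The unvalidated NS phase only selects the owner name of the DS query; anything it returns is still gated by the validation of the DS response itself.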
