Recursor: implement Negative Trust Anchor management and runtime Trust Anchor management #3910

merged 8 commits into from Jun 7, 2016



This implementation might be a bit blunt, but it works. Please review.

Closes #3902

@rgacogne rgacogne and 1 other commented on an outdated diff May 27, 2016
@@ -341,6 +342,62 @@ string doSetCarbonServer(T begin, T end)
return ret;
+template<typename T>
+string doAddNTA(T begin, T end)
+ if(begin == end)
+ return "No NTA specified, doing nothing\n";
+ auto luaconf = g_luaconfs.getLocal();
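Review bot: `luaconf` on the last line of the hunk is assigned from `g_luaconfs.getLocal()` but not used anywhere in the lines shown; drop the assignment (or use the local config it returns) so the function does not carry a dead variable into the merge.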
rgacogne May 27, 2016 Member

It looks like luaconf is unused.

pieterlexis May 27, 2016 Member

a leftover of an earlier incantation, removed

@rgacogne rgacogne commented on an outdated diff May 30, 2016
@@ -165,6 +165,19 @@ cspmap_t harvestCSPFromRecs(const vector<DNSRecord>& recs)
vState getKeysFor(DNSRecordOracle& dro, const DNSName& zone, keyset_t &keyset)
+ auto luaLocal = g_luaconfs.getLocal();
+ /* shortcut to insecure if there is negative trust anchor somewhere up in the
+ * tree
+ */
+ auto negAnchors = luaLocal->negAnchors;
+ if (!negAnchors.empty())
+ for (auto negAnchor : negAnchors)
+ if (zone.isPartOf(negAnchor.first)) {
+ LOG("Found a Negative Trust Anchor for "<<negAnchor.first<<", which was added with the message '"<<negAnchor.second<<"'. Returning Insecure."<<endl);
+ return NTA;
+ }
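Review bot: the loop returns `NTA` for the first negative anchor that covers `zone` without checking whether a positive trust anchor is configured closer to the zone than that NTA; a trust anchor below the NTA should win and validation should resume from it (RFC 7646 section 1.1), so compare the depth of the matching NTA against the closest configured trust anchor before taking the shortcut. Two smaller points: `if (!negAnchors.empty())` is redundant because the range-for already does nothing on an empty container, and `auto negAnchors = luaLocal->negAnchors;` followed by `for (auto negAnchor : negAnchors)` copies the whole map and then each pair on every call to `getKeysFor`; `const auto& negAnchors = luaLocal->negAnchors;` and `for (const auto& negAnchor : negAnchors)` avoid the copies.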
rgacogne May 30, 2016 Member

Shouldn't we check whether there is a (positive) trust anchor below? If I understand correctly section 1.1 of rfc7646, we would be expected to resume validation starting with this trust anchor, right?


Fixed @rgacogne's comments and added a bugfix that ensures the use of the correct, configured trust anchor (we only used the root trust anchor before)


An addition on the bugfix regarding positive trust anchors: this makes the Recursor behave as specified in RFC 6840 §C.1, i.e. using the closest encounter when validating responses.
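The closest-encounter rule discussed above, as an added stand-alone example that is not code from this PR or from PowerDNS: given a zone name, a map of Negative Trust Anchors (name to reason) and a list of positive Trust Anchors, it picks the deepest anchor covering the zone, so a positive anchor configured below an NTA resumes validation instead of being short-cut to Insecure. `Name`, `Decision` and `decide` are this example's own names; `Name` is a minimal stand-in for the recursor's `DNSName` with an `isPartOf` of the same meaning, and the tie-break on equal depth (positive anchor wins) is this example's choice, not something the PR specifies.

```cpp
// Added example, not PowerDNS code: closest-anchor selection between Negative
// Trust Anchors and positive Trust Anchors for a zone being validated.
#include <algorithm>
#include <cctype>
#include <iostream>
#include <map>
#include <string>
#include <vector>

// Minimal stand-in (assumption) for the recursor's DNSName: labels stored
// most-specific first, e.g. "www.example.com." -> {"www","example","com"};
// the root name "." has no labels.
struct Name {
    std::vector<std::string> labels;

    static Name fromString(const std::string& s) {
        Name n;
        std::string cur;
        for (char c : s) {
            if (c == '.') {
                if (!cur.empty()) n.labels.push_back(cur);
                cur.clear();
            } else {
                cur.push_back(static_cast<char>(std::tolower(static_cast<unsigned char>(c))));
            }
        }
        if (!cur.empty()) n.labels.push_back(cur);
        return n;
    }

    size_t countLabels() const { return labels.size(); }

    // True when `parent` is this name or one of its ancestors (the root covers everything).
    bool isPartOf(const Name& parent) const {
        if (parent.labels.size() > labels.size()) return false;
        // Compare from the TLD side inwards.
        return std::equal(parent.labels.rbegin(), parent.labels.rend(), labels.rbegin());
    }
};

enum class Outcome { NoAnchor, Insecure, ValidateFrom };

struct Decision {
    Outcome outcome;
    std::string anchor; // the configured anchor name that decided the outcome
    std::string reason; // NTA reason text, empty for positive anchors
};

// Select the deepest anchor covering `zoneStr`. A deeper anchor of either kind
// wins over a shallower one; on equal depth the positive trust anchor wins
// (this example's choice). Returns NoAnchor when nothing covers the zone.
Decision decide(const std::string& zoneStr,
                const std::map<std::string, std::string>& negAnchors, // name -> reason
                const std::vector<std::string>& trustAnchors)
{
    const Name zone = Name::fromString(zoneStr);
    Decision best{Outcome::NoAnchor, "", ""};
    size_t bestDepth = 0;

    for (const auto& ta : trustAnchors) {
        const Name n = Name::fromString(ta);
        if (zone.isPartOf(n) && (best.outcome == Outcome::NoAnchor || n.countLabels() > bestDepth)) {
            best = {Outcome::ValidateFrom, ta, ""};
            bestDepth = n.countLabels();
        }
    }
    for (const auto& nta : negAnchors) {
        const Name n = Name::fromString(nta.first);
        if (zone.isPartOf(n) && (best.outcome == Outcome::NoAnchor || n.countLabels() > bestDepth)) {
            best = {Outcome::Insecure, nta.first, nta.second};
            bestDepth = n.countLabels();
        }
    }
    return best;
}

int main() {
    // Constructed sample configuration: root TA, an NTA on example.com and a
    // positive TA for a child zone underneath that NTA.
    const std::map<std::string, std::string> ntas{{"example.com", "DNSSEC broken at the operator"}};
    const std::vector<std::string> tas{".", "sub.example.com"};
    for (const char* q : {"www.example.com", "www.sub.example.com", "www.example.net"}) {
        const Decision d = decide(q, ntas, tas);
        std::cout << q << " -> "
                  << (d.outcome == Outcome::Insecure ? "Insecure via NTA " :
                      d.outcome == Outcome::ValidateFrom ? "validate from TA " : "no anchor ")
                  << d.anchor << (d.reason.empty() ? "" : " (" + d.reason + ")") << "\n";
    }
    return 0;
}
```

With the sample configuration, `www.example.com` is short-cut to Insecure by the NTA, `www.sub.example.com` is validated from the `sub.example.com` trust anchor because it sits below the NTA, and `www.example.net` is validated from the root anchor; the reason text is returned alongside so a log line can report why a zone was treated as Insecure.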

@pieterlexis pieterlexis changed the title from Recursor: implement Negative Trust Anchor management to Recursor: implement Negative Trust Anchor management and runtime Trust Anchor management Jun 3, 2016

Updated to also add runtime trust anchor management

@Habbie Habbie commented on an outdated diff Jun 7, 2016
: Shows the currently active queries.
+clear-nta [*DOMAIN*]...
+: Remove Negative Trust Anchor for one or more *DOMAIN*s. If *DOMAIN* is
+ empty, remove all configured Negative Trust Anchors.
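Review bot: "If *DOMAIN* is empty, remove all configured Negative Trust Anchors" makes the destructive clear-all the behaviour for an empty argument list, so a script that builds its argument list from a variable that happens to be empty wipes every NTA; require an explicit token (for example `*`) for clear-all, document that token here instead of "empty", and drop the square brackets in `clear-nta [*DOMAIN*]...` so the synopsis shows the argument as required.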
Habbie Jun 7, 2016 Member

'empty' or 'no domain specified'? I think we might want to be explicit here, use '*' or something. If somebody automates setting/clearing of NTAs it's pretty easy to accidentally pass an empty list

Habbie commented Jun 7, 2016

I approve of this PR!

Habbie commented Jun 7, 2016

(one nit)

@pieterlexis pieterlexis merged commit 669f297 into PowerDNS:master Jun 7, 2016

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed
@pieterlexis pieterlexis deleted the pieterlexis:recursor-NTA branch Jun 7, 2016