author | Casey Deccio <casey@deccio.net> | 2020-12-30 09:10:08 +0300 |
---|---|---|
committer | Casey Deccio <casey@deccio.net> | 2020-12-30 09:10:08 +0300 |
commit | 26a8b7e24c3c2bdeb2e4f80899ad3fa25872042d (patch) | |
tree | 767e683cdc23e95e80f4db4db7a833a2ac844586 | |
parent | 69d4a44c6fb2b966733e5621f610e7cae41d0251 (diff) |
Don't print DNSKEY negative response unless there is a response error
-rw-r--r-- | dnsviz/analysis/offline.py | 20 |
1 files changed, 5 insertions, 15 deletions
diff --git a/dnsviz/analysis/offline.py b/dnsviz/analysis/offline.py index a9ff6cf..7eaf669 100644 --- a/dnsviz/analysis/offline.py +++ b/dnsviz/analysis/offline.py @@ -458,7 +458,10 @@ class OfflineDomainNameAnalysis(OnlineDomainNameAnalysis): warnings = [] errors = [] rdata_tup.append((None, [], [], '%s' % (info.terse_description))) + elif info in self.nodata_status: + if rdtype == dns.rdatatype.DNSKEY: + return () warnings = [w.terse_description for w in response_info.name_obj.nodata_warnings[info]] errors = [e.terse_description for e in response_info.name_obj.nodata_errors[info]] @@ -470,6 +473,8 @@ class OfflineDomainNameAnalysis(OnlineDomainNameAnalysis): children.extend(self._serialize_nsec_set_simple(info, response_info.name_obj.nodata_status, response_info)) elif info in self.nxdomain_status: + if rdtype == dns.rdatatype.DNSKEY: + return () warnings = [w.terse_description for w in response_info.name_obj.nxdomain_warnings[info]] errors = [e.terse_description for e in response_info.name_obj.nxdomain_errors[info]] 
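Review bot: The early `return ()` for DNSKEY in the `nodata_status` branch runs before `nodata_warnings[info]` and `nodata_errors[info]` are read, so any warnings or errors attached to a negative DNSKEY response are discarded with it; the `nxdomain_status` branch in the second hunk has the same shape. The commit title says the response should still be printed when there is a response error, but nothing in these hunks shows where that case is handled, so it presumably lives in a branch outside the hunk and is worth confirming. If the DNSSEC-level errors are meant to stay visible, the guard could be narrowed to `if rdtype == dns.rdatatype.DNSKEY and not response_info.name_obj.nodata_errors[info]:` (and the `nxdomain_errors` equivalent). A one-line comment above each guard, for example `# negative DNSKEY responses are reported only through response errors`, would also help, because this commit also removes the code that marked such a response `RRSET_STATUS_BOGUS`, so a server that denies DNSKEY for a signed zone may no longer be surfaced in this output. The enclosing method starts and ends outside the hunk, so the meaning of the empty tuple for callers cannot be checked from here.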
@@ -2563,21 +2568,6 @@ class OfflineDomainNameAnalysis(OnlineDomainNameAnalysis): if G.secure_nsec_nodes_covering_node(node_str): response_component_status[obj] = Status.RRSET_STATUS_SECURE - # A negative response to a DNSKEY query is a special case. - elif obj.rdtype == dns.rdatatype.DNSKEY: - # If the "node" was found to be secure, then there must be - # a secure entry point into the zone, indicating that there - # were other, positive responses to the query (i.e., from - # other servers). That makes this negative response bogus. - if status == Status.RRSET_STATUS_SECURE: - response_component_status[obj] = Status.RRSET_STATUS_BOGUS - - # Since the accompanying SOA is not drawn on the graph, we - # simply apply the same status to the SOA as is associated - # with the negative response. - for soa_rrset in obj.soa_rrset_info: - response_component_status[soa_rrset] = response_component_status[obj] - # for non-DNSKEY responses, verify that the negative # response is secure by checking that the SOA is also # secure (the fact that it is marked "secure" indicates |