Commit 58db2d1d authored by Witold Kręcicki's avatar Witold Kręcicki

Fix a bug in trust anchors verification.

We were not resetting the keynode value when iterating over DNSKEYs in the
RRSET, so we weren't checking all DNSKEYs against all trust anchors. This
commit fixes the issue by resetting keynode on every loop iteration.
parent cadbc158
......@@ -9911,9 +9911,9 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
break;
}
}
dns_keytable_detachkeynode(secroots, &keynode);
goto anchors_done;
} else {
dns_keytable_detachkeynode(secroots, &keynode);
}
 
/*
......@@ -9924,6 +9924,10 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
result == ISC_R_SUCCESS;
result = dns_rdataset_next(dnskeysigs))
{
result = dns_keytable_find(secroots, keyname, &keynode);
if (result != ISC_R_SUCCESS) {
goto anchors_done;
}
dns_rdata_reset(&sigrr);
dns_rdataset_current(dnskeysigs, &sigrr);
result = dns_rdata_tostruct(&sigrr, &sig, NULL);
......@@ -9971,7 +9975,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
keynode = nextnode;
}
}
dns_keytable_detachkeynode(secroots, &keynode);
if (secure) {
break;
}
......
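Review bot: The `dns_keytable_find()` call at the top of the signature loop (second hunk) takes a fresh keynode reference on every iteration, so every path out of the loop body has to release it before the next pass or before leaving the loop. Only the detach at the bottom (third hunk) is visible; the body between the hunks is elided, so any `continue` or early exit there should be checked for a matching `dns_keytable_detachkeynode()`, and the bottom detach should be confirmed safe when the inner walk ends with `keynode = nextnode` leaving it NULL. Making the invariant explicit would help: `INSIST(keynode == NULL);` immediately before the lookup. The `goto anchors_done` on a failed lookup appears to leave `secure` unset, which is the fail-closed outcome for a trust-anchor check; a comment such as `/* No trust anchor found for this name: do not treat the key set as secure. */` would record that intent. keyfetch_done starts and ends outside these hunks.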