Commit 8bedd964 authored by Mark Andrews's avatar Mark Andrews
Browse files

2245. [bug] Validating lack of DS records at trust anchors wasn't

                        working. [RT #17151]
parent 69f3cb5a
2245. [bug] Validating lack of DS records at trust anchors wasn't
working. [RT #17151]
2244. [func] Allow the check of nameserver names against the
SOA MNAME field to be disabled by specifying
'notify-to-soa yes;'. [RT #17073]
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: validator.h,v 1.38 2007/06/18 23:47:42 tbox Exp $ */
/* $Id: validator.h,v 1.39 2007/09/19 03:38:56 marka Exp $ */
#ifndef DNS_VALIDATOR_H
#define DNS_VALIDATOR_H 1
......@@ -81,11 +81,24 @@ typedef struct dns_validatorevent {
ISC_EVENT_COMMON(struct dns_validatorevent);
dns_validator_t * validator;
isc_result_t result;
/*
* Name and type of the response to be validated.
*/
dns_name_t * name;
dns_rdatatype_t type;
/*
* Rdata and RRSIG (if any) for positive responses.
*/
dns_rdataset_t * rdataset;
dns_rdataset_t * sigrdataset;
/*
* The full response. Required for negative responses.
* Also required for positive wildcard responses.
*/
dns_message_t * message;
/*
* Proofs to be cached.
*/
dns_name_t * proofs[3];
} dns_validatorevent_t;
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: validator.c,v 1.154 2007/09/14 05:43:05 marka Exp $ */
/* $Id: validator.c,v 1.155 2007/09/19 03:38:55 marka Exp $ */
#include <config.h>
......@@ -2390,6 +2390,10 @@ finddlvsep(dns_validator_t *val, isc_boolean_t resume) {
dns_fixedname_init(&val->dlvsep);
dlvsep = dns_fixedname_name(&val->dlvsep);
dns_name_copy(val->event->name, dlvsep, NULL);
/*
* If this is a response to a DS query, we need to look in
* the parent zone for the trust anchor.
*/
if (val->event->type == dns_rdatatype_ds) {
labels = dns_name_countlabels(dlvsep);
if (labels == 0)
......@@ -2492,9 +2496,16 @@ proveunsecure(dns_validator_t *val, isc_boolean_t resume) {
if (val->havedlvsep)
dns_name_copy(dns_fixedname_name(&val->dlvsep), secroot, NULL);
else {
dns_name_copy(val->event->name, secroot, NULL);
/*
* If this is a response to a DS query, we need to look in
* the parent zone for the trust anchor.
*/
if (val->event->type == dns_rdatatype_ds &&
dns_name_countlabels(secroot) > 1U)
dns_name_split(secroot, 1, NULL, secroot);
result = dns_keytable_finddeepestmatch(val->keytable,
val->event->name,
secroot);
secroot, secroot);
if (result == ISC_R_NOTFOUND) {
validator_log(val, ISC_LOG_DEBUG(3),
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment