Commit d36b7f86 authored by Evan Hunt's avatar Evan Hunt
Browse files

[master] improve debugging output from dnssec-cds

4883.	[cleanup]	Improved debugging output from dnssec-cds. [RT #47026]

Patch submitted by Tony Finch (dot@dotat.at)
parent ffac3109
4883. [cleanup] Improved debugging output from dnssec-cds. [RT #47026]
4882. [bug] Address potential memory leak in
dns_update_signaturesinc. [RT #47084]
 
......
......@@ -85,7 +85,7 @@ static dns_rdataclass_t rdclass = dns_rdataclass_in;
*/
static isc_uint8_t dtype[8];
static const char *startstr = NULL; /* from which we derive notbefore */
static const char *startstr = NULL; /* from which we derive notbefore */
static isc_stdtime_t notbefore = 0; /* restrict sig inception times */
static dns_rdata_rrsig_t oldestsig; /* for recording inception time */
......@@ -521,6 +521,13 @@ match_key_dsset(keyinfo_t *ki, dns_rdataset_t *dsset, strictness_t strictness)
}
}
vbprintf(1, "no matching %s for %s %d %d\n",
dsset->type == dns_rdatatype_cds
? "CDS" : "DS",
ki->rdata.type == dns_rdatatype_cdnskey
? "CDNSKEY" : "DNSKEY",
ki->tag, ki->algo);
return (ISC_FALSE);
}
......@@ -647,17 +654,25 @@ matching_sigs(keyinfo_t *keytbl, dns_rdataset_t *rdataset,
for (i = 0; i < nkey; i++) {
keyinfo_t *ki = &keytbl[i];
if (ki->dst == NULL ||
sig.keyid != ki->tag ||
if (sig.keyid != ki->tag ||
sig.algorithm != ki->algo ||
!dns_name_equal(&sig.signer, name))
{
continue;
}
if (ki->dst == NULL) {
vbprintf(1, "skip RRSIG by key %d:"
" no matching (C)DS\n",
sig.keyid);
continue;
}
result = dns_dnssec_verify(name, rdataset, ki->dst,
ISC_FALSE, mctx, &sigrdata);
if (result != ISC_R_SUCCESS) {
vbprintf(1, "skip RRSIG by key %d:"
" verification failed: %s\n",
sig.keyid, isc_result_totext(result));
continue;
}
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment