From e27d55e3ee06b6edcf625b8920a5c809da7f0b98 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 26 May 2010 06:28:00 +0000 Subject: [PATCH] 2904. [bug] When using DLV, sub-zones of the zones in the DLV, could be incorrectly marked as insecure instead of secure leading to negative proofs failing. This was a unintended outcome from change 2890. [RT# 21392] --- CHANGES | 5 + bin/tests/system/conf.sh.in | 6 +- bin/tests/system/dlv/clean.sh | 9 +- bin/tests/system/dlv/ns3/child.db.in | 4 +- bin/tests/system/dlv/ns3/sign.sh | 66 +++++++------ bin/tests/system/dlv/ns6/child.db.in | 22 +++++ bin/tests/system/dlv/ns6/hints | 18 ++++ bin/tests/system/dlv/ns6/named.conf | 42 ++++++++ bin/tests/system/dlv/ns6/sign.sh | 139 +++++++++++++++++++++++++++ bin/tests/system/dlv/tests.sh | 31 +++++- lib/dns/validator.c | 53 ++++++---- 11 files changed, 335 insertions(+), 60 deletions(-) create mode 100644 bin/tests/system/dlv/ns6/child.db.in create mode 100644 bin/tests/system/dlv/ns6/hints create mode 100644 bin/tests/system/dlv/ns6/named.conf create mode 100755 bin/tests/system/dlv/ns6/sign.sh diff --git a/CHANGES b/CHANGES index c4af457090..fbb4ebceb7 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,8 @@ +2904. [bug] When using DLV, sub-zones of the zones in the DLV, + could be incorrectly marked as insecure instead of + secure leading to negative proofs failing. This was + a unintended outcome from change 2890. [RT# 21392] + 2903. [bug] managed-keys-directory missing from namedconf.c. [RT #21370] diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in index 89def37559..5eb94c9a8f 100644 --- a/bin/tests/system/conf.sh.in +++ b/bin/tests/system/conf.sh.in @@ -15,7 +15,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: conf.sh.in,v 1.45 2010/01/18 23:48:39 tbox Exp $ +# $Id: conf.sh.in,v 1.46 2010/05/26 06:28:00 marka Exp $ # # Common configuration data for system tests, to be sourced into 
@@ -47,8 +47,8 @@ CHECKCONF=$TOP/bin/check/named-checkconf # The "stress" test is not run by default since it creates enough # load on the machine to make it unusable to other users. # v6synth -SUBDIRS="acl autosign cacheclean checkconf checknames dnssec forward glue ixfr - limits lwresd masterfile masterformat metadata notify nsupdate pending +SUBDIRS="acl autosign cacheclean checkconf checknames dlv dnssec forward glue + ixfr limits lwresd masterfile masterformat metadata notify nsupdate pending resolver rrsetorder sortlist smartsign stub tkey unknown upforwd views xfer xferquota zonechecks" diff --git a/bin/tests/system/dlv/clean.sh b/bin/tests/system/dlv/clean.sh index 872b14f592..1c205bdbe3 100644 --- a/bin/tests/system/dlv/clean.sh +++ b/bin/tests/system/dlv/clean.sh @@ -14,7 +14,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: clean.sh,v 1.5 2007/09/26 03:22:43 marka Exp $ +# $Id: clean.sh,v 1.6 2010/05/26 06:28:00 marka Exp $ rm -f random.data rm -f ns*/named.run @@ -25,4 +25,11 @@ rm -f ns3/dlvset-* rm -f ns3/dsset-* rm -f ns3/keyset-* rm -f ns3/trusted.conf ns5/trusted.conf +rm -f ns3/signer.err +rm -f ns6/K* +rm -f ns6/*.db +rm -f ns6/*.signed +rm -f ns6/dsset-* +rm -f ns6/signer.err rm -f */named.memstats +rm -f dig.out.ns*.test* diff --git a/bin/tests/system/dlv/ns3/child.db.in b/bin/tests/system/dlv/ns3/child.db.in index 9411c689f8..a89c7f5f57 100644 --- a/bin/tests/system/dlv/ns3/child.db.in +++ b/bin/tests/system/dlv/ns3/child.db.in @@ -12,7 +12,7 @@ ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR ; PERFORMANCE OF THIS SOFTWARE. -; $Id: child.db.in,v 1.4 2007/06/19 23:47:02 tbox Exp $ +; $Id: child.db.in,v 1.5 2010/05/26 06:28:00 marka Exp $ $TTL 120 @ SOA ns hostmaster.ns 1 3600 1200 604800 60 @@ -20,3 +20,5 @@ $TTL 120 ns A 10.53.0.3 foo TXT foo bar TXT bar +grand NS ns.grand +ns.grand A 10.53.0.6 
diff --git a/bin/tests/system/dlv/ns3/sign.sh b/bin/tests/system/dlv/ns3/sign.sh index e7a832aa2b..b3990366c4 100755 --- a/bin/tests/system/dlv/ns3/sign.sh +++ b/bin/tests/system/dlv/ns3/sign.sh @@ -14,7 +14,9 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: sign.sh,v 1.6 2009/10/27 23:47:44 tbox Exp $ +# $Id: sign.sh,v 1.7 2010/05/26 06:28:00 marka Exp $ + +(cd ../ns6; ./sign.sh) SYSTEMTESTTOP=../.. . $SYSTEMTESTTOP/conf.sh @@ -29,12 +31,12 @@ outfile=child1.signed dlvzone=dlv.utld. dlvsets="$dlvsets dlvset-$zone" -keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone` -keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone` +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -cat $infile $keyname1.key $keyname2.key >$zonefile +cat $infile $keyname1.key $keyname2.key ../ns6/dsset-grand.$zone >$zonefile -$SIGNER -g -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null +$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err echo "I: signed $zone" @@ -45,12 +47,12 @@ outfile=child3.signed dlvzone=dlv.utld. dlvsets="$dlvsets dlvset-$zone" -keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone` -keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone` +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -cat $infile $keyname1.key $keyname2.key >$zonefile +cat $infile $keyname1.key $keyname2.key ../ns6/dsset-grand.$zone >$zonefile -$SIGNER -g -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null +$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err echo "I: signed $zone" 
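Review bot: The `2> /dev/null` added to both `$KEYGEN` invocations in the `@@ -29,12 +31,12 @@` hunk hides key-generation failures, so an empty `keyname1`/`keyname2` goes unnoticed and the following `cat $infile .key .key ...` and `$SIGNER` lines fail with an unrelated message; the same pattern repeats in every later stanza of this file (the hunks at -45, -61, -77, -92, -107, -123, -138 and -153) and in the new ns6/sign.sh. A guard after the two assignments, `[ -n "$keyname1" ] && [ -n "$keyname2" ] || { echo "I: keygen failed for $zone"; exit 1; }`, would surface the real cause. The `|| cat signer.err` appended to each `$SIGNER` line likewise reports but does not stop on a signing failure, so ns5 may later validate against a missing or stale `$outfile`; `|| { cat signer.err; exit 1; }` would make it fatal. The `(cd ../ns6; ./sign.sh)` added in the first hunk also discards ns6's exit status even though the `../ns6/dsset-grand.$zone` files it produces are consumed a few lines below.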
@@ -61,12 +63,12 @@ outfile=child4.signed dlvzone=dlv.utld. dlvsets="$dlvsets dlvset-$zone" -keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone` -keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone` +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` cat $infile $keyname1.key $keyname2.key >$zonefile -$SIGNER -g -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null +$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err echo "I: signed $zone" @@ -77,12 +79,12 @@ outfile=child5.signed dlvzone=dlv.utld. dlvsets="$dlvsets dlvset-$zone" -keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone` -keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone` +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -cat $infile $keyname1.key $keyname2.key >$zonefile +cat $infile $keyname1.key $keyname2.key ../ns6/dsset-grand.$zone >$zonefile -$SIGNER -g -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null +$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err echo "I: signed $zone" 
@@ -92,12 +94,12 @@ zonefile=child7.utld.db outfile=child7.signed dlvzone=dlv.utld. -keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone` -keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone` +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` -cat $infile $keyname1.key $keyname2.key >$zonefile +cat $infile $keyname1.key $keyname2.key ../ns6/dsset-grand.$zone >$zonefile -$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null +$SIGNER -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err echo "I: signed $zone" @@ -107,12 +109,12 @@ zonefile=child8.utld.db outfile=child8.signed dlvzone=dlv.utld. -keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone` -keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone` +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` cat $infile $keyname1.key $keyname2.key >$zonefile -$SIGNER -g -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null +$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err echo "I: signed $zone" @@ -123,12 +125,12 @@ outfile=child9.signed dlvzone=dlv.utld. dlvsets="$dlvsets dlvset-$zone" -keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone` -keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone` +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` cat $infile $keyname1.key $keyname2.key >$zonefile -$SIGNER -g -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null +$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err echo "I: signed $zone" zone=child10.utld. 
@@ -138,12 +140,12 @@ outfile=child10.signed dlvzone=dlv.utld. dlvsets="$dlvsets dlvset-$zone" -keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone` -keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone` +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` cat $infile $keyname1.key $keyname2.key >$zonefile -$SIGNER -g -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null +$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err echo "I: signed $zone" @@ -153,12 +155,12 @@ zonefile=dlv.utld.db outfile=dlv.signed dlvzone=dlv.utld. -keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone` -keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone` +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` cat $infile $dlvsets $keyname1.key $keyname2.key >$zonefile -$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null +$SIGNER -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err echo "I: signed $zone" diff --git a/bin/tests/system/dlv/ns6/child.db.in b/bin/tests/system/dlv/ns6/child.db.in new file mode 100644 index 0000000000..591b8eb38e --- /dev/null +++ b/bin/tests/system/dlv/ns6/child.db.in 
@@ -0,0 +1,22 @@ +; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +; $Id: child.db.in,v 1.2 2010/05/26 06:28:00 marka Exp $ + +$TTL 120 +@ SOA ns hostmaster.ns6 1 3600 1200 604800 60 +@ NS ns +ns A 10.53.0.6 +foo TXT foo +bar TXT bar diff --git a/bin/tests/system/dlv/ns6/hints b/bin/tests/system/dlv/ns6/hints new file mode 100644 index 0000000000..ecf0aac236 --- /dev/null +++ b/bin/tests/system/dlv/ns6/hints 
@@ -0,0 +1,18 @@ +; Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +; $Id: hints,v 1.2 2010/05/26 06:28:00 marka Exp $ + +. 0 NS ns.rootservers.utld. +ns.rootservers.utld. 0 A 10.53.0.1 diff --git a/bin/tests/system/dlv/ns6/named.conf b/bin/tests/system/dlv/ns6/named.conf new file mode 100644 index 0000000000..8cc0d11411 --- /dev/null +++ b/bin/tests/system/dlv/ns6/named.conf 
@@ -0,0 +1,42 @@ +/* + * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +/* $Id: named.conf,v 1.2 2010/05/26 06:28:00 marka Exp $ */ + +controls { /* empty */ }; + +options { + query-source address 10.53.0.6; + notify-source 10.53.0.6; + transfer-source 10.53.0.6; + port 5300; + pid-file "named.pid"; + listen-on { 10.53.0.6; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + dnssec-enable yes; +}; + +zone "." { type hint; file "hints"; }; +zone "grand.child1.utld" { type master; file "grand.child1.signed"; }; +zone "grand.child3.utld" { type master; file "grand.child3.signed"; }; +zone "grand.child4.utld" { type master; file "grand.child4.signed"; }; +zone "grand.child5.utld" { type master; file "grand.child5.signed"; }; +zone "grand.child7.utld" { type master; file "grand.child7.signed"; }; +zone "grand.child8.utld" { type master; file "grand.child8.signed"; }; +zone "grand.child9.utld" { type master; file "grand.child9.signed"; }; +zone "grand.child10.utld" { type master; file "grand.child.db.in"; }; diff --git a/bin/tests/system/dlv/ns6/sign.sh b/bin/tests/system/dlv/ns6/sign.sh new file mode 100755 index 0000000000..9713f6217e --- /dev/null +++ b/bin/tests/system/dlv/ns6/sign.sh 
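Review bot: The last zone statement, `zone "grand.child10.utld" { type master; file "grand.child.db.in"; };`, names a file that nothing in this commit creates: the template in ns6 is `child.db.in`, and ns6/sign.sh writes `grand.child10.utld.db` and `grand.child10.signed`, so this zone will fail to load on ns6 while the other seven load their `.signed` files. It should read `zone "grand.child10.utld" { type master; file "grand.child10.signed"; };`. If serving an unsigned copy for child10 is deliberate (ns3/sign.sh does not feed `../ns6/dsset-grand.$zone` into child10 either), the file name still has to be one that exists, e.g. `grand.child10.utld.db`, and a comment should say why this zone differs from the others.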
@@ -0,0 +1,139 @@ +#!/bin/sh +# +# Copyright (C) 2004, 2007, 2009 Internet Systems Consortium, Inc. ("ISC") +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +# $Id: sign.sh,v 1.2 2010/05/26 06:28:00 marka Exp $ + +SYSTEMTESTTOP=../.. +. $SYSTEMTESTTOP/conf.sh + +RANDFILE=../random.data + +zone=grand.child1.utld. +infile=child.db.in +zonefile=grand.child1.utld.db +outfile=grand.child1.signed + +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` + +cat $infile $keyname1.key $keyname2.key >$zonefile + +$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err +echo "I: signed $zone" + + +zone=grand.child3.utld. +infile=child.db.in +zonefile=grand.child3.utld.db +outfile=grand.child3.signed +dlvzone=dlv.utld. + +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` + +cat $infile $keyname1.key $keyname2.key >$zonefile + +$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err +echo "I: signed $zone" + + +zone=grand.child4.utld. +infile=child.db.in +zonefile=grand.child4.utld.db +outfile=grand.child4.signed +dlvzone=dlv.utld. 
+ +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` + +cat $infile $keyname1.key $keyname2.key >$zonefile + +$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err +echo "I: signed $zone" + + +zone=grand.child5.utld. +infile=child.db.in +zonefile=grand.child5.utld.db +outfile=grand.child5.signed +dlvzone=dlv.utld. + +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` + +cat $infile $keyname1.key $keyname2.key >$zonefile + +$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err +echo "I: signed $zone" + + +zone=grand.child7.utld. +infile=child.db.in +zonefile=grand.child7.utld.db +outfile=grand.child7.signed +dlvzone=dlv.utld. + +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` + +cat $infile $keyname1.key $keyname2.key >$zonefile + +$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err +echo "I: signed $zone" + + +zone=grand.child8.utld. +infile=child.db.in +zonefile=grand.child8.utld.db +outfile=grand.child8.signed +dlvzone=dlv.utld. + +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` + +cat $infile $keyname1.key $keyname2.key >$zonefile + +$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err +echo "I: signed $zone" + + +zone=grand.child9.utld. +infile=child.db.in +zonefile=grand.child9.utld.db +outfile=grand.child9.signed +dlvzone=dlv.utld. 
+ +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` + +cat $infile $keyname1.key $keyname2.key >$zonefile + +$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err +echo "I: signed $zone" + +zone=grand.child10.utld. +infile=child.db.in +zonefile=grand.child10.utld.db +outfile=grand.child10.signed +dlvzone=dlv.utld. + +keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` +keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` + +cat $infile $keyname1.key $keyname2.key >$zonefile + +$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err +echo "I: signed $zone" diff --git a/bin/tests/system/dlv/tests.sh b/bin/tests/system/dlv/tests.sh index 8b595a7fa8..4b0c1d1de3 100644 --- a/bin/tests/system/dlv/tests.sh +++ b/bin/tests/system/dlv/tests.sh 
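Review bot: `dlvzone=dlv.utld.` is assigned in every stanza from grand.child3 onward but never read — unlike ns3/sign.sh, no `-l $dlvzone` is passed to `$SIGNER` — so either the assignments are leftovers from copying ns3/sign.sh and should be dropped, or the `-l` option was meant to be there; nothing in the file says which. The `-g` option passed to every `$SIGNER` call appears to be a no-op here, since `child.db.in` contains no delegations for which `dsset-`/`keyset-` files could exist. Eight near-identical stanzas that differ only in the zone number would read better as a loop, `for n in 1 3 4 5 7 8 9 10; do zone=grand.child$n.utld.; ...; done`, which would also have made the unused variable obvious.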
@@ -14,6 +14,33 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: tests.sh,v 1.4 2007/06/19 23:47:02 tbox Exp $ +# $Id: tests.sh,v 1.5 2010/05/26 06:28:00 marka Exp $ -exit 0 +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +status=0 +n=0 + +rm -f dig.out.* + +DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300" + +echo "I:checking that DNSKEY reference by DLV validates as secure ($n)" +ret=0 +$DIG $DIGOPTS child1.utld dnskey @10.53.0.5 > dig.out.ns5.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking that child DNSKEY reference by DLV validates as secure ($n)" +ret=0 +$DIG $DIGOPTS grand.child1.utld dnskey @10.53.0.5 > dig.out.ns5.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:exit status: $status" +exit $status diff --git a/lib/dns/validator.c b/lib/dns/validator.c index 7fc3688e7c..3f6e3ebd1a 100644 --- a/lib/dns/validator.c +++ b/lib/dns/validator.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: validator.c,v 1.193 2010/05/14 23:50:39 tbox Exp $ */ +/* $Id: validator.c,v 1.194 2010/05/26 06:27:59 marka Exp $ */ #include @@ -2264,6 +2264,17 @@ validatezonekey(dns_validator_t *val) { return (dlv_validatezonekey(val)); if (val->dsset == NULL) { + + /* + * We have a dlv sep. Skip looking up the SEP from + * {trusted,managed}-keys. If the dlv sep is for the + * root then it will have been handled above so we don't + * need to check whether val->event->name is "." prior to + * looking up the DS. + */ + if (val->havedlvsep) + goto find_ds; + /* * First, see if this key was signed by a trusted key. */ 
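Review bot: Neither check exercises the failure mode the commit message describes — negative proofs failing — since both queries ask for DNSKEY and only grep the `ad` flag on a positive answer. A third query for a name that does not exist under grand.child1.utld, checked with the same `grep "flags:.*ad.*QUERY"`, would pin the regression this change fixes. Since ns3/sign.sh includes `../ns6/dsset-grand.$zone` only for child1, child3, child5 and child7, a query under e.g. grand.child4.utld asserting an answer without `ad` (rather than SERVFAIL) would also confirm that an insecure delegation beneath a DLV-anchored zone is not turned bogus by the validator change; the intent behind signing only some delegations is not stated anywhere in the patch, so a comment in ns3/sign.sh would help too.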
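Review bot: `goto find_ds` jumps forward over roughly a hundred lines of `validatezonekey()` to a label introduced in a later hunk, skipping the trusted-key lookup, the `found`/`atsep` handling and the root-name check; the added comment explains why the root case is safe but not which locals the code after `find_ds:` may still rely on. Any local assigned in the skipped region and read after the label would hold its initial value on this path, so the label deserves a comment such as `/* Reached from the havedlvsep shortcut above or by fall-through; val->dsset == NULL in both cases and no local set in between may be relied on here. */`. The root assumption rests on the `return (dlv_validatezonekey(val));` two context lines above, whose condition is outside this hunk — confirm it covers every havedlvsep-at-root path. validatezonekey() continues outside the hunk.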
@@ -2295,13 +2306,13 @@ validatezonekey(dns_validator_t *val) { val->event->name, found) != ISC_R_SUCCESS) { if (val->mustbesecure) { validator_log(val, ISC_LOG_WARNING, - "must be secure failure, " - "not beneath secure root"); + "must be secure failure, " + "not beneath secure root"); return (DNS_R_MUSTBESECURE); } else validator_log(val, ISC_LOG_DEBUG(3), - "not beneath secure root"); - if (val->view->dlv == NULL || DLVTRIED(val)) { + "not beneath secure root"); + if (val->view->dlv == NULL) { markanswer(val, "validatezonekey (1)"); return (ISC_R_SUCCESS); } @@ -2344,22 +2355,6 @@ validatezonekey(dns_validator_t *val) { } } - /* - * If this is the root name and there was no trusted key, - * give up, since there's no DS at the root. - */ - if (dns_name_equal(event->name, dns_rootname)) { - if ((val->attributes & VALATTR_TRIEDVERIFY) != 0) { - validator_log(val, ISC_LOG_DEBUG(3), - "root key failed to validate"); - return (DNS_R_NOVALIDSIG); - } else { - validator_log(val, ISC_LOG_DEBUG(3), - "no trusted root key"); - return (DNS_R_NOVALIDDS); - } - } - if (atsep) { /* * We have not found a key to verify this DNSKEY @@ -2379,6 +2374,22 @@ validatezonekey(dns_validator_t *val) { return (DNS_R_NOVALIDKEY); } + /* + * If this is the root name and there was no trusted key, + * give up, since there's no DS at the root. + */ + if (dns_name_equal(event->name, dns_rootname)) { + if ((val->attributes & VALATTR_TRIEDVERIFY) != 0) { + validator_log(val, ISC_LOG_DEBUG(3), + "root key failed to validate"); + return (DNS_R_NOVALIDSIG); + } else { + validator_log(val, ISC_LOG_DEBUG(3), + "no trusted root key"); + return (DNS_R_NOVALIDDS); + } + } + find_ds: /* * Otherwise, try to find the DS record. */ -- GitLab
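Review bot: Dropping `DLVTRIED(val)` from the early-out in the `@@ -2295,13 +2306,13 @@` hunk means a name below an insecure root for which DLV was already tried no longer takes the `markanswer()` insecure exit here and instead falls through to the DLV code after the hunk. That code is not visible here; it must handle `DLVTRIED(val)` itself, otherwise the DLV lookup could be restarted for a name already known to have no DLV entry. If the rationale is that a sub-zone of a DLV-anchored zone inherits DLVTRIED from its parent and must still reach the DLV/DS path, a comment on the changed condition should say so, e.g. `/* DLVTRIED is deliberately not tested here; see change 2904 */`. validatezonekey() starts and ends outside this hunk.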
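Review bot: The root-name check moved in the `@@ -2344,22 +2355,6 @@` and `@@ -2379,6 +2374,22 @@` hunks now sits after the `if (atsep)` block, which returns `DNS_R_NOVALIDKEY` before it, so for the root name with a configured trusted key the function now returns `DNS_R_NOVALIDKEY` where it previously logged "root key failed to validate" and returned `DNS_R_NOVALIDSIG`; that is a behaviour change the commit message does not mention. If `VALATTR_TRIEDVERIFY` is only set on the path that also sets `atsep`, the first branch of the relocated check is now unreachable and could be dropped; if it can be set some other way, a comment above the check naming that case would help. The relocation is presumably needed so that `find_ds:` follows the root check and the `goto` from the `havedlvsep` shortcut bypasses it — worth stating in the block comment as well. validatezonekey() continues past the end of this hunk.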