
Fix validate_dnskey_dsset when KSK is not signing

When there is a secure chain of trust with a KSK that is not actively signing the DNSKEY RRset, the code for validating the DNSKEY RRset against the DS RRset could potentially skip DS records, thinking the chain of trust is broken while there is a valid DS with corresponding DNSKEY record present.

This is because we pass the result ISC_R_NOMORE on when we are done checking for signatures, but then treat it as "no more DS records".

Changing the return value to something else (DNS_R_NOVALIDSIG seems the most appropriate here) fixes the issue.

Closes #4625

Edited by Mark Andrews
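The status-code conflation the merge request describes, as an added, self-contained model that is not BIND's own code. `check_sigs_model()` and `validate_dnskey_dsset_model()` are hypothetical simplifications of the real signature and DS walks, the `isc_result_t` values are stand-in integers rather than the real enum values, and the DS and DNSKEY records are constructed inline. The point it shows is that when the inner signature check reports "no more signatures" with the same code the outer loop uses for "no more DS records", a valid DS later in the set is never reached, and that returning `DNS_R_NOVALIDSIG` instead keeps the outer walk going.

```c
/* Added illustration of the bug in the merge request description; not BIND code.
 * Constants, structs and function names below are simplified stand-ins. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

typedef int isc_result_t;
/* Stand-in values only; the real ISC/DNS result codes are different numbers. */
enum { ISC_R_SUCCESS = 0, ISC_R_NOMORE = 1, DNS_R_NOVALIDSIG = 2 };

/* Constructed records: a DNSKEY carries a key tag and whether it signed the DNSKEY RRset. */
typedef struct { unsigned keytag; bool signs_dnskey; } dnskey_t;
typedef struct { unsigned keytag; } ds_t;

/* Inner check: does the DNSKEY matching this DS carry a valid signature over the RRset?
 * Before the fix the exhausted-signature case returned ISC_R_NOMORE; after it, DNS_R_NOVALIDSIG. */
static isc_result_t
check_sigs_model(const ds_t *ds, const dnskey_t *keys, size_t nkeys, bool fixed) {
	for (size_t i = 0; i < nkeys; i++) {
		if (keys[i].keytag == ds->keytag && keys[i].signs_dnskey) {
			return ISC_R_SUCCESS;
		}
	}
	/* Signature list exhausted without a match for this DS. */
	return fixed ? DNS_R_NOVALIDSIG : ISC_R_NOMORE;
}

/* Outer walk over the DS RRset. By convention ISC_R_NOMORE here means the DS
 * RRset itself is exhausted, so the loop stops when it sees it. */
static isc_result_t
validate_dnskey_dsset_model(const ds_t *dss, size_t nds,
			    const dnskey_t *keys, size_t nkeys, bool fixed) {
	for (size_t i = 0; i < nds; i++) {
		isc_result_t result = check_sigs_model(&dss[i], keys, nkeys, fixed);
		if (result == ISC_R_SUCCESS) {
			return ISC_R_SUCCESS;	/* a DS is backed by a signing key: chain intact */
		}
		if (result == ISC_R_NOMORE) {
			break;			/* misread as "no more DS records": remaining DS skipped */
		}
		/* DNS_R_NOVALIDSIG: this DS had no signing key, try the next one. */
	}
	return DNS_R_NOVALIDSIG;		/* no DS matched a signing DNSKEY */
}

/* Scenario from the description: a non-signing KSK has a DS, and a second,
 * signing key also has a valid DS. Returns the model's verdict. */
isc_result_t
scenario_ksk_not_signing(bool fixed) {
	const dnskey_t keys[] = {
		{ 1000, false },	/* KSK present in the DNSKEY RRset but not signing it */
		{ 2000, true },		/* key that actually signs the DNSKEY RRset */
	};
	const ds_t dss[] = { { 1000 }, { 2000 } };	/* parent publishes a DS for both */
	return validate_dnskey_dsset_model(dss, 2, keys, 2, fixed);
}

int
main(void) {
	printf("before fix: %s\n",
	       scenario_ksk_not_signing(false) == ISC_R_SUCCESS ? "secure" : "bogus");
	printf("after fix:  %s\n",
	       scenario_ksk_not_signing(true) == ISC_R_SUCCESS ? "secure" : "bogus");
	return 0;
}
```

With the original return value the first DS (tag 1000) ends the walk and the zone is treated as bogus even though the DS for tag 2000 has a signing key; with `DNS_R_NOVALIDSIG` the walk continues and the chain validates.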
