upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-05-28 04:34:54 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge branch '1209-dns_r_mustbesecure-failures' into 'master'

Browse source 
Resolve "DNS_R_MUSTBESECURE failures"

Closes #1209

See merge request isc-projects/bind9!2307
This commit is contained in:
Mark Andrews 2019-09-04 16:39:04 -04:00
commit 6639288d9c
2 changed files with 15 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
CHANGES
View file

@ -1,3 +1,6 @@
5288. [bug] dnssec-must-be-secure was not always honoured.
[GL #1209]
5287. [placeholder]
5286. [contrib] Address potential NULL pointer dereferences in

22
lib/dns/validator.c
View file

@ -531,9 +531,10 @@ dsfetched2(isc_task_t *task, isc_event_t *event) {
"must be secure failure, no DS"
" and this is a delegation");
validator_done(val, DNS_R_MUSTBESECURE);
} else {
markanswer(val, "dsfetched2");
validator_done(val, ISC_R_SUCCESS);
}
markanswer(val, "dsfetched2");
validator_done(val, ISC_R_SUCCESS);
} else {
result = proveunsecure(val, false, true);
if (result != DNS_R_WAIT)
@ -686,9 +687,10 @@ dsvalidated(isc_task_t *task, isc_event_t *event) {
"must be secure failure, no DS "
"and this is a delegation");
result = DNS_R_MUSTBESECURE;
} else {
markanswer(val, "dsvalidated");
result = ISC_R_SUCCESS;;
}
markanswer(val, "dsvalidated");
result = ISC_R_SUCCESS;;
} else if ((val->attributes & VALATTR_INSECURITY) != 0) {
result = proveunsecure(val, have_dsset, true);
} else
@ -1707,9 +1709,9 @@ validatezonekey(dns_validator_t *val) {
"must be secure failure, "
"not beneath secure root");
return (DNS_R_MUSTBESECURE);
} else
validator_log(val, ISC_LOG_DEBUG(3),
"not beneath secure root");
}
validator_log(val, ISC_LOG_DEBUG(3),
"not beneath secure root");
markanswer(val, "validatezonekey (1)");
return (ISC_R_SUCCESS);
}
@ -2651,9 +2653,9 @@ proveunsecure(dns_validator_t *val, bool have_ds, bool resume) {
"not beneath secure root");
result = DNS_R_MUSTBESECURE;
goto out;
} else
validator_log(val, ISC_LOG_DEBUG(3),
"not beneath secure root");
}
validator_log(val, ISC_LOG_DEBUG(3),
"not beneath secure root");
markanswer(val, "proveunsecure (1)");
return (ISC_R_SUCCESS);
} else if (result != ISC_R_SUCCESS) {