[v9_9] correctly validate 5011 trust anchors

3976.	[bug]		When refreshing managed-key trust anchors, clear
			any cached trust so that they will always be
			revalidated with the current set of secure
			roots. [RT #37506]

(cherry picked from commit eb6d61d5e0)
(cherry picked from commit 5c409ba290)
This commit is contained in:
Evan Hunt 2014-10-17 15:42:02 -07:00
parent bff9e4ff82
commit d1d6b9c1b3
2 changed files with 13 additions and 1 deletions

View file

@ -1,3 +1,8 @@
3976. [bug] When refreshing managed-key trust anchors, clear
any cached trust so that they will always be
revalidated with the current set of secure
roots. [RT #37506]
3974. [bug] handle DH_compute_key() failure correctly in
openssldh_link.c. [RT #37477]

View file

@ -8270,6 +8270,12 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
goto done;
}
/*
* Clear any cached trust level, as we need to run validation
* over again; trusted keys might have changed.
*/
kfetch->dnskeyset.trust = kfetch->dnskeysigset.trust = dns_trust_none;
/*
* Validate the dnskeyset against the current trusted keys.
*/
@ -8303,7 +8309,8 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
dns_zone_log(zone, ISC_LOG_DEBUG(3),
"Verifying DNSKEY set for zone "
"'%s': %s", namebuf,
"'%s' using key %d/%d: %s",
namebuf, sig.keyid, sig.algorithm,
dns_result_totext(result));
if (result == ISC_R_SUCCESS) {