[v9_9] correctly validate 5011 trust anchors
3976. [bug] When refreshing managed-key trust anchors, clear any cached trust so that they will always be revalidated with the current set of secure roots. [RT #37506] (cherry picked from commit eb6d61d5e0) (cherry picked from commit 5c409ba290)
parent
bff9e4ff82
commit
d1d6b9c1b3
2 changed files with 13 additions and 1 deletions
5
CHANGES
5
CHANGES
|
|
@ -1,3 +1,8 @@
|
|||
3976. [bug] When refreshing managed-key trust anchors, clear
|
||||
any cached trust so that they will always be
|
||||
revalidated with the current set of secure
|
||||
roots. [RT #37506]
|
||||
|
||||
3974. [bug] handle DH_compute_key() failure correctly in
|
||||
openssldh_link.c. [RT #37477]
|
||||
|
||||
|
|
|
|||
|
|
@ -8270,6 +8270,12 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
|
|||
goto done;
|
||||
}
|
||||
|
||||
/*
|
||||
* Clear any cached trust level, as we need to run validation
|
||||
* over again; trusted keys might have changed.
|
||||
*/
|
||||
kfetch->dnskeyset.trust = kfetch->dnskeysigset.trust = dns_trust_none;
|
||||
|
||||
/*
|
||||
* Validate the dnskeyset against the current trusted keys.
|
||||
*/
|
||||
|
|
@ -8303,7 +8309,8 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
|
|||
|
||||
dns_zone_log(zone, ISC_LOG_DEBUG(3),
|
||||
"Verifying DNSKEY set for zone "
|
||||
"'%s': %s", namebuf,
|
||||
"'%s' using key %d/%d: %s",
|
||||
namebuf, sig.keyid, sig.algorithm,
|
||||
dns_result_totext(result));
|
||||
|
||||
if (result == ISC_R_SUCCESS) {
|
||||
|
|
|
|||
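Review bot: The line `kfetch->dnskeyset.trust = kfetch->dnskeysigset.trust = dns_trust_none;` in the first hunk (@ -8270) is the whole point of the fix, but the comment above it does not say where a non-none trust level would come from, which is what a future reader needs in order to keep the reset in place; suggest extending it to `* Clear any cached trust level (the rdatasets may still carry the trust assigned when they were fetched), as we need to run validation over again; trusted keys might have changed, and a stale trust value could otherwise let the verification below be skipped.` The origin of that cached trust is presumably the response handling earlier in keyfetch_done, which lies outside the hunk, so that wording should be confirmed against it. As a point of style, the chained assignment could be written as two statements so that each field's reset is visible on its own line. keyfetch_done starts and continues outside both hunks.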