From d1d6b9c1b3c8ddabe435192cfe227e5500fd16da Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Fri, 17 Oct 2014 15:42:02 -0700 Subject: [PATCH] [v9_9] correctly validate 5011 trust anchors 3976. [bug] When refreshing managed-key trust anchors, clear any cached trust so that they will always be revalidated with the current set of secure roots. [RT #37506] (cherry picked from commit eb6d61d5e02946e1a7a959bac37eae9dbbc2051b) (cherry picked from commit 5c409ba29026ccef7ffe55f510e5df19e025b27d) --- CHANGES | 5 +++++ lib/dns/zone.c | 9 ++++++++- 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 9a002f5fc8..631629d7a4 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,8 @@ +3976. [bug] When refreshing managed-key trust anchors, clear + any cached trust so that they will always be + revalidated with the current set of secure + roots. [RT #37506] + 3974. [bug] handle DH_compute_key() failure correctly in openssldh_link.c. [RT #37477] diff --git a/lib/dns/zone.c b/lib/dns/zone.c index e2cac62d86..af58755fc5 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -8270,6 +8270,12 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { goto done; } + /* + * Clear any cached trust level, as we need to run validation + * over again; trusted keys might have changed. + */ + kfetch->dnskeyset.trust = kfetch->dnskeysigset.trust = dns_trust_none; + /* * Validate the dnskeyset against the current trusted keys. */ @@ -8303,7 +8309,8 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) { dns_zone_log(zone, ISC_LOG_DEBUG(3), "Verifying DNSKEY set for zone " - "'%s': %s", namebuf, + "'%s' using key %d/%d: %s", + namebuf, sig.keyid, sig.algorithm, dns_result_totext(result)); if (result == ISC_R_SUCCESS) {