zonemd, fix that zonemd absence in unsigned zone does not invalidate zone.

This commit is contained in:
W.C.A. Wijngaards 2020-10-21 11:56:41 +02:00
parent e8d29f973d
commit 1245457967
2 changed files with 15 additions and 6 deletions


@ -7792,9 +7792,17 @@ auth_zone_verify_zonemd_with_key(struct auth_zone* z, struct module_env* env,
return;
}
if(zonemd_absent && zonemd_absence_dnssecok) {
auth_zone_log(z->name, VERB_ALGO, "ZONEMD successful, DNSSEC verified nonexistence of ZONEMD");
auth_zone_log(z->name, VERB_ALGO, "DNSSEC verified nonexistence of ZONEMD");
if(result) {
*result = strdup("ZONEMD successful, DNSSEC verified nonexistence of ZONEMD");
*result = strdup("DNSSEC verified nonexistence of ZONEMD");
if(!*result) log_err("out of memory");
}
return;
}
if(zonemd_absent) {
auth_zone_log(z->name, VERB_ALGO, "no ZONEMD present");
if(result) {
*result = strdup("no ZONEMD present");
if(!*result) log_err("out of memory");
}
return;
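Review bot: The new `if(zonemd_absent)` branch accepts a zone with no ZONEMD as a non-failing outcome, and nothing in the hunk records why that is safe, so a reader cannot tell it apart from the DNSSEC-verified case just above it. Presumably the checks earlier in auth_zone_verify_zonemd_with_key (outside the hunk) have already rejected the case where DNSSEC applied but could not prove the absence; that precondition deserves a comment such as `/* unsigned zone or no trust anchor: absence cannot be verified, but it is not a failure either; keep this after the dnssecok branch */`. Because this outcome gives the zone no ZONEMD integrity check at all, the log line could say so explicitly, e.g. `auth_zone_log(z->name, VERB_ALGO, "no ZONEMD present, zone not verified by ZONEMD");`, which would require the matching result strings in the unit tests to change as well. The enclosing function starts and ends outside the hunk.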


@ -1099,7 +1099,8 @@ static void zonemd_verify_test(char* zname, char* zfile, char* tastr,
fatal_exit("out of memory");
unit_assert(strcmp(result, result_wanted) == 0);
if(strcmp(result, "ZONEMD verification successful") == 0 ||
strcmp(result, "ZONEMD successful, DNSSEC verified nonexistence of ZONEMD") == 0) {
strcmp(result, "DNSSEC verified nonexistence of ZONEMD") == 0 ||
strcmp(result, "no ZONEMD present") == 0) {
lock_rw_rdlock(&z->lock);
unit_assert(!z->zone_expired);
lock_rw_unlock(&z->lock);
@ -1137,7 +1138,7 @@ static void zonemd_verify_tests(void)
"testdata/zonemd.example1.zone",
NULL,
"20180302005009",
"zone has no ZONEMD");
"no ZONEMD present");
/* no trust anchor, so it succeeds */
zonemd_verify_test("example.com",
"testdata/zonemd.example2.zone",
@ -1194,13 +1195,13 @@ static void zonemd_verify_tests(void)
"testdata/zonemd.example7.zone",
"example.com. IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af",
"20201020135527",
"ZONEMD successful, DNSSEC verified nonexistence of ZONEMD");
"DNSSEC verified nonexistence of ZONEMD");
/* load a DNSSEC NSEC3 zone without ZONEMD */
zonemd_verify_test("example.com",
"testdata/zonemd.example8.zone",
"example.com. IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af",
"20201020135527",
"ZONEMD successful, DNSSEC verified nonexistence of ZONEMD");
"DNSSEC verified nonexistence of ZONEMD");
}
/** zonemd unit tests */
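Review bot: The three accepted result strings in the `if(strcmp(result, ...` chain of the first hunk are copied verbatim from the verifier's log messages, and the `unit_assert(!z->zone_expired)` check below is skipped for any other text, so the list silently goes stale when a new non-failing outcome is added to auth_zone_verify_zonemd_with_key. A one-line comment above the condition would make that coupling explicit: `/* outcomes that leave the zone usable; keep in sync with auth_zone_verify_zonemd_with_key */`. The enclosing function zonemd_verify_test starts and ends outside the hunk, so whether an else branch asserts expiry for every other result is not visible here.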