From 52aeaf4924ec3f6689e6aafedbe41473d2bda992 Mon Sep 17 00:00:00 2001
From: Wouter Wijngaards
Date: Tue, 14 Nov 2017 10:01:44 +0000
Subject: [PATCH] - Fix #2882: Unbound behaviour changes (wrong) when domain-insecure is set for stub zone. It no longer searches for DNSSEC information.
git-svn-id: file:///svn/unbound/trunk@4404 be551aaa-1e26-0410-a405-d3ace91eadb9
---
 doc/Changelog | 4 ++++
 iterator/iter_utils.c | 5 +++++
 iterator/iter_utils.h | 2 +-
 3 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/doc/Changelog b/doc/Changelog
index f494e181e..4510765d4 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,7 @@
+14 November 2017: Wouter
+ - Fix #2882: Unbound behaviour changes (wrong) when domain-insecure is
+ set for stub zone. It no longer searches for DNSSEC information.
+
 13 November 2017: Wouter
 - Fix #2801: Install libunbound.pc.
 - Fix qname minimisation to send AAAA queries at zonecut like type A.
diff --git a/iterator/iter_utils.c b/iterator/iter_utils.c
index 0b1b45611..70cab40fa 100644
--- a/iterator/iter_utils.c
+++ b/iterator/iter_utils.c
@@ -656,6 +656,11 @@ iter_indicates_dnssec(struct module_env* env, struct delegpt* dp,
 /* a trust anchor exists with this name, RRSIGs expected */
 if((a=anchor_find(env->anchors, dp->name, dp->namelabs, dp->namelen, dclass))) {
+ if(a->numDS == 0 && a->numDNSKEY == 0) {
+ /* insecure trust point */
+ lock_basic_unlock(&a->lock);
+ return 0;
+ }
 lock_basic_unlock(&a->lock);
 return 1;
 }
diff --git a/iterator/iter_utils.h b/iterator/iter_utils.h
index d0629a83e..602fa6db3 100644
--- a/iterator/iter_utils.h
+++ b/iterator/iter_utils.h
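Review bot: In the iter_utils.c hunk, the new `return 0` inside the `anchor_find` branch of iter_indicates_dnssec leaves the function before whatever checks follow that branch, so an anchor with no DS and no DNSKEY switches off the DNSSEC expectation for this delegation point outright, and the three-word comment does not say that this is deliberate. I would expand it to something like `/* insecure trust point (domain-insecure): RRSIGs are not expected here, skip the remaining checks */`, presuming that is the intent given in the commit message. It is also worth confirming that both counts can only be zero for a configured insecure point, because any other way of reaching that state (not visible in this hunk) would silently drop the signature expectation as well. The duplicated unlock can be folded into a single exit path: `int insecure = (a->numDS == 0 && a->numDNSKEY == 0);` at the top of the block, then one `lock_basic_unlock(&a->lock);` and `return !insecure;`. The function body starts and ends outside the hunk.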
@@ -193,7 +193,7 @@ int iter_indicates_dnssec_fwd(struct module_env* env,
 * @param dp: delegation point.
 * @param msg: delegation message, with DS if a secure referral.
 * @param dclass: class of query.
- * @return 1 if dnssec is expected, 0 if not.
+ * @return 1 if dnssec is expected, 0 if not or insecure point above qname.
 */
 int iter_indicates_dnssec(struct module_env* env, struct delegpt* dp, struct dns_msg* msg, uint16_t dclass);
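Review bot: The new `@return` text speaks of an "insecure point above qname", but the documented parameters are dp, msg and dclass, and the matching change in iter_utils.c tests the anchor looked up for `dp->name`, so a reader of the header cannot tell which name is meant. I would word it in terms of the delegation point, for example `@return 1 if dnssec is expected, 0 if not, or if the trust anchor found for the delegation point is an insecure point (no DS and no DNSKEY).` Whether `anchor_find` matches exactly or returns an enclosing anchor is not visible here, so the wording should be checked against it. The comment block starts outside the hunk.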