- Fix #2882: Unbound behaviour changes (wrong) when domain-insecure is

set for stub zone.  It no longer searches for DNSSEC information.


git-svn-id: file:///svn/unbound/trunk@4404 be551aaa-1e26-0410-a405-d3ace91eadb9

doc/Changelog

@@ -1,3 +1,7 @@
+14 November 2017: Wouter 
+	- Fix #2882: Unbound behaviour changes (wrong) when domain-insecure is
+	  set for stub zone.  It no longer searches for DNSSEC information.
+
 13 November 2017: Wouter 
 	- Fix #2801: Install libunbound.pc.
 	- Fix qname minimisation to send AAAA queries at zonecut like type A.

iterator/iter_utils.c

@@ -656,6 +656,11 @@ iter_indicates_dnssec(struct module_env* env, struct delegpt* dp,
 	/* a trust anchor exists with this name, RRSIGs expected */
 	if((a=anchor_find(env->anchors, dp->name, dp->namelabs, dp->namelen,
 		dclass))) {
+		if(a->numDS == 0 && a->numDNSKEY == 0) {
+			/* insecure trust point */
+			lock_basic_unlock(&a->lock);
+			return 0;
+		}
 		lock_basic_unlock(&a->lock);
 		return 1;
 	}

iterator/iter_utils.h

@@ -193,7 +193,7 @@ int iter_indicates_dnssec_fwd(struct module_env* env,
  * @param dp: delegation point.
  * @param msg: delegation message, with DS if a secure referral.
  * @param dclass: class of query.
- * @return 1 if dnssec is expected, 0 if not.
+ * @return 1 if dnssec is expected, 0 if not or insecure point above qname.
  */
 int iter_indicates_dnssec(struct module_env* env, struct delegpt* dp,
 	struct dns_msg* msg, uint16_t dclass);