- Fix DNSSEC validation of query type ANY with DNAME answers.

git-svn-id: file:///svn/unbound/trunk@3898 be551aaa-1e26-0410-a405-d3ace91eadb9

doc/Changelog

@@ -2,6 +2,7 @@
 	- suppress compile warning in lex files.
 	- init lzt variable, for older gcc compiler warnings.
 	- fix --enable-dsa to work, instead of copying ecdsa enable.
+	- Fix DNSSEC validation of query type ANY with DNAME answers.
 
 19 October 2016: Wouter
 	- Fix #1130: whitespace in example.conf.in more consistent.

validator/val_utils.c

@@ -219,7 +219,7 @@ val_find_signer(enum val_classification subtype, struct query_info* qinf,
 {
 	size_t i;
 	
-	if(subtype == VAL_CLASS_POSITIVE || subtype == VAL_CLASS_ANY) {
+	if(subtype == VAL_CLASS_POSITIVE) {
 		/* check for the answer rrset */
 		for(i=skip; i<rep->an_numrrsets; i++) {
 			if(query_dname_compare(qinf->qname, 
@@ -271,6 +271,29 @@ val_find_signer(enum val_classification subtype, struct query_info* qinf,
 					signer_name, signer_len, &matchcount);
 			}
 		}
+	} else if(subtype == VAL_CLASS_ANY) {
+		/* check for one of the answer rrset that has signatures,
+		 * or potentially a DNAME is in use with a different qname */
+		for(i=skip; i<rep->an_numrrsets; i++) {
+			if(query_dname_compare(qinf->qname, 
+				rep->rrsets[i]->rk.dname) == 0) {
+				val_find_rrset_signer(rep->rrsets[i], 
+					signer_name, signer_len);
+				if(*signer_name)
+					return;
+			}
+		}
+		/* no answer RRSIGs with qname, try a DNAME */
+		if(skip < rep->an_numrrsets &&
+			ntohs(rep->rrsets[skip]->rk.type) ==
+			LDNS_RR_TYPE_DNAME) {
+			val_find_rrset_signer(rep->rrsets[skip], 
+				signer_name, signer_len);
+			if(*signer_name)
+				return;
+		}
+		*signer_name = NULL;
+		*signer_len = 0;
 	} else if(subtype == VAL_CLASS_REFERRAL) {
 		/* find keys for the item at skip */
 		if(skip < rep->rrset_count) {