From cfef4ba047c55e851827bc5abd16cd3a2b804d75 Mon Sep 17 00:00:00 2001
From: Wouter Wijngaards
Date: Thu, 20 Oct 2016 14:27:13 +0000
Subject: [PATCH] - Fix DNSSEC validation of query type ANY with DNAME answers.

git-svn-id: file:///svn/unbound/trunk@3898 be551aaa-1e26-0410-a405-d3ace91eadb9
---
 doc/Changelog | 1 +
 validator/val_utils.c | 25 ++++++++++++++++++++++++-
 2 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/doc/Changelog b/doc/Changelog
index ee839b6c0..8486fe90f 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -2,6 +2,7 @@
 - suppress compile warning in lex files.
 - init lzt variable, for older gcc compiler warnings.
 - fix --enable-dsa to work, instead of copying ecdsa enable.
+ - Fix DNSSEC validation of query type ANY with DNAME answers.
 
 19 October 2016: Wouter
 - Fix #1130: whitespace in example.conf.in more consistent.
diff --git a/validator/val_utils.c b/validator/val_utils.c
index 94f00a7f7..ecf20f8e5 100644
--- a/validator/val_utils.c
+++ b/validator/val_utils.c
@@ -219,7 +219,7 @@ val_find_signer(enum val_classification subtype, struct query_info* qinf,
 {
 size_t i;
 
- if(subtype == VAL_CLASS_POSITIVE || subtype == VAL_CLASS_ANY) {
+ if(subtype == VAL_CLASS_POSITIVE) {
 /* check for the answer rrset */
 for(i=skip; ian_numrrsets; i++) {
 if(query_dname_compare(qinf->qname,
@@ -271,6 +271,29 @@ val_find_signer(enum val_classification subtype, struct query_info* qinf,
 signer_name, signer_len, &matchcount);
 }
 }
+ } else if(subtype == VAL_CLASS_ANY) {
+ /* check for one of the answer rrset that has signatures,
+ * or potentially a DNAME is in use with a different qname */
+ for(i=skip; ian_numrrsets; i++) {
+ if(query_dname_compare(qinf->qname,
+ rep->rrsets[i]->rk.dname) == 0) {
+ val_find_rrset_signer(rep->rrsets[i],
+ signer_name, signer_len);
+ if(*signer_name)
+ return;
+ }
+ }
+ /* no answer RRSIGs with qname, try a DNAME */
+ if(skip < rep->an_numrrsets &&
+ ntohs(rep->rrsets[skip]->rk.type) ==
+ LDNS_RR_TYPE_DNAME) {
+ val_find_rrset_signer(rep->rrsets[skip],
+ signer_name, signer_len);
+ if(*signer_name)
+ return;
+ }
+ *signer_name = NULL;
+ *signer_len = 0;
 } else if(subtype == VAL_CLASS_REFERRAL) {
 /* find keys for the item at skip */
 if(skip < rep->rrset_count) {
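Review bot: The DNAME fallback in the new VAL_CLASS_ANY branch takes the signer from `rep->rrsets[skip]` after checking only that its type is DNAME; nothing in the hunk checks that `qinf->qname` lies below that rrset's owner name. The signer name comes from the reply's RRSIGs, presumably before anything has been validated, so the reply itself influences which zone's key the validator goes on to fetch for the ANY answer. Unless a later validation step already enforces the relation, I would add `dname_strict_subdomain_c(qinf->qname, rep->rrsets[skip]->rk.dname) &&` to that condition, and in either case a comment such as `/* signer is only a key-lookup hint taken from unvalidated data */` above the fallback. The diffstat lists only doc/Changelog and validator/val_utils.c, so the change to validator behaviour comes without a regression test for an ANY query answered through a DNAME. val_find_signer begins and ends outside this hunk.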