fix up arpa/com.co insecure delegations
authorbert hubert <bert.hubert@netherlabs.nl>
Fri, 1 Jul 2016 13:50:03 +0000 (15:50 +0200)
committerbert hubert <bert.hubert@netherlabs.nl>
Fri, 1 Jul 2016 13:50:03 +0000 (15:50 +0200)
pdns/validate.cc

index b5e126d5f7d1ef70b0a279fc0d294c9d1ddc979d..38a7be2577ad86619d37fd23964881ad39e4b389 100644 (file)
@@ -388,8 +388,12 @@ vState getKeysFor(DNSRecordOracle& dro, const DNSName& zone, keyset_t &keyset)
               if(nsec) {
                 if(v.first.first == qname && !nsec->d_set.count(QType::DS))
                   return Insecure;
+                else if(v.first.first < qname && qname < nsec->d_next ) {
+                  LOG("Did not find DS for this level, trying one lower"<<endl);
+                  goto skipLevel;
+                }
                 else {
-                  LOG("Did not deny existence of DS, "<<v.first.first<<"?="<<qname<<", "<<nsec->d_set.count(QType::DS)<<endl);
+                  LOG("Did not deny existence of DS, "<<v.first.first<<"?="<<qname<<", "<<nsec->d_set.count(QType::DS)<<", next: "<<nsec->d_next<<endl);
                 }
               }
             }
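Review bot: The coverage test `v.first.first < qname && qname < nsec->d_next` in the added `else if` relies on DNSName's `operator<`, but an NSEC only proves non-existence when owner, qname and next name are compared in DNSSEC canonical order (RFC 4034 section 6.1). If `operator<` is a faster non-canonical ordering, this branch can treat qname as covered when it is not and skip the DS check for that level. It also never matches the last NSEC of a zone, whose next name wraps around to the apex and so sorts before the owner. I would use the canonical comparison, e.g. `else if(v.first.first.canonCompare(qname) && qname.canonCompare(nsec->d_next)) {` (method name to be confirmed against dnsname.hh), and handle the wrap-around case explicitly. Whether the NSEC's signature and signer were validated before this point is not visible, because getKeysFor starts and ends outside the hunk.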
@@ -442,6 +446,7 @@ vState getKeysFor(DNSRecordOracle& dro, const DNSName& zone, keyset_t &keyset)
         dState dres = getDenial(validrrsets, qname, QType::DS);
         if(dres == INSECURE) return Insecure;
       }
+    skipLevel:;
     } while(!dsmap.size() && labels.size());
 
     // break;
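Review bot: The `skipLevel:;` label sits after the `getDenial(validrrsets, qname, QType::DS)` check, so a level skipped by the new `goto` never goes through that denial test, and nothing at the label says so. A comment such as `// reached when an NSEC covers qname itself: no DS decision at this level, retry with one more label` would make the bypass explicit. If the loop then exits because `labels` is empty while `dsmap` is still empty, the resulting state is decided by code outside this hunk; it is worth confirming that this path cannot end in a result that treats unvalidated data as secure.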