From 6b5a8f361c1df586e7ceb386dd864bc5c7c21174 Mon Sep 17 00:00:00 2001
From: Pieter Lexis
Date: Tue, 6 Sep 2016 16:58:14 +0200
Subject: [PATCH] Rec: don't go bogus on zero configured DSs

Fixes #4430
---
 pdns/validate.cc | 3 +++
 regression-tests.recursor-dnssec/test_NoDS.py | 21 +++++++++++++++++++
 2 files changed, 24 insertions(+)
 create mode 100644 regression-tests.recursor-dnssec/test_NoDS.py

diff --git a/pdns/validate.cc b/pdns/validate.cc
index d1fdf4eef7..337b61252b 100644
--- a/pdns/validate.cc
+++ b/pdns/validate.cc
@@ -169,6 +169,9 @@ vState getKeysFor(DNSRecordOracle& dro, const DNSName& zone, keyset_t &keyset)
 {
 auto luaLocal = g_luaconfs.getLocal();
 auto anchors = luaLocal->dsAnchors;
+ if (anchors.empty()) // Nothing to do here
+ return Insecure;
+
 // Determine the lowest (i.e. with the most labels) Trust Anchor for zone
 DNSName lowestTA(".");
 for (auto const &anchor : anchors)
diff --git a/regression-tests.recursor-dnssec/test_NoDS.py b/regression-tests.recursor-dnssec/test_NoDS.py
new file mode 100644
index 0000000000..5e9e9131e1
--- /dev/null
+++ b/regression-tests.recursor-dnssec/test_NoDS.py
@@ -0,0 +1,21 @@
+import dns
+from recursortests import RecursorTest
+
+
+class testNoDS(RecursorTest):
+ _confdir = 'NoDS'
+
+ _config_template = """dnssec=validate"""
+ _lua_config_file = """clearDS(".")"""
+
+ def testNoDSInsecure(self):
+ """#4430 When the root DS is removed, the result must be Insecure"""
+
+ msg = dns.message.make_query("ted.bogus.example.", dns.rdatatype.A)
+ msg.flags = dns.flags.from_text('AD RD')
+ msg.use_edns(edns=0, ednsflags=dns.flags.edns_from_text('DO'))
+
+ res = self.sendUDPQuery(msg)
+
+ self.assertMessageHasFlags(res, ['QR', 'RA', 'RD'], ['DO'])
+ self.assertRcodeEqual(res, dns.rcode.NOERROR)
--
2.47.2
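Review bot: The comment `// Nothing to do here` on the new early return in getKeysFor understates what the branch means: with an empty `dsAnchors`, every zone is reported Insecure, so a resolver running with `dnssec=validate` stops validating without any visible signal. I would spell that out, e.g. `// No trust anchors configured: nothing can be validated, so every zone is Insecure (not Bogus)`. An empty anchor set can come from a configuration mistake as easily as from an intentional `clearDS(".")`, so a one-time warning where the Lua configuration is loaded (not shown in this patch) would make the fail-open state visible to operators. The early return also leaves `keyset` untouched; the rest of getKeysFor is outside the hunk, so I cannot tell whether callers rely on it being cleared.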
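Review bot: The docstring of testNoDSInsecure promises an Insecure result, but the only visible assertions are the flag list and `NOERROR`, so whether a wrongly set AD bit would fail the test depends on assertMessageHasFlags doing an exact match, which this patch does not show. If it only checks for presence, an explicit check such as `self.assertFalse(res.flags & dns.flags.AD)` would pin the security-relevant property, namely that an unvalidated answer is never marked authenticated. Separately, `import dns` does not load dnspython's submodules on its own, so the test presumably relies on recursortests having imported `dns.message`, `dns.flags`, `dns.rdatatype` and `dns.rcode`; importing them explicitly would make the file self-contained.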