Fix check for signatures.
authorWouter Wijngaards <wouter@nlnetlabs.nl>
Wed, 7 Oct 2009 12:56:57 +0000 (12:56 +0000)
committerWouter Wijngaards <wouter@nlnetlabs.nl>
Wed, 7 Oct 2009 12:56:57 +0000 (12:56 +0000)
git-svn-id: file:///svn/unbound/trunk@1864 be551aaa-1e26-0410-a405-d3ace91eadb9

validator/val_nsec3.c

index ef50c5823c30c34a50ffe3272f21b9998bb12b33..b8b4065f4fc83f0e2a37a4173fe3a1d70909bf02 100644 (file)
@@ -1237,6 +1237,27 @@ nsec3_prove_wildcard(struct module_env* env, struct val_env* ve,
        return sec_status_secure;
 }
 
+/** test if list is all secure */
+static int
+list_is_secure(struct module_env* env, struct val_env* ve, 
+       struct ub_packed_rrset_key** list, size_t num,
+       struct key_entry_key* kkey)
+{
+       size_t i;
+       enum sec_status sec;
+       char* reason = NULL;
+       for(i=0; i<num; i++) {
+               if(list[i]->rk.type != htons(LDNS_RR_TYPE_NSEC3))
+                       continue;
+               sec = val_verify_rrset_entry(env, ve, list[i], kkey, &reason);
+               if(sec != sec_status_secure) {
+                       verbose(VERB_ALGO, "NSEC3 did not verify");
+                       return 0;
+               }
+       }
+       return 1;
+}
+
 enum sec_status
 nsec3_prove_nods(struct module_env* env, struct val_env* ve,
        struct ub_packed_rrset_key** list, size_t num,
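Review bot: The diagnostic that val_verify_rrset_entry writes through `reason` is thrown away — the verbose call in the failure branch prints only "NSEC3 did not verify", so an operator debugging a bogus DS proof cannot see why the RRset failed even though the reason was already computed. Including it costs nothing: `verbose(VERB_ALGO, "NSEC3 did not verify: %s", reason?reason:"(no reason given)");` (the NULL guard covers paths where the callee may leave `reason` unset, which I cannot confirm from this hunk). The header comment "test if list is all secure" should also state the contract, roughly: verifies every NSEC3 RRset in list against kkey, skips non-NSEC3 entries, returns 1 when all NSEC3 RRsets are secure and 0 otherwise. Worth spelling out that the result is vacuously 1 for a list with no NSEC3 at all; presumably the caller's later `flt.zone` check catches that case, but the function itself does not.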
@@ -1251,6 +1272,8 @@ nsec3_prove_nods(struct module_env* env, struct val_env* ve,
 
        if(!list || num == 0 || !kkey || !key_entry_isgood(kkey))
                return sec_status_bogus; /* no valid NSEC3s, bogus */
+       if(!list_is_secure(env, ve, list, num, kkey))
+               return sec_status_bogus; /* not all NSEC3 records secure */
        rbtree_init(&ct, &nsec3_hash_cmp); /* init names-to-hash cache */
        filter_init(&flt, list, num, qinfo); /* init RR iterator */
        if(!flt.zone)
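Review bot: The added check verifies every NSEC3 RRset in `list` before filter_init narrows the set to the query's zone on the following line, so a non-verifying NSEC3 that the proof would never use (one from a different zone in the same reply, if that can occur here) now makes the whole DS proof bogus. If that is the intent — any bad NSEC3 in the reply rejects the proof — a comment next to the call would make it explicit, e.g. `/* every NSEC3 in the reply must verify, even those the proof does not use */`; otherwise the verification belongs inside the filtered iteration. Placing the check before rbtree_init is right, since nothing has been initialised yet that would need cleanup on the bogus return. nsec3_prove_nods's body continues past the hunk.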