rec: We can't validate a record signed by a DNSKEY we are retrieving
authorRemi Gacogne <remi.gacogne@powerdns.com>
Fri, 5 Mar 2021 16:18:09 +0000 (17:18 +0100)
committerRemi Gacogne <remi.gacogne@powerdns.com>
Fri, 5 Mar 2021 16:23:53 +0000 (17:23 +0100)
pdns/syncres.cc

index 3694571d8970c075af49add11b60e3fd82ceac62..ef093d0a277817cd1f36fb3e4a7bd59d0c930f0e 100644 (file)
@@ -2752,6 +2752,12 @@ vState SyncRes::validateRecordsWithSigs(unsigned int depth, const DNSName& qname
           LOG(d_prefix<<"The DS for "<<qname<<" is signed by itself, going Bogus"<<endl);
           return vState::BogusSelfSignedDS;
         }
+        if (qtype == QType::DNSKEY && signer == qname) {
+          /* that actually does happen when a server returns NS records in authority
+             along with the DNSKEY, leading us to trying to validate the RRSIGs for
+             the NS with the DNSKEY that we are about to process. */
+          return vState::Indeterminate;
+        }
       }
       vState state = getDNSKeys(signer, keys, depth);
       if (state != vState::Secure) {
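Review bot: The added early return for `qtype == QType::DNSKEY && signer == qname` leaves no trace in the log, unlike the self-signed DS branch just above it, so a trace cannot show which record sets skipped signature validation. I would log before returning, e.g. `LOG(d_prefix<<"Not validating records signed by the DNSKEY of "<<qname<<" that we are still retrieving, going Indeterminate"<<endl);`. As far as the hunk shows, the test is keyed on the query (`qtype`, `qname`) and the signer rather than on the type of the record set being validated, so any set signed by that name in a DNSKEY response takes this path. The callers are not visible here, so it is worth confirming that they re-validate Indeterminate records later and never treat them as Secure. The enclosing `if` and the rest of validateRecordsWithSigs lie outside the hunk.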