- Fix for zonemd, do not reject insecure result from trust anchor

author W.C.A. Wijngaards <wouter@nlnetlabs.nl>

Tue, 23 Feb 2021 16:09:40 +0000 (17:09 +0100)

committer W.C.A. Wijngaards <wouter@nlnetlabs.nl>

Tue, 23 Feb 2021 16:09:40 +0000 (17:09 +0100)
author W.C.A. Wijngaards <wouter@nlnetlabs.nl>
Tue, 23 Feb 2021 16:09:40 +0000 (17:09 +0100)
committer W.C.A. Wijngaards <wouter@nlnetlabs.nl>
Tue, 23 Feb 2021 16:09:40 +0000 (17:09 +0100)
diff --git a/doc/Changelog b/doc/Changelog

index c7fecffddf9a937ed2099d1c2ed372395d32019f..2b8475efb7bdd96cbb984ca25d573bb436cd0372 100644 (file)
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,5 +1,7 @@
  23 February 2021: Wouter
         - Fix for zonemd, that domain-insecure zones work without dnssec.
+       - Fix for zonemd, do not reject insecure result from trust anchor
+         validation step in dnssec chain of trust.
  
  22 February 2021: Wouter
         - Fix #431: Squelch permission denied errors for tcp connect
diff --git a/services/authzone.c b/services/authzone.c

index c1f3d69784fde1362b5c0dce395b4318813a13f2..196fe6693d958277d6e6ffb3a447769544d3eeb2 100644 (file)
--- a/services/authzone.c
+++ b/services/authzone.c
@@ -8259,7 +8259,7 @@ void auth_zone_verify_zonemd(struct auth_zone* z, struct module_env* env,
                 dnskey = zonemd_get_dnskey_from_anchor(z, env, mods, anchor,
                         &is_insecure, &why_bogus, &keystorage);
                 lock_basic_unlock(&anchor->lock);
-               if(!dnskey && !reason) {
+               if(!dnskey && !reason && !is_insecure) {
                         reason = "verify DNSKEY RRset with trust anchor failed";
                 }
         } else if(anchor) {
author	W.C.A. Wijngaards <wouter@nlnetlabs.nl>
	Tue, 23 Feb 2021 16:09:40 +0000 (17:09 +0100)
committer	W.C.A. Wijngaards <wouter@nlnetlabs.nl>
	Tue, 23 Feb 2021 16:09:40 +0000 (17:09 +0100)
doc/Changelog		patch \| blob \| blame \| history
services/authzone.c		patch \| blob \| blame \| history