zonemd, review comments, add comments to unit test, scope verbose output.
authorW.C.A. Wijngaards <wouter@nlnetlabs.nl>
Wed, 10 Feb 2021 14:30:23 +0000 (15:30 +0100)
committerW.C.A. Wijngaards <wouter@nlnetlabs.nl>
Wed, 10 Feb 2021 14:30:23 +0000 (15:30 +0100)
services/authzone.c
testcode/unitzonemd.c

index 6ddf524f8541e1adc0042de2f1c9b67132f7fdb3..0495958d3f32d2c5a0abb2c3c22d8b57f03e34ba 100644 (file)
@@ -1879,7 +1879,6 @@ static int auth_zone_zonemd_check_hash(struct auth_zone* z,
        size_t i;
        struct regional* region = NULL;
        struct sldns_buffer* buf = NULL;
-       char zstr[255+1];
        uint32_t soa_serial = 0;
        region = env->scratch;
        regional_free_all(region);
@@ -1930,6 +1929,7 @@ static int auth_zone_zonemd_check_hash(struct auth_zone* z,
                        hash, hashlen, region, buf, reason)) {
                        /* success */
                        if(verbosity >= VERB_ALGO) {
+                               char zstr[255+1];
                                dname_str(z->name, zstr);
                                verbose(VERB_ALGO, "auth-zone %s ZONEMD hash is correct", zstr);
                        }
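Review bot: The `255+1` buffer size for `dname_str()` is now written out twice, here and again in the failure path of the next hunk, where the removed function-scope declaration was the single place it lived; a named bound keeps the two copies in step, e.g. `char zstr[LDNS_MAX_DOMAINLEN+1];`, which as far as I can tell is the limit other dname_str callers in the tree use. The explicit `verbosity >= VERB_ALGO` test in front of `verbose()` deserves a one-line comment, because verbose() filters by level itself and a reader may take the outer check for redundant: `/* gate so dname_str() is only done when the line is actually logged */`. The enclosing function auth_zone_zonemd_check_hash starts and ends outside the hunk.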
@@ -1940,8 +1940,11 @@ static int auth_zone_zonemd_check_hash(struct auth_zone* z,
        /* fail, we may have reason */
        if(!*reason)
                *reason = "no ZONEMD records found";
-       dname_str(z->name, zstr);
-       verbose(VERB_ALGO, "auth-zone %s ZONEMD failed: %s", zstr, *reason);
+       if(verbosity >= VERB_ALGO) {
+               char zstr[255+1];
+               dname_str(z->name, zstr);
+               verbose(VERB_ALGO, "auth-zone %s ZONEMD failed: %s", zstr, *reason);
+       }
        return 0;
 }
 
index 544d032f2b674fa78a0abfcc13feed38984d35ef..a8949a8c4ffeaf6956f1dc40c8df4e075665667b 100644 (file)
@@ -332,17 +332,19 @@ static void zonemd_verify_test(char* zname, char* zfile, char* tastr,
 static void zonemd_verify_tests(void)
 {
        unit_show_func("services/authzone.c", "auth_zone_verify_zonemd");
+       /* give trustanchor for unsigned zone, should fail */
        zonemd_verify_test("example.org",
                "testdata/zonemd.example1.zone",
                "example.org. IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af",
                "20180302005009",
                "verify DNSKEY RRset with trust anchor failed: have trust anchor, but zone has no DNSKEY");
+       /* unsigned zone without ZONEMD in it */
        zonemd_verify_test("example.org",
                "testdata/zonemd.example1.zone",
                NULL,
                "20180302005009",
                "no ZONEMD present");
-       /* no trust anchor, so it succeeds */
+       /* no trust anchor, so it succeeds for zone with a correct ZONEMD */
        zonemd_verify_test("example.com",
                "testdata/zonemd.example2.zone",
                NULL,
@@ -356,18 +358,24 @@ static void zonemd_verify_tests(void)
                "ZONEMD verification successful");
 
        /* load a DNSSEC signed zone, but no trust anchor */
+       /* this zonefile has an incorrect ZONEMD digest, with correct
+        * DNSSEC signature. */
        zonemd_verify_test("example.com",
                "testdata/zonemd.example3.zone",
                NULL,
                "20180302005009",
                "incorrect digest");
        /* load a DNSSEC zone with NSEC3, but no trust anchor */
+       /* this zonefile has an incorrect ZONEMD digest, with correct
+        * DNSSEC signature. */
        zonemd_verify_test("example.com",
                "testdata/zonemd.example4.zone",
                NULL,
                "20180302005009",
                "incorrect digest");
        /* valid zonemd, in dnssec signed zone, no trust anchor*/
+       /* this zonefile has a correct ZONEMD digest and
+        * correct DNSSEC signature */
        zonemd_verify_test("example.com",
                "testdata/zonemd.example5.zone",
                NULL,