1 valid RRSIG per RRset is sufficient
authorWillem Toorop <willem@nlnetlabs.nl>
Mon, 10 Apr 2017 09:12:43 +0000 (11:12 +0200)
committerWillem Toorop <willem@nlnetlabs.nl>
Mon, 10 Apr 2017 09:12:43 +0000 (11:12 +0200)
with ldns-verify-zone.

Changelog
examples/ldns-verify-zone.c

index dbe45c3006d63d173427427266e816ef6dc59ba8..e9682c0fa1ef853de95b5f4eba56ebe50719ad21 100644 (file)
--- a/Changelog
+++ b/Changelog
@@ -1,4 +1,6 @@
 1.7.1  ????-??-??
+       * bugfix: Only one signature per RRset needs to be valid with
+         ldns-verify-zone.  Thanks Emil Natan.
        * ldns-notify can use all supported hash algorithms with -y.
        * bugfix #1209: make install ldns.pc file
          Thanks Oleksandr Natalenko
index 8a438cef9251bc5fdb4c121fd9a8c6aac339f3db..233c64d062aa7aa48ec6f3516fb8b63a45face58 100644 (file)
@@ -170,6 +170,10 @@ verify_rrs(ldns_rr_list* rrset_rrs, ldns_dnssec_rrs* cur_sig,
 {
        ldns_rr_list* good_keys;
        ldns_status status, result = LDNS_STATUS_OK;
+       int one_signature_verified = 0;
+       ldns_dnssec_rrs *cur_sig_bak = cur_sig;
+       int is_dnskey_rrset = ldns_rr_list_rr_count(rrset_rrs) > 0 &&
+           ldns_rr_get_type(ldns_rr_list_rr(rrset_rrs, 0)) == LDNS_RR_TYPE_DNSKEY;
 
        while (cur_sig) {
                good_keys = ldns_rr_list_new();
@@ -177,16 +181,41 @@ verify_rrs(ldns_rr_list* rrset_rrs, ldns_dnssec_rrs* cur_sig,
                                keys, check_time, good_keys);
                status = status ? status 
                                : rrsig_check_time_margins(cur_sig->rr);
-               if (status != LDNS_STATUS_CRYPTO_NO_MATCHING_KEYTAG_DNSKEY ||
-                               !no_nomatch_msg) {
+               if (status == LDNS_STATUS_OK) {
+                       one_signature_verified += 1;
+
+               } else if (!is_dnskey_rrset && (!no_nomatch_msg ||
+                   status != LDNS_STATUS_CRYPTO_NO_MATCHING_KEYTAG_DNSKEY)) {
 
                        print_rrs_status_error(myerr, rrset_rrs, status,
                                        cur_sig);
-               }
+               } 
                update_error(&result, status);
                ldns_rr_list_free(good_keys);
                cur_sig = cur_sig->next;
        }
+       if (one_signature_verified)
+               return LDNS_STATUS_OK;
+
+       else if (is_dnskey_rrset &&
+           result == LDNS_STATUS_CRYPTO_NO_MATCHING_KEYTAG_DNSKEY) {
+
+               /* Without any valid signature, do print all errors
+                * with DNSKEYs too.
+                */
+               for (cur_sig = cur_sig_bak; cur_sig; cur_sig = cur_sig->next) {
+                       good_keys = ldns_rr_list_new();
+                       status = ldns_verify_rrsig_keylist_time(rrset_rrs,
+                           cur_sig->rr, keys, check_time, good_keys);
+                       status = status ? status 
+                              : rrsig_check_time_margins(cur_sig->rr);
+                       if (!no_nomatch_msg || status !=
+                           LDNS_STATUS_CRYPTO_NO_MATCHING_KEYTAG_DNSKEY)
+                               print_rrs_status_error(
+                                   myerr, rrset_rrs, status, cur_sig);
+                       ldns_rr_list_free(good_keys);
+               }
+       }
        return result;
 }
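Review bot: A DNSKEY RRset with no valid signature now produces no diagnostic at all unless the accumulated result happens to be exactly LDNS_STATUS_CRYPTO_NO_MATCHING_KEYTAG_DNSKEY: the first loop suppresses every error for DNSKEY RRsets through the `!is_dnskey_rrset` test, and the re-verify loop guarded by `else if (is_dnskey_rrset && result == LDNS_STATUS_CRYPTO_NO_MATCHING_KEYTAG_DNSKEY)` is the only other place they can be printed, so a DNSKEY RRset whose signatures all fail with a bogus or out-of-margin signature returns an error status silently. Unless the caller reports on the return value (it is outside the hunk, so I cannot tell), the guard should be just `} else if (is_dnskey_rrset) {`, which is also what the comment "do print all errors with DNSKEYs too" describes. Separately, the second loop repeats the full signature verification only to print, so recording each signature's status from the first pass would avoid the duplicated crypto work, and `one_signature_verified += 1` reads as a counter although it is only ever tested as a flag. The parameter list of verify_rrs (keys, check_time, no_nomatch_msg, myerr) lies outside the hunk.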