zonemd, review comments, stop null dnskey, skip dnssec for insecure islands.
authorW.C.A. Wijngaards <wouter@nlnetlabs.nl>
Fri, 12 Feb 2021 07:33:03 +0000 (08:33 +0100)
committerW.C.A. Wijngaards <wouter@nlnetlabs.nl>
Fri, 12 Feb 2021 07:33:03 +0000 (08:33 +0100)
services/authzone.c

index 196c4653cd0b04450f2d1d77db1e80be35413866..60a05d4bb78474b6aff172d8b47aabe2bff3e9a7 100644 (file)
@@ -7923,14 +7923,15 @@ auth_zone_verify_zonemd_with_key(struct auth_zone* z, struct module_env* env,
                }
        }
 
-       /* if no ZONEMD, and no DNSSEC, done. */
+       /* if no DNSSEC, done. */
        /* if no ZONEMD, and DNSSEC, use DNSKEY to verify NSEC or NSEC3 for
         * zone apex.  Check ZONEMD bit is turned off or else fail */
        /* if ZONEMD, and DNSSEC, check DNSSEC signature on SOA and ZONEMD,
         * or else fail */
-       if(!zonemd_rrset && is_insecure) {
-               /* success, zonemd is absent */
-       } else if(!zonemd_rrset) {
+       if(!dnskey && !is_insecure) {
+               auth_zone_zonemd_fail(z, env, "DNSKEY missing", NULL, result);
+               return;
+       } else if(!zonemd_rrset && dnskey && !is_insecure) {
                /* fetch, DNSSEC verify, and check NSEC/NSEC3 */
                if(!zonemd_check_dnssec_absence(z, env, mods, dnskey, apex,
                        &reason, &why_bogus)) {
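Review bot: The `dnskey &&` term in the new condition `} else if(!zonemd_rrset && dnskey && !is_insecure) {` is redundant once the preceding guard returns on `!dnskey && !is_insecure`: any path reaching this branch with `!is_insecure` already has a non-NULL dnskey, and the same holds for `} else if(zonemd_rrset && dnskey && !is_insecure) {` in the second hunk. Simplifying both to `} else if(!zonemd_rrset && !is_insecure) {` and `} else if(zonemd_rrset && !is_insecure) {` makes the three-way split (no key, ZONEMD absent, ZONEMD present) easier to read, and the `/* if no DNSSEC, done. */` comment could then state that insecure zones skip all three branches. The explicit `/* success, zonemd is absent */` branch is removed, so the insecure-and-no-ZONEMD case now depends on whatever else-branch follows, which is outside this hunk; it is worth confirming that branch does not treat absence as a failure. auth_zone_verify_zonemd_with_key starts before the hunk and continues after it.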
@@ -7938,7 +7939,7 @@ auth_zone_verify_zonemd_with_key(struct auth_zone* z, struct module_env* env,
                        return;
                }
                zonemd_absence_dnssecok = 1;
-       } else if(zonemd_rrset && dnskey) {
+       } else if(zonemd_rrset && dnskey && !is_insecure) {
                /* check DNSSEC verify of SOA and ZONEMD */
                if(!zonemd_check_dnssec_soazonemd(z, env, mods, dnskey, apex,
                        zonemd_rrset, &reason, &why_bogus)) {