add support for EDE 9

author Colin Vidal <colin@isc.org>

Wed, 3 Dec 2025 13:20:20 +0000 (14:20 +0100)

committer Colin Vidal <colin@isc.org>

Wed, 17 Dec 2025 08:43:13 +0000 (09:43 +0100)
author Colin Vidal <colin@isc.org>
Wed, 3 Dec 2025 13:20:20 +0000 (14:20 +0100)
committer Colin Vidal <colin@isc.org>
Wed, 17 Dec 2025 08:43:13 +0000 (09:43 +0100)
diff --git a/lib/dns/validator.c b/lib/dns/validator.c

index 1721f671c7fe5e843e1cd77c5e62cdf5f4443f59..b3a0b0513ddda8b3e4b0f360deb023c509d7b046 100644 (file)
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -2112,6 +2112,8 @@ validate_dnskey_dsset(dns_validator_t *val) {
                                        &keyrdata);
         if (result != ISC_R_SUCCESS) {
                 validator_log(val, ISC_LOG_DEBUG(3), "no DNSKEY matching DS");
+               validator_addede(val, DNS_EDE_DNSKEYMISSING,
+                                "DNSKEY found but not matching DS");
                 return DNS_R_NOKEYMATCH;
         }
  
@@ -3522,6 +3524,11 @@ proveunsecure(dns_validator_t *val, bool have_ds, bool have_dnskey,
         /* Couldn't complete insecurity proof. */
         validator_log(val, ISC_LOG_DEBUG(3), "insecurity proof failed: %s",
                       isc_result_totext(result));
+
+       if (val->type == dns_rdatatype_dnskey && val->rdataset == NULL) {
+               validator_addede(val, DNS_EDE_DNSKEYMISSING, "no DNSKEY found");
+       }
+
         return DNS_R_NOTINSECURE;
  
  out:
author	Colin Vidal <colin@isc.org>
	Wed, 3 Dec 2025 13:20:20 +0000 (14:20 +0100)
committer	Colin Vidal <colin@isc.org>
	Wed, 17 Dec 2025 08:43:13 +0000 (09:43 +0100)