No offtree signing.
authorWouter Wijngaards <wouter@nlnetlabs.nl>
Tue, 28 Aug 2007 09:47:17 +0000 (09:47 +0000)
committerWouter Wijngaards <wouter@nlnetlabs.nl>
Tue, 28 Aug 2007 09:47:17 +0000 (09:47 +0000)
git-svn-id: file:///svn/unbound/trunk@554 be551aaa-1e26-0410-a405-d3ace91eadb9

doc/Changelog
validator/val_sigcrypt.c

index b093782e7b2f012d281935f7024fee8263962047..00ecadefd6a8f4cdbf700cf1a44c69eb9b6ec5a6 100644 (file)
@@ -5,6 +5,7 @@
          and stores the rrsets in the cache. Further referral (nonRD queries)
          replies are made from the rrset cache directly. Unless unchecked
          rrsets are encountered, there are then validated.
+       - enforce that signing is done by a parent domain (or same domain).
 
 27 August 2007: Wouter
        - do not garble the edns if a cache answer fails.
index 7da9356ed305ae75f8aff4b34513ee98c797347b..a180be57f8f6998167a3bd1d04035fad7f992760 100644 (file)
@@ -1329,6 +1329,10 @@ dnskey_verify_rrset_sig(struct module_env* env, struct val_env* ve,
                verbose(VERB_ALGO, "verify: malformed signer name");
                return sec_status_bogus; /* signer name invalid */
        }
+       if(!dname_subdomain_c(rrset->rk.dname, signer)) {
+               verbose(VERB_ALGO, "verify: signer name is off-tree");
+               return sec_status_bogus; /* signer name offtree */
+       }
        sigblock = (unsigned char*)signer+signer_len;
        if(siglen < 2+18+signer_len+1) {
                verbose(VERB_ALGO, "verify: too short, no signature data");
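Review bot: The new subdomain test only establishes that the signer name is at or above the RRset owner; it does not bind the signer name to the owner name of the DNSKEY RRset that will verify the signature, which RFC 4035 §5.3.1 also requires (the signer must be the apex of the zone containing the RRset), so unless that equality is checked further down in dnskey_verify_rrset_sig — the rest of the function lies outside this hunk — a signature made with a key from a different zone could still pass this filter. The rejection also logs nothing about which names were involved; printing the owner and signer names at VERB_ALGO on that branch would make a bogus result from this check diagnosable. A comment on the check would help future readers, e.g. `/* RFC 4035 5.3.1: the signer must be the zone apex containing this RRset, so the owner name must be at or below the signer name */`. That dname_subdomain_c accepts equal names is inferred from the Changelog entry ("or same domain") rather than visible here; worth confirming against the helper.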