fix mirror zone trust anchor check
authorEvan Hunt <each@isc.org>
Fri, 20 Sep 2019 00:43:14 +0000 (17:43 -0700)
committerEvan Hunt <each@isc.org>
Wed, 2 Oct 2019 05:36:44 +0000 (22:36 -0700)
- compare key data when checking for a trust anchor match.
- allow for the possibility of multiple trust anchors with the same key ID
  so we don't overlook possible matches.

lib/dns/zoneverify.c

index f2abd9fa608119ede72c4af830eed761e6a55185..267f0bf50ce6a5da4a0ebd6cb68a7a7bbef70bb8 100644 (file)
@@ -1503,9 +1503,9 @@ static isc_result_t
 check_dnskey_sigs(vctx_t *vctx, const dns_rdata_dnskey_t *dnskey,
                  dns_rdata_t *rdata, bool is_ksk)
 {
-       unsigned char *active_keys, *standby_keys;
+       unsigned char *active_keys = NULL, *standby_keys = NULL;
        dns_keynode_t *keynode = NULL;
-       bool *goodkey;
+       bool *goodkey = NULL;
        dst_key_t *key = NULL;
        isc_result_t result;
 
@@ -1551,42 +1551,48 @@ check_dnskey_sigs(vctx_t *vctx, const dns_rdata_dnskey_t *dnskey,
        if (result != ISC_R_SUCCESS) {
                return (result);
        }
+
        result = dns_keytable_findkeynode(vctx->secroots, vctx->origin,
                                          dst_key_alg(key), dst_key_id(key),
                                          &keynode);
-       switch (result) {
-       case ISC_R_SUCCESS:
-               /*
-                * The supplied key is a trust anchor.
-                */
-               dns_keytable_detachkeynode(vctx->secroots, &keynode);
-               dns_rdataset_settrust(&vctx->keyset, dns_trust_secure);
-               dns_rdataset_settrust(&vctx->keysigs, dns_trust_secure);
-               *goodkey = true;
-               break;
-       case DNS_R_PARTIALMATCH:
-       case ISC_R_NOTFOUND:
-               /*
-                * The supplied key is not present in the trust anchor table,
-                * but other keys signing the DNSKEY RRset may be, so this is
-                * not an error, we just do not set 'vctx->good[kz]sk'.
-                */
-               result = ISC_R_SUCCESS;
-               break;
-       default:
-               /*
-                * An error occurred while searching the trust anchor table,
-                * return it to the caller.
-                */
-               break;
-       }
 
        /*
-        * Clean up.
+        * No such trust anchor.
         */
-       dst_key_free(&key);
+       if (result != ISC_R_SUCCESS) {
+               if (result == DNS_R_PARTIALMATCH || result == ISC_R_NOTFOUND) {
+                       result = ISC_R_SUCCESS;
+               }
 
-       return (result);
+               goto cleanup;
+       }
+
+       while (result == ISC_R_SUCCESS) {
+               dns_keynode_t *nextnode = NULL;
+
+               if (dst_key_compare(key, dns_keynode_key(keynode))) {
+                       dns_keytable_detachkeynode(vctx->secroots, &keynode);
+                       dns_rdataset_settrust(&vctx->keyset, dns_trust_secure);
+                       dns_rdataset_settrust(&vctx->keysigs, dns_trust_secure);
+                       *goodkey = true;
+
+                       goto cleanup;
+               }
+
+               result = dns_keytable_findnextkeynode(vctx->secroots,
+                                                     keynode, &nextnode);
+               dns_keytable_detachkeynode(vctx->secroots, &keynode);
+               keynode = nextnode;
+       }
+
+ cleanup:
+       if (keynode != NULL) {
+               dns_keytable_detachkeynode(vctx->secroots, &keynode);
+       }
+       if (key != NULL) {
+               dst_key_free(&key);
+       }
+       return (ISC_R_SUCCESS);
 }
 
 /*%
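Review bot: The `return (ISC_R_SUCCESS);` at the `cleanup` label discards the lookup status, so a dns_keytable_findkeynode error other than DNS_R_PARTIALMATCH/ISC_R_NOTFOUND — which the `if (result != ISC_R_SUCCESS)` block intentionally leaves in `result` before `goto cleanup` — now reaches the caller as success, whereas the removed `default:` branch returned it. The same happens to any failure of dns_keytable_findnextkeynode inside the `while` loop: the loop just ends and the caller sees success with `*goodkey` still false and no indication that the trust anchor table could not be consulted. I would return `result` at `cleanup` and map only the expected "no more anchors" outcome to success after the loop, e.g. `if (result == ISC_R_NOTFOUND) { result = ISC_R_SUCCESS; }` — assuming ISC_R_NOTFOUND is the end-of-list status findnextkeynode reports, which should be confirmed against keytable.c. The match path needs no change since `result` is already ISC_R_SUCCESS when it jumps to cleanup. check_dnskey_sigs begins outside this hunk.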