- Fix for zonemd, that domain-insecure zones work without dnssec.
authorW.C.A. Wijngaards <wouter@nlnetlabs.nl>
Tue, 23 Feb 2021 16:03:23 +0000 (17:03 +0100)
committerW.C.A. Wijngaards <wouter@nlnetlabs.nl>
Tue, 23 Feb 2021 16:03:23 +0000 (17:03 +0100)
doc/Changelog
services/authzone.c

index cf61361e3e1461d82ad4cd87208a555a8cdd1b96..c7fecffddf9a937ed2099d1c2ed372395d32019f 100644 (file)
@@ -1,3 +1,6 @@
+23 February 2021: Wouter
+       - Fix for zonemd, that domain-insecure zones work without dnssec.
+
 22 February 2021: Wouter
        - Fix #431: Squelch permission denied errors for tcp connect
          and udp connect from the logs, unless at high verbosity.
index 87a405c713b5ccb7349c6982ae526b67cd33b76a..c1f3d69784fde1362b5c0dce395b4318813a13f2 100644 (file)
@@ -8243,7 +8243,14 @@ void auth_zone_verify_zonemd(struct auth_zone* z, struct module_env* env,
        if(env->anchors)
                anchor = anchors_lookup(env->anchors, z->name, z->namelen,
                        z->dclass);
-       if(anchor && query_dname_compare(z->name, anchor->name) == 0) {
+       if(anchor && anchor->numDS == 0 && anchor->numDNSKEY == 0) {
+               /* domain-insecure trust anchor for unsigned zones */
+               lock_basic_unlock(&anchor->lock);
+               if(only_online)
+                       return;
+               dnskey = NULL;
+               is_insecure = 1;
+       } else if(anchor && query_dname_compare(z->name, anchor->name) == 0) {
                if(only_online) {
                        lock_basic_unlock(&anchor->lock);
                        return;
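Review bot: The new domain-insecure branch on the `if(anchor && anchor->numDS == 0 && anchor->numDNSKEY == 0)` line drops the exact-name test that the following `else if` still applies, so if anchors_lookup returns the closest enclosing anchor rather than an exact match, a domain-insecure entry on a parent domain also routes a child zone onto the insecure path. If that is intended, the comment should state it, e.g. `/* domain-insecure anchor (no DS, no DNSKEY) at or above the zone: zonemd is checked without dnssec */`. After `lock_basic_unlock(&anchor->lock);` the `anchor` pointer stays non-NULL in this branch; if later code in the function tests or unlocks `anchor`, add `anchor = NULL;` right after the unlock so the released anchor is not touched again. The body of auth_zone_verify_zonemd continues past the end of the hunk, so the later use of `anchor`, `dnskey` and `is_insecure` cannot be checked here.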