Fix validate_dnskey_dsset when KSK is not signing

When there is a secure chain of trust with a KSK that is not actively
signing the DNSKEY RRset, the code for validating the DNSKEY RRset
against the DS RRset could potentially skip DS records, thinking the
chain of trust is broken while there is a valid DS with corresponding
DNSKEY record present.

This is because we pass the result ISC_R_NOMORE on when we are done
checking for signatures, but then treat it as "no more DS records".

Chaning the return value to something else (DNS_R_NOVALIDSIG seems the
most appropriate here) fixes the issue.

diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index 38d0b62e5ae1f2f79c79393294ff4dd5d26757b2..5681c89a367408b92b34301bf632f6b1c333ed80 100644 (file)
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -1976,7 +1976,7 @@ validate_dnskey_dsset(dns_validator_t *val) {
                validator_log(val, ISC_LOG_DEBUG(3),
                              "no RRSIG matching DS key");
 
-               return (result);
+               return (DNS_R_NOVALIDSIG);
        }
 
        return (ISC_R_SUCCESS);