From: Willem Toorop
Date: Thu, 11 Jul 2019 12:43:22 +0000 (+0200)
Subject: Bugfix #4248 drill -DT fails for CNAME domain
X-Git-Tag: release-1.7.1-rc1~13
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=05134f5259b6810481724856a0eb1bfdaf188bb5;p=thirdparty%2Fldns.git
Bugfix #4248 drill -DT fails for CNAME domain
---
diff --git a/Changelog b/Changelog
index b3ce4a2c..2ed9909d 100644
--- a/Changelog
+++ b/Changelog
@@ -44,6 +44,8 @@
 * Allow -T flag to be used together with drill -x
 * Python bindings compile with swig 4.0
 Thanks Jitka Plesníková
+ * bugfix #4248: drill -DT fails for CNAME domain
+ Thanks Thom Wiggers
 
 1.7.0 2016-12-20
 * Fix lookup of relative names in ldns_resolver_search.
diff --git a/drill/securetrace.c b/drill/securetrace.c
index 863875e1..b58d86ee 100644
--- a/drill/securetrace.c
+++ b/drill/securetrace.c
@@ -497,12 +497,43 @@ do_secure_trace(ldns_resolver *local_res, ldns_rdf *name, ldns_rr_type t,
 p = get_dnssec_pkt(res, labels[i-1], LDNS_RR_TYPE_DS);
 (void) get_ds(p, labels[i-1], &ds_list, &ds_sig_list);
 if (!ds_list) {
- ldns_pkt_free(p);
- if (ds_sig_list) {
+ ldns_rr_list_deep_free(ds_sig_list);
+ (void) get_dnssec_rr( p, labels[i-1]
+ , LDNS_RR_TYPE_CNAME
+ , &ds_list, &ds_sig_list);
+ if (ds_list) {
+ st = ldns_verify( ds_list, ds_sig_list
+ , correct_key_list
+ , current_correct_keys);
+
+ if (st == LDNS_STATUS_OK) {
+ printf(";; No DS record found "
+ "for ");
+ ldns_rdf_print(stdout,
+ labels[i-1]);
+ printf(", but valid CNAME");
+ } else {
+ printf("[B] Unable to verify de"
+ "nial of existence for ");
+ ldns_rdf_print(stdout,
+ labels[i-1]);
+ printf(", because of BOGUS CNAME");
+ }
+ printf("\n");
 ldns_rr_list_deep_free(ds_sig_list);
+ ldns_pkt_free(p);
+ ldns_rr_list_deep_free(ds_list);
+ ds_list = NULL;
+ ds_sig_list = NULL;
+ p = NULL;
+ } else {
+ ldns_rr_list_deep_free(ds_sig_list);
+ ldns_pkt_free(p);
+ p = get_dnssec_pkt(res, name,
+ LDNS_RR_TYPE_DNSKEY);
+ (void) get_ds(p, NULL
+ , &ds_list, &ds_sig_list);
 }
- p = get_dnssec_pkt(res, name, LDNS_RR_TYPE_DNSKEY);
- (void) get_ds(p, NULL, &ds_list, &ds_sig_list);
 }
 if (ds_sig_list) {
 if (ds_list) {
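Review bot: After the new `ldns_rr_list_deep_free(ds_sig_list);` at the top of the `if (!ds_list)` branch, `ds_sig_list` still holds the freed pointer when it is handed to `get_dnssec_rr()` as an out-parameter, and that call's result is discarded with `(void)`. If the helper can return without storing to its signature-list argument (for example when `p` is NULL because the DS query failed; its body is not visible here), the `else` branch frees the same list a second time, on a path driven by what the network returned. Resetting the pointer right after the free removes the dependency on the callee: `ldns_rr_list_deep_free(ds_sig_list); ds_sig_list = NULL;`. do_secure_trace starts and ends outside this hunk, so whether `p` is checked earlier cannot be confirmed from here.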