From: W.C.A. Wijngaards
Date: Wed, 21 Oct 2020 09:56:41 +0000 (+0200)
Subject: zonemd, fix that zonemd absence in unsigned zone does not invalidate zone.
X-Git-Tag: release-1.13.2rc1~269^2~46
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=124545796753139f0cc8e335909584f4fef24e52;p=thirdparty%2Funbound.git

zonemd, fix that zonemd absence in unsigned zone does not invalidate zone.
---
diff --git a/services/authzone.c b/services/authzone.c
index b17fe81c3..e05a5d81d 100644
--- a/services/authzone.c
+++ b/services/authzone.c
@@ -7792,9 +7792,17 @@ auth_zone_verify_zonemd_with_key(struct auth_zone* z, struct module_env* env,
 		return;
 	}
 	if(zonemd_absent && zonemd_absence_dnssecok) {
-		auth_zone_log(z->name, VERB_ALGO, "ZONEMD successful, DNSSEC verified nonexistence of ZONEMD");
+		auth_zone_log(z->name, VERB_ALGO, "DNSSEC verified nonexistence of ZONEMD");
 		if(result) {
-			*result = strdup("ZONEMD successful, DNSSEC verified nonexistence of ZONEMD");
+			*result = strdup("DNSSEC verified nonexistence of ZONEMD");
+			if(!*result) log_err("out of memory");
+		}
+		return;
+	}
+	if(zonemd_absent) {
+		auth_zone_log(z->name, VERB_ALGO, "no ZONEMD present");
+		if(result) {
+			*result = strdup("no ZONEMD present");
 			if(!*result) log_err("out of memory");
 		}
 		return;
diff --git a/testcode/unitmain.c b/testcode/unitmain.c
index 3c198e567..ba2d33fc4 100644
--- a/testcode/unitmain.c
+++ b/testcode/unitmain.c
@@ -1099,7 +1099,8 @@ static void zonemd_verify_test(char* zname, char* zfile, char* tastr,
 		fatal_exit("out of memory");
 	unit_assert(strcmp(result, result_wanted) == 0);
 	if(strcmp(result, "ZONEMD verification successful") == 0 ||
-		strcmp(result, "ZONEMD successful, DNSSEC verified nonexistence of ZONEMD") == 0) {
+		strcmp(result, "DNSSEC verified nonexistence of ZONEMD") == 0 ||
+		strcmp(result, "no ZONEMD present") == 0) {
 		lock_rw_rdlock(&z->lock);
 		unit_assert(!z->zone_expired);
 		lock_rw_unlock(&z->lock);
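Review bot: The new `if(zonemd_absent)` branch accepts every remaining absent-ZONEMD case, not only the unsigned zone named in the commit title: a zone for which DNSSEC material is available but whose ZONEMD absence was not proven by NSEC/NSEC3 (`zonemd_absence_dnssecok` false) also reaches it, unless a check earlier in the function already fails the zone for that — the function starts and ends outside the hunk, so I cannot confirm that from here. If the earlier code does reject the unproven-absence case for signed zones, the branch deserves a comment saying so, because as written it reads like a downgrade path, e.g. `/* unsigned zone: no DNSSEC to prove ZONEMD absence and no digest to check; accept the zone as loaded (the failed-absence-proof case for signed zones is rejected above) */`. The comment should also make clear this is a trust decision rather than a verification result: for an unsigned zone anyone who can alter the transfer can also strip the ZONEMD RRset, and RFC 8976 treats such a zone as unverified, as I recall. Given that, a VERB_ALGO-only log line for "no ZONEMD present" is easy to miss; consider a more visible verbosity level so operators notice a zone loaded with no digest check at all.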
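Review bot: The `!z->zone_expired` assertion in zonemd_verify_test now depends on three string literals kept in sync by hand with the messages in authzone.c, and the preceding `unit_assert(strcmp(result, result_wanted) == 0)` does not protect against drift, because result_wanted comes from the same caller. If a message is reworded again, the success case silently falls out of the zone_expired check rather than failing; the else branch, if there is one, is outside the hunk, so I cannot tell whether the negative case asserts `z->zone_expired`. Adding an `else` with `unit_assert(z->zone_expired);` under the same lock, or moving the success messages into a `static const char* const` table shared with the checks, would make a stale literal fail the test instead of skipping it.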
@@ -1137,7 +1138,7 @@ static void zonemd_verify_tests(void)
 		"testdata/zonemd.example1.zone",
 		NULL,
 		"20180302005009",
-		"zone has no ZONEMD");
+		"no ZONEMD present");
 	/* no trust anchor, so it succeeds */
 	zonemd_verify_test("example.com",
 		"testdata/zonemd.example2.zone",
@@ -1194,13 +1195,13 @@ static void zonemd_verify_tests(void)
 		"testdata/zonemd.example7.zone",
 		"example.com. IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af",
 		"20201020135527",
-		"ZONEMD successful, DNSSEC verified nonexistence of ZONEMD");
+		"DNSSEC verified nonexistence of ZONEMD");
 	/* load a DNSSEC NSEC3 zone without ZONEMD */
 	zonemd_verify_test("example.com",
 		"testdata/zonemd.example8.zone",
 		"example.com. IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af",
 		"20201020135527",
-		"ZONEMD successful, DNSSEC verified nonexistence of ZONEMD");
+		"DNSSEC verified nonexistence of ZONEMD");
 }
 
 /** zonemd unit tests */
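Review bot: Both fixtures in this hunk (example7 with NSEC, example8 with NSEC3) pin the case where ZONEMD absence is proven by DNSSEC, but nothing visible pins the case the new authzone.c fallback sits next to: a zone with a configured DS, the ZONEMD RRset stripped, and no valid NSEC/NSEC3 denial covering it, which must still expire the zone rather than return "no ZONEMD present". Such a test may exist elsewhere in zonemd_verify_tests, which starts outside the hunk; if it does not, a fixture derived from example7 with the apex NSEC (or its RRSIG) removed, expected to fail and leave `z->zone_expired` set, would lock in that the fallback only applies to unsigned zones. The example1 expectation change in the first hunk ("no ZONEMD present" with a NULL trust anchor) covers the unsigned side of that boundary but not the signed side.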