From: W.C.A. Wijngaards
Date: Mon, 22 Feb 2021 16:32:40 +0000 (+0100)
Subject: - Fix for zonemd, that nxdomain for the chain of trust is allowed
X-Git-Tag: release-1.13.2rc1~264
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=131d38f8f208bfd99b7c517ea9ff9abfe25f1ce5;p=thirdparty%2Funbound.git

- Fix for zonemd, that nxdomain for the chain of trust is allowed
  for island zones, it is treates as an insecure zone for verification.
---
diff --git a/doc/Changelog b/doc/Changelog
index c051a49ae..4d14f49f5 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,6 +1,8 @@
 22 February 2021: Wouter
 	- Fix #431: Squelch permission denied errors for tcp connect and
 	  udp connect from the logs, unless at high verbosity.
+	- Fix for zonemd, that nxdomain for the chain of trust is allowed
+	  for island zones, it is treates as an insecure zone for verification.
 
 18 February 2021: Wouter
 	- Merge PR #317: ZONEMD Zone Verification, with RFC 8976 support.
diff --git a/services/authzone.c b/services/authzone.c
index 9818ab344..87a405c71 100644
--- a/services/authzone.c
+++ b/services/authzone.c
@@ -8117,6 +8117,32 @@ void auth_zonemd_dnskey_lookup_callback(void* arg, int rcode, sldns_buffer* buf,
 				"zonemd lookup of DNSKEY has nodata");
 			reason = "lookup of DNSKEY has nodata";
 		}
+	} else if(rep && rq.qtype == wanted_qtype &&
+		query_dname_compare(z->name, rq.qname) == 0 &&
+		FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NXDOMAIN &&
+		sec == sec_status_secure) {
+		/* secure nxdomain, so the zone is like some RPZ zone
+		 * that does not exist in the wider internet, with
+		 * a secure nxdomain answer outside of it. So we
+		 * treat the zonemd zone without a dnssec chain of
+		 * trust, as insecure. */
+		is_insecure = 1;
+		auth_zone_log(z->name, VERB_ALGO,
+			"zonemd lookup of DNSKEY was secure NXDOMAIN, treat as insecure");
+	} else if(rep && rq.qtype == wanted_qtype &&
+		query_dname_compare(z->name, rq.qname) == 0 &&
+		FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NXDOMAIN &&
+		sec == sec_status_insecure) {
+		is_insecure = 1;
+		auth_zone_log(z->name, VERB_ALGO,
+			"zonemd lookup of DNSKEY was insecure NXDOMAIN, treat as insecure");
+	} else if(rep && rq.qtype == wanted_qtype &&
+		query_dname_compare(z->name, rq.qname) == 0 &&
+		FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NXDOMAIN &&
+		sec == sec_status_indeterminate) {
+		is_insecure = 1;
+		auth_zone_log(z->name, VERB_ALGO,
+			"zonemd lookup of DNSKEY was indeterminate NXDOMAIN, treat as insecure");
 	} else {
 		auth_zone_log(z->name, VERB_ALGO,
 			"zonemd lookup of DNSKEY has no answer");