From: Witold Kręcicki Date: Thu, 21 Nov 2019 17:18:56 +0000 (+0100) Subject: Fix a bug in trust anchors verification. X-Git-Tag: v9.15.7~80^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=58db2d1d181bf3a8f7a7d389028cabefb09e3e6f;p=thirdparty%2Fbind9.git Fix a bug in trust anchors verification. We were not reseting the keynode value when iterating over DNSKEYs in RRSET, so we weren't checking all DNSKEYs against all trust anchors. This commit fixes the issue by resetting keynode with every loop.
---
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index f70b460177d..a548beeae06 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -9911,9 +9911,9 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
 break;
 }
 }
-
- dns_keytable_detachkeynode(secroots, &keynode);
 goto anchors_done;
+ } else {
+ dns_keytable_detachkeynode(secroots, &keynode);
 }

 /*
@@ -9924,6 +9924,10 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
 result == ISC_R_SUCCESS;
 result = dns_rdataset_next(dnskeysigs))
 {
+ result = dns_keytable_find(secroots, keyname, &keynode);
+ if (result != ISC_R_SUCCESS) {
+ goto anchors_done;
+ }
 dns_rdata_reset(&sigrr);
 dns_rdataset_current(dnskeysigs, &sigrr);
 result = dns_rdata_tostruct(&sigrr, &sig, NULL);
@@ -9971,7 +9975,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
 keynode = nextnode;
 }
 }
-
+ dns_keytable_detachkeynode(secroots, &keynode);
 if (secure) {
 break;
 }
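Review bot: In the first hunk the surviving `goto anchors_done;` now jumps with keynode still attached, because the detach that used to precede it was moved into the new `else` arm that only runs when the goto is not taken. Unless the code at the anchors_done label, which is outside this hunk, releases a non-NULL keynode, that path now leaks the keytable reference that dns_keytable_find took. Either confirm the label has `if (keynode != NULL) { dns_keytable_detachkeynode(secroots, &keynode); }` or keep the detach in front of the goto. keyfetch_done starts and ends outside the hunk.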
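Review bot: The `dns_keytable_detachkeynode(secroots, &keynode);` added after the walk loop in the third hunk is unconditional, yet the last visible statement of that loop is `keynode = nextnode;`, so when the walk exhausts the chain (nextnode left unset) keynode is presumably NULL at loop exit and the detach is then called on a NULL node. The loop body and the precondition of dns_keytable_detachkeynode are outside the hunk, so this needs confirming against the callee; if NULL is reachable, guard it as `if (keynode != NULL) {` / `dns_keytable_detachkeynode(secroots, &keynode);` / `}`. The same question applies to the `goto anchors_done;` added in the second hunk, which leaves keynode in whatever state the failed dns_keytable_find left it.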