From: Willem Toorop
Date: Fri, 2 Sep 2011 20:25:59 +0000 (+0000)
Subject: ldns_fetch_valid_domain_keys should look deeper than just one level to look for keys...
X-Git-Tag: release-1.6.11rc1~25
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=81a43c3d1093939b93d67561424eb3383a4f4e25;p=thirdparty%2Fldns.git

ldns_fetch_valid_domain_keys should look deeper than just one level to look for keys that have signed a domain's DS. For example the DS for 224.154.213.in-addr.arpa is signed with a key from 213.in-addr.arpa. Two levels deeper.
---

diff --git a/dnssec_verify.c b/dnssec_verify.c
index 90aa719d..9413266d 100644
--- a/dnssec_verify.c
+++ b/dnssec_verify.c
@@ -1090,11 +1090,13 @@ ldns_fetch_valid_domain_keys(const ldns_resolver *res,
 	} else {
 		/* No trusted keys in this domain, we'll have to find some in the parent domain */
 		*status = LDNS_STATUS_CRYPTO_NO_TRUSTED_DNSKEY;
+
+		ldns_rdf * parent_domain = ldns_dname_left_chop(domain);
+		ldns_rdf * prev_parent_domain;
+		ldns_rr_list * parent_keys = NULL;
-		if (ldns_rdf_size(domain) > 1) {
+		while (ldns_rdf_size(parent_domain) > 0) {
 			/* Fail if we are at the root */
-			ldns_rr_list * parent_keys;
-			ldns_rdf * parent_domain = ldns_dname_left_chop(domain);
 			if ((parent_keys = ldns_fetch_valid_domain_keys(res,
@@ -1117,9 +1119,16 @@ ldns_fetch_valid_domain_keys(const ldns_resolver *res,
 					*status = LDNS_STATUS_CRYPTO_NO_TRUSTED_DS ;
 				}
 				ldns_rr_list_deep_free(parent_keys);
+				break;
+			} else {
+				parent_domain = ldns_dname_left_chop((
+					prev_parent_domain
+					= parent_domain
+				));
+				ldns_rdf_deep_free(prev_parent_domain);
 			}
-			ldns_rdf_deep_free(parent_domain);
 		}
+		ldns_rdf_deep_free(parent_domain);
 	}
 	}
 	return trusted_keys;
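Review bot: The new loop condition `while (ldns_rdf_size(parent_domain) > 0)` reads through `parent_domain` without a NULL check, and as far as I recall `ldns_dname_left_chop()` returns NULL for the root name and on allocation failure, so a root `domain` now reaches `ldns_rdf_size(NULL)` where the removed `ldns_rdf_size(domain) > 1` guard used to stop it; the same chop in the else branch of the second hunk hits this once the walk passes the root without finding keys. Suggest `while (parent_domain && ldns_rdf_size(parent_domain) > 0) {`, which also makes the post-loop `ldns_rdf_deep_free(parent_domain)` well-defined provided that function tolerates NULL (I believe it does, but confirm). The kept comment `/* Fail if we are at the root */` no longer describes the code, since the root name (size 1) is now entered into the loop; reword it to `/* Walk up towards the root until a signer for this domain's DS is found */`. The enclosing ldns_fetch_valid_domain_keys starts and ends outside the hunk.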
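Review bot: The else branch nests an assignment inside the argument list, `parent_domain = ldns_dname_left_chop((prev_parent_domain = parent_domain));`, which hides the step-up sequence and the pointer hand-over from a reader. Writing it as three statements is clearer and removes the double parentheses: `prev_parent_domain = parent_domain;` then `parent_domain = ldns_dname_left_chop(prev_parent_domain);` then `ldns_rdf_deep_free(prev_parent_domain);`. Since the chop's result is the next iteration's loop operand, the NULL it can return should be handled at the loop condition rather than assumed away here; see the note on the first hunk. The enclosing ldns_fetch_valid_domain_keys starts outside this hunk.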