From: W.C.A. Wijngaards
Date: Fri, 12 Feb 2021 07:33:03 +0000 (+0100)
Subject: zonemd, review comments, stop null dnskey, skip dnssec for insecure islands.
X-Git-Tag: release-1.13.2rc1~269^2~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=849050855968a0199f4a65c0ec6345f34f00fc1b;p=thirdparty%2Funbound.git

zonemd, review comments, stop null dnskey, skip dnssec for insecure islands.
---

diff --git a/services/authzone.c b/services/authzone.c
index 196c4653c..60a05d4bb 100644
--- a/services/authzone.c
+++ b/services/authzone.c
@@ -7923,14 +7923,15 @@ auth_zone_verify_zonemd_with_key(struct auth_zone* z, struct module_env* env,
 		}
 	}
 
-	/* if no ZONEMD, and no DNSSEC, done. */
+	/* if no DNSSEC, done. */
 	/* if no ZONEMD, and DNSSEC, use DNSKEY to verify NSEC or NSEC3 for
 	 * zone apex. Check ZONEMD bit is turned off or else fail */
 	/* if ZONEMD, and DNSSEC, check DNSSEC signature on SOA and ZONEMD,
 	 * or else fail */
-	if(!zonemd_rrset && is_insecure) {
-		/* success, zonemd is absent */
-	} else if(!zonemd_rrset) {
+	if(!dnskey && !is_insecure) {
+		auth_zone_zonemd_fail(z, env, "DNSKEY missing", NULL, result);
+		return;
+	} else if(!zonemd_rrset && dnskey && !is_insecure) {
 		/* fetch, DNSSEC verify, and check NSEC/NSEC3 */
 		if(!zonemd_check_dnssec_absence(z, env, mods, dnskey, apex,
 			&reason, &why_bogus)) {
@@ -7938,7 +7939,7 @@ auth_zone_verify_zonemd_with_key(struct auth_zone* z, struct module_env* env,
 			return;
 		}
 		zonemd_absence_dnssecok = 1;
-	} else if(zonemd_rrset && dnskey) {
+	} else if(zonemd_rrset && dnskey && !is_insecure) {
 		/* check DNSSEC verify of SOA and ZONEMD */
 		if(!zonemd_check_dnssec_soazonemd(z, env, mods, dnskey, apex,
 			zonemd_rrset, &reason, &why_bogus)) {
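Review bot: The rewritten comment `/* if no DNSSEC, done. */` no longer describes any branch of the chain below it: once the new first branch rejects `!dnskey && !is_insecure`, the `is_insecure` case falls through every `else if` in both hunks, including the case where a ZONEMD RRset is present, so a ZONEMD in an insecure island receives no signature check at this point. Because that is a deliberate downgrade for zones with no chain of trust, it deserves an explicit comment in place of the edited one, e.g. `/* is_insecure: no chain of trust, so the DNSSEC checks on NSEC/NSEC3 and on SOA+ZONEMD are skipped here; ZONEMD handling continues below */` (what follows the chain is outside the hunk, so "below" is my inference). A point of style: after the first branch, `dnskey` is necessarily non-NULL whenever `!is_insecure` holds, so the `dnskey &&` terms in the two following `else if` conditions (this hunk and the second one) are redundant; either drop them or note that they are kept as a defensive guard. auth_zone_verify_zonemd_with_key begins and ends outside both hunks.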