From: Wouter Wijngaards Date: Mon, 21 Aug 2017 08:57:44 +0000 (+0000) Subject: - Fix install of trust anchor when two anchors are present, makes both X-Git-Tag: release-1.6.6rc1~31 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8d1e4b36484517e845f01b8964b7ed45db4bc278;p=thirdparty%2Funbound.git - Fix install of trust anchor when two anchors are present, makes both valid. Checks hash of DS but not signature of new key. This fixes installs between sep11 and oct11 2017. git-svn-id: file:///svn/unbound/trunk@4302 be551aaa-1e26-0410-a405-d3ace91eadb9 --- diff --git a/doc/Changelog b/doc/Changelog index 12af05557..5b0bc0115 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,10 @@ +22 August 2017: Wouter + - Fix install of trust anchor when two anchors are present, makes both + valid. Checks hash of DS but not signature of new key. This fixes + installs between sep11 and oct11 2017. + - tag 1.6.5 with pointrelease 1.6.5 (1.6.4 plus 5011 fix). + - trunk version 1.6.6 in development. + 10 August 2017: Wouter - Patch to show DNSCrypt status in help output, from Carsten Strotmann. diff --git a/validator/autotrust.c b/validator/autotrust.c index a533733c7..5bf815b5e 100644 --- a/validator/autotrust.c +++ b/validator/autotrust.c @@ -1571,6 +1571,11 @@ key_matches_a_ds(struct module_env* env, struct val_env* ve, verbose(VERB_ALGO, "DS match attempt failed"); continue; } + /* match of hash is sufficient for bootstrap of trust point */ + (void)reason; + (void)ve; + return 1; + /* no need to check RRSIG, DS hash already matched with source if(dnskey_verify_rrset(env, ve, dnskey_rrset, dnskey_rrset, key_idx, &reason) == sec_status_secure) { return 1; @@ -1578,6 +1583,7 @@ key_matches_a_ds(struct module_env* env, struct val_env* ve, verbose(VERB_ALGO, "DS match failed because the key " "does not verify the keyset: %s", reason); } + */ } return 0; }
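Review bot: In the validator/autotrust.c hunk at -1571, the added `return 1;` directly after the DS match loop body makes key_matches_a_ds accept a key on the DS hash alone, so the dnskey_verify_rrset self-signature check never runs. The in-line comment limits this to "bootstrap of trust point", but nothing in the visible lines restricts the function to that path. Please document in the function's header comment that the DS records compared here must come from a trusted source, and that the function no longer proves the key signs the DNSKEY rrset. A verbose(VERB_ALGO, ...) message on this accept path would also match the existing "DS match attempt failed" logging and make hash-only acceptance visible when debugging.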
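Review bot: The `*/` added in the -1578 hunk closes a block comment opened in the previous hunk, which leaves the dnskey_verify_rrset call and its "does not verify the keyset" message as commented-out code after an unconditional `return 1;`. Delete the dead block and keep the rationale as a short comment, or use `#if 0` ... `#endif` if it has to stay, so that a later edit placing a comment inside it cannot end the block early. With the block removed, the `(void)reason; (void)ve;` casts are only there to silence unused-variable warnings and are worth revisiting together with the declaration of `reason`.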