From: Willem Toorop Date: Tue, 14 Feb 2017 09:41:00 +0000 (+0100) Subject: bugfix #1218: chase DS if owner is sub of signer X-Git-Tag: release-1.7.1-rc1~82 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=90ae2dd506ff91feeedd82354ce71b617e49dc7a;p=thirdparty%2Fldns.git bugfix #1218: chase DS if owner is sub of signer
---
diff --git a/Changelog b/Changelog
index c7caf69f..bb4aaca4 100644
--- a/Changelog
+++ b/Changelog
@@ -2,6 +2,8 @@
 * ldns-notify can use all supported hash algorithms with -y.
 * bugfix #1209: make install ldns.pc file
 Thanks Oleksandr Natalenko
+ * bugfix #1218: Only chase DS if signer is parent of owner.
+ Thanks Emil Natan
 1.7.0 2016-12-20
 * Fix lookup of relative names in ldns_resolver_search.
diff --git a/dnssec_verify.c b/dnssec_verify.c
index c554e4f4..b1f1fce8 100644
--- a/dnssec_verify.c
+++ b/dnssec_verify.c
@@ -415,14 +415,17 @@ ldns_dnssec_build_data_chain(ldns_resolver *res,
 new_chain);
 }
 if (type != LDNS_RR_TYPE_DNSKEY) {
- ldns_dnssec_build_data_chain_dnskey(res,
- qflags,
- pkt,
- signatures,
- new_chain,
- key_name,
- c
- );
+ if (type != LDNS_RR_TYPE_DS ||
+ ldns_dname_is_subdomain(name, key_name)) {
+ ldns_dnssec_build_data_chain_dnskey(res,
+ qflags,
+ pkt,
+ signatures,
+ new_chain,
+ key_name,
+ c
+ );
+ }
 } else {
 ldns_dnssec_build_data_chain_other(res,
 qflags,
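Review bot: The new guard in `ldns_dnssec_build_data_chain` (dnssec_verify.c hunk) skips the DNSKEY chase silently when a DS RRset's signer is not above its owner: the visible lines neither explain why the chain stops there nor record any status on `new_chain`. A comment above the condition would make the intent clear, e.g. `/* A DS is signed by the parent zone: only chase it when the owner is a subdomain of the signer name. */`. It is worth confirming outside this hunk that a chain left without a parent at this point is later reported as unvalidated rather than accepted. It is also worth confirming that `key_name` cannot be NULL when it reaches `ldns_dname_is_subdomain`, since no check is visible here. The function body starts and ends outside the hunk.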