From: Remi Gacogne
Date: Fri, 26 Mar 2021 14:56:11 +0000 (+0100)
Subject: rec: Don't override a Bogus state, handle NSEC3s for unpublished DNSKEY
X-Git-Tag: dnsdist-1.6.0-rc1~43^2~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e6333113aabaaba9d4a0895653bba7b8bad005d5;p=thirdparty%2Fpdns.git

rec: Don't override a Bogus state, handle NSEC3s for unpublished DNSKEY
---

diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index 3f05c592f2..a2272726db 100644
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -2770,19 +2770,18 @@ vState SyncRes::validateRecordsWithSigs(unsigned int depth, const DNSName& qname
 /* that actually does happen when a server returns NS records in authority
 along with the DNSKEY, leading us to trying to validate the RRSIGs for
 the NS with the DNSKEY that we are about to process. */
- if (name == signer && (type == QType::NSEC || type == QType::NSEC3)) {
+ if ((name == signer && type == QType::NSEC) || type == QType::NSEC3) {
 /* if we are trying to validate the DNSKEY (should not happen here),
 or more likely NSEC(3)s proving that it does not exist, we have a problem.
 In that case let's see if the DS does exist, and if it does let's go Bogus */
 dsmap_t results;
 vState dsState = getDSRecords(signer, results, false, depth, true);
- if (dsState == vState::Insecure) {
+ if (vStateIsBogus(dsState) || dsState == vState::Insecure) {
 return dsState;
 }
 return vState::BogusUnableToGetDNSKEYs;
 }
- return vState::Indeterminate;
 }
 }
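Review bot: The new `|| type == QType::NSEC3` arm drops the `name == signer` requirement without saying why, and a reader may take the asymmetry with the NSEC arm for a typo; add a why-comment on that line, e.g. `/* NSEC3 owner names are hashed, so a denial of the DNSKEY never carries the signer as its owner name; any NSEC3 signed by the zone whose keys we are fetching is treated as that denial */`. The widened match also sends an NSEC3 that denies something other than the DNSKEY into the DS lookup, which looks acceptable since the outcome is at worst the same Bogus or Insecure state the zone's DS status already implies. In the DS check, every state other than Bogus and Insecure now yields BogusUnableToGetDNSKEYs, so if getDSRecords can report NTA for this zone (not visible here) a negative trust anchor would be overridden into Bogus, which is the kind of override the commit title sets out to avoid; if that is possible, return dsState for NTA as well. The removed `return vState::Indeterminate;` means the non-NSEC(3) case now falls out of the enclosing block into code beyond this hunk; validateRecordsWithSigs begins and ends outside the hunk, so that fall-through path should be checked against re-fetching the very DNSKEY being validated.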