From: W.C.A. Wijngaards Date: Fri, 23 Oct 2020 09:20:08 +0000 (+0200) Subject: zonemd, zonemds are checked when a zone is auth_zone_reload from file, X-Git-Tag: release-1.13.2rc1~269^2~31 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fb5f3f076dab106e6b2730b58105c481f53450dc;p=thirdparty%2Funbound.git zonemd, zonemds are checked when a zone is auth_zone_reload from file, or reload with unbound-control.
---
diff --git a/daemon/remote.c b/daemon/remote.c
index 8324e1901..498eb2495 100644
--- a/daemon/remote.c
+++ b/daemon/remote.c
@@ -2510,6 +2510,8 @@ do_auth_zone_reload(RES* ssl, struct worker* worker, char* arg)
 uint8_t* nm = NULL;
 struct auth_zones* az = worker->env.auth_zones;
 struct auth_zone* z = NULL;
+ char* reason = NULL;
+ int oldexpired = 0;
 if(!parse_arg_name(ssl, arg, &nm, &nmlen, &nmlabs))
 return;
 if(az) {
@@ -2530,6 +2532,17 @@ do_auth_zone_reload(RES* ssl, struct worker* worker, char* arg)
 (void)ssl_printf(ssl, "error failed to read %s\n", arg);
 return;
 }
+ oldexpired = z->zone_expired;
+ auth_zone_verify_zonemd(z, &worker->env, &worker->env.mesh->mods,
+ &reason, 0, 0);
+ if(reason && !oldexpired && z->zone_expired) {
+ (void)ssl_printf(ssl, "error zonemd for %s failed: %s\n",
+ arg, reason);
+ } else if(reason && strcmp(reason, "ZONEMD verification successful")
+ ==0) {
+ (void)ssl_printf(ssl, "%s: %s\n", arg, reason);
+ }
+ free(reason);
 lock_rw_unlock(&z->lock);
 send_ok(ssl);
 }
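Review bot: In the second hunk of do_auth_zone_reload, the ZONEMD failure branch prints `error zonemd for %s failed: %s` but then falls through to `send_ok(ssl)`, so an unbound-control caller or script that keys on the trailing ok sees a successful reload for a zone whose integrity check just failed. The failure branch should end the command itself, for example `lock_rw_unlock(&z->lock); free(reason); return;` after the ssl_printf. The `!oldexpired` guard also means a zone that was already expired before the reload reports nothing when verification fails again; unless reading the zone file resets zone_expired (not visible in this hunk), that case deserves an error line too. Detecting success with `strcmp(reason, "ZONEMD verification successful")` ties this caller to the exact wording of a message produced elsewhere, and a status return from auth_zone_verify_zonemd would be sturdier. The function begins outside the hunks, so the locking and read path before these lines could not be checked.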