From 131d38f8f208bfd99b7c517ea9ff9abfe25f1ce5 Mon Sep 17 00:00:00 2001
From: "W.C.A. Wijngaards"
Date: Mon, 22 Feb 2021 17:32:40 +0100
Subject: [PATCH] - Fix for zonemd, that nxdomain for the chain of trust is allowed for island zones, it is treates as an insecure zone for verification.
---
doc/Changelog | 2 ++
services/authzone.c | 26 ++++++++++++++++++++++++++
2 files changed, 28 insertions(+)
diff --git a/doc/Changelog b/doc/Changelog
index c051a49ae..4d14f49f5 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,6 +1,8 @@
 22 February 2021: Wouter
 - Fix #431: Squelch permission denied errors for tcp connect and udp
 connect from the logs, unless at high verbosity.
+ - Fix for zonemd, that nxdomain for the chain of trust is allowed
+ for island zones, it is treates as an insecure zone for verification.
 
 18 February 2021: Wouter
 - Merge PR #317: ZONEMD Zone Verification, with RFC 8976 support.
diff --git a/services/authzone.c b/services/authzone.c
index 9818ab344..87a405c71 100644
--- a/services/authzone.c
+++ b/services/authzone.c
@@ -8117,6 +8117,32 @@ void auth_zonemd_dnskey_lookup_callback(void* arg, int rcode, sldns_buffer* buf,
 "zonemd lookup of DNSKEY has nodata");
 reason = "lookup of DNSKEY has nodata";
 }
+ } else if(rep && rq.qtype == wanted_qtype &&
+ query_dname_compare(z->name, rq.qname) == 0 &&
+ FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NXDOMAIN &&
+ sec == sec_status_secure) {
+ /* secure nxdomain, so the zone is like some RPZ zone
+ * that does not exist in the wider internet, with
+ * a secure nxdomain answer outside of it. So we
+ * treat the zonemd zone without a dnssec chain of
+ * trust, as insecure. */
+ is_insecure = 1;
+ auth_zone_log(z->name, VERB_ALGO,
+ "zonemd lookup of DNSKEY was secure NXDOMAIN, treat as insecure");
+ } else if(rep && rq.qtype == wanted_qtype &&
+ query_dname_compare(z->name, rq.qname) == 0 &&
+ FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NXDOMAIN &&
+ sec == sec_status_insecure) {
+ is_insecure = 1;
+ auth_zone_log(z->name, VERB_ALGO,
+ "zonemd lookup of DNSKEY was insecure NXDOMAIN, treat as insecure");
+ } else if(rep && rq.qtype == wanted_qtype &&
+ query_dname_compare(z->name, rq.qname) == 0 &&
+ FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NXDOMAIN &&
+ sec == sec_status_indeterminate) {
+ is_insecure = 1;
+ auth_zone_log(z->name, VERB_ALGO,
+ "zonemd lookup of DNSKEY was indeterminate NXDOMAIN, treat as insecure");
 } else {
 auth_zone_log(z->name, VERB_ALGO,
 "zonemd lookup of DNSKEY has no answer");
--
2.47.2
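Review bot: The three new `else if` arms repeat the same four-clause predicate (`rep && rq.qtype == wanted_qtype && query_dname_compare(z->name, rq.qname) == 0 && FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NXDOMAIN`) and differ only in the accepted `sec` value and the log text, yet only the first arm carries the rationale comment. From the second and third arms alone a reader cannot tell that accepting an insecure or indeterminate NXDOMAIN is deliberate, nor that a bogus NXDOMAIN is meant to keep falling into the final `else` ("has no answer") instead of being downgraded to insecure; that exclusion is the property that keeps a validation failure from switching ZONEMD verification onto the unsigned path, so it deserves to be stated in the code. I would fold the three arms into one that tests `sec` against the three accepted statuses, keep the comment there and extend it with the bogus exclusion, and log the status name through a `%s` so the three near-identical strings collapse into one. The enclosing callback auth_zonemd_dnskey_lookup_callback starts and ends outside the hunk, and I am inferring from the surrounding arms, not from visible lines, that `is_insecure` later selects verification without a DNSSEC chain of trust.
```c
	} else if(rep && rq.qtype == wanted_qtype &&
		query_dname_compare(z->name, rq.qname) == 0 &&
		FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NXDOMAIN &&
		(sec == sec_status_secure || sec == sec_status_insecure ||
		sec == sec_status_indeterminate)) {
		/* NXDOMAIN for the zone apex (secure, insecure or
		 * indeterminate): the zone is an island, like an RPZ zone
		 * that does not exist in the wider internet, so it has no
		 * DNSSEC chain of trust and is verified as insecure.
		 * A bogus NXDOMAIN is deliberately not matched here and
		 * falls through to the "no answer" case below. */
		const char* how = (sec == sec_status_secure) ? "secure" :
			(sec == sec_status_insecure) ? "insecure" : "indeterminate";
		is_insecure = 1;
		auth_zone_log(z->name, VERB_ALGO,
			"zonemd lookup of DNSKEY was %s NXDOMAIN, treat as insecure", how);
	} else {
	/* … unchanged: "no answer" logging … */
```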