From 77d7ab7070db4fc25ee2ebf0aee56a7e7c1b321c Mon Sep 17 00:00:00 2001
From: Otto Moerbeek
Date: Wed, 26 Jan 2022 10:32:08 +0100
Subject: [PATCH] If no supported algo was found, we still can have ZONEMD records

This fixes:

Jan 26 09:57:19 msg="No ZONEMD record, but NSEC(3) record does not deny it" subsystem="ztc" level=0 ts="1643187439.807" zone="."
---
 pdns/zonemd.cc | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/pdns/zonemd.cc b/pdns/zonemd.cc
index c357e911ef..9424478373 100644
--- a/pdns/zonemd.cc
+++ b/pdns/zonemd.cc
@@ -164,7 +164,7 @@ void pdns::ZoneMD::verify(bool& validationDone, bool& validationOK)
 // Determine which digests to compute based on accepted zonemd records present
 unique_ptr sha384digest{nullptr}, sha512digest{nullptr};
 
- for (auto it = d_zonemdRecords.begin(); it != d_zonemdRecords.end();) {
+ for (const auto& it : d_zonemdRecords) {
 // The SOA Serial field MUST exactly match the ZONEMD Serial
 // field. If the fields do not match, digest verification MUST
 // NOT be considered successful with this ZONEMD RR.
@@ -176,8 +176,8 @@ void pdns::ZoneMD::verify(bool& validationDone, bool& validationOK)
 // The Hash Algorithm field MUST be checked. If the verifier does
 // not support the given hash algorithm, verification MUST NOT be
 // considered successful with this ZONEMD RR.
- const auto duplicate = it->second.duplicate;
- const auto& r = it->second.record;
+ const auto duplicate = it.second.duplicate;
+ const auto& r = it.second.record;
 if (!duplicate && r->d_serial == d_soaRecordContent->d_st.serial && r->d_scheme == 1 && (r->d_hashalgo == 1 || r->d_hashalgo == 2)) {
 // A supported ZONEMD record
 if (r->d_hashalgo == 1) {
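Review bot: On the added `for (const auto& it : d_zonemdRecords)` line the name `it` now denotes a reference to the map entry rather than an iterator, which is misleading next to the `it.second.duplicate` / `it.second.record` reads in the following hunk and inconsistent with the structured-binding loop used for the final verify later in this file. A structured binding says what is being iterated and removes the `.second` indirection: `for (const auto& [name, entry] : d_zonemdRecords) {` with `const auto duplicate = entry.duplicate;` and `const auto& r = entry.record;`. verify() begins before this hunk.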
@@ -186,13 +186,14 @@ void pdns::ZoneMD::verify(bool& validationDone, bool& validationOK)
 else if (r->d_hashalgo == 2) {
 sha512digest = make_unique(512);
 }
- ++it;
- }
- else {
- it = d_zonemdRecords.erase(it);
 }
 }
 
+ if (!sha384digest && !sha512digest) {
+ // No supported ZONEMD algo found, mismatch in SOA, mismatch in scheme or duplicate
+ return;
+ }
+
 // A little helper
 auto hash = [&sha384digest, &sha512digest](const std::string& msg) {
 if (sha384digest) {
@@ -247,7 +248,7 @@ void pdns::ZoneMD::verify(bool& validationDone, bool& validationOK)
 }
 }
 
- // Final verify, we know we only have supported candidate ZONEDMD records
+ // Final verify
 for (const auto& [k, v] : d_zonemdRecords) {
 auto [zonemd, duplicate] = v;
 if (zonemd->d_hashalgo == 1) {
-- 
2.47.2
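Review bot: The added early return leaves `validationDone` and `validationOK` exactly as the caller passed them in, so the "present but unusable ZONEMD set is not a success" outcome (RFC 8976's MUST NOT for serial, scheme and unsupported-algorithm mismatches) silently relies on the caller having initialised both to false; that initialisation is outside this hunk and cannot be confirmed here. Either set them explicitly before the return, `validationDone = false;` and `validationOK = false;`, or extend the comment to say the caller's defaults are relied upon, so the next reader does not have to check every call site. Skipping the digest computation is otherwise correct, since no digest object exists to feed. verify() starts before and continues after this hunk.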
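Review bot: The final verify loop now iterates every entry of d_zonemdRecords, because the erase() calls removed in the previous hunk no longer prune records rejected for duplicate, serial or scheme reasons, and the deleted comment ("we know we only have supported candidate ZONEMD records") was the invariant that made the loop safe. Concretely, a rejected record with `d_hashalgo == 1` can reach this loop while only `sha512digest` was created (the new early return only fires when both digests are null); if the loop body, which continues past the hunk, dereferences `sha384digest` for algorithm-1 entries, that is a null dereference reachable from zone data, and a rejected record could also be compared by digest alone despite failing the RFC 8976 MUST checks. Re-apply the acceptance test at the top of the loop, `if (duplicate || zonemd->d_serial != d_soaRecordContent->d_st.serial || zonemd->d_scheme != 1) { continue; }`, and null-check the digest object before each use, or collect the accepted records in the first loop and iterate over that list here instead.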