From 921c869f28d38e8cc197dd52aa50ed8c6aced64a Mon Sep 17 00:00:00 2001
From: Wouter Wijngaards <wouter@nlnetlabs.nl>
Date: Thu, 10 Apr 2014 10:54:21 +0000
Subject: [PATCH] - Fix #567: unbound lists if forward zone is secure or
 insecure with   +i annotation in output of list_forwards, also for list_stubs
   (for NetworkManager integration.)

git-svn-id: file:///svn/unbound/trunk@3109 be551aaa-1e26-0410-a405-d3ace91eadb9
---
 daemon/remote.c | 36 ++++++++++++++++++++++++++++++++----
 doc/Changelog   |  3 +++
 2 files changed, 35 insertions(+), 4 deletions(-)

diff --git a/daemon/remote.c b/daemon/remote.c
index 93f1862a5..421604e0d 100644
--- a/daemon/remote.c
+++ b/daemon/remote.c
@@ -1948,10 +1948,23 @@ do_list_forwards(SSL* ssl, struct worker* worker)
 	/* since its a per-worker structure no locks needed */
 	struct iter_forwards* fwds = worker->env.fwds;
 	struct iter_forward_zone* z;
+	struct trust_anchor* a;
+	int insecure;
 	RBTREE_FOR(z, struct iter_forward_zone*, fwds->tree) {
 		if(!z->dp) continue; /* skip empty marker for stub */
-		if(!ssl_print_name_dp(ssl, "forward", z->name, z->dclass,
-			z->dp))
+
+		/* see if it is insecure */
+		insecure = 0;
+		if(worker->env.anchors &&
+			(a=anchor_find(worker->env.anchors, z->name,
+			z->namelabs, z->namelen,  z->dclass))) {
+			if(!a->keylist && !a->numDS && !a->numDNSKEY)
+				insecure = 1;
+			lock_basic_unlock(&a->lock);
+		}
+
+		if(!ssl_print_name_dp(ssl, (insecure?"forward +i":"forward"),
+			z->name, z->dclass, z->dp))
 			return;
 	}
 }
@@ -1961,9 +1974,24 @@ static void
 do_list_stubs(SSL* ssl, struct worker* worker)
 {
 	struct iter_hints_stub* z;
+	struct trust_anchor* a;
+	int insecure;
+	char str[32];
 	RBTREE_FOR(z, struct iter_hints_stub*, &worker->env.hints->tree) {
-		if(!ssl_print_name_dp(ssl, 
-			z->noprime?"stub noprime":"stub prime", z->node.name,
+
+		/* see if it is insecure */
+		insecure = 0;
+		if(worker->env.anchors &&
+			(a=anchor_find(worker->env.anchors, z->node.name,
+			z->node.labs, z->node.len,  z->node.dclass))) {
+			if(!a->keylist && !a->numDS && !a->numDNSKEY)
+				insecure = 1;
+			lock_basic_unlock(&a->lock);
+		}
+
+		snprintf(str, sizeof(str), "stub %sprime%s",
+			(z->noprime?"no":""), (insecure?" +i":""));
+		if(!ssl_print_name_dp(ssl, str, z->node.name,
 			z->node.dclass, z->dp))
 			return;
 	}
diff --git a/doc/Changelog b/doc/Changelog
index a8e99a077..50a3c8829 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -5,6 +5,9 @@
 	- Document that dump_requestlist only prints queries from thread 0.
 	- unbound-control stats prints num.query.tcpout with number of TCP
 	  outgoing queries made in the previous statistics interval.
+	- Fix #567: unbound lists if forward zone is secure or insecure with
+	  +i annotation in output of list_forwards, also for list_stubs
+	  (for NetworkManager integration.)
 
 8 April 2014: Wouter
 	- Fix #574: make test fails on Ubuntu 14.04.  Disabled remote-control
-- 
2.47.2