From c802298fca455cc798b5a875ef9df74531c9ded4 Mon Sep 17 00:00:00 2001
From: "W.C.A. Wijngaards"
Date: Tue, 23 Feb 2021 17:03:23 +0100
Subject: [PATCH] - Fix for zonemd, that domain-insecure zones work without dnssec.
---
 doc/Changelog | 3 +++
 services/authzone.c | 9 ++++++++-
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/doc/Changelog b/doc/Changelog
index cf61361e3..c7fecffdd 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,6 @@
+23 February 2021: Wouter
+ - Fix for zonemd, that domain-insecure zones work without dnssec.
+
 22 February 2021: Wouter
 - Fix #431: Squelch permission denied errors for tcp connect and udp connect from the logs, unless at high verbosity.
diff --git a/services/authzone.c b/services/authzone.c
index 87a405c71..c1f3d6978 100644
--- a/services/authzone.c
+++ b/services/authzone.c
@@ -8243,7 +8243,14 @@ void auth_zone_verify_zonemd(struct auth_zone* z, struct module_env* env,
 if(env->anchors)
 anchor = anchors_lookup(env->anchors, z->name, z->namelen, z->dclass);
- if(anchor && query_dname_compare(z->name, anchor->name) == 0) {
+ if(anchor && anchor->numDS == 0 && anchor->numDNSKEY == 0) {
+ /* domain-insecure trust anchor for unsigned zones */
+ lock_basic_unlock(&anchor->lock);
+ if(only_online)
+ return;
+ dnskey = NULL;
+ is_insecure = 1;
+ } else if(anchor && query_dname_compare(z->name, anchor->name) == 0) {
 if(only_online) {
 lock_basic_unlock(&anchor->lock);
 return;
--
2.47.2
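Review bot: The new first branch in auth_zone_verify_zonemd accepts any anchor with `numDS == 0 && numDNSKEY == 0` without the `query_dname_compare(z->name, anchor->name) == 0` test that the following branch applies, so an insecure point that `anchors_lookup` returns for an ancestor name would also set `is_insecure = 1` for this zone. That is probably the intent of domain-insecure, but the one-line comment does not say it, and the empty-key-count convention that identifies such an anchor is left implicit. The rest of the function lies outside the hunk, so the effect of `is_insecure` is inferred: ZONEMD would presumably be checked without DNSSEC, which detects accidental corruption but does not authenticate the zone contents. I would expand the comment to `/* domain-insecure point (no DS, no DNSKEY), possibly at an ancestor of z->name: ZONEMD is checked without DNSSEC, integrity only, no authentication */`.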