if (option_bool(OPT_DNSSEC_VALID))
{
#ifdef HAVE_DNSSEC
- if (!daemon->ds)
- die(_("no trust anchors provided for DNSSEC"), NULL, EC_BADCONF);
+ struct ds_config *ds;
+
+ /* Must have at least a root trust anchor, or the DNSSEC code
+ can loop forever. */
+ for (ds = daemon->ds; ds; ds = ds->next)
+ if (ds->name[0] == 0)
+ break;
+
+ if (!ds)
+ die(_("no root trust anchor provided for DNSSEC"), NULL, EC_BADCONF);
if (daemon->cachesize < CACHESIZ)
die(_("cannot reduce cache size from default when DNSSEC enabled"), NULL, EC_BADCONF);
*/
static int zone_status(char *name, int class, char *keyname, time_t now)
{
- int name_start = strlen(name);
+ int name_start = strlen(name); /* for when TA is root */
struct crec *crecp;
char *p;
+
+ /* First, work towards the root, looking for a trust anchor.
+ This can either be one configured, or one previously cached.
+ We can assume, if we don't find one first, that there is
+ a trust anchor at the root. */
+ for (p = name; p; p = strchr(p, '.'))
+ {
+ if (*p == '.')
+ p++;
+
+ if (cache_find_by_name(NULL, p, now, F_DS))
+ {
+ name_start = p - name;
+ break;
+ }
+ }
+ /* Now work away from the trust anchor */
while (1)
{
strcpy(keyname, &name[name_start]);
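Review bot: The new search loop silently relies on a trust anchor existing at the root when none is found closer to `name`, but nothing in this function checks that; it holds only because the start-up check elsewhere in this patch refuses to run with `no root trust anchor provided for DNSSEC`, and if that check were ever relaxed the `while (1)` loop that follows would have no guaranteed stopping point. I'd make that dependency explicit in the loop comment, e.g. `/* ... a trust anchor at the root: start-up refuses DNSSEC without one, which is what makes the loop below terminate. */`. Note also that `cache_find_by_name(NULL, p, now, F_DS)` returns whatever DS entry the cache holds for `p`; if negative DS records are cached under F_DS too (the cache code is not visible here), the "trust anchor" found may be a proof of absence, so the code after the hunk must treat such a starting point as insecure rather than as a key. A smaller point: `int name_start = strlen(name)` and `name_start = p - name` narrow `size_t`/`ptrdiff_t` into `int`; declaring `name_start` as `size_t` would avoid the implicit conversions. The body of zone_status, including the `while (1)` loop, continues outside this hunk.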