2171. [bug] Handle breaks in DNSSEC trust chains where the parent
authorMark Andrews <marka@isc.org>
Fri, 27 Apr 2007 06:13:29 +0000 (06:13 +0000)
committerMark Andrews <marka@isc.org>
Fri, 27 Apr 2007 06:13:29 +0000 (06:13 +0000)
                        servers are not DS aware (DS queries to the parent
                        return a referral to the child).

CHANGES
lib/dns/validator.c

diff --git a/CHANGES b/CHANGES
index 469488b7455cbade7f4070ec2b01a039e88f9e34..0900af98c1d53b34477e950be9e7c3790783fc69 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+2171.  [bug]           Handle breaks in DNSSEC trust chains where the parent
+                       servers are not DS aware (DS queries to the parent
+                       return a referral to the child).
+
 2170.  [func]          Add acache processing to test suite. [RT #16711]
 
 2169.  [bug]           host, nslookup: when reporting NXDOMAIN report the
index ac2a6f0b94cec2b31523ce21ae5f2354a4cebd8e..8e614c970b4faa0a1418149f1356e7baf709257e 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: validator.c,v 1.150 2007/02/26 01:20:43 marka Exp $ */
+/* $Id: validator.c,v 1.151 2007/04/27 06:13:29 marka Exp $ */
 
 #include <config.h>
 
@@ -350,10 +350,12 @@ dsfetched(isc_task_t *task, isc_event_t *event) {
                if (result != DNS_R_WAIT)
                        validator_done(val, result);
        } else if (eresult == DNS_R_NXRRSET ||
-                  eresult == DNS_R_NCACHENXRRSET)
+                  eresult == DNS_R_NCACHENXRRSET ||
+                  eresult == DNS_R_SERVFAIL)   /* RFC 1034 parent? */
        {
                validator_log(val, ISC_LOG_DEBUG(3),
-                             "falling back to insecurity proof");
+                             "falling back to insecurity proof (%s)",
+                             dns_result_totext(eresult));
                val->attributes |= VALATTR_INSECURITY;
                result = proveunsecure(val, ISC_FALSE);
                if (result != DNS_R_WAIT)
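Review bot: The added `eresult == DNS_R_SERVFAIL` test in dsfetched() widens the insecurity-proof fallback to every failed DS fetch, not only the non-DS-aware parent the commit describes, and the trailing `/* RFC 1034 parent? */` reads as an open question rather than a reason. Whether this is safe depends on proveunsecure() still requiring a validated proof that no DS exists before the name is treated as insecure; that function is outside this hunk, so it should be confirmed there. I would replace the comment with something like `/* SERVFAIL: parent may be RFC 1034-only and refer DS queries to the child; proveunsecure() must still validate the absence of DS */`. Because the fallback is logged only at `ISC_LOG_DEBUG(3)`, consider a more visible level for the SERVFAIL case so operators can tell when a trust chain was resolved this way. dsfetched()'s body starts and ends outside the hunk.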