+2720. [bug] RFC 5011 trust anchor updates could trigger an
+ assert if the DNSKEY record was unsigned. [RT #20406]
+
2719. [func] Skip trusted/managed keys for unsupported algorithms.
[RT #20392]
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: zone.c,v 1.518 2009/10/20 02:45:06 marka Exp $ */
+/* $Id: zone.c,v 1.519 2009/10/20 04:13:38 each Exp $ */
/*! \file */
dns_diff_init(zone->mctx, &diff);
/* Fetch failed */
- if (eresult != ISC_R_SUCCESS) {
+ if (eresult != ISC_R_SUCCESS ||
+ !dns_rdataset_isassociated(&kfetch->dnskeyset)) {
dns_zone_log(zone, ISC_LOG_WARNING,
"Unable to fetch DNSKEY set "
"'%s': %s", namebuf, dns_result_totext(eresult));
goto failure;
}
+ /* No RRSIGs found */
+ if (!dns_rdataset_isassociated(&kfetch->dnskeysigset)) {
+ dns_zone_log(zone, ISC_LOG_WARNING,
+ "No DNSKEY RRSIGs found for "
+ "'%s': %s", namebuf, dns_result_totext(eresult));
+ CHECK(minimal_update(kfetch, ver, &diff));
+ goto failure;
+ }
+
/*
* Validate the dnskeyset against the current trusted keys.
* (Note, if a key has been revoked and isn't RSAMD5, then
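Review bot: The new "No DNSKEY RRSIGs found" warning formats `dns_result_totext(eresult)`, but that branch is only reached after the preceding check has rejected every `eresult` other than `ISC_R_SUCCESS`, so the log line will always end with the text for success. An unsigned DNSKEY answer for a managed trust anchor is an event an operator should see stated plainly, so I would drop the result suffix: `"No DNSKEY RRSIGs found for '%s'", namebuf);`. The widened "Unable to fetch DNSKEY set" condition has the same problem when the fetch succeeds but `kfetch->dnskeyset` is not associated. The `/* No RRSIGs found */` comment could also say why `minimal_update()` is still called before `goto failure`; the enclosing function starts and ends outside this hunk, so what the failure label does with `diff` is not visible here.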