+ --- 9.5.2-P2 released ---
+
+2828. [security] Cached CNAME or DNAME RR could be returned to clients
+ without DNSSEC validation. [RT #20737]
+
+2827. [security] Bogus NXDOMAIN could be cached as if valid. [RT #20712]
+
--- 9.5.2-P1 released ---
2772. [security] When validating, track whether pending data was from
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: query.c,v 1.298.48.15.2.1 2009/11/18 23:41:17 marka Exp $ */
+/* $Id: query.c,v 1.298.48.15.2.2 2009/12/31 21:02:44 each Exp $ */
/*! \file */
dns_rdataset_t *noqname;
isc_boolean_t resuming;
int line = -1;
- dns_rdataset_t tmprdataset;
- unsigned int dboptions;
CTRACE("query_find");
/*
* Now look for an answer in the database.
*/
- dboptions = client->query.dboptions;
- if (sigrdataset == NULL && client->view->enablednssec) {
- /*
- * If the client doesn't want DNSSEC we still want to
- * look for any data pending validation to save a remote
- * lookup if possible.
- */
- dns_rdataset_init(&tmprdataset);
- sigrdataset = &tmprdataset;
- dboptions |= DNS_DBFIND_PENDINGOK;
- }
- refind:
result = dns_db_find(db, client->query.qname, version, type,
- dboptions, client->now, &node, fname,
- rdataset, sigrdataset);
- /*
- * If we have found pending data try to validate it.
- * If the data does not validate as secure and we can't
- * use the unvalidated data requery the database with
- * pending disabled to prevent infinite looping.
- */
- if (result != ISC_R_SUCCESS || !DNS_TRUST_PENDING(rdataset->trust))
- goto validation_done;
- if (validate(client, db, fname, rdataset, sigrdataset))
- goto validation_done;
- if (rdataset->trust != dns_trust_pending_answer ||
- !PENDINGOK(client->query.dboptions)) {
- dns_rdataset_disassociate(rdataset);
- if (sigrdataset != NULL &&
- dns_rdataset_isassociated(sigrdataset))
- dns_rdataset_disassociate(sigrdataset);
- if (sigrdataset == &tmprdataset)
- sigrdataset = NULL;
- dns_db_detachnode(db, &node);
- dboptions &= ~DNS_DBFIND_PENDINGOK;
- goto refind;
- }
- validation_done:
- if (sigrdataset == &tmprdataset) {
- if (dns_rdataset_isassociated(sigrdataset))
- dns_rdataset_disassociate(sigrdataset);
- sigrdataset = NULL;
- }
+ client->query.dboptions, client->now,
+ &node, fname, rdataset, sigrdataset);
resume:
CTRACE("query_find: resume");
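Review bot: The new dns_db_find call at the top of query_find no longer says why DNS_DBFIND_PENDINGOK is not requested here, and the reason is exactly the security point of CHANGES entry 2828 (a pending, not-yet-validated CNAME/DNAME served to a client that never asked for unvalidated data). A short comment above the call would stop the next maintainer from reinstating the shortcut: `/* Never request pending (unvalidated) data here: anything cached under +CD must be validated before it is returned to a client that did not set CD (RT #20737). */`. With the `refind:` label and the `validate()` call removed from this path, it is worth confirming that no other `goto refind` remains in query_find and that `validate()` still has a caller, otherwise the compiler will warn about an unused static function. query_find starts before and continues after this hunk.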
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: conf.sh.in,v 1.37.128.2 2008/01/10 23:46:34 tbox Exp $
+# $Id: conf.sh.in,v 1.37.128.2.34.1 2009/12/31 21:02:44 each Exp $
#
# Common configuration data for system tests, to be sourced into
# load on the machine to make it unusable to other users.
# v6synth
SUBDIRS="acl cacheclean checkconf checknames dnssec forward glue ixfr limits
- lwresd masterfile masterformat notify nsupdate resolver rrsetorder
+ lwresd masterfile masterformat notify nsupdate pending resolver rrsetorder
sortlist stub tkey unknown upforwd views xfer xferquota zonechecks"
# PERL will be an empty string if no perl interpreter was found.
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: example.db.in,v 1.17 2007/06/19 23:47:02 tbox Exp $
+; $Id: example.db.in,v 1.17.288.1 2009/12/31 21:02:44 each Exp $
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
foo TXT "testing"
foo A 10.0.1.0
+bad-cname CNAME a
+bad-dname DNAME @
+
; Used for testing CNAME queries
cname1 CNAME cname1-target
cname1-target TXT "testing cname"
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: sign.sh,v 1.28 2007/06/19 23:47:02 tbox Exp $
+# $Id: sign.sh,v 1.28.288.1 2009/12/31 21:02:44 each Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
$SIGNER -g -r $RANDFILE -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null
+#
+# lower/uppercase the signature bits with the exception of the last characters
+# changing the last 4 characters will lead to a bad base64 encoding.
+#
+$CHECKZONE -D -q -i local $zone $zonefile.signed |
+awk '
+tolower($1) == "bad-cname.example." && $4 == "RRSIG" && $5 == "CNAME" {
+ for (i = 1; i <= NF; i++ ) {
+ if (i <= 12) {
+ printf("%s ", $i);
+ continue;
+ }
+ prefix = substr($i, 1, length($i) - 4);
+ suffix = substr($i, length($i) - 4, 4);
+ if (i > 12 && tolower(prefix) != prefix)
+ printf("%s%s", tolower(prefix), suffix);
+ else if (i > 12 && toupper(prefix) != prefix)
+ printf("%s%s", toupper(prefix), suffix);
+ else
+ printf("%s%s ", prefix, suffix);
+ }
+ printf("\n");
+ next;
+}
+
+tolower($1) == "bad-dname.example." && $4 == "RRSIG" && $5 == "DNAME" {
+ for (i = 1; i <= NF; i++ ) {
+ if (i <= 12) {
+ printf("%s ", $i);
+ continue;
+ }
+ prefix = substr($i, 1, length($i) - 4);
+ suffix = substr($i, length($i) - 4, 4);
+ if (i > 12 && tolower(prefix) != prefix)
+ printf("%s%s", tolower(prefix), suffix);
+ else if (i > 12 && toupper(prefix) != prefix)
+ printf("%s%s", toupper(prefix), suffix);
+ else
+ printf("%s%s ", prefix, suffix);
+ }
+ printf("\n");
+ next;
+}
+
+{ print; }' > $zonefile.signed++ && mv $zonefile.signed++ $zonefile.signed
+
+
# Sign the privately secure file
privzone=private.secure.example.
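Review bot: The signature-mangling awk is off by one at `prefix = substr($i, 1, length($i) - 4)` / `suffix = substr($i, length($i) - 4, 4)`: awk's substr is 1-origin, so the suffix starts on the character that already ends the prefix and the field's final character is dropped, which is the opposite of what the comment ("with the exception of the last characters") intends and, when that final character is a `=` pad, produces the bad base64 the comment warns about. Use `suffix = substr($i, length($i) - 3, 4);` in both the CNAME block and the identical DNAME block below it. The two blocks differ only in the owner name and type they match, so one pattern such as `$4 == "RRSIG" && ((tolower($1) == "bad-cname.example." && $5 == "CNAME") || (tolower($1) == "bad-dname.example." && $5 == "DNAME"))` would halve the script and keep the two in step. Note also that the lower/upper branches print the field with no trailing space while the `else` branch adds one, so adjacent signature fields are glued together; if that is intended, a comment saying so would help.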
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.51 2007/06/19 23:47:02 tbox Exp $
+# $Id: tests.sh,v 1.51.288.1 2009/12/31 21:02:44 each Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
+echo "I:Checking that a bad CNAME signature is caught after a +CD query ($n)"
+ret=0
+#prime
+$DIG $DIGOPTS +cd bad-cname.example. @10.53.0.4 > dig.out.ns4.prime$n || ret=1
+#check: requery with +CD. pending data should be returned even if it's bogus
+expect="a.example.
+10.0.0.1"
+ans=`$DIG $DIGOPTS +cd +nodnssec +short bad-cname.example. @10.53.0.4` || ret=1
+test "$ans" = "$expect" || ret=1
+test $ret = 0 || echo I:failed, got "'""$ans""'", expected "'""$expect""'"
+#check: requery without +CD. bogus cached data should be rejected.
+$DIG $DIGOPTS +nodnssec bad-cname.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:Checking that a bad DNAME signature is caught after a +CD query ($n)"
+ret=0
+#prime
+$DIG $DIGOPTS +cd a.bad-dname.example. @10.53.0.4 > dig.out.ns4.prime$n || ret=1
+#check: requery with +CD. pending data should be returned even if it's bogus
+expect="example.
+a.example.
+10.0.0.1"
+ans=`$DIG $DIGOPTS +cd +nodnssec +short a.bad-dname.example. @10.53.0.4` || ret=1
+test "$ans" = "$expect" || ret=1
+test $ret = 0 || echo I:failed, got "'""$ans""'", expected "'""$expect""'"
+#check: requery without +CD. bogus cached data should be rejected.
+$DIG $DIGOPTS +nodnssec a.bad-dname.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
# Check the insecure.secure.example domain (insecurity proof)
echo "I:checking 2-server insecurity proof ($n)"
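Review bot: The +CD priming query writes `dig.out.ns4.prime$n` but nothing inspects it, and dig's exit status is 0 for a SERVFAIL or NXDOMAIN answer, so a failed prime is only detected indirectly by the later +short comparison; a check right after it, `grep "status: NOERROR" dig.out.ns4.prime$n > /dev/null || ret=1`, reports the failure at the step that actually broke. The same applies to the DNAME case. The final assertion would be more precise as `grep "status: SERVFAIL"` so it matches the status field rather than any occurrence of the word. The failure message `echo I:failed, got "'""$ans""'", expected "'""$expect""'"` is hard to read; `echo "I:failed, got '$ans', expected '$expect'"` prints the same text.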
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: clean.sh,v 1.4 2009/12/30 08:02:22 jinmei Exp $
+# $Id: clean.sh,v 1.4.6.1 2009/12/31 21:02:44 each Exp $
rm -rf */*.signed
rm -rf */*.jnl
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: root.db.in,v 1.4 2009/12/30 08:02:22 jinmei Exp $
+; $Id: root.db.in,v 1.4.6.1 2009/12/31 21:02:44 each Exp $
$TTL 30
. IN SOA marka.isc.org. a.root.servers.nil. (
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: sign.sh,v 1.3 2009/12/30 08:02:22 jinmei Exp $
+# $Id: sign.sh,v 1.3.6.1 2009/12/31 21:02:44 each Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
cp ../ns2/dsset-example. .
cp ../ns2/dsset-example.com. .
-keyname1=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone`
-keyname2=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 2048 -f KSK -n zone $zone`
+keyname1=`$KEYGEN -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
+keyname2=`$KEYGEN -r $RANDFILE -a RSASHA1 -b 2048 -f KSK -n zone $zone`
cat $infile $keyname1.key $keyname2.key > $zonefile
$SIGNER -g -r $RANDFILE -o $zone $zonefile > /dev/null
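Review bot: The two dnssec-keygen lines switch from RSASHA256 to RSASHA1 and drop `-q` with no explanation; if, as the matching edits in the ns2 sign.sh and prereq.sh suggest, this is because the 9.5 branch's dnssec-keygen supports neither, a one-line comment such as `# 9.5 dnssec-keygen has neither -q nor RSASHA256` would keep a later merge from reintroducing them. Without `-q` the key name is still the only thing on stdout, so the command substitution is unaffected, but that is worth stating in the same comment.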
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: example.com.db.in,v 1.2 2009/12/30 08:02:22 jinmei Exp $
+; $Id: example.com.db.in,v 1.2.14.1 2009/12/31 21:02:44 each Exp $
$TTL 30
@ IN SOA mname1. . (
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.4 2009/12/30 08:02:22 jinmei Exp $ */
+/* $Id: named.conf,v 1.4.6.1 2009/12/31 21:02:44 each Exp $ */
// NS2
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: sign.sh,v 1.4 2009/12/30 08:02:22 jinmei Exp $
+# $Id: sign.sh,v 1.4.6.1 2009/12/31 21:02:44 each Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
infile=${domain}.db.in
zonefile=${domain}.db
- keyname1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
- keyname2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -f KSK -n zone $zone`
+ keyname1=`$KEYGEN -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
+ keyname2=`$KEYGEN -r $RANDFILE -a RSASHA1 -b 1024 -f KSK -n zone $zone`
cat $infile $keyname1.key $keyname2.key >$zonefile
$SIGNER -r $RANDFILE -o $zone $zonefile > /dev/null
done
+
+zone=example.
+infile=example.db.in
+zonefile=example.db
+
+keyname1=`$KEYGEN -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
+keyname2=`$KEYGEN -r $RANDFILE -a RSASHA1 -b 1024 -f KSK -n zone $zone`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -r $RANDFILE -o $zone $zonefile > /dev/null
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: prereq.sh,v 1.3 2009/11/18 23:48:06 tbox Exp $
+# $Id: prereq.sh,v 1.3.40.1 2009/12/31 21:02:44 each Exp $
-../../../tools/genrandom 400 random.data
-
-if $KEYGEN -q -a RSAMD5 -b 512 -n zone -r random.data foo > /dev/null 2>&1
+../../genrandom 400 random.data
+if $KEYGEN -a RSAMD5 -b 512 -n zone -r random.data foo > /dev/null 2>&1
then
rm -f Kfoo*
else
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: setup.sh,v 1.2 2009/11/17 23:55:18 marka Exp $
+# $Id: setup.sh,v 1.2.46.1 2009/12/31 21:02:44 each Exp $
-../../../tools/genrandom 400 random.data
+../../genrandom 400 random.data
cd ns1 && sh -e sign.sh
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.4 2009/12/30 08:02:22 jinmei Exp $
+# $Id: tests.sh,v 1.4.6.1 2009/12/31 21:02:44 each Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: types.h,v 1.126.62.6.2.1 2009/11/18 23:41:18 marka Exp $ */
+/* $Id: types.h,v 1.126.62.6.2.2 2009/12/31 21:02:45 each Exp $ */
#ifndef DNS_TYPES_H
#define DNS_TYPES_H 1
#define DNS_TRUST_PENDING(x) ((x) == dns_trust_pending_answer || \
(x) == dns_trust_pending_additional)
+#define DNS_TRUST_ADDITIONAL(x) ((x) == dns_trust_additional || \
+ (x) == dns_trust_pending_additional)
#define DNS_TRUST_GLUE(x) ((x) == dns_trust_glue)
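Review bot: DNS_TRUST_ADDITIONAL is added without a comment, and unlike DNS_TRUST_PENDING its name does not reveal that it also matches the pending-additional level. A one-line comment above it would remove the ambiguity: `/* True for both the additional and the pending-additional trust levels. */`. Like its neighbours it evaluates `x` twice, so callers must not pass an expression with side effects.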
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: validator.c,v 1.155.52.14.2.1 2009/11/18 23:41:18 marka Exp $ */
+/* $Id: validator.c,v 1.155.52.14.2.2 2009/12/31 21:02:44 each Exp $ */
#include <config.h>
if (val->havedlvsep)
dns_name_copy(dns_fixedname_name(&val->dlvsep), secroot, NULL);
else {
+ unsigned int labels;
dns_name_copy(val->event->name, secroot, NULL);
/*
* If this is a response to a DS query, we need to look in
* the parent zone for the trust anchor.
*/
- if (val->event->type == dns_rdatatype_ds &&
- dns_name_countlabels(secroot) > 1U)
- dns_name_split(secroot, 1, NULL, secroot);
+
+ labels = dns_name_countlabels(secroot);
+ if (val->event->type == dns_rdatatype_ds && labels > 1U)
+ dns_name_getlabelsequence(secroot, 1, labels - 1,
+ secroot);
result = dns_keytable_finddeepestmatch(val->keytable,
secroot, secroot);
-
if (result == ISC_R_NOTFOUND) {
- validator_log(val, ISC_LOG_DEBUG(3),
- "not beneath secure root");
if (val->mustbesecure) {
validator_log(val, ISC_LOG_WARNING,
"must be secure failure");
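Review bot: Removing the `"not beneath secure root"` debug message leaves the ISC_R_NOTFOUND branch silent unless val->mustbesecure is set, so the path taken when no trust anchor covers the name no longer shows up in DEBUG(3) logs. If the message was dropped because the caller now reports the same condition, a short comment at the branch would say so; otherwise keeping `validator_log(val, ISC_LOG_DEBUG(3), "not beneath secure root");` costs nothing and helps diagnose validation outcomes. The new `dns_name_getlabelsequence(secroot, 1, labels - 1, secroot)` reads and writes the same name; the existing comment explains the DS-parent intent, but it is worth confirming that the function's contract allows source and target to alias. The enclosing function starts before and continues past this hunk.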
-# $Id: version,v 1.39.18.13.2.1 2009/11/18 23:41:17 marka Exp $
+# $Id: version,v 1.39.18.13.2.2 2009/12/31 21:02:44 each Exp $
#
# This file must follow /bin/sh rules. It is imported directly via
# configure.
MINORVER=5
PATCHVER=2
RELEASETYPE=-P
-RELEASEVER=1
+RELEASEVER=2