Allow CDS/CDNSKEY DELETE records in unsigned zone
authorMatthijs Mekking <matthijs@isc.org>
Wed, 17 Mar 2021 09:02:22 +0000 (10:02 +0100)
committerMatthijs Mekking <matthijs@isc.org>
Mon, 22 Mar 2021 09:25:30 +0000 (10:25 +0100)
While not useful, having a CDS/CDNSKEY DELETE record in an unsigned
zone is not an error and "named-checkzone" should not complain.

bin/tests/system/checkzone/zones/good-cds-unsigned.db [new file with mode: 0644]
lib/dns/zone.c

diff --git a/bin/tests/system/checkzone/zones/good-cds-unsigned.db b/bin/tests/system/checkzone/zones/good-cds-unsigned.db
new file mode 100644 (file)
index 0000000..affb600
--- /dev/null
@@ -0,0 +1,5 @@
+example.       0       SOA     . . 0 0 0 0 0
+example.       0       NS      .
+example.       0       CDS     0 0 0 00
+example.       0       CDNSKEY 0 3 0 AA==
+
index 782959b62a54900921e67368dade8dc0a2dd1cc0..6083b058e6bed0e166380a47f83cc1568a15ff41 100644 (file)
@@ -20524,6 +20524,7 @@ dns_zone_cdscheck(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version) {
        unsigned char buffer[DNS_DS_BUFFERSIZE];
        unsigned char algorithms[256];
        unsigned int i;
+       bool empty = false;
 
        enum { notexpected = 0, expected = 1, found = 2 };
 
@@ -20559,14 +20560,8 @@ dns_zone_cdscheck(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version) {
        result = dns_db_findrdataset(db, node, version, dns_rdatatype_dnskey,
                                     dns_rdatatype_none, 0, &dnskey, NULL);
        if (result == ISC_R_NOTFOUND) {
-               if (dns_rdataset_isassociated(&cds)) {
-                       result = DNS_R_BADCDS;
-               } else {
-                       result = DNS_R_BADCDNSKEY;
-               }
-               goto failure;
-       }
-       if (result != ISC_R_SUCCESS) {
+               empty = true;
+       } else if (result != ISC_R_SUCCESS) {
                goto failure;
        }
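Review bot: The new `empty = true;` branch changes what ISC_R_NOTFOUND means here — a missing DNSKEY RRset is no longer an error at this point and is only re-reported later, per record, for non-DELETE CDS/CDNSKEY — but nothing at the assignment says so. A comment would make the deferred check visible: `/* Unsigned zone (no DNSKEY): only CDS/CDNSKEY DELETE records are acceptable; enforced per record below. */`. Note also that `dnskey` stays unassociated whenever `empty` is set, so every later use of it inside dns_zone_cdscheck (outside this hunk) has to be reachable only when `empty` is false; from the hunks that follow this appears to hold because a non-DELETE record hits `goto failure` first, but it is worth confirming the failure path's cleanup tolerates an unassociated `dnskey`. dns_zone_cdscheck continues outside the hunk.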
 
@@ -20596,6 +20591,12 @@ dns_zone_cdscheck(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version) {
                                delete = true;
                                continue;
                        }
+
+                       if (empty) {
+                               result = DNS_R_BADCDS;
+                               goto failure;
+                       }
+
                        CHECK(dns_rdata_tostruct(&crdata, &structcds, NULL));
                        if (algorithms[structcds.algorithm] == 0) {
                                algorithms[structcds.algorithm] = expected;
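Review bot: The `if (empty)` guard is inserted identically in the CDS loop here and in the CDNSKEY loop in the next hunk, each without a comment explaining why a record is rejected at this point; because the DELETE-record `continue` immediately precedes it, the reader has to reconstruct that only DELETE records are exempt when the zone has no DNSKEY. Suggest one line above each: `/* A non-DELETE CDS cannot correspond to any DNSKEY in an unsigned zone. */` and the CDNSKEY counterpart in the following hunk. The flag name `empty` also reads as "this rdataset is empty" rather than "the zone has no DNSKEY RRset"; `no_dnskey` would be clearer, though renaming is optional if the declaration in the first hunk gets a comment. The enclosing loop and dns_zone_cdscheck continue outside the hunk.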
@@ -20663,6 +20664,12 @@ dns_zone_cdscheck(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version) {
                                delete = true;
                                continue;
                        }
+
+                       if (empty) {
+                               result = DNS_R_BADCDNSKEY;
+                               goto failure;
+                       }
+
                        CHECK(dns_rdata_tostruct(&crdata, &structcdnskey,
                                                 NULL));
                        if (algorithms[structcdnskey.algorithm] == 0) {