From 65663e6da86ce3e4383cdfdadb9e4f2fcebcacdd Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Fri, 2 Oct 2015 12:45:32 +0200 Subject: [PATCH] DNSSEC zonecut finding issues Thanks Theogene Bucuti --- ChangeLog | 2 ++ src/dnssec.c | 17 ++++++++++++++++- 2 files changed, 18 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index ea8f4524..f31cb691 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,8 @@ * 2015-10-??: Version 0.3.4 * Native crypto. No ldns dependency anymore. (ldns still necessary to be able to run tests though) + * Bugfix: DNSSEC code finding zone cut with redirects + pursuing unsigned + DS answers close to the root. Thanks Theogene Bucuti! * 2015-09-09: Version 0.3.3 * Fix clearing upstream events on shutdown diff --git a/src/dnssec.c b/src/dnssec.c index a02401a4..780ac6de 100644 --- a/src/dnssec.c +++ b/src/dnssec.c @@ -1269,6 +1269,7 @@ static void val_chain_node_cb(getdns_dns_req *dnsreq) rrset_iter *i, i_spc; getdns_rrset *rrset; rrsig_iter *rrsig, rrsig_spc; + size_t n_signers; _getdns_context_clear_outbound_request(dnsreq); switch (netreq->request_type) { @@ -1280,6 +1281,7 @@ static void val_chain_node_cb(getdns_dns_req *dnsreq) default : check_chain_complete(node->chains); return; } + n_signers = 0; for ( i = rrset_iter_init(&i_spc,netreq->response,netreq->response_len) ; i ; i = rrset_iter_next(i)) { @@ -1292,10 +1294,18 @@ static void val_chain_node_cb(getdns_dns_req *dnsreq) continue; for ( rrsig = rrsig_iter_init(&rrsig_spc, rrset) - ; rrsig; rrsig = rrsig_iter_next(rrsig)) + ; rrsig; rrsig = rrsig_iter_next(rrsig)) { val_chain_sched_signer_node(node, rrsig); + n_signers++; + } } + if (netreq->request_type == GETDNS_RRTYPE_DS && n_signers == 0) + /* No signed DS and no signed proof of non-existance. + * Search further up the tree... + */ + val_chain_sched_soa_node(node->parent); + check_chain_complete(node->chains); } 
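Review bot: In the new DS branch at the end of val_chain_node_cb, `val_chain_sched_soa_node(node->parent)` is called without checking that `node->parent` is non-NULL, whereas the existing branch in val_chain_node_soa_cb guards the same call with `else if (node->parent)`. Whether val_chain_sched_soa_node tolerates a NULL argument is not visible here; if it does not, an unsigned DS answer for the top-most node of a chain would dereference NULL, and the contents of that answer come from the network. Extending the condition to `if (netreq->request_type == GETDNS_RRTYPE_DS && n_signers == 0 && node->parent)` would rule it out. The added else branch in val_chain_node_soa_cb makes the same unguarded call. The function body begins outside this hunk, so the early-return paths should be checked against the full source.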
@@ -1317,6 +1327,11 @@ static void val_chain_node_soa_cb(getdns_dns_req *dnsreq) if (node) val_chain_sched_ds_node(node); + else { + /* SOA for a different name */ + node = (chain_node *)dnsreq->user_pointer; + val_chain_sched_soa_node(node->parent); + } } else if (node->parent) val_chain_sched_soa_node(node->parent);
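Review bot: The added else branch reassigns `node` from `dnsreq->user_pointer`, and the reason is left unstated: the lookup above the hunk has presumably left `node` NULL at this point. The comment `/* SOA for a different name */` also leaves out where the retry starts. Something like `/* SOA owner matched no node in this chain; node is NULL here, so restart from the node this request was issued for and ask one level up */` would make that explicit. Keeping the request's node in a separate local instead of overwriting `node` would also make it obvious that the later `node->chains` and `node->parent` uses refer to the queried node. The matching loop and the rest of the function are outside the hunk, so this reading needs confirming against the full source.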