From 884f6ddc5eea377bcb2d6c2250db70ec8700464c Mon Sep 17 00:00:00 2001
From: Willem Toorop
Date: Sun, 10 Jun 2018 16:57:40 +0200
Subject: [PATCH] DS is always a delegation and never at the apex

---
 src/dnssec.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/src/dnssec.c b/src/dnssec.c
index 437b250e..fd8ac932 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -2720,13 +2720,18 @@ static int chain_head_validate_with_ta(struct mem_funcs *mf,
 debug_sec_print_rrset("Validating ", &head->rrset);
 debug_sec_print_rrset("\twith trust anchor ", ta);
+ /* A DS is never at the apex */
+ if ( head->rrset.rr_type == GETDNS_RRTYPE_DS && head->parent->parent)
+ parent = head->parent->parent;
+
 /* Only at the apex, a NSEC is signed with a DNSKEY with the same
 * owner name. All other are signed by the parent domain or higher.
 * Besides a shortcut, choosing to search for a trusted key from the
 * parent is essential for NSECs at a delagation point! (which would
 * otherwise turn out BOGUS).
 */
- if ( head->rrset.rr_type == GETDNS_RRTYPE_NSEC
+ else if (head->rrset.rr_type == GETDNS_RRTYPE_NSEC
 && head->parent->parent
 && (nsec_rr = _getdns_rrtype_iter_init(&nsec_spc, &head->rrset))
 && (bitmap = _getdns_rdf_iter_init_at(
@@ -2739,8 +2744,7 @@ static int chain_head_validate_with_ta(struct mem_funcs *mf,
 * so a search for a trusted key at that name gives either INSECURE
 * (with opt-out) or BOGUS! )
 */
- else
- if (head->rrset.rr_type == GETDNS_RRTYPE_NSEC3
+ else if (head->rrset.rr_type == GETDNS_RRTYPE_NSEC3
 && head->parent->parent)
 parent = head->parent->parent;
 else
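Review bot: The new DS branch in the first hunk starts the trusted-key search at `head->parent->parent`, but its one-line comment only states the DNS fact, not why that chain node is the right one or what happens when no grandparent node exists; a reader has to infer the chain layout from the NSEC/NSEC3 branches below it. I would expand it to `/* A DS is never at the apex: it belongs to the parent side of the delegation, so search for a trusted key from the parent zone's node; when there is none, fall through to the generic case. */`. That fall-through is the security-relevant part, since a DS may only be vouched for by the parent zone's keys and never by keys at its own owner name, so it is worth confirming that the final `else` (whose body is outside the hunk) does not quietly pick a same-name node for a DS whose parent is the root. The `head->parent->parent` test dereferences `head->parent` unchecked, exactly as the existing NSEC and NSEC3 branches already do, so if a chain head can reach here with a NULL parent that is a pre-existing hazard rather than one this commit adds. chain_head_validate_with_ta begins before and ends after both hunks; the second hunk only folds `else` / `if` into `else if`.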