From 8c87028d77231424b08562fa23d9dfe885dfb88a Mon Sep 17 00:00:00 2001
From: Willem Toorop
Date: Tue, 28 Nov 2017 16:58:12 +0100
Subject: [PATCH] Only get root-anchors.xml when BOGUS root dnskey... did have signatures which did not validate
---
 src/dnssec.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/dnssec.c b/src/dnssec.c
index 57f0ed81..d4c6375b 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -3160,12 +3160,19 @@ static void check_chain_complete(chain_head *chain)
 _getdns_context_update_root_ksk(context,&node->dnskey);
 } else if (_getdns_bogus(dnsreq)) {
+ _getdns_rrsig_iter rrsig_spc;
 DEBUG_ANCHOR("Request was bogus!\n");
 if ((head = chain) && (node = _to_the_root(head->parent))
+ /* The root DNSKEY rrset */
 && node->dnskey.name && *node->dnskey.name == 0
+ /* We queried it and had a response */
 && node->dnskey_req
- && node->dnskey_req->dnssec_status == GETDNS_DNSSEC_BOGUS){
+ /* The response was bogus */
+ && node->dnskey_req->dnssec_status == GETDNS_DNSSEC_BOGUS
+ /* The response was bogus, but not because it has no rrsigs */
+ && _getdns_rrsig_iter_init(&rrsig_spc, &node->dnskey)
+ ){
 DEBUG_ANCHOR("root DNSKEY set was bogus!\n");
 if (!dnsreq->waiting_for_ta) {
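Review bot: The last conjunct added to the `if` only tests whether `_getdns_rrsig_iter_init()` finds an RRSIG on the root DNSKEY rrset, so `rrsig_spc` is scratch storage and the condition says nothing about why the signatures failed. That deserves a comment at the declaration, for example `/* scratch iterator: only the truthiness of _getdns_rrsig_iter_init() is used */`. Because the presence of a signature is the whole criterion, a corrupted or forged root DNSKEY answer that carries any RRSIG presumably still reaches the root-anchors.xml fetch. The only throttle visible here is the `waiting_for_ta` check, so confirm that rate limiting and authentication of the downloaded anchors do not depend on this gate. check_chain_complete() starts and ends outside the hunk.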