Only get root-anchors.xml when BOGUS root dnskey...

did have signatures which did not validate
Willem Toorop 2017-11-28 16:58:12 +01:00
parent 2a39b6e2e8
commit 8c87028d77
1 changed files with 8 additions and 1 deletions


@ -3160,12 +3160,19 @@ static void check_chain_complete(chain_head *chain)
_getdns_context_update_root_ksk(context,&node->dnskey); _getdns_context_update_root_ksk(context,&node->dnskey);
} else if (_getdns_bogus(dnsreq)) { } else if (_getdns_bogus(dnsreq)) {
_getdns_rrsig_iter rrsig_spc;
DEBUG_ANCHOR("Request was bogus!\n"); DEBUG_ANCHOR("Request was bogus!\n");
if ((head = chain) && (node = _to_the_root(head->parent)) if ((head = chain) && (node = _to_the_root(head->parent))
/* The root DNSKEY rrset */
&& node->dnskey.name && *node->dnskey.name == 0 && node->dnskey.name && *node->dnskey.name == 0
/* We queried it and had a response */
&& node->dnskey_req && node->dnskey_req
&& node->dnskey_req->dnssec_status == GETDNS_DNSSEC_BOGUS){ /* The response was bogus */
&& node->dnskey_req->dnssec_status == GETDNS_DNSSEC_BOGUS
/* The response was bogus, but not because it has no rrsigs */
&& _getdns_rrsig_iter_init(&rrsig_spc, &node->dnskey)
){
DEBUG_ANCHOR("root DNSKEY set was bogus!\n"); DEBUG_ANCHOR("root DNSKEY set was bogus!\n");
if (!dnsreq->waiting_for_ta) { if (!dnsreq->waiting_for_ta) {