Fix a bug in trust anchors verification.

We were not reseting the keynode value when iterating over DNSKEYs in RRSET, so we weren't checking all DNSKEYs against all trust anchors. This commit fixes the issue by resetting keynode with every loop.
2025-08-31 14:35:26 +00:00 · 2019-11-21 18:18:56 +01:00
parent cadbc158f0
commit 58db2d1d18
1 changed files with 7 additions and 3 deletions
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -9911,9 +9911,9 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
 				break;
 			}
 		}
-
-		dns_keytable_detachkeynode(secroots, &keynode);
 		goto anchors_done;
+	} else {
+		dns_keytable_detachkeynode(secroots, &keynode);
 	}

 	/*
@@ -9924,6 +9924,10 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
 	     result == ISC_R_SUCCESS;
 	     result = dns_rdataset_next(dnskeysigs))
 	{
+		result = dns_keytable_find(secroots, keyname, &keynode);
+		if (result != ISC_R_SUCCESS) {
+			goto anchors_done;
+		}
 		dns_rdata_reset(&sigrr);
 		dns_rdataset_current(dnskeysigs, &sigrr);
 		result = dns_rdata_tostruct(&sigrr, &sig, NULL);
@@ -9971,7 +9975,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
 				keynode = nextnode;
 			}
 		}
-
+		dns_keytable_detachkeynode(secroots, &keynode);
 		if (secure) {
 			break;
 		}