From d36b7f86fb1ba7471cf390f5a5afcf5e6ee8353c Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Wed, 31 Jan 2018 10:23:01 -0800 Subject: [PATCH] [master] improve debugging output from dnssec-cds 4883. [cleanup] Improved debugging output from dnssec-cds. [RT #47026] Patch submitted by Tony Finch (dot@dotat.at) --- CHANGES | 2 ++ bin/dnssec/dnssec-cds.c | 21 ++++++++++++++++++--- 2 files changed, 20 insertions(+), 3 deletions(-) diff --git a/CHANGES b/CHANGES index 7132d34c58..a00f7e4f1e 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +4883. [cleanup] Improved debugging output from dnssec-cds. [RT #47026] + 4882. [bug] Address potential memory leak in dns_update_signaturesinc. [RT #47084] diff --git a/bin/dnssec/dnssec-cds.c b/bin/dnssec/dnssec-cds.c index 56237823c1..fdb20d09f8 100644 --- a/bin/dnssec/dnssec-cds.c +++ b/bin/dnssec/dnssec-cds.c @@ -85,7 +85,7 @@ static dns_rdataclass_t rdclass = dns_rdataclass_in; */ static isc_uint8_t dtype[8]; -static const char *startstr = NULL; /* from which we derive notbefore */ +static const char *startstr = NULL; /* from which we derive notbefore */ static isc_stdtime_t notbefore = 0; /* restrict sig inception times */ static dns_rdata_rrsig_t oldestsig; /* for recording inception time */ @@ -521,6 +521,13 @@ match_key_dsset(keyinfo_t *ki, dns_rdataset_t *dsset, strictness_t strictness) } } + vbprintf(1, "no matching %s for %s %d %d\n", + dsset->type == dns_rdatatype_cds + ? "CDS" : "DS", + ki->rdata.type == dns_rdatatype_cdnskey + ? "CDNSKEY" : "DNSKEY", + ki->tag, ki->algo); + return (ISC_FALSE); } 
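Review bot: In the new vbprintf at the tail of match_key_dsset, `ki->tag` and `ki->algo` are printed with `%d`; DNSKEY key tags and algorithm numbers are unsigned 16-bit and 8-bit values, so if keyinfo_t declares them with unsigned types (the struct is not visible here) they promote to int and `%d` works, but `%u` would state the intent and keep -Wformat-signedness quiet: `vbprintf(1, "no matching %s for %s %u %u\n", ...)`. The message is also emitted only on the fall-through path, so it should read as "no (C)DS in the set matched this key" rather than "the DS set is empty" — worth a one-line comment above it, e.g. `/* every (C)DS in dsset was tried above and none matched this key */`, since the loop it refers to starts outside the hunk. match_key_dsset's body begins before this hunk.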
@@ -647,17 +654,25 @@ matching_sigs(keyinfo_t *keytbl, dns_rdataset_t *rdataset,
 for (i = 0; i < nkey; i++) {
 keyinfo_t *ki = &keytbl[i];
- if (ki->dst == NULL ||
- sig.keyid != ki->tag ||
+ if (sig.keyid != ki->tag ||
 sig.algorithm != ki->algo ||
 !dns_name_equal(&sig.signer, name)) {
 continue;
 }
+ if (ki->dst == NULL) {
+ vbprintf(1, "skip RRSIG by key %d:"
+ " no matching (C)DS\n",
+ sig.keyid);
+ continue;
+ }
 result = dns_dnssec_verify(name, rdataset, ki->dst, ISC_FALSE, mctx, &sigrdata);
 if (result != ISC_R_SUCCESS) {
+ vbprintf(1, "skip RRSIG by key %d:"
+ " verification failed: %s\n",
+ sig.keyid, isc_result_totext(result));
 continue;
 }
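Review bot: The new `if (ki->dst == NULL)` branch hard-codes the reason "no matching (C)DS", which is only accurate if a NULL `dst` is produced solely by the (C)DS-matching step; if `dst` can also be NULL because the DNSKEY could not be turned into a dst_key (that code is outside this hunk), the message would point an operator at the wrong cause, so either confirm that or soften it to `" key not usable (no matching (C)DS)\n"`. The reorder itself is sound from a trust standpoint: the NULL test still runs before `dns_dnssec_verify`, so a signature by a key that was not vouched for by a (C)DS is still never verified, only now logged. Both new messages identify the skipped RRSIG by key tag alone; when several RRsets are checked in one run a verbose reader cannot tell which owner name or type failed, so consider formatting `name` (dns_name_format into a local buffer) and `rdataset->type` into the "verification failed" line. The surrounding loop and matching_sigs continue past the end of this hunk.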