[master] improve debugging output from dnssec-cds

4883.	[cleanup]	Improved debugging output from dnssec-cds. [RT #47026]

Patch submitted by Tony Finch (dot@dotat.at)

CHANGES

@@ -1,3 +1,5 @@
+4883.	[cleanup]	Improved debugging output from dnssec-cds. [RT #47026]
+
 4882.	[bug]		Address potential memory leak in
 			dns_update_signaturesinc. [RT #47084]
 

bin/dnssec/dnssec-cds.c

@@ -521,6 +521,13 @@ match_key_dsset(keyinfo_t *ki, dns_rdataset_t *dsset, strictness_t strictness)
 		}
 	}
 
+	vbprintf(1, "no matching %s for %s %d %d\n",
+		 dsset->type == dns_rdatatype_cds
+		 ? "CDS" : "DS",
+		 ki->rdata.type == dns_rdatatype_cdnskey
+		 ? "CDNSKEY" : "DNSKEY",
+		 ki->tag, ki->algo);
+
 	return (ISC_FALSE);
 }
 
@@ -647,17 +654,25 @@ matching_sigs(keyinfo_t *keytbl, dns_rdataset_t *rdataset,
 
 		for (i = 0; i < nkey; i++) {
 			keyinfo_t *ki = &keytbl[i];
-			if (ki->dst == NULL ||
+			if (sig.keyid != ki->tag ||
-			    sig.keyid != ki->tag ||
 			    sig.algorithm != ki->algo ||
 			    !dns_name_equal(&sig.signer, name))
 			{
 				continue;
 			}
+			if (ki->dst == NULL) {
+				vbprintf(1, "skip RRSIG by key %d:"
+					 " no matching (C)DS\n",
+					 sig.keyid);
+				continue;
+			}
 
 			result = dns_dnssec_verify(name, rdataset, ki->dst,
 						   ISC_FALSE, mctx, &sigrdata);
 			if (result != ISC_R_SUCCESS) {
+				vbprintf(1, "skip RRSIG by key %d:"
+					 " verification failed: %s\n",
+					 sig.keyid, isc_result_totext(result));
 				continue;
 			}