diff --git a/bin/tests/system/mirror/tests.sh b/bin/tests/system/mirror/tests.sh
index dfadcf05c6..e95f97122c 100644
--- a/bin/tests/system/mirror/tests.sh
+++ b/bin/tests/system/mirror/tests.sh
@@ -250,12 +250,24 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 n=`expr $n + 1`
-echo_i "checking flags set in a response sourced from a mirror zone ($n)"
+echo_i "checking flags set in a DNSKEY response sourced from a mirror zone ($n)"
 ret=0
 $DIG $DIGOPTS @10.53.0.3 . DNSKEY > dig.out.ns3.test$n 2>&1 || ret=1
 # Check response code and flags in the answer.
 grep "NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
 grep "flags:.* aa" dig.out.ns3.test$n > /dev/null && ret=1
+grep "flags:.* ad" dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking flags set in a SOA response sourced from a mirror zone ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.3 . SOA > dig.out.ns3.test$n 2>&1 || ret=1
+# Check response code and flags in the answer.
+grep "NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+grep "flags:.* aa" dig.out.ns3.test$n > /dev/null && ret=1
+grep "flags:.* ad" dig.out.ns3.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
diff --git a/lib/dns/include/dns/zoneverify.h b/lib/dns/include/dns/zoneverify.h
index 594c6ecc08..46865ce900 100644
--- a/lib/dns/include/dns/zoneverify.h
+++ b/lib/dns/include/dns/zoneverify.h
@@ -30,6 +30,12 @@ ISC_LANG_BEGINDECLS
 *
 * The rest of the zone was signed with at least one of the ZSKs
 * present in the DNSKEY RRSET.
+ *
+ * Mark all RRsets correctly signed by one of the keys in the DNSKEY RRset at
+ * zone apex as secure.
+ *
+ * If 'secroots' is not NULL, mark the DNSKEY RRset as secure if it is
+ * correctly signed by at least one key present in 'secroots'.
 */
 isc_result_t
 dns_zoneverify_dnssec(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
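Review bot: The two new `grep "flags:.* ad"` assertions only cover the positive case, that a DNSKEY or SOA answer from the verified mirror zone carries AD; nothing in this hunk asserts that AD is absent when the zone's verification did not succeed, so a regression that marked every mirror-zone RRset secure unconditionally would still pass these stanzas. If the script does not already cover that case elsewhere and the setup has (or can be given) a mirror zone that is served without passing verification, add a stanza with the inverted check `grep "flags:.* ad" dig.out.ns3.test$n > /dev/null && ret=1`. The pattern is also looser than it needs to be, since `flags:.* ad` matches any later ` ad` substring on the line; `grep "flags:[^;]* ad[ ;]"` pins it to the header flag list that precedes the first `;`. The DNSKEY and SOA stanzas are otherwise identical, so a `for rrtype in DNSKEY SOA` loop would keep them from drifting apart.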
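Review bot: The new header text says when RRsets are marked secure but not what happens to RRsets that do not verify, and a caller that decides whether to set AD from rdataset trust needs that; in the accompanying zoneverify.c change the trust level is only ever raised, never lowered, so a failing RRset keeps whatever trust it already had. Add a sentence after the 'secroots' paragraph such as ` * RRsets that fail verification are left at their existing trust level; this function never lowers trust, so a caller must not serve from the database when verification fails.` - the second clause reflects my reading of the mirror-zone use and should be confirmed against the caller. The dns_zoneverify_dnssec prototype continues past the end of the hunk.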
diff --git a/lib/dns/zoneverify.c b/lib/dns/zoneverify.c
index cf130963e8..3cf5790cdd 100644
--- a/lib/dns/zoneverify.c
+++ b/lib/dns/zoneverify.c
@@ -912,6 +912,8 @@ verifyset(vctx_t *vctx, dns_rdataset_t *rdataset, const dns_name_t *name,
 continue;
 }
 if (goodsig(vctx, &rdata, name, keyrdataset, rdataset)) {
+ dns_rdataset_settrust(rdataset, dns_trust_secure);
+ dns_rdataset_settrust(&sigrdataset, dns_trust_secure);
 set_algorithms[sig.algorithm] = 1;
 }
 }
@@ -1561,6 +1563,8 @@ check_dnskey_sigs(vctx_t *vctx, const dns_rdata_dnskey_t *dnskey,
 * The supplied key is a trust anchor.
 */
 dns_keytable_detachkeynode(vctx->secroots, &keynode);
+ dns_rdataset_settrust(&vctx->keyset, dns_trust_secure);
+ dns_rdataset_settrust(&vctx->keysigs, dns_trust_secure);
 *goodkey = ISC_TRUE;
 break;
 case DNS_R_PARTIALMATCH:
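Review bot: In verifyset the two `dns_rdataset_settrust(..., dns_trust_secure)` calls sit inside the per-RRSIG loop and fire as soon as one signature passes goodsig(), before the loop completes and before `set_algorithms[]` is compared against the algorithms the zone is required to sign with, so an RRset signed by only a subset of those algorithms is already marked secure even if verifyset then reports it as a failure (the coverage check and the rest of the function are outside the hunk, so this is inferred from the visible `set_algorithms[sig.algorithm] = 1;`). If settrust writes through to the underlying database, as it does for database-backed rdatasets, that marking outlives the verification verdict unless every caller discards the database on failure. Move the two calls after the loop and guard them with the final per-RRset verdict, e.g. `if (all required algorithms in set_algorithms) { dns_rdataset_settrust(rdataset, dns_trust_secure); dns_rdataset_settrust(&sigrdataset, dns_trust_secure); }`, or at least state at the call site that the database must be discarded whenever dns_zoneverify_dnssec fails. As written the calls are also repeated once per valid signature, which is harmless but hides the intent.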
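Review bot: In check_dnskey_sigs the DNSKEY RRset and its RRSIGs are upgraded to secure on a trust-anchor match, but nothing in the hunk shows that the RRSIG made by `dnskey` over the DNSKEY RRset was verified before this point; the start of the function is outside the hunk, so if that verification happens there the precondition should be stated at the call site, e.g. `/* 'dnskey' is a configured trust anchor and (checked above) signs the DNSKEY RRset, so the whole set and its signatures are secure. */`, and if it does not, the two settrust calls need to move behind such a check. Membership in 'secroots' alone establishes that a key is trusted, not that this RRset was signed with it.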