- Fix install of trust anchor when two anchors are present, makes both

valid. Checks hash of DS but not signature of new key. This fixes installs between sep11 and oct11 2017. git-svn-id: file:///svn/unbound/trunk@4302 be551aaa-1e26-0410-a405-d3ace91eadb9
2024-09-21 14:47:09 +00:00 · 2017-08-21 08:57:44 +00:00 · 2017-08-21 08:57:44 +00:00 · 8d1e4b3648
commit 8d1e4b3648
parent 6e23e40a2f
2 changed files with 13 additions and 0 deletions
--- a/doc/Changelog
+++ b/doc/Changelog
@ -1,3 +1,10 @@
+22 August 2017: Wouter
+	- Fix install of trust anchor when two anchors are present, makes both
+	  valid.  Checks hash of DS but not signature of new key.  This fixes
+	  installs between sep11 and oct11 2017.
+	- tag 1.6.5 with pointrelease 1.6.5 (1.6.4 plus 5011 fix).
+	- trunk version 1.6.6 in development.
+
 10 August 2017: Wouter
 	- Patch to show DNSCrypt status in help output, from Carsten
 	  Strotmann.
--- a/validator/autotrust.c
+++ b/validator/autotrust.c
@ -1571,6 +1571,11 @@ key_matches_a_ds(struct module_env* env, struct val_env* ve,
 			verbose(VERB_ALGO, "DS match attempt failed");
 			continue;
 		}
+		/* match of hash is sufficient for bootstrap of trust point */
+		(void)reason;
+		(void)ve;
+		return 1;
+		/* no need to check RRSIG, DS hash already matched with source
 		if(dnskey_verify_rrset(env, ve, dnskey_rrset, 
 			dnskey_rrset, key_idx, &reason) == sec_status_secure) {
 			return 1;
@ -1578,6 +1583,7 @@ key_matches_a_ds(struct module_env* env, struct val_env* ve,
 			verbose(VERB_ALGO, "DS match failed because the key "
 				"does not verify the keyset: %s", reason);
 		}
+		*/
 	}
 	return 0;
 }