From 8d1e4b36484517e845f01b8964b7ed45db4bc278 Mon Sep 17 00:00:00 2001
From: Wouter Wijngaards
Date: Mon, 21 Aug 2017 08:57:44 +0000
Subject: [PATCH] - Fix install of trust anchor when two anchors are present, makes both valid. Checks hash of DS but not signature of new key. This fixes installs between sep11 and oct11 2017.
git-svn-id: file:///svn/unbound/trunk@4302 be551aaa-1e26-0410-a405-d3ace91eadb9
---
 doc/Changelog | 7 +++++++
 validator/autotrust.c | 6 ++++++
 2 files changed, 13 insertions(+)
diff --git a/doc/Changelog b/doc/Changelog
index 12af05557..5b0bc0115 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,10 @@
+22 August 2017: Wouter
+ - Fix install of trust anchor when two anchors are present, makes both
+ valid. Checks hash of DS but not signature of new key. This fixes
+ installs between sep11 and oct11 2017.
+ - tag 1.6.5 with pointrelease 1.6.5 (1.6.4 plus 5011 fix).
+ - trunk version 1.6.6 in development.
+
 10 August 2017: Wouter
 - Patch to show DNSCrypt status in help output, from Carsten Strotmann.
diff --git a/validator/autotrust.c b/validator/autotrust.c
index a533733c7..5bf815b5e 100644
--- a/validator/autotrust.c
+++ b/validator/autotrust.c
@@ -1571,6 +1571,11 @@ key_matches_a_ds(struct module_env* env, struct val_env* ve,
 verbose(VERB_ALGO, "DS match attempt failed");
 continue;
 }
+ /* match of hash is sufficient for bootstrap of trust point */
+ (void)reason;
+ (void)ve;
+ return 1;
+ /* no need to check RRSIG, DS hash already matched with source
 if(dnskey_verify_rrset(env, ve, dnskey_rrset, dnskey_rrset, key_idx, &reason) == sec_status_secure) {
 return 1;
@@ -1578,6 +1583,7 @@ key_matches_a_ds(struct module_env* env, struct val_env* ve,
 verbose(VERB_ALGO, "DS match failed because the key "
 "does not verify the keyset: %s", reason);
 }
+ */
 }
 return 0;
 }
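Review bot: In the first validator/autotrust.c hunk, the unconditional `return 1;` after the DS comparison makes a digest match the only condition for key_matches_a_ds to accept a key, and the new comment does not record what that decision relies on. With the dnskey_verify_rrset() call disabled, the key no longer has to sign the DNSKEY RRset it arrived in, so the result is only as trustworthy as the configured DS digest and whatever validation the caller has already applied to that RRset; the caller and the start of the function are outside the hunks, so this needs confirming there. If that precondition holds, I would state it in the comment, e.g. `/* DS digest match is sufficient: caller must already have validated dnskey_rrset against the trust point */`. The commented-out block (closed by the `*/` added in the second hunk) and the `(void)reason; (void)ve;` casts would be clearer as an outright deletion, since a disabled signature check left in a trust-anchor path is easy to misread as still active.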