
Rec: don't go bogus on zero configured DSs

Fixes #4430
1 parent 9e7120f commit 6b5a8f361c1df586e7ceb386dd864bc5c7c21174 @pieterlexis pieterlexis committed Sep 6, 2016
Showing with 24 additions and 0 deletions.
  1. +3 −0 pdns/validate.cc
  2. +21 −0 regression-tests.recursor-dnssec/test_NoDS.py
@@ -169,6 +169,9 @@ vState getKeysFor(DNSRecordOracle& dro, const DNSName& zone, keyset_t &keyset)
{
auto luaLocal = g_luaconfs.getLocal();
auto anchors = luaLocal->dsAnchors;
+ if (anchors.empty()) // Nothing to do here
+ return Insecure;
+
// Determine the lowest (i.e. with the most labels) Trust Anchor for zone
DNSName lowestTA(".");
for (auto const &anchor : anchors)
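Review bot: The early return in getKeysFor turns an empty `dsAnchors` into `Insecure` for every zone, so a resolver running with `dnssec=validate` but no trust anchors stops validating without saying so, and the comment `// Nothing to do here` does not convey that. I would word it as `// No trust anchors configured: nothing can be validated, so the result is Insecure rather than Bogus`. If nothing else already does so (not visible in this hunk), a warning logged when the anchor set is found empty at configuration load would let an operator notice an accidental `clearDS(".")`. The check could also test `luaLocal->dsAnchors.empty()` before the map is copied into `anchors`. getKeysFor's body continues past the end of the hunk.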
@@ -0,0 +1,21 @@
+import dns
+from recursortests import RecursorTest
+
+
+class testNoDS(RecursorTest):
+ _confdir = 'NoDS'
+
+ _config_template = """dnssec=validate"""
+ _lua_config_file = """clearDS(".")"""
+
+ def testNoDSInsecure(self):
+ """#4430 When the root DS is removed, the result must be Insecure"""
+
+ msg = dns.message.make_query("ted.bogus.example.", dns.rdatatype.A)
+ msg.flags = dns.flags.from_text('AD RD')
+ msg.use_edns(edns=0, ednsflags=dns.flags.edns_from_text('DO'))
+
+ res = self.sendUDPQuery(msg)
+
+ self.assertMessageHasFlags(res, ['QR', 'RA', 'RD'], ['DO'])
+ self.assertRcodeEqual(res, dns.rcode.NOERROR)
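Review bot: testNoDSInsecure checks only the header flags and the rcode, so a NOERROR response with an empty answer section would pass just as well as a genuine Insecure answer. If `assertMessageHasFlags` compares the complete flag set (its definition is not on this page), the absence of AD is covered implicitly. That still deserves a one-line comment such as `# AD must not be set: without a trust anchor the answer is Insecure`. An assertion on the answer RRset for `ted.bogus.example.` would pin the behaviour the commit fixes. The bare `import dns` also appears to rely on another module having already loaded `dns.message`, `dns.flags`, `dns.rdatatype` and `dns.rcode`; importing those submodules explicitly would make the file self-contained.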
