author | 2017-08-23 11:23:33 +0000 | |
---|---|---|
committer | 2017-08-23 11:23:33 +0000 | |
commit | 74775603e45e709814c37d6edce8e79e63ce7a38 (patch) | |
tree | 0cb0ea4bacfb77961ba6a65371ede05b87d7adc9 | |
parent | catch up with ASCII renderings in chars.c rev. 1.42 (diff) | |
Fix trust anchor installation when two anchors are present. Concretely, fixes
root.key creation if unbound is installed between sep11 and oct11 2017. Looks
good to jca.
This is the only substantial change in Unbound 1.6.5; next commit will sync
ancillary files.
-rw-r--r-- | usr.sbin/unbound/validator/autotrust.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/usr.sbin/unbound/validator/autotrust.c b/usr.sbin/unbound/validator/autotrust.c
index a533733c7a6..5bf815b5ec1 100644
--- a/usr.sbin/unbound/validator/autotrust.c
+++ b/usr.sbin/unbound/validator/autotrust.c
@@ -1571,6 +1571,11 @@ key_matches_a_ds(struct module_env* env, struct val_env* ve,
 verbose(VERB_ALGO, "DS match attempt failed");
 continue;
 }
+ /* match of hash is sufficient for bootstrap of trust point */
+ (void)reason;
+ (void)ve;
+ return 1;
+ /* no need to check RRSIG, DS hash already matched with source
 if(dnskey_verify_rrset(env, ve, dnskey_rrset, dnskey_rrset, key_idx, &reason) == sec_status_secure) {
 return 1;
@@ -1578,6 +1583,7 @@ key_matches_a_ds(struct module_env* env, struct val_env* ve,
 verbose(VERB_ALGO, "DS match failed because the key " "does not verify the keyset: %s", reason);
 }
+ */
 }
 return 0;
 } |
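Review bot: The `return 1;` added after the `continue` branch in the first hunk accepts a DNSKEY on the DS digest match alone, with the `dnskey_verify_rrset` self-signature check disabled by a block comment that the second hunk closes (`+ */`), so this path is only as trustworthy as the origin of the DS set. The new comment should spell out that precondition, e.g. `/* DS hash match alone is accepted: the DS set must come from the locally configured trust anchor, not from an unvalidated response */`; the callers are outside the hunk, so whether that always holds cannot be confirmed from here. I would also delete the disabled block or wrap it in `#if 0` rather than comment it out, because block comments do not nest and any `/* */` later added inside would end the comment early. key_matches_a_ds begins above the first hunk, so the loop and the declaration of `reason` are not visible.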