Diffstat (limited to 'usr.sbin/unbound/validator/val_utils.c')
-rw-r--r-- | usr.sbin/unbound/validator/val_utils.c | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/usr.sbin/unbound/validator/val_utils.c b/usr.sbin/unbound/validator/val_utils.c
index d4a64464d80..73e7dbd9020 100644
--- a/usr.sbin/unbound/validator/val_utils.c
+++ b/usr.sbin/unbound/validator/val_utils.c
@@ -486,7 +486,7 @@ val_verify_DNSKEY_with_DS(struct module_env* env, struct val_env* ve,
 /* Once we see a single DS with a known digestID and
 * algorithm, we cannot return INSECURE (with a
 * "null" KeyEntry). */
- has_useful_ds = true;
+ has_useful_ds = 1;
 sec = verify_dnskeys_with_ds_rr(env, ve, dnskey_rrset, ds_rrset, i, reason);
@@ -596,7 +596,7 @@ val_verify_DNSKEY_with_TA(struct module_env* env, struct val_env* ve,
 /* Once we see a single DS with a known digestID and
 * algorithm, we cannot return INSECURE (with a
 * "null" KeyEntry). */
- has_useful_ta = true;
+ has_useful_ta = 1;
 sec = verify_dnskeys_with_ds_rr(env, ve, dnskey_rrset, ta_ds, i, reason);
@@ -622,7 +622,7 @@ val_verify_DNSKEY_with_TA(struct module_env* env, struct val_env* ve,
 continue;
 /* we saw a useful TA */
- has_useful_ta = true;
+ has_useful_ta = 1;
 sec = dnskey_verify_rrset(env, ve, dnskey_rrset, ta_dnskey, i, reason);
@@ -773,6 +773,8 @@ rrset_has_signer(struct ub_packed_rrset_key* rrset, uint8_t* name, size_t len)
 for(i = d->count; i< d->count+d->rrsig_count; i++) {
 if(d->rr_len[i] > 2+18+len) {
 /* at least rdatalen + signature + signame (+1 sig)*/
+ if(!dname_valid(d->rr_data[i]+2+18, d->rr_len[i]-2-18))
+ continue;
 if(query_dname_compare(name, d->rr_data[i]+2+18) == 0) {
 return 1; |
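Review bot: The new `dname_valid()` guard in rrset_has_signer (last hunk) has no comment saying why it is needed, and the existing one above it only explains the length test. The call that follows, `query_dname_compare(name, d->rr_data[i]+2+18)`, is given no length, so presumably the guard is what keeps a malformed signer name in received RRSIG rdata from being walked past `d->rr_len[i]`. I would state that above the check, e.g. `/* signer name must be a well-formed dname inside the rdata; the compare below is not length-bounded */`. The offset `2+18` now appears three times in this block, and a local such as `uint8_t* signer = d->rr_data[i]+2+18;` would keep the validated pointer and the compared pointer visibly the same. The loop and function body continue outside the hunk.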