Rec: don't go bogus on zero configured DSs
authorPieter Lexis <pieter.lexis@powerdns.com>
Tue, 6 Sep 2016 14:58:14 +0000 (16:58 +0200)
committerPieter Lexis <pieter.lexis@powerdns.com>
Thu, 20 Oct 2016 08:11:08 +0000 (10:11 +0200)
Fixes #4430

pdns/validate.cc
regression-tests.recursor-dnssec/test_NoDS.py [new file with mode: 0644]

index d1fdf4eef7188fd4be9afa22ce51bec7b2f8e66f..337b61252b53d759cb302f72c6ec6ba9428111a7 100644 (file)
@@ -169,6 +169,9 @@ vState getKeysFor(DNSRecordOracle& dro, const DNSName& zone, keyset_t &keyset)
 {
   auto luaLocal = g_luaconfs.getLocal();
   auto anchors = luaLocal->dsAnchors;
+  if (anchors.empty()) // Nothing to do here
+    return Insecure;
+
   // Determine the lowest (i.e. with the most labels) Trust Anchor for zone
   DNSName lowestTA(".");
   for (auto const &anchor : anchors)
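Review bot: The early return added at `if (anchors.empty())` downgrades every answer to Insecure without telling the operator, so a Lua config that removes all DS records switches validation off even though `dnssec=validate` is still set. The comment `// Nothing to do here` does not explain that choice; I would replace it with `// No trust anchors configured: nothing can be validated, so report Insecure rather than Bogus (#4430)`. A one-time warning when the anchor set ends up empty would also help, probably where the Lua config is loaded rather than in this per-query path. The rest of getKeysFor lies outside the hunk, so whether a later path already logs this is not visible here.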
diff --git a/regression-tests.recursor-dnssec/test_NoDS.py b/regression-tests.recursor-dnssec/test_NoDS.py
new file mode 100644 (file)
index 0000000..5e9e913
--- /dev/null
@@ -0,0 +1,21 @@
+import dns
+from recursortests import RecursorTest
+
+
+class testNoDS(RecursorTest):
+    _confdir = 'NoDS'
+
+    _config_template = """dnssec=validate"""
+    _lua_config_file = """clearDS(".")"""
+
+    def testNoDSInsecure(self):
+        """#4430 When the root DS is removed, the result must be Insecure"""
+
+        msg = dns.message.make_query("ted.bogus.example.", dns.rdatatype.A)
+        msg.flags = dns.flags.from_text('AD RD')
+        msg.use_edns(edns=0, ednsflags=dns.flags.edns_from_text('DO'))
+
+        res = self.sendUDPQuery(msg)
+
+        self.assertMessageHasFlags(res, ['QR', 'RA', 'RD'], ['DO'])
+        self.assertRcodeEqual(res, dns.rcode.NOERROR)
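Review bot: testNoDSInsecure never states that the AD bit must be clear, which is the property that separates Insecure from Secure for a client; it only checks the rcode and a flag list. If `assertMessageHasFlags` rejects flags that are not listed, the check is implicit and deserves a comment such as `# AD must not be set: with no trust anchors nothing is authenticated`; that helper is not shown here, so if it only checks for presence, add an explicit assertion that AD is absent from `res.flags`. Separately, `import dns` on its own does not load `dns.message`, `dns.flags`, `dns.rdatatype` or `dns.rcode`, so the test appears to rely on `recursortests` importing them; importing the submodules it uses would make the file self-contained.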