From: Pieter Lexis
Date: Tue, 6 Sep 2016 14:58:14 +0000 (+0200)
Subject: Rec: don't go bogus on zero configured DSs
X-Git-Tag: rec-4.0.4~25^2
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=6b5a8f361c1df586e7ceb386dd864bc5c7c21174;p=pdns
Rec: don't go bogus on zero configured DSs
Fixes #4430
---
diff --git a/pdns/validate.cc b/pdns/validate.cc
index d1fdf4eef..337b61252 100644
--- a/pdns/validate.cc
+++ b/pdns/validate.cc
@@ -169,6 +169,9 @@ vState getKeysFor(DNSRecordOracle& dro, const DNSName& zone, keyset_t &keyset)
 {
 auto luaLocal = g_luaconfs.getLocal();
 auto anchors = luaLocal->dsAnchors;
+ if (anchors.empty()) // Nothing to do here
+ return Insecure;
+
 // Determine the lowest (i.e. with the most labels) Trust Anchor for zone
 DNSName lowestTA(".");
 for (auto const &anchor : anchors)
diff --git a/regression-tests.recursor-dnssec/test_NoDS.py b/regression-tests.recursor-dnssec/test_NoDS.py
new file mode 100644
index 000000000..5e9e9131e
--- /dev/null
+++ b/regression-tests.recursor-dnssec/test_NoDS.py
@@ -0,0 +1,21 @@
+import dns
+from recursortests import RecursorTest
+
+
+class testNoDS(RecursorTest):
+ _confdir = 'NoDS'
+
+ _config_template = """dnssec=validate"""
+ _lua_config_file = """clearDS(".")"""
+
+ def testNoDSInsecure(self):
+ """#4430 When the root DS is removed, the result must be Insecure"""
+
+ msg = dns.message.make_query("ted.bogus.example.", dns.rdatatype.A)
+ msg.flags = dns.flags.from_text('AD RD')
+ msg.use_edns(edns=0, ednsflags=dns.flags.edns_from_text('DO'))
+
+ res = self.sendUDPQuery(msg)
+
+ self.assertMessageHasFlags(res, ['QR', 'RA', 'RD'], ['DO'])
+ self.assertRcodeEqual(res, dns.rcode.NOERROR)
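Review bot: The new `anchors.empty()` guard in getKeysFor covers only the case of zero configured trust anchors; when anchors exist but none is at or above `zone`, `lowestTA` keeps its initial value `.` and the code after the loop may still behave as if a root anchor were present. The loop body and the rest of the function lie outside this hunk, so this is inferred and should be confirmed; if it holds, the Insecure decision belongs after the loop, based on whether any anchor actually matched. The comment `// Nothing to do here` also understates a security-relevant outcome, and I would write `// No trust anchors configured: nothing can be validated, so every zone is Insecure` so that a reader sees that `dnssec=validate` with an empty anchor set performs no validation.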
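Review bot: testNoDSInsecure promises Insecure in its docstring but only pins the rcode and a flag list, so whether a response wrongly marked as Secure would fail depends on `assertMessageHasFlags` rejecting extra flags, which is not visible on this page. The query sets AD, so an explicit check such as `self.assertFalse(res.flags & dns.flags.AD)` after the rcode assertion would make the intent independent of that helper. Separately, the file does only `import dns` and then uses `dns.message`, `dns.rdatatype`, `dns.flags` and `dns.rcode`, which works only if `recursortests` has already imported those submodules; importing them explicitly, or adding a comment such as `# dns submodules are imported by recursortests`, would remove the hidden dependency.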