From: Pieter Lexis
Date: Mon, 30 May 2016 16:36:35 +0000 (+0200)
Subject: Use configured trust anchors other than root
X-Git-Tag: rec-4.0.0-rc1~9^2~4
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=b2e3fc030479c1cc099cf07210f0cdf78422a557;p=pdns

Use configured trust anchors other than root
---

diff --git a/pdns/validate.cc b/pdns/validate.cc
index 222c8947d..8e322fbd6 100644
--- a/pdns/validate.cc
+++ b/pdns/validate.cc
@@ -167,22 +167,23 @@ vState getKeysFor(DNSRecordOracle& dro, const DNSName& zone, keyset_t &keyset)
 {
   auto luaLocal = g_luaconfs.getLocal();
   auto anchors = luaLocal->dsAnchors;
+  // Determine the lowest (i.e. with the most labels) Trust Anchor for zone
+  DNSName lowestTA(".");
+  for (auto const &anchor : anchors)
+    if (zone.isPartOf(anchor.first) && lowestTA.countLabels() < anchor.first.countLabels())
+      lowestTA = anchor.first;
   // Before searching for the keys, see if we have a Negative Trust Anchor. If
   // so, test if the NTA is valid and return an NTA state
   auto negAnchors = luaLocal->negAnchors;
   if (!negAnchors.empty()) {
-    DNSName lowestNTA, lowestTA;
+    DNSName lowestNTA;
     for (auto const &negAnchor : negAnchors)
       if (zone.isPartOf(negAnchor.first) && lowestNTA.countLabels() < negAnchor.first.countLabels())
         lowestNTA = negAnchor.first;
-    for (auto const &anchor : anchors)
-      if (zone.isPartOf(anchor.first) && lowestTA.countLabels() < anchor.first.countLabels())
-        lowestTA = anchor.first;
-
     if(!lowestNTA.empty()) {
       LOG("Found a Negative Trust Anchor for "<dsAnchors, qname))