Date:      Thu, 31 Aug 2017 12:02:14 +0000 (UTC)
From:      Dag-Erling Smørgrav <des@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r323049 - head/contrib/unbound/validator
Message-ID:  <201708311202.v7VC2E0U000518@repo.freebsd.org>

Author: des
Date: Thu Aug 31 12:02:14 2017
New Revision: 323049
URL: https://svnweb.freebsd.org/changeset/base/323049

Log:
  Merge upstream r4302 to support multiple concurrently valid anchors.
  
  If an unpatched unbound-anchor is run without a preexisting root anchor
  between 2017-09-11 and 2017-10-11, it will fail and Unbound will not be
  able to start unless the validator is disabled.  An EN will be issued
  with patches for existing systems and information on how to work around
  the issue on new installations.

Modified:
  head/contrib/unbound/validator/autotrust.c
Directory Properties:
  head/contrib/unbound/   (props changed)

Modified: head/contrib/unbound/validator/autotrust.c
==============================================================================
--- head/contrib/unbound/validator/autotrust.c	Thu Aug 31 11:43:21 2017	(r323048)
+++ head/contrib/unbound/validator/autotrust.c	Thu Aug 31 12:02:14 2017	(r323049)
@@ -1571,6 +1571,11 @@ key_matches_a_ds(struct module_env* env, struct val_en
 			verbose(VERB_ALGO, "DS match attempt failed");
 			continue;
 		}
+		/* match of hash is sufficient for bootstrap of trust point */
+		(void)reason;
+		(void)ve;
+		return 1;
+		/* no need to check RRSIG, DS hash already matched with source
 		if(dnskey_verify_rrset(env, ve, dnskey_rrset, 
 			dnskey_rrset, key_idx, &reason) == sec_status_secure) {
 			return 1;
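Review bot: the unconditional `return 1;` added directly after the DS-match failure branch makes key_matches_a_ds() report success on a digest match alone, so the dnskey_verify_rrset() check that follows never runs. The new comment says a hash match is sufficient for bootstrap of a trust point, but nothing in this hunk ties the function to the bootstrap path. Please state that precondition in the function's header comment so a later caller does not rely on this function for a keyset signature check it no longer performs. The `(void)reason;` and `(void)ve;` casts exist only to silence unused-variable warnings; if the verification branch is gone for good, dropping the `reason` local and marking the parameter unused in the signature would be cleaner than casting.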
@@ -1578,6 +1583,7 @@ key_matches_a_ds(struct module_env* env, struct val_en
 			verbose(VERB_ALGO, "DS match failed because the key "
 				"does not verify the keyset: %s", reason);
 		}
+		*/
 	}
 	return 0;
 }
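Review bot: the lone `*/` added after the `verbose(...)` call closes a comment that was opened in the previous hunk, which leaves the old dnskey_verify_rrset() branch and its "DS match failed because the key does not verify the keyset" diagnostic as dead code inside a block comment. A block comment is a fragile way to disable code, because any `*/` that later appears inside the span ends it early and silently re-enables part of the branch. Prefer deleting the branch outright or wrapping it in `#if 0` / `#endif`, with the explanatory comment closed on its own line. Since the log describes this as a merge of upstream r4302, a cleanup is best raised upstream so the contrib copy does not diverge.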


