From: Dag-Erling Smørgrav
Date: Thu, 31 Aug 2017 12:02:14 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r323049 - head/contrib/unbound/validator

Author: des
Date: Thu Aug 31 12:02:14 2017
New Revision: 323049
URL: https://svnweb.freebsd.org/changeset/base/323049

Log:
  Merge upstream r4302 to support multiple concurrently valid anchors.

  If an unpatched unbound-anchor is run without a preexisting root anchor
  between 2017-09-11 and 2017-10-11, it will fail and Unbound will not be
  able to start unless the validator is disabled.

  An EN will be issued with patches for existing systems and information
  on how to work around the issue on new installations.

Modified:
  head/contrib/unbound/validator/autotrust.c
Directory Properties:
  head/contrib/unbound/ (props changed)

Modified: head/contrib/unbound/validator/autotrust.c
============================================================================== --- head/contrib/unbound/validator/autotrust.c Thu Aug 31 11:43:21 2017 (r323048) +++ head/contrib/unbound/validator/autotrust.c Thu Aug 31 12:02:14 2017 (r323049) 
@@ -1571,6 +1571,11 @@ key_matches_a_ds(struct module_env* env, struct val_en verbose(VERB_ALGO, "DS match attempt failed"); continue; } + /* match of hash is sufficient for bootstrap of trust point */ + (void)reason; + (void)ve; + return 1; + /* no need to check RRSIG, DS hash already matched with source if(dnskey_verify_rrset(env, ve, dnskey_rrset, dnskey_rrset, key_idx, &reason) == sec_status_secure) { return 1; @@ -1578,6 +1583,7 @@ key_matches_a_ds(struct module_env* env, struct val_en verbose(VERB_ALGO, "DS match failed because the key " "does not verify the keyset: %s", reason); } + */ } return 0; }
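Review bot: The added `return 1;` in the first hunk (@@ -1571) makes key_matches_a_ds accept a DNSKEY on the DS hash match alone, and the one-line comment above it does not say why that is safe or where the DS is expected to come from. The `dnskey_verify_rrset()` check that used to gate the `return 1` is no longer reached, so please expand the comment to state the trust assumption the commented-out text hints at ("DS hash already matched with source") and that this relaxation is meant only for bootstrapping a trust point. The `(void)reason; (void)ve;` casts show that `ve` is now unused on this path; a short note saying they are kept only to silence unused warnings would help whoever next merges from upstream.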
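Review bot: The lone `*/` added in the second hunk (@@ -1578) closes a block comment opened in the previous hunk on the line `/* no need to check RRSIG, DS hash already matched with source`, so the explanation and the disabled `dnskey_verify_rrset()` code share one comment. That is fragile: any `/* ... */` later introduced inside the disabled block would end the comment early and silently re-enable part of the code, and the code is unreachable after the earlier `return 1;` anyway. Suggest either deleting the dead block or wrapping it in `#if 0` / `#endif`, and keeping the explanatory sentence as its own closed comment.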