omitted some test files

3121.   [security]      An authoritative name server sending a negative
                        response containing a very large RRset could
                        trigger an off-by-one error in the ncache code
                        and crash named. [RT #24650]

3120.	[bug]		Named could fail to validate zones listed in a DLV
			that validated insecure without using DLV and had
			DS records in the parent zone. [RT #24631]

CHANGES

@@ -1,3 +1,14 @@
+	--- 9.4-ESV-R4-P1 released ---
+
+3121.   [security]      An authoritative name server sending a negative
+                        response containing a very large RRset could
+                        trigger an off-by-one error in the ncache code
+                        and crash named. [RT #24650]
+
+3120.	[bug]		Named could fail to validate zones listed in a DLV
+			that validated insecure without using DLV and had
+			DS records in the parent zone. [RT #24631]
+
 	--- 9.4-ESV-R4 released ---
 
 2970.	[security]	Adding a NO DATA negative cache entry failed to clear

RELEASE-NOTES-BIND-9.4-ESV.html

@@ -1,123 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<!--
- - Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
- -
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: RELEASE-NOTES-BIND-9.4-ESV.html,v 1.1.2.2 2010/11/29 01:15:44 tbox Exp $ -->
-
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title></title><link rel="stylesheet" type="text/css" href="release-notes.css" /><meta name="generator" content="DocBook XSL Stylesheets V1.76.1" /></head><body><div class="article"><div class="titlepage"><hr /></div>
-
-  <div class="section" title="Introduction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id36111797"></a>Introduction</h2></div></div></div>
-    
-    <p>
-			BIND 9.3-ESV-R4 is a maintenance release for BIND 9.4-ESV.
-		</p>
-    <p>
-			This document summarizes changes from BIND 9.4-ESV-R3 to BIND 9.4-ESV-R4.
-			Please see the CHANGES file in the source code release for a
-			complete list of all changes.
-		</p>
-  </div>
-
-  <div class="section" title="Download"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id36111880"></a>Download</h2></div></div></div>
-    
-    <p>
-			The latest release of BIND 9 software can always be found
-	 		on our web site at
-      <a class="ulink" href="http://www.isc.org/software/bind" target="_top">http://www.isc.org/software/bind</a>.
-  		There you will find additional information about each release,
- 			source code, and some pre-compiled versions for certain operating
- 			systems.
-		</p>
-  </div>
-
-  <div class="section" title="Support"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id36111815"></a>Support</h2></div></div></div>
-    
-    <p>Product support information is available on
-      <a class="ulink" href="http://www.isc.org/services/support" target="_top">http://www.isc.org/services/support</a>
-      for paid support options.  Free support is provided by our user
- 			community via a mailing list.  Information on all public email
- 			lists is available at
-      <a class="ulink" href="https://lists.isc.org/mailman/listinfo" target="_top">https://lists.isc.org/mailman/listinfo</a>.
-    </p>
-  </div>
-
-  <div class="section" title="New Features"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id36111957"></a>New Features</h2></div></div></div>
-    
-		<div class="section" title="9.4-ESV-R4"><div class="titlepage"><div><div><h3 class="title"><a id="id36111972"></a>9.4-ESV-R4</h3></div></div></div>
-			
-			<p>None.</p>
-		</div>
-  </div>
-
-  <div class="section" title="Feature Changes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id36111905"></a>Feature Changes</h2></div></div></div>
-    
-		<div class="section" title="9.4-ESV-R4"><div class="titlepage"><div><div><h3 class="title"><a id="id36111988"></a>9.4-ESV-R4</h3></div></div></div>
-			
-			<p>None.</p>
-		</div>
-  </div>
-
-  <div class="section" title="Security Fixes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id36111999"></a>Security Fixes</h2></div></div></div>
-    
-		<div class="section" title="9.4-ESV-R4"><div class="titlepage"><div><div><h3 class="title"><a id="id36112004"></a>9.4-ESV-R4</h3></div></div></div>
-			
-			<div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
-				 	Adding a NO DATA signed negative response to cache failed to clear
-				  any matching RRSIG records already in cache. A subsequent lookup
-				  of the cached NO DATA entry could crash named (INSIST) when the
-				  unexpected RRSIG was also returned with the NO DATA cache entry.
-				  [RT #22288] [CVE-2010-3613] [VU#706148]
-				</li><li class="listitem">
-					BIND, acting as a DNSSEC validator, was determining if the NS RRset
-				  is insecure based on a value that could mean either that the RRset
-				  is actually insecure or that there wasn't a matching key for the RRSIG
-				  in the DNSKEY RRset when resuming from validating the DNSKEY RRset.
-				  This can happen when in the middle of a DNSKEY algorithm rollover,
-				  when two different algorithms were used to sign a zone but only the
-				  new set of keys are in the zone DNSKEY RRset.
-					[RT #22309] [CVE-2010-3614] [VU#837744]
-				</li></ul></div>
-		</div>
-  </div>
-
-  <div class="section" title="Bug Fixes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id36112029"></a>Bug Fixes</h2></div></div></div>
-    
-		<div class="section" title="9.4-ESV-R4"><div class="titlepage"><div><div><h3 class="title"><a id="id36112035"></a>9.4-ESV-R4</h3></div></div></div>
-			
-	    <div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
-          isc_print_vsnprintf() failed to check if there was
-					space available in the buffer when adding a left
-					justified character with a non zero width,
-					(e.g. "%-1c").
-					[RT #22270]
-				</li><li class="listitem">
-          win32: add more dependencies to BINDBuild.dsw.
-          [RT #22062]
-				</li></ul></div>
-		</div>
-  </div>
-
-  <div class="section" title="Thank You"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id36112054"></a>Thank You</h2></div></div></div>
-    
-    <p>
-      Thank you to everyone who assisted us in making this release possible.
-      If you would like to contribute to ISC to assist us in continuing to make
-      quality open source software, please visit our donations page at
-      <a class="ulink" href="http://www.isc.org/supportisc" target="_top">http://www.isc.org/supportisc</a>.
-    </p>
-  </div>
-</div></body></html>

RELEASE-NOTES-BIND-9.4-ESV.txt

@@ -1,70 +0,0 @@
-     __________________________________________________________________
-
-Introduction
-
-   BIND 9.3-ESV-R4 is a maintenance release for BIND 9.4-ESV.
-
-   This document summarizes changes from BIND 9.4-ESV-R3 to BIND
-   9.4-ESV-R4. Please see the CHANGES file in the source code release for
-   a complete list of all changes.
-
-Download
-
-   The latest release of BIND 9 software can always be found on our web
-   site at http://www.isc.org/software/bind. There you will find
-   additional information about each release, source code, and some
-   pre-compiled versions for certain operating systems.
-
-Support
-
-   Product support information is available on
-   http://www.isc.org/services/support for paid support options. Free
-   support is provided by our user community via a mailing list.
-   Information on all public email lists is available at
-   https://lists.isc.org/mailman/listinfo.
-
-New Features
-
-9.4-ESV-R4
-
-   None.
-
-Feature Changes
-
-9.4-ESV-R4
-
-   None.
-
-Security Fixes
-
-9.4-ESV-R4
-
-     * Adding a NO DATA signed negative response to cache failed to clear
-       any matching RRSIG records already in cache. A subsequent lookup of
-       the cached NO DATA entry could crash named (INSIST) when the
-       unexpected RRSIG was also returned with the NO DATA cache entry.
-       [RT #22288] [CVE-2010-3613] [VU#706148]
-     * BIND, acting as a DNSSEC validator, was determining if the NS RRset
-       is insecure based on a value that could mean either that the RRset
-       is actually insecure or that there wasn't a matching key for the
-       RRSIG in the DNSKEY RRset when resuming from validating the DNSKEY
-       RRset. This can happen when in the middle of a DNSKEY algorithm
-       rollover, when two different algorithms were used to sign a zone
-       but only the new set of keys are in the zone DNSKEY RRset. [RT
-       #22309] [CVE-2010-3614] [VU#837744]
-
-Bug Fixes
-
-9.4-ESV-R4
-
-     * isc_print_vsnprintf() failed to check if there was space available
-       in the buffer when adding a left justified character with a non
-       zero width, (e.g. "%-1c"). [RT #22270]
-     * win32: add more dependencies to BINDBuild.dsw. [RT #22062]
-
-Thank You
-
-   Thank you to everyone who assisted us in making this release possible.
-   If you would like to contribute to ISC to assist us in continuing to
-   make quality open source software, please visit our donations page at
-   http://www.isc.org/supportisc.

bin/tests/system/dlv/clean.sh

@@ -14,17 +14,30 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: clean.sh,v 1.2.2.3 2010/06/04 23:46:02 tbox Exp $
+# $Id: clean.sh,v 1.2.2.3.10.1 2011/05/26 23:56:25 each Exp $
 
 rm -f random.data
 rm -f ns*/named.run
+rm -f ns1/K*
+rm -f ns1/dsset-*
+rm -f ns1/*.signed
+rm -f ns1/signer.err
+rm -f ns1/root.db
+rm -f ns2/K*
+rm -f ns2/dlvset-*
+rm -f ns2/dsset-*
+rm -f ns2/*.signed
+rm -f ns2/*.pre
+rm -f ns2/signer.err
+rm -f ns2/druz.db
 rm -f ns3/K*
 rm -f ns3/*.db
 rm -f ns3/*.signed
 rm -f ns3/dlvset-*
 rm -f ns3/dsset-*
 rm -f ns3/keyset-*
-rm -f ns3/trusted.conf ns5/trusted.conf
+rm -f ns1/trusted.conf ns5/trusted.conf
+rm -f ns3/trusted-dlv.conf ns5/trusted-dlv.conf
 rm -f ns3/signer.err
 rm -f ns6/K*
 rm -f ns6/*.db

bin/tests/system/dlv/ns1/named.conf

@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.2 2004/05/14 04:58:20 marka Exp $ */
+/* $Id: named.conf,v 1.2.2.1.82.1 2011/05/26 23:56:26 each Exp $ */
 
 controls { /* empty */ };
 
@@ -28,8 +28,8 @@ options {
 	listen-on-v6 { none; };
 	recursion no;
 	notify yes;
-	dnssec-enable no;
+	dnssec-enable yes;
 };
 
-zone "." { type master; file "root.db"; };
+zone "." { type master; file "root.signed"; };
 zone "rootservers.utld" { type master; file "rootservers.utld.db"; };

bin/tests/system/dlv/ns1/root.db.in

@@ -1,6 +1,6 @@
-; Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+; Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
 ;
-; Permission to use, copy, modify, and distribute this software for any
+; Permission to use, copy, modify, and/or distribute this software for any
 ; purpose with or without fee is hereby granted, provided that the above
 ; copyright notice and this permission notice appear in all copies.
 ;
@@ -12,7 +12,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: root.db,v 1.2 2004/05/14 04:58:20 marka Exp $
+; $Id: root.db.in,v 1.3.12.2 2011/05/27 04:03:45 each Exp $
 
 $TTL	120
 @		SOA	ns.rootservers.utld hostmaster.ns.rootservers.utld (
@@ -22,3 +22,5 @@ ns		A	10.53.0.1
 ;
 utld		NS	ns.utld
 ns.utld		A	10.53.0.2
+druz		NS	ns.druz
+ns.druz		A	10.53.0.2

bin/tests/system/dlv/ns1/sign.sh

@@ -0,0 +1,52 @@
+#!/bin/sh
+#
+# Copyright (C) 2004, 2007, 2009, 2010  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: sign.sh,v 1.3.12.2 2011/05/27 04:03:45 each Exp $
+
+(cd ../ns2 && sh -e ./sign.sh || exit 1)
+
+echo "I:dlv/ns1/sign.sh"
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+RANDFILE=../random.data
+
+zone=.
+infile=root.db.in
+zonefile=root.db
+outfile=root.signed
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` 
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -r $RANDFILE -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+
+echo "I: signed $zone"
+
+grep -v '^;' $keyname2.key | $PERL -n -e '
+local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split;
+local $key = join("", @rest);
+print <<EOF
+trusted-keys {
+    "$dn" $flags $proto $alg "$key";
+};
+EOF
+' > trusted.conf
+cp trusted.conf ../ns5
+

bin/tests/system/dlv/ns2/druz.db.in

@@ -0,0 +1,54 @@
+; Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: druz.db.in,v 1.4.12.2 2011/05/27 04:03:46 each Exp $
+
+$TTL	120
+@		SOA	ns hostmaster.ns 1 3600 1200 604800 60
+@		NS	ns
+ns		A	10.53.0.2
+;
+rootservers	NS	ns.rootservers
+ns.rootservers	A	10.53.0.1
+;
+;
+child1		NS	ns.child1
+ns.child1	A	10.53.0.3
+;
+child2		NS	ns.child2
+ns.child2	A	10.53.0.4
+;
+child3		NS	ns.child3
+ns.child3	A	10.53.0.3
+;
+child4		NS	ns.child4
+ns.child4	A	10.53.0.3
+;
+child5		NS	ns.child5
+ns.child5	A	10.53.0.3
+;
+child6		NS	ns.child6
+ns.child6	A	10.53.0.4
+;
+child7		NS	ns.child7
+ns.child7	A	10.53.0.3
+;
+child8		NS	ns.child8
+ns.child8	A	10.53.0.3
+;
+child9		NS	ns.child9
+ns.child9	A	10.53.0.3
+;
+child10		NS	ns.child10
+ns.child10	A	10.53.0.3

bin/tests/system/dlv/ns2/named.conf

@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.2 2004/05/14 04:58:21 marka Exp $ */
+/* $Id: named.conf,v 1.2.2.1.82.1 2011/05/26 23:56:26 each Exp $ */
 
 controls { /* empty */ };
 
@@ -28,8 +28,9 @@ options {
 	listen-on-v6 { none; };
 	recursion no;
 	notify yes;
-	dnssec-enable no;
+	dnssec-enable yes;
 };
 
 zone "." { type hint; file "hints"; };
 zone "utld" { type master; file "utld.db"; };
+zone "druz" { type master; file "druz.signed"; };

bin/tests/system/dlv/ns2/sign.sh

@@ -0,0 +1,44 @@
+#!/bin/sh
+#
+# Copyright (C) 2004, 2007, 2009, 2010  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: sign.sh,v 1.3.12.2 2011/05/27 04:03:46 each Exp $
+
+(cd ../ns3 && sh -e ./sign.sh || exit 1)
+
+echo "I:dlv/ns2/sign.sh"
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+RANDFILE=../random.data
+
+zone=druz.
+infile=druz.db.in
+zonefile=druz.db
+outfile=druz.pre
+dlvzone=utld.
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` 
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -r $RANDFILE -l $dlvzone -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+
+$CHECKZONE -q -D -i none druz druz.pre |
+sed '/IN DNSKEY/s/\([a-z0-9A-Z/]\{10\}\)[a-z0-9A-Z/]\{16\}/\1XXXXXXXXXXXXXXXX/'> druz.signed
+
+echo "I: signed $zone"

bin/tests/system/dlv/ns3/named.conf

@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.2 2004/05/14 04:58:22 marka Exp $ */
+/* $Id: named.conf,v 1.2.2.1.82.1 2011/05/26 23:56:26 each Exp $ */
 
 controls { /* empty */ };
 
@@ -41,3 +41,11 @@ zone "child7.utld" { type master; file "child7.signed"; };	// no dlv
 zone "child8.utld" { type master; file "child8.signed"; };	// no dlv
 zone "child9.utld" { type master; file "child9.signed"; };	// dlv
 zone "child10.utld" { type master; file "child.db.in"; }; 	// dlv unsigned
+zone "child1.druz" { type master; file "child1.druz.signed"; };	// dlv
+zone "child3.druz" { type master; file "child3.druz.signed"; };	// dlv
+zone "child4.druz" { type master; file "child4.druz.signed"; };	// dlv
+zone "child5.druz" { type master; file "child5.druz.signed"; };	// dlv
+zone "child7.druz" { type master; file "child7.druz.signed"; };	// no dlv
+zone "child8.druz" { type master; file "child8.druz.signed"; };	// no dlv
+zone "child9.druz" { type master; file "child9.druz.signed"; };	// dlv
+zone "child10.druz" { type master; file "child.db.in"; }; 	// dlv unsigned

bin/tests/system/dlv/ns3/sign.sh

@@ -14,21 +14,24 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: sign.sh,v 1.2.2.3 2010/06/04 23:46:02 tbox Exp $
+# $Id: sign.sh,v 1.2.2.3.10.1 2011/05/26 23:56:26 each Exp $
 
 (cd ../ns6 && sh -e sign.sh)
 
+echo "I:dlv/ns3/sign.sh"
+
 SYSTEMTESTTOP=../..
 . $SYSTEMTESTTOP/conf.sh
 
 RANDFILE=../random.data
+dlvzone=dlv.utld.
 dlvsets=
+dssets=
 
 zone=child1.utld.
 infile=child.db.in
 zonefile=child1.utld.db
 outfile=child1.signed
-dlvzone=dlv.utld.
 dlvsets="$dlvsets dlvset-$zone"
 
 keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` 
@@ -44,7 +47,6 @@ zone=child3.utld.
 infile=child.db.in
 zonefile=child3.utld.db
 outfile=child3.signed
-dlvzone=dlv.utld.
 dlvsets="$dlvsets dlvset-$zone"
 
 keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
@@ -60,7 +62,6 @@ zone=child4.utld.
 infile=child.db.in
 zonefile=child4.utld.db
 outfile=child4.signed
-dlvzone=dlv.utld.
 dlvsets="$dlvsets dlvset-$zone"
 
 keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
@@ -76,7 +77,6 @@ zone=child5.utld.
 infile=child.db.in
 zonefile=child5.utld.db
 outfile=child5.signed
-dlvzone=dlv.utld.
 dlvsets="$dlvsets dlvset-$zone"
 
 keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
@@ -92,7 +92,6 @@ zone=child7.utld.
 infile=child.db.in
 zonefile=child7.utld.db
 outfile=child7.signed
-dlvzone=dlv.utld.
 
 keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
 keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
@@ -107,7 +106,6 @@ zone=child8.utld.
 infile=child.db.in
 zonefile=child8.utld.db
 outfile=child8.signed
-dlvzone=dlv.utld.
 
 keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
 keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
@@ -122,7 +120,6 @@ zone=child9.utld.
 infile=child.db.in
 zonefile=child9.utld.db
 outfile=child9.signed
-dlvzone=dlv.utld.
 dlvsets="$dlvsets dlvset-$zone"
 
 keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
@@ -137,7 +134,6 @@ zone=child10.utld.
 infile=child.db.in
 zonefile=child10.utld.db
 outfile=child10.signed
-dlvzone=dlv.utld.
 dlvsets="$dlvsets dlvset-$zone"
 
 keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
@@ -148,12 +144,133 @@ cat $infile $keyname1.key $keyname2.key ../ns6/dsset-grand.$zone >$zonefile
 $SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
 echo "I: signed $zone"
 
+zone=child1.druz.
+infile=child.db.in
+zonefile=child1.druz.db
+outfile=child1.druz.signed
+dlvsets="$dlvsets dlvset-$zone"
+dssets="$dssets dsset-$zone"
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` 
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key ../ns6/dsset-grand.$zone >$zonefile
+
+$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=child3.druz.
+infile=child.db.in
+zonefile=child3.druz.db
+outfile=child3.druz.signed
+dlvsets="$dlvsets dlvset-$zone"
+dssets="$dssets dsset-$zone"
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key ../ns6/dsset-grand.$zone >$zonefile
+
+$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=child4.druz.
+infile=child.db.in
+zonefile=child4.druz.db
+outfile=child4.druz.signed
+dlvsets="$dlvsets dlvset-$zone"
+dssets="$dssets dsset-$zone"
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=child5.druz.
+infile=child.db.in
+zonefile=child5.druz.db
+outfile=child5.druz.signed
+dlvsets="$dlvsets dlvset-$zone"
+dssets="$dssets dsset-$zone"
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key ../ns6/dsset-grand.$zone >$zonefile
+
+$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=child7.druz.
+infile=child.db.in
+zonefile=child7.druz.db
+outfile=child7.druz.signed
+dssets="$dssets dsset-$zone"
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key ../ns6/dsset-grand.$zone >$zonefile
+
+$SIGNER -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=child8.druz.
+infile=child.db.in
+zonefile=child8.druz.db
+outfile=child8.druz.signed
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=child9.druz.
+infile=child.db.in
+zonefile=child9.druz.db
+outfile=child9.druz.signed
+dlvsets="$dlvsets dlvset-$zone"
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+zone=child10.druz.
+infile=child.db.in
+zonefile=child10.druz.db
+outfile=child10.druz.signed
+dlvsets="$dlvsets dlvset-$zone"
+dssets="$dssets dsset-$zone"
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
 
 zone=dlv.utld.
 infile=dlv.db.in
 zonefile=dlv.utld.db
 outfile=dlv.signed
-dlvzone=dlv.utld.
 
 keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
 keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
@@ -172,5 +289,7 @@ trusted-keys {
     "$dn" $flags $proto $alg "$key";
 };
 EOF
-' > trusted.conf
-cp trusted.conf ../ns5
+' > trusted-dlv.conf
+cp trusted-dlv.conf ../ns5
+
+cp $dssets ../ns2

bin/tests/system/dlv/ns5/named.conf

@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.2.2.7 2007/08/28 07:20:02 tbox Exp $ */
+/* $Id: named.conf,v 1.2.2.7.42.1 2011/05/26 23:56:26 each Exp $ */
 
 /*
  * Choose a keyname that is unlikely to clash with any real key names.
@@ -46,6 +46,7 @@ controls {
 };
 
 include "trusted.conf";
+include "trusted-dlv.conf";
 
 options {
 	query-source address 10.53.0.5;

bin/tests/system/dlv/ns6/named.conf

@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.3.10.2 2010/06/04 23:46:02 tbox Exp $ */
+/* $Id: named.conf,v 1.3.10.2.10.1 2011/05/26 23:56:26 each Exp $ */
 
 controls { /* empty */ };
 
@@ -40,3 +40,11 @@ zone "grand.child7.utld" { type master; file "grand.child7.signed"; };
 zone "grand.child8.utld" { type master; file "grand.child8.signed"; };
 zone "grand.child9.utld" { type master; file "grand.child9.signed"; };
 zone "grand.child10.utld" { type master; file "grand.child.db.in"; };
+zone "grand.child1.druz" { type master; file "grand.child1.druz.signed"; };
+zone "grand.child3.druz" { type master; file "grand.child3.druz.signed"; };
+zone "grand.child4.druz" { type master; file "grand.child4.druz.signed"; };
+zone "grand.child5.druz" { type master; file "grand.child5.druz.signed"; };
+zone "grand.child7.druz" { type master; file "grand.child7.druz.signed"; };
+zone "grand.child8.druz" { type master; file "grand.child8.druz.signed"; };
+zone "grand.child9.druz" { type master; file "grand.child9.druz.signed"; };
+zone "grand.child10.druz" { type master; file "grand.child10.druz.signed"; };

bin/tests/system/dlv/ns6/sign.sh

@@ -14,11 +14,13 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: sign.sh,v 1.3.10.2 2010/06/04 23:46:02 tbox Exp $
+# $Id: sign.sh,v 1.3.10.2.10.1 2011/05/26 23:56:26 each Exp $
 
 SYSTEMTESTTOP=../..
 . $SYSTEMTESTTOP/conf.sh
 
+echo "I:dlv/ns6/sign.sh"
+
 RANDFILE=../random.data
 
 zone=grand.child1.utld.
@@ -137,3 +139,120 @@ cat $infile $keyname1.key $keyname2.key >$zonefile
 
 $SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
 echo "I: signed $zone"
+
+zone=grand.child1.druz.
+infile=child.db.in
+zonefile=grand.child1.druz.db
+outfile=grand.child1.druz.signed
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=grand.child3.druz.
+infile=child.db.in
+zonefile=grand.child3.druz.db
+outfile=grand.child3.druz.signed
+dlvzone=dlv.druz.
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=grand.child4.druz.
+infile=child.db.in
+zonefile=grand.child4.druz.db
+outfile=grand.child4.druz.signed
+dlvzone=dlv.druz.
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=grand.child5.druz.
+infile=child.db.in
+zonefile=grand.child5.druz.db
+outfile=grand.child5.druz.signed
+dlvzone=dlv.druz.
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=grand.child7.druz.
+infile=child.db.in
+zonefile=grand.child7.druz.db
+outfile=grand.child7.druz.signed
+dlvzone=dlv.druz.
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=grand.child8.druz.
+infile=child.db.in
+zonefile=grand.child8.druz.db
+outfile=grand.child8.druz.signed
+dlvzone=dlv.druz.
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=grand.child9.druz.
+infile=child.db.in
+zonefile=grand.child9.druz.db
+outfile=grand.child9.druz.signed
+dlvzone=dlv.druz.
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+zone=grand.child10.druz.
+infile=child.db.in
+zonefile=grand.child10.druz.db
+outfile=grand.child10.druz.signed
+dlvzone=dlv.druz.
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"

bin/tests/system/dlv/setup.sh

@@ -14,8 +14,8 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: setup.sh,v 1.2 2004/05/14 04:58:19 marka Exp $
+# $Id: setup.sh,v 1.2.2.1.82.1 2011/05/26 23:56:26 each Exp $
 
 ../../genrandom 400 random.data
 
-(cd ns3 && sh -e sign.sh)
+(cd ns1 && sh -e sign.sh)

bin/tests/system/dlv/tests.sh

@@ -14,7 +14,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: tests.sh,v 1.2.2.3 2010/06/04 23:46:02 tbox Exp $
+# $Id: tests.sh,v 1.2.2.3.10.1 2011/05/26 23:56:26 each Exp $
 
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
@@ -42,5 +42,21 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+echo "I:checking that SOA reference by DLV in a DRUZ with DS validates as secure ($n)"
+ret=0
+$DIG $DIGOPTS child1.druz soa @10.53.0.5 > dig.out.ns5.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking that child SOA reference by DLV in a DRUZ with DS validates as secure ($n)"
+ret=0
+$DIG $DIGOPTS grand.child1.druz soa @10.53.0.5 > dig.out.ns5.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 echo "I:exit status: $status"
 exit $status

lib/dns/api

@@ -1,3 +1,3 @@
 LIBINTERFACE = 39
-LIBREVISION = 1
+LIBREVISION = 3
 LIBAGE = 1

lib/dns/include/dns/rdataset.h

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdataset.h,v 1.51.18.11 2010/02/26 23:46:37 tbox Exp $ */
+/* $Id: rdataset.h,v 1.51.18.11.10.1 2011/05/26 23:56:27 each Exp $ */
 
 #ifndef DNS_RDATASET_H
 #define DNS_RDATASET_H 1
@@ -608,6 +608,12 @@ dns_rdataset_expire(dns_rdataset_t *rdataset);
  * Mark the rdataset to be expired in the backing database.
  */
 
+const char *
+dns_trust_totext(dns_trust_t trust);
+/*
+ *  * Display trust in textual form.
+ *   */
+
 ISC_LANG_ENDDECLS
 
 #endif /* DNS_RDATASET_H */

lib/dns/ncache.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ncache.c,v 1.36.18.8 2010/06/03 23:46:10 tbox Exp $ */
+/* $Id: ncache.c,v 1.36.18.8.10.1 2011/05/26 23:56:27 each Exp $ */
 
 /*! \file */
 
@@ -175,7 +175,7 @@ dns_ncache_add(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
 					 */
 					isc_buffer_availableregion(&buffer,
 								   &r);
-					if (r.length < 2)
+					if (r.length < 3)
 						return (ISC_R_NOSPACE);
 					isc_buffer_putuint16(&buffer,
 							     rdataset->type);

lib/dns/rdataset.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdataset.c,v 1.72.18.9 2010/02/26 23:46:36 tbox Exp $ */
+/* $Id: rdataset.c,v 1.72.18.9.10.1 2011/05/26 23:56:27 each Exp $ */
 
 /*! \file */
 
@@ -34,6 +34,26 @@
 #include <dns/rdataset.h>
 #include <dns/compress.h>
 
+static const char *trustnames[] = {
+	"none",
+	"pending-additional",
+	"pending-answer",
+	"additional",
+	"glue",
+	"answer",
+	"authauthority",
+	"authanswer",
+	"secure",
+	"local" /* aka ultimate */
+};
+
+const char *
+dns_trust_totext(dns_trust_t trust) {
+	if (trust >= sizeof(trustnames)/sizeof(*trustnames))
+		return ("bad");
+	return (trustnames[trust]);
+}
+
 void
 dns_rdataset_init(dns_rdataset_t *rdataset) {
 

lib/dns/validator.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: validator.c,v 1.119.18.60 2010/11/16 04:17:44 marka Exp $ */
+/* $Id: validator.c,v 1.119.18.60.6.1 2011/05/26 23:56:27 each Exp $ */
 
 /*! \file */
 
@@ -331,7 +331,8 @@ fetch_callback_validator(isc_task_t *task, isc_event_t *event) {
 		validator_done(val, ISC_R_CANCELED);
 	} else if (eresult == ISC_R_SUCCESS) {
 		validator_log(val, ISC_LOG_DEBUG(3),
-			      "keyset with trust %d", rdataset->trust);
+			      "keyset with trust %s",
+			      dns_trust_totext(rdataset->trust));
 		/*
 		 * Only extract the dst key if the keyset is secure.
 		 */
@@ -408,7 +409,8 @@ dsfetched(isc_task_t *task, isc_event_t *event) {
 		validator_done(val, ISC_R_CANCELED);
 	} else if (eresult == ISC_R_SUCCESS) {
 		validator_log(val, ISC_LOG_DEBUG(3),
-			      "dsset with trust %d", rdataset->trust);
+			      "dsset with trust %s",
+			       dns_trust_totext(rdataset->trust));
 		val->dsset = &val->frdataset;
 		result = validatezonekey(val);
 		if (result != DNS_R_WAIT)
@@ -562,7 +564,8 @@ keyvalidated(isc_task_t *task, isc_event_t *event) {
 		validator_done(val, ISC_R_CANCELED);
 	} else if (eresult == ISC_R_SUCCESS) {
 		validator_log(val, ISC_LOG_DEBUG(3),
-			      "keyset with trust %d", val->frdataset.trust);
+			      "keyset with trust %s",
+			      dns_trust_totext(val->frdataset.trust));
 		/*
 		 * Only extract the dst key if the keyset is secure.
 		 */
@@ -633,10 +636,10 @@ dsvalidated(isc_task_t *task, isc_event_t *event) {
 		isc_boolean_t have_dsset;
 		dns_name_t *name;
 		validator_log(val, ISC_LOG_DEBUG(3),
-			      "%s with trust %d",
+			      "%s with trust %s",
 			      val->frdataset.type == dns_rdatatype_ds ?
 			      "dsset" : "ds non-existance",
-			      val->frdataset.trust);
+			      dns_trust_totext(val->frdataset.trust));
 		have_dsset = ISC_TF(val->frdataset.type == dns_rdatatype_ds);
 		name = dns_fixedname_name(&val->fname);
 		if ((val->attributes & VALATTR_INSECURITY) != 0 &&
@@ -993,8 +996,8 @@ view_find(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type) {
 		INSIST(type == dns_rdatatype_dlv);
 		if (val->frdataset.trust != dns_trust_secure) {
 			validator_log(val, ISC_LOG_DEBUG(3),
-				      "covering nsec: trust %u",
-				      val->frdataset.trust);
+				      "covering nsec: trust %s",
+				      dns_trust_totext(val->frdataset.trust));
 			goto notfound;
 		}
 		result = dns_rdataset_first(&val->frdataset);
@@ -1311,8 +1314,8 @@ get_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo) {
 			 * See if we've got the key used in the signature.
 			 */
 			validator_log(val, ISC_LOG_DEBUG(3),
-				      "keyset with trust %d",
-				      val->frdataset.trust);
+				      "keyset with trust %s",
+				      dns_trust_totext(val->frdataset.trust));
 			result = get_dst_key(val, siginfo, val->keyset);
 			if (result != ISC_R_SUCCESS) {
 				/*
@@ -2016,8 +2019,11 @@ validatezonekey(dns_validator_t *val) {
 				      "must be secure failure");
 			return (DNS_R_MUSTBESECURE);
 		}
-		markanswer(val, "validatezonekey (2)");
-		return (ISC_R_SUCCESS);
+		if (val->view->dlv == NULL || DLVTRIED(val)) {
+			markanswer(val, "validatezonekey (2)");
+			return (ISC_R_SUCCESS);
+		}
+		return (startfinddlvsep(val, val->event->name));
 	}
 
 	/*
@@ -2625,7 +2631,8 @@ dlvvalidated(isc_task_t *task, isc_event_t *event) {
 		validator_done(val, ISC_R_CANCELED);
 	} else if (eresult == ISC_R_SUCCESS) {
 		validator_log(val, ISC_LOG_DEBUG(3),
-			      "dlvset with trust %d", val->frdataset.trust);
+			      "dlvset with trust %s",
+			      dns_trust_totext(val->frdataset.trust));
 		dns_rdataset_clone(&val->frdataset, &val->dlv);
 		val->havedlvsep = ISC_TRUE;
 		if (dlv_algorithm_supported(val))

lib/dns/win32/libdns.def

@@ -573,6 +573,7 @@ dns_tkey_processgssresponse
 dns_tkey_processquery
 dns_tkeyctx_create
 dns_tkeyctx_destroy
+dns_trust_totext
 dns_tsig_sign
 dns_tsig_verify
 dns_tsigkey_attach

version

@@ -1,4 +1,4 @@
-# $Id: version,v 1.29.134.32 2010/11/18 01:34:50 marka Exp $
+# $Id: version,v 1.29.134.32.10.1 2011/05/26 23:56:25 each Exp $
 #
 # This file must follow /bin/sh rules.  It is imported directly via
 # configure.
@@ -7,4 +7,4 @@ MAJORVER=9
 MINORVER=4
 PATCHVER=
 RELEASETYPE=-ESV
-RELEASEVER=-R4
+RELEASEVER=-R4-P1