Diffstat (limited to 'validator')
-rw-r--r--validator/autotrust.c1
-rw-r--r--validator/val_neg.c1
-rw-r--r--validator/val_nsec.c2
-rw-r--r--validator/val_nsec3.c2
-rw-r--r--validator/val_secalgo.c22
-rw-r--r--validator/val_sigcrypt.c2
-rw-r--r--validator/val_utils.c26
-rw-r--r--validator/validator.c6
8 files changed, 56 insertions, 6 deletions
diff --git a/validator/autotrust.c b/validator/autotrust.c
index da8829cebf25..a2fcc871e7b1 100644
--- a/validator/autotrust.c
+++ b/validator/autotrust.c
@@ -2328,6 +2328,7 @@ probe_anchor(struct module_env* env, struct trust_anchor* tp)
qinfo.qname_len = tp->namelen;
qinfo.qtype = LDNS_RR_TYPE_DNSKEY;
qinfo.qclass = tp->dclass;
+ qinfo.local_alias = NULL;
log_query_info(VERB_ALGO, "autotrust probe", &qinfo);
verbose(VERB_ALGO, "retry probe set in %d seconds",
(int)tp->autr->next_probe_time - (int)*env->now);
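Review bot: `qinfo.local_alias = NULL;` is assigned field-by-field on what appears to be a stack struct query_info whose declaration sits above this hunk, so every member added to the struct later needs the same extra line at every construction site; the val_neg.c, val_utils.c val_find_DS and validator.c generate_request hunks repeat exactly this pattern. Zeroing once at the declaration, `struct query_info qinfo = {0};` or `memset(&qinfo, 0, sizeof(qinfo));`, covers the new member and any future one in one place. If the variable is not a local of probe_anchor, the suggestion does not apply; the declaration is outside the hunk.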
diff --git a/validator/val_neg.c b/validator/val_neg.c
index a5e687fdc417..272c5e027ac7 100644
--- a/validator/val_neg.c
+++ b/validator/val_neg.c
@@ -1007,6 +1007,7 @@ int val_neg_dlvlookup(struct val_neg_cache* neg, uint8_t* qname, size_t len,
qinfo.qname = qname;
qinfo.qtype = LDNS_RR_TYPE_DLV;
qinfo.qclass = qclass;
+ qinfo.local_alias = NULL;
if(!nsec_proves_nodata(nsec, &qinfo, &wc) &&
!val_nsec_proves_name_error(nsec, qname)) {
/* the NSEC is not a denial for the DLV */
diff --git a/validator/val_nsec.c b/validator/val_nsec.c
index f104a347c786..1e4f440ffc09 100644
--- a/validator/val_nsec.c
+++ b/validator/val_nsec.c
@@ -343,7 +343,7 @@ int nsec_proves_nodata(struct ub_packed_rrset_key* nsec,
} else {
/* See if the next owner name covers a wildcard
* empty non-terminal. */
- while (dname_strict_subdomain_c(nm, nsec->rk.dname)) {
+ while (dname_canonical_compare(nsec->rk.dname, nm) < 0) {
/* wildcard does not apply if qname below
* the name that exists under the '*' */
if (dname_subdomain_c(qinfo->qname, nm))
diff --git a/validator/val_nsec3.c b/validator/val_nsec3.c
index 22867d170d7d..cd850c098248 100644
--- a/validator/val_nsec3.c
+++ b/validator/val_nsec3.c
@@ -1180,7 +1180,7 @@ nsec3_do_prove_nodata(struct module_env* env, struct nsec3_filter* flt,
nsec3_has_type(rrset, rr, LDNS_RR_TYPE_NS) &&
!nsec3_has_type(rrset, rr, LDNS_RR_TYPE_SOA)) {
verbose(VERB_ALGO, "nsec3 nodata proof: matching "
- "wilcard is a delegation, bogus");
+ "wildcard is a delegation, bogus");
return sec_status_bogus;
}
/* everything is peachy keen, except for optout spans */
diff --git a/validator/val_secalgo.c b/validator/val_secalgo.c
index e3a1555257f6..f117f7f7336a 100644
--- a/validator/val_secalgo.c
+++ b/validator/val_secalgo.c
@@ -72,6 +72,9 @@
#include <openssl/engine.h>
#endif
+/** fake DSA support for unit tests */
+int fake_dsa = 0;
+
/* return size of digest if supported, or 0 otherwise */
size_t
nsec3_hash_algo_size_supported(int id)
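Review bot: `int fake_dsa = 0;` is an external, non-static global in production code, and the verify_canonrrset hunk further down returns sec_status_secure for DSA algorithms without examining the signature whenever it is non-zero, so a single stray write to this symbol turns every non-USE_DSA build into one that accepts unverified DSA RRSIGs. Both the definition and the early-return in verify_canonrrset should be compiled only in test builds, e.g. wrapped in `#ifdef <TEST_BUILD_MACRO>` (placeholder; use the project's unit-test build macro), with the comment on the definition stating that it is read by dnskey_algo_id_is_supported and verify_canonrrset. If the symbol must stay in regular builds, its doc comment should at least say which two functions it short-circuits.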
@@ -192,9 +195,13 @@ dnskey_algo_id_is_supported(int id)
case LDNS_RSAMD5:
/* RFC 6725 deprecates RSAMD5 */
return 0;
-#ifdef USE_DSA
case LDNS_DSA:
case LDNS_DSA_NSEC3:
+#ifdef USE_DSA
+ return 1;
+#else
+ if(fake_dsa) return 1;
+ return 0;
#endif
case LDNS_RSASHA1:
case LDNS_RSASHA1_NSEC3:
@@ -264,8 +271,12 @@ setup_dsa_sig(unsigned char** sig, unsigned int* len)
dsasig = DSA_SIG_new();
if(!dsasig) return 0;
+#ifdef HAVE_DSA_SIG_SET0
+ if(!DSA_SIG_set0(dsasig, R, S)) return 0;
+#else
dsasig->r = R;
dsasig->s = S;
+#endif
*sig = NULL;
newlen = i2d_DSA_SIG(dsasig, sig);
if(newlen < 0) {
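Review bot: The new failure branch `if(!DSA_SIG_set0(dsasig, R, S)) return 0;` leaks dsasig, which DSA_SIG_new() allocated two lines above; `if(!DSA_SIG_set0(dsasig, R, S)) { DSA_SIG_free(dsasig); return 0; }` releases it. By the OpenSSL set0 convention ownership of R and S transfers only on success, so they are still the caller's on this path, the same as on the existing `if(!dsasig) return 0;` path; their allocation is outside the hunk, so whether that path frees them cannot be checked here.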
@@ -406,7 +417,11 @@ setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type,
"EVP_PKEY_assign_DSA failed");
return 0;
}
+#ifdef HAVE_EVP_DSS1
*digest_type = EVP_dss1();
+#else
+ *digest_type = EVP_sha1();
+#endif
break;
#endif /* USE_DSA */
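Review bot: The `#else` branch substitutes EVP_sha1() for EVP_dss1() with no comment explaining why the two are interchangeable here, which a later reader may take for a downgrade. A comment on the `#else` line such as `/* EVP_dss1() is gone in newer OpenSSL; DSA per RFC 2536 signs a SHA-1 digest, so EVP_sha1() is the same digest */` records the reasoning. The rest of setup_key_digest is outside the hunk.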
@@ -545,6 +560,11 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
EVP_MD_CTX* ctx;
int res, dofree = 0, docrypto_free = 0;
EVP_PKEY *evp_key = NULL;
+
+#ifndef USE_DSA
+ if((algo == LDNS_DSA || algo == LDNS_DSA_NSEC3) && fake_dsa)
+ return sec_status_secure;
+#endif
if(!setup_key_digest(algo, &evp_key, &digest_type, key, keylen)) {
verbose(VERB_QUERY, "verify: failed to setup key");
diff --git a/validator/val_sigcrypt.c b/validator/val_sigcrypt.c
index e60f3f9369c6..c79a73d2a1cc 100644
--- a/validator/val_sigcrypt.c
+++ b/validator/val_sigcrypt.c
@@ -1291,7 +1291,7 @@ adjust_ttl(struct val_env* ve, uint32_t unow,
*/
if(MIN_TTL > (time_t)origttl && d->ttl > MIN_TTL) {
verbose(VERB_QUERY, "rrset TTL larger than original and minimum"
- " TTL, adjusting TTL downwards to mimimum ttl");
+ " TTL, adjusting TTL downwards to minimum ttl");
d->ttl = MIN_TTL;
}
else if(MIN_TTL <= origttl && d->ttl > (time_t)origttl) {
diff --git a/validator/val_utils.c b/validator/val_utils.c
index 94f00a7f7ee8..da8066aad7e9 100644
--- a/validator/val_utils.c
+++ b/validator/val_utils.c
@@ -219,7 +219,7 @@ val_find_signer(enum val_classification subtype, struct query_info* qinf,
{
size_t i;
- if(subtype == VAL_CLASS_POSITIVE || subtype == VAL_CLASS_ANY) {
+ if(subtype == VAL_CLASS_POSITIVE) {
/* check for the answer rrset */
for(i=skip; i<rep->an_numrrsets; i++) {
if(query_dname_compare(qinf->qname,
@@ -271,6 +271,29 @@ val_find_signer(enum val_classification subtype, struct query_info* qinf,
signer_name, signer_len, &matchcount);
}
}
+ } else if(subtype == VAL_CLASS_ANY) {
+ /* check for one of the answer rrset that has signatures,
+ * or potentially a DNAME is in use with a different qname */
+ for(i=skip; i<rep->an_numrrsets; i++) {
+ if(query_dname_compare(qinf->qname,
+ rep->rrsets[i]->rk.dname) == 0) {
+ val_find_rrset_signer(rep->rrsets[i],
+ signer_name, signer_len);
+ if(*signer_name)
+ return;
+ }
+ }
+ /* no answer RRSIGs with qname, try a DNAME */
+ if(skip < rep->an_numrrsets &&
+ ntohs(rep->rrsets[skip]->rk.type) ==
+ LDNS_RR_TYPE_DNAME) {
+ val_find_rrset_signer(rep->rrsets[skip],
+ signer_name, signer_len);
+ if(*signer_name)
+ return;
+ }
+ *signer_name = NULL;
+ *signer_len = 0;
} else if(subtype == VAL_CLASS_REFERRAL) {
/* find keys for the item at skip */
if(skip < rep->rrset_count) {
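Review bot: The early `if(*signer_name) return;` checks in the new VAL_CLASS_ANY branch depend on val_find_rrset_signer() writing NULL into *signer_name when an rrset carries no RRSIG; if it only writes on success, a non-NULL value left in the caller's variable makes the first unsigned rrset return early with a stale signer. Clearing `*signer_name = NULL; *signer_len = 0;` before the loop, rather than only after the DNAME check, removes that dependency and makes the final reset redundant. The comment at the top of the branch also reads awkwardly; `/* find an answer rrset at qname that is signed, or a DNAME whose owner differs from qname */` says what the two steps below do. val_find_signer starts before this hunk.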
@@ -1115,6 +1138,7 @@ val_find_DS(struct module_env* env, uint8_t* nm, size_t nmlen, uint16_t c,
qinfo.qname_len = nmlen;
qinfo.qtype = LDNS_RR_TYPE_DS;
qinfo.qclass = c;
+ qinfo.local_alias = NULL;
/* do not add SOA to reply message, it is going to be used internal */
msg = val_neg_getmsg(env->neg_cache, &qinfo, region, env->rrset_cache,
env->scratch_buffer, *env->now, 0, topname);
diff --git a/validator/validator.c b/validator/validator.c
index f9b6a986ec9e..676dcdfe4d8b 100644
--- a/validator/validator.c
+++ b/validator/validator.c
@@ -181,6 +181,7 @@ val_init(struct module_env* env, int id)
log_err("validator: could not apply configuration settings.");
return 0;
}
+
return 1;
}
@@ -377,6 +378,7 @@ generate_request(struct module_qstate* qstate, int id, uint8_t* name,
ask.qname_len = namelen;
ask.qtype = qtype;
ask.qclass = qclass;
+ ask.local_alias = NULL;
log_query_info(VERB_ALGO, "generate request", &ask);
fptr_ok(fptr_whitelist_modenv_attach_sub(qstate->env->attach_sub));
/* enable valrec flag to avoid recursion to the same validation
@@ -2087,7 +2089,7 @@ processFinished(struct module_qstate* qstate, struct val_qstate* vq,
}
/* store results in cache */
- if(qstate->query_flags&BIT_RD) {
+ if(!qstate->no_cache_store && qstate->query_flags&BIT_RD) {
/* if secure, this will override cache anyway, no need
* to check if from parentNS */
if(!dns_cache_store(qstate->env, &vq->orig_msg->qinfo,
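Review bot: The new condition `!qstate->no_cache_store && qstate->query_flags&BIT_RD` is correct only because `&` binds tighter than `&&`, and mixing the two without grouping reads as if it might not be; `if(!qstate->no_cache_store && (qstate->query_flags&BIT_RD)) {` makes the intended grouping explicit. The surrounding function processFinished continues outside the hunk.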
@@ -2280,6 +2282,7 @@ val_operate(struct module_qstate* qstate, enum module_ev event, int id,
(void)outbound;
if(event == module_event_new ||
(event == module_event_pass && vq == NULL)) {
+
/* pass request to next module, to get it */
verbose(VERB_ALGO, "validator: pass to next module");
qstate->ext_state[id] = module_wait_module;
@@ -2288,6 +2291,7 @@ val_operate(struct module_qstate* qstate, enum module_ev event, int id,
if(event == module_event_moddone) {
/* check if validation is needed */
verbose(VERB_ALGO, "validator: nextmodule returned");
+
if(!needs_validation(qstate, qstate->return_rcode,
qstate->return_msg)) {
/* no need to validate this */