Process RRSIGs also in authority and additional sections.

src/dnssec.c

@@ -435,17 +435,18 @@ int dnssec_validate(struct dns_header *header, size_t pktlen)
 {
   unsigned char *p, *reply;
   char *owner = daemon->namebuff;
-  int i, qtype, qclass, rdlen;
+  int i, s, qtype, qclass, rdlen;
   unsigned long ttl;
+  int slen[3] = { ntohs(header->ancount), ntohs(header->nscount), ntohs(header->arcount) };
 
-  if (header->ancount == 0)
+  if (slen[0] + slen[1] + slen[2] == 0)
     return 0;
   if (!(reply = p = skip_questions(header, pktlen)))
     return 0;
 
   /* First, process DNSKEY/DS records and add them to the cache. */
   cache_start_insert();
-  for (i = 0; i < ntohs(header->ancount); i++)
+  for (i = 0; i < slen[0]; i++)
     {
       if (!extract_name(header, pktlen, &p, owner, 1, 10))
       	return 0;
@@ -471,7 +472,10 @@ int dnssec_validate(struct dns_header *header, size_t pktlen)
      We want to do this in a separate step because we want the cache
      to be already populated with DNSKEYs before parsing signatures. */
   p = reply;
-  for (i = 0; i < ntohs(header->ancount); i++)
+  for (s = 0; s < 3; ++s)
+    {
+      reply = p;
+      for (i = 0; i < slen[s]; i++)
         {
           if (!extract_name(header, pktlen, &p, owner, 1, 10))
             return 0;
@@ -487,10 +491,11 @@ int dnssec_validate(struct dns_header *header, size_t pktlen)
                  There is a memory vs CPU conflict here; should we validate everything
                  to save memory and thus waste CPU, or better first acquire all information
                  (wasting memory) and then doing the minimum CPU computations required? */
-          dnssec_parserrsig(header, pktlen, reply, ntohs(header->ancount), owner, qclass, rdlen, p);
+              dnssec_parserrsig(header, pktlen, reply, slen[s], owner, qclass, rdlen, p);
             }
           p += rdlen;
         }
+    }
 
   return 1;
 }