--- bind-9.3.6-P1/lib/dns/validator.c.rh555118 2010-01-18 15:35:17.587785286 +0100 +++ bind-9.3.6-P1/lib/dns/validator.c 2010-01-18 15:37:33.335285482 +0100 @@ -2544,20 +2544,22 @@ proveunsecure(dns_validator_t *val, isc_ if (val->havedlvsep) dns_name_copy(dns_fixedname_name(&val->dlvsep), secroot, NULL); else { + unsigned int labels; dns_name_copy(val->event->name, secroot, NULL); + /* * If this is a response to a DS query, we need to look in * the parent zone for the trust anchor. */ - if (val->event->type == dns_rdatatype_ds && - dns_name_countlabels(secroot) > 1U) - dns_name_split(secroot, 1, NULL, secroot); + labels = dns_name_countlabels(secroot); + if (val->event->type == dns_rdatatype_ds && labels > 1U) + dns_name_getlabelsequence(secroot, 1, labels - 1, + secroot); + result = dns_keytable_finddeepestmatch(val->keytable, secroot, secroot); if (result == ISC_R_NOTFOUND) { - validator_log(val, ISC_LOG_DEBUG(3), - "not beneath secure root"); if (val->mustbesecure) { validator_log(val, ISC_LOG_WARNING, "must be secure failure");