- Added root-key-sentinel support

git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@4652 be551aaa-1e26-0410-a405-d3ace91eadb9

daemon/worker.c

@@ -502,6 +502,7 @@ answer_norec_from_cache(struct worker* worker, struct query_info* qinfo,
 			 * let validator do that */
 			return 0;
 		case sec_status_bogus:
+		case sec_status_secure_sentinel_fail:
 			/* some rrsets are bogus, reply servfail */
 			edns->edns_version = EDNS_ADVERTISED_VERSION;
 			edns->udp_size = EDNS_ADVERTISED_SIZE;
@@ -658,7 +659,8 @@ answer_from_cache(struct worker* worker, struct query_info* qinfo,
 		}
 	}
 	/* check security status of the cached answer */
-	if( rep->security == sec_status_bogus && must_validate) {
+	if(must_validate && (rep->security == sec_status_bogus ||
+		rep->security == sec_status_secure_sentinel_fail)) {
 		/* BAD cached */
 		edns->edns_version = EDNS_ADVERTISED_VERSION;
 		edns->udp_size = EDNS_ADVERTISED_SIZE;

doc/Changelog

@@ -1,3 +1,6 @@
+24 April 2018: Ralph
+	- Added root-key-sentinel support
+
 23 April 2018: Wouter
 	- makedist uses bz2 for expat code, instead of tar.gz.
 	- Fix #4092: libunbound: use-caps-for-id lacks colon in

doc/example.conf.in

@@ -458,6 +458,9 @@ server:
 
 	# trust anchor signaling sends a RFC8145 key tag query after priming.
 	# trust-anchor-signaling: yes
+	
+	# Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel)
+	# root-key-sentinel: yes
 
 	# File with DLV trusted keys. Same format as trust-anchor-file.
 	# There can be only one DLV configured, it is trusted from root down.

doc/unbound.conf.5.in

@@ -849,6 +849,9 @@ expanded on start and on reload.
 .B trust\-anchor\-signaling: \fI<yes or no>
 Send RFC8145 key tag query after trust anchor priming. Default is on.
 .TP
+.B root\-key\-sentinel: \fI<yes or no>
+Root key trust anchor sentinel. Default is on.
+.TP
 .B dlv\-anchor\-file: \fI<filename>
 This option was used during early days DNSSEC deployment when no parent-side
 DS record registrations were easily available.  Nowadays, it is best to have

services/mesh.c

@@ -975,7 +975,8 @@ mesh_do_callback(struct mesh_state* m, int rcode, struct reply_info* rep,
 	else	secure = 0;
 	if(!rep && rcode == LDNS_RCODE_NOERROR)
 		rcode = LDNS_RCODE_SERVFAIL;
-	if(!rcode && rep->security == sec_status_bogus) {
+	if(!rcode && (rep->security == sec_status_bogus ||
+		rep->security == sec_status_secure_sentinel_fail)) {
 		if(!(reason = errinf_to_str(&m->s)))
 			rcode = LDNS_RCODE_SERVFAIL;
 	}
@@ -1041,7 +1042,8 @@ mesh_send_reply(struct mesh_state* m, int rcode, struct reply_info* rep,
 	/* examine security status */
 	if(m->s.env->need_to_validate && (!(r->qflags&BIT_CD) ||
 		m->s.env->cfg->ignore_cd) && rep && 
-		rep->security <= sec_status_bogus) {
+		(rep->security <= sec_status_bogus ||
+		rep->security == sec_status_secure_sentinel_fail)) {
 		rcode = LDNS_RCODE_SERVFAIL;
 		if(m->s.env->cfg->stat_extended) 
 			m->s.env->mesh->ans_bogus++;

util/config_file.c

@@ -213,6 +213,7 @@ config_create(void)
 	cfg->trust_anchor_list = NULL;
 	cfg->trusted_keys_file_list = NULL;
 	cfg->trust_anchor_signaling = 1;
+	cfg->root_key_sentinel = 1;
 	cfg->dlv_anchor_file = NULL;
 	cfg->dlv_anchor_list = NULL;
 	cfg->domain_insecure = NULL;
@@ -521,6 +522,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
 	else S_STRLIST("trust-anchor:", trust_anchor_list)
 	else S_STRLIST("trusted-keys-file:", trusted_keys_file_list)
 	else S_YNO("trust-anchor-signaling:", trust_anchor_signaling)
+	else S_YNO("root-key-sentinel:", root_key_sentinel)
 	else S_STR("dlv-anchor-file:", dlv_anchor_file)
 	else S_STRLIST("dlv-anchor:", dlv_anchor_list)
 	else S_STRLIST("domain-insecure:", domain_insecure)
@@ -932,6 +934,7 @@ config_get_option(struct config_file* cfg, const char* opt,
 	else O_LST(opt, "trust-anchor", trust_anchor_list)
 	else O_LST(opt, "trusted-keys-file", trusted_keys_file_list)
 	else O_YNO(opt, "trust-anchor-signaling", trust_anchor_signaling)
+	else O_YNO(opt, "root-key-sentinel", root_key_sentinel)
 	else O_LST(opt, "dlv-anchor", dlv_anchor_list)
 	else O_LST(opt, "control-interface", control_ifs)
 	else O_LST(opt, "domain-insecure", domain_insecure)

util/config_file.h

@@ -291,6 +291,8 @@ struct config_file {
 	struct config_strlist* domain_insecure;
 	/** send key tag query */
 	int trust_anchor_signaling;
+	/** enable root key sentinel */
+	int root_key_sentinel;
 
 	/** if not 0, this value is the validation date for RRSIGs */
 	int32_t val_date_override;

util/configlexer.lex

@@ -336,6 +336,7 @@ auto-trust-anchor-file{COLON}	{ YDVAR(1, VAR_AUTO_TRUST_ANCHOR_FILE) }
 trusted-keys-file{COLON}	{ YDVAR(1, VAR_TRUSTED_KEYS_FILE) }
 trust-anchor{COLON}		{ YDVAR(1, VAR_TRUST_ANCHOR) }
 trust-anchor-signaling{COLON}	{ YDVAR(1, VAR_TRUST_ANCHOR_SIGNALING) }
+root-key-sentinel{COLON}	{ YDVAR(1, VAR_ROOT_KEY_SENTINEL) }
 val-override-date{COLON}	{ YDVAR(1, VAR_VAL_OVERRIDE_DATE) }
 val-sig-skew-min{COLON}		{ YDVAR(1, VAR_VAL_SIG_SKEW_MIN) }
 val-sig-skew-max{COLON}		{ YDVAR(1, VAR_VAL_SIG_SKEW_MAX) }

util/configparser.h

@@ -248,41 +248,42 @@ extern int yydebug;
     VAR_USE_SYSTEMD = 458,
     VAR_SHM_ENABLE = 459,
     VAR_SHM_KEY = 460,
-    VAR_DNSCRYPT = 461,
-    VAR_DNSCRYPT_ENABLE = 462,
-    VAR_DNSCRYPT_PORT = 463,
-    VAR_DNSCRYPT_PROVIDER = 464,
-    VAR_DNSCRYPT_SECRET_KEY = 465,
-    VAR_DNSCRYPT_PROVIDER_CERT = 466,
-    VAR_DNSCRYPT_PROVIDER_CERT_ROTATED = 467,
-    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE = 468,
-    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS = 469,
-    VAR_DNSCRYPT_NONCE_CACHE_SIZE = 470,
-    VAR_DNSCRYPT_NONCE_CACHE_SLABS = 471,
-    VAR_IPSECMOD_ENABLED = 472,
-    VAR_IPSECMOD_HOOK = 473,
-    VAR_IPSECMOD_IGNORE_BOGUS = 474,
-    VAR_IPSECMOD_MAX_TTL = 475,
-    VAR_IPSECMOD_WHITELIST = 476,
-    VAR_IPSECMOD_STRICT = 477,
-    VAR_CACHEDB = 478,
-    VAR_CACHEDB_BACKEND = 479,
-    VAR_CACHEDB_SECRETSEED = 480,
-    VAR_CACHEDB_REDISHOST = 481,
-    VAR_CACHEDB_REDISPORT = 482,
-    VAR_CACHEDB_REDISTIMEOUT = 483,
-    VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM = 484,
-    VAR_FOR_UPSTREAM = 485,
-    VAR_AUTH_ZONE = 486,
-    VAR_ZONEFILE = 487,
-    VAR_MASTER = 488,
-    VAR_URL = 489,
-    VAR_FOR_DOWNSTREAM = 490,
-    VAR_FALLBACK_ENABLED = 491,
-    VAR_ADDITIONAL_TLS_PORT = 492,
-    VAR_LOW_RTT = 493,
-    VAR_LOW_RTT_PCT = 494,
-    VAR_ALLOW_NOTIFY = 495
+    VAR_ROOT_KEY_SENTINEL = 461,
+    VAR_DNSCRYPT = 462,
+    VAR_DNSCRYPT_ENABLE = 463,
+    VAR_DNSCRYPT_PORT = 464,
+    VAR_DNSCRYPT_PROVIDER = 465,
+    VAR_DNSCRYPT_SECRET_KEY = 466,
+    VAR_DNSCRYPT_PROVIDER_CERT = 467,
+    VAR_DNSCRYPT_PROVIDER_CERT_ROTATED = 468,
+    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE = 469,
+    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS = 470,
+    VAR_DNSCRYPT_NONCE_CACHE_SIZE = 471,
+    VAR_DNSCRYPT_NONCE_CACHE_SLABS = 472,
+    VAR_IPSECMOD_ENABLED = 473,
+    VAR_IPSECMOD_HOOK = 474,
+    VAR_IPSECMOD_IGNORE_BOGUS = 475,
+    VAR_IPSECMOD_MAX_TTL = 476,
+    VAR_IPSECMOD_WHITELIST = 477,
+    VAR_IPSECMOD_STRICT = 478,
+    VAR_CACHEDB = 479,
+    VAR_CACHEDB_BACKEND = 480,
+    VAR_CACHEDB_SECRETSEED = 481,
+    VAR_CACHEDB_REDISHOST = 482,
+    VAR_CACHEDB_REDISPORT = 483,
+    VAR_CACHEDB_REDISTIMEOUT = 484,
+    VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM = 485,
+    VAR_FOR_UPSTREAM = 486,
+    VAR_AUTH_ZONE = 487,
+    VAR_ZONEFILE = 488,
+    VAR_MASTER = 489,
+    VAR_URL = 490,
+    VAR_FOR_DOWNSTREAM = 491,
+    VAR_FALLBACK_ENABLED = 492,
+    VAR_ADDITIONAL_TLS_PORT = 493,
+    VAR_LOW_RTT = 494,
+    VAR_LOW_RTT_PCT = 495,
+    VAR_ALLOW_NOTIFY = 496
   };
 #endif
 /* Tokens.  */
@@ -489,41 +490,42 @@ extern int yydebug;
 #define VAR_USE_SYSTEMD 458
 #define VAR_SHM_ENABLE 459
 #define VAR_SHM_KEY 460
-#define VAR_DNSCRYPT 461
-#define VAR_DNSCRYPT_ENABLE 462
-#define VAR_DNSCRYPT_PORT 463
-#define VAR_DNSCRYPT_PROVIDER 464
-#define VAR_DNSCRYPT_SECRET_KEY 465
-#define VAR_DNSCRYPT_PROVIDER_CERT 466
-#define VAR_DNSCRYPT_PROVIDER_CERT_ROTATED 467
-#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE 468
-#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS 469
-#define VAR_DNSCRYPT_NONCE_CACHE_SIZE 470
-#define VAR_DNSCRYPT_NONCE_CACHE_SLABS 471
-#define VAR_IPSECMOD_ENABLED 472
-#define VAR_IPSECMOD_HOOK 473
-#define VAR_IPSECMOD_IGNORE_BOGUS 474
-#define VAR_IPSECMOD_MAX_TTL 475
-#define VAR_IPSECMOD_WHITELIST 476
-#define VAR_IPSECMOD_STRICT 477
-#define VAR_CACHEDB 478
-#define VAR_CACHEDB_BACKEND 479
-#define VAR_CACHEDB_SECRETSEED 480
-#define VAR_CACHEDB_REDISHOST 481
-#define VAR_CACHEDB_REDISPORT 482
-#define VAR_CACHEDB_REDISTIMEOUT 483
-#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 484
-#define VAR_FOR_UPSTREAM 485
-#define VAR_AUTH_ZONE 486
-#define VAR_ZONEFILE 487
-#define VAR_MASTER 488
-#define VAR_URL 489
-#define VAR_FOR_DOWNSTREAM 490
-#define VAR_FALLBACK_ENABLED 491
-#define VAR_ADDITIONAL_TLS_PORT 492
-#define VAR_LOW_RTT 493
-#define VAR_LOW_RTT_PCT 494
-#define VAR_ALLOW_NOTIFY 495
+#define VAR_ROOT_KEY_SENTINEL 461
+#define VAR_DNSCRYPT 462
+#define VAR_DNSCRYPT_ENABLE 463
+#define VAR_DNSCRYPT_PORT 464
+#define VAR_DNSCRYPT_PROVIDER 465
+#define VAR_DNSCRYPT_SECRET_KEY 466
+#define VAR_DNSCRYPT_PROVIDER_CERT 467
+#define VAR_DNSCRYPT_PROVIDER_CERT_ROTATED 468
+#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE 469
+#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS 470
+#define VAR_DNSCRYPT_NONCE_CACHE_SIZE 471
+#define VAR_DNSCRYPT_NONCE_CACHE_SLABS 472
+#define VAR_IPSECMOD_ENABLED 473
+#define VAR_IPSECMOD_HOOK 474
+#define VAR_IPSECMOD_IGNORE_BOGUS 475
+#define VAR_IPSECMOD_MAX_TTL 476
+#define VAR_IPSECMOD_WHITELIST 477
+#define VAR_IPSECMOD_STRICT 478
+#define VAR_CACHEDB 479
+#define VAR_CACHEDB_BACKEND 480
+#define VAR_CACHEDB_SECRETSEED 481
+#define VAR_CACHEDB_REDISHOST 482
+#define VAR_CACHEDB_REDISPORT 483
+#define VAR_CACHEDB_REDISTIMEOUT 484
+#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 485
+#define VAR_FOR_UPSTREAM 486
+#define VAR_AUTH_ZONE 487
+#define VAR_ZONEFILE 488
+#define VAR_MASTER 489
+#define VAR_URL 490
+#define VAR_FOR_DOWNSTREAM 491
+#define VAR_FALLBACK_ENABLED 492
+#define VAR_ADDITIONAL_TLS_PORT 493
+#define VAR_LOW_RTT 494
+#define VAR_LOW_RTT_PCT 495
+#define VAR_ALLOW_NOTIFY 496
 
 /* Value type.  */
 #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
@@ -534,7 +536,7 @@ union YYSTYPE
 
 	char*	str;
 
-#line 538 "util/configparser.h" /* yacc.c:1909  */
+#line 540 "util/configparser.h" /* yacc.c:1909  */
 };
 
 typedef union YYSTYPE YYSTYPE;

util/configparser.y

@@ -142,6 +142,7 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_VIEW_FIRST VAR_SERVE_EXPIRED VAR_FAKE_DSA VAR_FAKE_SHA1
 %token VAR_LOG_IDENTITY VAR_HIDE_TRUSTANCHOR VAR_TRUST_ANCHOR_SIGNALING
 %token VAR_AGGRESSIVE_NSEC VAR_USE_SYSTEMD VAR_SHM_ENABLE VAR_SHM_KEY
+%token VAR_ROOT_KEY_SENTINEL
 %token VAR_DNSCRYPT VAR_DNSCRYPT_ENABLE VAR_DNSCRYPT_PORT VAR_DNSCRYPT_PROVIDER
 %token VAR_DNSCRYPT_SECRET_KEY VAR_DNSCRYPT_PROVIDER_CERT
 %token VAR_DNSCRYPT_PROVIDER_CERT_ROTATED
@@ -242,6 +243,7 @@ content_server: server_num_threads | server_verbosity | server_port |
 	server_response_ip_tag | server_response_ip | server_response_ip_data |
 	server_shm_enable | server_shm_key | server_fake_sha1 |
 	server_hide_trustanchor | server_trust_anchor_signaling |
+	server_root_key_sentinel |
 	server_ipsecmod_enabled | server_ipsecmod_hook |
 	server_ipsecmod_ignore_bogus | server_ipsecmod_max_ttl |
 	server_ipsecmod_whitelist | server_ipsecmod_strict |
@@ -871,6 +873,17 @@ server_trust_anchor_signaling: VAR_TRUST_ANCHOR_SIGNALING STRING_ARG
 		free($2);
 	}
 	;
+server_root_key_sentinel: VAR_ROOT_KEY_SENTINEL STRING_ARG
+	{
+		OUTYY(("P(server_root_key_sentinel:%s)\n", $2));
+		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+			yyerror("expected yes or no.");
+		else
+			cfg_parser->cfg->root_key_sentinel =
+				(strcmp($2, "yes")==0);
+		free($2);
+	}
+	;
 server_domain_insecure: VAR_DOMAIN_INSECURE STRING_ARG
 	{
 		OUTYY(("P(server_domain_insecure:%s)\n", $2));

util/data/dname.c

@@ -523,6 +523,29 @@ dname_lab_cmp(uint8_t* d1, int labs1, uint8_t* d2, int labs2, int* mlabs)
 	return lastdiff;
 }
 
+int
+dname_lab_startswith(uint8_t* label, char* prefix, char** endptr)
+{
+	size_t plen = strlen(prefix);
+	size_t orig_plen = plen;
+	size_t lablen = (size_t)*label;
+	if(plen > lablen)
+		return 0;
+	label++;
+	while(plen--) {
+		if(*prefix != tolower((unsigned char)*label)) {
+			return 0;
+		}
+		prefix++; label++;
+	}
+	if(orig_plen < lablen)
+		*endptr = (char *)label;
+	else
+		/* prefix length == label length */
+		*endptr = NULL;
+	return 1;
+}
+
 int 
 dname_buffer_write(sldns_buffer* pkt, uint8_t* dname)
 {

util/data/dname.h

@@ -185,6 +185,17 @@ int dname_count_size_labels(uint8_t* dname, size_t* size);
  */
 int dname_lab_cmp(uint8_t* d1, int labs1, uint8_t* d2, int labs2, int* mlabs);
 
+/**
+ * Check if labels starts with given prefix 
+ * @param label: dname label
+ * @param prefix: the string to match label with, null terminated.
+ * @param endptr: pointer to location in label after prefix, only if return
+ * 	value is 1. NULL if nothing in the label after the prefix, i.e. prefix
+ * 	and label are the same.
+ * @return: 1 if label starts with prefix, else 0
+ */
+int dname_lab_startswith(uint8_t* label, char* prefix, char** endptr);
+
 /**
  * See if domain name d1 is a strict subdomain of d2.
  * That is a subdomain, but not equal. 

util/data/packed_rrset.c

@@ -253,6 +253,7 @@ sec_status_to_string(enum sec_status s)
 	case sec_status_bogus: 		return "sec_status_bogus";
 	case sec_status_indeterminate: 	return "sec_status_indeterminate";
 	case sec_status_insecure: 	return "sec_status_insecure";
+	case sec_status_secure_sentinel_fail: 	return "sec_status_secure_sentinel_fail";
 	case sec_status_secure: 	return "sec_status_secure";
 	}
 	return "unknown_sec_status_value";

util/data/packed_rrset.h

@@ -187,6 +187,10 @@ enum sec_status {
 	 * insecure. Generally this means that this RRset is below a trust 
 	 * anchor, but also below a verified, insecure delegation. */
 	sec_status_insecure,
+	/** SECURE_SENTINEL_FAIL means that the object (RRset or message)
+	 * validated according to local policy but did not succeed in the root
+	 * KSK sentinel test (draft-ietf-dnsop-kskroll-sentinel). */
+	sec_status_secure_sentinel_fail,
 	/** SECURE means that the object (RRset or message) validated 
 	 * according to local policy. */
 	sec_status_secure

validator/val_anchor.c

@@ -1309,3 +1309,44 @@ anchor_list_keytags(struct trust_anchor* ta, uint16_t* list, size_t num)
 	qsort(list, ret, sizeof(*list), keytag_compare);
 	return ret;
 }
+
+int
+anchor_has_keytag(struct val_anchors* anchors, uint8_t* name, int namelabs,
+	size_t namelen, uint16_t dclass, uint16_t keytag)
+{
+	uint16_t* taglist;
+	uint16_t* tl;
+	size_t numtag, i;
+	struct trust_anchor* anchor = anchor_find(anchors,
+		name, namelabs, namelen, dclass);
+	if(!anchor)
+		return 0;
+	if(!anchor->numDS && !anchor->numDNSKEY) {
+		lock_basic_unlock(&anchor->lock);
+		return 0;
+	}
+
+	taglist = calloc(anchor->numDS + anchor->numDNSKEY, sizeof(*taglist));
+	if(!taglist) {
+		lock_basic_unlock(&anchor->lock);
+		return 0;
+	}
+
+	numtag = anchor_list_keytags(anchor, taglist,
+		anchor->numDS+anchor->numDNSKEY);
+	lock_basic_unlock(&anchor->lock);
+	if(!numtag) {
+		free(taglist);
+		return 0;
+	}
+	tl = taglist;
+	for(i=0; i<numtag; i++) {
+		if(*tl == keytag) {
+			free(taglist);
+			return 1;
+		}
+		tl++;
+	}
+	free(taglist);
+	return 0;
+}

validator/val_anchor.h

@@ -227,4 +227,19 @@ void anchors_delete_insecure(struct val_anchors* anchors, uint16_t c,
  */
 size_t anchor_list_keytags(struct trust_anchor* ta, uint16_t* list, size_t num);
 
+/**
+ * Check if there is a trust anchor for given zone with this keytag.
+ *
+ * @param anchors: anchor storage
+ * @param name: name of trust anchor (wireformat)
+ * @param namelabs: labels in name
+ * @param namelen: length of name
+ * @param dclass: class of trust anchor
+ * @param keytag: keytag
+ * @return 1 if there is a trust anchor in the trustachor store for this zone
+ * and keytag, else 0.
+ */
+int anchor_has_keytag(struct val_anchors* anchors, uint8_t* name, int namelabs,
+	size_t namelen, uint16_t dclass, uint16_t keytag);
+
 #endif /* VALIDATOR_VAL_ANCHOR_H */

validator/validator.c

@@ -40,6 +40,7 @@
  * According to RFC 4034.
  */
 #include "config.h"
+#include <ctype.h>
 #include "validator/validator.h"
 #include "validator/val_anchor.h"
 #include "validator/val_kcache.h"
@@ -477,6 +478,31 @@ generate_keytag_query(struct module_qstate* qstate, int id,
 	return 1;
 }
 
+/**
+ * Get keytag as uint16_t from string
+ *
+ * @param start: start of string containing keytag
+ * @param keytag: pointer where to store the extracted keytag
+ * @return: 1 if keytag was extracted, else 0.
+ */
+static int
+sentinel_get_keytag(char* start, uint16_t* keytag) {
+	char* keytag_str;
+	char* e = NULL;
+	keytag_str = calloc(1, SENTINEL_KEYTAG_LEN + 1 /* null byte */);
+	if(!keytag_str)
+		return 0;
+	strncpy(keytag_str, start, SENTINEL_KEYTAG_LEN);
+	keytag_str[SENTINEL_KEYTAG_LEN] = '\0';
+	*keytag = (uint16_t)strtol(keytag_str, &e, 10);
+	if(!e || *e != '\0') {
+		free(keytag_str);
+		return 0;
+	}
+	free(keytag_str);
+	return 1;
+}
+
 /**
  * Prime trust anchor for use.
  * Generate and dispatch a priming query for the given trust anchor.
@@ -2223,6 +2249,34 @@ processFinished(struct module_qstate* qstate, struct val_qstate* vq,
 			vq->orig_msg->rep->security = sec_status_indeterminate;
 	}
 
+	if(vq->orig_msg->rep->security == sec_status_secure &&
+		qstate->env->cfg->root_key_sentinel &&
+		(qstate->qinfo.qtype == LDNS_RR_TYPE_A ||
+		qstate->qinfo.qtype == LDNS_RR_TYPE_AAAA)) {
+		char* keytag_start;
+		uint16_t keytag;
+		if(*qstate->qinfo.qname == strlen(SENTINEL_IS) +
+			SENTINEL_KEYTAG_LEN &&
+			dname_lab_startswith(qstate->qinfo.qname, SENTINEL_IS,
+			&keytag_start)) {
+			if(sentinel_get_keytag(keytag_start, &keytag) &&
+				!anchor_has_keytag(qstate->env->anchors,
+				(uint8_t*)"", 1, 0, vq->qchase.qclass, keytag)) {
+				vq->orig_msg->rep->security =
+					sec_status_secure_sentinel_fail;
+			}
+		} else if(*qstate->qinfo.qname == strlen(SENTINEL_NOT) +
+			SENTINEL_KEYTAG_LEN &&
+			dname_lab_startswith(qstate->qinfo.qname, SENTINEL_NOT,
+			&keytag_start)) {
+			if(sentinel_get_keytag(keytag_start, &keytag) &&
+				anchor_has_keytag(qstate->env->anchors,
+				(uint8_t*)"", 1, 0, vq->qchase.qclass, keytag)) {
+				vq->orig_msg->rep->security =
+					sec_status_secure_sentinel_fail;
+			}
+		}
+	}
 	/* store results in cache */
 	if(qstate->query_flags&BIT_RD) {
 		/* if secure, this will override cache anyway, no need

validator/validator.h

@@ -67,6 +67,13 @@ struct config_strlist;
 /** max number of query restarts, number of IPs to probe */
 #define VAL_MAX_RESTART_COUNT 5
 
+/** Root key sentinel is ta preamble */
+#define SENTINEL_IS		"root-key-sentinel-is-ta-"
+/** Root key sentinel is not ta preamble */
+#define SENTINEL_NOT		"root-key-sentinel-not-ta-"
+/** Root key sentinal keytag length */
+#define SENTINEL_KEYTAG_LEN	5
+
 /**
  * Global state for the validator. 
  */