Fix bug in DLV. Iana portlist.

git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@1762 be551aaa-1e26-0410-a405-d3ace91eadb9

doc/Changelog

@@ -1,5 +1,8 @@
 14 August 2009: Wouter
 	- unbound-control lookup prints out infra cache information, like RTT.
+	- Fix bug in DLV lookup reported by Amanda from Secure64.
+	  It could sometimes wrongly classify a domain as unsigned, which
+	  does not give the AD bit on replies.
 
 13 August 2009: Wouter
 	- autotrust read anchor files. locked trust anchors.

testdata/dlv_negnx.rpl

@@ -0,0 +1,402 @@
+; config options
+; The island of trust is at example.com (the DLV repository)
+server:
+	dlv-anchor: "example.com.    3600    IN      DS      2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
+	val-override-date: "20070916134226"
+	target-fetch-policy: "0 0 0 0 0"
+
+stub-zone:
+	name: "."
+	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test validator with DLV anchor for negcache nxdomain proof
+; put a DLV in the negcache.
+; then test ask-higher with that in the cache.
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+	ADDRESS 193.0.14.129 
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS	K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN A
+SECTION AUTHORITY
+com.	IN NS	a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net.	IN 	A	192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+net. IN A
+SECTION AUTHORITY
+net.	IN NS	a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net.	IN 	A	192.5.6.30
+ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+	ADDRESS 192.5.6.30
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION ANSWER
+com.    IN NS   a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net.     IN      A       192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+net. IN NS
+SECTION ANSWER
+net.    IN NS   a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net.     IN      A       192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN A
+SECTION AUTHORITY
+example.com.	IN NS	ns.example.com.
+SECTION ADDITIONAL
+ns.example.com.		IN 	A	1.2.3.4
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+example.net. IN A
+SECTION AUTHORITY
+example.net.	IN NS	ns.example.net.
+SECTION ADDITIONAL
+ns.example.net.		IN 	A	1.2.3.5
+ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+	ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION ANSWER
+example.com.    IN NS   ns.example.com.
+example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
+SECTION ADDITIONAL
+ns.example.com.         IN      A       1.2.3.4
+ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
+ENTRY_END
+
+; response to DNSKEY priming query
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN DNSKEY
+SECTION ANSWER
+example.com.    3600    IN      DNSKEY  256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
+example.com.    3600    IN      RRSIG   DNSKEY 3 2 3600 20070926134802 20070829134802 2854 example.com. MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg== ;{id = 2854}
+SECTION AUTHORITY
+example.com.	IN NS	ns.example.com.
+example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
+SECTION ADDITIONAL
+ns.example.com.		IN 	A	1.2.3.4
+ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
+ENTRY_END
+
+; DLV query
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.net.example.com. IN DLV
+SECTION ANSWER
+example.net.example.com.	3600	IN	DLV	30899 5 1 14188c885f20623ad1d3bec42798f3f951793e4c ; xehac-mofum-malyd-bomaf-pegit-fuzes-ganin-misiz-nigel-nozog-soxix
+example.net.example.com.	3600	IN	RRSIG	DLV 3 4 3600 20070926134150 20070829134150 2854 example.com. ACK48Q/oKwh/SM9yRiKjZYuc+AtEZ2yCPNJ15kKCN8nsVcv7xigmNTY= ;{id = 2854}
+SECTION AUTHORITY
+example.com.	IN NS	ns.example.com.
+example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
+SECTION ADDITIONAL
+ns.example.com.		IN 	A	1.2.3.4
+ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
+ENTRY_END
+
+; under example.net in DLV
+ENTRY_BEGIN
+MATCH opcode qtype subdomain
+ADJUST copy_id copy_query
+REPLY QR NXDOMAIN
+SECTION QUESTION
+example.net.example.com. IN DLV
+SECTION ANSWER
+SECTION AUTHORITY
+example.net.example.com.	3600	IN 	NSEC fru.net.example.com. RRSIG NSEC DLV
+example.net.example.com.	3600	IN	RRSIG	NSEC 3 4 3600 20070926134150 20070829134150 2854 example.com. AI6NNKt4dGcAdCrW73GYwyoqelsdj1dd8mBNPpHRQIL0yp7yYFZ7kXU= ;{id = 2854}
+example.com. IN SOA . . 1 2 3 4 5
+example.com.	3600	IN	RRSIG	SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AIkRPbv+kZaiG61pH/wQy8fX2UqQS5YRwHaxe4yjEUXk59fgO71Db3s= ;{id = 2854}
+SECTION ADDITIONAL
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+net.example.com. IN DLV
+SECTION ANSWER
+SECTION AUTHORITY
+example.com. IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
+example.com.	3600	IN	RRSIG	SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AKPJnPBqfJKxE4P2iVYkSRJno9HmiXJZtjdqE8oBeq9Lk9FytcMdcig= ;{id = 2854}
+example.com IN NSEC example.net.example.com. SOA NS RRSIG NSEC
+example.com.	3600	IN	RRSIG	NSEC 3 2 3600 20070926134150 20070829134150 2854 example.com. AIoUkJ04/7/kJFDLocoqksqt9UL2RHHwlRfXAMxGdBHcNO+GSpG47Uk= ;{id = 2854}
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NXDOMAIN
+SECTION QUESTION
+com.example.com. IN DLV
+SECTION ANSWER
+SECTION AUTHORITY
+example.com. IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
+example.com.	3600	IN	RRSIG	SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AKPJnPBqfJKxE4P2iVYkSRJno9HmiXJZtjdqE8oBeq9Lk9FytcMdcig= ;{id = 2854}
+example.com IN NSEC example.net.example.com. SOA NS RRSIG NSEC
+example.com.	3600	IN	RRSIG	NSEC 3 2 3600 20070926134150 20070829134150 2854 example.com. AIoUkJ04/7/kJFDLocoqksqt9UL2RHHwlRfXAMxGdBHcNO+GSpG47Uk= ;{id = 2854}
+ENTRY_END
+
+RANGE_END
+
+; ns.example.net.
+RANGE_BEGIN 0 100
+	ADDRESS 1.2.3.5
+; DS RR is
+; example.net.	3600	IN	DS	30899 5 1 14188c885f20623ad1d3bec42798f3f951793e4c ; xehac-mofum-malyd-bomaf-pegit-fuzes-ganin-misiz-nigel-nozog-soxix
+; DNSKEY prime query
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.net. IN DNSKEY
+SECTION ANSWER
+; have it flushed out of the cache quickly.
+example.net.    0    IN      DNSKEY  256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
+example.net.    0    IN      RRSIG   DNSKEY RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. hiFzlQ8VoYgCuvIsfVuxC3mfJDqsTh0yc6abs5xMx5uEcIjb0dndFQx7INOM+imlzveEN73Hqp4OLFpFhsWLlw== ;{id = 30899}
+SECTION AUTHORITY
+example.net.    IN NS   ns.example.net.
+example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
+SECTION ADDITIONAL
+ns.example.net.         IN      A       1.2.3.5
+ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
+ENTRY_END
+
+; NS query
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.net. IN NS
+SECTION ANSWER
+example.net.    IN NS   ns.example.net.
+example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
+SECTION ADDITIONAL
+ns.example.net.         IN      A       1.2.3.5
+ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
+ENTRY_END
+
+; www.example.net query
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.net. IN A
+SECTION ANSWER
+www.example.net.	3600	IN	A	10.20.30.40
+www.example.net.	3600	IN	RRSIG	A 5 3 3600 20070926135752 20070829135752 30899 example.net. ACvv4RQVC7TbI57ewqFImRaVoymktJ5Cxn/FaCodIENt82LVM92nivbP2WtwWCsQHWp7FkrMxTlQTJwyAeXFyg== ;{id = 30899}
+SECTION AUTHORITY
+example.net.    IN NS   ns.example.net.
+example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
+SECTION ADDITIONAL
+ns.example.net.         IN      A       1.2.3.5
+ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
+ENTRY_END
+
+; subzone
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+sub1.example.net. IN A
+SECTION ANSWER
+SECTION AUTHORITY
+sub1.example.net.	3600	IN	DS	30899 5 1 8916603e54c6f7edcfd885602e3b7b8dc475ba5c ; xodec-komif-vehis-kotav-tefot-mecyk-biryf-rivym-ticol-huvyh-saxox
+sub1.example.net.	3600	IN	RRSIG	DS 5 3 3600 20070926134150 20070829134150 30899 example.net. A3vVrEY3+oIUqdbAa3tkKaU3o47eBD01hVXfAEAue1M+Uci2PA5YyiulLzStyiP75XUXkvubLQ2+ltKMTtfdag== ;{id = 30899}
+sub1.example.net. IN NS ns.sub1.example.net.
+SECTION ADDITIONAL
+ns.sub1.example.net. IN A 1.2.3.10
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+sub2.example.net. IN A
+SECTION ANSWER
+SECTION AUTHORITY
+sub2.example.net.	3600	IN	DS	30899 5 1 627f7a51f1545133fec3ecbd19b85b92b15679c9 ; ximil-zovah-casuh-gygef-fyzas-farir-tikir-mukon-disih-kavus-nyxex
+sub2.example.net.	3600	IN	RRSIG	DS 5 3 3600 20070926134150 20070829134150 30899 example.net. azMXKt4VPHj2hk5MDU6h8E/HOtNnHnIVS6Le3BV43wtJcHG5wlCxOksOZBOpXMkpbWLvbCJOOMPOnh31nlbjgg== ;{id = 30899}
+sub2.example.net. IN NS ns.sub2.example.net.
+SECTION ADDITIONAL
+ns.sub2.example.net. IN A 1.2.3.12
+ENTRY_END
+RANGE_END
+
+; sub1.example.net.
+; ns.example.net.
+RANGE_BEGIN 0 100
+	ADDRESS 1.2.3.10
+; DNSKEY query
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+sub1.example.net. IN DNSKEY
+SECTION ANSWER
+sub1.example.net.       3600    IN      DNSKEY  256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
+sub1.example.net.	3600	IN	RRSIG	DNSKEY 5 3 3600 20070926134150 20070829134150 30899 sub1.example.net. E200eTdRnkL7/fk54i1nXEE9a/rC2GxZfVkWMU044tpwV6d4XRxVhlFBzY4FytbRFFBUDhz7L3B0qC6BXJM8rg== ;{id = 30899}
+ENTRY_END
+
+; www query
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.sub1.example.net. IN A
+SECTION ANSWER
+www.sub1.example.net. IN A 192.168.1.1
+www.sub1.example.net.	3600	IN	RRSIG	A 5 4 3600 20070926134150 20070829134150 30899 sub1.example.net. JKxcjPjc/TsQmUmCYHLQa3cBk1c+SbDPtVml69nDWC167NNWG8OLjLrLtUBVCfbTzCmqOWXq2qhrGPxjO65GCQ== ;{id = 30899}
+ENTRY_END
+
+RANGE_END
+
+; sub2.example.net.
+RANGE_BEGIN 0 100
+	ADDRESS 1.2.3.12
+; DNSKEY query
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+sub2.example.net. IN DNSKEY
+SECTION ANSWER
+sub2.example.net.       3600    IN      DNSKEY  256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
+sub2.example.net.	3600	IN	RRSIG	DNSKEY 5 3 3600 20070926134150 20070829134150 30899 sub2.example.net. VcNaPuz9Mmjj5ofZqOa4FsixBomFJTjd/9wxhZOVdxf1LsNR5L++8k09gQvnjtCvqSPfNer/uv0xl+9sRr8Wmw== ;{id = 30899}
+ENTRY_END
+
+; www query
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.sub2.example.net. IN A
+SECTION ANSWER
+www.sub2.example.net. IN A 192.168.1.12
+www.sub2.example.net.	3600	IN	RRSIG	A 5 4 3600 20070926134150 20070829134150 30899 sub2.example.net. PsWY6+5/0+hsTOhNak/jdSeG44hvHgX5az1Q5XY/YkIchsflH9rmvP1EruFhflNhRR+22M7POiljYOoD5ylQXQ== ;{id = 30899}
+ENTRY_END
+
+RANGE_END
+
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+www.sub1.example.net. IN A
+ENTRY_END
+
+; recursion happens here.
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AD NOERROR
+SECTION QUESTION
+www.sub1.example.net. IN A
+SECTION ANSWER
+www.sub1.example.net. IN A 192.168.1.1
+www.sub1.example.net.   3600    IN      RRSIG   A 5 4 3600 20070926134150 20070829134150 30899 sub1.example.net. JKxcjPjc/TsQmUmCYHLQa3cBk1c+SbDPtVml69nDWC167NNWG8OLjLrLtUBVCfbTzCmqOWXq2qhrGPxjO65GCQ== ;{id = 30899}
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+
+; have example.net DNSKEY time out
+STEP 14 TIME_PASSES ELAPSE 1.0
+
+STEP 20 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+www.sub2.example.net. IN A
+ENTRY_END
+
+STEP 30 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AD NOERROR
+SECTION QUESTION
+www.sub2.example.net. IN A
+SECTION ANSWER
+www.sub2.example.net. IN A 192.168.1.12
+www.sub2.example.net.	3600	IN	RRSIG	A 5 4 3600 20070926134150 20070829134150 30899 sub2.example.net. PsWY6+5/0+hsTOhNak/jdSeG44hvHgX5az1Q5XY/YkIchsflH9rmvP1EruFhflNhRR+22M7POiljYOoD5ylQXQ== ;{id = 30899}
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+
+
+SCENARIO_END

util/iana_ports.inc

@@ -4033,6 +4033,7 @@
 5055,
 5056,
 5057,
+5058,
 5059,
 5060,
 5061,

validator/validator.c

@@ -1700,7 +1700,8 @@ val_dlv_init(struct module_qstate* qstate, struct val_qstate* vq,
 	if(val_neg_dlvlookup(ve->neg_cache, vq->dlv_lookup_name,
 		vq->dlv_lookup_name_len, vq->qchase.qclass,
 		qstate->env->rrset_cache, *qstate->env->now)) {
-		return 1;
+		dname_remove_label(&vq->dlv_lookup_name, 
+			&vq->dlv_lookup_name_len);
 	}
 
 	/* perform a lookup for the DLV; with validation */
@@ -1924,10 +1925,11 @@ processDLVLookup(struct module_qstate* qstate, struct val_qstate* vq,
 	if(val_neg_dlvlookup(ve->neg_cache, vq->dlv_lookup_name,
 		vq->dlv_lookup_name_len, vq->qchase.qclass,
 		qstate->env->rrset_cache, *qstate->env->now)) {
-		vq->dlv_status = dlv_there_is_no_dlv;
-		/* continue with the insecure result we got */
-		vq->state = VAL_FINISHED_STATE;
-		return 1;
+		/* does not exist, go up one (go higher). */
+		dname_remove_label(&vq->dlv_lookup_name, 
+			&vq->dlv_lookup_name_len);
+		/* limit number of labels, limited number of recursion */
+		return processDLVLookup(qstate, vq, ve, id);
 	}
 
 	if(!generate_request(qstate, id, vq->dlv_lookup_name,