author | Tom Gundersen <teg@jklm.no> | 2015-12-28 19:05:59 +0100 |
---|---|---|
committer | Tom Gundersen <teg@jklm.no> | 2016-01-01 16:48:52 +0100 |
commit | 935a999f7d6881af2e888316be7165801420dc5f (patch) | |
tree | 45cccae2fb53d6951986a850636a2f881c0b9de0 | |
parent | ac04adbeb9d0b19e77a715715be24779f7dcf1b2 (diff) |
resolved: dnssec - don't refuse to verify answer due to too many unrelated RRs
Let VERIFY_RRS_MAX be about the max number of RRs in an RRSet that we
actually try to verify, not about the total number of RRs in the RRSet.
-rw-r--r-- | src/resolve/resolved-dns-dnssec.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c
index 6a6aabc18f..552fd48fba 100644
--- a/src/resolve/resolved-dns-dnssec.c
+++ b/src/resolve/resolved-dns-dnssec.c
@@ -525,9 +525,6 @@ int dnssec_verify_rrset(
 if (md_algorithm < 0)
 return md_algorithm;
 
- if (a->n_rrs > VERIFY_RRS_MAX)
- return -E2BIG;
-
 r = dnssec_rrsig_expired(rrsig, realtime);
 if (r < 0)
 return r;
@@ -552,6 +549,9 @@ int dnssec_verify_rrset(
 return r;
 
 list[n++] = rr;
+
+ if (n > VERIFY_RRS_MAX)
+ return -E2BIG;
 }
 
 if (n <= 0)
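Review bot: In the second hunk the new bound is checked only after `list[n++] = rr;` has stored the entry, so the (VERIFY_RRS_MAX+1)-th matching RR is written before the check fires, and whether that store is in bounds depends on how `list` is sized, which is outside the hunk. If `list` is allocated with VERIFY_RRS_MAX slots rather than `a->n_rrs`, this is a one-element overflow; if it is sized by `a->n_rrs` the store is safe, but the guard still belongs before the write. Moving it ahead of the store, `if (n >= VERIFY_RRS_MAX) return -E2BIG;` immediately before `list[n++] = rr;`, rejects the same RRSets without ever writing past VERIFY_RRS_MAX entries and no longer depends on the allocation size. dnssec_verify_rrset() begins and ends outside both hunks.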