summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2015-12-22 18:20:09 +0100
committerLennart Poettering <lennart@poettering.net>2015-12-26 19:09:10 +0100
commitd1c4ee32480cb997b673ca8396ca95c70be610f7 (patch)
treeee0b87656bef0a1b9bccf845d6b3928aa8ee9de1
parent6b2f709364b3bb4277de3d6fa2e5b45ba3c12424 (diff)
resolved: be stricter when searching for a DS RR for a DNSKEY RR
-rw-r--r--src/resolve/resolved-dns-dnssec.c9
1 files changed, 9 insertions, 0 deletions
diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c
index 482ee4a0b3..f37f1d91be 100644
--- a/src/resolve/resolved-dns-dnssec.c
+++ b/src/resolve/resolved-dns-dnssec.c
@@ -831,6 +831,15 @@ int dnssec_verify_dnskey_search(DnsResourceRecord *dnskey, DnsAnswer *validated_
if (ds->key->type != DNS_TYPE_DS)
continue;
+ if (ds->key->class != dnskey->key->class)
+ continue;
+
+ r = dns_name_equal(DNS_RESOURCE_KEY_NAME(dnskey->key), DNS_RESOURCE_KEY_NAME(ds->key));
+ if (r < 0)
+ return r;
+ if (r == 0)
+ continue;
+
r = dnssec_verify_dnskey(dnskey, ds);
if (r < 0)
return r;