summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2015-12-09 18:11:28 +0100
committerLennart Poettering <lennart@poettering.net>2015-12-10 11:35:52 +0100
commitaa89931749f081be8b1f90643c81ae2860257e53 (patch)
treea07b4cde29ec11173031273e756ff6f559129676
parent15accc2765de9cc379eb1042e14b7b519efdb7a0 (diff)
resolved: when matching up DNSKEY and DS RRs, it's fine if we don't support the DNSKEY's algorithm
As long as we support the digest we are good.
-rw-r--r--src/resolve/resolved-dns-dnssec.c8
1 files changed, 3 insertions, 5 deletions
diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c
index af94565713..8cfed27a34 100644
--- a/src/resolve/resolved-dns-dnssec.c
+++ b/src/resolve/resolved-dns-dnssec.c
@@ -654,16 +654,14 @@ int dnssec_verify_dnskey(DnsResourceRecord *dnskey, DnsResourceRecord *ds) {
if (dnskey->dnskey.protocol != 3)
return -EKEYREJECTED;
- if (!dnssec_algorithm_supported(dnskey->dnskey.algorithm))
- return -EOPNOTSUPP;
- if (!dnssec_digest_supported(ds->ds.digest_type))
- return -EOPNOTSUPP;
-
if (dnskey->dnskey.algorithm != ds->ds.algorithm)
return 0;
if (dnssec_keytag(dnskey) != ds->ds.key_tag)
return 0;
+ if (!dnssec_digest_supported(ds->ds.digest_type))
+ return -EOPNOTSUPP;
+
switch (ds->ds.digest_type) {
case DNSSEC_DIGEST_SHA1: