diff options
author | Lennart Poettering <lennart@poettering.net> | 2015-12-09 18:11:28 +0100 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2015-12-10 11:35:52 +0100 |
commit | aa89931749f081be8b1f90643c81ae2860257e53 (patch) | |
tree | a07b4cde29ec11173031273e756ff6f559129676 | |
parent | 15accc2765de9cc379eb1042e14b7b519efdb7a0 (diff) |
resolved: when matching up DNSKEY and DS RRs, it's fine if we don't support the DNSKEY's algorithm
As long as we support the digest we are good.
-rw-r--r-- | src/resolve/resolved-dns-dnssec.c | 8 |
1 files changed, 3 insertions, 5 deletions
diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c index af94565713..8cfed27a34 100644 --- a/src/resolve/resolved-dns-dnssec.c +++ b/src/resolve/resolved-dns-dnssec.c @@ -654,16 +654,14 @@ int dnssec_verify_dnskey(DnsResourceRecord *dnskey, DnsResourceRecord *ds) { if (dnskey->dnskey.protocol != 3) return -EKEYREJECTED; - if (!dnssec_algorithm_supported(dnskey->dnskey.algorithm)) - return -EOPNOTSUPP; - if (!dnssec_digest_supported(ds->ds.digest_type)) - return -EOPNOTSUPP; - if (dnskey->dnskey.algorithm != ds->ds.algorithm) return 0; if (dnssec_keytag(dnskey) != ds->ds.key_tag) return 0; + if (!dnssec_digest_supported(ds->ds.digest_type)) + return -EOPNOTSUPP; + switch (ds->ds.digest_type) { case DNSSEC_DIGEST_SHA1: |