summaryrefslogtreecommitdiff
path: root/src/resolve/resolved-dns-cache.h
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2015-12-11 13:55:26 +0100
committerLennart Poettering <lennart@poettering.net>2015-12-11 14:14:27 +0100
commit203f1b35d962bab3c67ecf57ce6bd9ec87bf7078 (patch)
tree56a31af821e5be67ac8b721d0107cab93f0303f2 /src/resolve/resolved-dns-cache.h
parent79e249313887840e0fc52f69afc0daeed754bff1 (diff)
resolved: rework dnssec validation results
This adds a new validation result DNSSEC_UNSUPPORTED_ALGORITHM which is returned when we encounter an unsupported crypto algorithm when trying to validate RRSIG/DNSKEY combinations. Previously we'd return ENOTSUPP in this case, but it's better to consider this a non-error DNSSEC validation result, since our reaction to this case needs to be more like in cases such as expired or missing keys: we need to keep continue validation looking for another RRSIG/DNSKEY combination that works better for us. This also reworks how dnssec_validate_rrsig_search() propagates errors from dnssec_validate_rrsig(). Previously, errors such as unsupported algorithms or expired signatures would not be propagated, but simply be returned as "missing-key".
Diffstat (limited to 'src/resolve/resolved-dns-cache.h')
0 files changed, 0 insertions, 0 deletions