diff options
| author | Lennart Poettering <lennart@poettering.net> | 2015-12-11 13:55:26 +0100 | 
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2015-12-11 14:14:27 +0100 | 
| commit | 203f1b35d962bab3c67ecf57ce6bd9ec87bf7078 (patch) | |
| tree | 56a31af821e5be67ac8b721d0107cab93f0303f2 /src/resolve/resolved-dns-cache.h | |
| parent | 79e249313887840e0fc52f69afc0daeed754bff1 (diff) | |
resolved: rework dnssec validation results
This adds a new validation result DNSSEC_UNSUPPORTED_ALGORITHM which is
returned when we encounter an unsupported crypto algorithm when trying
to validate RRSIG/DNSKEY combinations. Previously we'd return ENOTSUPP
in this case, but it's better to consider this a non-error DNSSEC
validation result, since our reaction to this case needs to be more like
in cases such as expired or missing keys: we need to keep continue
validation looking for another RRSIG/DNSKEY combination that works
better for us.
This also reworks how dnssec_validate_rrsig_search() propagates errors
from dnssec_validate_rrsig(). Previously, errors such as unsupported
algorithms or expired signatures would not be propagated, but simply be
returned as "missing-key".
Diffstat (limited to 'src/resolve/resolved-dns-cache.h')
0 files changed, 0 insertions, 0 deletions
