resolved: never authenticate RRsets with revoked keys

author: Lennart Poettering <lennart@poettering.net> 2016-01-03 17:56:50 +0100
committer: Lennart Poettering <lennart@poettering.net> 2016-01-03 17:56:50 +0100
commit: 28b8191e2f391f043d380d47eb79ed9ff66f14bd (patch)
tree: e06b5d74a6f15fe487ff96439eeb93b91fd561f2 /src/resolve/resolved-dns-dnssec.c
parent: 1d3db294fca96fff0a7f8cff4eeeb42460ac21ac (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c
index 6e6e62b132..606d681779 100644
--- a/src/resolve/resolved-dns-dnssec.c
+++ b/src/resolve/resolved-dns-dnssec.c
@@ -671,6 +671,8 @@ int dnssec_rrsig_match_dnskey(DnsResourceRecord *rrsig, DnsResourceRecord *dnske
                 return 0;
         if ((dnskey->dnskey.flags & DNSKEY_FLAG_ZONE_KEY) == 0)
                 return 0;
+        if ((dnskey->dnskey.flags & DNSKEY_FLAG_REVOKE))
+                return 0;
         if (dnskey->dnskey.protocol != 3)
                 return 0;
         if (dnskey->dnskey.algorithm != rrsig->rrsig.algorithm)
author	Lennart Poettering <lennart@poettering.net>	2016-01-03 17:56:50 +0100
committer	Lennart Poettering <lennart@poettering.net>	2016-01-03 17:56:50 +0100
commit	28b8191e2f391f043d380d47eb79ed9ff66f14bd (patch)
tree	e06b5d74a6f15fe487ff96439eeb93b91fd561f2 /src/resolve/resolved-dns-dnssec.c
parent	1d3db294fca96fff0a7f8cff4eeeb42460ac21ac (diff)