author | Tom Gundersen <teg@jklm.no> | 2015-12-28 19:05:59 +0100 |
---|---|---|
committer | Tom Gundersen <teg@jklm.no> | 2016-01-01 16:48:52 +0100 |
commit | 935a999f7d6881af2e888316be7165801420dc5f (patch) | |
tree | 45cccae2fb53d6951986a850636a2f881c0b9de0 /src/resolve | |
parent | ac04adbeb9d0b19e77a715715be24779f7dcf1b2 (diff) |
resoled: dnssec - don't refuse to verify answer due to too many unrelated RRs
Let VERIFY_RRS_MAX be about the max number of RRs in an RRSet that we
actually try to verify, not about the total number of RRs in the RRSet.
Diffstat (limited to 'src/resolve')
-rw-r--r-- | src/resolve/resolved-dns-dnssec.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c
index 6a6aabc18f..552fd48fba 100644
--- a/src/resolve/resolved-dns-dnssec.c
+++ b/src/resolve/resolved-dns-dnssec.c
@@ -525,9 +525,6 @@ int dnssec_verify_rrset(
 if (md_algorithm < 0)
 return md_algorithm;
- if (a->n_rrs > VERIFY_RRS_MAX)
- return -E2BIG;
-
 r = dnssec_rrsig_expired(rrsig, realtime);
 if (r < 0)
 return r;
@@ -552,6 +549,9 @@ int dnssec_verify_rrset(
 return r;
 list[n++] = rr;
+
+ if (n > VERIFY_RRS_MAX)
+ return -E2BIG;
 }
 if (n <= 0) |
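Review bot: The relocated limit in the second hunk is tested only after `list[n++] = rr;`, so the store for entry VERIFY_RRS_MAX + 1 happens before the function bails out, and nothing visible now bounds `a->n_rrs` itself. The allocation of `list` is outside both hunks; if it is sized from `a->n_rrs` (and especially if it lives on the stack), its size now follows the RR count of an answer received from the network rather than the constant, which is worth confirming before merging. Testing before the store, `if (n >= VERIFY_RRS_MAX) return -E2BIG;` placed ahead of `list[n++] = rr;`, keeps the same accepted maximum and would let `list` be capped at VERIFY_RRS_MAX entries. A short comment such as `/* Bound the RRs we actually verify, not the whole answer */` at the check would record the intent stated in the commit message. The body of dnssec_verify_rrset starts and ends outside the hunks.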