resolved: when matching up RRSIG and DNSKEY RRs, use the RRSIG's signer name, not the owner name

When the DNSKEY is in higher zone, then that's OK, and we need to check the RRSIG's signer name against the DNSKEY hence.
author: Lennart Poettering <lennart@poettering.net> 2015-12-09 18:09:06 +0100
committer: Lennart Poettering <lennart@poettering.net> 2015-12-10 11:35:52 +0100
commit: 15accc2765de9cc379eb1042e14b7b519efdb7a0 (patch)
tree: aea6fba86de1d2e5a623d12c0baa84fd088b3d6e /src
parent: 6c5e8fbf4e4362c7d6db43e316880a16b1ebd620 (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c
index 75797db6c8..af94565713 100644
--- a/src/resolve/resolved-dns-dnssec.c
+++ b/src/resolve/resolved-dns-dnssec.c
@@ -477,7 +477,7 @@ int dnssec_rrsig_match_dnskey(DnsResourceRecord *rrsig, DnsResourceRecord *dnske
         if (dnssec_keytag(dnskey) != rrsig->rrsig.key_tag)
                 return 0;
 
-        return dns_name_equal(DNS_RESOURCE_KEY_NAME(dnskey->key), DNS_RESOURCE_KEY_NAME(rrsig->key));
+        return dns_name_equal(DNS_RESOURCE_KEY_NAME(dnskey->key), rrsig->rrsig.signer);
 }
 
 int dnssec_key_match_rrsig(DnsResourceKey *key, DnsResourceRecord *rrsig) {
@@ -508,7 +508,7 @@ int dnssec_verify_rrset_search(
 
         assert(key);
 
-        /* Verifies all RRs from "a" that match the key "key", against DNSKEY RRs in "validated_dnskeys" */
+        /* Verifies all RRs from "a" that match the key "key", against DNSKEY and DS RRs in "validated_dnskeys" */
 
         if (!a || a->n_rrs <= 0)
                 return -ENODATA;
author	Lennart Poettering <lennart@poettering.net>	2015-12-09 18:09:06 +0100
committer	Lennart Poettering <lennart@poettering.net>	2015-12-10 11:35:52 +0100
commit	15accc2765de9cc379eb1042e14b7b519efdb7a0 (patch)
tree	aea6fba86de1d2e5a623d12c0baa84fd088b3d6e /src
parent	6c5e8fbf4e4362c7d6db43e316880a16b1ebd620 (diff)