diff options
-rw-r--r-- | src/resolve/resolved-dns-transaction.c | 22 |
1 files changed, 13 insertions, 9 deletions
diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c index aa1970bc34..14a5c0f06a 100644 --- a/src/resolve/resolved-dns-transaction.c +++ b/src/resolve/resolved-dns-transaction.c @@ -2552,18 +2552,22 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) { return r; /* Unless the NSEC proof showed that the key really doesn't exist something is off. */ - if (r == 0 || !authenticated) + if (r == 0) result = DNSSEC_INVALID; + else { + r = dns_answer_move_by_key(&validated, &t->answer, rr->key, authenticated ? (DNS_ANSWER_AUTHENTICATED|DNS_ANSWER_CACHEABLE) : 0); + if (r < 0) + return r; - r = dns_answer_move_by_key(&validated, &t->answer, rr->key, DNS_ANSWER_AUTHENTICATED|DNS_ANSWER_CACHEABLE); - if (r < 0) - return r; - - t->scope->manager->n_dnssec_secure++; + if (authenticated) + t->scope->manager->n_dnssec_secure++; + else + t->scope->manager->n_dnssec_insecure++; - /* Exit the loop, we dropped something from the answer, start from the beginning */ - changed = true; - break; + /* Exit the loop, we dropped something from the answer, start from the beginning */ + changed = true; + break; + } } if (result == DNSSEC_NO_SIGNATURE) { |