summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--src/resolve/resolved-dns-transaction.c22
1 files changed, 13 insertions, 9 deletions
diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c
index aa1970bc34..14a5c0f06a 100644
--- a/src/resolve/resolved-dns-transaction.c
+++ b/src/resolve/resolved-dns-transaction.c
@@ -2552,18 +2552,22 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) {
return r;
/* Unless the NSEC proof showed that the key really doesn't exist something is off. */
- if (r == 0 || !authenticated)
+ if (r == 0)
result = DNSSEC_INVALID;
+ else {
+ r = dns_answer_move_by_key(&validated, &t->answer, rr->key, authenticated ? (DNS_ANSWER_AUTHENTICATED|DNS_ANSWER_CACHEABLE) : 0);
+ if (r < 0)
+ return r;
- r = dns_answer_move_by_key(&validated, &t->answer, rr->key, DNS_ANSWER_AUTHENTICATED|DNS_ANSWER_CACHEABLE);
- if (r < 0)
- return r;
-
- t->scope->manager->n_dnssec_secure++;
+ if (authenticated)
+ t->scope->manager->n_dnssec_secure++;
+ else
+ t->scope->manager->n_dnssec_insecure++;
- /* Exit the loop, we dropped something from the answer, start from the beginning */
- changed = true;
- break;
+ /* Exit the loop, we dropped something from the answer, start from the beginning */
+ changed = true;
+ break;
+ }
}
if (result == DNSSEC_NO_SIGNATURE) {