From aa89931749f081be8b1f90643c81ae2860257e53 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Wed, 9 Dec 2015 18:11:28 +0100
Subject: resolved: when matching up DNSKEY and DS RRs, it's fine if we don't support the DNSKEY's algorithm
As long as we support the digest we are good.
---
 src/resolve/resolved-dns-dnssec.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c
index af94565713..8cfed27a34 100644
--- a/src/resolve/resolved-dns-dnssec.c
+++ b/src/resolve/resolved-dns-dnssec.c
@@ -654,16 +654,14 @@ int dnssec_verify_dnskey(DnsResourceRecord *dnskey, DnsResourceRecord *ds) {
         if (dnskey->dnskey.protocol != 3)
                 return -EKEYREJECTED;
-        if (!dnssec_algorithm_supported(dnskey->dnskey.algorithm))
-                return -EOPNOTSUPP;
-        if (!dnssec_digest_supported(ds->ds.digest_type))
-                return -EOPNOTSUPP;
-
         if (dnskey->dnskey.algorithm != ds->ds.algorithm)
                 return 0;
         if (dnssec_keytag(dnskey) != ds->ds.key_tag)
                 return 0;
+        if (!dnssec_digest_supported(ds->ds.digest_type))
+                return -EOPNOTSUPP;
+
         switch (ds->ds.digest_type) {
         case DNSSEC_DIGEST_SHA1:
-- 
cgit v1.2.3-54-g00ecf
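Review bot: Dropping the `dnssec_algorithm_supported()` check changes the contract of dnssec_verify_dnskey(): a DNSKEY whose algorithm resolved cannot verify signatures with now matches its DS (positive return) whenever only the digest agrees, so callers outside this hunk must no longer read a match as "this key can validate RRSIGs" and need their own algorithm check before using the key — RFC 4035 §5.2 lets a validator treat a delegation whose matching keys all use unsupported algorithms as having no supported authentication path, but that decision now lives with the caller. I would record this above the algorithm comparison: `/* NOTE: the DNSKEY's algorithm is deliberately not required to be supported here; a DS match only ties the key to the delegation, and RRSIG verification with an unsupported algorithm has to be rejected by the caller. */`. A side effect is that dnssec_keytag() now runs on keys of any algorithm, and RFC 4034 Appendix B.1 defines a different key tag computation for algorithm 1 (RSA/MD5); if dnssec_keytag() (not visible here) implements only the generic formula, such a DS/DNSKEY pair silently returns 0 (no match) instead of -EOPNOTSUPP, which fails closed but hides the reason. Moving the digest check after the key-tag comparison also means a DS with an unsupported digest type but a non-matching key tag now yields 0 rather than -EOPNOTSUPP; that looks intended, but callers that map -EOPNOTSUPP to "treat this DS as absent" (RFC 6840 §5.2) should be re-checked against the narrower set of cases that still reach it. The enclosing function starts before this hunk and the switch continues past it.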