From e497292abac908cae4f814bcdda2654ffb4bef0b Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Wed, 6 Jan 2016 00:57:21 +0100
Subject: resolved: count unsupported dnssec algorithm as indeterminate RRset

After all, when we don't support the algorithm we cannot determine
validity.
---
 src/resolve/resolved-dns-transaction.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

(limited to 'src/resolve/resolved-dns-transaction.c')

diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c
index 7212fb9c4d..8631afadb2 100644
--- a/src/resolve/resolved-dns-transaction.c
+++ b/src/resolve/resolved-dns-transaction.c
@@ -2404,10 +2404,9 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) {
                                 if (IN_SET(result,
                                            DNSSEC_INVALID,
                                            DNSSEC_SIGNATURE_EXPIRED,
-                                           DNSSEC_NO_SIGNATURE,
-                                           DNSSEC_UNSUPPORTED_ALGORITHM))
+                                           DNSSEC_NO_SIGNATURE))
                                         t->scope->manager->n_dnssec_bogus++;
-                                else
+                                else /* DNSSEC_MISSING_KEY or DNSSEC_UNSUPPORTED_ALGORITHM */
                                         t->scope->manager->n_dnssec_indeterminate++;
 
                                 r = dns_transaction_is_primary_response(t, rr);
-- 
cgit v1.2.3-54-g00ecf