From 935a999f7d6881af2e888316be7165801420dc5f Mon Sep 17 00:00:00 2001
From: Tom Gundersen
Date: Mon, 28 Dec 2015 19:05:59 +0100
Subject: [PATCH] resoled: dnssec - don't refuse to verify answer due to too many unrelated RRs

Let VERIFY_RRS_MAX be about the max number of RRs in an RRSet that we actually try to verify, not about the total number of RRs in the RRSet.
---
 src/resolve/resolved-dns-dnssec.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c
index 6a6aabc18f..552fd48fba 100644
--- a/src/resolve/resolved-dns-dnssec.c
+++ b/src/resolve/resolved-dns-dnssec.c
@@ -525,9 +525,6 @@ int dnssec_verify_rrset(
 if (md_algorithm < 0)
 return md_algorithm;
 
- if (a->n_rrs > VERIFY_RRS_MAX)
- return -E2BIG;
-
 r = dnssec_rrsig_expired(rrsig, realtime);
 if (r < 0)
 return r;
@@ -552,6 +549,9 @@ int dnssec_verify_rrset(
 return r;
 list[n++] = rr;
+
+ if (n > VERIFY_RRS_MAX)
+ return -E2BIG;
 }
 if (n <= 0)