resoled: dnssec - don't refuse to verify answer due to too many unrelated RRs

Let VERIFY_RRS_MAX be about the max number of RRs in an RRSet that we actually try to verify, not about the total number of RRs in the RRSet.
2015-12-28 19:05:59 +01:00 · 2015-12-28 19:05:59 +01:00 · 935a999f7d
parent ac04adbeb9
commit 935a999f7d
1 changed files with 3 additions and 3 deletions
--- a/src/resolve/resolved-dns-dnssec.c
+++ b/src/resolve/resolved-dns-dnssec.c
@ -525,9 +525,6 @@ int dnssec_verify_rrset(
        if (md_algorithm < 0)
                return md_algorithm;

-        if (a->n_rrs > VERIFY_RRS_MAX)
-                return -E2BIG;
-
        r = dnssec_rrsig_expired(rrsig, realtime);
        if (r < 0)
                return r;
@ -552,6 +549,9 @@ int dnssec_verify_rrset(
                        return r;

                list[n++] = rr;
+
+                if (n > VERIFY_RRS_MAX)
+                        return -E2BIG;
        }

        if (n <= 0)