resolved: be stricter when searching for a DS RR for a DNSKEY RR

2015-12-22 18:20:09 +01:00 · 2015-12-22 18:20:09 +01:00 · d1c4ee3248
parent 6b2f709364
commit d1c4ee3248
1 changed files with 9 additions and 0 deletions
--- a/src/resolve/resolved-dns-dnssec.c
+++ b/src/resolve/resolved-dns-dnssec.c
@ -831,6 +831,15 @@ int dnssec_verify_dnskey_search(DnsResourceRecord *dnskey, DnsAnswer *validated_
                if (ds->key->type != DNS_TYPE_DS)
                        continue;

+                if (ds->key->class != dnskey->key->class)
+                        continue;
+
+                r = dns_name_equal(DNS_RESOURCE_KEY_NAME(dnskey->key), DNS_RESOURCE_KEY_NAME(ds->key));
+                if (r < 0)
+                        return r;
+                if (r == 0)
+                        continue;
+
                r = dnssec_verify_dnskey(dnskey, ds);
                if (r < 0)
                        return r;