From: Vladimír Čunát Date: Mon, 4 Mar 2024 18:59:54 +0000 (+0100) Subject: lib/dnssec nit: reverse order of validating a DNSKEY set X-Git-Tag: v6.0.7~16^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fenvironments%2Fdocs-develop-dnsk-496k20%2Fdeployments%2F3414;p=thirdparty%2Fknot-resolver.git lib/dnssec nit: reverse order of validating a DNSKEY set Suggested by Libor Peltan. ---
diff --git a/lib/dnssec.c b/lib/dnssec.c
index 6d809abf7..646ec8280 100644
--- a/lib/dnssec.c
+++ b/lib/dnssec.c
@@ -467,9 +467,13 @@ int kr_dnskeys_trusted(kr_rrset_validation_ctx_t *vctx, const knot_rdataset_t *s
 	/* RFC4035 5.2, bullet 1
 	 * The supplied DS record has been authenticated.
 	 * It has been validated or is part of a configured trust anchor.
+	 *
+	 * We iterate backwards. That way we try keys with the SEP flag
+	 * before those without it - and thus likely succeed faster.
 	 */
-	knot_rdata_t *krr = keys->rrs.rdata;
-	for (int i = 0; i < keys->rrs.count; ++i, krr = knot_rdataset_next(krr)) {
+	for (int i = keys->rrs.count; --i >= 0; ) {
+		const knot_rdata_t *krr = knot_rdataset_at(&keys->rrs, i);
+
 		/* RFC4035 5.3.1, bullet 8 requires the Zone Flag bit */
 		if (!kr_dnssec_key_usable(krr->data))
 			continue;
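Review bot: The added comment above the reversed loop states that iterating backwards tries SEP keys first but not why, which leaves it reading like an assumption about the order the keys arrived in rather than a property of the container; if libknot keeps rdatasets in canonical byte order, as I believe it does, a flags word of 257 sorts after 256, and that is what puts SEP keys at the tail. I would extend the comment so the next maintainer does not turn the heuristic into a short-circuit, e.g. `* DNSKEY rdata are kept in canonical order, so flags 257 (SEP) sort after 256; this is only a speed shortcut - every key is still tried, since the SEP bit is merely a hint.` Separately, `knot_rdataset_at(&keys->rrs, i)` on every iteration presumably walks the rdata from the start, so the loop is quadratic in the number of DNSKEYs; that is negligible for realistic key sets but worth a one-line note, given the RRset comes off the wire. The loop body and the rest of kr_dnskeys_trusted continue past the end of the hunk.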