From 15accc2765de9cc379eb1042e14b7b519efdb7a0 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Wed, 9 Dec 2015 18:09:06 +0100
Subject: [PATCH] resolved: when matching up RRSIG and DNSKEY RRs, use the
 RRSIG's signer name, not the owner name

When the DNSKEY is in higher zone, then that's OK, and we need to check
the RRSIG's signer name against the DNSKEY hence.
---
 src/resolve/resolved-dns-dnssec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c
index 75797db6c82..af94565713e 100644
--- a/src/resolve/resolved-dns-dnssec.c
+++ b/src/resolve/resolved-dns-dnssec.c
@@ -477,7 +477,7 @@ int dnssec_rrsig_match_dnskey(DnsResourceRecord *rrsig, DnsResourceRecord *dnske
         if (dnssec_keytag(dnskey) != rrsig->rrsig.key_tag)
                 return 0;
 
-        return dns_name_equal(DNS_RESOURCE_KEY_NAME(dnskey->key), DNS_RESOURCE_KEY_NAME(rrsig->key));
+        return dns_name_equal(DNS_RESOURCE_KEY_NAME(dnskey->key), rrsig->rrsig.signer);
 }
 
 int dnssec_key_match_rrsig(DnsResourceKey *key, DnsResourceRecord *rrsig) {
@@ -508,7 +508,7 @@ int dnssec_verify_rrset_search(
 
         assert(key);
 
-        /* Verifies all RRs from "a" that match the key "key", against DNSKEY RRs in "validated_dnskeys" */
+        /* Verifies all RRs from "a" that match the key "key", against DNSKEY and DS RRs in "validated_dnskeys" */
 
         if (!a || a->n_rrs <= 0)
                 return -ENODATA;
-- 
2.39.5