git.ipfire.org Git - thirdparty/systemd.git/commit

author	Lennart Poettering <lennart@poettering.net>
	Thu, 7 Jan 2016 19:33:31 +0000 (20:33 +0100)
committer	Lennart Poettering <lennart@poettering.net>
	Mon, 11 Jan 2016 18:39:59 +0000 (19:39 +0100)
commit	c9c72065419e6595131a6fe1e663e2184a843f7c
tree	1706d1d0ab0ea9cc4c960af9977c5e4235fa0661	tree \| snapshot
parent	d12315a4c883af968ec5ffb36a5aed3dc43b7ce7	commit \| diff

resolved: when validating, first strip revoked trust anchor keys from validated keys list

When validating a transaction we initially collect DNSKEY, DS, SOA RRs
in the "validated_keys" list, that we need for the proofs. This includes
DNSKEY and DS data from our trust anchor database. Quite possibly we
learn that some of these DNSKEY/DS RRs have been revoked between the
time we request and collect those additional RRs and we begin the
validation step. In this case we need to make sure that the respective
DS/DNSKEY RRs are removed again from our list. This patch adds that, and
strips known revoked trust anchor RRs from the validated list before we
begin the actual validation proof, and each time we add more DNSKEY
material to it while we are doing the proof.

src/resolve/resolved-dns-rr.c		diff \| blob \| blame \| history
src/resolve/resolved-dns-rr.h		diff \| blob \| blame \| history
src/resolve/resolved-dns-transaction.c		diff \| blob \| blame \| history
src/resolve/resolved-dns-trust-anchor.c		diff \| blob \| blame \| history
src/resolve/resolved-dns-trust-anchor.h		diff \| blob \| blame \| history