From d1c4ee32480cb997b673ca8396ca95c70be610f7 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Tue, 22 Dec 2015 18:20:09 +0100
Subject: [PATCH] resolved: be stricter when searching for a DS RR for a DNSKEY RR

---
 src/resolve/resolved-dns-dnssec.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c
index 482ee4a0b3b..f37f1d91be9 100644
--- a/src/resolve/resolved-dns-dnssec.c
+++ b/src/resolve/resolved-dns-dnssec.c
@@ -831,6 +831,15 @@ int dnssec_verify_dnskey_search(DnsResourceRecord *dnskey, DnsAnswer *validated_
  if (ds->key->type != DNS_TYPE_DS)
  continue;
 
+ if (ds->key->class != dnskey->key->class)
+ continue;
+
+ r = dns_name_equal(DNS_RESOURCE_KEY_NAME(dnskey->key), DNS_RESOURCE_KEY_NAME(ds->key));
+ if (r < 0)
+ return r;
+ if (r == 0)
+ continue;
+
  r = dnssec_verify_dnskey(dnskey, ds);
  if (r < 0)
  return r;
-- 
2.39.2
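Review bot: The new class and owner-name guards ahead of `dnssec_verify_dnskey(dnskey, ds)` have no comment explaining why they are needed, and the reason is a trust-boundary one that a later cleanup could undo. I would add above them `/* A DS RR may only vouch for a DNSKEY with the same class and owner name; never accept a validated DS that belongs to another name */`. The body of `dnssec_verify_dnskey()` is not in the hunk, so whether it repeats these comparisons cannot be seen from here; if it does not, this loop is the only place that binds the DS to the key's owner. Returning on `r < 0` from `dns_name_equal()` ends the whole search instead of skipping the record, which fails closed and matches the existing handling below it, and is worth a word in the same comment. `dnssec_verify_dnskey_search()` starts and ends outside the hunk.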