struct module_qstate* qstate)
{
enum sec_status sec;
- size_t i, num, numchecked = 0;
+ size_t i, num, numchecked = 0, numindeterminate = 0;
rbtree_type* sortree = NULL;
int buf_canon = 0;
uint16_t tag = dnskey_calc_keytag(dnskey, dnskey_idx);
if(sec == sec_status_secure)
return sec;
numchecked ++;
+ if (sec == sec_status_indeterminate)
+ numindeterminate ++;
+
}
verbose(VERB_ALGO, "rrset failed to verify: all signatures are bogus");
if(!numchecked) *reason = "signature missing";
+ else if (numchecked == numindeterminate) {
+ *reason = "algorithm refused by cryptolib";
+ return sec_status_indeterminate;
+ }
return sec_status_bogus;
}
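Review bot: The `verbose(VERB_ALGO, "rrset failed to verify: all signatures are bogus");` call still runs before the new `else if` branch, so a result of `sec_status_indeterminate` is logged as bogus signatures. That hides the downgrade from anyone triaging validation failures, and the later hunk that tests `sec == sec_status_indeterminate` goes on to turn this result into `sec_status_insecure`. I would move the existing call to just above `return sec_status_bogus;` and log the new case inside the branch, for example `verbose(VERB_ALGO, "rrset failed to verify: algorithm refused by cryptolib");`. The reason string assumes that an indeterminate result can only mean the crypto library refused the algorithm; the verify call that sets `sec` is outside the hunk, so that is worth confirming.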
}
/* If it didn't validate with the DNSKEY, try the next one! */
}
- if(numsizesupp != 0) {
+ if(numsizesupp != 0 || sec == sec_status_indeterminate) {
/* there is a working DS, but that DNSKEY is not supported */
return sec_status_insecure;
}
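Review bot: The added `sec == sec_status_indeterminate` test reads `sec` after the loop has ended, so it reflects only the last DNSKEY that reached the verify call, not the key set as a whole. If an earlier key failed as bogus and the last one was indeterminate, the function would return `sec_status_insecure`, which lets the data through unvalidated. Counting indeterminate results inside the loop and returning insecure only when every key tried was indeterminate, as `numchecked == numindeterminate` does in the earlier hunk, would make the outcome independent of key order. The loop and the declaration of `sec` are outside the hunk, so it is also worth checking that `sec` has a defined value when no key gets as far as verification. The comment under the condition no longer covers the second case and could read `/* there is a working DS, but the DNSKEY size or its algorithm is not supported */`.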