lib/dnssec nit: reverse order of validating a DNSKEY set docs-develop-dnsk-496k20/deployments/3414
authorVladimír Čunát <vladimir.cunat@nic.cz>
Mon, 4 Mar 2024 18:59:54 +0000 (19:59 +0100)
committerVladimír Čunát <vladimir.cunat@nic.cz>
Tue, 5 Mar 2024 09:09:46 +0000 (10:09 +0100)
Suggested by Libor Peltan.

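--- a/lib/dnssec.c
+++ b/lib/dnssec.c
@@ -467,9 +467,13 @@ int kr_dnskeys_trusted(kr_rrset_validation_ctx_t *vctx, const knot_rdataset_t *s
        /* RFC4035 5.2, bullet 1
         * The supplied DS record has been authenticated.
         * It has been validated or is part of a configured trust anchor.
+        *
+        * We iterate backwards.  That way we try keys with the SEP flag
+        * before those without it - and thus likely succeed faster.
         */
-       knot_rdata_t *krr = keys->rrs.rdata;
-       for (int i = 0; i < keys->rrs.count; ++i, krr = knot_rdataset_next(krr)) {
+       for (int i = keys->rrs.count; --i >= 0; ) {
+               const knot_rdata_t *krr = knot_rdataset_at(&keys->rrs, i);
+
                /* RFC4035 5.3.1, bullet 8 requires the Zone Flag bit */
                if (!kr_dnssec_key_usable(krr->data))
                        continue;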
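Review bot: The new comment at the top of the hunk states that iterating backwards tries SEP keys first but not why that holds, so a reader who does not know libknot's rdataset invariants cannot check the claim; I would extend it with `* (libknot keeps an rdataset in canonical RDATA order, and the DNSKEY flags field sorts 256 before 257, so SEP keys end up last.)` — assuming that ordering invariant is what is being relied on, which the hunk itself does not show. A smaller point on `knot_rdataset_at(&keys->rrs, i)`: as far as I recall it walks the variable-length rdata from the start on every call, so the loop became quadratic in the key count where the old `knot_rdataset_next` walk was linear; for DNSKEY sets of realistic size this is negligible next to the signature checks, but a short comment saying so would spare the next reader from re-deriving it. The `--i >= 0` pre-decrement in the loop condition is correct (it visits count-1 down to 0), though `for (int i = keys->rrs.count - 1; i >= 0; --i)` reads more conventionally. The body of kr_dnskeys_trusted begins and continues outside the hunk.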