dns_name_t *name = val->name;
isc_result_t result;
isc_mem_t *mctx = val->view->mctx;
+ bool match = false;
if (rdataset->type != dns_rdatatype_dnskey) {
return DNS_R_NOKEYMATCH;
/*
* If the REVOKE bit is not set we have a
- * theoretically self signed DNSKEY RRset.
- * This will be verified later.
+ * theoretically self-signed DNSKEY RRset;
+ * this will be verified later.
+ *
+ * We don't return the answer yet, though,
+ * because we need to check the remaining keys
+ * and possbly remove them if they're revoked.
*/
if ((key.flags & DNS_KEYFLAG_REVOKE) == 0) {
- return ISC_R_SUCCESS;
- }
-
- result = dns_dnssec_keyfromrdata(name, &keyrdata, mctx,
- &dstkey);
- if (result != ISC_R_SUCCESS) {
- return result;
+ match = true;
+ break;
}
/*
if (DNS_TRUST_PENDING(rdataset->trust) &&
dns_view_istrusted(val->view, name, &key))
{
+ result = dns_dnssec_keyfromrdata(
+ name, &keyrdata, mctx, &dstkey);
+ if (result == DST_R_UNSUPPORTEDALG) {
+ /* don't count towards max fails */
+ break; /* continue with next key */
+ } else if (result != ISC_R_SUCCESS) {
+ consume_validation(val);
+ if (over_max_fails(val)) {
+ return ISC_R_QUOTA;
+ }
+ consume_validation_fail(val);
+ break; /* continue with next key */
+ }
+
if (over_max_validations(val)) {
dst_key_free(&dstkey);
return ISC_R_QUOTA;
consume_validation_fail(val);
break;
}
+
+ dst_key_free(&dstkey);
} else if (rdataset->trust >= dns_trust_secure) {
/*
* We trust this RRset so if the key is
*/
dns_view_untrust(val->view, name, &key);
}
-
- dst_key_free(&dstkey);
}
}
- return DNS_R_NOKEYMATCH;
+ if (!match) {
+ return DNS_R_NOKEYMATCH;
+ }
+
+ return ISC_R_SUCCESS;
}
/*%
projects / thirdparty / bind9.git / commitdiff
