configuration option affects autotrust.

git-svn-id: file:///svn/unbound/trunk@3472 be551aaa-1e26-0410-a405-d3ace91eadb9

diff --git a/validator/autotrust.c b/validator/autotrust.c
index 1afaf61a361c99d04d83cfe403037e21660be6f8..e63b086e6a09e32dc8a6e3d95552343c3b055b4e 100644 (file)
--- a/validator/autotrust.c
+++ b/validator/autotrust.c
@@ -1225,7 +1225,7 @@ verify_dnskey(struct module_env* env, struct val_env* ve,
 {
        char* reason = NULL;
        uint8_t sigalg[ALGO_NEEDS_MAX+1];
-       int downprot = 0;
+       int downprot = env->cfg->harden_algo_downgrade;
        enum sec_status sec = val_verify_DNSKEY_with_TA(env, ve, rrset,
                tp->ds_rrset, tp->dnskey_rrset, downprot?sigalg:NULL, &reason);
        /* sigalg is ignored, it returns algorithms signalled to exist, but

diff --git a/validator/validator.c b/validator/validator.c
index 74068659f010f93fd6d7946e6bc4a8b1e0c5b9b0..f8b429e52b58a6bf26cd8901d1603ea7256ff1da 100644 (file)
--- a/validator/validator.c
+++ b/validator/validator.c
@@ -2769,7 +2769,7 @@ process_dnskey_response(struct module_qstate* qstate, struct val_qstate* vq,
                vq->state = VAL_VALIDATE_STATE;
                return;
        }
-       downprot = 1;
+       downprot = qstate->env->cfg->harden_algo_downgrade;
        vq->key_entry = val_verify_new_DNSKEYs(qstate->region, qstate->env,
                ve, dnskey, vq->ds_rrset, downprot, &reason);