- DLV has downgrade protection again, because the RFC says so.

author Wouter Wijngaards <wouter@nlnetlabs.nl>

Fri, 17 Sep 2010 08:54:16 +0000 (08:54 +0000)

committer Wouter Wijngaards <wouter@nlnetlabs.nl>

Fri, 17 Sep 2010 08:54:16 +0000 (08:54 +0000)
author Wouter Wijngaards <wouter@nlnetlabs.nl>
Fri, 17 Sep 2010 08:54:16 +0000 (08:54 +0000)
committer Wouter Wijngaards <wouter@nlnetlabs.nl>
Fri, 17 Sep 2010 08:54:16 +0000 (08:54 +0000)
diff --git a/doc/Changelog b/doc/Changelog

index 1b2ea8da44c6a56502adcad9ea1f9a6d8b646aeb..1c73271b216cebb31d575db11642f72b25a19cf4 100644 (file)
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,6 @@
+17 September 2010: Wouter
+       - DLV has downgrade protection again, because the RFC says so.
+
  16 September 2010: Wouter
         - Algorithm rollover operational reality intrudes, for trust-anchor,
           5011-store, and DLV-anchor if one key matches it's good enough.
diff --git a/validator/validator.c b/validator/validator.c

index 5443e4fa5dc53b154a4d9c8ad94dcbeb9571e9ac..f0a150a57803eac7ef41bfdf1dcdcdb3e70fc6f9 100644 (file)
--- a/validator/validator.c
+++ b/validator/validator.c
@@ -2650,8 +2650,7 @@ process_dnskey_response(struct module_qstate* qstate, struct val_qstate* vq,
                 vq->state = VAL_VALIDATE_STATE;
                 return;
         }
-       /* protect DS against downgrade, but DLV does not(for key scrapers) */
-       downprot = (ntohs(vq->ds_rrset->rk.type) == LDNS_RR_TYPE_DS);
+       downprot = 1;
         vq->key_entry = val_verify_new_DNSKEYs(qstate->region, qstate->env,
                 ve, dnskey, vq->ds_rrset, downprot, &reason);
author	Wouter Wijngaards <wouter@nlnetlabs.nl>
	Fri, 17 Sep 2010 08:54:16 +0000 (08:54 +0000)
committer	Wouter Wijngaards <wouter@nlnetlabs.nl>
	Fri, 17 Sep 2010 08:54:16 +0000 (08:54 +0000)
doc/Changelog		patch \| blob \| blame \| history
validator/validator.c		patch \| blob \| blame \| history