From: Wouter Wijngaards Date: Thu, 13 Aug 2015 12:03:53 +0000 (+0000) Subject: - 5011 implementation does not insist on all algorithms, when X-Git-Tag: release-1.5.5rc1~22 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=08e6883578bd400324ccb9dcb55643cf54815a2d;p=thirdparty%2Funbound.git - 5011 implementation does not insist on all algorithms, when harden-algo-downgrade is turned off. git-svn-id: file:///svn/unbound/trunk@3471 be551aaa-1e26-0410-a405-d3ace91eadb9 --- diff --git a/doc/Changelog b/doc/Changelog index 4f813092b..b3ee0d765 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,7 @@ +13 August 2015: Wouter + - 5011 implementation does not insist on all algorithms, when + harden-algo-downgrade is turned off. + 11 August 2015: Wouter - Fix #694: configure script does not detect LibreSSL 2.2.2 diff --git a/validator/autotrust.c b/validator/autotrust.c index c732e24e4..1afaf61a3 100644 --- a/validator/autotrust.c +++ b/validator/autotrust.c @@ -1225,7 +1225,7 @@ verify_dnskey(struct module_env* env, struct val_env* ve, { char* reason = NULL; uint8_t sigalg[ALGO_NEEDS_MAX+1]; - int downprot = 1; + int downprot = 0; enum sec_status sec = val_verify_DNSKEY_with_TA(env, ve, rrset, tp->ds_rrset, tp->dnskey_rrset, downprot?sigalg:NULL, &reason); /* sigalg is ignored, it returns algorithms signalled to exist, but
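Review bot: in verify_dnskey() in validator/autotrust.c, `int downprot = 0;` switches off algorithm-downgrade protection for the 5011 DNSKEY check unconditionally, while the commit message and the Changelog entry describe the relaxation as applying "when harden-algo-downgrade is turned off". With a constant 0, `downprot?sigalg:NULL` always passes NULL to val_verify_DNSKEY_with_TA, so a resolver that has harden-algo-downgrade enabled also stops insisting on all algorithms here. Suggest initialising downprot from the harden-algo-downgrade configuration value rather than a literal, so the strict check is kept when the option is on. If the constant is intended, the ternary and the sigalg buffer are dead code and the Changelog wording should say the check is relaxed regardless of the option.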