From: Bob Halley
Date: Tue, 20 Feb 2018 19:41:30 +0000 (-0800)
Subject: DNSSEC validation did not check names properly.
X-Git-Tag: v1.16.0~32
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=389c3de5737a1eb16d3118bb81af74af95f8a1f5;p=thirdparty%2Fdnspython.git
DNSSEC validation did not check names properly. (Found by LGTM scan tool). [Issue #295]
---
diff --git a/README.md b/README.md
index 87b30c11..c19183ac 100644
--- a/README.md
+++ b/README.md
@@ -51,6 +51,10 @@ This is dnspython 1.15.0
 * The AVC RR is now supported.
+### Bugs fixed since 1.15.0:
+
+* DNSSEC signature validation didn't check names correctly. [Issue #295]
+
 ### Bugs fixed since 1.14.0:
 * Some problems with newlines in various output modes have been
diff --git a/dns/dnssec.py b/dns/dnssec.py
index b91a64fe..07912261 100644
--- a/dns/dnssec.py
+++ b/dns/dnssec.py
@@ -451,7 +451,7 @@ def _validate(rrset, rrsigset, keys, origin=None, now=None):
 rrsigrdataset = rrsigset
 rrname = rrname.choose_relativity(origin)
- rrsigname = rrname.choose_relativity(origin)
+ rrsigname = rrsigname.choose_relativity(origin)
 if rrname != rrsigname:
 raise ValidationFailure("owner names do not match")
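Review bot: The owner-name comparison in the dns/dnssec.py hunk has no comment saying why each name must be relativized from its own source, and that is exactly the detail that went wrong here. Before this change `rrsigname` was computed from `rrname`, so `rrname != rrsigname` compared a value with itself and the "owner names do not match" failure could never be raised. I would add above the `if`: `# The RRSIG owner name must equal the rrset owner name; relativize each from its own value before comparing.` The diff touches only README.md and dns/dnssec.py, so no regression test is visible; a case that passes an RRSIG set with a different owner name and expects `ValidationFailure` would pin the check. `_validate` begins and ends outside the hunk, so where `rrname` and `rrsigname` are first assigned is not shown.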