From 08e6883578bd400324ccb9dcb55643cf54815a2d Mon Sep 17 00:00:00 2001
From: Wouter Wijngaards
Date: Thu, 13 Aug 2015 12:03:53 +0000
Subject: [PATCH] - 5011 implementation does not insist on all algorithms, when harden-algo-downgrade is turned off.

git-svn-id: file:///svn/unbound/trunk@3471 be551aaa-1e26-0410-a405-d3ace91eadb9
---
 doc/Changelog | 4 ++++
 validator/autotrust.c | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/doc/Changelog b/doc/Changelog
index 4f813092b..b3ee0d765 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,7 @@
+13 August 2015: Wouter
+ - 5011 implementation does not insist on all algorithms, when
+ harden-algo-downgrade is turned off.
+
 11 August 2015: Wouter
 - Fix #694: configure script does not detect LibreSSL 2.2.2
 
diff --git a/validator/autotrust.c b/validator/autotrust.c
index c732e24e4..1afaf61a3 100644
--- a/validator/autotrust.c
+++ b/validator/autotrust.c
@@ -1225,7 +1225,7 @@ verify_dnskey(struct module_env* env, struct val_env* ve,
 {
 char* reason = NULL;
 uint8_t sigalg[ALGO_NEEDS_MAX+1];
- int downprot = 1;
+ int downprot = 0;
 enum sec_status sec = val_verify_DNSKEY_with_TA(env, ve, rrset,
 tp->ds_rrset, tp->dnskey_rrset, downprot?sigalg:NULL, &reason);
 /* sigalg is ignored, it returns algorithms signalled to exist, but
--
2.47.2
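Review bot: The new `int downprot = 0;` in verify_dnskey turns algorithm-downgrade protection off unconditionally for RFC 5011 trust-anchor checks, whereas the commit message says it should be relaxed only when harden-algo-downgrade is turned off. As written, a resolver that leaves the option enabled would still accept a DNSKEY set for anchor rollover without a valid signature from every signalled algorithm, so the weakest algorithm decides what gets trusted. The value should follow the setting instead, e.g. `int downprot = env->cfg->harden_algo_downgrade;` (assuming the option is reachable through `env->cfg` under that name; confirm against the config struct). With the constant 0, `sigalg` and the `downprot?sigalg:NULL` ternary are also dead code. The function's signature and the rest of its body lie outside this hunk.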