From 50550c7b4c831bb4e1daf341be29c21ac44fcce5 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?=
Date: Mon, 4 Mar 2024 19:59:54 +0100
Subject: [PATCH] lib/dnssec nit: reverse order of validating a DNSKEY set
Suggested by Libor Peltan.
---
 lib/dnssec.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/lib/dnssec.c b/lib/dnssec.c
index 6d809abf7..646ec8280 100644
--- a/lib/dnssec.c
+++ b/lib/dnssec.c
@@ -467,9 +467,13 @@ int kr_dnskeys_trusted(kr_rrset_validation_ctx_t *vctx, const knot_rdataset_t *s
 	/* RFC4035 5.2, bullet 1
 	 * The supplied DS record has been authenticated.
 	 * It has been validated or is part of a configured trust anchor.
+	 *
+	 * We iterate backwards. That way we try keys with the SEP flag
+	 * before those without it - and thus likely succeed faster.
 	 */
-	knot_rdata_t *krr = keys->rrs.rdata;
-	for (int i = 0; i < keys->rrs.count; ++i, krr = knot_rdataset_next(krr)) {
+	for (int i = keys->rrs.count; --i >= 0; ) {
+		const knot_rdata_t *krr = knot_rdataset_at(&keys->rrs, i);
+		/* RFC4035 5.3.1, bullet 8 requires the Zone Flag bit */
 		if (!kr_dnssec_key_usable(krr->data))
 			continue;
-- 
2.47.2
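Review bot: The new loop body calls `knot_rdataset_at(&keys->rrs, i)` on every iteration, and if that helper walks from `rrs->rdata` with `knot_rdataset_next()` as the libknot one does (rdata are variable-length, so there is no random access), the pass over the DNSKEY set becomes O(count²) where the removed `knot_rdataset_next(krr)` stepping was O(count). The set comes from a response that is not yet validated, so its size is attacker-influenced, though bounded by message size and presumably dwarfed by the per-key cryptographic checks that follow; I would record that trade-off next to the call, e.g. `/* knot_rdataset_at() is a linear walk, so this loop is O(n^2) in the DNSKEY count; acceptable because DNSKEY sets are small and the signature checks dominate. */`. The SEP-first heuristic in the new comment also silently depends on `keys->rrs` being in canonical order (flags are the leading two octets, so keys with the SEP bit set sort last), which is worth stating so a change in how the rdataset is built does not quietly defeat it. `kr_dnskeys_trusted` starts before and continues after this hunk.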