From e399b79baa219f8fa78799ef383f35efe43be48c Mon Sep 17 00:00:00 2001
From: Wouter Wijngaards
Date: Fri, 17 Sep 2010 08:54:16 +0000
Subject: [PATCH] - DLV has downgrade protection again, because the RFC says so.

git-svn-id: file:///svn/unbound/trunk@2238 be551aaa-1e26-0410-a405-d3ace91eadb9
---
 doc/Changelog | 3 +++
 validator/validator.c | 3 +--
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/doc/Changelog b/doc/Changelog
index 1b2ea8da4..1c73271b2 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,6 @@
+17 September 2010: Wouter
+ - DLV has downgrade protection again, because the RFC says so.
+
 16 September 2010: Wouter
 - Algorithm rollover operational reality intrudes, for trust-anchor,
 5011-store, and DLV-anchor if one key matches it's good enough.
diff --git a/validator/validator.c b/validator/validator.c
index 5443e4fa5..f0a150a57 100644
--- a/validator/validator.c
+++ b/validator/validator.c
@@ -2650,8 +2650,7 @@ process_dnskey_response(struct module_qstate* qstate, struct val_qstate* vq,
 vq->state = VAL_VALIDATE_STATE;
 return;
 }
- /* protect DS against downgrade, but DLV does not(for key scrapers) */
- downprot = (ntohs(vq->ds_rrset->rk.type) == LDNS_RR_TYPE_DS);
+ downprot = 1;
 vq->key_entry = val_verify_new_DNSKEYs(qstate->region, qstate->env,
 ve, dnskey, vq->ds_rrset, downprot, &reason);

-- 
2.47.2
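Review bot: The new `downprot = 1;` in the validator/validator.c hunk has no comment, although the line it replaces carried one explaining why DS and DLV were treated differently. A reader now sees a flag that is always 1 with no statement of what it enforces or which RFC requires it. I would put a comment above it such as `/* downgrade protection applies to DS and DLV rrsets alike (see RFC <number>) */`, with the RFC the commit message refers to filled in. What the flag actually checks is decided in val_verify_new_DNSKEYs, which is outside this hunk, so the wording should be confirmed there. Because this tightens validation for DLV-anchored zones, a regression test would pin the behaviour: a DLV rrset that signals an algorithm with no valid signature over the DNSKEY rrset should presumably now be rejected. process_dnskey_response starts and ends outside the hunk.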