From: Lennart Poettering
Date: Wed, 9 Dec 2015 17:11:28 +0000 (+0100)
Subject: resolved: when matching up DNSKEY and DS RRs, it's fine if we don't support the DNSKE...
X-Git-Tag: v229~217^2~4
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=aa89931749f081be8b1f90643c81ae2860257e53;p=thirdparty%2Fsystemd.git

resolved: when matching up DNSKEY and DS RRs, it's fine if we don't support the DNSKEY's algorithm

As long as we support the digest we are good.
---

diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c
index af94565713e..8cfed27a345 100644
--- a/src/resolve/resolved-dns-dnssec.c
+++ b/src/resolve/resolved-dns-dnssec.c
@@ -654,16 +654,14 @@ int dnssec_verify_dnskey(DnsResourceRecord *dnskey, DnsResourceRecord *ds) {
 if (dnskey->dnskey.protocol != 3)
 return -EKEYREJECTED;
 
- if (!dnssec_algorithm_supported(dnskey->dnskey.algorithm))
- return -EOPNOTSUPP;
- if (!dnssec_digest_supported(ds->ds.digest_type))
- return -EOPNOTSUPP;
-
 if (dnskey->dnskey.algorithm != ds->ds.algorithm)
 return 0;
 if (dnssec_keytag(dnskey) != ds->ds.key_tag)
 return 0;
 
+ if (!dnssec_digest_supported(ds->ds.digest_type))
+ return -EOPNOTSUPP;
+
 switch (ds->ds.digest_type) {
 
 case DNSSEC_DIGEST_SHA1:
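Review bot: With the `dnssec_algorithm_supported()` check removed, a positive result from `dnssec_verify_dnskey()` now only says that the DS digest authenticates the key, not that the key's algorithm can be used to verify signatures, and nothing in the new code records that for callers. I would add a comment above the moved digest check, for example `/* Only the DS digest type has to be supported here; the DNSKEY's algorithm is not needed to compute the digest, so callers must check it separately before using the key to verify an RRSIG */`. The reorder also changes the result for a DS with an unsupported digest type whose algorithm or key tag does not match this key: it is now 0 instead of -EOPNOTSUPP, so a caller walking a DS RRset presumably has to treat -EOPNOTSUPP as "skip this DS" rather than as a validation failure; the callers are not visible here, so that is worth confirming. The function starts before this hunk and its switch body continues past it.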