From e6c2a670fed9a6bfb89fbe469f04411704dd6b06 Mon Sep 17 00:00:00 2001
From: Giovanni Bajo
Date: Wed, 25 Apr 2012 18:13:20 +0200
Subject: [PATCH] Before using a key for validation, also verify that algorithm matches.
---
 src/dnssec.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/dnssec.c b/src/dnssec.c
index a248884..38507a3 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -252,6 +252,8 @@ static void dnssec_parserrsig(struct dns_header *header, size_t pktlen,
 if (crecp->addr.key.keytag != val.keytag)
 continue;
+ if (crecp->addr.key.algo != verifyalg_algonum(val.alg))
+ continue;
 printf("RRSIG: found DNSKEY %d in cache, attempting validation\n", val.keytag);
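Review bot: Nothing visible in this hunk checks the candidate DNSKEY's Zone Key flag, or compares its owner name with the RRSIG signer name, before validation is attempted. RFC 4035 section 5.3.1 requires both in addition to the key tag and algorithm match, so if the cache lookup outside the hunk does not already enforce them, they belong next to these two `continue` guards. The added test would also benefit from a comment saying why it exists, e.g. `/* key tags are a 16-bit checksum and can collide; the algorithm must match as well */`. Because the key tag alone no longer identifies the candidate, the printf that follows could report the algorithm number too. dnssec_parserrsig starts and ends outside the hunk, so how `val.alg` is validated before this point cannot be confirmed from here.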