Before using a key for validation, also verify that algorithm matches.

2025-12-19 18:28:25 +00:00 · 2012-04-25 18:13:20 +02:00
parent 47f99dd2b3
commit e6c2a670fe
1 changed files with 2 additions and 0 deletions
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -252,6 +252,8 @@ static void dnssec_parserrsig(struct dns_header *header, size_t pktlen,

      if (crecp->addr.key.keytag != val.keytag)
        continue;
+      if (crecp->addr.key.algo != verifyalg_algonum(val.alg))
+        continue;

      printf("RRSIG: found DNSKEY %d in cache, attempting validation\n", val.keytag);