lib/validate: accept DNSKEYs at/below current cut

this fixes a case when a DNSKEY is either accepted from cache or offered in advance

lib/validate: accept DNSKEYs at/below current cut
this fixes a case when a DNSKEY is either accepted from cache or offered in advance
6d3b6ff5 · Marek Vavruša · ec62abec · 6d3b6ff5
Commit 6d3b6ff5 authored 9 years ago by Marek Vavruša
--- a/lib/layer/validate.c
+++ b/lib/layer/validate.c
@@ -183,12 +183,11 @@ static int validate_records(struct kr_query *qry, knot_pkt_t *answer, mm_ctx_t *

 static int validate_keyset(struct kr_query *qry, knot_pkt_t *answer, bool has_nsec3)
 {
-	/* Merge DNSKEY records from answer */
+	/* Merge DNSKEY records from answer that are below/at current cut. */
 	const knot_pktsection_t *an = knot_pkt_section(answer, KNOT_ANSWER);
 	for (unsigned i = 0; i < an->count; ++i) {
 		const knot_rrset_t *rr = knot_pkt_rr(an, i);
-		if ((rr->type != KNOT_RRTYPE_DNSKEY) ||
-		    (knot_dname_cmp(rr->owner, qry->zone_cut.name) != 0)) {
+		if ((rr->type != KNOT_RRTYPE_DNSKEY) || !knot_dname_in(qry->zone_cut.name, rr->owner)) {
 			continue;
 		}
 		/* Merge with zone cut (or replace ancestor key). */