• Vladimír Čunát's avatar
    validate nitpick fix: unsupported algo edge case · 2bd31a48
    Vladimír Čunát authored
    kr_dnskeys_trusted() semantics is changed, but I do NOT consider that
    a part of public API.
    Go insecure due to algorithm support even if DNSKEY is NODATA.
    I can't see how that's relevant to practical usage, but I think this new
    behavior makes more sense.  We still do try to fetch the DNSKEY even
    though we have information about its un-usability beforehand.
    I'd consider fixing that a premature optimization.
    We'll still be affected if the DNSKEY query SERVFAILs or something.
    Thanks to PowerDNS people for catching this!
dnssec.h 5.33 KB