From 6d3b6ff5ebb2efa70369bef5247bab708f508103 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Vavru=C5=A1a?= <marek.vavrusa@nic.cz>
Date: Tue, 22 Sep 2015 17:51:39 +0200
Subject: [PATCH] lib/validate: accept DNSKEYs at/below current cut

this fixes a case when a DNSKEY is either accepted from cache or offered
in advance
---
 lib/layer/validate.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/lib/layer/validate.c b/lib/layer/validate.c
index 4f76104f8..201ec0ed9 100644
--- a/lib/layer/validate.c
+++ b/lib/layer/validate.c
@@ -183,12 +183,11 @@ static int validate_records(struct kr_query *qry, knot_pkt_t *answer, mm_ctx_t *
 
 static int validate_keyset(struct kr_query *qry, knot_pkt_t *answer, bool has_nsec3)
 {
-	/* Merge DNSKEY records from answer */
+	/* Merge DNSKEY records from answer that are below/at current cut. */
 	const knot_pktsection_t *an = knot_pkt_section(answer, KNOT_ANSWER);
 	for (unsigned i = 0; i < an->count; ++i) {
 		const knot_rrset_t *rr = knot_pkt_rr(an, i);
-		if ((rr->type != KNOT_RRTYPE_DNSKEY) ||
-		    (knot_dname_cmp(rr->owner, qry->zone_cut.name) != 0)) {
+		if ((rr->type != KNOT_RRTYPE_DNSKEY) || !knot_dname_in(qry->zone_cut.name, rr->owner)) {
 			continue;
 		}
 		/* Merge with zone cut (or replace ancestor key). */
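Review bot: The relaxed filter in `validate_keyset` now passes every DNSKEY RRset whose owner is at or below `qry->zone_cut.name` on to the merge step, so an answer carrying DNSKEY sets for more than one owner inside the cut reaches it with all of them, where the old equality test admitted a single owner. The loop body continues past the end of the hunk, so it cannot be seen here whether the merge-or-replace decision is keyed on `rr->owner`, or whether the accepted set is later verified against the DS or trust anchor for that same owner. If neither holds, keys for different names could end up mixed in one keyset. Assuming the later code does perform that check, I would state the invariant next to the filter, e.g. `/* Owner filter only; keys become trusted only after the DS/TA check for rr->owner. */`. It is also worth confirming that `qry->zone_cut.name` is brought in line with the key owner when a key below the cut replaces the ancestor key.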
-- 
GitLab