resolved: when validating, first strip revoked trust anchor keys from validated keys...
author Lennart Poettering <lennart@poettering.net>
Thu, 7 Jan 2016 19:33:31 +0000 (20:33 +0100)
committer Lennart Poettering <lennart@poettering.net>
Mon, 11 Jan 2016 18:39:59 +0000 (19:39 +0100)
commit c9c72065419e6595131a6fe1e663e2184a843f7c
tree 1706d1d0ab0ea9cc4c960af9977c5e4235fa0661
parent d12315a4c883af968ec5ffb36a5aed3dc43b7ce7
resolved: when validating, first strip revoked trust anchor keys from validated keys list

When validating a transaction we initially collect DNSKEY, DS, SOA RRs
in the "validated_keys" list, that we need for the proofs. This includes
DNSKEY and DS data from our trust anchor database. Quite possibly we
learn that some of these DNSKEY/DS RRs have been revoked between the
time we request and collect those additional RRs and we begin the
validation step. In this case we need to make sure that the respective
DS/DNSKEY RRs are removed again from our list. This patch adds that, and
strips known revoked trust anchor RRs from the validated list before we
begin the actual validation proof, and each time we add more DNSKEY
material to it while we are doing the proof.
src/resolve/resolved-dns-rr.c
src/resolve/resolved-dns-rr.h
src/resolve/resolved-dns-transaction.c
src/resolve/resolved-dns-trust-anchor.c
src/resolve/resolved-dns-trust-anchor.h
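
The stripping step the commit message describes, as an added sketch that is not systemd's code: revoked DNSKEY/DS entries are dropped from the validated-keys list once before the proof and again whenever more DNSKEY material is appended. `struct rr`, `key_id`, and all function names are hypothetical simplifications, and the revoked set is assumed to be already known.

```c
#include <stddef.h>
#include <stdint.h>
#include <strings.h>

/* Simplified model, not systemd's types; key_id stands in for key material. */
enum rr_type { RR_DNSKEY, RR_DS, RR_SOA };
struct rr { enum rr_type type; const char *owner; uint32_t key_id; };

/* True if r is DNSKEY/DS material for a key known to be revoked. */
static int is_revoked(const struct rr *r, const struct rr *rev, size_t n_rev) {
    if (r->type == RR_SOA)
        return 0;  /* only key material is stripped */
    for (size_t i = 0; i < n_rev; i++)  /* owner names compare case-insensitively */
        if (rev[i].key_id == r->key_id && strcasecmp(rev[i].owner, r->owner) == 0)
            return 1;
    return 0;
}

/* Compact the list in place, dropping revoked entries; returns new length. */
size_t strip_revoked(struct rr *keys, size_t n, const struct rr *rev, size_t n_rev) {
    size_t kept = 0;
    for (size_t i = 0; i < n; i++)
        if (!is_revoked(&keys[i], rev, n_rev))
            keys[kept++] = keys[i];
    return kept;
}

/* Append newly validated DNSKEYs, then strip again (caller ensures capacity). */
size_t add_keys(struct rr *keys, size_t n, const struct rr *more, size_t n_more,
                const struct rr *rev, size_t n_rev) {
    for (size_t i = 0; i < n_more; i++)
        keys[n++] = more[i];
    return strip_revoked(keys, n, rev, n_rev);
}

/* Constructed data: two trust anchor keys were revoked after collection. */
size_t demo(int add_more) {
    struct rr rev[] = { { RR_DNSKEY, ".", 1 }, { RR_DNSKEY, "Example.", 9 } };
    struct rr keys[8] = {
        { RR_DNSKEY, ".", 1 }, { RR_DNSKEY, ".", 2 }, { RR_DS, ".", 1 },
        { RR_DS, "example.", 1 }, { RR_SOA, "example.", 0 },
    };
    size_t n = strip_revoked(keys, 5, rev, 2);  /* before the proof starts */
    if (add_more) {
        struct rr more[] = { { RR_DNSKEY, "example.", 7 }, { RR_DNSKEY, "example.", 9 } };
        n = add_keys(keys, n, more, 2, rev, 2);
    }
    return n;
}
```

In the constructed data the initial strip removes both the DNSKEY and the DS for the revoked root key, and the later append admits only the non-revoked `example.` key.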