Diffstat (limited to 'validator/val_utils.c')
-rw-r--r--validator/val_utils.c11
1 files changed, 8 insertions, 3 deletions
diff --git a/validator/val_utils.c b/validator/val_utils.c
index da8066aad7e9..e3677e1d9ceb 100644
--- a/validator/val_utils.c
+++ b/validator/val_utils.c
@@ -495,16 +495,21 @@ val_verify_DNSKEY_with_DS(struct module_env* env, struct val_env* ve,
return sec_status_bogus;
}
- digest_algo = val_favorite_ds_algo(ds_rrset);
- if(sigalg)
+ if(sigalg) {
+ /* harden against algo downgrade is enabled */
+ digest_algo = val_favorite_ds_algo(ds_rrset);
algo_needs_init_ds(&needs, ds_rrset, digest_algo, sigalg);
+ } else {
+ /* accept any key algo, any digest algo */
+ digest_algo = -1;
+ }
num = rrset_get_count(ds_rrset);
for(i=0; i<num; i++) {
/* Check to see if we can understand this DS.
* And check it is the strongest digest */
if(!ds_digest_algo_is_supported(ds_rrset, i) ||
!ds_key_algo_is_supported(ds_rrset, i) ||
- ds_get_digest_algo(ds_rrset, i) != digest_algo) {
+ (sigalg && (ds_get_digest_algo(ds_rrset, i) != digest_algo))) {
continue;
}
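Review bot: In the `else` branch (`sigalg` is NULL) the strongest-digest filter is dropped along with the key-algorithm hardening, because the loop now compares `ds_get_digest_algo(ds_rrset, i)` with `digest_algo` only under `sigalg &&`. A DS with the weakest supported digest can therefore anchor the DNSKEY set even when the same DS RRset holds a stronger digest, which relaxes the RFC 4509 recommendation to ignore SHA-1 DS records when SHA-256 ones are present. If that trade-off is intended, say so in the branch, e.g. `/* accept any key algo, any digest algo: a weaker-digest DS is used even if a stronger one is present */`. The loop comment should then read `* And, if hardening is on, check it is the strongest digest */`, since it no longer holds unconditionally. The function body continues outside this hunk, so any later use of the `-1` sentinel in `digest_algo` could not be checked from here.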