- DLV has downgrade protection again, because the RFC says so.

git-svn-id: file:///svn/unbound/trunk@2238 be551aaa-1e26-0410-a405-d3ace91eadb9
2026-01-04 22:09:36 -05:00 · 2010-09-17 08:54:16 +00:00 · 2010-09-17 08:54:16 +00:00 · e399b79baa
commit e399b79baa
parent aac3c03f72
2 changed files with 4 additions and 2 deletions
--- a/doc/Changelog
+++ b/doc/Changelog
@ -1,3 +1,6 @@
+17 September 2010: Wouter
+	- DLV has downgrade protection again, because the RFC says so.
+
 16 September 2010: Wouter
 	- Algorithm rollover operational reality intrudes, for trust-anchor,
 	  5011-store, and DLV-anchor if one key matches it's good enough.
--- a/validator/validator.c
+++ b/validator/validator.c
@ -2650,8 +2650,7 @@ process_dnskey_response(struct module_qstate* qstate, struct val_qstate* vq,
 		vq->state = VAL_VALIDATE_STATE;
 		return;
 	}
-	/* protect DS against downgrade, but DLV does not(for key scrapers) */
-	downprot = (ntohs(vq->ds_rrset->rk.type) == LDNS_RR_TYPE_DS);
+	downprot = 1;
 	vq->key_entry = val_verify_new_DNSKEYs(qstate->region, qstate->env,
 		ve, dnskey, vq->ds_rrset, downprot, &reason);