Postpone RRSIG processing after all DNSKEY/DS have been parsed.
diff --git a/src/dnssec.c b/src/dnssec.c
index 38507a3..cc12dc9 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -382,17 +382,33 @@
printf("DNSKEY found\n");
dnssec_parsekey(header, pktlen, owner, ttl, rdlen, p);
}
- else if (qtype == T_RRSIG)
+ p += rdlen;
+ }
+
+ /* After we have parsed DNSKEY/DS records, start looking for RRSIGs.
+ We want to do this in a separate step because we want the cache
+ to be already populated with DNSKEYs before parsing signatures. */
+ p = reply;
+ for (i = 0; i < ntohs(header->ancount); i++)
+ {
+ if (!extract_name(header, pktlen, &p, owner, 1, 10))
+ return 0;
+ GETSHORT(qtype, p);
+ GETSHORT(qclass, p);
+ GETLONG(ttl, p);
+ GETSHORT(rdlen, p);
+ if (qtype == T_RRSIG)
{
- printf("RRSIG found\n");
+ printf("RRSIG found\n");
/* TODO: missing logic. We should only validate RRSIGs for which we
- have a valid DNSKEY that is referenced by a DS record upstream.
+ have a valid DNSKEY that is referenced by a DS record upstream.
There is a memory vs CPU conflict here; should we validate everything
to save memory and thus waste CPU, or better first acquire all information
(wasting memory) and then doing the minimum CPU computations required? */
dnssec_parserrsig(header, pktlen, reply, ntohs(header->ancount), owner, qclass, rdlen, p);
- }
+ }
p += rdlen;
}
+
return 1;
}
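Review bot: The second walk over the answer section (the loop added after `p = reply;`) checks `extract_name` but then reads the 10-byte fixed RR header with GETSHORT/GETLONG and advances `p += rdlen` without testing either against `pktlen`, so a truncated or malformed reply can carry `p` past the end of the packet before the next `extract_name` gets a chance to fail. If the dnsmasq `CHECK_LEN` macro is in scope here, the guards would be `if (!CHECK_LEN(header, p, pktlen, 10)) return 0;` after the name extraction and `if (!CHECK_LEN(header, p, pktlen, rdlen)) return 0;` before `p += rdlen`. The first loop and the function header lie outside the hunk, so this may duplicate a bound already enforced on the first pass, but the second pass re-parses the same wire data and should be at least as defensive, since it now also hands `reply` and `rdlen` straight to `dnssec_parserrsig`. The same missing check applies to the `p += rdlen;` the commit moves to the end of the first loop.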