Use DS records as trust anchors, not DNSKEYs.

This allows us to query for the root zone DNSKEY RRset and validate
it, thus automatically handling KSK rollover.
diff --git a/src/dnsmasq.c b/src/dnsmasq.c
index 6c19c05..3c8a847 100644
--- a/src/dnsmasq.c
+++ b/src/dnsmasq.c
@@ -144,7 +144,7 @@
   if (option_bool(OPT_DNSSEC_VALID))
     {
 #ifdef HAVE_DNSSEC
-      if (!daemon->dnskeys)
+      if (!daemon->ds)
 	die(_("No trust anchors provided for DNSSEC"), NULL, EC_BADCONF);
       
       if (daemon->cachesize < CACHESIZ)
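Review bot: The guard `if (!daemon->ds)` only shows that at least one DS trust anchor was configured; nothing visible here checks that an anchor covers the root zone or uses a digest type the validator supports, so a bad anchor may surface only later as validation failures rather than at startup. If configurations that used to supply DNSKEY-format anchors now leave `daemon->ds` empty (the option parser is not visible in this hunk), the unchanged message will confuse operators who believe they did provide anchors; consider `die(_("No DS trust anchors provided for DNSSEC"), NULL, EC_BADCONF);`. A short comment above the check would also help, e.g. `/* Trust anchors are DS records; the DNSKEY RRset is fetched and validated against them. */`. The enclosing `if (option_bool(OPT_DNSSEC_VALID))` block continues past the end of the hunk.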