projects / dnssec-prover / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: d7bf25b) | patch
Move RRSig loop to after DS loop to be more mindful of KeyTrap
authorMatt Corallo <git@bluematt.me>
Wed, 20 Mar 2024 22:03:20 +0000 (22:03 +0000)
committerMatt Corallo <git@bluematt.me>
Wed, 20 Mar 2024 22:07:31 +0000 (22:07 +0000)
commit4647e1dff32ced43fcfb5a82f75f5cde988cd032
tree4c66459e9c70bde3b5606a85322c107cf674e370tree | snapshot
parentd7bf25b7d6335f250a96036c792ce997a4a7b05dcommit | diff
Move RRSig loop to after DS loop to be more mindful of KeyTrap

In general we were mostly fine regarding KeyTrap, as we largely
fail after any invalid signature and only loop if a signature or
key required an unknown algorithm. Thus, addressing KeyTrap is
mostly an exercise in adding comments.

However, we did verify all DS hashes every time we went to verify
a single DNSKey RRSig, which is potentially some work, which we
fix here, leading to a nice simplification in `verify_rr_stream`.
src/validation.rs diff | blob | history
Generates and validates RFC 9102-formatted DNSSEC proofs