From 99ea36cd42541e309d732bbb20305f3e1d8472f2 Mon Sep 17 00:00:00 2001
From: Miek Gieben
Date: Thu, 16 Feb 2012 23:34:09 +0100
Subject: [PATCH] Check the protocol value of the key
---
 README.markdown | 1 +
 dnssec.go | 3 +++
 2 files changed, 4 insertions(+)
diff --git a/README.markdown b/README.markdown
index 65aed139..91fc35c8 100644
--- a/README.markdown
+++ b/README.markdown
@@ -62,6 +62,7 @@ All of them:
 * 3110 - RSASHA1 DNS keys
 * 3225 - DO bit (DNSSEC OK)
 * 340{1,2,3} - NAPTR
+* 3445 - Limiting the scope of (DNS)KEY
 * 3597 - Unkown RRs
 * 403{3,4,5} - DNSSEC + validation functions
 * 4255 - SSHFP
diff --git a/dnssec.go b/dnssec.go
index aac4496f..2fa7abc7 100644
--- a/dnssec.go
+++ b/dnssec.go
@@ -300,6 +300,9 @@ func (s *RR_RRSIG) Verify(k *RR_DNSKEY, rrset []RR) error {
 if s.SignerName != k.Hdr.Name {
 return ErrKey
 }
+ if k.Protocol != 3 {
+ return ErrKey
+ }
 for _, r := range rrset {
 if r.Header().Class != s.Hdr.Class {
 return ErrRRset
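Review bot: The added `k.Protocol != 3` guard in Verify has no visible companion check of the Zone Key flag, which RFC 4034 section 2.1.1 also requires to be set before a DNSKEY may be used to verify an RRSIG. If that check is not already made above the hunk, it belongs next to this guard, e.g. `if k.Flags&0x0100 == 0 { return ErrKey }` (the field name is assumed from the DNSKEY wire layout; confirm it against the struct). The bare literal 3 would also benefit from a comment such as `// RFC 4034 2.1.2: Protocol MUST be 3, otherwise the key is invalid for verification`, so a later reader does not relax it. Verify's body starts before and continues past this hunk, so both points should be checked against the full function.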