From 587b320d95d9f280f8e64289a4acbdd3c9d3a4a4 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Tue, 14 Jul 2015 10:49:00 +0200
Subject: [PATCH] DNS tree was upside down (wording in comments)

According to RFC1034 Section 4.2.1., the zone's apex is at the top and delegations at the bottom.
---
 src/dnssec.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/dnssec.c b/src/dnssec.c
index 382d848c..5e76592c 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -2317,9 +2317,9 @@ static int key_proves_nonexistance(
 	return 0;
 }
 
-/* Descend down to the root along chain_nodes.  Try to find a keyset
+/* Ascend up to the root along chain_nodes.  Try to find a keyset
  * authenticated by a key in ta rrset (trust anchor).  When we found one,
- * ascend back up, authenticating more specific keysets along the chain.
+ * descend back down, authenticating more specific keysets along the chain.
  *
  * The most specific keyset is returned in keys.  Also a DNSSEC status is
  * returned.  BOGUS if no keyset could be found.  INSECURE if the 
@@ -2330,7 +2330,7 @@ static int chain_node_get_trusted_keys(
 {
 	int s, keytag;
 
-	/* Descend down to the root */
+	/* Ascend up to the root */
 	if (! node)
 		return GETDNS_DNSSEC_BOGUS;
 	
@@ -2379,7 +2379,7 @@ static int chain_node_get_trusted_keys(
 
 	/* keys is an authenticated dnskey rrset always now (i.e. ZSK) */
 	ta = *keys;
-	/* Back up to the head */
+	/* Back down to the head */
 	if ((keytag = key_proves_nonexistance(ta, &node->ds, NULL))) {
 		node->ds_signer = keytag;
 		return GETDNS_DNSSEC_INSECURE;
@@ -2411,7 +2411,7 @@ static int chain_node_get_trusted_keys(
 		return GETDNS_DNSSEC_BOGUS;
 
 	/* Not at a zone cut, the trusted keyset must be authenticating
-	 * something above (closer to head) this node.
+	 * something below (closer to head) this node.
 	 */
 	return GETDNS_DNSSEC_SECURE;
 }
@@ -2784,7 +2784,7 @@ static void check_chain_complete(chain_head *chain)
 				    !rrset_has_rrs(&node->ds)) {
 					/* Add empty DS, to prevent less
 					 * specific to be able to authenticate
-					 * above a zone cut (closer to head)
+					 * below a zone cut (closer to head)
 					 */
 					append_empty_ds2val_chain_list(
 					    context, val_chain_list,