From 996b09ba2b8c2691ff3b497a53ce458a50c6c7fa Mon Sep 17 00:00:00 2001
From: Willem Toorop
Date: Tue, 30 Jun 2015 00:12:30 +0200
Subject: [PATCH] Reminder for single RRSIG per RRSET return With the dnssec_return_validation_chain extension
---
 src/dnssec.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/src/dnssec.c b/src/dnssec.c
index 115b95c4..4c2f2653 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -1375,6 +1375,11 @@ static void check_chain_complete(chain_head *chain)
 context = dnsreq->context;
 #ifdef STUB_NATIVE_DNSSEC
+ /* Perform validation only on GETDNS_RESOLUTION_STUB (unbound_id == -1)
+ * TODO: When minimizing the validation chain (i.e. returning a single
+ * RRSIG per RRSET, it might be usefull to perform a fake dnssec
+ * validation to find out which RRSIGs should be returned.
+ */
 if (chain->netreq->unbound_id == -1) {
 gldns_buffer_init_frm_data(&tas_buf, tas, sizeof(tas_spc));
 _getdns_list2wire(&tas_buf, context->dnssec_trust_anchors);
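Review bot: The added comment above `if (chain->netreq->unbound_id == -1)` says validation runs only for GETDNS_RESOLUTION_STUB but does not say where the DNSSEC status comes from on the other path, so a reader could conclude that non-stub answers reach the caller unvalidated. I would add one hedged line naming the component that is expected to have validated those answers, and state in the TODO that the proposed "fake" validation pass is only for selecting RRSIGs and must not overwrite the real dnssec status. Two wording fixes in the same comment: `usefull` should be `useful`, and the parenthesis opened at `(i.e. returning a single` is never closed, which should read `RRSIG per RRSET), it might be useful`. The body of check_chain_complete starts and ends outside this hunk, so the placement relative to the rest of the function cannot be checked from here.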