Commit 5d01eab0 authored by Mukund Sivaraman's avatar Mukund Sivaraman

Ignore SHA-1 DS digest type when SHA-384 DS digest type is present (#45017)

parent b0dbcba2
4597. [bug] The validator now ignores SHA-1 DS digest type
when a DS record with SHA-384 digest type is
present and is a supported digest type.
[RT #45017]
4596. [bug] Validate glue before adding it to the additional
section. This also fixes incorrect TTL capping
when the RRSIG expired earlier than the TTL.
......@@ -1812,10 +1812,10 @@ dlv_validatezonekey(dns_validator_t *val) {
supported_algorithm = ISC_FALSE;
/*
* If DNS_DSDIGEST_SHA256 is present we are required to prefer
* it over DNS_DSDIGEST_SHA1. This in practice means that we
* need to ignore DNS_DSDIGEST_SHA1 if a DNS_DSDIGEST_SHA256
* is present.
* If DNS_DSDIGEST_SHA256 or DNS_DSDIGEST_SHA384 is present we
* are required to prefer it over DNS_DSDIGEST_SHA1. This in
* practice means that we need to ignore DNS_DSDIGEST_SHA1 if a
* DNS_DSDIGEST_SHA256 or DNS_DSDIGEST_SHA384 is present.
*/
memset(digest_types, 1, sizeof(digest_types));
for (result = dns_rdataset_first(&val->dlv);
......@@ -1826,13 +1826,21 @@ dlv_validatezonekey(dns_validator_t *val) {
result = dns_rdata_tostruct(&dlvrdata, &dlv, NULL);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
if (!dns_resolver_ds_digest_supported(val->view->resolver,
val->event->name,
dlv.digest_type))
continue;
if (!dns_resolver_algorithm_supported(val->view->resolver,
val->event->name,
dlv.algorithm))
continue;
if (dlv.digest_type == DNS_DSDIGEST_SHA256 &&
dlv.length == ISC_SHA256_DIGESTLENGTH) {
if ((dlv.digest_type == DNS_DSDIGEST_SHA256 &&
dlv.length == ISC_SHA256_DIGESTLENGTH) ||
(dlv.digest_type == DNS_DSDIGEST_SHA384 &&
dlv.length == ISC_SHA384_DIGESTLENGTH))
{
digest_types[DNS_DSDIGEST_SHA1] = 0;
break;
}
......@@ -2164,10 +2172,10 @@ validatezonekey(dns_validator_t *val) {
supported_algorithm = ISC_FALSE;
/*
* If DNS_DSDIGEST_SHA256 is present we are required to prefer
* it over DNS_DSDIGEST_SHA1. This in practice means that we
* need to ignore DNS_DSDIGEST_SHA1 if a DNS_DSDIGEST_SHA256
* is present.
* If DNS_DSDIGEST_SHA256 or DNS_DSDIGEST_SHA384 is present we
* are required to prefer it over DNS_DSDIGEST_SHA1. This in
* practice means that we need to ignore DNS_DSDIGEST_SHA1 if a
* DNS_DSDIGEST_SHA256 or DNS_DSDIGEST_SHA384 is present.
*/
memset(digest_types, 1, sizeof(digest_types));
for (result = dns_rdataset_first(val->dsset);
......@@ -2178,13 +2186,21 @@ validatezonekey(dns_validator_t *val) {
result = dns_rdata_tostruct(&dsrdata, &ds, NULL);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
if (!dns_resolver_ds_digest_supported(val->view->resolver,
val->event->name,
ds.digest_type))
continue;
if (!dns_resolver_algorithm_supported(val->view->resolver,
val->event->name,
ds.algorithm))
continue;
if (ds.digest_type == DNS_DSDIGEST_SHA256 &&
ds.length == ISC_SHA256_DIGESTLENGTH) {
if ((ds.digest_type == DNS_DSDIGEST_SHA256 &&
ds.length == ISC_SHA256_DIGESTLENGTH) ||
(ds.digest_type == DNS_DSDIGEST_SHA384 &&
ds.length == ISC_SHA384_DIGESTLENGTH))
{
digest_types[DNS_DSDIGEST_SHA1] = 0;
break;
}
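Review bot: The digest-type/length pairing added at L41-44 is repeated verbatim at L76-79 in validatezonekey(), and the loops in dlv_validatezonekey() and validatezonekey() otherwise differ only in the rdataset they walk, so a small static predicate would keep the two sites from drifting the next time a digest type is added. The reason the length is compared as well as the type is not stated anywhere in either hunk and deserves a comment such as `/* Only a DS that could actually verify (right type and digest length) may suppress SHA-1 DS records. */`, since a malformed stronger DS must not be able to leave the zone with no usable DS at all. The rewritten comment at L21-24 and L56-59 also says the resolver is "required" to prefer SHA-384; RFC 4509 section 3 states that only as a SHOULD for SHA-256, and the SHA-384 preference is local policy, which the comment should say. Both enclosing functions begin before and end after their hunks, and this rendering drops the +/- markers, so whether the algorithm_supported checks at L35-38 and L70-73 are new or context cannot be confirmed here.
```c
/*
 * True when a DS/DLV record of this digest type and length is a
 * usable stronger digest, so that SHA-1 DS records may be ignored
 * (RFC 4509 section 3 for SHA-256; SHA-384 by local policy).
 * Checking the length keeps a malformed record from suppressing
 * SHA-1 while being unable to validate anything itself.
 */
static isc_boolean_t
ds_supersedes_sha1(unsigned int digest_type, unsigned int length) {
	return (ISC_TF((digest_type == DNS_DSDIGEST_SHA256 &&
			length == ISC_SHA256_DIGESTLENGTH) ||
		       (digest_type == DNS_DSDIGEST_SHA384 &&
			length == ISC_SHA384_DIGESTLENGTH)));
}

/* … unchanged: dlv_validatezonekey() up to the DLV loop … */
		if (ds_supersedes_sha1(dlv.digest_type, dlv.length)) {
			digest_types[DNS_DSDIGEST_SHA1] = 0;
			break;
		}
/* … same replacement for ds.digest_type / ds.length in validatezonekey() … */
```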