Commit 5d3a7aad authored by Mark Andrews

Merge branch...

Merge branch '1689-bind-stops-dnskey-lookup-in-get_dst_key-when-a-key-with-unsupported-algorithm-is-found-first' into 'main'

Resolve "BIND stops DNSKEY lookup in get_dst_key() when a key with unsupported algorithm is found first"

Closes #1689

See merge request !3736
parents 30b85fe4 c6345fff
5446. [bug] The validator could fail to accept a properly signed
RRset if an unsupported algorithm appeared earlier in
the DNSKEY RRset than a supported algorithm. It could
also stop if it detected a malformed public key.
[GL #1689]
5445. [cleanup] Disable and disallow static linking. [GL #1933]
 
5444. [bug] 'rndc dnstap -roll <value>' was not limiting the
......@@ -3562,6 +3562,13 @@ n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
# TODO: test case for GL #1689.
# If we allow the dnssec tools to use deprecated algorithms (such as RSAMD5)
# we could write a test that signs a zone with supported and unsupported
# algorithm, apply a fixed rrset order such that the unsupported algorithm
# precedes the supported one in the DNSKEY RRset, and verify the result still
# validates succesfully.
echo_i "check that a lone non matching CDNSKEY record is rejected ($n)"
ret=0
(
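Review bot: The added comment at the end of the new block misspells "successfully"; the last line should read `# validates successfully.` so the TODO reads cleanly when someone later picks it up. The surrounding test body that starts with `(` continues past the end of the hunk.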
......@@ -48,3 +48,8 @@ Bug Fixes
- 'rndc dnstap -roll <value>' was not limiting the number of saved
files to <value>. [GL !3728]
- The validator could fail to accept a properly signed RRset if an
unsupported algorithm appeared earlier in the DNSKEY RRset than a
supported algorithm. It could also stop if it detected a malformed
public key. [GL #1689]
......@@ -1126,24 +1126,25 @@ select_signing_key(dns_validator_t *val, dns_rdataset_t *rdataset) {
INSIST(val->key == NULL);
result = dst_key_fromdns(&siginfo->signer, rdata.rdclass, &b,
val->view->mctx, &val->key);
if (result != ISC_R_SUCCESS) {
goto failure;
}
if (siginfo->algorithm == (dns_secalg_t)dst_key_alg(val->key) &&
siginfo->keyid == (dns_keytag_t)dst_key_id(val->key) &&
dst_key_iszonekey(val->key))
{
if (foundold) {
/*
* This is the key we're looking for.
*/
return (ISC_R_SUCCESS);
} else if (dst_key_compare(oldkey, val->key)) {
foundold = true;
dst_key_free(&oldkey);
if (result == ISC_R_SUCCESS) {
if (siginfo->algorithm ==
(dns_secalg_t)dst_key_alg(val->key) &&
siginfo->keyid ==
(dns_keytag_t)dst_key_id(val->key) &&
dst_key_iszonekey(val->key))
{
if (foundold) {
/*
* This is the key we're looking for.
*/
return (ISC_R_SUCCESS);
} else if (dst_key_compare(oldkey, val->key)) {
foundold = true;
dst_key_free(&oldkey);
}
}
dst_key_free(&val->key);
}
dst_key_free(&val->key);
dns_rdata_reset(&rdata);
result = dns_rdataset_next(rdataset);
} while (result == ISC_R_SUCCESS);
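Review bot: On the new side every dst_key_fromdns() failure is skipped silently, so a DNSKEY that could not be parsed (unsupported algorithm or malformed key, the case the commit fixes) leaves no trace in the log, and a resource failure from the same call is treated the same way instead of reaching `failure` as it did before. A debug-level trace before the key is dropped would make the skip visible, e.g. `} else { validator_log(val, ISC_LOG_DEBUG(3), "skipping DNSKEY: %s", isc_result_totext(result)); }` attached to the new `if (result == ISC_R_SUCCESS)` block. If the dst result codes let the key-specific failures be told apart from allocation failures, only the former should be skipped and the rest should still go to `failure`; that distinction is not visible from this hunk. The enclosing do/while loop and select_signing_key() itself begin before the hunk.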