Fix validate_dnskey_dsset when KSK is not signing (!8848) · Merge requests · ISC Open Source Projects / BIND

Matthijs Mekking requested to merge 4625-broken-trust-chain-on-corner-case-secure-chain-fixup-keytrap into main Mar 11, 2024

When there is a secure chain of trust with a KSK that is not actively signing the DNSKEY RRset, the code for validating the DNSKEY RRset against the DS RRset could potentially skip DS records, thinking the chain of trust is broken while there is a valid DS with corresponding DNSKEY record present.

This is because we pass the result ISC_R_NOMORE on when we are done checking for signatures, but then treat it as "no more DS records".

Changing the return value to something else (DNS_R_NOVALIDSIG seems the most appropriate here) fixes the issue.

Closes #4625 (closed)

Edited Mar 11, 2024 by Mark Andrews

Fix validate_dnskey_dsset when KSK is not signing

Merge request reports