rec: Actually discard invalid RRSIGs with too high labels count

author Remi Gacogne <remi.gacogne@powerdns.com>

Mon, 30 Nov 2020 16:06:02 +0000 (17:06 +0100)

committer Remi Gacogne <remi.gacogne@powerdns.com>

Mon, 30 Nov 2020 16:06:02 +0000 (17:06 +0100)
author Remi Gacogne <remi.gacogne@powerdns.com>
Mon, 30 Nov 2020 16:06:02 +0000 (17:06 +0100)
committer Remi Gacogne <remi.gacogne@powerdns.com>
Mon, 30 Nov 2020 16:06:02 +0000 (17:06 +0100)
diff --git a/pdns/validate.cc b/pdns/validate.cc

index dc1e4c4dce9ed9240622852e145a89676c462272..154d49f27404f50586ce7c04d245d3856fa0d65e 100644 (file)
--- a/pdns/validate.cc
+++ b/pdns/validate.cc
@@ -789,6 +789,7 @@ vState validateWithKeySet(time_t now, const DNSName& name, const sortedRecords_t
      unsigned int labelCount = name.countLabels();
      if (signature->d_labels > labelCount) {
        LOG(name<<": Discarding invalid RRSIG whose label count is "<<signature->d_labels<<" while the RRset owner name has only "<<labelCount<<endl);
+      continue;
      }
  
      auto keysMatchingTag = getByTag(keys, signature->d_tag, signature->d_algorithm);
author	Remi Gacogne <remi.gacogne@powerdns.com>
	Mon, 30 Nov 2020 16:06:02 +0000 (17:06 +0100)
committer	Remi Gacogne <remi.gacogne@powerdns.com>
	Mon, 30 Nov 2020 16:06:02 +0000 (17:06 +0100)