From: Otto Moerbeek
Date: Mon, 8 Apr 2024 10:14:01 +0000 (+0200)
Subject: rec: do not count RRSIGs using unsupported algorithms toward RRSIGs limit
X-Git-Tag: rec-5.1.0-alpha1~38^2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F14049%2Fhead;p=thirdparty%2Fpdns.git

rec: do not count RRSIGs using unsupported algorithms toward RRSIGs limit
---

diff --git a/pdns/validate.cc b/pdns/validate.cc
index d8f60c1150..eb63e2d818 100644
--- a/pdns/validate.cc
+++ b/pdns/validate.cc
@@ -1022,6 +1022,9 @@ vState validateWithKeySet(time_t now, const DNSName& name, const sortedRecords_t
     }
 
     vState ede = vState::Indeterminate;
+    if (!DNSCryptoKeyEngine::isAlgorithmSupported(signature->d_algorithm)) {
+      continue;
+    }
     if (!checkSignatureInceptionAndExpiry(name, now, *signature, ede, log)) {
       if (isRRSIGIncepted(now, *signature)) {
         noneIncepted = false;
@@ -1127,7 +1130,7 @@ bool haveNegativeTrustAnchor(const map& negAnchors, const D
   return true;
 }
 
-vState validateDNSKeysAgainstDS(time_t now, const DNSName& zone, const dsmap_t& dsmap, const skeyset_t& tkeys, const sortedRecords_t& toSign, const vector >& sigs, skeyset_t& validkeys, const OptLog& log, pdns::validation::ValidationContext& context)
+vState validateDNSKeysAgainstDS(time_t now, const DNSName& zone, const dsmap_t& dsmap, const skeyset_t& tkeys, const sortedRecords_t& toSign, const vector >& sigs, skeyset_t& validkeys, const OptLog& log, pdns::validation::ValidationContext& context) // NOLINT(readability-function-cognitive-complexity): FIXME
 {
   /*
    * Check all DNSKEY records against all DS records and place all DNSKEY records
@@ -1194,6 +1197,9 @@ vState validateDNSKeysAgainstDS(time_t now, const DNSName& zone, const dsmap_t&
   // whole set
   uint16_t signaturesConsidered = 0;
   for (const auto& sig : sigs) {
+    if (!DNSCryptoKeyEngine::isAlgorithmSupported(sig->d_algorithm)) {
+      continue;
+    }
     if (!checkSignatureInceptionAndExpiry(zone, now, *sig, ede, log)) {
       continue;
     }
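Review bot: The new early `continue` in validateWithKeySet sits before the inception/expiry bookkeeping, so an RRSIG with an unsupported algorithm no longer influences `noneIncepted` either, and nothing in the hunk records that this is deliberate; the same unexplained skip appears in the third hunk, in validateDNSKeysAgainstDS, just above the `signaturesConsidered` counting. The placement is defensible — the signature is rejected before any cryptographic work, so it does not consume the budget the limit exists to protect — but a maintainer who later moves the check below the counting will silently change both the limit semantics and the inception/expiry state. I would add, above each new `if`, `// An RRSIG we cannot validate costs no crypto work and can never verify, so it is skipped before any bookkeeping and does not count toward the signatures limit.`. Both enclosing functions start outside their hunks, so whether anything downstream still expects to see these signatures (for example when deciding between Insecure and Bogus) cannot be confirmed from here and is worth a glance by the author.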