From 088aad9e326795d78f16c94bfca0f1b909abe109 Mon Sep 17 00:00:00 2001
From: Tomas Krizek
Date: Tue, 12 Mar 2019 15:31:42 +0100
Subject: [PATCH] daemon/lua/trust_anchors: don't crash when dealing with unknown algorhitm
---
 daemon/lua/trust_anchors.lua.in | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/daemon/lua/trust_anchors.lua.in b/daemon/lua/trust_anchors.lua.in
index 2497fbcb8..ca4d221a6 100644
--- a/daemon/lua/trust_anchors.lua.in
+++ b/daemon/lua/trust_anchors.lua.in
@@ -201,12 +201,16 @@ local function ta_present(keyset, rr, hold_down_time, force_valid)
 if rr.type == kres.type.DNSKEY and not C.kr_dnssec_key_ksk(rr.rdata) then
 return false -- Ignore
 end
+ -- Attempt to extract key_tag
+ local key_tag = C.kr_dnssec_key_tag(rr.type, rr.rdata, #rr.rdata)
+ if key_tag < 0 or key_tag > 65535 then
+ warn(string.format('[ ta ] ignoring invalid or unsupported RR: %s: %s',
+ kres.rr2str(rr), ffi.string(C.knot_strerror(key_tag))))
+ return false
+ end
 -- Find the key in current key set and check its status
 local now = os.time()
 local key_revoked = (rr.type == kres.type.DNSKEY) and C.kr_dnssec_key_revoked(rr.rdata)
- local key_tag = C.kr_dnssec_key_tag(rr.type, rr.rdata, #rr.rdata)
- assert(key_tag >= 0 and key_tag <= 65535, string.format('invalid RR: %s: %s',
- kres.rr2str(rr), ffi.string(C.knot_strerror(key_tag))))
 local ta = ta_find(keyset, rr)
 if ta then
 -- Key reappears (KeyPres)
-- 
2.47.3
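Review bot: The new `return false` after the `key_tag` check gives the caller the same result as the non-KSK "Ignore" path just above it, so a trust anchor skipped for an invalid or unsupported key cannot be told apart from an ordinarily ignored DNSKEY. Because this is trust-anchor handling, it is worth confirming in the callers (outside this hunk) that a keyset in which every RR was skipped this way makes validation fail closed rather than continuing with no usable anchor. I would record that expectation at the check, e.g. `-- Skip only this RR; callers must still reject a keyset left without any usable anchor`. Separately, the warning calls `C.knot_strerror(key_tag)` even on the `key_tag > 65535` branch, where the value is presumably not an error code, so the logged reason would be misleading there; formatting the raw number in that case would be clearer. The body of `ta_present` starts and ends outside the hunk.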