From 834660b5c62fe7a8bcf93b0182f26fbfa5464ecc Mon Sep 17 00:00:00 2001
From: Otto Moerbeek
Date: Mon, 8 Apr 2024 12:14:01 +0200
Subject: [PATCH] rec: do not count RRSIGs using unsupported algorithms toward RRSIGs limit

---
 pdns/validate.cc | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/pdns/validate.cc b/pdns/validate.cc
index d8f60c1150..eb63e2d818 100644
--- a/pdns/validate.cc
+++ b/pdns/validate.cc
@@ -1022,6 +1022,9 @@ vState validateWithKeySet(time_t now, const DNSName& name, const sortedRecords_t
     }
 
     vState ede = vState::Indeterminate;
+    if (!DNSCryptoKeyEngine::isAlgorithmSupported(signature->d_algorithm)) {
+      continue;
+    }
     if (!checkSignatureInceptionAndExpiry(name, now, *signature, ede, log)) {
       if (isRRSIGIncepted(now, *signature)) {
         noneIncepted = false;
@@ -1127,7 +1130,7 @@ bool haveNegativeTrustAnchor(const map& negAnchors, const D
   return true;
 }
 
-vState validateDNSKeysAgainstDS(time_t now, const DNSName& zone, const dsmap_t& dsmap, const skeyset_t& tkeys, const sortedRecords_t& toSign, const vector >& sigs, skeyset_t& validkeys, const OptLog& log, pdns::validation::ValidationContext& context)
+vState validateDNSKeysAgainstDS(time_t now, const DNSName& zone, const dsmap_t& dsmap, const skeyset_t& tkeys, const sortedRecords_t& toSign, const vector >& sigs, skeyset_t& validkeys, const OptLog& log, pdns::validation::ValidationContext& context) // NOLINT(readability-function-cognitive-complexity): FIXME
 {
   /*
    * Check all DNSKEY records against all DS records and place all DNSKEY records
@@ -1194,6 +1197,9 @@ vState validateDNSKeysAgainstDS(time_t now, const DNSName& zone, const dsmap_t&
   // whole set
   uint16_t signaturesConsidered = 0;
   for (const auto& sig : sigs) {
+    if (!DNSCryptoKeyEngine::isAlgorithmSupported(sig->d_algorithm)) {
+      continue;
+    }
     if (!checkSignatureInceptionAndExpiry(zone, now, *sig, ede, log)) {
       continue;
     }
-- 
2.47.2
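Review bot: The early `continue` added in validateWithKeySet skips an RRSIG with an unsupported algorithm before the inception/expiry bookkeeping (`noneIncepted` and whatever follows it) and before it can be counted, so a response whose RRSIGs all carry unsupported algorithms now leaves the loop having considered nothing; whether the code after the hunk then resolves to Insecure, as RFC 4035 section 5.2 expects for unsupported algorithms, rather than Bogus is not visible here and deserves a unit test covering that all-unsupported case. The same guard is added to the signature loop in validateDNSKeysAgainstDS in the last hunk, so the same question applies to its `signaturesConsidered` accounting. Both sites would read better with a one-line comment stating the rationale, e.g. `// Skipped before the limit is applied: an unsupported algorithm costs no validation work, so it must not consume the RRSIG budget`, since the placement ahead of the date check is otherwise surprising. The enclosing functions begin and end outside their hunks.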