daemon/lua/trust_anchors: don't crash when dealing with unknown algorhitm

author Tomas Krizek <tomas.krizek@nic.cz>

Tue, 12 Mar 2019 14:31:42 +0000 (15:31 +0100)

committer Petr Špaček <petr.spacek@nic.cz>

Thu, 4 Apr 2019 12:18:55 +0000 (14:18 +0200)
author Tomas Krizek <tomas.krizek@nic.cz>
Tue, 12 Mar 2019 14:31:42 +0000 (15:31 +0100)
committer Petr Špaček <petr.spacek@nic.cz>
Thu, 4 Apr 2019 12:18:55 +0000 (14:18 +0200)
diff --git a/daemon/lua/trust_anchors.lua.in b/daemon/lua/trust_anchors.lua.in

index 2497fbcb8762c92b8841c26246bfbb52d9ea3b0f..ca4d221a610323228397b0fe929ce2a9165bbf3d 100644 (file)
--- a/daemon/lua/trust_anchors.lua.in
+++ b/daemon/lua/trust_anchors.lua.in
@@ -201,12 +201,16 @@ local function ta_present(keyset, rr, hold_down_time, force_valid)
         if rr.type == kres.type.DNSKEY and not C.kr_dnssec_key_ksk(rr.rdata) then
                 return false -- Ignore
         end
+    -- Attempt to extract key_tag
+       local key_tag = C.kr_dnssec_key_tag(rr.type, rr.rdata, #rr.rdata)
+    if key_tag < 0 or key_tag > 65535 then
+        warn(string.format('[ ta ] ignoring invalid or unsupported RR: %s: %s',
+            kres.rr2str(rr), ffi.string(C.knot_strerror(key_tag))))
+        return false
+    end
         -- Find the key in current key set and check its status
         local now = os.time()
         local key_revoked = (rr.type == kres.type.DNSKEY) and C.kr_dnssec_key_revoked(rr.rdata)
-       local key_tag = C.kr_dnssec_key_tag(rr.type, rr.rdata, #rr.rdata)
-       assert(key_tag >= 0 and key_tag <= 65535, string.format('invalid RR: %s: %s',
-              kres.rr2str(rr), ffi.string(C.knot_strerror(key_tag))))
         local ta = ta_find(keyset, rr)
         if ta then
                 -- Key reappears (KeyPres)
author	Tomas Krizek <tomas.krizek@nic.cz>
	Tue, 12 Mar 2019 14:31:42 +0000 (15:31 +0100)
committer	Petr Špaček <petr.spacek@nic.cz>
	Thu, 4 Apr 2019 12:18:55 +0000 (14:18 +0200)