Update keyfetch_done compute_tag check

If in keyfetch_done the compute_tag fails (because for example the
algorithm is not supported), don't crash, but instead ignore the
key.

(cherry picked from commit b1d5411569ae10830b63f07560091193646cc739)

diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
index 0a3e343e573c199d1d1c82d0cb14c2806aeee31b..6ba1e136affed9f83eae5b30004c134f5b8b0676 100644 (file)
--- a/lib/dns/include/dst/dst.h
+++ b/lib/dns/include/dst/dst.h
@@ -70,8 +70,7 @@ typedef struct dst_context    dst_context_t;
 #define DST_ALG_HMACSHA512     165     /* XXXMPA */
 #define DST_ALG_INDIRECT       252
 #define DST_ALG_PRIVATE                254
-#define DST_ALG_EXPAND         255
-#define DST_MAX_ALGS           255
+#define DST_MAX_ALGS           256
 
 /*% A buffer of this size is large enough to hold any key */
 #define DST_KEY_MAXSIZE                1280

diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 0667beb9422fe098ba438bfadc570e7917de2e99..df39dfb4d0a5c6e2efabfd8b27573d3051a0fc0c 100644 (file)
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -9501,6 +9501,17 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
 
                dns_keydata_todnskey(&keydata, &dnskey, NULL);
                result = compute_tag(keyname, &dnskey, mctx, &keytag);
+               if (result != ISC_R_SUCCESS) {
+                       /*
+                        * Skip if we cannot compute the key tag.
+                        * This may happen if the algorithm is unsupported
+                        */
+                       dns_zone_log(zone, ISC_LOG_ERROR,
+                               "Cannot compute tag for key in zone %s: %s "
+                               "(skipping)",
+                               namebuf, dns_result_totext(result));
+                       continue;
+               }
                RUNTIME_CHECK(result == ISC_R_SUCCESS);
 
                /*
@@ -9613,6 +9624,17 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
                }
 
                result = compute_tag(keyname, &dnskey, mctx, &keytag);
+               if (result != ISC_R_SUCCESS) {
+                       /*
+                        * Skip if we cannot compute the key tag.
+                        * This may happen if the algorithm is unsupported
+                        */
+                       dns_zone_log(zone, ISC_LOG_ERROR,
+                               "Cannot compute tag for key in zone %s: %s "
+                               "(skipping)",
+                               namebuf, dns_result_totext(result));
+                       continue;
+               }
                RUNTIME_CHECK(result == ISC_R_SUCCESS);
 
                revoked = ((dnskey.flags & DNS_KEYFLAG_REVOKE) != 0);