Fail DNSKEY validation when supported but invalid DS is found
authorOndřej Surý <ondrej@isc.org>
Mon, 23 Feb 2026 05:13:59 +0000 (06:13 +0100)
committerOndřej Surý <ondrej@isc.org>
Tue, 24 Feb 2026 10:56:30 +0000 (11:56 +0100)
A regression was introduced when adding the EDE code for unsupported
DNSKEY and DS algorithms.  When the parent has both supported and
unsupported algorithms in the DS record, the validator would treat the
supported DS algorithm as insecure when validating DNSKEY records
instead of BOGUS.  This has no security impact as the rest of the child
zone correctly ends with BOGUS status, but it is incorrect and thus the
regression has been fixed.

(cherry picked from commit f983a6415293bf26e5001b44a202a618f60dbf34)

lib/dns/include/dns/validator.h
lib/dns/validator.c

index 445279a9ebc1c20a8dcc6b958c2439fa629be240..362e7e7e3fdba4b913708053e4009e3d05df2122 100644 (file)
@@ -151,6 +151,7 @@ struct dns_validator {
        bool           digest_sha1;
        uint8_t        unsupported_algorithm;
        uint8_t        unsupported_digest;
+       uint8_t        validation_attempts;
        dns_rdata_t    rdata;
        bool           resume;
        isc_counter_t *nvalidations;
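Review bot: `validation_attempts` is a `uint8_t` that is only ever tested for non-zero (the `!= 0` check in the validate_dnskey_dsset_next_done hunk of validator.c), so the 256th increment in validate_dnskey_dsset wraps it back to 0 and the `unsupported_algorithm`/`unsupported_digest` markers would no longer be cleared, reproducing the insecure-instead-of-BOGUS outcome this commit fixes. Whether a DS RRset can carry enough supported records to reach that count is not visible here, but a flag cannot wrap: `bool validation_attempted;` here, `val->validation_attempted = true;` in validate_dnskey_dsset and `if (val->validation_attempted) {` in validate_dnskey_dsset_next_done. The new field also has no comment next to the existing marker fields; something like `/* non-zero once a DS with a supported algorithm and digest has been tried */` would say what it records. Where the field is zeroed when the validator is created or reused is outside these hunks and should be confirmed.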
index 26cc6e4a5cd7f30d731b2062a9f31cd2e6af6472..0cd2cfb6c22a8fc2798655e6b98e044b095c9201 100644 (file)
@@ -2118,6 +2118,8 @@ validate_dnskey_dsset(dns_validator_t *val) {
                return DNS_R_BADALG;
        }
 
+       val->validation_attempts++;
+
        /*
         * Find the DNSKEY matching the DS...
         */
@@ -2189,6 +2191,11 @@ validate_dnskey_dsset_next_done(void *arg) {
                return;
        }
 
+       if (val->validation_attempts != 0) {
+               val->unsupported_algorithm = 0;
+               val->unsupported_digest = 0;
+       }
+
        validate_dnskey_dsset_done(val, result);
        return;
 }
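Review bot: The new block that clears `unsupported_algorithm` and `unsupported_digest` carries no comment, and the reason it exists is only recoverable from the commit message. A short comment above the `if` would keep that rationale with the code, e.g. `/* At least one DS with a supported algorithm was actually tried, so the outcome must be BOGUS rather than insecure; drop the unsupported-algorithm markers. */`. The function validate_dnskey_dsset_next_done begins outside the hunk, so how `result` is derived before this point cannot be checked here, and the comment wording should be confirmed against that code.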