Previously, if a matching but cryptographically invalid key was
encountered during DNSSEC validation, the key was skipped and not
counted towards validation failures. :iscman:`named` now treats such
DNSSEC keys as hard failures and the DNSSEC validation fails
immediately, instead of continuing with the next DNSKEYs in the RRset.

ISC would like to thank Zuyao Xu and Xiang Li from the All-in-One
Security and Privacy Laboratory at Nankai University for bringing this
vulnerability to our attention.

Backport of MR !821

Closes isc-projects/bind9#5343

Merge branch '5343-security-count-invalid-keys-into-validation-fails-9.18' into 'v9.18.40-release'

See merge request isc-private/bind9!843
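
A simplified model of the behaviour change described in the commit message above, added here as an illustration; it is not code from BIND or from ISC. The types, the `validate` and `run_sample` functions, the failure counter and the nine-key sample RRset are all assumptions constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed model (not BIND's types): a DNSKEY that already matches the RRSIG. */
typedef struct {
    bool well_formed; /* false: key material is cryptographically invalid */
    bool verifies;    /* true: the signature verifies under this key */
} matching_key;
typedef struct {
    bool secure;      /* validation result */
    size_t examined;  /* keys the validator spent work on */
    size_t failures;  /* failures charged to the (assumed) failure count */
} outcome;

/* hard_fail == false: earlier behaviour (skip the invalid key, count nothing).
 * hard_fail == true:  behaviour after the change (fail at once, count it). */
static outcome validate(const matching_key *keys, size_t n, bool hard_fail)
{
    outcome o = { false, 0, 0 };
    for (size_t i = 0; i < n; i++) {
        o.examined++;
        if (!keys[i].well_formed) {
            if (!hard_fail) continue; /* skipped, never counted */
            o.failures++;
            return o;                 /* stop: do not try later DNSKEYs */
        }
        if (keys[i].verifies) { o.secure = true; return o; }
        o.failures++;                 /* well-formed key, bad signature */
    }
    return o;
}

/* Constructed RRset: eight invalid matching keys, then one good key. */
static outcome run_sample(bool hard_fail)
{
    matching_key rrset[9] = { { false, false } };
    rrset[8] = (matching_key){ true, true };
    return validate(rrset, 9, hard_fail);
}

int main(void)
{
    outcome a = run_sample(false), b = run_sample(true);
    printf("skip: secure=%d examined=%zu failures=%zu | hard fail: secure=%d examined=%zu failures=%zu\n",
           a.secure, a.examined, a.failures, b.secure, b.examined, b.failures);
    return 0;
}
```

In the skip model the validator works through all nine keys while its failure count stays at zero; in the hard-fail model it stops at the first invalid key and records one failure.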