Skip unsupported algorithms when looking for signing key
authorOndřej Surý <ondrej@isc.org>
Tue, 4 Nov 2025 01:09:38 +0000 (02:09 +0100)
committerOndřej Surý <ondrej@isc.org>
Tue, 4 Nov 2025 18:53:26 +0000 (19:53 +0100)
When looking for a signing key in select_signing_key(), a result code
indicating an unsupported algorithm would abort the search.  Instead, skip
such keys and continue searching for the right key.

Co-Authored-By: Aram Sargsyan <aram@isc.org>
Co-Authored-By: Petr Menšík <pemensik@redhat.com>
lib/dns/validator.c

index c6781544b9653c12b7087a2bee5300577b212e9b..52677fbd80f1ad95b6baf4d20daa7733bae8954d 100644 (file)
@@ -1092,8 +1092,14 @@ select_signing_key(dns_validator_t *val, dns_rdataset_t *rdataset) {
                        continue;
                }
 
-               return dns_dnssec_keyfromrdata(&siginfo->signer, &rdata,
-                                              val->view->mctx, &val->key);
+               result = dns_dnssec_keyfromrdata(&siginfo->signer, &rdata,
+                                                val->view->mctx, &val->key);
+               /* Don't count unsupported algorithm towards max fails */
+               if (result == DST_R_UNSUPPORTEDALG) {
+                       /* Continue with the next key */
+                       continue;
+               }
+               return result;
        }
 
        return ISC_R_NOTFOUND;
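Review bot: Only `DST_R_UNSUPPORTEDALG` is skipped after the `dns_dnssec_keyfromrdata()` call; every other failure still leaves through `return result;` and ends the search at that key. If the loop can reach more than one candidate DNSKEY, a record that fails to convert for some other reason would presumably stop the search before a later usable key is tried, so it is worth confirming that this is intended and saying so in a comment. The added comment refers to "max fails", but no failure counter is visible in this hunk; wording such as `/* Unsupported algorithm: this key is unusable, so try the next DNSKEY instead of failing the search */` would describe what the branch does here. A test with a DNSKEY RRset that places an unsupported-algorithm key ahead of the real signing key would pin the new behaviour. select_signing_key() starts above the hunk, so the loop header and the declaration of `result` are not visible.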