Replace INSIST in KSR DNSKEY parser with a structured error 11916/head
authorOndřej Surý <ondrej@isc.org>
Thu, 30 Apr 2026 04:43:50 +0000 (06:43 +0200)
committerOndřej Surý <ondrej@isc.org>
Tue, 5 May 2026 19:06:30 +0000 (21:06 +0200)
A DNSKEY record appearing before any ';; KeySigningRequest' header
in a KSR file made dnssec-ksr abort on INSIST(rdatalist != NULL),
which is the wrong tool for a malformed-input case.  Issue a fatal()
naming the file and line instead so pipelines see a clean exit
status and an actionable message; the now-unreachable NULL check on
the rdatalist->ttl update goes away too.

Assisted-by: Claude:claude-opus-4-7
bin/dnssec/dnssec-ksr.c
bin/tests/system/ksr/tests_ksr.py

index d2a387290906557accb857b622a348415803c9c1..9b8b1c44147f6ed44354f8ac1a76ae55237b5908 100644 (file)
@@ -1244,7 +1244,11 @@ sign(ksr_ctx_t *ksr) {
                        isc_region_t r;
                        u_char rdatabuf[DST_KEY_MAXSIZE];
 
-                       INSIST(rdatalist != NULL);
+                       if (rdatalist == NULL) {
+                               fatal("bad KSR file %s(%lu): DNSKEY record "
+                                     "before ';; KeySigningRequest' header",
+                                     ksr->file, isc_lex_getsourceline(lex));
+                       }
 
                        rdata = isc_mem_get(isc_g_mctx, sizeof(*rdata));
                        dns_rdata_init(rdata);
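Review bot: The new `rdatalist == NULL` guard is now the only thing protecting the unconditional `rdatalist->ttl` read in the second hunk, and that dependency is not stated near either line. It holds only as long as fatal() never returns and nothing between the two points resets rdatalist, neither of which is visible in this hunk. I would add a comment above the guard such as `/* A DNSKEY outside a bundle is malformed input; rdatalist is dereferenced unconditionally below. */` so a later edit does not reorder or soften the check. The body of sign() starts and ends outside the hunk.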
@@ -1261,7 +1265,7 @@ sign(ksr_ctx_t *ksr) {
                        isc_buffer_usedregion(newbuf, &r);
                        dns_rdata_fromregion(rdata, dns_rdataclass_in,
                                             dns_rdatatype_dnskey, &r);
-                       if (rdatalist != NULL && ttl < rdatalist->ttl) {
+                       if (ttl < rdatalist->ttl) {
                                rdatalist->ttl = ttl;
                        }
 
index 75d36f94cdf183c67f48aaacd4860aefb5c665ff..406250b6f1f34305e373b4921362295132ff8081 100644 (file)
@@ -651,6 +651,22 @@ def test_ksr_errors():
     )
     assert "dnssec-ksr: fatal: 'sign' requires a KSR file" in cmd.err
 
+    # check that 'dnssec-ksr sign' rejects a KSR whose first record
+    # is a DNSKEY without a preceding ';; KeySigningRequest' header,
+    # rather than aborting on an INSIST assertion
+    bad_ksr = "common.test.bad.ksr"
+    with open(bad_ksr, "w", encoding="utf-8") as f:
+        f.write(". 3600 IN DNSKEY 257 3 8 AwEAAa==\n")
+    cmd = ksr(
+        "common.test",
+        "common",
+        "sign",
+        options=f"-K ns1/offline -f {bad_ksr} -i now -e +1y",
+        raise_on_exception=False,
+    )
+    assert cmd.rc == 1
+    assert "DNSKEY record before ';; KeySigningRequest' header" in cmd.err
+
 
 def test_ksr_common(ns1):
     # common test cases (1)
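Review bot: The new assertions in test_ksr_errors pin the exit status and the tail of the message, but not the file name and line prefix that the commit description presents as the actionable part. Adding `assert f"bad KSR file {bad_ksr}(" in cmd.err` would catch a regression where the location is dropped or the wrong file is named. The file `common.test.bad.ksr` is also left behind after the check; if the harness does not discard the test directory, remove it at the end of the block. test_ksr_errors starts outside the hunk.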