Fail DNSKEY validation when supported but invalid DS is found
authorOndřej Surý <ondrej@isc.org>
Mon, 23 Feb 2026 05:13:59 +0000 (06:13 +0100)
committerOndřej Surý <ondrej@isc.org>
Mon, 23 Feb 2026 10:34:43 +0000 (11:34 +0100)
A regression was introduced when adding the EDE code for unsupported
DNSKEY and DS algorithms.  When the parent has both supported and
unsupported algorithms in the DS RRset, the validator would treat the
supported DS algorithm as insecure when validating DNSKEY records
instead of BOGUS.  This has no security impact, as the rest of the child
zone still correctly ends up with BOGUS status, but it is incorrect and
thus the regression has been fixed.

bin/tests/system/dnssec/tests_validation.py
lib/dns/include/dns/validator.h
lib/dns/validator.c

index 777bb693b1d830c2abd10d943ac06b5465ace526..1122180eaab7d5a41a142fd5a2d1619c19ea6d13 100644 (file)
@@ -408,7 +408,7 @@ def test_private_algorithms(ns4):
         isctest.check.noerror(res1)
         isctest.check.servfail(res2)
         watcher.wait_for_line(
-            "No DNSKEY for extradsunknownoid.example/DS with PRIVATEOID"
+            "no DNSKEY matching DS"
         )
 
 
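Review bot: The replacement pattern `"no DNSKEY matching DS"` on the `+` line is far less specific than the string it replaces, so `wait_for_line` can be satisfied by a line logged for a different zone or an earlier query in the same run rather than the extradsunknownoid.example DS validation this test is about. If the new validator message still carries the owner name (the old one did), anchor on the name as well, e.g. `"extradsunknownoid.example/DS"` combined with the new text in whatever order the validator prints them; if it does not, add a one-line comment above the call naming the query that is expected to produce this line. test_private_algorithms begins before this hunk.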
index faa5ea15330fcefa2816f8c5375816057adbec2e..7676fe534b66713b0c2decd51121283c873ee5f3 100644 (file)
@@ -150,6 +150,7 @@ struct dns_validator {
        bool           digest_sha1;
        uint8_t        unsupported_algorithm;
        uint8_t        unsupported_digest;
+       uint8_t        validation_attempts;
        dns_rdata_t    rdata;
        bool           resume;
        isc_counter_t *nvalidations;
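Review bot: `validation_attempts` on the `+` line is a `uint8_t` that the validator.c hunks of this commit only ever test for non-zero, so an 8-bit counter gains nothing over a flag and adds a wrap: a DS RRset with exactly 256 counted entries (large for DNS, but nothing in this hunk rejects it) reads back as zero and silently re-triggers the regression being fixed. Either widen it to `unsigned int` or make the intent explicit with `bool`, and document the field either way, e.g. `/* DS records with a supported algorithm tried against the DNSKEY set; 0 means only unsupported DS were seen */`. The field must also start at zero for each new validator; presumably the struct is zero-initialized where it is allocated, which is worth confirming.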
index 2e731a7576c2125ff6a6a20f3cf10d356d81ed4b..ed2931b744021f2a01ef9740bbccf7af719641ac 100644 (file)
@@ -2089,6 +2089,8 @@ validate_dnskey_dsset(dns_validator_t *val) {
                }
        }
 
+       val->validation_attempts++;
+
        /*
         * Find the DNSKEY matching the DS...
         */
@@ -2113,6 +2115,12 @@ validate_dnskey_dsset(dns_validator_t *val) {
                                                      val->name, key.algorithm,
                                                      key.data, key.datalen))
                {
+                       /*
+                        * Don't count the unsupported algorithm into the
+                        * validation attempts.
+                        */
+                       val->validation_attempts--;
+
                        if (val->unsupported_algorithm == 0) {
                                val->unsupported_algorithm = key.algorithm;
                                /*
@@ -2184,6 +2192,11 @@ validate_dnskey_dsset_next_done(void *arg) {
                return;
        }
 
+       if (val->validation_attempts != 0) {
+               val->unsupported_algorithm = 0;
+               val->unsupported_digest = 0;
+       }
+
        validate_dnskey_dsset_done(val, result);
        return;
 }
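Review bot: The reset on the new lines runs only on the `validate_dnskey_dsset_next_done` path; if `validate_dnskey_dsset_done` can also be reached directly from `validate_dnskey_dsset` (for instance when the first DS already produces a result without going through `_next`), `unsupported_algorithm` and `unsupported_digest` would survive there and still yield the insecure classification this commit fixes. That is not visible from the hunk, but moving the reset into `validate_dnskey_dsset_done` itself would close the gap without changing the logic here. A why-comment would also help the next reader, e.g. `/* A DS with a supported algorithm was tried, so clear the EDE hints: the outcome is BOGUS, not insecure. */`.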