From: Ondřej Surý
Date: Thu, 30 Apr 2026 08:55:49 +0000 (+0200)
Subject: fix: usr: prevent malicious DNSSEC zones from exhausting validator CPU
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=120eaf546f0b37aa15c8c01cbb3ceb580a29b2fb;p=thirdparty%2Fbind9.git

fix: usr: prevent malicious DNSSEC zones from exhausting validator CPU

A DNSSEC-signed zone could publish a DNSKEY with an unusually large RSA public exponent and force any validator resolving names in that zone to spend disproportionate CPU verifying signatures. The validator now rejects such DNSKEYs, matching the limit already applied to keys read from files or HSMs.

Closes #5881

Merge branch '5881-rsa-exponent-keytrap-cpu-amplification' into 'main'

See merge request isc-projects/bind9!11917
---
120eaf546f0b37aa15c8c01cbb3ceb580a29b2fb
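
The check the commit message describes, sketched as an added example (not code from this commit or from BIND 9): parse the RSA public key field of a DNSKEY as laid out in RFC 3110 and reject an oversized public exponent before any signature is verified. The function names, the sample keys and the 35-bit limit are assumptions made for this example; the commit message does not state the limit's value.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EXAMPLE_MAX_EXP_BITS 35 /* assumed limit, for this example only */

enum rsa_check { RSA_OK = 0, RSA_MALFORMED = -1, RSA_EXP_TOO_LARGE = -2 };

/* Bit length of a big-endian unsigned integer; leading zero bytes do not count. */
static size_t be_bitlen(const uint8_t *p, size_t len) {
	while (len > 0 && *p == 0) { p++; len--; }
	if (len == 0) return 0;
	size_t bits = len * 8;
	for (uint8_t top = *p; !(top & 0x80); top = (uint8_t)(top << 1)) bits--;
	return bits;
}

/* key: DNSKEY public key field for an RSA algorithm (RFC 3110 layout):
 * 1-byte exponent length, or 0x00 followed by a 2-byte length;
 * then the exponent; then the modulus. */
enum rsa_check check_rsa_dnskey(const uint8_t *key, size_t len, size_t max_bits) {
	if (len < 1) return RSA_MALFORMED;
	size_t explen = key[0], off = 1;
	if (explen == 0) {
		if (len < 3) return RSA_MALFORMED;
		explen = ((size_t)key[1] << 8) | key[2];
		off = 3;
	}
	/* Need a non-empty exponent and at least one modulus byte after it. */
	if (explen == 0 || len - off <= explen) return RSA_MALFORMED;
	size_t bits = be_bitlen(key + off, explen);
	if (bits == 0) return RSA_MALFORMED;
	/* Decide on the exponent's value, not on its encoded length. */
	return bits > max_bits ? RSA_EXP_TOO_LARGE : RSA_OK;
}

/* Constructed sample keys with dummy 4-byte moduli (not real keys). */
static const uint8_t key_f4[] = { 3, 0x01,0x00,0x01, 0xC0,0xFF,0xEE,0x01 };
static const uint8_t key_padded[] = { 0, 0x00,0x08, 0,0,0,0,0,0x01,0x00,0x01, 0xC0,0xFF,0xEE,0x01 };
static const uint8_t key_huge[] = { 0, 0x00,0x08, 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 0xC0,0xFF,0xEE,0x01 };
static const uint8_t key_short[] = { 3, 0x01,0x00,0x01 };

int main(void) {
	printf("f4=%d padded=%d huge=%d short=%d\n",
	       check_rsa_dnskey(key_f4, sizeof key_f4, EXAMPLE_MAX_EXP_BITS),
	       check_rsa_dnskey(key_padded, sizeof key_padded, EXAMPLE_MAX_EXP_BITS),
	       check_rsa_dnskey(key_huge, sizeof key_huge, EXAMPLE_MAX_EXP_BITS),
	       check_rsa_dnskey(key_short, sizeof key_short, EXAMPLE_MAX_EXP_BITS));
	return 0;
}
```

The zero-padded key is accepted because its exponent is still 65537; only the 64-bit exponent is rejected, and the key with no modulus bytes is reported as malformed.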