From: Mark Andrews
Date: Fri, 16 May 2025 06:14:14 +0000 (+1000)
Subject: Check the DS trust anchor algorithm is supported
X-Git-Tag: v9.21.10~47^2~12
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=215bde91c6558cb28422af58f8071a8f76fa4762;p=thirdparty%2Fbind9.git
Check the DS trust anchor algorithm is supported
This make DS based trust anchors consistent with DNSKEY based trust anchors.
---
diff --git a/bin/named/server.c b/bin/named/server.c
index db395e20ef2..b39bf1b1072 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -853,8 +853,13 @@ ta_fromconfig(const cfg_obj_t *key, bool *initialp, const char **namestrp,
 ds->length = r.length;
 ds->digest = digest;
+ INSIST(r.length <= ISC_MAX_MD_SIZE);
 memmove(ds->digest, r.base, r.length);
+ if (!dst_algorithm_supported(ds->algorithm)) {
+ CHECK(DST_R_UNSUPPORTEDALG);
+ }
+
 break;
 default:
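Review bot: The added `INSIST(r.length <= ISC_MAX_MD_SIZE);` guards the `memmove` into `ds->digest` by aborting the process, yet `r.length` appears to come from the configured trust-anchor digest, so an over-long value would take named down on load or reconfiguration instead of rejecting the anchor. Unless the length is already bounded per digest type earlier in `ta_fromconfig` (that code is outside this hunk), an error return in the function's existing `CHECK` style fits better: `if (r.length > ISC_MAX_MD_SIZE) { CHECK(ISC_R_RANGE); }`. If the INSIST is meant purely as an invariant, a one-line comment naming where the length was validated would make that clear. The new `dst_algorithm_supported()` test covers `ds->algorithm` only; whether `ds->digest_type` gets an equivalent support check is not visible here and is worth confirming.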