From: Tony Finch Date: Mon, 4 Oct 2021 23:01:54 +0000 (+1100) Subject: dnssec-dsfromkey should not convert revoked keys X-Git-Tag: v9.16.24~5^2~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3f7fa710d7744e0fa22d6743f42ae944b5a549ac;p=thirdparty%2Fbind9.git dnssec-dsfromkey should not convert revoked keys it is pointless to convert revoked keys to DS or CDS records as they cannot be used to provide a cryptographic link from the parent zone. (cherry picked from commit 04a5529c2da2187dde4cfce656fee023d55b1b47) --- diff --git a/bin/dnssec/dnssec-dsfromkey.c b/bin/dnssec/dnssec-dsfromkey.c index 75ef21f2d39..f089bbbbaa8 100644 --- a/bin/dnssec/dnssec-dsfromkey.c +++ b/bin/dnssec/dnssec-dsfromkey.c @@ -262,6 +262,10 @@ emit(dns_dsdigest_t dt, bool showall, bool cds, dns_rdata_t *rdata) { fatal("can't convert DNSKEY"); } + if ((dnskey.flags & DNS_KEYFLAG_REVOKE) != 0) { + return; + } + if ((dnskey.flags & DNS_KEYFLAG_KSK) == 0 && !showall) { return; } diff --git a/bin/dnssec/dnssec-dsfromkey.rst b/bin/dnssec/dnssec-dsfromkey.rst index 35d62c0bcbe..4d68ca80efa 100644 --- a/bin/dnssec/dnssec-dsfromkey.rst +++ b/bin/dnssec/dnssec-dsfromkey.rst @@ -43,6 +43,10 @@ Description The ``dnssec-dsfromkey`` command outputs DS (Delegation Signer) resource records (RRs), or CDS (Child DS) RRs with the ``-C`` option. +By default, only KSKs are converted (keys with flags = 257). The +``-A`` option includes ZSKs (flags = 256). Revoked keys are never +included. + The input keys can be specified in a number of ways: By default, ``dnssec-dsfromkey`` reads a key file named in the format diff --git a/doc/man/dnssec-dsfromkey.8in b/doc/man/dnssec-dsfromkey.8in index 65b4122e187..75d7888a0a3 100644 --- a/doc/man/dnssec-dsfromkey.8in +++ b/doc/man/dnssec-dsfromkey.8in 
@@ -44,6 +44,10 @@ dnssec-dsfromkey \- DNSSEC DS RR generation tool The \fBdnssec\-dsfromkey\fP command outputs DS (Delegation Signer) resource records (RRs), or CDS (Child DS) RRs with the \fB\-C\fP option. .sp +By default, only KSKs are converted (keys with flags = 257). The +\fB\-A\fP option includes ZSKs (flags = 256). Revoked keys are never +included. +.sp The input keys can be specified in a number of ways: .sp By default, \fBdnssec\-dsfromkey\fP reads a key file named in the format
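Review bot: In the `bin/dnssec/dnssec-dsfromkey.c` hunk, the new `DNS_KEYFLAG_REVOKE` check returns silently, so a user who passes a revoked key (with or without `-A`) gets no DS/CDS output and no explanation, which is hard to tell apart from a key that failed to load. Consider a diagnostic on stderr when a revoked key is skipped, e.g. `fprintf(stderr, "skipping revoked key\n");` before the `return;`, or at least document in the commit message that empty output is the intended behaviour. The placement before the `DNS_KEYFLAG_KSK` / `showall` test is right: it makes the exclusion apply regardless of `-A`, matching the documentation change. The diff touches only the tool and its docs; a test exercising a revoked key would make the new behaviour visible in the test suite.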
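Review bot: In the `bin/dnssec/dnssec-dsfromkey.rst` hunk, "keys with flags = 257" and "(flags = 256)" overstate what the code checks: the C hunk tests the `DNS_KEYFLAG_KSK` bit, not the whole flags value, so a KSK carrying additional flag bits still counts as a KSK, and the revoked keys this change excludes would not have flags equal to 257 or 256 in the first place. Suggest wording such as "keys with the KSK (SEP) bit set, typically flags = 257" and "ZSKs (typically flags = 256)" so the documentation matches the bit test rather than implying an exact-value comparison.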
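Review bot: In the `doc/man/dnssec-dsfromkey.8in` hunk, the added paragraph duplicates the `.rst` text verbatim, so any wording change made to the "flags = 257" / "flags = 256" sentence in `dnssec-dsfromkey.rst` must be carried over here as well, otherwise the man page and the reStructuredText documentation will drift apart. If the `.8in` file is produced from the `.rst`, regenerating it after the `.rst` edit is safer than hand-editing both copies.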