From: Nicki Křížek
Date: Mon, 5 Jan 2026 13:45:06 +0000 (+0100)
Subject: [CVE-2025-8677] sec: test: Test that DNSSEC validation is aborted on malformed DNSKEY
X-Git-Tag: v9.21.17~7
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=849c17abe55c495b92a70202e866a28828b0031e;p=thirdparty%2Fbind9.git

Create a signed zone file that contains malformed ZSKs with colliding key
tags. The ZSKs don't represent valid ECDSA keys and will cause a crypto
failure when attempting to use them. Sign the zone with KSK, with the
exception of one record which is "signed" with the invalid ZSKs.

Check that the resolver aborts the DNSSEC verification after
encountering the first crypto failure, indicating malformed DNSKEY.

Closes #5343

Merge branch '5343-count-invalid-keys-into-validation-fails-test' into 'main'

See merge request isc-projects/bind9!11425
---
849c17abe55c495b92a70202e866a28828b0031e
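The behaviour the commit message describes, sketched as an added example that is not code from this commit or from BIND 9: candidate DNSKEYs are selected by RFC 4034 key tag, and validation stops at the first candidate that cannot be loaded as an ECDSA P-256 key. The names `load_p256`, `validate` and `MalformedKey`, the `verify` callback (a stand-in for the real signature check) and the sample keys are assumptions constructed for illustration.

```python
import struct

# NIST P-256 field prime and curve coefficient b (DNSSEC algorithm 13).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b

class MalformedKey(Exception):
    """DNSKEY RDATA that cannot be loaded as a P-256 public key."""

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (algorithms other than 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def load_p256(rdata: bytes):
    """Parse DNSKEY RDATA and reject points that are not on the curve."""
    if len(rdata) != 68:
        raise MalformedKey("wrong length")
    _flags, _proto, alg = struct.unpack("!HBB", rdata[:4])
    x, y = (int.from_bytes(rdata[i:i + 32], "big") for i in (4, 36))
    if alg != 13 or x >= P or y >= P or (y * y - (x * x * x - 3 * x + B)) % P:
        raise MalformedKey("not a valid P-256 point")
    return x, y

def validate(sig_key_tag, dnskeys, verify):
    """Try keys matching the RRSIG key tag; stop at the first malformed one."""
    tried = 0
    for rdata in dnskeys:
        if key_tag(rdata) != sig_key_tag:
            continue
        tried += 1
        try:
            point = load_p256(rdata)
        except MalformedKey:
            return "aborted", tried   # no further candidates are attempted
        if verify(point):             # hypothetical signature-check callback
            return "secure", tried
    return "no-valid-key", tried

# Constructed sample data: header = flags 256, protocol 3, algorithm 13.
HDR = struct.pack("!HBB", 256, 3, 13)
GOOD = HDR + bytes.fromhex(
    "6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296"
    "4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5")  # base point G
BAD1 = HDR + bytes(range(64))                         # not on the curve
BAD2 = HDR + bytes([2, 1, 0]) + bytes(range(3, 64))   # same key tag as BAD1

if __name__ == "__main__":
    print(validate(key_tag(BAD1), [BAD1, BAD2, GOOD], lambda pt: True))
    print(validate(key_tag(GOOD), [BAD1, BAD2, GOOD], lambda pt: True))
```

With the constructed keys, a signature carrying the colliding key tag is abandoned after one key load instead of one attempt per colliding key.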