From: Ondřej Surý Date: Fri, 15 May 2026 08:08:46 +0000 (+0200) Subject: Allow any valid DNS name as a key name X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=85f854b076a08fa69fed78f56de1aa92ea8f1356;p=thirdparty%2Fbind9.git Allow any valid DNS name as a key name TSIG key names need to be any valid DNS name so that update-policy "self" rules work with arbitrary names. Replace the alnum+'.'+'-'+'_' charset filter in the key-generation tools with a dns_name_fromstring() validity check. --- diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c index 2080078fc34..e23bd92fb68 100644 --- a/bin/confgen/keygen.c +++ b/bin/confgen/keygen.c @@ -26,6 +26,7 @@ #include #include +#include #include #include @@ -95,17 +96,17 @@ alg_bits(dns_secalg_t alg) { */ void validate_keyname(const char *keyname) { + dns_fixedname_t fixed; + dns_name_t *name = dns_fixedname_initname(&fixed); + isc_result_t result; + if (keyname == NULL || keyname[0] == '\0') { fatal("key name must not be empty"); } - for (const char *p = keyname; *p != '\0'; p++) { - unsigned char c = (unsigned char)*p; - if (!isalnum(c) && c != '.' && c != '-' && c != '_') { - fatal("key name '%s' contains invalid character; " - "only alphanumerics, '.', '-', and '_' are " - "allowed", - keyname); - } + + result = dns_name_fromstring(name, keyname, dns_rootname, 0, NULL); + if (result != ISC_R_SUCCESS) { + fatal("invalid key name: %s", isc_result_totext(result)); } }
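Review bot: The new check in validate_keyname() only proves that `keyname` parses as a DNS name; unlike the removed filter, it no longer guarantees the string is safe to write into the generated configuration. A valid DNS label can contain `"`, `;`, braces, whitespace or backslash escapes, so if the callers (outside this hunk) still print the raw `keyname` inside a quoted key clause, such a name could change how the emitted file is parsed. Consider emitting the parsed name in its escaped text form instead of the raw argument, or keeping a narrow reject after the parse, for example `if (strpbrk(keyname, "\"\\\r\n") != NULL) fatal("key name '%s' cannot be written to the configuration safely", keyname);`. The new `fatal("invalid key name: %s", ...)` also drops the offending name, which the old message included; `fatal("invalid key name '%s': %s", keyname, isc_result_totext(result));` would restore it. The comment block ending at ` */` above the function starts outside the hunk and may still describe the old character set.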