From: Peter van Dijk
Date: Mon, 5 Jul 2021 15:04:04 +0000 (+0200)
Subject: rec: do not use DNSKEYs found below an apex for validation
X-Git-Tag: dnsdist-1.7.0-alpha1~85^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=90b85dd0e7bfb7a21ab07f2ab9b31c616c6c62b9;p=thirdparty%2Fpdns.git
rec: do not use DNSKEYs found below an apex for validation
---
diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index 4c34384137..bf5b439e18 100644
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -3269,7 +3269,7 @@ RCode::rcodes_ SyncRes::updateCacheFromRecords(unsigned int depth, LWResult& lwr
 LOG(d_prefix<<": got initial zone status "<first.name<<"|"<first.type)<first.type == QType::DNSKEY && i->first.place == DNSResourceRecord::ANSWER) {
+ if (i->first.type == QType::DNSKEY && i->first.place == DNSResourceRecord::ANSWER && i->first.name == getSigner(i->second.signatures)) {
 LOG(d_prefix<<"Validating DNSKEY for "<first.name<first.name, i->second.records, i->second.signatures, depth);
 }
diff --git a/regression-tests.recursor-dnssec/recursortests.py b/regression-tests.recursor-dnssec/recursortests.py
index 2f895c2ff3..8ab62558bc 100644
--- a/regression-tests.recursor-dnssec/recursortests.py
+++ b/regression-tests.recursor-dnssec/recursortests.py
@@ -181,6 +181,8 @@ cname-to-formerr.secure.example. 3600 IN CNAME host1.insecure-formerr.example.
 dname-secure.secure.example. 3600 IN DNAME dname-secure.example.
 dname-insecure.secure.example. 3600 IN DNAME insecure.example.
 dname-bogus.secure.example. 3600 IN DNAME bogus.example.
+
+non-apex-dnskey.secure.example. 3600 IN DNSKEY 257 3 13 CT6AJ4MEOtNDgj0+xLtTLGHf1WbLsKWZI8ONHOt/6q7hTjeWSnY/SGig1dIKZrHg+pJFUSPaxeShv48SYVRKEg==
 """,
 'dname-secure.example': """
 dname-secure.example. 3600 IN SOA {soa}
diff --git a/regression-tests.recursor-dnssec/test_Interop.py b/regression-tests.recursor-dnssec/test_Interop.py
index 44c172d19f..799633eac9 100644
--- a/regression-tests.recursor-dnssec/test_Interop.py
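Review bot: The added owner-name == signer-name condition on the `+ if` line has no comment saying why a DNSKEY whose RRSIGs name another signer must bypass validateDNSKeys, and the reasoning is the whole point of the fix; suggested: `// Only a DNSKEY RRset signed under its own name is a zone's apex key set (RFC 4035 §5.3.1); a DNSKEY below the apex is ordinary signed data and must never become a trust point`. One consequence to confirm: a DNSKEY RRset carrying no RRSIGs at all (for example the apex of an unsigned zone) now also fails the equality test, assuming getSigner yields an empty name for an empty signature set, and takes whatever path follows instead of validateDNSKeys, so the Insecure/Bogus outcome for that case deserves its own regression test. updateCacheFromRecords continues outside the hunk, and the context lines of this hunk are garbled in this rendering, with the removed line's `-` marker lost.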
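Review bot: The added non-apex DNSKEY line in the secure.example zone text gives no hint of its purpose, and a later reader of the fixture will take it for a stray key and may remove it. If this zone text is fed through a master-file parser that accepts `;` comments (not visible here), a line above it such as `; deliberately placed below the apex: must validate as ordinary data, never be used as a trust point (see testNonApexDNSKEY)` ties it to the test it supports; otherwise the same sentence belongs in the test's docstring.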
+++ b/regression-tests.recursor-dnssec/test_Interop.py
@@ -121,6 +121,23 @@ forward-zones+=undelegated.insecure.example=%s.12
 self.assertRcodeEqual(res, dns.rcode.NOERROR)
 self.assertMessageHasFlags(res, ['QR', 'RD', 'RA', 'AD'], [])
+
+ def testNonApexDNSKEY(self):
+ """
+ a DNSKEY not at the apex of a zone should not be treated as a DNSKEY in validation
+ """
+ query = dns.message.make_query('non-apex-dnskey.secure.example.', 'DNSKEY')
+ query.flags |= dns.flags.AD
+
+ res = self.sendUDPQuery(query)
+ print(res)
+ expectedDNSKEY = dns.rrset.from_text('non-apex-dnskey.secure.example.', 0, dns.rdataclass.IN, 'DNSKEY', '257 3 13 CT6AJ4MEOtNDgj0+xLtTLGHf1WbLsKWZI8ONHOt/6q7hTjeWSnY/SGig1dIKZrHg+pJFUSPaxeShv48SYVRKEg==')
+
+ self.assertRRsetInAnswer(res, expectedDNSKEY)
+ self.assertRcodeEqual(res, dns.rcode.NOERROR)
+ self.assertMessageHasFlags(res, ['QR', 'RD', 'RA', 'AD'], [])
+
+
 @classmethod
 def startResponders(cls):
 print("Launching responders..")
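Review bot: `print(res)` in the added testNonApexDNSKEY is leftover debugging output and should be dropped; the assertions that follow already surface the response on failure. The test pins only the positive outcome — the non-apex DNSKEY comes back with AD set, i.e. it validated as ordinary data under the apex keys — and nothing here asserts that the key was refused as a trust point, which is what the commit title claims, so the docstring should say what the test does and does not prove, e.g. `AD here shows the record validated as ordinary signed data; it does not by itself show the key is never used to validate other records`. The enclosing test class starts outside the hunk.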