From: Ondřej Surý Date: Thu, 30 Apr 2026 04:43:50 +0000 (+0200) Subject: Replace INSIST in KSR DNSKEY parser with a structured error X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b4200ba2590df33a6f30d1b8c259c454b7045bf5;p=thirdparty%2Fbind9.git Replace INSIST in KSR DNSKEY parser with a structured error A DNSKEY record appearing before any ';; KeySigningRequest' header in a KSR file made dnssec-ksr abort on INSIST(rdatalist != NULL), which is the wrong tool for a malformed-input case. Issue a fatal() naming the file and line instead so pipelines see a clean exit status and an actionable message; the now-unreachable NULL check on the rdatalist->ttl update goes away too. Assisted-by: Claude:claude-opus-4-7 --- diff --git a/bin/dnssec/dnssec-ksr.c b/bin/dnssec/dnssec-ksr.c index d2a38729090..9b8b1c44147 100644 --- a/bin/dnssec/dnssec-ksr.c +++ b/bin/dnssec/dnssec-ksr.c @@ -1244,7 +1244,11 @@ sign(ksr_ctx_t *ksr) { isc_region_t r; u_char rdatabuf[DST_KEY_MAXSIZE]; - INSIST(rdatalist != NULL); + if (rdatalist == NULL) { + fatal("bad KSR file %s(%lu): DNSKEY record " + "before ';; KeySigningRequest' header", + ksr->file, isc_lex_getsourceline(lex)); + } rdata = isc_mem_get(isc_g_mctx, sizeof(*rdata)); dns_rdata_init(rdata); @@ -1261,7 +1265,7 @@ sign(ksr_ctx_t *ksr) { isc_buffer_usedregion(newbuf, &r); dns_rdata_fromregion(rdata, dns_rdataclass_in, dns_rdatatype_dnskey, &r); - if (rdatalist != NULL && ttl < rdatalist->ttl) { + if (ttl < rdatalist->ttl) { rdatalist->ttl = ttl; } diff --git a/bin/tests/system/ksr/tests_ksr.py b/bin/tests/system/ksr/tests_ksr.py index 75d36f94cdf..406250b6f1f 100644 --- a/bin/tests/system/ksr/tests_ksr.py +++ b/bin/tests/system/ksr/tests_ksr.py @@ -651,6 +651,22 @@ def test_ksr_errors(): ) assert "dnssec-ksr: fatal: 'sign' requires a KSR file" in cmd.err + # check that 'dnssec-ksr sign' rejects a KSR whose first record + # is a DNSKEY without a preceding ';; KeySigningRequest' header, + # rather than aborting on an INSIST assertion + bad_ksr = "common.test.bad.ksr" + with open(bad_ksr, "w", encoding="utf-8") as f: + f.write(". 3600 IN DNSKEY 257 3 8 AwEAAa==\n") + cmd = ksr( + "common.test", + "common", + "sign", + options=f"-K ns1/offline -f {bad_ksr} -i now -e +1y", + raise_on_exception=False, + ) + assert cmd.rc == 1 + assert "DNSKEY record before ';; KeySigningRequest' header" in cmd.err + def test_ksr_common(ns1): # common test cases (1)