From: Ondřej Surý
Date: Thu, 30 Apr 2026 11:24:00 +0000 (+0200)
Subject: [9.20] fix: usr: prevent malicious DNSSEC zones from exhausting validator CPU
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c425827743fb3d62a6c04712611d7ecb0684d66d;p=thirdparty%2Fbind9.git

[9.20] fix: usr: prevent malicious DNSSEC zones from exhausting validator CPU

A DNSSEC-signed zone could publish a DNSKEY with an unusually large
RSA public exponent and force any validator resolving names in that
zone to spend disproportionate CPU verifying signatures. The validator
now rejects such DNSKEYs, matching the limit already applied to keys
read from files or HSMs.

Closes #5881

Backport of MR !11917

Merge branch 'backport-5881-rsa-exponent-keytrap-cpu-amplification-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11923
---

c425827743fb3d62a6c04712611d7ecb0684d66d
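
The kind of check the commit message describes, as an added example that is not code from BIND 9 or from this commit: it parses the RSA public key field of a DNSKEY in the RFC 3110 layout and rejects an oversized exponent before any signature verification is attempted. The function and constant names are hypothetical, the sample keys are constructed, and the 35-bit limit is an assumption, since the message does not state the value.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Assumed limit for illustration; the commit message does not state it. */
#define MAX_PUBEXP_BITS 35
enum { RSA_OK = 0, RSA_MALFORMED = -1, RSA_EXP_TOO_LARGE = -2 };

/* Constructed sample key fields (moduli truncated to a few bytes). */
static const uint8_t k_f4[]    = { 0x03, 0x01, 0x00, 0x01, 0xC0, 0xFF, 0xEE };
static const uint8_t k_35bit[] = { 0x05, 0x04, 0, 0, 0, 0x01, 0xAA };
static const uint8_t k_36bit[] = { 0x00, 0x00, 0x05, 0x08, 0, 0, 0, 0x01, 0xAA };
static const uint8_t k_trunc[] = { 0x03, 0x01, 0x00 };

/* RFC 3110 layout: one length byte (or 0x00 plus a 2-byte big-endian
 * length), the exponent, then the modulus. Only the exponent's bit length
 * is inspected, so the check is cheap whatever the zone publishes. */
static int check_rsa_exponent(const uint8_t *key, size_t len, unsigned *bits)
{
    size_t elen, off = 1;
    if (len < 1) return RSA_MALFORMED;
    elen = key[0];
    if (elen == 0) {                       /* long form */
        if (len < 3) return RSA_MALFORMED;
        elen = ((size_t)key[1] << 8) | key[2];
        off = 3;
    }
    /* Require a non-empty exponent and at least one modulus byte. */
    if (elen == 0 || len - off <= elen) return RSA_MALFORMED;
    const uint8_t *e = key + off;
    while (elen > 0 && *e == 0) { e++; elen--; }   /* strip zero padding */
    if (elen == 0) return RSA_MALFORMED;           /* exponent is zero */
    *bits = (unsigned)(elen - 1) * 8;
    for (uint8_t top = *e; top != 0; top >>= 1) (*bits)++;
    return *bits > MAX_PUBEXP_BITS ? RSA_EXP_TOO_LARGE : RSA_OK;
}

int main(void)
{
    const struct { const uint8_t *p; size_t n; } t[] = {
        { k_f4, sizeof k_f4 }, { k_35bit, sizeof k_35bit },
        { k_36bit, sizeof k_36bit }, { k_trunc, sizeof k_trunc } };
    for (size_t i = 0; i < sizeof t / sizeof t[0]; i++) {
        unsigned bits = 0;
        int rc = check_rsa_exponent(t[i].p, t[i].n, &bits);
        printf("key %zu: rc=%d bits=%u\n", i, rc, bits);
    }
    return 0;
}
```

Stripping leading zero bytes before counting keeps a padded small exponent from being rejected and keeps the measured size tied to the value the verifier would actually use.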