From: Remi Gacogne <remi.gacogne@powerdns.com>
Date: Wed, 8 Jul 2020 09:04:47 +0000 (+0200)
Subject: rec: Check that DNSKEYs have the zone flag set
X-Git-Tag: rec-4.4.0-alpha2~2^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d2a42d06911a4716348c82a0fc0c9d1be34c4f60;p=thirdparty%2Fpdns.git

rec: Check that DNSKEYs have the zone flag set

As required by rfc4034 Section 5.2.
---

diff --git a/pdns/validate.cc b/pdns/validate.cc
index 52a8a30ec0..996870fc99 100644
--- a/pdns/validate.cc
+++ b/pdns/validate.cc
@@ -748,17 +748,26 @@ bool validateWithKeySet(time_t now, const DNSName& name, const sortedRecords_t&
       LOG(name<<": Discarding invalid RRSIG whose label count is "<<signature->d_labels<<" while the RRset owner name has only "<<labelCount<<endl);
     }
 
-    auto r = getByTag(keys, signature->d_tag, signature->d_algorithm);
+    auto keysMatchingTag = getByTag(keys, signature->d_tag, signature->d_algorithm);
 
-    if(r.empty()) {
+    if (keysMatchingTag.empty()) {
       LOG("No key provided for "<<signature->d_tag<<" and algorithm "<<std::to_string(signature->d_algorithm)<<endl;);
       continue;
     }
 
-    string msg=getMessageForRRSET(name, *signature, toSign, true);
-    for(const auto& l : r) {
-      bool signIsValid = checkSignatureWithKey(now, signature, l, msg);
-      if(signIsValid) {
+    string msg = getMessageForRRSET(name, *signature, toSign, true);
+    for(const auto& key : keysMatchingTag) {
+      /* rfc4034 Section 5.2:
+         "The DNSKEY RR Flags MUST have Flags bit 7 set."
+         Let's check that this is a ZONE key, even though there is no other
+         types of DNSKEYs at the moment.
+      */
+      if (!(key->d_flags & 256)) {
+        continue;
+      }
+
+      bool signIsValid = checkSignatureWithKey(now, signature, key, msg);
+      if (signIsValid) {
         isValid = true;
         LOG("Validated "<<name<<"/"<<DNSRecordContent::NumberToType(signature->d_type)<<endl);
         //	  cerr<<"valid"<<endl;