From: Ondřej Surý
Date: Thu, 30 Apr 2026 13:50:37 +0000 (+0200)
Subject: fix: dev: Reject RSA DNSKEYs with degenerate modulus
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d455794d0d9bece33346f96f1c9d2652b63b4755;p=thirdparty%2Fbind9.git

fix: dev: Reject RSA DNSKEYs with degenerate modulus

A crafted DNSKEY rdata whose declared exponent length consumed the
whole buffer produced an RSA key with no modulus, which
dnssec-importkey accepted as valid and wrote to a .private file with
no key material. The wire-format parser now rejects RSA public keys
with a modulus smaller than 512 bits, the lowest legitimate size
across the RSA DNSSEC algorithms.

Closes #5920

Merge branch '5920-opensslrsa-fromdns-zero-modulus-accepted' into 'main'

See merge request isc-projects/bind9!11929
---
d455794d0d9bece33346f96f1c9d2652b63b4755
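The check the commit message describes, as an added example that is not BIND's code: a bounds-checked parser for the RFC 3110 RSA public key layout (exponent length, exponent, modulus) that refuses a key whose exponent leaves no modulus, or a modulus under 512 bits. The names `rsa_pub_view` and `rsa_pub_parse` are hypothetical, and measuring the modulus by its significant bits after leading zero octets is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RSA_MIN_MODULUS_BITS 512 /* floor stated in the commit message */

typedef struct {            /* hypothetical view type, not a BIND structure */
    const uint8_t *exp, *mod;
    size_t exp_len, mod_len;
} rsa_pub_view;

/* Parse RFC 3110 RSA key data: exponent length, exponent, modulus.
 * Returns 0 on success, -1 for malformed or degenerate input;
 * *out is only meaningful when 0 is returned. */
int rsa_pub_parse(const uint8_t *buf, size_t len, rsa_pub_view *out) {
    size_t pos = 0, e_len, bits;
    if (buf == NULL || out == NULL || len < 1) return -1;
    e_len = buf[pos++];
    if (e_len == 0) {       /* 0 means a 2-octet big-endian length follows */
        if (len - pos < 2) return -1;
        e_len = ((size_t)buf[pos] << 8) | buf[pos + 1];
        pos += 2;
    }
    /* The exponent must exist and must fit in what remains. */
    if (e_len == 0 || e_len > len - pos) return -1;
    out->exp = buf + pos;
    out->exp_len = e_len;
    pos += e_len;
    /* Whatever is left is the modulus. When the exponent consumed the
     * whole buffer nothing is left: the case the commit message describes. */
    const uint8_t *m = buf + pos;
    size_t m_len = len - pos;
    while (m_len > 0 && *m == 0) { m++; m_len--; }  /* ignore leading zeros */
    if (m_len == 0) return -1;
    bits = (m_len - 1) * 8;
    for (uint8_t top = *m; top != 0; top >>= 1) bits++;
    if (bits < RSA_MIN_MODULUS_BITS) return -1;
    out->mod = m;
    out->mod_len = m_len;
    return 0;
}

int main(void) {
    /* Constructed input: exponent length 3 uses up all remaining octets. */
    const uint8_t degenerate[] = { 3, 0x01, 0x00, 0x01 };
    rsa_pub_view v;
    printf("degenerate key: %s\n",
           rsa_pub_parse(degenerate, sizeof degenerate, &v) ? "rejected" : "accepted");
    return 0;
}
```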