From: Mark Andrews Date: Wed, 28 May 2025 03:59:04 +0000 (+1000) Subject: Check that the specified DS digest is supported X-Git-Tag: v9.21.10~47^2~14 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dfee0e64ed54aad2d82758ec86559d44570d7220;p=thirdparty%2Fbind9.git Check that the specified DS digest is supported dnssec-dsfromkey and dnssec-cds failed to properly check if the specified DS digest type is supported or not.
---
diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c
index cb42bb710a1..91a6c47554b 100644
--- a/bin/dnssec/dnssectool.c
+++ b/bin/dnssec/dnssectool.c
@@ -361,7 +361,10 @@ strtodsdigest(const char *str) {
 r.length = strlen(str);
 result = dns_dsdigest_fromtext(&alg, &r);
 if (result != ISC_R_SUCCESS) {
- fatal("unknown DS algorithm %s", str);
+ fatal("unknown DS digest %s", str);
+ }
+ if (!dst_ds_digest_supported(alg)) {
+ fatal("unsupported DS digest %s", str);
 }
 return alg;
 }
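Review bot: The added `dst_ds_digest_supported(alg)` guard in strtodsdigest() has no comment explaining why a second check follows a successful `dns_dsdigest_fromtext()`. A later cleanup could easily fold the two `fatal()` branches back into one. Going by the commit description, the parse step does not by itself reject digest types this build cannot compute, so I would add `/* Parsing succeeded; still reject digest types this build cannot compute. */` above the new `if`. The function's declarations and opening lines are outside the hunk, so the type of `alg` passed to the new call cannot be confirmed from here. No test appears in this diff; a regression case for dnssec-dsfromkey and dnssec-cds using a digest value that parses but is unsupported would pin the new "unsupported DS digest" path.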