From: Ondřej Surý
Date: Mon, 23 Feb 2026 05:13:59 +0000 (+0100)
Subject: Fail DNSKEY validation when supported but invalid DS is found
X-Git-Tag: v9.21.19~10^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f983a6415293bf26e5001b44a202a618f60dbf34;p=thirdparty%2Fbind9.git

Fail DNSKEY validation when supported but invalid DS is found

A regression was introduced when adding the EDE code for unsupported DNSKEY and DS algorithms. When the parent has both supported and unsupported algorithm in the DS record, the validator would treat the supported DS algorithm as insecure when validating DNSKEY records instead of BOGUS. This has not security impact as the rest of the child zone correctly ends with BOGUS status, but it is incorrect and thus the regression has been fixed.
---

diff --git a/bin/tests/system/dnssec/tests_validation.py b/bin/tests/system/dnssec/tests_validation.py
index 777bb693b1d..1122180eaab 100644
--- a/bin/tests/system/dnssec/tests_validation.py
+++ b/bin/tests/system/dnssec/tests_validation.py
@@ -408,7 +408,7 @@ def test_private_algorithms(ns4):
 isctest.check.noerror(res1)
 isctest.check.servfail(res2)
 watcher.wait_for_line(
- "No DNSKEY for extradsunknownoid.example/DS with PRIVATEOID"
+ "no DNSKEY matching DS"
 )
diff --git a/lib/dns/include/dns/validator.h b/lib/dns/include/dns/validator.h
index faa5ea15330..7676fe534b6 100644
--- a/lib/dns/include/dns/validator.h
+++ b/lib/dns/include/dns/validator.h
@@ -150,6 +150,7 @@ struct dns_validator {
 bool digest_sha1;
 uint8_t unsupported_algorithm;
 uint8_t unsupported_digest;
+ uint8_t validation_attempts;
 dns_rdata_t rdata;
 bool resume;
 isc_counter_t *nvalidations;
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index 2e731a7576c..ed2931b7440 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -2089,6 +2089,8 @@ validate_dnskey_dsset(dns_validator_t *val) {
 }
 }

+ val->validation_attempts++;
+
 /*
 * Find the DNSKEY matching the DS...
 */
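Review bot: The new expected string `"no DNSKEY matching DS"` no longer names the zone, so `watcher.wait_for_line` can be satisfied by the same message logged for any other name ns4 validates while this test runs, which weakens what `test_private_algorithms` proves for the name the removed pattern checked, extradsunknownoid.example. If the validator's new log line still carries the owner name (the message format is not visible in this diff), keep it in the pattern, e.g. `"extradsunknownoid.example/DS" + ... "no DNSKEY matching DS"` adjusted to the real format; if it does not, a one-line comment saying the match is deliberately generic would spare the next reader the same question. The body of `test_private_algorithms` starts before this hunk.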
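Review bot: The new `validation_attempts` field has no comment and is a `uint8_t` that the validator.c hunks only ever test against zero, so a wrapped count (256 supported-algorithm DS records tried by one validator, or one decrement more than increments) silently turns the BOGUS outcome this commit restores back into the insecure one. Unless the number of DS records tried per validator is bounded below 256 somewhere not shown here, a `bool` that is set once a supported DS has been tried, or a saturating increment, is safer than an 8-bit counter for a yes/no decision. Either way the field wants a comment next to its neighbours, e.g. `/* Number of DS records with a supported algorithm tried against the DNSKEY RRset; non-zero means a failure is BOGUS rather than insecure. */`. `struct dns_validator` begins and ends outside this hunk.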
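Review bot: `val->validation_attempts++;` is an undocumented bare statement in the middle of `validate_dnskey_dsset`, and the fact that it is provisional (undone later in the function when the matching DNSKEY's algorithm turns out to be unsupported) is only discoverable from the next hunk, so it should say so in place: `/* Count this DS as a real attempt; undone below if its algorithm is unsupported. */`. Nothing in the diff ever resets the counter, so it presumably relies on the validator being zero-initialised at creation and on one validator handling one DNSKEY RRset; that is worth confirming against the `resume` path, since a restarted validation would otherwise inherit the previous count. `validate_dnskey_dsset` starts before this hunk and continues past it.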
@@ -2113,6 +2115,12 @@ validate_dnskey_dsset(dns_validator_t *val) {
 val->name, key.algorithm, key.data,
 key.datalen)) {
+ /*
* Don't count the unsupported algorithm into the
* validation attempts.
*/
+ val->validation_attempts--;
+
 if (val->unsupported_algorithm == 0) {
 val->unsupported_algorithm = key.algorithm;
 /*
@@ -2184,6 +2192,11 @@ validate_dnskey_dsset_next_done(void *arg) {
 return;
 }

+ if (val->validation_attempts != 0) {
+ val->unsupported_algorithm = 0;
+ val->unsupported_digest = 0;
+ }
+
 validate_dnskey_dsset_done(val, result);
 return;
 }
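Review bot: The `val->validation_attempts--;` assumes exactly one matching increment precedes it in this call; if this branch can run more than once for the same DS (the surrounding loop is not visible in the hunk), the second decrement wraps the `uint8_t` to 255, and `validate_dnskey_dsset_next_done` would then clear the unsupported-algorithm hints and report a zone that only has unsupported algorithms as BOGUS instead of insecure. Guarding the undo, `if (val->validation_attempts > 0) { val->validation_attempts--; }`, makes it safe regardless of how the loop is shaped, and the comment reads better as `Don't count the unsupported algorithm towards the validation attempts.` The enclosing function starts before this hunk and continues after it.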
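Review bot: The three added lines zero `unsupported_algorithm` and `unsupported_digest` without saying why, and a reader who only sees this hunk will take it for a bug, since those fields presumably carry the EDE hint the commit message refers to. A comment makes the intent explicit: `/* A DS with a supported algorithm was tried and failed, so the result is BOGUS, not insecure: drop the unsupported-algorithm hints so they are not reported as the cause. */`. This also means the mixed case (one supported DS failing next to an unsupported one) reports no unsupported-algorithm EDE at all, which may be the intended trade-off but deserves a sentence in the commit message. `validate_dnskey_dsset_next_done` begins before this hunk.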