From: Matthijs Mekking
Date: Mon, 11 Mar 2024 09:51:20 +0000 (+0100)
Subject: Fix validate_dnskey_dsset when KSK is not signing
X-Git-Tag: v9.19.22~3^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fb2f0c816859bbc7183abc1fdd902833fc4d1e0a;p=thirdparty%2Fbind9.git

Fix validate_dnskey_dsset when KSK is not signing

When there is a secure chain of trust with a KSK that is not actively signing the DNSKEY RRset, the code for validating the DNSKEY RRset against the DS RRset could potentially skip DS records, thinking the chain of trust is broken while there is a valid DS with corresponding DNSKEY record present.

This is because we pass the result ISC_R_NOMORE on when we are done checking for signatures, but then treat it as "no more DS records". Changing the return value to something else (DNS_R_NOVALIDSIG seems the most appropriate here) fixes the issue.
---
diff --git a/lib/dns/validator.c b/lib/dns/validator.c index 38d0b62e5ae..5681c89a367 100644 --- a/lib/dns/validator.c +++ b/lib/dns/validator.c @@ -1976,7 +1976,7 @@ validate_dnskey_dsset(dns_validator_t *val) { validator_log(val, ISC_LOG_DEBUG(3), "no RRSIG matching DS key"); - return (result); + return (DNS_R_NOVALIDSIG); } return (ISC_R_SUCCESS);
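Review bot: the new `return (DNS_R_NOVALIDSIG);` in validate_dnskey_dsset should carry a short comment saying why `result` is deliberately not passed through here: per the commit message, `result` holds ISC_R_NOMORE left over from the signature loop, and the caller reads ISC_R_NOMORE as "no more DS records", so returning it stops the DS walk early and a valid DS/DNSKEY pair later in the set is skipped. Without that comment the next reader may "simplify" this back to `return (result);` and reintroduce the bug. The diff also adds no regression test for the scenario it describes (a DS whose KSK is present in the DNSKEY RRset but is not signing it); one would lock the fix in, and since the caller's branch that consumes DNS_R_NOVALIDSIG is outside this hunk, the review should confirm it continues with the next DS record rather than treating the new code as a validation failure.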