From dfb074ac4ae09ef95f795d1c6a6079b556def691 Mon Sep 17 00:00:00 2001
From: Otto Moerbeek
Date: Mon, 8 Apr 2024 12:14:01 +0200
Subject: [PATCH] rec: do not count RRSIGs using unsupported algorithms toward RRSIGs limit

(cherry picked from commit 834660b5c62fe7a8bcf93b0182f26fbfa5464ecc)
---
 pdns/validate.cc | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/pdns/validate.cc b/pdns/validate.cc
index 120452e98c..8b151f91d6 100644
--- a/pdns/validate.cc
+++ b/pdns/validate.cc
@@ -1022,6 +1022,9 @@ vState validateWithKeySet(time_t now, const DNSName& name, const sortedRecords_t
     }
     vState ede = vState::Indeterminate;
+    if (!DNSCryptoKeyEngine::isAlgorithmSupported(signature->d_algorithm)) {
+      continue;
+    }
     if (!checkSignatureInceptionAndExpiry(name, now, signature, ede)) {
       if (isRRSIGIncepted(now, signature)) {
         noneIncepted = false;
@@ -1151,7 +1154,7 @@ bool haveNegativeTrustAnchor(const map& negAnchors, const D
   return true;
 }
 
-vState validateDNSKeysAgainstDS(time_t now, const DNSName& zone, const dsmap_t& dsmap, const skeyset_t& tkeys, const sortedRecords_t& toSign, const vector >& sigs, skeyset_t& validkeys, pdns::validation::ValidationContext& context)
+vState validateDNSKeysAgainstDS(time_t now, const DNSName& zone, const dsmap_t& dsmap, const skeyset_t& tkeys, const sortedRecords_t& toSign, const vector >& sigs, skeyset_t& validkeys, pdns::validation::ValidationContext& context) // NOLINT(readability-function-cognitive-complexity): FIXME
 {
   /*
    * Check all DNSKEY records against all DS records and place all DNSKEY records
@@ -1217,6 +1220,9 @@ vState validateDNSKeysAgainstDS(time_t now, const DNSName& zone, const dsmap_t&
   // whole set
   uint16_t signaturesConsidered = 0;
   for (const auto& sig : sigs) {
+    if (!DNSCryptoKeyEngine::isAlgorithmSupported(sig->d_algorithm)) {
+      continue;
+    }
     if (!checkSignatureInceptionAndExpiry(zone, now, sig, ede)) {
       continue;
     }
-- 
2.47.2
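Review bot: The new `continue` in validateWithKeySet runs before `checkSignatureInceptionAndExpiry`, so an RRSIG with an unsupported algorithm no longer touches `noneIncepted` (visible on the last hunk line) or whatever sibling flags the loop maintains; if every RRSIG in the set is skipped this way those flags keep their initial values, and the post-loop classification, which lies outside the hunk, may then report a timing-related Bogus state instead of "no valid RRSIG" — worth confirming that the nothing-considered case is handled explicitly. The skip is also silent; if other discards in this function log their reason, a `LOG(name << ": Ignoring RRSIG with unsupported algorithm " << signature->d_algorithm << endl);` before the `continue` would make a Bogus verdict on such a zone diagnosable. A one-line comment would record why the check sits ahead of the signature accounting: `// RFC 4035 5.3.1: RRSIGs we cannot validate are ignored; they cost no crypto work, so they must not consume the per-RRset signature budget`. The loop and validateWithKeySet itself start and end outside the hunk.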
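Review bot: The new skip in validateDNSKeysAgainstDS is undocumented, and since it sits right above the `signaturesConsidered` loop a comment such as `// Unsupported algorithms are ignored per RFC 4035 5.3.1 and cost nothing to skip, so they must not count toward the RRSIG limit` would tie it to the commit's intent. Ignoring these RRSIGs does not by itself make the zone Insecure: per RFC 6840 5.2 that only follows when no DS record names a supported algorithm, which this function presumably still decides from `dsmap` outside the hunk, so a DNSKEY set whose only RRSIGs use unsupported algorithms while a supported DS exists should stay Bogus — worth a test. If every RRSIG is skipped `signaturesConsidered` stays 0, so any downstream logic that reads the counter should treat "none considered" distinctly from "limit hit". The same three lines were added to validateWithKeySet; a shared helper predicate would keep the two loops from drifting. The function body continues beyond the hunk.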