From: Ondřej Surý <ondrej@isc.org>
Date: Mon, 8 Jun 2026 16:01:03 +0000 (+0200)
Subject: fix: usr: Reject unsupported RSA DNSKEY shapes during DNSSEC validation
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c7a0a6af4dac3a95b76efaded6cd210699489cdf;p=thirdparty%2Fbind9.git

fix: usr: Reject unsupported RSA DNSKEY shapes during DNSSEC validation

An authoritative server publishing an RSA DNSKEY with an unusually
large modulus or an exotic public exponent could make each DNSSEC
signature check on a validating recursive resolver noticeably more
expensive than for a normally sized key.  Such DNSKEYs are now
treated as invalid.

Closes #6008

Merge branch '6008-reject-oversized-rsa-dnskeys' into 'main'

See merge request isc-projects/bind9!12054
---

c7a0a6af4dac3a95b76efaded6cd210699489cdf