Allow unsupported alg in zone /w dnssec-signzone
authorMatthijs Mekking <github@pletterpet.nl>
Tue, 18 Dec 2018 11:14:04 +0000 (12:14 +0100)
committerOndřej Surý <ondrej@isc.org>
Thu, 20 Dec 2018 09:50:08 +0000 (04:50 -0500)
dnssec-signzone should sign a zonefile that contains a DNSKEY record
with an unsupported algorithm.  Current behavior is that it will
fail, hitting a fatal error.  The fix detects unsupported algorithms
and will not try to add them to the keylist.

Also when determining the maximum iterations for NSEC3, don't take
into account DNSKEY records in the zonefile with an unsupported
algorithm.

(cherry picked from commit 1dd11fc754baf396bb3040527087b14f0678dd83)

lib/dns/dnssec.c
lib/dns/include/dns/dnssec.h
lib/dns/nsec3.c

index d12ae7e0ab9473aa5c0244394c1f504149d01048..b7afce1a73f3f75c70b22f5819f2748615ad5b55 100644 (file)
@@ -1685,6 +1685,14 @@ dns_dnssec_keylistfromrdataset(dns_name_t *origin,
             result = dns_rdataset_next(&keys)) {
                dns_rdata_reset(&rdata);
                dns_rdataset_current(&keys, &rdata);
+
+               /* Skip unsupported algorithms */
+               REQUIRE(rdata.type == dns_rdatatype_key ||
+                       rdata.type == dns_rdatatype_dnskey);
+               REQUIRE(rdata.length > 3);
+               if (!dst_algorithm_supported(rdata.data[3]))
+                       goto skip;
+
                RETERR(dns_dnssec_keyfromrdata(origin, &rdata, mctx, &pubkey));
                dst_key_setttl(pubkey, keys.ttl);
 
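Review bot: `REQUIRE(rdata.length > 3)` before the `rdata.data[3]` read turns a short DNSKEY/KEY rdata into an assertion abort rather than an error return, and nothing in the hunk says why that is acceptable; the same pair of REQUIREs and the hard-coded offset-3 read are repeated in the lib/dns/nsec3.c hunk of this commit. Presumably it is safe because rdata that reaches an rdataset has already passed the type-specific parser, which rejects KEY/DNSKEY records shorter than the 4-byte flags/protocol/algorithm header — if so, the comment should record that reliance, e.g. `/* Skip unsupported algorithms; the KEY/DNSKEY rdata parser guarantees the 4-byte flags/protocol/algorithm header, so data[3] is the algorithm. */`. Having the algorithm offset duplicated in two files invites drift; a small shared helper that takes the rdata and returns the algorithm byte (or the dst_algorithm_supported() verdict) would keep both call sites identical. The loop in dns_dnssec_keylistfromrdataset and the `skip` label the goto targets lie outside the hunk, so whether pubkey/privkey state is consistent at that point cannot be checked here.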
index 0b6369c50dabced9a5c82ca3eb5df7dba9edc8b0..3aaeaf5d8f83150147b16516397c293a6e6ca6fc 100644 (file)
@@ -301,7 +301,7 @@ dns_dnssec_findmatchingkeys2(dns_name_t *origin, const char *directory,
 /*%<
  * Search 'directory' for K* key files matching the name in 'origin'.
  * Append all such keys, along with use hints gleaned from their
- * metadata, onto 'keylist'.
+ * metadata, onto 'keylist'.  Skip any unsupported algorithms.
  *
  *     Requires:
  *\li          'keylist' is not NULL
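Review bot: The added sentence `Skip any unsupported algorithms.` lands in the comment that, per the hunk header and its own wording ("Search 'directory' for K* key files"), documents dns_dnssec_findmatchingkeys2, whereas the only code change to lib/dns/dnssec.c in this commit is in dns_dnssec_keylistfromrdataset. Unless findmatchingkeys already skips unsupported algorithms (no hunk here changes it), the sentence belongs in the comment block for dns_dnssec_keylistfromrdataset, and that block should state the skip as part of its contract, since callers such as dnssec-signzone now silently receive fewer keys than the zone carries. The surrounding comment block continues beyond the hunk.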
index a9d5cbada2b6dd56f836501782fa766024de8424..978d03c7839679f6f73249ee0a1abe8bb53e81e9 100644 (file)
@@ -1804,8 +1804,17 @@ dns_nsec3_maxiterations(dns_db_t *db, dns_dbversion_t *version,
             result == ISC_R_SUCCESS;
             result = dns_rdataset_next(&rdataset)) {
                dns_rdata_t rdata = DNS_RDATA_INIT;
-
                dns_rdataset_current(&rdataset, &rdata);
+
+               /* Skip unsupported algorithms when
+                * calculating the maximum iterations.
+                */
+               REQUIRE(rdata.type == dns_rdatatype_key ||
+                       rdata.type == dns_rdatatype_dnskey);
+               REQUIRE(rdata.length > 3);
+               if (!dst_algorithm_supported(rdata.data[3]))
+                       continue;
+
                isc_buffer_init(&buffer, rdata.data, rdata.length);
                isc_buffer_add(&buffer, rdata.length);
                CHECK(dst_key_fromdns(dns_db_origin(db), rdataset.rdclass,