Allow unsupported alg in zone /w dnssec-signzone
authorMatthijs Mekking <github@pletterpet.nl>
Tue, 18 Dec 2018 11:14:04 +0000 (12:14 +0100)
committerMatthijs Mekking <github@pletterpet.nl>
Wed, 19 Dec 2018 11:54:31 +0000 (12:54 +0100)
dnssec-signzone should sign a zonefile that contains a DNSKEY record
with an unsupported algorithm.  Current behavior is that it will
fail, hitting a fatal error.  The fix detects DNSKEY records with an
unsupported algorithm and skips them instead of adding them to the keylist.

Also when determining the maximum iterations for NSEC3, don't take
into account DNSKEY records in the zonefile with an unsupported
algorithm.

lib/dns/dnssec.c
lib/dns/include/dns/dnssec.h
lib/dns/nsec3.c

index c12ecacc5aa76be4a2941b1e8324a26ba79be2af..e255b6e2a9b5d9d395e17302af8eb8f10f4839d4 100644 (file)
@@ -1622,6 +1622,14 @@ dns_dnssec_keylistfromrdataset(const dns_name_t *origin,
             result = dns_rdataset_next(&keys)) {
                dns_rdata_reset(&rdata);
                dns_rdataset_current(&keys, &rdata);
+
+               /* Skip unsupported algorithms */
+               REQUIRE(rdata.type == dns_rdatatype_key ||
+                       rdata.type == dns_rdatatype_dnskey);
+               REQUIRE(rdata.length > 3);
+               if (!dst_algorithm_supported(rdata.data[3]))
+                       goto skip;
+
                RETERR(dns_dnssec_keyfromrdata(origin, &rdata, mctx, &pubkey));
                dst_key_setttl(pubkey, keys.ttl);
 
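Review bot: The DNSKEY skipped at L30-31 is dropped silently, so dnssec-signzone will now emit a zone whose apex DNSKEY RRset still lists the unsupported algorithm but carries no RRSIGs made with it; a validator that does implement that algorithm will treat such a zone as bogus (RFC 4035 §2.2 requires signatures by every algorithm present in the DNSKEY RRset), so the drop should at least be visible to the operator, via a log message here or a count/flag returned to the caller, rather than nothing. The `goto skip` relies on the `skip:` label, which lies outside this hunk, tolerating `pubkey` still being NULL at that point; that holds only if the previous iteration freed and cleared it, which cannot be confirmed from the hunk. Index 3 is the algorithm field after flags (2 bytes) and protocol (1 byte) in the KEY/DNSKEY wire format, and a comment naming it would save the next reader a trip to the RFC: `/* flags(2) + protocol(1) + algorithm(1): byte 3 is the algorithm */`. The function body continues outside the hunk.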
index 50930b66d6e6fa718f511ce1bbe78d45554e1360..e60375e039c9fdb5b5fccfc53cde5a6a197a05f9 100644 (file)
@@ -274,7 +274,7 @@ dns_dnssec_findmatchingkeys(const dns_name_t *origin, const char *directory,
 /*%<
  * Search 'directory' for K* key files matching the name in 'origin'.
  * Append all such keys, along with use hints gleaned from their
- * metadata, onto 'keylist'.
+ * metadata, onto 'keylist'.  Skip any unsupported algorithms.
  *
  *     Requires:
  *\li          'keylist' is not NULL
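Review bot: The comment edited at L42 documents `dns_dnssec_findmatchingkeys` (it describes searching 'directory' for K* key files), while the code change in this commit is in `dns_dnssec_keylistfromrdataset`; unless findmatchingkeys also skips unsupported algorithms (not visible here), the new sentence is attached to the wrong prototype, and the description of `dns_dnssec_keylistfromrdataset` is the one that should say `Skip any DNSKEY whose algorithm is not supported by this build; no key is added and no error is returned for it.` If findmatchingkeys does skip them, the comment should also say whether it does so silently or with a log message, since operators rely on that difference when a key file fails to load.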
index 861e9094227bf53bfc06d8ab89353048279868a7..f30d69591bbb65b7be456df73f3a3bac49e774b6 100644 (file)
@@ -1811,8 +1811,17 @@ dns_nsec3_maxiterations(dns_db_t *db, dns_dbversion_t *version,
             result == ISC_R_SUCCESS;
             result = dns_rdataset_next(&rdataset)) {
                dns_rdata_t rdata = DNS_RDATA_INIT;
-
                dns_rdataset_current(&rdataset, &rdata);
+
+               /* Skip unsupported algorithms when
+                * calculating the maximum iterations.
+                */
+               REQUIRE(rdata.type == dns_rdatatype_key ||
+                       rdata.type == dns_rdatatype_dnskey);
+               REQUIRE(rdata.length > 3);
+               if (!dst_algorithm_supported(rdata.data[3]))
+                       continue;
+
                isc_buffer_init(&buffer, rdata.data, rdata.length);
                isc_buffer_add(&buffer, rdata.length);
                CHECK(dst_key_fromdns(dns_db_origin(db), rdataset.rdclass,
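Review bot: The two REQUIREs plus `dst_algorithm_supported(rdata.data[3])` at L57-60 are the same four lines added to dns_dnssec_keylistfromrdataset in lib/dns/dnssec.c in this commit; two copies of an offset-dependent check will drift, so they belong in one small helper (a `static inline bool` taking `const dns_rdata_t *` that performs the type and length checks and returns the `dst_algorithm_supported()` result), leaving this loop with `if (!dnskey_alg_supported(&rdata)) continue;`. REQUIRE is BIND's precondition macro for caller arguments; here it asserts on bytes read from a zone-derived rdata inside the loop, which reads as an internal invariant (INSIST) — the DNSKEY/KEY parsers presumably guarantee at least four bytes, but if that is ever not the case this aborts dnssec-signzone rather than skipping the record. The blank-line removal at L51 is unrelated whitespace churn. The enclosing loop and function continue outside the hunk.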