]> git.ipfire.org Git - thirdparty/bind9.git/commitdiff
projects / thirdparty / bind9.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 1b3b0ce)
Skip revoked keys when selecting DNSKEY in the validation loop
authorMark Andrews <marka@isc.org>
Wed, 22 Nov 2023 05:59:03 +0000 (16:59 +1100)
committerMichał Kępień <michal@isc.org>
Thu, 1 Feb 2024 20:47:29 +0000 (21:47 +0100)
Don't select revoked keys when iterating through DNSKEYs in the DNSSEC
validation routines.

lib/dns/validator.c patch | blob | blame | history

diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index 56a0ced7b7580ff5e8f0c41a91c262c7de279f30..7ae0b3c49cef2042564ce01e8843915b9a51cfd3 100644 (file)
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -1144,6 +1144,8 @@ select_signing_key(dns_validator_t *val, dns_rdataset_t *rdataset) {
                                    (dns_secalg_t)dst_key_alg(val->key) &&
                            siginfo->keyid ==
                                    (dns_keytag_t)dst_key_id(val->key) &&
+                           (dst_key_flags(val->key) & DNS_KEYFLAG_REVOKE) ==
+                                   0 &&
                            dst_key_iszonekey(val->key))
                        {
                                if (foundold) {
Mirror of https://gitlab.isc.org/isc-projects/bind9.git