]> git.ipfire.org Git - thirdparty/bind9.git/commitdiff
projects / thirdparty / bind9.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: c12608c)
Skip revoked keys when selecting DNSKEY in the validation loop
authorMark Andrews <marka@isc.org>
Wed, 22 Nov 2023 05:59:03 +0000 (16:59 +1100)
committerMichał Kępień <michal@isc.org>
Thu, 1 Feb 2024 20:51:07 +0000 (21:51 +0100)
Don't select revoked keys when iterating through DNSKEYs in the DNSSEC
validation routines.

(cherry picked from commit 439e16e4de525599bbb5a31575211d06cc3e2fbb)

lib/dns/validator.c patch | blob | blame | history

diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index 6cf717f870293ea057ecf6f3a715599d9c2fcd0c..8bec8fed6c5334012ef6e74cd5971715ef3c5d98 100644 (file)
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -1144,6 +1144,8 @@ select_signing_key(dns_validator_t *val, dns_rdataset_t *rdataset) {
                                    (dns_secalg_t)dst_key_alg(val->key) &&
                            siginfo->keyid ==
                                    (dns_keytag_t)dst_key_id(val->key) &&
+                           (dst_key_flags(val->key) & DNS_KEYFLAG_REVOKE) ==
+                                   0 &&
                            dst_key_iszonekey(val->key))
                        {
                                if (foundold) {
Mirror of https://gitlab.isc.org/isc-projects/bind9.git