Fail the DNSSEC validation if matching but invalid DNSKEY is found

If a matching but cryptographically invalid key was encountered during
the DNSSEC validation, the key would be just skipped and not counted
towards validation failures.  Treat such DNSSEC keys as hard failures
and fail the DNSSEC validation immediatelly instead of continuing the
DNSSEC validation with the next DNSKEYs in the RRset.

Co-authored-by: Matthijs Mekking <matthijs@isc.org>
(cherry picked from commit f00117a4226be90d1bc865aff19bddf114242914)

diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index 55138d25906d0637c02374add7d1b03a4c6b79a0..6c21d35e640ed4094ad8a44e6300d5f845135028 100644 (file)
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -435,6 +435,8 @@ fetch_callback_dnskey(isc_task_t *task, isc_event_t *event) {
                        result = select_signing_key(val, rdataset);
                        if (result == ISC_R_SUCCESS) {
                                val->keyset = &val->frdataset;
+                       } else {
+                               val->failed = true;
                        }
                }
                result = validate_answer(val, true);
@@ -1174,6 +1176,8 @@ select_signing_key(dns_validator_t *val, dns_rdataset_t *rdataset) {
                                goto done;
                        }
                        dst_key_free(&val->key);
+               } else {
+                       break;
                }
                dns_rdata_reset(&rdata);
                result = dns_rdataset_next(rdataset);
@@ -1291,13 +1295,15 @@ seek_dnskey(dns_validator_t *val) {
                                      "keyset with trust %s",
                                      dns_trust_totext(val->frdataset.trust));
                        result = select_signing_key(val, val->keyset);
-                       if (result != ISC_R_SUCCESS) {
+                       if (result == ISC_R_NOTFOUND) {
                                /*
-                                * Either the key we're looking for is not
-                                * in the rrset, or something bad happened.
-                                * Give up.
+                                * The key we're looking for is not
+                                * in the rrset
                                 */
                                result = DNS_R_CONTINUE;
+                       } else if (result != ISC_R_SUCCESS) {
+                               /* Something bad happened. Give up. */
+                               break;
                        }
                }
                break;
@@ -1417,7 +1423,7 @@ selfsigned_dnskey(dns_validator_t *val) {
                        result = dns_dnssec_keyfromrdata(name, &keyrdata, mctx,
                                                         &dstkey);
                        if (result != ISC_R_SUCCESS) {
-                               continue;
+                               return result;
                        }
 
                        /*
@@ -1688,10 +1694,7 @@ check_signer(dns_validator_t *val, dns_rdata_t *keyrdata, uint16_t keyid,
                                val->event->name, keyrdata, val->view->mctx,
                                &dstkey);
                        if (result != ISC_R_SUCCESS) {
-                               /*
-                                * This really shouldn't happen, but...
-                                */
-                               continue;
+                               return result;
                        }
                }
                result = verify(val, dstkey, &rdata, sig.keyid);