Require local KEYs for SIG(0) verification
authorPetr Špaček <pspacek@isc.org>
Tue, 4 Jun 2024 16:41:44 +0000 (18:41 +0200)
committerNicki Křížek <nicki@isc.org>
Mon, 10 Jun 2024 15:36:45 +0000 (17:36 +0200)
This is additional hardening. There is no known use-case for KEY RRs
from DNS cache, and accepting them potentially allows attackers to put
weird keys into cache.

lib/dns/message.c

index 97ff5ecf18a505ea98c260d12aa15c288f8702ae..fe8e05c0a00e4fc46f429279fe561b5858e6cf96 100644 (file)
@@ -3323,11 +3323,9 @@ dns_message_checksig(dns_message_t *msg, dns_view_t *view) {
                                             0, false, &keyset, NULL);
 
                if (result != ISC_R_SUCCESS) {
-                       /* XXXBEW Should possibly create a fetch here */
                        result = DNS_R_KEYUNAUTHORIZED;
                        goto freesig;
-               } else if (keyset.trust < dns_trust_secure) {
-                       /* XXXBEW Should call a validator here */
+               } else if (keyset.trust < dns_trust_ultimate) {
                        result = DNS_R_KEYUNAUTHORIZED;
                        goto freesig;
                }
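Review bot: The `keyset.trust < dns_trust_ultimate` check now carries the whole security decision but has no comment, because the two XXXBEW comments were removed and the rationale lives only in the commit message. A short comment above the `else if` would keep the threshold from being relaxed later, e.g. `/* SIG(0) keys must be locally authoritative (dns_trust_ultimate); KEY RRsets learned from cache, even validated ones, are rejected. */`. Both branches now have the same body, so they could be folded into `if (result != ISC_R_SUCCESS || keyset.trust < dns_trust_ultimate) {`, which is safe because short-circuit evaluation reads the trust field only after a successful lookup. Both failure causes return DNS_R_KEYUNAUTHORIZED, so if nothing outside this hunk logs the reason, operators who relied on cached keys would have no way to tell why SIG(0) verification started failing. The body of dns_message_checksig begins and ends outside the hunk.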