Update keyfetch_done compute_tag check

If in keyfetch_done the compute_tag fails (because for example the
algorithm is not supported), don't crash, but instead ignore the
key.

diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
index 2e7f643c28fb20c16107c3bcc08f3199fe48b6c2..3146d88cb9229c2b88292e209c5b9f912758b5ae 100644 (file)
--- a/lib/dns/include/dst/dst.h
+++ b/lib/dns/include/dst/dst.h
@@ -70,8 +70,7 @@ typedef struct dst_context    dst_context_t;
 #define DST_ALG_HMACSHA512     165     /* XXXMPA */
 #define DST_ALG_INDIRECT       252
 #define DST_ALG_PRIVATE                254
-#define DST_ALG_EXPAND         255
-#define DST_MAX_ALGS           255
+#define DST_MAX_ALGS           256
 
 /*% A buffer of this size is large enough to hold any key */
 #define DST_KEY_MAXSIZE                1280

diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index fd18e512730fb655b7ccca2e04d1012a00ad25a6..f2087658c8ab7c04b1f371272f54bc674c519c6f 100644 (file)
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -9653,6 +9653,17 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
 
                dns_keydata_todnskey(&keydata, &dnskey, NULL);
                result = compute_tag(keyname, &dnskey, mctx, &keytag);
+               if (result != ISC_R_SUCCESS) {
+                       /*
+                        * Skip if we cannot compute the key tag.
+                        * This may happen if the algorithm is unsupported
+                        */
+                       dns_zone_log(zone, ISC_LOG_ERROR,
+                               "Cannot compute tag for key in zone %s: %s "
+                               "(skipping)",
+                               namebuf, dns_result_totext(result));
+                       continue;
+               }
                RUNTIME_CHECK(result == ISC_R_SUCCESS);
 
                /*
@@ -9766,6 +9777,17 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
                }
 
                result = compute_tag(keyname, &dnskey, mctx, &keytag);
+               if (result != ISC_R_SUCCESS) {
+                       /*
+                        * Skip if we cannot compute the key tag.
+                        * This may happen if the algorithm is unsupported
+                        */
+                       dns_zone_log(zone, ISC_LOG_ERROR,
+                               "Cannot compute tag for key in zone %s: %s "
+                               "(skipping)",
+                               namebuf, dns_result_totext(result));
+                       continue;
+               }
                RUNTIME_CHECK(result == ISC_R_SUCCESS);
 
                revoked = ((dnskey.flags & DNS_KEYFLAG_REVOKE) != 0);