Update keyfetch_done compute_tag check
authorMatthijs Mekking <matthijs@isc.org>
Wed, 19 Dec 2018 17:47:43 +0000 (18:47 +0100)
committerEvan Hunt <each@isc.org>
Mon, 4 Feb 2019 23:08:38 +0000 (15:08 -0800)
If compute_tag() fails in keyfetch_done() (for example because the
key's algorithm is not supported), don't crash; instead log the
failure and ignore that key.

(cherry picked from commit b1d5411569ae10830b63f07560091193646cc739)
(cherry picked from commit 6095d95109915c62875170f11f645aa3dec67002)
(cherry picked from commit d02d2ae67c37462a81d8540df25a1a36c321c786)

lib/dns/include/dst/dst.h
lib/dns/zone.c

index 0a3e343e573c199d1d1c82d0cb14c2806aeee31b..6ba1e136affed9f83eae5b30004c134f5b8b0676 100644 (file)
@@ -70,8 +70,7 @@ typedef struct dst_context    dst_context_t;
 #define DST_ALG_HMACSHA512     165     /* XXXMPA */
 #define DST_ALG_INDIRECT       252
 #define DST_ALG_PRIVATE                254
-#define DST_ALG_EXPAND         255
-#define DST_MAX_ALGS           255
+#define DST_MAX_ALGS           256
 
 /*% A buffer of this size is large enough to hold any key */
 #define DST_KEY_MAXSIZE                1280
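Review bot: The new value of DST_MAX_ALGS carries no comment explaining why it is 256, and the only thing that makes 256 rather than 255 the right bound is that DNSKEY algorithm numbers are an 8-bit field (0..255); a one-line comment such as `#define DST_MAX_ALGS 256 /* algorithm numbers are 8-bit: 0..255 need 256 slots */` would stop the next reader from "correcting" it back. Dropping DST_ALG_EXPAND from a public header is also an interface change for any out-of-tree code that referenced it, which the commit message does not mention. Any table elsewhere declared with DST_MAX_ALGS elements and indexed by an algorithm byte is presumably only safe if its bounds checks use `< DST_MAX_ALGS` rather than `<=`; those sites are outside this hunk and should be checked together with this change.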
index d1f59168c61bca58019e002ff5b60ae9bc5fdc8d..3dcfc12ee9ed41534a34d15bbd55386a721a9fa4 100644 (file)
@@ -9500,6 +9500,17 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
 
                dns_keydata_todnskey(&keydata, &dnskey, NULL);
                result = compute_tag(keyname, &dnskey, mctx, &keytag);
+               if (result != ISC_R_SUCCESS) {
+                       /*
+                        * Skip if we cannot compute the key tag.
+                        * This may happen if the algorithm is unsupported
+                        */
+                       dns_zone_log(zone, ISC_LOG_ERROR,
+                               "Cannot compute tag for key in zone %s: %s "
+                               "(skipping)",
+                               namebuf, dns_result_totext(result));
+                       continue;
+               }
                RUNTIME_CHECK(result == ISC_R_SUCCESS);
 
                /*
@@ -9611,6 +9622,17 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
                        continue;
 
                result = compute_tag(keyname, &dnskey, mctx, &keytag);
+               if (result != ISC_R_SUCCESS) {
+                       /*
+                        * Skip if we cannot compute the key tag.
+                        * This may happen if the algorithm is unsupported
+                        */
+                       dns_zone_log(zone, ISC_LOG_ERROR,
+                               "Cannot compute tag for key in zone %s: %s "
+                               "(skipping)",
+                               namebuf, dns_result_totext(result));
+                       continue;
+               }
                RUNTIME_CHECK(result == ISC_R_SUCCESS);
 
                revoked = (dnskey.flags & DNS_KEYFLAG_REVOKE);
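Review bot: The `RUNTIME_CHECK(result == ISC_R_SUCCESS);` directly after the new `continue` (here, and likewise after the first compute_tag call in the earlier hunk) can no longer fail and should be removed, since an unreachable hard assertion hides the fact that this path was deliberately softened from abort to skip. The two new log messages are byte-identical, so an operator cannot tell whether the rejected key came from the stored keydata (first loop) or from the fetched DNSKEY RRset (second loop); `"Cannot compute tag for fetched DNSKEY in zone %s: %s (skipping)"` here and `"Cannot compute tag for managed key in zone %s: %s (skipping)"` in the first hunk would make the skip diagnosable. Because a key skipped in the first loop is presumably left in place and re-examined on every refresh, the ISC_LOG_ERROR line may repeat on each fetch; if so, consider a lower level or rate limiting so it does not drown out other zone errors. keyfetch_done begins and ends outside these hunks.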