- Fix that signatures are not allowed with revoked dnskeys.

  Thanks to Qifan Zhang, Palo Alto Networks for the report.

diff --git a/doc/Changelog b/doc/Changelog
index 52515a33e8179cf2e4c4c46293bf5d6f946b3f2e..23a65d2aeb3638f390d10690835d5edac87b7cb9 100644 (file)
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -32,6 +32,8 @@
          upstream connections. Thanks to TaoFei Guo from Peking
          University and JianJun Chen from Tsinghua University for
          the report.
+       - Fix that signatures are not allowed with revoked dnskeys.
+         Thanks to Qifan Zhang, Palo Alto Networks for the report.
 
 20 April 2026: Wouter
        - Fix compile warnings for thread setname routine, and test compile.

diff --git a/testdata/test_sigs.revoked b/testdata/test_sigs.revoked
index bcf6e159ca8e41188883c94ca3832ad934b3d741..66382ea03d7ce62fb8742477ebd5ad14f8f3c099 100644 (file)
--- a/testdata/test_sigs.revoked
+++ b/testdata/test_sigs.revoked
@@ -15,10 +15,29 @@ ENTRY_END
 ; entry to test
 ENTRY_BEGIN
 SECTION QUESTION
-secure.example.com.       IN      SOA
+bogus.example.com.       IN      SOA
 SECTION ANSWER
+; The REVOKE key is not allowed to sign other data
 example.com.  43200   IN      SOA     home.kuroiwa.eng.br. hostmaster.cesar.sec3.br. 2008040903 86400 86400 8640000 600
 example.com.   43200   IN      RRSIG   SOA 5 2 43200 20081010000000 20080410122550 31027 example.com. af7nqRak6cEeQLytqLHMIUKPsOECA4Cu/Zpm7vdnKSh2q2+/8ZwIxwHLyCEGdiu/mTYffZEHTZytJyzxnB0oxA== ;{id = 31027}
 ENTRY_END
 
+; entry to test
+ENTRY_BEGIN
+SECTION QUESTION
+bogus.a.example.com.       IN      DNSKEY
+SECTION ANSWER
+a.example.com. 3600    IN      DNSKEY  384 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3
+a.example.com. 3600    IN      RRSIG   DNSKEY 5 3 3600 20081010000000 20080410122550 31027 example.com. MdkvlzXlNEUrnk7jTXZ0whEjYLp1bGjOevL4yyzWAl+/LgaQqbFVApXbAQhHvouFQeoMp2+NvEGTLW8unBzJEw==
+ENTRY_END
+
+; entry to test
+ENTRY_BEGIN
+SECTION QUESTION
+secure.example.com.       IN      DNSKEY
+SECTION ANSWER
+; the REVOKE key can sign itself
+example.com.   3600    IN      DNSKEY  384 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 31027 (zsk), size = 512b}
+example.com.   3600    IN      RRSIG   DNSKEY 5 2 3600 20081010000000 20080410122550 31027 example.com. NEEY7W2F0XGUo9pVhiLALoz1ToM1gIS4TwUvVBPlIQMF+ZRGtB7PMthV0BN+aR+AEurxYsMfVmXEH2vKUVepgw==
+ENTRY_END
 

diff --git a/validator/val_sigcrypt.c b/validator/val_sigcrypt.c
index 86de6fb8e80f73886e5c9f3c2df1e83ef8450119..9f27f9cc9bb7338d4d97140a605e8cf3132aff82 100644 (file)
--- a/validator/val_sigcrypt.c
+++ b/validator/val_sigcrypt.c
@@ -1570,6 +1570,18 @@ dnskey_verify_rrset_sig(struct regional* region, sldns_buffer* buf,
                        *reason_bogus = LDNS_EDE_NO_ZONE_KEY_BIT_SET;
                return sec_status_bogus; 
        }
+       if((dnskey_get_flags(dnskey, dnskey_idx) & LDNS_KEY_REVOKE_KEY) &&
+               /* The REVOKE key is allowed to check sigs on itself. */
+               !(ntohs(rrset->rk.type) == LDNS_RR_TYPE_DNSKEY &&
+                 query_dname_compare(rrset->rk.dname, dnskey->rk.dname)==0)
+               ) {
+               verbose(VERB_QUERY, "verify: dnskey has REVOKE bit set, "
+                       "not usable for data validation per RFC 5011 s2.1");
+               *reason = "dnskey revoked";
+               if(reason_bogus)
+                       *reason_bogus = LDNS_EDE_DNSKEY_MISSING;
+               return sec_status_bogus;
+       }
 
        if(dnskey_get_protocol(dnskey, dnskey_idx) != LDNS_DNSSEC_KEYPROTO) { 
                /* RFC 4034 says DNSKEY PROTOCOL MUST be 3 */