From: Matthijs Mekking
Date: Tue, 18 Dec 2018 11:14:04 +0000 (+0100)
Subject: Allow unsupported alg in zone /w dnssec-signzone
X-Git-Tag: v9.11.6rc1~74^2~3
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=040e132f1692ce8bb1ac83032ee761b3278f0272;p=thirdparty%2Fbind9.git

Allow unsupported alg in zone /w dnssec-signzone

dnssec-signzone should sign a zonefile that contains a DNSKEY record with an unsupported algorithm. Current behavior is that it will fail, hitting a fatal error.

The fix detects unsupported algorithms and will not try to add it to the keylist.

Also when determining the maximum iterations for NSEC3, don't take into account DNSKEY records in the zonefile with an unsupported algorithm.

(cherry picked from commit 1dd11fc754baf396bb3040527087b14f0678dd83)
---
diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c
index d12ae7e0ab9..b7afce1a73f 100644
--- a/lib/dns/dnssec.c
+++ b/lib/dns/dnssec.c
@@ -1685,6 +1685,14 @@ dns_dnssec_keylistfromrdataset(dns_name_t *origin,
 result = dns_rdataset_next(&keys)) {
 dns_rdata_reset(&rdata);
 dns_rdataset_current(&keys, &rdata);
+
+ /* Skip unsupported algorithms */
+ REQUIRE(rdata.type == dns_rdatatype_key ||
+ rdata.type == dns_rdatatype_dnskey);
+ REQUIRE(rdata.length > 3);
+ if (!dst_algorithm_supported(rdata.data[3]))
+ goto skip;
+
 RETERR(dns_dnssec_keyfromrdata(origin, &rdata, mctx, &pubkey));
 dst_key_setttl(pubkey, keys.ttl);
diff --git a/lib/dns/include/dns/dnssec.h b/lib/dns/include/dns/dnssec.h
index 0b6369c50da..3aaeaf5d8f8 100644
--- a/lib/dns/include/dns/dnssec.h
+++ b/lib/dns/include/dns/dnssec.h
@@ -301,7 +301,7 @@ dns_dnssec_findmatchingkeys2(dns_name_t *origin, const char *directory,
 /*%<
 * Search 'directory' for K* key files matching the name in 'origin'.
 * Append all such keys, along with use hints gleaned from their
- * metadata, onto 'keylist'.
+ * metadata, onto 'keylist'. Skip any unsupported algorithms.
 *
 * Requires:
 *\li 'keylist' is not NULL
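Review bot: The new skip in dns_dnssec_keylistfromrdataset says what it does but not why `rdata.data[3]` is the right byte, nor why a REQUIRE (an abort, not an error return) is acceptable on data that originated in a zone file; both belong in the comment so the next reader does not wonder whether a short DNSKEY can take the process down. Presumably the rdataset was built by the rdata parser, which already rejects RDATA shorter than the fixed fields, so the REQUIREs are invariants rather than input validation — confirm. Suggested: `/* Byte 3 of DNSKEY/KEY RDATA is the algorithm (RFC 4034 2.1). A key this build cannot use is left out of the keylist instead of failing the whole call. */`. A key dropped this way is invisible to the operator; if the caller has any reporting path, a notice naming the algorithm number would help explain why the zone carries no RRSIGs from it. The same four-line block appears in dns_nsec3_maxiterations in lib/dns/nsec3.c, and the `skip:` label and the loop head are outside this hunk, so whether pubkey is still NULL on that path cannot be checked here.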
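Review bot: The sentence added at line 301 documents dns_dnssec_findmatchingkeys2, which reads K* key files from 'directory', but the code in this commit that skips unsupported algorithms is dns_dnssec_keylistfromrdataset, whose own header comment is not touched. If findmatchingkeys2 already skips such keys (for instance because loading the key file fails for an unknown algorithm and the loop continues), the sentence is accurate but unrelated to this change; either way the comment on dns_dnssec_keylistfromrdataset should gain `Keys whose algorithm is not supported by this build are skipped rather than causing an error.` so callers know the returned keylist can be shorter than the DNSKEY RRset.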
diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c
index a9d5cbada2b..978d03c7839 100644
--- a/lib/dns/nsec3.c
+++ b/lib/dns/nsec3.c
@@ -1804,8 +1804,17 @@ dns_nsec3_maxiterations(dns_db_t *db, dns_dbversion_t *version,
 result == ISC_R_SUCCESS;
 result = dns_rdataset_next(&rdataset)) {
 dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdataset_current(&rdataset, &rdata);
+
+ /* Skip unsupported algorithms when
+ * calculating the maximum iterations.
+ */
+ REQUIRE(rdata.type == dns_rdatatype_key ||
+ rdata.type == dns_rdatatype_dnskey);
+ REQUIRE(rdata.length > 3);
+ if (!dst_algorithm_supported(rdata.data[3]))
+ continue;
+
 isc_buffer_init(&buffer, rdata.data, rdata.length);
 isc_buffer_add(&buffer, rdata.length);
 CHECK(dst_key_fromdns(dns_db_origin(db), rdataset.rdclass,
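Review bot: As this hunk reads, the removed `dns_rdataset_current(&rdataset, &rdata);` is never re-added, so `rdata` is still the zero-initialised DNS_RDATA_INIT when the new `REQUIRE(rdata.type == dns_rdatatype_key || ...)` runs and the assertion fires on the first key of every zone; had the REQUIREs not caught it, `rdata.data[3]` would read through a NULL pointer. The hunk counts (8 old, 17 new) agree with this reading, though a line lost in rendering cannot be ruled out from here. Restore the call before the checks, i.e. `dns_rdataset_current(&rdataset, &rdata);` immediately after the `dns_rdata_t rdata = DNS_RDATA_INIT;` line. The `continue` itself is fine, since nothing after it in the hunk uses the key before the dst_key_fromdns call; the body of dns_nsec3_maxiterations continues outside the hunk.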