From: Mark Andrews
Date: Wed, 22 Nov 2023 05:59:03 +0000 (+1100)
Subject: Skip revoked keys when selecting DNSKEY in the validation loop
X-Git-Tag: v9.16.48~5^2~4
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=751b7cc4750ede6d8c5232751d60aad8ad84aa67;p=thirdparty%2Fbind9.git

Skip revoked keys when selecting DNSKEY in the validation loop

Don't select revoked keys when iterating through DNSKEYs in the DNSSEC validation routines.

(cherry picked from commit 439e16e4de525599bbb5a31575211d06cc3e2fbb)
---

diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index 6cf717f8702..8bec8fed6c5 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -1144,6 +1144,8 @@ select_signing_key(dns_validator_t *val, dns_rdataset_t *rdataset) {
 (dns_secalg_t)dst_key_alg(val->key) &&
 siginfo->keyid == (dns_keytag_t)dst_key_id(val->key) &&
+ (dst_key_flags(val->key) & DNS_KEYFLAG_REVOKE) ==
+ 0 &&
 dst_key_iszonekey(val->key)) {
 if (foundold) {