From: Ondřej Surý Date: Wed, 8 Jul 2026 08:47:47 +0000 (+0200) Subject: Size RRSIG rdata buffers by the maximum rdata length X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=a7716fa763b2f48a14dd5880ca7effac1eb02ab7;p=thirdparty%2Fbind9.git Size RRSIG rdata buffers by the maximum rdata length The buffers receiving the RRSIG rdata built by dns_dnssec_sign() were fixed-size arrays (1024 or 2048 octets), which is too small for post-quantum signatures. Use DNS_RDATA_MAXLENGTH sized buffers instead, which no RRSIG rdata can exceed by construction. Assisted-by: Claude:claude-fable-5 --- diff --git a/bin/dnssec/dnssec-ksr.c b/bin/dnssec/dnssec-ksr.c index 904debd5708..85db3cd3546 100644 --- a/bin/dnssec/dnssec-ksr.c +++ b/bin/dnssec/dnssec-ksr.c @@ -656,7 +656,7 @@ sign_rrset(ksr_ctx_t *ksr, isc_stdtime_t inception, isc_stdtime_t expiration, dns_rdata_t rdata = DNS_RDATA_INIT; dns_rdata_t *rrsig = NULL; isc_region_t rs; - unsigned char rdatabuf[SIG_FORMATSIZE]; + unsigned char rdatabuf[DNS_RDATA_MAXLENGTH]; isc_stdtime_t clockskew = inception - 3600; isc_stdtime_t pub = 0, act = 0, inact = 0, del = 0; diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c index a537e822431..7745993ddf6 100644 --- a/bin/dnssec/dnssec-signzone.c +++ b/bin/dnssec/dnssec-signzone.c @@ -106,7 +106,6 @@ static int nsec_datatype = dns_rdatatype_nsec; #define REVOKE(x) ((dst_key_flags(x) & DNS_KEYFLAG_REVOKE) != 0) -#define BUFSIZE 2048 #define MAXDSKEYS 8 #define SIGNER_EVENTCLASS ISC_EVENTCLASS(0x4453) @@ -270,7 +269,7 @@ signwithkey(dns_name_t *name, dns_rdataset_t *rdataset, dst_key_t *key, isc_stdtime_t jendtime, expiry; char keystr[DST_KEY_FORMATSIZE]; dns_rdata_t trdata = DNS_RDATA_INIT; - unsigned char array[BUFSIZE]; + unsigned char array[DNS_RDATA_MAXLENGTH]; isc_buffer_t b; dns_difftuple_t *tuple; diff --git a/lib/dns/update.c b/lib/dns/update.c index c8e6542d139..446415ea225 100644 --- a/lib/dns/update.c +++ b/lib/dns/update.c @@ -40,6 +40,7 @@ #include #include #include +#include #include #include #include @@ -970,7 +971,7 @@ add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db, dns_rdata_t sig_rdata = DNS_RDATA_INIT; dns_stats_t *dnssecsignstats = dns_zone_getdnssecsignstats(zone); isc_buffer_t buffer; - unsigned char data[1024]; /* XXX */ + unsigned char data[DNS_RDATA_MAXLENGTH]; unsigned int i; bool added_sig = false; bool use_kasp = false; diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 3d9ac836501..e5b2f397d8d 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -5728,7 +5728,7 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, dns_zone_t *zone, dns_stats_t *dnssecsignstats; dns_rdataset_t rdataset; dns_rdata_t sig_rdata = DNS_RDATA_INIT; - unsigned char data[1024]; /* XXX */ + unsigned char data[DNS_RDATA_MAXLENGTH]; isc_buffer_t buffer; unsigned int i; bool use_kasp = false; @@ -6420,7 +6420,7 @@ sign_a_node(dns_db_t *db, dns_zone_t *zone, dns_name_t *name, dns_stats_t *dnssecsignstats; bool offlineksk = false; isc_buffer_t buffer; - unsigned char data[1024]; + unsigned char data[DNS_RDATA_MAXLENGTH]; seen_t seen; if (zone->kasp != NULL) {