From: W.C.A. Wijngaards Date: Tue, 21 Apr 2026 11:07:34 +0000 (+0200) Subject: - Fix that signatures are not allowed with revoked dnskeys. X-Git-Tag: release-1.25.0rc1~4 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=c112bcf2fdef000abda7e607f2f70fe08d1a33c6;p=thirdparty%2Funbound.git - Fix that signatures are not allowed with revoked dnskeys. Thanks to Qifan Zhang, Palo Alto Networks for the report. --- diff --git a/doc/Changelog b/doc/Changelog index 52515a33e..23a65d2ae 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -32,6 +32,8 @@ upstream connections. Thanks to TaoFei Guo from Peking University and JianJun Chen from Tsinghua University for the report. + - Fix that signatures are not allowed with revoked dnskeys. + Thanks to Qifan Zhang, Palo Alto Networks for the report. 20 April 2026: Wouter - Fix compile warnings for thread setname routine, and test compile. diff --git a/testdata/test_sigs.revoked b/testdata/test_sigs.revoked index bcf6e159c..66382ea03 100644 --- a/testdata/test_sigs.revoked +++ b/testdata/test_sigs.revoked 
@@ -15,10 +15,29 @@ ENTRY_END ; entry to test ENTRY_BEGIN SECTION QUESTION -secure.example.com. IN SOA +bogus.example.com. IN SOA SECTION ANSWER +; The REVOKE key is not allowed to sign other data example.com. 43200 IN SOA home.kuroiwa.eng.br. hostmaster.cesar.sec3.br. 2008040903 86400 86400 8640000 600 example.com. 43200 IN RRSIG SOA 5 2 43200 20081010000000 20080410122550 31027 example.com. af7nqRak6cEeQLytqLHMIUKPsOECA4Cu/Zpm7vdnKSh2q2+/8ZwIxwHLyCEGdiu/mTYffZEHTZytJyzxnB0oxA== ;{id = 31027} ENTRY_END +; entry to test +ENTRY_BEGIN +SECTION QUESTION +bogus.a.example.com. IN DNSKEY +SECTION ANSWER +a.example.com. 3600 IN DNSKEY 384 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 +a.example.com. 3600 IN RRSIG DNSKEY 5 3 3600 20081010000000 20080410122550 31027 example.com. MdkvlzXlNEUrnk7jTXZ0whEjYLp1bGjOevL4yyzWAl+/LgaQqbFVApXbAQhHvouFQeoMp2+NvEGTLW8unBzJEw== +ENTRY_END + +; entry to test +ENTRY_BEGIN +SECTION QUESTION +secure.example.com. IN DNSKEY +SECTION ANSWER +; the REVOKE key can sign itself +example.com. 3600 IN DNSKEY 384 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 31027 (zsk), size = 512b} +example.com. 3600 IN RRSIG DNSKEY 5 2 3600 20081010000000 20080410122550 31027 example.com. NEEY7W2F0XGUo9pVhiLALoz1ToM1gIS4TwUvVBPlIQMF+ZRGtB7PMthV0BN+aR+AEurxYsMfVmXEH2vKUVepgw== +ENTRY_END diff --git a/validator/val_sigcrypt.c b/validator/val_sigcrypt.c index 86de6fb8e..9f27f9cc9 100644 --- a/validator/val_sigcrypt.c +++ b/validator/val_sigcrypt.c 
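Review bot: The three added entries pin a revoked key signing an SOA (expected bogus), signing a DNSKEY RRset at a different owner, a.example.com (expected bogus), and signing the DNSKEY RRset at its own name, example.com (expected secure), but none of them covers a DNSKEY RRset at example.com signed by key 31027 that does not itself contain that revoked key. RFC 5011 s2.1 exempts only the signature over the DNSKEY RRset that carries the revoked key, while the check added in val_sigcrypt.c below keys its exemption on owner name and RRtype alone, so an entry like `bogus.example.com. IN DNSKEY` whose ANSWER holds a different example.com key plus an RRSIG by 31027 would document whether accepting that case is intended. All three entries also reuse the same 512-bit RSASHA1 key with flags 384 (ZSK+REVOKE); a 385 (KSK+REVOKE) variant would show the flag test is not tied to the ZSK case, if the harness can sign it. Expected outcomes appear to be encoded only in the `secure.`/`bogus.` question prefix; a per-entry comment such as `; expected bogus: signer 31027 is revoked and this is not its own DNSKEY RRset` would make each case self-explaining.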
@@ -1570,6 +1570,18 @@ dnskey_verify_rrset_sig(struct regional* region, sldns_buffer* buf,
 *reason_bogus = LDNS_EDE_NO_ZONE_KEY_BIT_SET;
 return sec_status_bogus;
 }
+ if((dnskey_get_flags(dnskey, dnskey_idx) & LDNS_KEY_REVOKE_KEY) &&
+ /* The REVOKE key is allowed to check sigs on itself. */
+ !(ntohs(rrset->rk.type) == LDNS_RR_TYPE_DNSKEY &&
+ query_dname_compare(rrset->rk.dname, dnskey->rk.dname)==0)
+ ) {
+ verbose(VERB_QUERY, "verify: dnskey has REVOKE bit set, "
+ "not usable for data validation per RFC 5011 s2.1");
+ *reason = "dnskey revoked";
+ if(reason_bogus)
+ *reason_bogus = LDNS_EDE_DNSKEY_MISSING;
+ return sec_status_bogus;
+ }
 if(dnskey_get_protocol(dnskey, dnskey_idx) != LDNS_DNSSEC_KEYPROTO) {
 /* RFC 4034 says DNSKEY PROTOCOL MUST be 3 */