From: Petr Špaček Date: Tue, 4 Jun 2024 16:41:44 +0000 (+0200) Subject: Require local KEYs for SIG(0) verification X-Git-Tag: v9.20.0~7^2 X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=9370acd3a798b266bcb62d476ef1969934eabeb8;p=thirdparty%2Fbind9.git Require local KEYs for SIG(0) verification This is additional hardening. There is no known use-case for KEY RRs from DNS cache and it potentially allows attackers to put weird keys into cache. --- diff --git a/lib/dns/message.c b/lib/dns/message.c index 97ff5ecf18a..fe8e05c0a00 100644 --- a/lib/dns/message.c +++ b/lib/dns/message.c @@ -3323,11 +3323,9 @@ dns_message_checksig(dns_message_t *msg, dns_view_t *view) { 0, false, &keyset, NULL); if (result != ISC_R_SUCCESS) { - /* XXXBEW Should possibly create a fetch here */ result = DNS_R_KEYUNAUTHORIZED; goto freesig; - } else if (keyset.trust < dns_trust_secure) { - /* XXXBEW Should call a validator here */ + } else if (keyset.trust < dns_trust_ultimate) { result = DNS_R_KEYUNAUTHORIZED; goto freesig; }
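Review bot: the tightened check `} else if (keyset.trust < dns_trust_ultimate) {` in dns_message_checksig() loses both XXXBEW comments and gets no replacement, so the reason for requiring ultimate trust is recorded only in the commit message. Suggest a short comment above the branch stating that SIG(0) KEYs must come from local data and that KEY RRs from the DNS cache are rejected on purpose, so a later reader does not relax it back to dns_trust_secure. Both failure branches also return the same DNS_R_KEYUNAUTHORIZED; if operators need to tell "no KEY found" apart from "KEY found but not local", a log line in the second branch would make that visible. The diff as shown touches only lib/dns/message.c, so a test that a cached KEY is refused would be worth adding alongside it.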