From 035289be713dba446db814845ec7f4a9d36be725 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Wed, 7 Aug 2024 16:57:45 +1000
Subject: [PATCH] Check key tag range when matching dnssec keys to kasp keys
---
 lib/dns/kasp.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/lib/dns/kasp.c b/lib/dns/kasp.c
index 03308b44b6..285ae0bb7f 100644
--- a/lib/dns/kasp.c
+++ b/lib/dns/kasp.c
@@ -544,6 +544,16 @@ dns_kasp_key_match(dns_kasp_key_t *key, dns_dnsseckey_t *dkey) {
 if (ret != ISC_R_SUCCESS || role != dns_kasp_key_zsk(key)) {
 return (false);
 }
+ /* Valid key tag range? */
+ uint16_t id = dst_key_id(dkey->key);
+ uint16_t rid = dst_key_rid(dkey->key);
+ if (id < key->tag_min || id > key->tag_max) {
+ return (false);
+ }
+ if (rid < key->tag_min || rid > key->tag_max) {
+ return (false);
+ }
+
 /* Found a match. */
 return (true);
 }
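Review bot: The new range test in dns_kasp_key_match rejects a key as soon as `id` or `rid` falls outside `key->tag_min`..`key->tag_max`, but nothing in the hunk shows what those bounds hold when the policy configures no tag range. If they could ever be left at 0 rather than the full 16-bit range, every existing key would stop matching its policy entry, so it is worth confirming the defaults where the kasp key is created and guarding the invariant here, e.g. `REQUIRE(key->tag_min <= key->tag_max);`. The comment `/* Valid key tag range? */` also does not say why `rid` is tested; something like `/* Both the key tag and the tag the key would have once revoked must lie in the policy's range. */` would make the intent clear. Narrowing a configured range will presumably make previously matching keys non-matching, and that operator-visible effect deserves a sentence in the function's header comment, which starts above the hunk.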