Allow unsupported alg in zone /w dnssec-signzone

dnssec-signzone should sign a zonefile that contains a DNSKEY record with an unsupported algorithm. Current behavior is that it will fail, hitting a fatal error. The fix detects unsupported algorithms and will not try to add it to the keylist. Also when determining the maximum iterations for NSEC3, don't take into account DNSKEY records in the zonefile with an unsupported algorithm.
2026-05-28 04:34:54 -04:00 · 2018-12-18 12:14:04 +01:00 · 2018-12-18 12:14:04 +01:00 · 1dd11fc754
commit 1dd11fc754
parent 6d976b37c1
3 changed files with 19 additions and 2 deletions
--- a/lib/dns/dnssec.c
+++ b/lib/dns/dnssec.c
@ -1622,6 +1622,14 @@ dns_dnssec_keylistfromrdataset(const dns_name_t *origin,
 	     result = dns_rdataset_next(&keys)) {
 		dns_rdata_reset(&rdata);
 		dns_rdataset_current(&keys, &rdata);
+
+		/* Skip unsupported algorithms */
+		REQUIRE(rdata.type == dns_rdatatype_key ||
+			rdata.type == dns_rdatatype_dnskey);
+		REQUIRE(rdata.length > 3);
+		if (!dst_algorithm_supported(rdata.data[3]))
+			goto skip;
+
 		RETERR(dns_dnssec_keyfromrdata(origin, &rdata, mctx, &pubkey));
 		dst_key_setttl(pubkey, keys.ttl);

--- a/lib/dns/include/dns/dnssec.h
+++ b/lib/dns/include/dns/dnssec.h
@ -274,7 +274,7 @@ dns_dnssec_findmatchingkeys(const dns_name_t *origin, const char *directory,
 /*%<
 * Search 'directory' for K* key files matching the name in 'origin'.
 * Append all such keys, along with use hints gleaned from their
- * metadata, onto 'keylist'.
+ * metadata, onto 'keylist'.  Skip any unsupported algorithms.
 *
 *	Requires:
 *\li		'keylist' is not NULL
--- a/lib/dns/nsec3.c
+++ b/lib/dns/nsec3.c
@ -1811,8 +1811,17 @@ dns_nsec3_maxiterations(dns_db_t *db, dns_dbversion_t *version,
 	     result == ISC_R_SUCCESS;
 	     result = dns_rdataset_next(&rdataset)) {
 		dns_rdata_t rdata = DNS_RDATA_INIT;
-
 		dns_rdataset_current(&rdataset, &rdata);
+
+		/* Skip unsupported algorithms when
+		 * calculating the maximum iterations.
+		 */
+		REQUIRE(rdata.type == dns_rdatatype_key ||
+			rdata.type == dns_rdatatype_dnskey);
+		REQUIRE(rdata.length > 3);
+		if (!dst_algorithm_supported(rdata.data[3]))
+			continue;
+
 		isc_buffer_init(&buffer, rdata.data, rdata.length);
 		isc_buffer_add(&buffer, rdata.length);
 		CHECK(dst_key_fromdns(dns_db_origin(db), rdataset.rdclass,