Skip revoked keys when selecting DNSKEY in the validation loop

Don't select revoked keys when iterating through DNSKEYs in the DNSSEC validation routines.
2026-05-27 20:25:55 -04:00 · 2023-11-22 16:59:03 +11:00 · 2023-11-22 16:59:03 +11:00 · 439e16e4de
commit 439e16e4de
parent 1b3b0cef22
1 changed files with 2 additions and 0 deletions
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@ -1144,6 +1144,8 @@ select_signing_key(dns_validator_t *val, dns_rdataset_t *rdataset) {
 				    (dns_secalg_t)dst_key_alg(val->key) &&
 			    siginfo->keyid ==
 				    (dns_keytag_t)dst_key_id(val->key) &&
+			    (dst_key_flags(val->key) & DNS_KEYFLAG_REVOKE) ==
+				    0 &&
 			    dst_key_iszonekey(val->key))
 			{
 				if (foundold) {