From 439e16e4de525599bbb5a31575211d06cc3e2fbb Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 22 Nov 2023 16:59:03 +1100 Subject: [PATCH] Skip revoked keys when selecting DNSKEY in the validation loop Don't select revoked keys when iterating through DNSKEYs in the DNSSEC validation routines. --- lib/dns/validator.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lib/dns/validator.c b/lib/dns/validator.c index 56a0ced7b7..7ae0b3c49c 100644 --- a/lib/dns/validator.c +++ b/lib/dns/validator.c @@ -1144,6 +1144,8 @@ select_signing_key(dns_validator_t *val, dns_rdataset_t *rdataset) { (dns_secalg_t)dst_key_alg(val->key) && siginfo->keyid == (dns_keytag_t)dst_key_id(val->key) && + (dst_key_flags(val->key) & DNS_KEYFLAG_REVOKE) == + 0 && dst_key_iszonekey(val->key)) { if (foundold) {
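Review bot: The added `DNS_KEYFLAG_REVOKE` test drops revoked keys without recording why, and RFC 5011 §2.1 permits exactly one use of a revoked key — validating its own signature over the DNSKEY RRset so the revocation can be verified — so a one-line comment above the new lines, `/* RFC 5011 2.1: a revoked key validates nothing; its self-signed revocation is checked by the trust-anchor code, not here. */`, would document the intent and the assumption it rests on. Because the key tag is computed over the DNSKEY RDATA including the flags field, setting REVOKE changes the tag, so the `siginfo->keyid` comparison on the line just above already rejects RRSIGs made before revocation; the only signatures the new check removes are ones the key produced after being revoked, which is presumably the RFC 5011 self-signature case. It is worth confirming that the managed-keys refresh path verifies a revoked key's DNSKEY RRset signature through some route other than select_signing_key, since otherwise valid revocations would no longer be accepted after this change. select_signing_key's body begins and ends outside this hunk.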