upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-06-09 10:32:13 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

fix: dev: handle KSR files with DNSKEY records before any header

Browse source 
A DNSKEY record appearing before the first ';; KeySigningRequest'
header in a KSR file made dnssec-ksr abort on an internal assertion
instead of producing a structured error, killing pipelines that
fed it crafted or corrupted input.  The tool now exits with a
fatal error naming the file and line.

Closes #5914

Merge branch '5914-dnssec-ksr-rdatalist-null-insist' into 'main'

See merge request isc-projects/bind9!11916
This commit is contained in:
Ondřej Surý 2026-05-05 21:06:43 +02:00
commit 55213079c6
2 changed files with 22 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
bin/dnssec/dnssec-ksr.c
View file

@ -1244,7 +1244,11 @@ sign(ksr_ctx_t *ksr) {
isc_region_t r;
u_char rdatabuf[DST_KEY_MAXSIZE];
INSIST(rdatalist != NULL);
if (rdatalist == NULL) {
fatal("bad KSR file %s(%lu): DNSKEY record "
"before ';; KeySigningRequest' header",
ksr->file, isc_lex_getsourceline(lex));
}
rdata = isc_mem_get(isc_g_mctx, sizeof(*rdata));
dns_rdata_init(rdata);
@ -1261,7 +1265,7 @@ sign(ksr_ctx_t *ksr) {
isc_buffer_usedregion(newbuf, &r);
dns_rdata_fromregion(rdata, dns_rdataclass_in,
dns_rdatatype_dnskey, &r);
if (rdatalist != NULL && ttl < rdatalist->ttl) {
if (ttl < rdatalist->ttl) {
rdatalist->ttl = ttl;
}

16
bin/tests/system/ksr/tests_ksr.py
View file

@ -651,6 +651,22 @@ def test_ksr_errors():
)
assert "dnssec-ksr: fatal: 'sign' requires a KSR file" in cmd.err
# check that 'dnssec-ksr sign' rejects a KSR whose first record
# is a DNSKEY without a preceding ';; KeySigningRequest' header,
# rather than aborting on an INSIST assertion
bad_ksr = "common.test.bad.ksr"
with open(bad_ksr, "w", encoding="utf-8") as f:
f.write(". 3600 IN DNSKEY 257 3 8 AwEAAa==\n")
cmd = ksr(
"common.test",
"common",
"sign",
options=f"-K ns1/offline -f {bad_ksr} -i now -e +1y",
raise_on_exception=False,
)
assert cmd.rc == 1
assert "DNSKEY record before ';; KeySigningRequest' header" in cmd.err
def test_ksr_common(ns1):
# common test cases (1)