Fail DNSKEY validation when supported but invalid DS is found

A regression was introduced when adding the EDE code for unsupported DNSKEY and DS algorithms. When the parent has both supported and unsupported algorithm in the DS record, the validator would treat the supported DS algorithm as insecure when validating DNSKEY records instead of BOGUS. This has not security impact as the rest of the child zone correctly ends with BOGUS status, but it is incorrect and thus the regression has been fixed. (cherry picked from commit f983a64152)
2026-06-10 06:40:00 -04:00 · 2026-02-23 06:13:59 +01:00 · 2026-02-23 06:13:59 +01:00 · 585bf1bddc
commit 585bf1bddc
parent 06a671a0ef
2 changed files with 8 additions and 0 deletions
--- a/lib/dns/include/dns/validator.h
+++ b/lib/dns/include/dns/validator.h
@ -151,6 +151,7 @@ struct dns_validator {
 	bool	       digest_sha1;
 	uint8_t	       unsupported_algorithm;
 	uint8_t	       unsupported_digest;
+	uint8_t	       validation_attempts;
 	dns_rdata_t    rdata;
 	bool	       resume;
 	isc_counter_t *nvalidations;
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@ -2118,6 +2118,8 @@ validate_dnskey_dsset(dns_validator_t *val) {
 		return DNS_R_BADALG;
 	}

+	val->validation_attempts++;
+
 	/*
 	 * Find the DNSKEY matching the DS...
 	 */
@ -2189,6 +2191,11 @@ validate_dnskey_dsset_next_done(void *arg) {
 		return;
 	}

+	if (val->validation_attempts != 0) {
+		val->unsupported_algorithm = 0;
+		val->unsupported_digest = 0;
+	}
+
 	validate_dnskey_dsset_done(val, result);
 	return;
 }