From 585bf1bddc0ab180c5cc75fa54895bad40ade8b3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?=
Date: Mon, 23 Feb 2026 06:13:59 +0100
Subject: [PATCH] Fail DNSKEY validation when supported but invalid DS is found

A regression was introduced when adding the EDE code for unsupported DNSKEY and DS algorithms. When the parent has both supported and unsupported algorithm in the DS record, the validator would treat the supported DS algorithm as insecure when validating DNSKEY records instead of BOGUS. This has not security impact as the rest of the child zone correctly ends with BOGUS status, but it is incorrect and thus the regression has been fixed.

(cherry picked from commit f983a6415293bf26e5001b44a202a618f60dbf34)
---
 lib/dns/include/dns/validator.h | 1 +
 lib/dns/validator.c | 7 +++++++
 2 files changed, 8 insertions(+)

diff --git a/lib/dns/include/dns/validator.h b/lib/dns/include/dns/validator.h
index 445279a9eb..362e7e7e3f 100644
--- a/lib/dns/include/dns/validator.h
+++ b/lib/dns/include/dns/validator.h
@@ -151,6 +151,7 @@ struct dns_validator {
 bool digest_sha1;
 uint8_t unsupported_algorithm;
 uint8_t unsupported_digest;
+ uint8_t validation_attempts;
 dns_rdata_t rdata;
 bool resume;
 isc_counter_t *nvalidations;
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index 26cc6e4a5c..0cd2cfb6c2 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -2118,6 +2118,8 @@ validate_dnskey_dsset(dns_validator_t *val) {
 return DNS_R_BADALG;
 }
 
+ val->validation_attempts++;
+
 /*
 * Find the DNSKEY matching the DS...
 */
@@ -2189,6 +2191,11 @@ validate_dnskey_dsset_next_done(void *arg) {
 return;
 }
 
+ if (val->validation_attempts != 0) {
+ val->unsupported_algorithm = 0;
+ val->unsupported_digest = 0;
+ }
+
 validate_dnskey_dsset_done(val, result);
 return;
 }
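Review bot: `validation_attempts` is declared as a `uint8_t` but the patch only ever increments it and tests it against zero, so after 256 increments it wraps back to 0 and the `!= 0` test in validator.c would then behave as though no supported DS had been tried. Since only "zero or not" is ever consulted, a `bool` that is set rather than counted cannot wrap; if an actual count is wanted, use a wider type or saturate before incrementing. The field also lands among undocumented siblings, and a one-line comment such as `uint8_t validation_attempts; /* DS records that reached key matching in validate_dnskey_dsset(); only tested for zero */` would spare the next reader a trip to validator.c. The `struct dns_validator` definition begins and ends outside this hunk.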
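Review bot: The new `val->validation_attempts++` after the `return DNS_R_BADALG;` branch carries no comment, and nothing in this function says what is being counted or why; a reader of validate_dnskey_dsset alone cannot see that the count is consulted later to drop the unsupported-algorithm markers. Suggest `/* This DS got past the algorithm checks above, so it counts as a real validation attempt: a later failure must end BOGUS, not insecure. */` above the increment, with "algorithm checks" adjusted to whatever the `DNS_R_BADALG` return actually guards — that condition lies above the hunk and is not visible here. If the increment is reached for every such DS regardless of whether a matching DNSKEY is found afterwards, the comment should say so as well. The rest of validate_dnskey_dsset lies outside the hunk.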
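Review bot: The patch increments `validation_attempts` but never resets it, so if a `dns_validator_t` is reused across passes — the struct carries a `resume` flag — the `!= 0` test here could be satisfied by attempts from an earlier pass and clear `unsupported_algorithm`/`unsupported_digest` for a DS set in which no supported DS was actually tried; this should be confirmed against the validator's lifecycle, which is outside the hunk. The new block also deserves a why-comment, since its link to the EDE markers is not visible here, e.g. `/* At least one DS had a supported algorithm and digest: forget the unsupported ones so the DNSKEY verdict is BOGUS rather than insecure. */`. The early `return` above the block and the opening of validate_dnskey_dsset_next_done lie outside the hunk.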