Merge branch '1689-bind-stops-dnskey-lookup-in-get_dst_key-when-a-key-with-unsupported-algorithm-is-found-first' into 'main'

Resolve "BIND stops DNSKEY lookup in get_dst_key() when a key with unsupported algorithm is found first" Closes #1689 See merge request isc-projects/bind9!3736
2026-05-28 04:34:54 -04:00 · 2020-06-25 12:40:45 +00:00 · 2020-06-25 12:40:45 +00:00 · 5d3a7aadb8
commit 5d3a7aadb8
parent 30b85fe4a8 c6345fffe9
4 changed files with 35 additions and 16 deletions
--- a/6
+++ b/6
@ -1,3 +1,9 @@
+5446.	[bug]		The validator could fail to accept a properly signed
+			RRset if an unsupported algorithm appeared earlier in
+			the DNSKEY RRset than a supported algorithm.  It could
+			also stop if it detected a malformed public key.
+			[GL #1689]
+
 5445.	[cleanup]	Disable and disallow static linking. [GL #1933]

 5444.	[bug]		'rndc dnstap -roll <value>' was not limiting the
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@ -3562,6 +3562,13 @@ n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))

+# TODO: test case for GL #1689.
+# If we allow the dnssec tools to use deprecated algorithms (such as RSAMD5)
+# we could write a test that signs a zone with supported and unsupported
+# algorithm, apply a fixed rrset order such that the unsupported algorithm
+# precedes the supported one in the DNSKEY RRset, and verify the result still
+# validates succesfully.
+
 echo_i "check that a lone non matching CDNSKEY record is rejected ($n)"
 ret=0
 (
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@ -48,3 +48,8 @@ Bug Fixes

 - 'rndc dnstap -roll <value>' was not limiting the number of saved
  files to <value>. [GL !3728]
+
+- The validator could fail to accept a properly signed RRset if an
+  unsupported algorithm appeared earlier in the DNSKEY RRset than a
+  supported algorithm.  It could also stop if it detected a malformed
+  public key. [GL #1689]
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@ -1126,24 +1126,25 @@ select_signing_key(dns_validator_t *val, dns_rdataset_t *rdataset) {
 		INSIST(val->key == NULL);
 		result = dst_key_fromdns(&siginfo->signer, rdata.rdclass, &b,
 					 val->view->mctx, &val->key);
-		if (result != ISC_R_SUCCESS) {
-			goto failure;
-		}
-		if (siginfo->algorithm == (dns_secalg_t)dst_key_alg(val->key) &&
-		    siginfo->keyid == (dns_keytag_t)dst_key_id(val->key) &&
-		    dst_key_iszonekey(val->key))
-		{
-			if (foundold) {
-				/*
-				 * This is the key we're looking for.
-				 */
-				return (ISC_R_SUCCESS);
-			} else if (dst_key_compare(oldkey, val->key)) {
-				foundold = true;
-				dst_key_free(&oldkey);
+		if (result == ISC_R_SUCCESS) {
+			if (siginfo->algorithm ==
+				    (dns_secalg_t)dst_key_alg(val->key) &&
+			    siginfo->keyid ==
+				    (dns_keytag_t)dst_key_id(val->key) &&
+			    dst_key_iszonekey(val->key))
+			{
+				if (foundold) {
+					/*
+					 * This is the key we're looking for.
+					 */
+					return (ISC_R_SUCCESS);
+				} else if (dst_key_compare(oldkey, val->key)) {
+					foundold = true;
+					dst_key_free(&oldkey);
+				}
 			}
+			dst_key_free(&val->key);
 		}
-		dst_key_free(&val->key);
 		dns_rdata_reset(&rdata);
 		result = dns_rdataset_next(rdataset);
 	} while (result == ISC_R_SUCCESS);