From a7716fa763b2f48a14dd5880ca7effac1eb02ab7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= Date: Wed, 8 Jul 2026 10:47:47 +0200 Subject: [PATCH] Size RRSIG rdata buffers by the maximum rdata length The buffers receiving the RRSIG rdata built by dns_dnssec_sign() were fixed-size arrays (1024 or 2048 octets), which is too small for post-quantum signatures. Use DNS_RDATA_MAXLENGTH sized buffers instead, which no RRSIG rdata can exceed by construction. Assisted-by: Claude:claude-fable-5 --- bin/dnssec/dnssec-ksr.c | 2 +- bin/dnssec/dnssec-signzone.c | 3 +-- lib/dns/update.c | 3 ++- lib/dns/zone.c | 4 ++-- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/bin/dnssec/dnssec-ksr.c b/bin/dnssec/dnssec-ksr.c index 904debd570..85db3cd354 100644 --- a/bin/dnssec/dnssec-ksr.c +++ b/bin/dnssec/dnssec-ksr.c @@ -656,7 +656,7 @@ sign_rrset(ksr_ctx_t *ksr, isc_stdtime_t inception, isc_stdtime_t expiration, dns_rdata_t rdata = DNS_RDATA_INIT; dns_rdata_t *rrsig = NULL; isc_region_t rs; - unsigned char rdatabuf[SIG_FORMATSIZE]; + unsigned char rdatabuf[DNS_RDATA_MAXLENGTH]; isc_stdtime_t clockskew = inception - 3600; isc_stdtime_t pub = 0, act = 0, inact = 0, del = 0; diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c index a537e82243..7745993ddf 100644 --- a/bin/dnssec/dnssec-signzone.c +++ b/bin/dnssec/dnssec-signzone.c @@ -106,7 +106,6 @@ static int nsec_datatype = dns_rdatatype_nsec; #define REVOKE(x) ((dst_key_flags(x) & DNS_KEYFLAG_REVOKE) != 0) -#define BUFSIZE 2048 #define MAXDSKEYS 8 #define SIGNER_EVENTCLASS ISC_EVENTCLASS(0x4453) @@ -270,7 +269,7 @@ signwithkey(dns_name_t *name, dns_rdataset_t *rdataset, dst_key_t *key, isc_stdtime_t jendtime, expiry; char keystr[DST_KEY_FORMATSIZE]; dns_rdata_t trdata = DNS_RDATA_INIT; - unsigned char array[BUFSIZE]; + unsigned char array[DNS_RDATA_MAXLENGTH]; isc_buffer_t b; dns_difftuple_t *tuple; diff --git a/lib/dns/update.c b/lib/dns/update.c index c8e6542d13..446415ea22 100644 --- a/lib/dns/update.c +++ b/lib/dns/update.c @@ -40,6 +40,7 @@ #include #include #include +#include #include #include #include @@ -970,7 +971,7 @@ add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db, dns_rdata_t sig_rdata = DNS_RDATA_INIT; dns_stats_t *dnssecsignstats = dns_zone_getdnssecsignstats(zone); isc_buffer_t buffer; - unsigned char data[1024]; /* XXX */ + unsigned char data[DNS_RDATA_MAXLENGTH]; unsigned int i; bool added_sig = false; bool use_kasp = false; diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 3d9ac83650..e5b2f397d8 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -5728,7 +5728,7 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, dns_zone_t *zone, dns_stats_t *dnssecsignstats; dns_rdataset_t rdataset; dns_rdata_t sig_rdata = DNS_RDATA_INIT; - unsigned char data[1024]; /* XXX */ + unsigned char data[DNS_RDATA_MAXLENGTH]; isc_buffer_t buffer; unsigned int i; bool use_kasp = false; @@ -6420,7 +6420,7 @@ sign_a_node(dns_db_t *db, dns_zone_t *zone, dns_name_t *name, dns_stats_t *dnssecsignstats; bool offlineksk = false; isc_buffer_t buffer; - unsigned char data[1024]; + unsigned char data[DNS_RDATA_MAXLENGTH]; seen_t seen; if (zone->kasp != NULL) {