From 71f023a1c395d34be690147da9162a25a5041e6f Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Fri, 17 Nov 2023 13:45:17 +0100
Subject: [PATCH 1/3] Recognize escapes when reading the public key

Escapes are valid in DNS names, and should be recognized when reading the public key from disk.
---
 lib/dns/dst_api.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
index d01062781a..af53947ac6 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -1606,7 +1606,7 @@ dst_key_read_public(const char *filename, int type, isc_mem_t *mctx,
 isc_token_t token;
 isc_result_t ret;
 dns_rdata_t rdata = DNS_RDATA_INIT;
- unsigned int opt = ISC_LEXOPT_DNSMULTILINE;
+ unsigned int opt = ISC_LEXOPT_DNSMULTILINE | ISC_LEXOPT_ESCAPE;
 dns_rdataclass_t rdclass = dns_rdataclass_in;
 isc_lexspecials_t specials;
 uint32_t ttl = 0;
From 6a4f3ec242be67124bdc81785c8c78bf79c5066d Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Fri, 17 Nov 2023 16:00:23 +0100
Subject: [PATCH 2/3] Add a DNSSEC policy test case for a special zone

Try to create a key for a zone, and then sign it, that has some special characters in the name.
---
 bin/tests/system/kasp/ns3/named-fips.conf.in | 8 ++++++++
 bin/tests/system/kasp/ns3/setup.sh | 7 +++++++
 bin/tests/system/kasp/tests.sh | 10 ++++++++++
 3 files changed, 25 insertions(+)
diff --git a/bin/tests/system/kasp/ns3/named-fips.conf.in b/bin/tests/system/kasp/ns3/named-fips.conf.in
index cef81f94d5..d67aa5f38a 100644
--- a/bin/tests/system/kasp/ns3/named-fips.conf.in
+++ b/bin/tests/system/kasp/ns3/named-fips.conf.in
@@ -48,6 +48,14 @@ zone "default.kasp" {
 dnssec-policy "default";
 };
+/* A zone with special characters. */
+zone "i-am.\":\;?&[]\@!\$*+,|=\.\(\)special.kasp." {
+ type primary;
+ file "i-am.special.kasp.db";
+ check-names ignore;
+ dnssec-policy "default";
+};
+
 /* checkds: Zone with one KSK. */
 zone "checkds-ksk.kasp" {
 type primary;
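Review bot: The declaration `unsigned int opt = ISC_LEXOPT_DNSMULTILINE | ISC_LEXOPT_ESCAPE;` in `dst_key_read_public()` (lib/dns/dst_api.c, patch 1/3) carries no comment saying why this reader needs escape handling, which makes the flag easy to drop again in a later cleanup. I would add above it `/* Owner names in key files may contain backslash escapes (e.g. "\;" or "\."); the lexer must honour them. */`. The function body continues past the end of the hunk, so how `opt` and the `specials` table are applied to the remaining tokens of the file cannot be checked here; presumably the flag covers every token read, not just the owner name. The system test in patch 2/3 exercises this only end to end, so a unit test that reads a public key file whose owner name contains an escaped character would pin the parsing behaviour directly.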
diff --git a/bin/tests/system/kasp/ns3/setup.sh b/bin/tests/system/kasp/ns3/setup.sh
index 63aeb36fa5..55fcd1b5e1 100644
--- a/bin/tests/system/kasp/ns3/setup.sh
+++ b/bin/tests/system/kasp/ns3/setup.sh
@@ -51,6 +51,13 @@ for zn in default dnssec-keygen some-keys legacy-keys pregenerated \
 cp template.db.in "$zonefile"
 done
+#
+# Setup special zone
+#
+zone="i-am.\":\;?&[]\@!\$*+,|=\.\(\)special.kasp."
+echo_i "setting up zone: $zone"
+cp template.db.in "i-am.special.kasp.db"
+
 #
 # Set up RSASHA1 based zones
 #
diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh
index 6ac891c0d2..645d77b8dd 100644
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
@@ -393,6 +393,16 @@ check_apex
 check_subdomain
 dnssec_verify
+#
+# A zone with special characters.
+#
+set_zone "i-am.\":\;?&[]\@!\$*+,|=\.\(\)special.kasp."
+set_policy "default" "1" "3600"
+set_server "ns3" "10.53.0.3"
+# It is non-trivial to adapt the tests to deal with all possible different
+# escaping characters, so we will just try to verify the zone.
+dnssec_verify
+
 #
 # Zone: dynamic.kasp
 #
From 53657591fa7532600b147876a9c702ebf8fdc7f9 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Mon, 20 Nov 2023 08:32:29 +0100
Subject: [PATCH 3/3] Add CHANGES
---
 CHANGES | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/CHANGES b/CHANGES
index 38316bc6cc..8a0bf7f59f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+6287. [bug] Recognize escapes when reading the public key from file.
+ [GL !8502]
+
 6286. [bug] Dig +yaml will now report "no servers could be reached" on TCP connection failure as well as for UDP timeouts. [GL #4396]
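Review bot: In bin/tests/system/kasp/ns3/setup.sh the name is written in sh double quotes, `zone="i-am.\":\;?&[]\@!\$*+,|=\.\(\)special.kasp."`, where `\"` and `\$` lose their backslash while `\;`, `\@`, `\.`, `\(` and `\)` keep theirs, so the literal passes through a different quoting layer than the one in named-fips.conf.in. Single quotes give the same value without the mixed escaping: `zone='i-am.":\;?&[]\@!$*+,|=\.\(\)special.kasp.'`. The same applies to the `set_zone` argument in tests.sh. Separately, `$zone` is only echoed and the zone file name is hard-coded, which is reasonable but worth a short comment such as `# file name is fixed so it does not depend on how the zone name is escaped`.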
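Review bot: The name given to `set_zone` in bin/tests/system/kasp/tests.sh contains `*`, `?`, `[]`, `&`, `|` and `;`, so any helper that expands the zone variable unquoted, or passes it through `eval`, would glob or split it. `set_zone` and `dnssec_verify` are defined outside this hunk, so that cannot be confirmed from here; it is worth checking them before relying on this case. A line in the existing comment such as `# The zone name holds shell metacharacters; helpers must expand it in double quotes.` would record the requirement for later test authors.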