Replace INSIST in KSR DNSKEY parser with a structured error

A DNSKEY record appearing before any ';; KeySigningRequest' header in a KSR file made dnssec-ksr abort on INSIST(rdatalist != NULL), which is the wrong tool for a malformed-input case. Issue a fatal() naming the file and line instead so pipelines see a clean exit status and an actionable message; the now-unreachable NULL check on the rdatalist->ttl update goes away too. Assisted-by: Claude:claude-opus-4-7
2026-05-28 04:34:54 -04:00 · 2026-04-30 06:43:50 +02:00 · 2026-04-30 06:43:50 +02:00 · b4200ba259
commit b4200ba259
parent a925af7ce6
2 changed files with 22 additions and 2 deletions
--- a/bin/dnssec/dnssec-ksr.c
+++ b/bin/dnssec/dnssec-ksr.c
@ -1244,7 +1244,11 @@ sign(ksr_ctx_t *ksr) {
 			isc_region_t r;
 			u_char rdatabuf[DST_KEY_MAXSIZE];

-			INSIST(rdatalist != NULL);
+			if (rdatalist == NULL) {
+				fatal("bad KSR file %s(%lu): DNSKEY record "
+				      "before ';; KeySigningRequest' header",
+				      ksr->file, isc_lex_getsourceline(lex));
+			}

 			rdata = isc_mem_get(isc_g_mctx, sizeof(*rdata));
 			dns_rdata_init(rdata);
@ -1261,7 +1265,7 @@ sign(ksr_ctx_t *ksr) {
 			isc_buffer_usedregion(newbuf, &r);
 			dns_rdata_fromregion(rdata, dns_rdataclass_in,
 					     dns_rdatatype_dnskey, &r);
-			if (rdatalist != NULL && ttl < rdatalist->ttl) {
+			if (ttl < rdatalist->ttl) {
 				rdatalist->ttl = ttl;
 			}

--- a/bin/tests/system/ksr/tests_ksr.py
+++ b/bin/tests/system/ksr/tests_ksr.py
@ -651,6 +651,22 @@ def test_ksr_errors():
    )
    assert "dnssec-ksr: fatal: 'sign' requires a KSR file" in cmd.err

+    # check that 'dnssec-ksr sign' rejects a KSR whose first record
+    # is a DNSKEY without a preceding ';; KeySigningRequest' header,
+    # rather than aborting on an INSIST assertion
+    bad_ksr = "common.test.bad.ksr"
+    with open(bad_ksr, "w", encoding="utf-8") as f:
+        f.write(". 3600 IN DNSKEY 257 3 8 AwEAAa==\n")
+    cmd = ksr(
+        "common.test",
+        "common",
+        "sign",
+        options=f"-K ns1/offline -f {bad_ksr} -i now -e +1y",
+        raise_on_exception=False,
+    )
+    assert cmd.rc == 1
+    assert "DNSKEY record before ';; KeySigningRequest' header" in cmd.err
+

 def test_ksr_common(ns1):
    # common test cases (1)