From dfee0e64ed54aad2d82758ec86559d44570d7220 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Wed, 28 May 2025 13:59:04 +1000
Subject: [PATCH] Check that the specified DS digest is supported

dnssec-dsfromkey and dnssec-cds failed to properly check if the specified DS digest type is supported or not.
---
 bin/dnssec/dnssectool.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c
index cb42bb710a..91a6c47554 100644
--- a/bin/dnssec/dnssectool.c
+++ b/bin/dnssec/dnssectool.c
@@ -361,7 +361,10 @@ strtodsdigest(const char *str) {
 r.length = strlen(str);
 result = dns_dsdigest_fromtext(&alg, &r);
 if (result != ISC_R_SUCCESS) {
- fatal("unknown DS algorithm %s", str);
+ fatal("unknown DS digest %s", str);
+ }
+ if (!dst_ds_digest_supported(alg)) {
+ fatal("unsupported DS digest %s", str);
 }
 return alg;
 }
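Review bot: The new `dst_ds_digest_supported(alg)` check in strtodsdigest() carries no comment explaining why a digest that parsed successfully can still be rejected, which is the distinction this fix exists to enforce. I would add above it something like `/* Parsing only validates the mnemonic/number; reject digest types this build cannot compute. */`, assuming, as the commit message implies, that dns_dsdigest_fromtext() accepts types the crypto backend does not implement. The diffstat shows only dnssectool.c changing, so a regression test that runs dnssec-dsfromkey and dnssec-cds with an unsupported digest and expects the fatal exit would keep the check from being dropped unnoticed. The function's declarations and opening lines are outside the hunk, so the type of `alg` passed to the new call cannot be confirmed from here.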