bind9

mirror of https://github.com/isc-projects/bind9.git synced 2026-06-15 01:00:06 -04:00

History

Ondřej Surý 8b2c490811 Enforce strict RSA DNSKEY shape during DNSSEC validation A resolver that validated DNSSEC accepted RSA DNSKEYs of any modulus size up to OpenSSL's compile-time ceiling, and accepted any public exponent the wire format could carry. RSA verification cost grows sharply with the modulus length, so an authoritative server could publish an oversized DNSKEY to make each signature check on the resolver many times more expensive than for a normally sized key. The intended verify-time cap had no effect because the helper it called returned the public-exponent bit length rather than the modulus bit length, so the test was always satisfied. Replace it with an honest modulus-range check and a stricter exponent check that accepts only odd exponents in the closed range [3, 2^32 + 1] (covering every Fermat prime up to F5 and the odd intermediate values seen in deployed keys), reject anything outside those bounds at every RSA key load path so an invalid key never reaches the verifier, and keep the same checks at the verifier as a backstop against future load paths.	2026-06-08 18:00:27 +02:00
..
isc	Enforce strict RSA DNSKEY shape during DNSSEC validation	2026-06-08 18:00:27 +02:00
.clang-format	Add separate .clang-format files for headers	2020-02-14 09:31:05 +01:00

Ondřej Surý 8b2c490811 Enforce strict RSA DNSKEY shape during DNSSEC validation

A resolver that validated DNSSEC accepted RSA DNSKEYs of any modulus
size up to OpenSSL's compile-time ceiling, and accepted any public
exponent the wire format could carry.  RSA verification cost grows
sharply with the modulus length, so an authoritative server could
publish an oversized DNSKEY to make each signature check on the
resolver many times more expensive than for a normally sized key.

The intended verify-time cap had no effect because the helper it called
returned the public-exponent bit length rather than the modulus bit
length, so the test was always satisfied.  Replace it with an honest
modulus-range check and a stricter exponent check that accepts only odd
exponents in the closed range [3, 2^32 + 1] (covering every Fermat
prime up to F5 and the odd intermediate values seen in deployed keys),
reject anything outside those bounds at every RSA key load path so an
invalid key never reaches the verifier, and keep the same checks at the
verifier as a backstop against future load paths.

2026-06-08 18:00:27 +02:00

isc

Enforce strict RSA DNSKEY shape during DNSSEC validation

2026-06-08 18:00:27 +02:00

.clang-format

Add separate .clang-format files for headers

2020-02-14 09:31:05 +01:00