From abfd3689bf8b5a40ea8c7e4eaba41c2a270acc2f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?David=20Va=C5=A1ek?=
Date: Wed, 25 Mar 2026 16:21:57 +0100
Subject: [PATCH] dnssec: allow params2dnskey() to be used with incomplete (i.e. trash) keys
---
 src/knot/dnssec/kasp/kasp_zone.c | 37 +++++++++++++++++++-------------
 src/knot/dnssec/kasp/kasp_zone.h | 3 +++
 2 files changed, 25 insertions(+), 15 deletions(-)
diff --git a/src/knot/dnssec/kasp/kasp_zone.c b/src/knot/dnssec/kasp/kasp_zone.c
index a8d0b1ab6..f1668020a 100644
--- a/src/knot/dnssec/kasp/kasp_zone.c
+++ b/src/knot/dnssec/kasp/kasp_zone.c
@@ -59,15 +59,20 @@ static int dnskey_guess_flags(dnssec_key_t *key, uint16_t keytag)
 }
 static int params2dnskey(const knot_dname_t *dname, key_params_t *params,
- dnssec_key_t **key_ptr)
+ dnssec_key_t **key_ptr)
 {
 assert(dname);
 assert(params);
 assert(key_ptr);
- int ret = key_params_check(params);
- if (ret != KNOT_EOK) {
- return ret;
+ const bool trash = (params->dname != NULL);
+ int ret;
+ if (!trash) {
+ // Trash keys don't contain pubkey data.
+ ret = key_params_check(params);
+ if (ret != KNOT_EOK) {
+ return ret;
+ }
 }
 dnssec_key_t *key = NULL;
@@ -84,16 +89,18 @@ static int params2dnskey(const knot_dname_t *dname, key_params_t *params,
 dnssec_key_set_algorithm(key, params->algorithm);
- ret = dnssec_key_set_pubkey(key, ¶ms->public_key);
- if (ret != KNOT_EOK) {
- dnssec_key_free(key);
- return ret;
- }
+ if (!trash) {
+ ret = dnssec_key_set_pubkey(key, ¶ms->public_key);
+ if (ret != KNOT_EOK) {
+ dnssec_key_free(key);
+ return ret;
+ }
- ret = dnskey_guess_flags(key, params->keytag);
- if (ret != KNOT_EOK) {
- dnssec_key_free(key);
- return ret;
+ ret = dnskey_guess_flags(key, params->keytag);
+ if (ret != KNOT_EOK) {
+ dnssec_key_free(key);
+ return ret;
+ }
 }
 *key_ptr = key;
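Review bot: In the `@@ -59,15 +59,20 @@` hunk, `trash` is derived from `params->dname != NULL` and then switches off `key_params_check()` as a whole, so one field of `params` now decides whether any parameter validation runs before the key is built. The only explanation, `// Trash keys don't contain pubkey data.`, sits inside the `if (!trash)` branch where it reads as describing the non-trash path, and nothing says why a set `dname` means trash. I would put the comment on the declaration instead, e.g. `/* params->dname is set only for trash keys; they carry no public key, so the pubkey-dependent checks are skipped. */`, and, if `key_params_check()` (not shown in this diff) also validates fields a trash key does have, keep those checks on both paths. `int ret;` is now unassigned on the trash path until code between this hunk and the next, which is outside the visible lines, so confirm its first use there is a write.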
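Review bot: In the `@@ -84,16 +89,18 @@` hunk the trash path falls through to `*key_ptr = key` with a `dnssec_key_t` that has an algorithm but no public key and no guessed flags, and `params->keytag` is not used for it in the visible lines. A caller that later derives a keytag or DNSKEY rdata from this object, or hands it to signing or validation code, would be operating on an incomplete key, and nothing on the function states that. `params2dnskey()` should get a header comment saying that when `params->dname` is set the returned key is metadata-only and must not be used for cryptographic operations, and the callers reached through `params2kaspkey()` should be checked against that contract. The function starts and ends outside this hunk.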
@@ -101,8 +108,8 @@ static int params2dnskey(const knot_dname_t *dname, key_params_t *params,
 return KNOT_EOK;
 }
-static int params2kaspkey(const knot_dname_t *dname, key_params_t *params,
- knot_kasp_key_t *key)
+int params2kaspkey(const knot_dname_t *dname, key_params_t *params,
+ knot_kasp_key_t *key)
 {
 assert(dname != NULL);
 assert(params != NULL);
diff --git a/src/knot/dnssec/kasp/kasp_zone.h b/src/knot/dnssec/kasp/kasp_zone.h
index 1c65d2e04..4ddb6dc7a 100644
--- a/src/knot/dnssec/kasp/kasp_zone.h
+++ b/src/knot/dnssec/kasp/kasp_zone.h
@@ -19,6 +19,9 @@ typedef struct {
 knot_time_t nsec3_salt_created;
 } knot_kasp_zone_t;
+int params2kaspkey(const knot_dname_t *dname, key_params_t *params,
+ knot_kasp_key_t *key);
+
 int kasp_zone_load(knot_kasp_zone_t *zone,
 const knot_dname_t *zone_name,
 knot_lmdb_db_t *kdb,
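Review bot: Dropping `static` in the `@@ -101,8 +108,8 @@` hunk and adding the prototype in kasp_zone.h (`@@ -19,6 +19,9 @@`) exports `params2kaspkey()` with `assert(dname != NULL)` and `assert(params != NULL)` as its only visible argument checks, which disappear if the build defines NDEBUG. The exported name also lacks the module prefix that `kasp_zone_load()` next to it in the header carries, and the new declaration has no comment. I would add a doc comment above the prototype covering the parameters, the return codes and the fact that a `params` with `dname` set yields a key without public-key material, and consider a prefixed name. The function body continues past the end of the hunk.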