DNSSEC validation tweak.

A zone which has at least one key with an algorithm we don't support should be considered as insecure.
2025-12-19 10:18:25 +00:00 · 2015-12-16 13:41:58 +00:00
parent c2bcd1e183
commit 2dbba34b2c
1 changed files with 54 additions and 28 deletions
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -763,10 +763,10 @@ static int explore_rrset(struct dns_header *header, size_t plen, int class, int
   STAT_NEED_KEY need DNSKEY to complete validation (name is returned in keyname)
   STAT_NEED_DS  need DS to complete validation (name is returned in keyname)
-   if key is non-NULL, use that key, which has the algo and tag given in the params of those names,
+   If key is non-NULL, use that key, which has the algo and tag given in the params of those names,
   otherwise find the key in the cache.
-   name is unchanged on exit. keyname is used as workspace and trashed.
+   Name is unchanged on exit. keyname is used as workspace and trashed.
   Call explore_rrset first to find and count RRs and sigs.
 */
@@ -919,6 +919,7 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in
  return STAT_BOGUS;
 }
 /* The DNS packet is expected to contain the answer to a DNSKEY query.
   Put all DNSKEYs in the answer which are valid into the cache.
   return codes:
@@ -1834,12 +1835,12 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns
   STAT_SECURE      zone is signed.
   STAT_INSECURE    zone proved unsigned.
   STAT_NEED_DS     require DS record of name returned in keyname.
-   
+   STAT_NEED_DNSKEY require DNSKEY record of name returned in keyname.
   name returned unaltered.
 */
 static int zone_status(char *name, int class, char *keyname, time_t now)
 {
-  int name_start = strlen(name);
+  int secure_ds, name_start = strlen(name);
  struct crec *crecp;
  char *p;
@@ -1850,6 +1851,9 @@ static int zone_status(char *name, int class, char *keyname, time_t now)
      if (!(crecp = cache_find_by_name(NULL, keyname, now, F_DS)))
 	return STAT_NEED_DS;
      else
 	{
 	  secure_ds = 0;
 	  do 
 	    {
 	      if (crecp->uid == (unsigned int)class)
@@ -1867,9 +1871,31 @@ static int zone_status(char *name, int class, char *keyname, time_t now)
 		    }
 		  else if (!ds_digest_name(crecp->addr.ds.digest) || !algo_digest_name(crecp->addr.ds.algo))
 		    return STAT_INSECURE; /* algo we can't use - insecure */
 		  else
 		    secure_ds = 1;
 		}
 	    }
 	  while ((crecp = cache_find_by_name(crecp, keyname, now, F_DS)));
 	}
      if (secure_ds)
 	{
 	  /* We've found only DS records that attest to the DNSKEY RRset in the zone, so we believe
 	     that RRset is good. Furthermore the DNSKEY whose hash is proved by the DS record is
 	     one we can use. However the DNSKEY RRset may contain more than one key and
 	     one of the other keys may use an algorithm we don't support. If that's 
 	     the case the zone is insecure for us. */
 	  if (!(crecp = cache_find_by_name(NULL, keyname, now, F_DNSKEY)))
 	    return STAT_NEED_KEY;
 	  do 
 	    {
 	      if (crecp->uid == (unsigned int)class && !algo_digest_name(crecp->addr.key.algo))
 		return STAT_INSECURE;
 	    }
 	  while ((crecp = cache_find_by_name(crecp, keyname, now, F_DNSKEY)));
 	}
      if (name_start == 0)
 	break;