bind/3318-Allow-unsupported-alg-in-zone-w-dnssec-signzone.patch

From 1dd11fc754baf396bb3040527087b14f0678dd83 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking <github@pletterpet.nl>
Date: Tue, 18 Dec 2018 12:14:04 +0100
Subject: [PATCH 3318/3677] Allow unsupported alg in zone /w dnssec-signzone
dnssec-signzone should sign a zonefile that contains a DNSKEY record
with an unsupported algorithm. Current behavior is that it will
fail, hitting a fatal error. The fix detects unsupported algorithms
and will not try to add it to the keylist.
Also when determining the maximum iterations for NSEC3, don't take
into account DNSKEY records in the zonefile with an unsupported
algorithm.
---
lib/dns/dnssec.c | 8 ++++++++
lib/dns/include/dns/dnssec.h | 2 +-
lib/dns/nsec3.c | 11 ++++++++++-
3 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c
index c12ecac..e255b6e 100644
--- a/lib/dns/dnssec.c
+++ b/lib/dns/dnssec.c
@@ -1622,6 +1622,14 @@ dns_dnssec_keylistfromrdataset(const dns_name_t *origin,
result = dns_rdataset_next(&keys)) {
dns_rdata_reset(&rdata);
dns_rdataset_current(&keys, &rdata);
+
+ /* Skip unsupported algorithms */
+ REQUIRE(rdata.type == dns_rdatatype_key ||
+ rdata.type == dns_rdatatype_dnskey);
+ REQUIRE(rdata.length > 3);
+ if (!dst_algorithm_supported(rdata.data[3]))
+ goto skip;
+
RETERR(dns_dnssec_keyfromrdata(origin, &rdata, mctx, &pubkey));
dst_key_setttl(pubkey, keys.ttl);
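Review bot: The skipped key is dropped without any diagnostic: when `dst_algorithm_supported(rdata.data[3])` is false the loop jumps to `skip` and nothing records which key or algorithm was ignored, so an operator signing a zone whose apex DNSKEY RRset carries an algorithm this build cannot use ends up with no RRSIGs for that algorithm and no hint why, while validators expect signatures for every algorithm present at the apex. A one-line log entry before the `goto skip;`, at whatever level this file already uses for key-loading notices, would make the omission visible. The bare index also deserves a comment, since `3` is only meaningful given the rdata layout: `/* DNSKEY/KEY rdata: flags(2) protocol(1) algorithm(1) key... */`. The `skip:` label and the remainder of dns_dnssec_keylistfromrdataset lie outside the hunk, so whether anything allocated earlier in the iteration needs releasing on that path cannot be checked here.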
diff --git a/lib/dns/include/dns/dnssec.h b/lib/dns/include/dns/dnssec.h
index 50930b6..e60375e 100644
--- a/lib/dns/include/dns/dnssec.h
+++ b/lib/dns/include/dns/dnssec.h
@@ -274,7 +274,7 @@ dns_dnssec_findmatchingkeys(const dns_name_t *origin, const char *directory,
/*%<
* Search 'directory' for K* key files matching the name in 'origin'.
* Append all such keys, along with use hints gleaned from their
- * metadata, onto 'keylist'.
+ * metadata, onto 'keylist'. Skip any unsupported algorithms.
*
* Requires:
*\li 'keylist' is not NULL
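Review bot: The comment amended here belongs to dns_dnssec_findmatchingkeys (see the `@@` context and the surrounding text about K* key files in 'directory'), but the function this patch changes to skip unsupported algorithms is dns_dnssec_keylistfromrdataset in lib/dns/dnssec.c. Unless findmatchingkeys already performs the same skip — which this diff does not show — the added sentence documents the wrong contract, and the description of dns_dnssec_keylistfromrdataset is left without the new behaviour. Suggest adding `Keys whose algorithm is not supported by this build are silently omitted from 'keylist'.` to the keylistfromrdataset description, and keeping it here only if findmatchingkeys genuinely behaves the same way.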
diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c
index 861e909..f30d695 100644
--- a/lib/dns/nsec3.c
+++ b/lib/dns/nsec3.c
@@ -1811,8 +1811,17 @@ dns_nsec3_maxiterations(dns_db_t *db, dns_dbversion_t *version,
result == ISC_R_SUCCESS;
result = dns_rdataset_next(&rdataset)) {
dns_rdata_t rdata = DNS_RDATA_INIT;
-
dns_rdataset_current(&rdataset, &rdata);
+
+ /* Skip unsupported algorithms when
+ * calculating the maximum iterations.
+ */
+ REQUIRE(rdata.type == dns_rdatatype_key ||
+ rdata.type == dns_rdatatype_dnskey);
+ REQUIRE(rdata.length > 3);
+ if (!dst_algorithm_supported(rdata.data[3]))
+ continue;
+
isc_buffer_init(&buffer, rdata.data, rdata.length);
isc_buffer_add(&buffer, rdata.length);
CHECK(dst_key_fromdns(dns_db_origin(db), rdataset.rdclass,
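Review bot: The five-line check from `REQUIRE(rdata.type == dns_rdatatype_key ||` through `continue;` is a verbatim copy of the one this same patch adds to lib/dns/dnssec.c, differing only in the exit statement; a small shared predicate next to dst_algorithm_supported() that takes the rdata and encapsulates the type/length/offset-3 assumption would keep the two call sites in step if the layout assumption ever needs revisiting. The new comment block mixes styles (text starting on the `/*` line, `*/` alone on its own line) while the dnssec.c hunk uses a one-line `/* Skip unsupported algorithms */`; pick one form for both. The removal of the blank line above `dns_rdataset_current` and its reinsertion below it is whitespace-only churn that could be dropped. The `CHECK(dst_key_fromdns(` call and the enclosing loop of dns_nsec3_maxiterations continue past the hunk.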
--
1.8.3.1