Handle unknown DS hash algos correctly.

When we can validate a DS RRset, but don't speak the hash algo it contains, treat that the same as an NSEC/3 proving that the DS doesn't exist. 4025 5.2

Handle unknown DS hash algos correctly.
When we can validate a DS RRset, but don't speak the hash algo it contains, treat that the same as an NSEC/3 proving that the DS doesn't exist. 4025 5.2
67ab3285 · Simon Kelley · 41a8d9e9 · 67ab3285
Commit 67ab3285 authored Nov 20, 2015 by Simon Kelley
Hide whitespace changes
Inline Side-by-side

Showing with 13 additions and 0 deletions

src/dnssec.c src/dnssec.c +13 -0

No files found.
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -1005,6 +1005,19 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch
  if (crecp->flags & F_NEG)
    return STAT_INSECURE_DS;
+  /* 4035 5.2 
+     If the validator does not support any of the algorithms listed in an
+     authenticated DS RRset, then the resolver has no supported
+     authentication path leading from the parent to the child.  The
+     resolver should treat this case as it would the case of an
+     authenticated NSEC RRset proving that no DS RRset exists,  */
+  for (recp1 = crecp; recp1; recp1 = cache_find_by_name(recp1, name, now, F_DS))
+    if (hash_find(ds_digest_name(recp1->addr.ds.digest)))
+      break;
+  if (!recp1)
+    return STAT_INSECURE_DS;
  /* NOTE, we need to find ONE DNSKEY which matches the DS */
  for (valid = 0, j = ntohs(header->ancount); j != 0 && !valid; j--) 
    {