Require local KEYs for SIG(0) verification

This is additional hardening. There is no known use-case for KEY RRs from DNS cache and it potentially allows attackers to put weird keys into cache.
2025-08-30 14:07:59 +00:00 · 2024-06-04 18:41:44 +02:00
parent d69fab1530
commit 9370acd3a7
1 changed files with 1 additions and 3 deletions
--- a/lib/dns/message.c
+++ b/lib/dns/message.c
@@ -3323,11 +3323,9 @@ dns_message_checksig(dns_message_t *msg, dns_view_t *view) {
 					     0, false, &keyset, NULL);

 		if (result != ISC_R_SUCCESS) {
-			/* XXXBEW Should possibly create a fetch here */
 			result = DNS_R_KEYUNAUTHORIZED;
 			goto freesig;
-		} else if (keyset.trust < dns_trust_secure) {
-			/* XXXBEW Should call a validator here */
+		} else if (keyset.trust < dns_trust_ultimate) {
 			result = DNS_R_KEYUNAUTHORIZED;
 			goto freesig;
 		}