From: Matt Corallo Date: Tue, 9 Jul 2024 20:33:37 +0000 (+0000) Subject: Ignore spurious `RRSig`s which sign `DNSKEY`s with a ZSK X-Git-Tag: v0.5.5~5 X-Git-Url: http://git.bitcoin.ninja/?a=commitdiff_plain;h=cc7d4e144873bbb8b37d48057642bb9b7ce1de22;p=dnssec-prover Ignore spurious `RRSig`s which sign `DNSKEY`s with a ZSK There's no reason to include an `RRSig` signing `DNSKEY`s with a ZSK - validators only care about the KSK signing `DNSKEY`s, hence *Key*-Signing Key. However, OVH appears to include such signatures anyway, which we must ignore. Here we do so by pre-filtering the `RRSig`s we try to validate by key tag before calling `verify_rrsig`. This causes us to calculate the key tag a few extra times, but that's not a huge deal. --- diff --git a/src/validation.rs b/src/validation.rs index fc188a4..3509651 100644 --- a/src/validation.rs +++ b/src/validation.rs @@ -187,6 +187,12 @@ where RI: IntoIterator, R: Iterator, let mut found_unsupported_alg = false; for sig in sigs { + if !validated_dnskeys.iter().any(|key| key.key_tag() == sig.key_tag) { + // Some DNS servers include spurious RRSig records signed by the ZSK covering the + // DNSKEY set (looking at you OVH). This is harmless (but wasteful) and we should + // ignore such signatures rather than immediately failing. + continue; + } match verify_rrsig(sig, validated_dnskeys.iter().copied(), records.clone()) { Ok(()) => return Ok(sig), Err(ValidationError::UnsupportedAlgorithm) => {