From: Matt Corallo <git@bluematt.me>
Date: Tue, 9 Jul 2024 20:33:37 +0000 (+0000)
Subject: Ignore spurious `RRSig`s which sign `DNSKEY`s with a ZSK
X-Git-Tag: v0.5.5~5
X-Git-Url: http://git.bitcoin.ninja/index.cgi?a=commitdiff_plain;h=cc7d4e144873bbb8b37d48057642bb9b7ce1de22;p=dnssec-prover

Ignore spurious `RRSig`s which sign `DNSKEY`s with a ZSK

There's no reason to include an `RRSig` signing `DNSKEY`s with a
ZSK - validators only care about the KSK signing `DNSKEY`s, hence
*Key*-Signing Key. However, OVH appears to include such signatures
anyway, which we must ignore.

Here we do so by pre-filtering the `RRSig`s we try to validate by
key tag before calling `verify_rrsig`. This causes us to calculate
the key tag a few extra times, but that's not a huge deal.
---

diff --git a/src/validation.rs b/src/validation.rs
index fc188a4..3509651 100644
--- a/src/validation.rs
+++ b/src/validation.rs
@@ -187,6 +187,12 @@ where RI: IntoIterator<IntoIter = R>, R: Iterator<Item = &'r RRSig>,
 
 	let mut found_unsupported_alg = false;
 	for sig in sigs {
+		if !validated_dnskeys.iter().any(|key| key.key_tag() == sig.key_tag) {
+			// Some DNS servers include spurious RRSig records signed by the ZSK covering the
+			// DNSKEY set (looking at you OVH). This is harmless (but wasteful) and we should
+			// ignore such signatures rather than immediately failing.
+			continue;
+		}
 		match verify_rrsig(sig, validated_dnskeys.iter().copied(), records.clone()) {
 			Ok(()) => return Ok(sig),
 			Err(ValidationError::UnsupportedAlgorithm) => {