[PR #2131] [MERGED] Only DNSKEY zone keys are allowed to match DS RR #2827

Closed
opened 2026-03-16 11:10:21 +03:00 by kerem · 0 comments

📋 Pull Request Information

Original PR: https://github.com/hickory-dns/hickory-dns/pull/2131
Author: @justahero
Created: 1/25/2024
Status: Merged
Merged: 1/27/2024
Merged by: @bluejekyll

Base: main ← Head: sebastian/validate-zone-in-ds-dnskey


📝 Commits (1)

  • 3810ca0 Only DNSKEY zone keys are allowed to match DS RR

📊 Changes

1 file changed (+23 additions, -1 deletions)


📝 crates/proto/src/rr/dnssec/rdata/ds.rs (+23 -1)

📄 Description

In RFC 4034 section 5.2 Processing of DS RRs When Validating Responses it states:

The DNSKEY RR referred to in the DS RR MUST be a DNSSEC zone key.

This PR modifies the verification so that a corresponding DNSKEY for a DS RR not only matches the digest, but also is a zone key (in method DS::covers). I checked other RFCs (RFC 6840 & RFC 8499) for any amendments indicating that the zone key check has been retracted.

There is a zone key check in the validation logic of DnsSecHandle but it may not be invoked for all DNSKEY verification paths.
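The check the PR describes, as an added stand-alone illustration (this is not hickory-dns code and does not use its types): a DS record is matched against a DNSKEY by key tag and algorithm, then by the RFC 4034 section 5.1.4 digest over the canonical owner name plus the DNSKEY RDATA, and finally, as the PR adds, by requiring the Zone Key flag (bit 7 of the flags field, value 0x0100, RFC 4034 section 2.1.1). The `require_zone_key` parameter exists only to show the before/after behaviour side by side; the record layout as a plain dict, the sample public-key bytes and the owner name are constructed for the example.

```python
import hashlib
import hmac
import struct

ZONE_KEY_FLAG = 0x0100  # RFC 4034 section 2.1.1: Zone Key flag (bit 7 of the 16-bit flags field)
# Digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605)
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def canonical_name(name: str) -> bytes:
    """Owner name in canonical wire form (RFC 4034 section 6.2):
    lowercase labels, each length-prefixed, terminated by the root label."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes, protocol: int = 3) -> bytes:
    """DNSKEY RDATA: flags (16 bit), protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (algorithms other than 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> bytes:
    """RFC 4034 section 5.1.4: digest = hash(canonical owner name | DNSKEY RDATA)."""
    return DIGEST_TYPES[digest_type](canonical_name(owner) + rdata).digest()


def make_ds(owner: str, flags: int, algorithm: int, public_key: bytes, digest_type: int = 2) -> dict:
    """Build the DS RDATA fields a parent zone would publish for this DNSKEY (constructed helper)."""
    rdata = dnskey_rdata(flags, algorithm, public_key)
    return {
        "key_tag": key_tag(rdata),
        "algorithm": algorithm,
        "digest_type": digest_type,
        "digest": ds_digest(owner, rdata, digest_type),
    }


def ds_covers(ds: dict, owner: str, flags: int, algorithm: int, public_key: bytes,
              require_zone_key: bool = True) -> bool:
    """Does this DS RR cover the given DNSKEY?

    require_zone_key=False reproduces the pre-PR behaviour (digest match only);
    require_zone_key=True additionally enforces the RFC 4034 section 5.2 MUST."""
    rdata = dnskey_rdata(flags, algorithm, public_key)
    # Cheap field checks first: algorithm and key tag must agree before hashing.
    if ds["algorithm"] != algorithm or ds["key_tag"] != key_tag(rdata):
        return False
    if ds["digest_type"] not in DIGEST_TYPES:
        return False  # unknown digest type: treat the DS as unusable, not as a match
    expected = ds_digest(owner, rdata, ds["digest_type"])
    if not hmac.compare_digest(ds["digest"], expected):
        return False
    # The added check: the DNSKEY referred to by a DS MUST be a zone key.
    if require_zone_key and not (flags & ZONE_KEY_FLAG):
        return False
    return True


if __name__ == "__main__":
    pk = bytes(range(32))  # constructed placeholder key material, not a real key
    ds = make_ds("example.com.", 0x0000, 13, pk)  # DS published for a key WITHOUT the zone key bit
    print("before fix:", ds_covers(ds, "example.com.", 0x0000, 13, pk, require_zone_key=False))
    print("after fix: ", ds_covers(ds, "example.com.", 0x0000, 13, pk))
```

A DS whose digest matches a DNSKEY that lacks the Zone Key flag is accepted by the digest-only path and rejected once the flag is enforced, while a key with flags 0x0101 (zone key plus SEP) still matches; the name comparison is case-insensitive because both sides are canonicalised before hashing.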


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
