[PR #2399] [MERGED] ensure DNSKEY is validated with a KSK #3013

Closed
opened 2026-03-16 11:20:24 +03:00 by kerem · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/hickory-dns/hickory-dns/pull/2399
Author: @japaric
Created: 8/30/2024
Status: Merged
Merged: 9/3/2024
Merged by: @listochkin

Base: main ← Head: ja-ensure-dnskey-is-signed-with-ksk


📝 Commits (4)

  • ab828ed dns-test: double sign the DNSKEY record set
  • 609ff76 dns-test: add DNSKEY::calculate_key_tag
  • ebd3019 conformance: DNSKEY was signed with ZSK
  • 24e1c22 do not validate DNSKEY RRSIGs using a ZSK

📊 Changes

9 files changed (+149 additions, -7 deletions)


📝 conformance/Cargo.lock (+9 -2)
📝 conformance/packages/conformance-tests/src/resolver/dnssec/scenarios/bogus.rs (+97 -2)
📝 conformance/packages/dns-test/Cargo.toml (+1 -0)
📝 conformance/packages/dns-test/src/record.rs (+32 -0)
📝 conformance/packages/dns-test/src/zone_file/signer.rs (+1 -1)
📝 crates/proto/src/rr/dnssec/rdata/dnskey.rs (+6 -0)
📝 crates/proto/src/xfer/dnssec_dns_handle.rs (+2 -0)
📝 tests/ede-dot-com/Cargo.lock (+1 -0)
📝 tests/ede-dot-com/src/lib.rs (+0 -2)

📄 Description

ports and fixes no-rrsig-ksk from ede-dot-com

this fixes the last two false positive scenarios in ede-dot-com

I think I spotted at least two more places where the lack of DNSKEY checks ("is this a ZSK?", "is this a KSK?") could cause issues. None of the remaining scenarios in ede-dot-com hits those paths so I'll try to write some tests first before I add any additional check to the DNSSEC validation code.

fixes #2389

this PR depends on #2396 so opening as a draft PR until that gets merged


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
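The rule named in the last commit ("do not validate DNSKEY RRSIGs using a ZSK") and the `DNSKEY::calculate_key_tag` helper, shown as an added, self-contained illustration that is not hickory-dns code: the key tag is computed from the DNSKEY RDATA as in RFC 4034 Appendix B, and a key may validate the RRSIG over the DNSKEY RRset only if its tag matches and it is a KSK. Classifying a KSK by the Zone Key plus SEP flags (257) is an assumption of this example; the page does not show the project's own criterion.

```rust
// Added illustration (not hickory-dns code): compute RFC 4034 key tags,
// classify DNSKEYs by their flags, and select which keys may validate the
// RRSIG over a DNSKEY RRset. A ZSK whose tag matches is not accepted.

/// Minimal DNSKEY RDATA (RFC 4034 section 2): flags, protocol, algorithm, key.
#[derive(Debug, Clone)]
pub struct DnsKey {
    pub flags: u16,
    pub protocol: u8,
    pub algorithm: u8,
    pub public_key: Vec<u8>,
}

const ZONE_KEY: u16 = 0x0100; // bit 7: the key signs zone data
const SEP: u16 = 0x0001; // bit 15: Secure Entry Point (KSK convention)

impl DnsKey {
    /// Wire-format RDATA, which is the input to the key-tag computation.
    pub fn rdata(&self) -> Vec<u8> {
        let mut out = self.flags.to_be_bytes().to_vec();
        out.push(self.protocol);
        out.push(self.algorithm);
        out.extend_from_slice(&self.public_key);
        out
    }

    /// Key tag per RFC 4034 Appendix B (for all algorithms except 1):
    /// sum odd bytes as-is and even bytes shifted left by 8, then fold.
    pub fn calculate_key_tag(&self) -> u16 {
        let rdata = self.rdata();
        let mut ac: u32 = 0;
        for (i, b) in rdata.iter().enumerate() {
            ac += if i & 1 == 1 { *b as u32 } else { (*b as u32) << 8 };
        }
        ac += (ac >> 16) & 0xFFFF;
        (ac & 0xFFFF) as u16
    }

    /// Assumed KSK test: both the Zone Key and SEP flags set (flags == 257).
    pub fn is_ksk(&self) -> bool {
        self.flags & (ZONE_KEY | SEP) == (ZONE_KEY | SEP)
    }
}

/// Keys allowed to validate an RRSIG over the DNSKEY RRset itself: the
/// key tag must match *and* the key must be a KSK, so a ZSK never qualifies.
pub fn dnskey_signers(keys: &[DnsKey], rrsig_key_tag: u16) -> Vec<&DnsKey> {
    keys.iter()
        .filter(|k| k.calculate_key_tag() == rrsig_key_tag && k.is_ksk())
        .collect()
}
```

With a constructed KSK and ZSK that differ only in the flags, the two keys get different tags, and an RRSIG carrying the ZSK's tag yields no acceptable signer.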
