BIND 10 trac2387, updated. dfd5516cd85bfda7bab56d161082d2ce74330e2b [2387] Permit missing key data in DNSKEY RDATA
BIND 10 source code commits
bind10-changes at lists.isc.org
Wed Apr 3 07:09:09 UTC 2013
The branch, trac2387 has been updated
via dfd5516cd85bfda7bab56d161082d2ce74330e2b (commit)
from 4778557e13c231f1bd2cde5d0950b68de920d8cd (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit dfd5516cd85bfda7bab56d161082d2ce74330e2b
Author: Mukund Sivaraman <muks at isc.org>
Date: Wed Apr 3 12:32:33 2013 +0530
[2387] Permit missing key data in DNSKEY RDATA
-----------------------------------------------------------------------
Summary of changes:
src/lib/dns/rdata/generic/dnskey_48.cc | 30 +++++++++++++++-------------
src/lib/dns/tests/rdata_dnskey_unittest.cc | 16 ++++++++-------
2 files changed, 25 insertions(+), 21 deletions(-)
-----------------------------------------------------------------------
diff --git a/src/lib/dns/rdata/generic/dnskey_48.cc b/src/lib/dns/rdata/generic/dnskey_48.cc
index e53f797..a903623 100644
--- a/src/lib/dns/rdata/generic/dnskey_48.cc
+++ b/src/lib/dns/rdata/generic/dnskey_48.cc
@@ -98,14 +98,16 @@ DNSKEY::DNSKEY(InputBuffer& buffer, size_t rdata_len) {
const uint16_t algorithm = buffer.readUint8();
rdata_len -= 4;
- // Though the size of the public key is algorithm-dependent, we
- // assume that it should not be empty.
- if (rdata_len < 1) {
- isc_throw(InvalidRdataLength, "DNSKEY keydata too short");
- }
- vector<uint8_t> keydata(rdata_len);
- buffer.readData(&keydata[0], rdata_len);
+ vector<uint8_t> keydata;
+ // If key data is missing, it's OK. BIND 9 seems to accept such
+ // cases. What we should do could be debatable, but since this field
+ // is algorithm dependent and our implementation doesn't reject
+ // unknown algorithms, we are lenient here.
+ if (rdata_len > 0) {
+ keydata.resize(rdata_len);
+ buffer.readData(&keydata[0], rdata_len);
+ }
// See RFC 4034 appendix B.1 for why the key data has to be at least
// 3 bytes long with RSA/MD5.
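Review bot: Empty `keydata` becomes a legal state for every algorithm except RSA/MD5 once `if (rdata_len > 0)` replaces the throw, and this constructor parses wire data that may come from an untrusted peer. The guard keeps `&keydata[0]` off an empty vector here, but the rendering, comparison and key-tag code lies outside this hunk, and any place there that indexes the key data or takes the address of its first element needs the same check. The comment should state that invariant and not only the BIND 9 precedent, for example `// keydata may be empty from here on; never index it without checking empty()`. The same concern applies to the text path in constructFromLexer. The constructor starts and ends outside the hunk, including whatever validates rdata_len before `rdata_len -= 4`.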
@@ -178,14 +180,14 @@ DNSKEY::constructFromLexer(MasterLexer& lexer) {
lexer.ungetToken();
- // Check that some key data was read before end of input was
- // reached.
- if (keydata_str.size() == 0) {
- isc_throw(InvalidRdataText, "Missing DNSKEY digest");
- }
-
vector<uint8_t> keydata;
- decodeBase64(keydata_str, keydata);
+ // If key data is missing, it's OK. BIND 9 seems to accept such
+ // cases. What we should do could be debatable, but since this field
+ // is algorithm dependent and our implementation doesn't reject
+ // unknown algorithms, we are lenient here.
+ if (keydata_str.size() > 0) {
+ decodeBase64(keydata_str, keydata);
+ }
// See RFC 4034 appendix B.1 for why the key data has to be at least
// 3 bytes long with RSA/MD5.
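Review bot: `if (keydata_str.size() > 0)` reads more directly as `if (!keydata_str.empty())`. The five-line rationale comment is a verbatim copy of the one in the wire constructor. Keeping the full text in one place and pointing to it here (`// Missing key data is accepted; see the wire constructor for the rationale.`) stops the two copies drifting apart. If decodeBase64 already accepts an empty string, which is not visible here, the guard could be dropped altogether. constructFromLexer continues outside the hunk.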
diff --git a/src/lib/dns/tests/rdata_dnskey_unittest.cc b/src/lib/dns/tests/rdata_dnskey_unittest.cc
index e99fc58..8e90c15 100644
--- a/src/lib/dns/tests/rdata_dnskey_unittest.cc
+++ b/src/lib/dns/tests/rdata_dnskey_unittest.cc
@@ -99,8 +99,8 @@ TEST_F(Rdata_DNSKEY_Test, fromText) {
// Delimited number in key data is OK
checkFromText_None("257 3 5 YmluZDEwLmlzYy 5 vcmc=");
- // Key data missing
- checkFromText_InvalidText("257 3 5");
+ // Missing keydata is OK
+ EXPECT_NO_THROW(const generic::DNSKEY rdata_dnskey3("257 3 5"));
// Flags field out of range
checkFromText_InvalidText("65536 3 5 YmluZDEwLmlzYy5vcmc=");
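Review bot: The new `EXPECT_NO_THROW` only shows that `"257 3 5"` can be constructed; it does not pin that the algorithm-specific minimum still applies in text form now that the generic "missing key data" rejection is gone. A companion case for RSA/MD5 with no key data would cover that, along the lines of `EXPECT_THROW(const generic::DNSKEY k("257 3 1"), EXCEPTION_TYPE);`, where EXCEPTION_TYPE stands for whatever the RSA/MD5 length check throws. Whether such a case already exists elsewhere in this test is not visible from the hunk.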
@@ -171,11 +171,13 @@ TEST_F(Rdata_DNSKEY_Test, createFromWire) {
EXPECT_EQ(0, rdata_dnskey.compare(
*rdataFactoryFromFile(RRType("DNSKEY"), RRClass("IN"),
"rdata_dnskey_fromWire.wire")));
- // Empty keydata should throw
- EXPECT_THROW(rdataFactoryFromFile
- (RRType("DNSKEY"), RRClass("IN"),
- "rdata_dnskey_empty_keydata_fromWire.wire"),
- InvalidRdataLength);
+
+ // Missing keydata is OK
+ const generic::DNSKEY rdata_dnskey_missing_keydata("257 3 5");
+ EXPECT_EQ(0, rdata_dnskey_missing_keydata.compare(
+ *rdataFactoryFromFile(RRType("DNSKEY"), RRClass("IN"),
+ "rdata_dnskey_empty_keydata_fromWire.wire")));
+
// Short keydata for RSA/MD5 should throw
EXPECT_THROW(rdataFactoryFromFile
(RRType("DNSKEY"), RRClass("IN"),
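Review bot: The "Missing keydata is OK" case stops at `compare()`, so nothing renders the empty-key object back out, and rendering is where an empty vector would be indexed if that code assumes at least one byte. Adding `EXPECT_NO_THROW(rdata_dnskey_missing_keydata.toText());` and an equivalent toWire round trip against the same fixture would exercise those paths. The following EXPECT_THROW statement is cut off at the end of the hunk.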