3
4
Fork
You've already forked validns
5

fix: suppress DS/CDS/DLV cascade on unsupported algorithm #114

Merged
jelu merged 7 commits from tobez/validns:fix-issue-104-ds-cds-dlv-cascade into main 2026年05月11日 11:50:52 +02:00
Collaborator
Copy link

A DS, CDS, or DLV record whose algorithm field is unrecognized or disabled by the system crypto policy currently triggers a cascade of follow-on errors: each RRSIG covering the record is reported as orphaned, and the NSEC bitmap (or NSEC3 opt-out chain) is reported as referring to a non-existing record. The root-cause message itself omits the domain name and record type. Roy Arends reported this for a TLD-shaped zone where every signed delegation to a child with an unsupported algorithm produces three lines instead of one.

extract_algorithm now reports its status via a flags out-parameter and no longer rejects the record on the caller's behalf. DS, CDS, and DLV parsers keep the record (with rr->algorithm set to the raw integer) and emit one record-level message in the unrecognized-algorithm case; the policy-disabled case stays silent at the record level since the existing one-shot global warning is sufficient. Other callers (DNSKEY, RRSIG, CERT) preserve their current drop-and-bitch behavior via mechanical caller updates.

Tests cover NSEC and NSEC3-opt-out variants for the unrecognized-algorithm path, plus a SHA-1-disabled variant for the policy-disabled path (activates on RHEL9-style platforms via the existing $sha1_disabled gate).

Fixes: #104

A DS, CDS, or DLV record whose algorithm field is unrecognized or disabled by the system crypto policy currently triggers a cascade of follow-on errors: each RRSIG covering the record is reported as orphaned, and the NSEC bitmap (or NSEC3 opt-out chain) is reported as referring to a non-existing record. The root-cause message itself omits the domain name and record type. Roy Arends reported this for a TLD-shaped zone where every signed delegation to a child with an unsupported algorithm produces three lines instead of one. `extract_algorithm` now reports its status via a flags out-parameter and no longer rejects the record on the caller's behalf. DS, CDS, and DLV parsers keep the record (with `rr->algorithm` set to the raw integer) and emit one record-level message in the unrecognized-algorithm case; the policy-disabled case stays silent at the record level since the existing one-shot global warning is sufficient. Other callers (DNSKEY, RRSIG, CERT) preserve their current drop-and-bitch behavior via mechanical caller updates. Tests cover NSEC and NSEC3-opt-out variants for the unrecognized-algorithm path, plus a SHA-1-disabled variant for the policy-disabled path (activates on RHEL9-style platforms via the existing `$sha1_disabled` gate). Fixes: https://codeberg.org/DNS-OARC/validns/issues/104
chore: add changelog entry for issue #104 fix
All checks were successful
builds.sr.ht/freebsd Job completed
builds.sr.ht/openbsd Job completed
test / debian (pull_request) Successful in 41s
test / ubuntu (pull_request) Successful in 42s
test / centos (pull_request) Successful in 55s
test / scan-build (pull_request) Successful in 1m6s
5e1eaf655b
Owner
Copy link

@tobez why generate signatures with 4y validation if you're specifying what now() it should check against?

@tobez why generate signatures with 4y validation if you're specifying what `now()` it should check against?
Author
Collaborator
Copy link

@jelu wrote in #114 (comment):

@tobez why generate signatures with 4y validation if you're specifying what now() it should check against?

Because it is a test zone and it does not matter at all for the functionality in question.

@jelu wrote in https://codeberg.org/DNS-OARC/validns/pulls/114#issuecomment-14653422: > @tobez why generate signatures with 4y validation if you're specifying what `now()` it should check against? Because it is a test zone and it does not matter at all for the functionality in question.
Owner
Copy link

@tobez wrote in #114 (comment):

Because it is a test zone and it does not matter at all for the functionality in question.

OK, just that comments like # Signing window: wide enough that test-time stays inside it for years. is kinda weird since you could essentially have a signing window in seconds because you're always defining now().

@tobez wrote in https://codeberg.org/DNS-OARC/validns/pulls/114#issuecomment-14654487: > Because it is a test zone and it does not matter at all for the functionality in question. OK, just that comments like `# Signing window: wide enough that test-time stays inside it for years.` is kinda weird since you could essentially have a signing window in seconds because you're always defining `now()`.
Owner
Copy link

#build

#build
Author
Collaborator
Copy link

@jelu wrote in #114 (comment):

@tobez wrote in #114 (comment):

Because it is a test zone and it does not matter at all for the functionality in question.

OK, just that comments like # Signing window: wide enough that test-time stays inside it for years. is kinda weird since you could essentially have a signing window in seconds because you're always defining now().

I agree, the comment is misleading - I will add it to a future clean-up task.

@jelu wrote in https://codeberg.org/DNS-OARC/validns/pulls/114#issuecomment-14654961: > @tobez wrote in #114 (comment): > > > Because it is a test zone and it does not matter at all for the functionality in question. > > OK, just that comments like `# Signing window: wide enough that test-time stays inside it for years.` is kinda weird since you could essentially have a signing window in seconds because you're always defining `now()`. I agree, the comment is misleading - I will add it to a future clean-up task.
Owner
Copy link

@tobez wrote in #114 (comment):

I agree, the comment is misleading - I will add it to a future clean-up task.

Thanks, and sorry for merging too quickly :)

@tobez wrote in https://codeberg.org/DNS-OARC/validns/pulls/114#issuecomment-14655561: > I agree, the comment is misleading - I will add it to a future clean-up task. Thanks, and sorry for merging too quickly :)
Sign in to join this conversation.
No reviewers
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
DNS-OARC/validns!114
Reference in a new issue
DNS-OARC/validns
No description provided.
Delete branch "tobez/validns:fix-issue-104-ds-cds-dlv-cascade"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?