authorLennart Poettering <lennart@poettering.net>2016-01-03 17:57:44 +0100
committerLennart Poettering <lennart@poettering.net>2016-01-03 17:57:44 +0100
commit2a0d751be498be89e18f130ca02b2197f83b6baa (patch)
treec89efc18051783c969935a42cd802c5c6d2a6e68
parent28b8191e2f391f043d380d47eb79ed9ff66f14bd (diff)
resolved: refuse revoked DNSKEYs in trust anchor
-rw-r--r--src/resolve/resolved-dns-trust-anchor.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/src/resolve/resolved-dns-trust-anchor.c b/src/resolve/resolved-dns-trust-anchor.c
index 03c5b9406e..bcb31bd426 100644
--- a/src/resolve/resolved-dns-trust-anchor.c
+++ b/src/resolve/resolved-dns-trust-anchor.c
@@ -188,6 +188,14 @@ static int dns_trust_anchor_load_positive(DnsTrustAnchor *d, const char *path, u
r = safe_atou16(flags, &f);
if (r < 0)
return log_warning_errno(r, "Failed to parse DNSKEY flags field %s on line %s:%u", flags, path, line);
+ if ((f & DNSKEY_FLAG_ZONE_KEY) == 0) {
+ log_warning("DNSKEY lacks zone key bit set on line %s:%u", path, line);
+ return -EINVAL;
+ }
+ if ((f & DNSKEY_FLAG_REVOKE)) {
+ log_warning("DNSKEY is already revoked on line %s:%u", path, line);
+ return -EINVAL;
+ }
a = dnssec_algorithm_from_string(algorithm);
if (a < 0) {