File bind-9.18-CVE-2025-8677.patch of Package bind.41290

commit 0df8da69d0c17ab54aceca766d21741a9f8af1a6
Author: Michał Kępień <michal@isc.org>
Date:   Thu Oct 2 12:58:05 2025 +0200

    [9.18] [CVE-2025-8677] sec: usr: DNSSEC validation fails if matching but invalid DNSKEY is found
    
    Previously, if a matching but cryptographically invalid key was encountered during
    DNSSEC validation, the key was skipped and not counted
    towards validation failures. :iscman:`named` now treats such DNSSEC keys
    as hard failures and the DNSSEC validation fails immediately, instead of
    continuing with the next DNSKEYs in the RRset.
    
    ISC would like to thank Zuyao Xu and Xiang Li from the All-in-One
    Security and Privacy Laboratory at Nankai University for bringing this
    vulnerability to our attention.
    
    Backport of MR !821
    
    Closes isc-projects/bind9#5343
    
    Merge branch '5343-security-count-invalid-keys-into-validation-fails-9.18' into 'v9.18.40-release'
    
    See merge request isc-private/bind9!843

diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index 712fc0755a..582058b3a7 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -431,6 +431,8 @@ fetch_callback_dnskey(isc_task_t *task, isc_event_t *event) {
 			result = select_signing_key(val, rdataset);
 			if (result == ISC_R_SUCCESS) {
 				val->keyset = &val->frdataset;
+			} else {
+				val->failed = true;
 			}
 		}
 		result = validate_answer(val, true);
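Review bot: The new `else` branch marks the validator failed for every non-success return of select_signing_key, including ISC_R_NOTFOUND, whereas the seek_dnskey hunk in this same patch singles out ISC_R_NOTFOUND as a soft "key not in the RRset" case and continues. If a fetched DNSKEY RRset that merely lacks the signer's key is still meant to be skipped rather than fail hard (an RRSIG from a key already withdrawn from the zone, for example), the assignment should be gated: `} else if (result != ISC_R_NOTFOUND) { val->failed = true; }`. If failing hard on NOTFOUND here is deliberate, a one-line comment saying why the two paths differ would stop the next reader from "fixing" the inconsistency. fetch_callback_dnskey starts and ends outside this hunk, so I cannot see how `val->failed` is consumed downstream.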
@@ -1161,6 +1163,8 @@ select_signing_key(dns_validator_t *val, dns_rdataset_t *rdataset) {
 				goto done;
 			}
 			dst_key_free(&val->key);
+		} else {
+			break;
 		}
 		dns_rdata_reset(&rdata);
 		result = dns_rdataset_next(rdataset);
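Review bot: The new `break` fires for any DNSKEY in the RRset that dst_key_fromdns cannot parse, because the algorithm/keytag comparison against the RRSIG lives in the success branch above it (outside the visible lines) and is never reached for a parse failure. That is broader than the "matching but invalid" key the commit message describes: a single unparseable record — presumably including a key whose algorithm this build does not support, if dst_key_fromdns rejects those — would abort the search before the key that actually matches the signature is examined, turning a zone with one odd DNSKEY into a hard validation failure. Consider comparing the raw rdata against `val->siginfo` before parsing and skipping non-matching records, so that only a parse failure of a matching key is fatal; e.g. `isc_region_t r = { rdata.data, rdata.length };` followed by `if (rdata.data[3] != siginfo->algorithm || dst_region_computeid(&r) != siginfo->keyid) { dns_rdata_reset(&rdata); result = dns_rdataset_next(rdataset); continue; }` ahead of dst_key_fromdns (DNSKEY wire format puts the algorithm in the fourth byte). select_signing_key begins and ends outside this hunk, so the exact placement needs checking against the loop's iteration step.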
@@ -1285,13 +1289,15 @@ seek_dnskey(dns_validator_t *val) {
 				      "keyset with trust %s",
 				      dns_trust_totext(val->frdataset.trust));
 			result = select_signing_key(val, val->keyset);
-			if (result != ISC_R_SUCCESS) {
+			if (result == ISC_R_NOTFOUND) {
 				/*
-				 * Either the key we're looking for is not
-				 * in the rrset, or something bad happened.
-				 * Give up.
+				 * The key we're looking for is not
+				 * in the rrset
 				 */
 				result = DNS_R_CONTINUE;
+			} else if (result != ISC_R_SUCCESS) {
+				/* Something bad happened. Give up. */
+				break;
 			}
 		}
 		break;
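Review bot: The new `else if (result != ISC_R_SUCCESS)` branch propagates the raw error from select_signing_key without logging it, although the lines just above show this code path already uses validator_log for diagnostics. Since this branch is a newly introduced hard failure from a security fix, an operator seeing a sudden SERVFAIL for a previously validating zone will want the reason in the log; add `validator_log(val, ISC_LOG_DEBUG(3), "select_signing_key failed: %s", isc_result_totext(result));` before the `break`. Whether the caller turns this result into a validation failure or a fetch error depends on code after the switch, which is outside this hunk. The comment at "The key we're looking for is not in the rrset" should also end with a period to match the surrounding comment style.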
@@ -1411,7 +1417,7 @@ selfsigned_dnskey(dns_validator_t *val) {
 			result = dns_dnssec_keyfromrdata(name, &keyrdata, mctx,
 							 &dstkey);
 			if (result != ISC_R_SUCCESS) {
-				continue;
+				return result;
 			}
 
 			/*
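Review bot: The replacement `return result` hands the raw dns_dnssec_keyfromrdata error (a DST_R_* or ISC_R_* code) to the caller, whereas selfsigned_dnskey's other exits presumably report a success/no-match style result; the caller's handling of that third kind of value must treat it as a hard failure and not fall into a "not self-signed, try the next key" path, which I cannot confirm because the function and its caller are outside this hunk. The change also loses any explanation of why a parse failure is now fatal, so add a comment in place of the old bare `continue`, e.g. `/* A key matching this RRSIG that cannot be parsed is a hard failure (CVE-2025-8677), not something to skip. */`. Returning early here does not leak `dstkey`, assuming dns_dnssec_keyfromrdata leaves it NULL on failure as the `dstkey = NULL` reset before each call suggests.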
@@ -1680,10 +1686,7 @@ check_signer(dns_validator_t *val, dns_rdata_t *keyrdata, uint16_t keyid,
 				val->event->name, keyrdata, val->view->mctx,
 				&dstkey);
 			if (result != ISC_R_SUCCESS) {
-				/*
-				 * This really shouldn't happen, but...
-				 */
-				continue;
+				return result;
 			}
 		}
 		result = verify(val, dstkey, &rdata, sig.keyid);
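Review bot: The removed comment explained the old `continue`, but the new `return result` — the security-relevant line of this hunk — is left uncommented; a reader later will not know that returning the parse error is deliberate. Replace it with something like `/* Hard failure: a DNSKEY selected by the DS must parse; skipping it would let an attacker-controlled broken key bypass the check (CVE-2025-8677). */`. Note also that whether this actually terminates validation depends on the caller: if it only tests `result == ISC_R_SUCCESS` and moves on to the next DS, this early return behaves much like the old `continue` at DS granularity, so the caller (outside this hunk) should be checked to treat any non-success from check_signer as final. No `dstkey` is leaked on this path, assuming dns_dnssec_keyfromrdata does not assign it on failure. check_signer begins and ends outside this hunk.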