From b50a95e40ba2e1ffcb087199121c803589acc984 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= <vladimir.cunat@nic.cz>
Date: Thu, 13 Mar 2025 12:31:03 +0100
Subject: [PATCH] libdnssec: ignore reserved bits in DNSKEY flags

Otherwise Knot Resolver would be breaking a MUST at the very end of
https://datatracker.ietf.org/doc/html/rfc4034#section-2.1.1

Real-life example:
https://mailarchive.ietf.org/arch/msg/dd/W4lOTgd8-3NF0pbjtqP7YUz6Puk/
---
 src/libdnssec/key/dnskey.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/libdnssec/key/dnskey.c b/src/libdnssec/key/dnskey.c
index 6360700acb..9a3a665e16 100644
--- a/src/libdnssec/key/dnskey.c
+++ b/src/libdnssec/key/dnskey.c
@@ -64,7 +64,7 @@ int dnskey_rdata_to_crypto_key(const dnssec_binary_t *rdata, gnutls_pubkey_t *ke
 	flags_hi = wire_ctx_read_u8(&wire);
 	wire_ctx_set_offset(&wire, DNSKEY_RDATA_OFFSET_PROTOCOL);
 	protocol = wire_ctx_read_u8(&wire);
-	if (flags_hi != 0x1 || protocol != 0x3) {
+	if (!(flags_hi & 0x1) || protocol != 0x3) {
 		return DNSSEC_INVALID_PUBLIC_KEY;
 	}
 
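Review bot: The new condition on the `+` line keeps `0x1` as a bare magic number, so the reader has to know that RFC 4034 numbers the flag bits MSB-first and that the Zone Key flag (bit 7) is the low-order bit of the high octet; a comment above the `if` would make both the intent and the deliberate tolerance explicit: `/* Bit 7 (Zone Key) must be set; RFC 4034 §2.1.1 says the remaining bits of this octet are reserved and MUST be ignored on receipt. */`. Only the high octet of the flags field is examined in this hunk — the low octet carries the SEP bit (15) and, per RFC 5011, the REVOKE bit (8) — so if neither the rest of this function nor its callers look at REVOKE, a revoked key is still converted to a crypto key here, which is acceptable for a generic RDATA-to-key conversion only if revocation is handled at the trust-anchor layer. Rejecting Zone Key = 0 with DNSSEC_INVALID_PUBLIC_KEY remains consistent with the RFC's rule that such keys MUST NOT be used to verify RRSIGs. dnskey_rdata_to_crypto_key starts before and continues past this hunk.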
-- 
GitLab