RFC 5011 will crash resolver if key is rolled to an unsupported algorithm
Reported by: Matthijs Mekking matthijs@isc.org
PANIC if kresd performs 5011 and retrieves an unsupported algorithm
Summary
tl;dr: when kresd refreshes trust anchors and receives a DNSKEY with an unsupported DNSSEC algorithm, it exits with a PANIC:
PANIC: unprotected error in call to Lua API (/usr/local/lib/kdns_modules/trust_anchors.lua:208: invalid RR: 5011.isc.pletterpet.nl. 60 DNSKEY 257 3 16 GjgC97LCct7HZhArY9KRvynmXLKF/OGPCOX8jVqNaQ5Tj58lqxaNQ/tx2l8sftpLHHQj9KOsRzjN: invalid key algorithm)
Knot resolver versions used
knot-resolver-3.2.1
Steps to reproduce
1. Set up an authoritative zone, DNSSEC signed with a supported algorithm, for example RSA-SHA256 (8).
2. Start Knot resolver with a trust anchor file that contains the KSK for the authoritative zone:
   kresd -c config.test
3. Update the authoritative zone, add a new algorithm that is not supported by BIND, for example Ed448 (16).
4. Wait until kresd refreshes trust anchors.
You should hit the same error if, at step 2, the authoritative server already has the DNSKEY with the unsupported algorithm in the zone.
What is the current bug behavior?
The Knot resolver will exit with a PANIC.
What is the expected correct behavior?
The Knot resolver should log an error (or warning) and ignore the new key.
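The expected behavior in practice, as an added illustration that is not kresd's own code: a Python stand-in for the trust-anchor refresh that parses each DNSKEY RR in the class-less presentation form seen in the PANIC message, and logs and skips any key with an unsupported or unparseable algorithm instead of raising. The owner name, the supported-algorithm set and the key material are constructed for the example.

```python
import base64
import logging
from dataclasses import dataclass
log = logging.getLogger("trust_anchors")
# Algorithms this hypothetical resolver can validate (IANA DNSSEC algorithm numbers).
SUPPORTED_ALGORITHMS = {8: "RSASHA256", 13: "ECDSAP256SHA256", 15: "ED25519"}

@dataclass
class DnsKey:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    rdata: bytes  # wire-format RDATA: flags, protocol, algorithm, public key
    def key_tag(self) -> int:
        """Key tag per RFC 4034 Appendix B (algorithm 1 special case omitted)."""
        ac = 0
        for i, b in enumerate(self.rdata):
            ac += b << 8 if i % 2 == 0 else b
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

def parse_dnskey(line: str) -> DnsKey:
    """Parse '<owner> <ttl> DNSKEY <flags> <proto> <alg> <base64>'; raises ValueError when malformed."""
    fields = line.split()
    if len(fields) < 7 or fields[2] != "DNSKEY":
        raise ValueError(f"not a DNSKEY RR: {line!r}")
    flags, proto, alg = (int(x) for x in fields[3:6])
    key = base64.b64decode("".join(fields[6:]), validate=True)  # binascii.Error is a ValueError
    return DnsKey(fields[0], flags, proto, alg, flags.to_bytes(2, "big") + bytes([proto, alg]) + key)

def refresh_trust_anchors(rrset: list[str]) -> tuple[list[DnsKey], list[str]]:
    """Process a refreshed DNSKEY RRset; keys the resolver cannot use are logged and skipped."""
    accepted, warnings = [], []
    for line in rrset:
        try:
            key = parse_dnskey(line)
            if key.algorithm not in SUPPORTED_ALGORITHMS:
                raise ValueError(f"{key.owner} key tag {key.key_tag()}: unsupported algorithm {key.algorithm}")
            accepted.append(key)
        except ValueError as exc:  # never propagates, so a bad key cannot take the resolver down
            log.warning("ignoring DNSKEY: %s", exc)
            warnings.append(str(exc))
    return accepted, warnings

# Constructed sample RRset (dummy key material, not real keys):
SAMPLE_RRSET = ["example.test. 60 DNSKEY 257 3 8 AwEAAQ==",    # existing RSASHA256 KSK
                "example.test. 60 DNSKEY 257 3 16 AQIDBA==",   # KSK rolled to unsupported Ed448
                "example.test. 60 DNSKEY 257 3 8 !!!!"]        # corrupt base64 in the key field
```

Running `refresh_trust_anchors(SAMPLE_RRSET)` keeps only the algorithm 8 key and emits one warning each for the Ed448 key and the corrupt record.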
Relevant configuration files
config.test:
net = { '127.0.0.1', '::1' }
trust_anchors.config('trustanchors.conf', 0)
modules = { 'hints > iterate', 'stats', 'predict', }
cache.size = 10 * MB