The Verify function does not fully comply with RFC 4035 Section 5.3.1, leading to improper validation of RRSIG records. Specifically, the following constraints are not enforced:
Owner Name Mismatch:
The RRSIG owner name (rr.Hdr.Name) must match the RRset owner name. Currently, this validation is missing.
Signer Name Validation:
The RRSIG SignerName must correspond to the zone containing the RRset. The current implementation only checks against the DNSKEY name, which is insufficient.
Labels Field Validation:
The number of labels in the RRset owner name must be greater than or equal to the Labels field in the RRSIG. This validation is absent.
Steps to Reproduce
Modify TestSignVerify in dnssec_test.go in one of the following ways, then run the test:
Change soa.Hdr.Name to example.com.
Change sig.Hdr.Name to example.com.
Change soa.Hdr.Name to nl.
Expected Behavior
The test should fail due to:
Owner name mismatch.
Invalid SignerName.
Labels field mismatch.
Actual Behavior
The test passes incorrectly, indicating the constraints are not being enforced.
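The three RFC 4035 Section 5.3.1 constraints listed in the issue, written as a standalone check. This is an added example, not code from the issue or from the library; `CheckRRSIG`, its error values and the caller-supplied `zone` apex are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

var (
	ErrOwner  = errors.New("RRSIG owner name differs from RRset owner name")
	ErrSigner = errors.New("SignerName is not the zone containing the RRset")
	ErrLabels = errors.New("RRset owner name has fewer labels than RRSIG Labels")
)

// canon lowercases a name and drops the trailing dot (assumes no escaped dots).
func canon(name string) string { return strings.ToLower(strings.TrimSuffix(name, ".")) }

// countLabels returns the number of labels; the root name has zero.
func countLabels(name string) int {
	if c := canon(name); c != "" {
		return strings.Count(c, ".") + 1
	}
	return 0
}

// inZone reports whether name is at or below the zone apex.
func inZone(name, zone string) bool {
	n, z := canon(name), canon(zone)
	return z == "" || n == z || strings.HasSuffix(n, "."+z)
}

// CheckRRSIG returns every violated constraint; zone (hypothetical parameter)
// is the apex the caller has already established for the RRset.
func CheckRRSIG(rrsetOwner, sigOwner, signerName string, sigLabels uint8, zone string) []error {
	var errs []error
	if canon(rrsetOwner) != canon(sigOwner) {
		errs = append(errs, ErrOwner)
	}
	if canon(signerName) != canon(zone) || !inZone(rrsetOwner, zone) {
		errs = append(errs, ErrSigner)
	}
	if countLabels(rrsetOwner) < int(sigLabels) {
		errs = append(errs, ErrLabels)
	}
	return errs
}

func main() {
	fmt.Println(CheckRRSIG("nl.", "nl.", "nl.", 2, "nl.")) // constructed input
}
```

Comparing against only the DNSKEY owner name, as the issue describes, leaves the second check incomplete: the signer also has to be the apex of the zone that actually holds the RRset.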