ValidationFailure 'unknown key' is never thrown


Matthäus Wander

Dec 14, 2014, 9:43:21 AM
to dnspyth...@googlegroups.com
In dnssec.py, function _find_candidate_keys returns None when a matching
DNSKEY has not been found.
Function _validate_rrsig catches None inside of for-loop.
However, this catch will never be evaluated because None is not iterable
with a for-loop:

> File "C:\(...)\dns\dnssec.py", line 233, in _validate_rrsig
> for candidate_key in _find_candidate_keys(keys, rrsig):
> TypeError: 'NoneType' object is not iterable

Minor issue: you get a TypeError exception instead of ValidationFailure.
Suggestion for fix is attached.
unknown_key.patch

Matthäus Wander

Dec 16, 2014, 12:18:56 PM
to dnspyth...@googlegroups.com
* Matthäus Wander [2014-12-14 15:43]:
Related issue: _find_candidate_keys returns [] when the signer name
exists in key dictionary but algorithm or key tag do not match for
whatever reason. _validate_rrsig will return a generic ValidationFailure
'verify failure'.

Attached patch changes behavior to raise ValidationFailure 'unknown key'
when algorithm or key tag do not match.

unknown_key2.patch
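An added example, not the attached patch or dnspython's own code, that models both failure paths reported in this thread with simplified DNSKEY/RRSIG records: the `None` return that turns into a `TypeError`, and the `[]` return on an algorithm or key-tag mismatch that surfaces as a generic 'verify failure'. The hardened lookup raises ValidationFailure 'unknown key' on every no-usable-key path. The record classes, the function names `find_candidate_keys`/`classify` and the key values are assumptions of this example.

```python
from dataclasses import dataclass


class ValidationFailure(Exception):
    """Same exception name as dnssec.py uses; message tells the caller why."""


@dataclass(frozen=True)
class DNSKEY:          # simplified model of a DNSKEY record (constructed)
    algorithm: int
    key_tag: int
    public_key: bytes


@dataclass(frozen=True)
class RRSIG:           # simplified model of an RRSIG record (constructed)
    signer: str
    algorithm: int
    key_tag: int


def find_candidate_keys_buggy(keys, rrsig):
    """Behaviour described in the thread: None when the signer is unknown."""
    candidates = keys.get(rrsig.signer)
    if candidates is None:
        return None   # caller's 'for k in None' raises TypeError, not ValidationFailure
    return [k for k in candidates
            if k.algorithm == rrsig.algorithm and k.key_tag == rrsig.key_tag]


def find_candidate_keys(keys, rrsig):
    """Hardened lookup: unknown signer, algorithm or key tag all map to 'unknown key'."""
    candidates = keys.get(rrsig.signer) or []
    matching = [k for k in candidates
                if k.algorithm == rrsig.algorithm and k.key_tag == rrsig.key_tag]
    if not matching:
        raise ValidationFailure('unknown key')
    return matching


def validate_rrsig(keys, rrsig, verify):
    """Try each candidate key; 'verify' stands in for the cryptographic check."""
    for key in find_candidate_keys(keys, rrsig):
        if verify(key):
            return key
    raise ValidationFailure('verify failure')   # a key matched but the signature did not


def classify(keys, rrsig, verify=lambda key: True):
    """Return the outcome a caller observes: 'valid' or the failure message."""
    try:
        validate_rrsig(keys, rrsig, verify)
        return 'valid'
    except ValidationFailure as exc:
        return str(exc)


# constructed key set: one DNSKEY for 'example.' with algorithm 8 and key tag 12345
KEYS = {'example.': [DNSKEY(algorithm=8, key_tag=12345, public_key=b'constructed')]}
```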

Matthäus Wander

Dec 16, 2014, 12:24:17 PM
to dnspyth...@googlegroups.com
* Matthäus Wander [2014-12-16 18:18]:
> Attached patch changes behavior to raise ValidationFailure 'unknown key'
> when algorithm or key tag do not match.

Sent wrong file. Sorry for the noise.
unknown_key3.patch