From ac0ded1e0a1e717d093dcc941f203f44c55db9b3 Mon Sep 17 00:00:00 2001
From: Fatema BW
Date: Tue, 15 Jan 2019 17:38:43 -0500
Subject: [PATCH] Patch for the Revoked bit set in DNSKEY Flag A patch to parse the Revoked KSK flag combination in DNSKEY RR.
---
 src/analyzer/protocol/dns/DNS.cc | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/analyzer/protocol/dns/DNS.cc b/src/analyzer/protocol/dns/DNS.cc
index bf0c1a52b1..370a9bbc23 100644
--- a/src/analyzer/protocol/dns/DNS.cc
+++ b/src/analyzer/protocol/dns/DNS.cc
@@ -924,8 +924,10 @@ int DNS_Interpreter::ParseRR_DNSKEY(DNS_MsgInfo* msg,
 //Evaluating the size of remaining bytes for Public Key
 BroString* key = ExtractStream(data, len, rdlength - 4);
- if ( dflags != 256 and dflags != 257 and dflags != 0 )
+ if ( dflags != 256 and dflags != 257 and dflags != 0 and dflags != 385 )
 analyzer->Weird("DNSSEC_DNSKEY_Invalid_Flag", fmt("%d", dflags));
+ if ( dflags == 385 )
+ analyzer->Weird("DNSSEC_DNSKEY_Revoked_KSK", fmt("%d", dflags));
 if ( dprotocol != 3 )
 analyzer->Weird("DNSSEC_DNSKEY_Invalid_Protocol", fmt("%d", dprotocol));
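Review bot: The revoked-key test added in ParseRR_DNSKEY compares `dflags` with the literal 385, so only the exact combination Zone Key + REVOKE + SEP is recognised; a key carrying the REVOKE bit without SEP (384) still falls through to `DNSSEC_DNSKEY_Invalid_Flag`, which mislabels a revocation in the weird log. Testing the bit instead, `if ( dflags & 0x0080 )` for the `DNSSEC_DNSKEY_Revoked_KSK` weird and running the invalid-flag comparison on `dflags & ~0x0080`, covers every revoked key and removes the duplicated constant. Named constants for 256, 257 and the REVOKE bit (RFC 5011) would also make the condition readable without decoding the sums. The function body starts and ends outside the hunk, so how `dflags` is declared and extracted is not visible here.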