Merge branch 'patch-1' of https://github.com/fatemabw/zeek

* 'patch-1' of https://github.com/fatemabw/zeek: Patch for the Revoked bit set in DNSKEY Flag
2025-10-02 06:38:20 +00:00 · 2019-01-16 10:57:10 -06:00 · 2019-01-16 10:57:10 -06:00 · 5eab9b9d47
commit 5eab9b9d47
parent 5062f45d94 ac0ded1e0a
3 changed files with 13 additions and 2 deletions
--- a/4
+++ b/4
@ -1,4 +1,8 @@

+2.6-80 | 2019-01-16 11:14:47 -0600
+
+  * Patch to recognized the Revoked bit in DNSKEY Flag (Fatema BW)
+
 2.6-77 | 2019-01-15 14:24:55 -0600

  * GH-170: fix segfault triggered by invalid pattern symbols (Jon Siwek, Corelight)
--- a/2
+++ b/2
@ -1 +1 @@
-2.6-77
+2.6-80
--- a/src/analyzer/protocol/dns/DNS.cc
+++ b/src/analyzer/protocol/dns/DNS.cc
@ -924,9 +924,16 @@ int DNS_Interpreter::ParseRR_DNSKEY(DNS_MsgInfo* msg,
 	//Evaluating the size of remaining bytes for Public Key
 	BroString* key = ExtractStream(data, len, rdlength - 4);

-	if ( dflags != 256 and dflags != 257 and dflags != 0 )
+	// flags bit  7: zone key
+	// flags bit  8: revoked
+	// flags bit 15: Secure Entry Point, key signing key
+	if ( (dflags & 0xfe7e) != 0 )
 		analyzer->Weird("DNSSEC_DNSKEY_Invalid_Flag", fmt("%d", dflags));

+	// flags bit 7, 8, and 15 all set
+	if ( (dflags & 0x0181) == 0x0181 )
+		analyzer->Weird("DNSSEC_DNSKEY_Revoked_KSK", fmt("%d", dflags));
+
 	if ( dprotocol != 3 )
 		analyzer->Weird("DNSSEC_DNSKEY_Invalid_Protocol", fmt("%d", dprotocol));
 @ -1 +1 @@
 .6-77
 .6-80