As zone signing assumes, but does not check, that the zone is ordered…

…, add a check in debug builds (not in release builds as it is too costly) if the zone is correctly sorted before signing.
NLnetLabs · Jan 9, 2025 · b1f7a20 · b1f7a20
1 parent 681456a
commit b1f7a20
Showing 1 changed file with 11 additions and 0 deletions.
diff --git a/src/sign/mod.rs b/src/sign/mod.rs
@@ -392,6 +392,15 @@ where
 
 //------------ sign_zone() ---------------------------------------------------
 
+/// DNSSEC sign the given zone records.
+///
+/// Assumes that the given zone records are sorted according to
+/// [`CanonicalOrd`]. The behaviour is undefined otherwise.
+///
+/// # Panics
+///
+/// This function will panic in debug builds if the given zone is not sorted
+/// according to [`CanonicalOrd`].
 pub fn sign_zone<N, Octs, S, DSK, Inner, KeyStrat, Sort, HP, T>(
     mut in_out: SignableZoneInOut<N, Octs, S, T, Sort>,
     apex: &N,
@@ -435,6 +444,8 @@ where
         return Err(SigningError::NoSoaFound);
     };
 
+    debug_assert!(in_out.as_slice().is_sorted_by(CanonicalOrd::canonical_le));
+
     // RFC 9077 updated RFC 4034 (NSEC) and RFC 5155 (NSEC3) to say that
     // the "TTL of the NSEC(3) RR that is returned MUST be the lesser of
     // the MINIMUM field of the SOA record and the TTL of the SOA itself".