From 30ca20f720ad0887772a79e7abb25b4fa0e4b5b0 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Fri, 9 Feb 2018 12:04:45 +1100
Subject: [PATCH] 4889. [func] Warn about the use of old root keys without the new root key being present. Warn about dlv.isc.org's key being present. Warn about both managed and trusted root keys being present. [RT #43670]

(cherry picked from commit baef0ca9886bb67d7c6a2ae0405e504ccdc0fb9f)
---
 CHANGES | 5 +
 bin/named/server.c | 12 +-
 .../system/checkconf/check-dlv-ksk-key.conf | 9 +
 .../system/checkconf/check-root-ksk-2010.conf | 13 ++
 .../system/checkconf/check-root-ksk-2017.conf | 16 ++
 .../system/checkconf/check-root-ksk-both.conf | 28 +++
 bin/tests/system/checkconf/tests.sh | 29 +++
 lib/bind9/check.c | 169 +++++++++++++++++-
 8 files changed, 272 insertions(+), 9 deletions(-)
 create mode 100644 bin/tests/system/checkconf/check-dlv-ksk-key.conf
 create mode 100644 bin/tests/system/checkconf/check-root-ksk-2010.conf
 create mode 100644 bin/tests/system/checkconf/check-root-ksk-2017.conf
 create mode 100644 bin/tests/system/checkconf/check-root-ksk-both.conf

diff --git a/CHANGES b/CHANGES
index 10f6a3c211..392e88d0f7 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,8 @@
+4889. [func] Warn about the use of old root keys without the new
+ root key being present. Warn about dlv.isc.org's
+ key being present. Warn about both managed and
+ trusted root keys being present. [RT #43670]
+
 4888. [test] Initialize sockets correctly in sample-update so that the nsupdate system test will run on Windows. [RT #47097]
diff --git a/bin/named/server.c b/bin/named/server.c
index 20a6e31388..0524f9cc61 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -7406,9 +7406,9 @@ load_configuration(const char *filename, ns_server_t *server,

 if (access(server->bindkeysfile, R_OK) == 0) {
 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_SERVER, ISC_LOG_INFO,
- "reading built-in trusted "
- "keys from file '%s'", server->bindkeysfile);
+ NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
+ "reading built-in trust anchors "
+ "from file '%s'", server->bindkeysfile);

 CHECK(cfg_parser_create(ns_g_mctx, ns_g_lctx,
 &bindkeys_parser));
@@ -7418,9 +7418,9 @@ load_configuration(const char *filename, ns_server_t *server,
 CHECK(result);
 } else {
 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_SERVER, ISC_LOG_INFO,
- "unable to open '%s' using built-in keys",
- server->bindkeysfile);
+ NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
+ "unable to open '%s'; using built-in keys "
+ "instead", server->bindkeysfile);
 }

 /* Ensure exclusive access to configuration data. */
diff --git a/bin/tests/system/checkconf/check-dlv-ksk-key.conf b/bin/tests/system/checkconf/check-dlv-ksk-key.conf
new file mode 100644
index 0000000000..1ee566d13f
--- /dev/null
+++ b/bin/tests/system/checkconf/check-dlv-ksk-key.conf
@@ -0,0 +1,9 @@
+trusted-keys {
+ dlv.isc.org 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWE
+ n4MxDCE1+lLy2brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8
+ +jAGl2FZLK8t+1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ
+ 2kJb56dhgMde5ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnG
+ xPPEmHAte/URkY62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mR
+ x/vwwMCTgNboMQKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWL
+ KjHzpT59k/VStTDN0YUuWrBNh";
+};
diff --git a/bin/tests/system/checkconf/check-root-ksk-2010.conf b/bin/tests/system/checkconf/check-root-ksk-2010.conf
new file mode 100644
index 0000000000..54a1b9ff0b
--- /dev/null
+++ b/bin/tests/system/checkconf/check-root-ksk-2010.conf
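Review bot: The two `isc_log_write()` calls now pass `NAMED_LOGMODULE_SERVER` while every unchanged line around them keeps this branch's `ns_g_lctx`, `ns_server_t` and `NS_LOGCATEGORY_GENERAL` names, which reads like an artifact of cherry-picking from a branch where the ns_/NS_ prefixes were renamed; unless `NAMED_LOGMODULE_SERVER` is defined on this branch, server.c will fail to compile. The reworded messages do not depend on the identifier, so both hunks (-7406 and -7418) should keep `NS_LOGMODULE_SERVER, ISC_LOG_INFO,` and change only the string literals. load_configuration() begins and ends outside these hunks.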
@@ -0,0 +1,13 @@
+trusted-keys {
+ # This key (19036) is to be phased out starting in 2017. It will
+ # remain in the root zone for some time after its successor key
+ # has been added. It will remain this file until it is removed from
+ # the root zone.
+ . 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
+ FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
+ bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
+ X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
+ W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
+ Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
+ QxA+Uk1ihz0=";
+};
diff --git a/bin/tests/system/checkconf/check-root-ksk-2017.conf b/bin/tests/system/checkconf/check-root-ksk-2017.conf
new file mode 100644
index 0000000000..7d83d4b16c
--- /dev/null
+++ b/bin/tests/system/checkconf/check-root-ksk-2017.conf
@@ -0,0 +1,16 @@
+trusted-keys {
+ # This key (20326) was published in the root zone in 2017.
+ # Servers which were already using the old key (19036) should
+ # roll seamlessly to this new one via RFC 5011 rollover. Servers
+ # being set up for the first time can use the contents of this
+ # file as initializing keys; thereafter, the keys in the
+ # managed key database will be trusted and maintained
+ # automatically.
+ . 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+ +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
+ ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
+ 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
+ oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
+ RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
+ R1AkUTV74bU=";
+};
diff --git a/bin/tests/system/checkconf/check-root-ksk-both.conf b/bin/tests/system/checkconf/check-root-ksk-both.conf
new file mode 100644
index 0000000000..091c9afbef
--- /dev/null
+++ b/bin/tests/system/checkconf/check-root-ksk-both.conf
@@ -0,0 +1,28 @@
+trusted-keys {
+ # This key (19036) is to be phased out starting in 2017. It will
+ # remain in the root zone for some time after its successor key
+ # has been added. It will remain this file until it is removed from
+ # the root zone.
+ . 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
+ FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
+ bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
+ X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
+ W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
+ Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
+ QxA+Uk1ihz0=";
+
+ # This key (20326) was published in the root zone in 2017.
+ # Servers which were already using the old key (19036) should
+ # roll seamlessly to this new one via RFC 5011 rollover. Servers
+ # being set up for the first time can use the contents of this
+ # file as initializing keys; thereafter, the keys in the
+ # managed key database will be trusted and maintained
+ # automatically.
+ . 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+ +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
+ ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
+ 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
+ oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
+ RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
+ R1AkUTV74bU=";
+};
diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh
index 495f381f3c..274bcf362b 100644
--- a/bin/tests/system/checkconf/tests.sh
+++ b/bin/tests/system/checkconf/tests.sh
@@ -352,5 +352,34 @@ $CHECKCONF good-dlv-dlv.example.com.conf > checkconf.out$n 2>/dev/null || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi
 status=`expr $status + $ret`

+n=`expr $n + 1`
+echo "I: check that the 2010 ICANN ROOT KSK without the 2017 ICANN ROOT KSK generates a warning ($n)"
+ret=0
+$CHECKCONF check-root-ksk-2010.conf > checkconf.out$n 2>/dev/null || ret=1
+[ -s checkconf.out$n ] || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi
+status=`expr $status + $ret`
+
+echo "I: check that the 2010 ICANN ROOT KSK with the 2017 ICANN ROOT KSK does not warning ($n)"
+ret=0
+$CHECKCONF check-root-ksk-both.conf > checkconf.out$n 2>/dev/null || ret=1
+[ -s checkconf.out$n ] && ret=1
+if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi
+status=`expr $status + $ret`
+
+echo "I: check that the 2017 ICANN ROOT KSK alone does not warning ($n)"
+ret=0
+$CHECKCONF check-root-ksk-2017.conf > checkconf.out$n 2>/dev/null || ret=1
+[ -s checkconf.out$n ] && ret=1
+if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi
+status=`expr $status + $ret`
+
+echo "I: check that the dlv.isc.org KSK generates a warning ($n)"
+ret=0
+$CHECKCONF good-dlv-dlv.example.com.conf > checkconf.out$n 2>/dev/null || ret=1
+[ -s checkconf.out$n ] || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi
+status=`expr $status + $ret`
+
 echo "I:exit status: $status"
 [ $status -eq 0 ] || exit 1
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index 06bf36a74a..01b838323c 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -2804,9 +2804,13 @@ check_servers(const cfg_obj_t *config, const cfg_obj_t *voptions,
 return (result);
 }

+#define ROOT_KSK_2010 0x1
+#define ROOT_KSK_2017 0x2
+#define DLV_KSK_KEY 0x4
+
 static isc_result_t
 check_trusted_key(const cfg_obj_t *key, isc_boolean_t managed,
- isc_log_t *logctx)
+ unsigned int *keyflags, isc_log_t *logctx)
 {
 const char *keystr, *keynamestr;
 dns_fixedname_t fkeyname;
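Review bot: `n` is incremented only before the first of the four new cases, so the three that follow write to the same `checkconf.out$n` and print the same test number in their `echo "I: check ..."` lines; each of them needs its own increment of `n` (the `expr $n + 1` assignment) first. The fourth case also runs `good-dlv-dlv.example.com.conf`, while the `check-dlv-ksk-key.conf` file created by this commit is never referenced; unless the good-dlv file happens to contain the dlv.isc.org key, `[ -s checkconf.out$n ] || ret=1` will fail, so the line should presumably read `$CHECKCONF check-dlv-ksk-key.conf > checkconf.out$n 2>/dev/null || ret=1`. The phrase "does not warning" in two of the echo strings reads oddly; "does not generate a warning" matches the other cases.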
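Review bot: The new `keyflags` out-parameter and the `ROOT_KSK_2010`/`ROOT_KSK_2017`/`DLV_KSK_KEY` defines carry no comment, and the function only ORs bits into `*keyflags` without ever clearing it, so a caller that does not zero its variable first inherits bits from an earlier call. Add above the defines `/* Bits that check_trusted_key() ORs into *keyflags to identify well-known anchors; callers must zero the variable before the first call. */`, and since the three values are related small integers an `enum` would be the more conventional form. check_servers() ends and check_trusted_key() begins inside this hunk, so the rest of the new function body is not visible here.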
@@ -2884,6 +2888,128 @@ check_trusted_key(const cfg_obj_t *key, isc_boolean_t managed,
 keynamestr);
 }

+ if (result == ISC_R_SUCCESS && dns_name_equal(keyname, dns_rootname)) {
+ static const unsigned char root_ksk_2010[] = {
+ 0x03, 0x01, 0x00, 0x01, 0xa8, 0x00, 0x20, 0xa9,
+ 0x55, 0x66, 0xba, 0x42, 0xe8, 0x86, 0xbb, 0x80,
+ 0x4c, 0xda, 0x84, 0xe4, 0x7e, 0xf5, 0x6d, 0xbd,
+ 0x7a, 0xec, 0x61, 0x26, 0x15, 0x55, 0x2c, 0xec,
+ 0x90, 0x6d, 0x21, 0x16, 0xd0, 0xef, 0x20, 0x70,
+ 0x28, 0xc5, 0x15, 0x54, 0x14, 0x4d, 0xfe, 0xaf,
+ 0xe7, 0xc7, 0xcb, 0x8f, 0x00, 0x5d, 0xd1, 0x82,
+ 0x34, 0x13, 0x3a, 0xc0, 0x71, 0x0a, 0x81, 0x18,
+ 0x2c, 0xe1, 0xfd, 0x14, 0xad, 0x22, 0x83, 0xbc,
+ 0x83, 0x43, 0x5f, 0x9d, 0xf2, 0xf6, 0x31, 0x32,
+ 0x51, 0x93, 0x1a, 0x17, 0x6d, 0xf0, 0xda, 0x51,
+ 0xe5, 0x4f, 0x42, 0xe6, 0x04, 0x86, 0x0d, 0xfb,
+ 0x35, 0x95, 0x80, 0x25, 0x0f, 0x55, 0x9c, 0xc5,
+ 0x43, 0xc4, 0xff, 0xd5, 0x1c, 0xbe, 0x3d, 0xe8,
+ 0xcf, 0xd0, 0x67, 0x19, 0x23, 0x7f, 0x9f, 0xc4,
+ 0x7e, 0xe7, 0x29, 0xda, 0x06, 0x83, 0x5f, 0xa4,
+ 0x52, 0xe8, 0x25, 0xe9, 0xa1, 0x8e, 0xbc, 0x2e,
+ 0xcb, 0xcf, 0x56, 0x34, 0x74, 0x65, 0x2c, 0x33,
+ 0xcf, 0x56, 0xa9, 0x03, 0x3b, 0xcd, 0xf5, 0xd9,
+ 0x73, 0x12, 0x17, 0x97, 0xec, 0x80, 0x89, 0x04,
+ 0x1b, 0x6e, 0x03, 0xa1, 0xb7, 0x2d, 0x0a, 0x73,
+ 0x5b, 0x98, 0x4e, 0x03, 0x68, 0x73, 0x09, 0x33,
+ 0x23, 0x24, 0xf2, 0x7c, 0x2d, 0xba, 0x85, 0xe9,
+ 0xdb, 0x15, 0xe8, 0x3a, 0x01, 0x43, 0x38, 0x2e,
+ 0x97, 0x4b, 0x06, 0x21, 0xc1, 0x8e, 0x62, 0x5e,
+ 0xce, 0xc9, 0x07, 0x57, 0x7d, 0x9e, 0x7b, 0xad,
+ 0xe9, 0x52, 0x41, 0xa8, 0x1e, 0xbb, 0xe8, 0xa9,
+ 0x01, 0xd4, 0xd3, 0x27, 0x6e, 0x40, 0xb1, 0x14,
+ 0xc0, 0xa2, 0xe6, 0xfc, 0x38, 0xd1, 0x9c, 0x2e,
+ 0x6a, 0xab, 0x02, 0x64, 0x4b, 0x28, 0x13, 0xf5,
+ 0x75, 0xfc, 0x21, 0x60, 0x1e, 0x0d, 0xee, 0x49,
+ 0xcd, 0x9e, 0xe9, 0x6a, 0x43, 0x10, 0x3e, 0x52,
+ 0x4d, 0x62, 0x87, 0x3d };
+ static const unsigned char root_ksk_2017[] = {
+ 0x03, 0x01, 0x00, 0x01, 0xac, 0xff, 0xb4, 0x09,
+ 0xbc, 0xc9, 0x39, 0xf8, 0x31, 0xf7, 0xa1, 0xe5,
+ 0xec, 0x88, 0xf7, 0xa5, 0x92, 0x55, 0xec, 0x53,
+ 0x04, 0x0b, 0xe4, 0x32, 0x02, 0x73, 0x90, 0xa4,
+ 0xce, 0x89, 0x6d, 0x6f, 0x90, 0x86, 0xf3, 0xc5,
+ 0xe1, 0x77, 0xfb, 0xfe, 0x11, 0x81, 0x63, 0xaa,
+ 0xec, 0x7a, 0xf1, 0x46, 0x2c, 0x47, 0x94, 0x59,
+ 0x44, 0xc4, 0xe2, 0xc0, 0x26, 0xbe, 0x5e, 0x98,
+ 0xbb, 0xcd, 0xed, 0x25, 0x97, 0x82, 0x72, 0xe1,
+ 0xe3, 0xe0, 0x79, 0xc5, 0x09, 0x4d, 0x57, 0x3f,
+ 0x0e, 0x83, 0xc9, 0x2f, 0x02, 0xb3, 0x2d, 0x35,
+ 0x13, 0xb1, 0x55, 0x0b, 0x82, 0x69, 0x29, 0xc8,
+ 0x0d, 0xd0, 0xf9, 0x2c, 0xac, 0x96, 0x6d, 0x17,
+ 0x76, 0x9f, 0xd5, 0x86, 0x7b, 0x64, 0x7c, 0x3f,
+ 0x38, 0x02, 0x9a, 0xbd, 0xc4, 0x81, 0x52, 0xeb,
+ 0x8f, 0x20, 0x71, 0x59, 0xec, 0xc5, 0xd2, 0x32,
+ 0xc7, 0xc1, 0x53, 0x7c, 0x79, 0xf4, 0xb7, 0xac,
+ 0x28, 0xff, 0x11, 0x68, 0x2f, 0x21, 0x68, 0x1b,
+ 0xf6, 0xd6, 0xab, 0xa5, 0x55, 0x03, 0x2b, 0xf6,
+ 0xf9, 0xf0, 0x36, 0xbe, 0xb2, 0xaa, 0xa5, 0xb3,
+ 0x77, 0x8d, 0x6e, 0xeb, 0xfb, 0xa6, 0xbf, 0x9e,
+ 0xa1, 0x91, 0xbe, 0x4a, 0xb0, 0xca, 0xea, 0x75,
+ 0x9e, 0x2f, 0x77, 0x3a, 0x1f, 0x90, 0x29, 0xc7,
+ 0x3e, 0xcb, 0x8d, 0x57, 0x35, 0xb9, 0x32, 0x1d,
+ 0xb0, 0x85, 0xf1, 0xb8, 0xe2, 0xd8, 0x03, 0x8f,
+ 0xe2, 0x94, 0x19, 0x92, 0x54, 0x8c, 0xee, 0x0d,
+ 0x67, 0xdd, 0x45, 0x47, 0xe1, 0x1d, 0xd6, 0x3a,
+ 0xf9, 0xc9, 0xfc, 0x1c, 0x54, 0x66, 0xfb, 0x68,
+ 0x4c, 0xf0, 0x09, 0xd7, 0x19, 0x7c, 0x2c, 0xf7,
+ 0x9e, 0x79, 0x2a, 0xb5, 0x01, 0xe6, 0xa8, 0xa1,
+ 0xca, 0x51, 0x9a, 0xf2, 0xcb, 0x9b, 0x5f, 0x63,
+ 0x67, 0xe9, 0x4c, 0x0d, 0x47, 0x50, 0x24, 0x51,
+ 0x35, 0x7b, 0xe1, 0xb5 };
+ if (flags == 257 && proto == 3 && alg == 8 &&
+ isc_buffer_usedlength(&b) == sizeof(root_ksk_2010) &&
+ !memcmp(keydata, root_ksk_2010, sizeof(root_ksk_2010))) {
+ *keyflags |= ROOT_KSK_2010;
+ }
+ if (flags == 257 && proto == 3 && alg == 8 &&
+ isc_buffer_usedlength(&b) == sizeof(root_ksk_2017) &&
+ !memcmp(keydata, root_ksk_2017, sizeof(root_ksk_2017))) {
+ *keyflags |= ROOT_KSK_2017;
+ }
+ }
+ if (result == ISC_R_SUCCESS && dns_name_equal(keyname, &dlviscorg)) {
+ static const unsigned char dlviscorgkey[] = {
+ 0x04, 0x40, 0x00, 0x00, 0x03, 0xc7, 0x32, 0xef,
+ 0xf9, 0xa2, 0x7c, 0xeb, 0x10, 0x4e, 0xf3, 0xd5,
+ 0xe8, 0x26, 0x86, 0x0f, 0xd6, 0x3c, 0xed, 0x3e,
+ 0x8e, 0xea, 0x19, 0xad, 0x6d, 0xde, 0xb9, 0x61,
+ 0x27, 0xe0, 0xcc, 0x43, 0x08, 0x4d, 0x7e, 0x94,
+ 0xbc, 0xb6, 0x6e, 0xb8, 0x50, 0xbf, 0x9a, 0xcd,
+ 0xdf, 0x64, 0x4a, 0xb4, 0xcc, 0xd7, 0xe8, 0xc8,
+ 0xfb, 0xd2, 0x37, 0x73, 0x78, 0xd0, 0xf8, 0x5e,
+ 0x49, 0xd6, 0xe7, 0xc7, 0x67, 0x24, 0xd3, 0xc2,
+ 0xc6, 0x7f, 0x3e, 0x8c, 0x01, 0xa5, 0xd8, 0x56,
+ 0x4b, 0x2b, 0xcb, 0x7e, 0xd6, 0xea, 0xb8, 0x5b,
+ 0xe9, 0xe7, 0x03, 0x7a, 0x8e, 0xdb, 0xe0, 0xcb,
+ 0xfa, 0x4e, 0x81, 0x0f, 0x89, 0x9e, 0xc0, 0xc2,
+ 0xdb, 0x21, 0x81, 0x70, 0x7b, 0x43, 0xc6, 0xef,
+ 0x74, 0xde, 0xf5, 0xf6, 0x76, 0x90, 0x96, 0xf9,
+ 0xe9, 0xd8, 0x60, 0x31, 0xd7, 0xb9, 0xca, 0x65,
+ 0xf8, 0x04, 0x8f, 0xe8, 0x43, 0xe7, 0x00, 0x2b,
+ 0x9d, 0x3f, 0xc6, 0xf2, 0x6f, 0xd3, 0x41, 0x6b,
+ 0x7f, 0xc9, 0x30, 0xea, 0xe7, 0x0c, 0x4f, 0x01,
+ 0x65, 0x80, 0xf7, 0xbe, 0x8e, 0x71, 0xb1, 0x3c,
+ 0xf1, 0x26, 0x1c, 0x0b, 0x5e, 0xfd, 0x44, 0x64,
+ 0x63, 0xad, 0x99, 0x7e, 0x42, 0xe8, 0x04, 0x00,
+ 0x03, 0x2c, 0x74, 0x3d, 0x22, 0xb4, 0xb6, 0xb6,
+ 0xbc, 0x80, 0x7b, 0xb9, 0x9b, 0x05, 0x95, 0x5c,
+ 0x3b, 0x02, 0x1e, 0x53, 0xf4, 0x70, 0xfe, 0x64,
+ 0x71, 0xfe, 0xfc, 0x30, 0x30, 0x24, 0xe0, 0x35,
+ 0xba, 0x0c, 0x40, 0xab, 0x54, 0x76, 0xf3, 0x57,
+ 0x0e, 0xb6, 0x09, 0x0d, 0x21, 0xd9, 0xc2, 0xcd,
+ 0xf1, 0x89, 0x15, 0xc5, 0xd5, 0x17, 0xfe, 0x6a,
+ 0x5f, 0x54, 0x99, 0x97, 0xd2, 0x6a, 0xff, 0xf8,
+ 0x35, 0x62, 0xca, 0x8c, 0x7c, 0xe9, 0x4f, 0x9f,
+ 0x64, 0xfd, 0x54, 0xad, 0x4c, 0x33, 0x74, 0x61,
+ 0x4b, 0x96, 0xac, 0x13, 0x61 };
+ if (flags == 257 && proto == 3 && alg == 5 &&
+ isc_buffer_usedlength(&b) == sizeof(dlviscorgkey) &&
+ !memcmp(keydata, dlviscorgkey, sizeof(dlviscorgkey))) {
+ *keyflags |= DLV_KSK_KEY;
+ }
+ }
+
 return (result);
 }

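Review bot: The three recognition blocks repeat `flags == 257 && proto == 3` and the `isc_buffer_usedlength(&b) == sizeof(...)` plus `memcmp()` pattern with only the table and the resulting bit changing, and nothing says what the byte tables are; a header comment on each, e.g. `/* Decoded public key of the 2010 root KSK (key tag 19036); see check-root-ksk-2010.conf */`, would let a reader verify a table against the matching .conf entry instead of trusting the array name. Comparing the full key bytes rather than a key tag is the right choice, since tags are not unique. The shared preconditions can be hoisted and the root/DLV branches made exclusive as sketched below; `keydata`, `b`, `flags`, `proto`, `alg` and `dlviscorg` are all defined outside this hunk, so I am assuming `b` holds the decoded key exactly as the original comparisons do. check_trusted_key() begins outside this hunk.
```c
	/*
	 * Identify well-known trust anchors by their exact public-key
	 * bytes so the caller can warn about stale or retired anchors.
	 */
	if (result == ISC_R_SUCCESS && flags == 257 && proto == 3) {
		unsigned int keylen = isc_buffer_usedlength(&b);

		if (dns_name_equal(keyname, dns_rootname) && alg == 8) {
			/* … unchanged: root_ksk_2010[] and root_ksk_2017[] tables … */
			if (keylen == sizeof(root_ksk_2010) &&
			    memcmp(keydata, root_ksk_2010, keylen) == 0) {
				*keyflags |= ROOT_KSK_2010;
			}
			if (keylen == sizeof(root_ksk_2017) &&
			    memcmp(keydata, root_ksk_2017, keylen) == 0) {
				*keyflags |= ROOT_KSK_2017;
			}
		} else if (dns_name_equal(keyname, &dlviscorg) && alg == 5) {
			/* … unchanged: dlviscorgkey[] table … */
			if (keylen == sizeof(dlviscorgkey) &&
			    memcmp(keydata, dlviscorgkey, keylen) == 0) {
				*keyflags |= DLV_KSK_KEY;
			}
		}
	}
```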
@@ -2970,6 +3096,7 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
 const cfg_obj_t *opts = NULL;
 isc_boolean_t enablednssec, enablevalidation;
 const char *valstr = "no";
+ unsigned int tflags, mflags;

 /*
 * Get global options block
@@ -3153,6 +3280,7 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
 if (keys == NULL)
 (void)cfg_map_get(config, "trusted-keys", &keys);

+ tflags = 0;
 for (element = cfg_list_first(keys);
 element != NULL;
 element = cfg_list_next(element))
@@ -3162,18 +3290,32 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
 element2 != NULL;
 element2 = cfg_list_next(element2))
 {
 obj = cfg_listelt_value(element2);
- tresult = check_trusted_key(obj, ISC_FALSE, logctx);
+ tresult = check_trusted_key(obj, ISC_FALSE, &tflags,
+ logctx);
 if (tresult != ISC_R_SUCCESS)
 result = tresult;
 }
 }
+ if ((tflags & ROOT_KSK_2010) != 0 && (tflags & ROOT_KSK_2017) == 0) {
+ cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
+ "trusted-key for root from 2010 without updated "
+ "trusted-key from 2017");
+ }
+
+ if ((tflags & DLV_KSK_KEY) != 0) {
+ cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
+ "trusted-key for dlv.isc.org still present; "
+ "dlv.isc.org has been shut down");
+ }
+
 keys = NULL;
 if (voptions != NULL)
 (void)cfg_map_get(voptions, "managed-keys", &keys);
 if (keys == NULL)
 (void)cfg_map_get(config, "managed-keys", &keys);
+ mflags = 0;
 for (element = cfg_list_first(keys);
 element != NULL;
 element = cfg_list_next(element))
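Review bot: The new warnings in the -3162 hunk say that a 2010 root key is present without the 2017 one but not which keys those are, so an operator cannot match the message against a `trusted-keys` block without outside knowledge; the .conf files added by this commit identify them by key tag, so `"trusted-key for root from 2010 (key tag 19036) without updated "` / `"trusted-key from 2017 (key tag 20326)"` would make the required action clear, and the managed-key variant in the -3183 hunk should be worded the same way. The first two hunks here only declare and zero `tflags`/`mflags`, which is fine given that check_trusted_key() only ORs bits in. check_viewconf() begins and ends outside these hunks.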
@@ -3183,12 +3325,33 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
 element2 != NULL;
 element2 = cfg_list_next(element2))
 {
 obj = cfg_listelt_value(element2);
- tresult = check_trusted_key(obj, ISC_TRUE, logctx);
+ tresult = check_trusted_key(obj, ISC_TRUE, &mflags,
+ logctx);
 if (tresult != ISC_R_SUCCESS)
 result = tresult;
 }
 }
+ if ((mflags & ROOT_KSK_2010) != 0 && (mflags & ROOT_KSK_2017) == 0) {
+ cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
+ "managed-key for root from 2010 without updated "
+ "managed-key from 2017");
+ }
+
+ if ((mflags & DLV_KSK_KEY) != 0) {
+ cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
+ "managed-key for dlv.isc.org still present; "
+ "dlv.isc.org has been shut down");
+ }
+
+ if ((tflags & (ROOT_KSK_2010|ROOT_KSK_2017)) != 0 &&
+ (mflags & (ROOT_KSK_2010|ROOT_KSK_2017)) != 0)
+ {
+ cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
+ "both trusted-keys and managed-keys for the ICANN "
+ "root are present");
+ }
+
 /*
 * Check options.
 */
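Review bot: The first two warning blocks here repeat the two in the -3162 hunk with only the `trusted-key`/`managed-key` wording changed, so the two message sets can drift apart; a small static helper taking the flag word and the label, called once after each loop, keeps them in one place (sketch below, relying on `cfg_obj_log()` taking a printf-style format). The final `both trusted-keys and managed-keys` check would also benefit from a one-line why-comment, e.g. `/* A static root anchor beside a managed one pins the key the RFC 5011 rollover is meant to retire. */` — I am inferring that rationale from the comments in the added .conf files, so confirm it before adding. check_viewconf() begins and ends outside this hunk.
```c
/*
 * Report stale well-known anchors found by check_trusted_key().
 * 'label' is "trusted-key" or "managed-key" and only affects wording.
 */
static void
check_anchor_flags(const cfg_obj_t *keys, unsigned int kflags,
		   const char *label, isc_log_t *logctx)
{
	if ((kflags & ROOT_KSK_2010) != 0 && (kflags & ROOT_KSK_2017) == 0) {
		cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
			    "%s for root from 2010 without updated %s from 2017",
			    label, label);
	}
	if ((kflags & DLV_KSK_KEY) != 0) {
		cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
			    "%s for dlv.isc.org still present; "
			    "dlv.isc.org has been shut down", label);
	}
}

	/* … unchanged: trusted-keys loop in check_viewconf() … */
	check_anchor_flags(keys, tflags, "trusted-key", logctx);
	/* … unchanged: managed-keys lookup and loop … */
	check_anchor_flags(keys, mflags, "managed-key", logctx);
```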