chg: nil: Minor logging improvements for key lifetime

Closes #5736

Merge branch '5736-minor-logging-improvements-dnssec-policy-key-lifetime' into 'main'

See merge request isc-projects/bind9!11532
Matthijs Mekking 2026-02-06 16:59:05 +00:00
commit aa8fdfde2d
2 changed files with 12 additions and 3 deletions


@ -680,7 +680,7 @@ grep "dnssec-policy: algorithm 8 has multiple keys with ZSK role" <checkconf.out
grep "dnssec-policy: algorithm 8 has multiple keys with ZSK role" <checkconf.out$n >/dev/null || ret=1
grep "dnssec-policy: algorithm 13 has multiple keys with KSK role" <checkconf.out$n >/dev/null || ret=1
grep "dnssec-policy: algorithm 13 has multiple keys with ZSK role" <checkconf.out$n >/dev/null || ret=1
grep "dnssec-policy: key lifetime is shorter than 30 days" <checkconf.out$n >/dev/null || ret=1
grep "dnssec-policy: key lifetime is shorter than the recommended 30 days" <checkconf.out$n >/dev/null || ret=1
lines=$(wc -l <"checkconf.out$n")
if [ $lines -ne 5 ]; then ret=1; fi
if [ $ret -ne 0 ]; then echo_i "failed"; fi


@ -120,6 +120,7 @@ cfg_kaspkey_fromconfig(const cfg_obj_t *config, dns_kasp_t *kasp,
isc_result_t result;
dns_kasp_key_t *key = NULL;
const cfg_obj_t *tagrange = NULL;
uint32_t min_lifetime = UINT32_MAX;
/* Create a new key reference. */
dns_kasp_key_create(kasp, &key);
@ -199,18 +200,22 @@ cfg_kaspkey_fromconfig(const cfg_obj_t *config, dns_kasp_t *kasp,
cfg_obj_log(obj, ISC_LOG_WARNING,
"dnssec-policy: key "
"lifetime is "
"shorter than 30 days");
"shorter than the "
"recommended 30 days");
}
}
if ((key->role & DNS_KASP_KEY_ROLE_KSK) != 0 &&
key->lifetime <= ksk_min_lifetime)
{
error = true;
min_lifetime = ksk_min_lifetime;
}
if ((key->role & DNS_KASP_KEY_ROLE_ZSK) != 0 &&
key->lifetime <= zsk_min_lifetime)
{
error = true;
min_lifetime = ISC_MIN(min_lifetime,
zsk_min_lifetime);
}
if (error) {
if (log_errors) {
@ -219,7 +224,11 @@ cfg_kaspkey_fromconfig(const cfg_obj_t *config, dns_kasp_t *kasp,
"lifetime is "
"shorter than the time it "
"takes to "
"do a rollover");
"do a rollover (lifetime "
"with these parameters "
"must be higher than %u "
"seconds)",
min_lifetime);
}
CLEANUP(ISC_R_FAILURE);
}
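Review bot: In the ZSK branch, `min_lifetime = ISC_MIN(min_lifetime, zsk_min_lifetime);` reports the smaller of the two bounds when a key fails both role checks, but the lifetime has to exceed the larger bound to pass both. The checks test role bits with `&`, so a key carrying both the KSK and ZSK role appears possible. For such a key, the value printed by "must be higher than %u seconds" can still be rejected on the next run against the other bound. Consider initialising with `uint32_t min_lifetime = 0;` and using `min_lifetime = ISC_MAX(min_lifetime, ksk_min_lifetime);` and `min_lifetime = ISC_MAX(min_lifetime, zsk_min_lifetime);` in the two branches. The body of cfg_kaspkey_fromconfig continues outside these hunks, and the only test change shown covers the 30-day warning, so nothing visible here asserts the reported number.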