From ef09d9230f12a3cb8825c9ec2fd1a7fc8beb57e9 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Mon, 30 Jun 2025 15:56:21 +1000
Subject: [PATCH] Check deprecated algorithms in dnssec-policy

(cherry picked from commit 86fb638085cf6487fa3b3af6f96ebfdca26c0fa8)
---
 .../system/checkconf/kasp-deprecated.conf | 19 +++++++++++++++++++
 bin/tests/system/checkconf/tests.sh | 9 +++++++++
 2 files changed, 28 insertions(+)
 create mode 100644 bin/tests/system/checkconf/kasp-deprecated.conf

diff --git a/bin/tests/system/checkconf/kasp-deprecated.conf b/bin/tests/system/checkconf/kasp-deprecated.conf
new file mode 100644
index 0000000000..3f8d4849b2
--- /dev/null
+++ b/bin/tests/system/checkconf/kasp-deprecated.conf
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy deprecated {
+ keys {
+ csk lifetime unlimited algorithm rsasha1;
+ csk lifetime unlimited algorithm nsec3rsasha1;
+ };
+};
diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh
index 695067fe74..3bb772e4d5 100644
--- a/bin/tests/system/checkconf/tests.sh
+++ b/bin/tests/system/checkconf/tests.sh
@@ -712,6 +712,15 @@
 if [ $lines -ne 5 ]; then ret=1; fi
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
+n=$((n + 1))
+echo_i "checking named-checkconf kasp deprecated algorithms ($n)"
+ret=0
+$CHECKCONF kasp-deprecated.conf >checkconf.out$n 2>&1 || ret=1
+grep "dnssec-policy: DNSSEC algorithm rsasha1 is deprecated" checkconf.out$n >/dev/null || ret=1
+grep "dnssec-policy: DNSSEC algorithm nsec3rsasha1 is deprecated" checkconf.out$n >/dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 n=$((n + 1))
 echo_i "check that a good 'kasp' configuration is accepted ($n)"
 ret=0
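Review bot: The two grep checks only assert that each deprecation warning appears somewhere in checkconf.out$n, so a regression that emits the warning several times per key, or for other parts of the policy as well, would still pass. The context at the top of this hunk already uses a line-count check (`if [ $lines -ne 5 ]`), and the same idiom would pin the expected number here: `lines=$(grep -c "is deprecated" checkconf.out$n)` followed by `if [ $lines -ne 2 ]; then ret=1; fi`. It is also worth recording the intent that `$CHECKCONF kasp-deprecated.conf ... || ret=1` encodes, namely that a deprecated algorithm is a warning and the policy is still accepted with exit status 0; a one-line comment above the block such as `# deprecated key algorithms must warn but not reject the policy` would make that explicit for whoever later promotes these algorithms to errors.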