Change nsec3param salt config to saltlen

Upon request from Mark, change the configuration of salt to salt length. Introduce a new function 'dns_zone_checknsec3aram' that can be used upon reconfiguration to check if the existing NSEC3 parameters are in sync with the configuration. If a salt is used that matches the configured salt length, don't change the NSEC3 parameters. (cherry picked from commit 6f97bb6b1f)
2020-10-23 15:02:19 +02:00
parent d35dab3db8
commit 52d3bf5f31
21 changed files with 204 additions and 114 deletions
--- a/bin/tests/system/checkconf/good-kasp.conf
+++ b/bin/tests/system/checkconf/good-kasp.conf
@@ -22,7 +22,7 @@ dnssec-policy "test" {
 		csk key-directory lifetime unlimited algorithm rsasha256 2048;
 	};
 	max-zone-ttl 86400;
-	nsec3param iterations 5 optout no salt "deadbeef";
+	nsec3param iterations 5 optout no salt-length 8;
 	parent-ds-ttl 7200;
 	parent-propagation-delay PT1H;
 	publish-safety PT3600S;
--- a/bin/tests/system/checkconf/tests.sh
+++ b/bin/tests/system/checkconf/tests.sh
@@ -509,14 +509,6 @@ grep "update-check-ksk: cannot be configured if dnssec-policy is also set" < che
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`

-n=`expr $n + 1`
-echo_i "checking named-checkconf kasp nsec3 salt errors ($n)"
-ret=0
-$CHECKCONF kasp-bad-nsec3-salt.conf > checkconf.out$n 2>&1 && ret=1
-grep "dnssec-policy: bad nsec3 salt pepper" < checkconf.out$n > /dev/null || ret=1
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
-
 n=`expr $n + 1`
 echo_i "checking named-checkconf kasp nsec3 iterations errors ($n)"
 ret=0