Warn if key lengths are out of range/predefined

2020-02-06 17:43:54 +01:00
parent ae6bf1979d
commit 8c0db909ee
8 changed files with 120 additions and 19 deletions
--- a/bin/tests/system/checkconf/kasp-ignore-keylen.conf
+++ b/bin/tests/system/checkconf/kasp-ignore-keylen.conf
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "warn-length" {
+	keys {
+		// Algorithm 13 has predefined length, warn about length param.
+		csk lifetime unlimited algorithm 13 2048;
+		// Algorithm 5 length out of range, warn about length param.
+		csk lifetime unlimited algorithm 5 4097;
+	};
+};
+
+zone "example.net" {
+	type master;
+	file "example.db";
+	dnssec-policy "warn-length";
+};
+