Warn if key lifetime is short

Log a warning if the key lifetime is less than 30 days.

bin/tests/system/checkconf/kasp-warning.conf

@@ -32,6 +32,13 @@ dnssec-policy "warn2" {
 	};
 };
 
+dnssec-policy "warn3" {
+	keys {
+		// This policy has a key with a very short lifetime.
+		csk lifetime PT2591999S algorithm rsasha256;
+	};
+};
+
 zone "warn1.example.net" {
 	type primary;
 	file "warn1.example.db";
@@ -44,3 +51,9 @@ zone "warn2.example.net" {
 	dnssec-policy "warn2";
 };
 
+zone "warn3.example.net" {
+	type primary;
+	file "warn3.example.db";
+	dnssec-policy "warn3";
+};
+

bin/tests/system/checkconf/tests.sh

@@ -544,8 +544,9 @@ grep "dnssec-policy: algorithm 8 has multiple keys with ZSK role" < checkconf.ou
 grep "dnssec-policy: algorithm 8 has multiple keys with ZSK role" < checkconf.out$n > /dev/null || ret=1
 grep "dnssec-policy: algorithm 13 has multiple keys with KSK role" < checkconf.out$n > /dev/null || ret=1
 grep "dnssec-policy: algorithm 13 has multiple keys with ZSK role" < checkconf.out$n > /dev/null || ret=1
+grep "dnssec-policy: key lifetime is shorter than 30 days" < checkconf.out$n > /dev/null || ret=1
 lines=$(wc -l < "checkconf.out$n")
-if [ $lines != 4 ]; then ret=1; fi
+if [ $lines != 5 ]; then ret=1; fi
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 

lib/isccfg/kaspconf.c

@@ -108,6 +108,11 @@ cfg_kaspkey_fromconfig(const cfg_obj_t *config, dns_kasp_t *kasp,
 		if (cfg_obj_isduration(obj)) {
 			key->lifetime = cfg_obj_asduration(obj);
 		}
+		if (key->lifetime > 0 && key->lifetime < 30 * (24 * 3600)) {
+			cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
+				    "dnssec-policy: key lifetime is shorter "
+				    "than 30 days");
+		}
 
 		obj = cfg_tuple_get(config, "algorithm");
 		alg.base = cfg_obj_asstring(obj);