diff --git a/bin/tests/system/checkconf/kasp-warning.conf b/bin/tests/system/checkconf/kasp-warning.conf
index 765c09b14a..4c05b5ad02 100644
--- a/bin/tests/system/checkconf/kasp-warning.conf
+++ b/bin/tests/system/checkconf/kasp-warning.conf
@@ -32,6 +32,13 @@ dnssec-policy "warn2" {
 };
 };
+dnssec-policy "warn3" {
+ keys {
+ // This policy has a key with a very short lifetime.
+ csk lifetime PT2591999S algorithm rsasha256;
+ };
+};
+
 zone "warn1.example.net" {
 type primary;
 file "warn1.example.db";
@@ -44,3 +51,9 @@ zone "warn2.example.net" {
 dnssec-policy "warn2";
 };
+zone "warn3.example.net" {
+ type primary;
+ file "warn3.example.db";
+ dnssec-policy "warn3";
+};
+
diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh
index 807c79b5dc..5abda873fd 100644
--- a/bin/tests/system/checkconf/tests.sh
+++ b/bin/tests/system/checkconf/tests.sh
@@ -544,8 +544,9 @@ grep "dnssec-policy: algorithm 8 has multiple keys with ZSK role" < checkconf.ou
 grep "dnssec-policy: algorithm 8 has multiple keys with ZSK role" < checkconf.out$n > /dev/null || ret=1
 grep "dnssec-policy: algorithm 13 has multiple keys with KSK role" < checkconf.out$n > /dev/null || ret=1
 grep "dnssec-policy: algorithm 13 has multiple keys with ZSK role" < checkconf.out$n > /dev/null || ret=1
+grep "dnssec-policy: key lifetime is shorter than 30 days" < checkconf.out$n > /dev/null || ret=1
 lines=$(wc -l < "checkconf.out$n")
-if [ $lines != 4 ]; then ret=1; fi
+if [ $lines != 5 ]; then ret=1; fi
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
diff --git a/lib/isccfg/kaspconf.c b/lib/isccfg/kaspconf.c
index 97c8a1466c..70c2511490 100644
--- a/lib/isccfg/kaspconf.c
+++ b/lib/isccfg/kaspconf.c
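Review bot: The comment on the new "warn3" policy undersells what the fixture is actually testing: PT2591999S is exactly one second below the 30-day (2592000 s) threshold introduced in kaspconf.c, i.e. it is a boundary probe rather than a "very short" lifetime. A future reader tuning the threshold needs that link, so I would replace the comment with `// Lifetime is one second under the 30 day threshold that makes checkconf warn.`. If the threshold ever changes, this value must move with it, which the current wording does not signal.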
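Review bot: The added grep only proves the warning fires for the one-second-under case; nothing checks that a lifetime of exactly 30 days (or an `unlimited` lifetime, which the C side skips via the `> 0` guard) stays silent, and the `lines != 5` total cannot distinguish a spurious second warning from a missing unrelated one. I would add a policy at the threshold (PT2592000S) to kasp-warning.conf and pin the count rather than presence: `test "$(grep -c "dnssec-policy: key lifetime is shorter than 30 days" < checkconf.out$n)" -eq 1 || ret=1`, bumping the expected line total accordingly. The test step's `n=` setup and the check that runs named-checkconf are outside this hunk, so I am assuming checkconf.out$n holds only warnings from kasp-warning.conf.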
@@ -108,6 +108,11 @@ cfg_kaspkey_fromconfig(const cfg_obj_t *config, dns_kasp_t *kasp,
 if (cfg_obj_isduration(obj)) {
 key->lifetime = cfg_obj_asduration(obj);
 }
+ if (key->lifetime > 0 && key->lifetime < 30 * (24 * 3600)) {
+ cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
+ "dnssec-policy: key lifetime is shorter "
+ "than 30 days");
+ }
 obj = cfg_tuple_get(config, "algorithm");
 alg.base = cfg_obj_asstring(obj);
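Review bot: The threshold `30 * (24 * 3600)` is an unexplained magic number in the new `if`, and the hunk gives no reason why 30 days is the line between acceptable and suspicious; the same literal is duplicated in the message text, so the two can silently drift apart. I would hoist it into one named constant next to the function (e.g. `#define KASP_LIFETIME_WARN_THRESHOLD (30 * 24 * 3600) /* seconds */`) and put a one-line why-comment above the check stating what a shorter lifetime risks, which the author knows and the reader does not. Note also that the check runs regardless of whether the `cfg_obj_isduration(obj)` branch assigned `key->lifetime`, so if a default is set earlier in cfg_kaspkey_fromconfig (its start is outside this hunk) the warning would be attributed to `obj` even when the operator wrote no duration; a comment confirming that `key->lifetime` is 0 unless parsed here would close that question. The comparison mixes `key->lifetime` with an `int` literal; if the field is `uint32_t` as the surrounding code suggests, the usual conversions make this safe, but a `uint32_t`-typed constant would make that explicit.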