warn for bad trust anchors.
authorWouter Wijngaards <wouter@nlnetlabs.nl>
Thu, 19 Feb 2009 09:01:39 +0000 (09:01 +0000)
committerWouter Wijngaards <wouter@nlnetlabs.nl>
Thu, 19 Feb 2009 09:01:39 +0000 (09:01 +0000)
git-svn-id: file:///svn/unbound/trunk@1487 be551aaa-1e26-0410-a405-d3ace91eadb9

doc/Changelog
validator/val_anchor.c

index 922c2393b1edb1a22196c4be8bfd6a1ddd58990d..d57a1f444287fdaa3d2f69949d5dc2f81fdb930f 100644 (file)
@@ -1,3 +1,7 @@
+19 February 2009: Wouter
+       - unbound-checkconf and unbound print warnings when trust anchors
+         have unsupported algorithms.
+
 18 February 2009: Wouter
        - more cycle detection. Also for target queries.
        - fixup bug where during deletion of the mesh queries the callbacks
index 7060da82e0f346545aec52de88d6be54c2dcab89..1f4b68d38f26949176d50334fdf6b32bb738be0b 100644 (file)
@@ -40,6 +40,7 @@
  */
 #include "config.h"
 #include "validator/val_anchor.h"
+#include "validator/val_sigcrypt.h"
 #include "util/data/packed_rrset.h"
 #include "util/data/dname.h"
 #include "util/log.h"
@@ -819,6 +820,40 @@ anchors_assemble(struct val_anchors* anchors, struct trust_anchor* ta)
        return 1;
 }
 
+/**
+ * Check DS algos for support, warn if not.
+ * @param ta: trust anchor
+ * @return true if all anchors are supported.
+ */
+static int
+anchors_ds_is_supported(struct trust_anchor* ta)
+{
+       size_t i;
+       for(i=0; i<ta->numDS; i++) {
+               if(!ds_digest_algo_is_supported(ta->ds_rrset, i))
+                       return 0;
+               if(!ds_key_algo_is_supported(ta->ds_rrset, i))
+                       return 0;
+       }
+       return 1;
+}
+
+/**
+ * Check DNSKEY algos for support, warn if not.
+ * @param ta: trust anchor
+ * @return true if all anchors are supported.
+ */
+static int
+anchors_dnskey_is_supported(struct trust_anchor* ta)
+{
+       size_t i;
+       for(i=0; i<ta->numDNSKEY; i++) {
+               if(!dnskey_algo_is_supported(ta->dnskey_rrset, i))
+                       return 0;
+       }
+       return 1;
+}
+
 /**
  * Assemble the rrsets in the anchors, ready for use by validator.
  * @param anchors: trust anchor storage.
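Review bot: Both new doc comments say "warn if not", but neither `anchors_ds_is_supported` nor `anchors_dnskey_is_supported` logs anything; each returns 0 at the first unsupported record and leaves the warning to the caller. The `@return` text is also loose, since the loops walk the DS or DNSKEY records of one trust anchor rather than "all anchors". I would reword the first to `Check whether every DS in the trust anchor uses a supported digest and key algorithm.` with `@return 1 if all records are supported, 0 if any is not.`, and the DNSKEY one likewise. Because of the early return, a caller cannot tell an anchor with one unsupported record from an anchor with no usable record at all, which is worth stating in the comment.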
@@ -833,6 +868,16 @@ anchors_assemble_rrsets(struct val_anchors* anchors)
                        log_err("out of memory");
                        return 0;
                }
+               if(!anchors_ds_is_supported(ta)) {
+                       log_nametypeclass(0, "warning: unsupported "
+                               "algorithm for trust anchor", 
+                               ta->name, LDNS_RR_TYPE_DS, ta->dclass);
+               }
+               if(!anchors_dnskey_is_supported(ta)) {
+                       log_nametypeclass(0, "warning: unsupported "
+                               "algorithm for trust anchor", 
+                               ta->name, LDNS_RR_TYPE_DNSKEY, ta->dclass);
+               }
        }
        return 1;
 }
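Review bot: The two warnings added after the out-of-memory check fire as soon as any single DS or DNSKEY is unsupported, and the function still returns 1, so an anchor with no usable record is reported with the same line as one that only carries an extra unsupported key. The first case is the one an operator must not miss; how the validator treats such an anchor is not visible in this hunk, so the message should at least distinguish it, for example with separate wording when no record of that type is supported. The log line also omits the algorithm number, which would make it easier to match against the configured anchor. As a smaller point, the bare `0` verbosity argument reads better as the named level, `log_nametypeclass(NO_VERBOSE, "warning: unsupported " ...`. anchors_assemble_rrsets starts outside the hunk.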