From: Pieter Lexis <pieter.lexis@powerdns.com>
Date: Mon, 7 Jan 2019 13:49:48 +0000 (+0100)
Subject: auth: error on DNSSEC default misconfiguration
X-Git-Tag: rec-4.2.0-alpha1~19^2~1
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8b8e867071af6fedc55cd2f6d8271e2f50ae50d7;p=thirdparty%2Fpdns.git

auth: error on DNSSEC default misconfiguration

This commit ensures `pdns_server` does not start when there is a
misconfiguration in default-[kz]sk-algorithm:

 * Either is set to an unknown algorithm
 * When using RSA, key size is unset
 * zsk is set but ksk is not
 * zsk is not set to the same as the ksk
---

diff --git a/pdns/common_startup.cc b/pdns/common_startup.cc
index b0999fa3b6..1dd7c0956f 100644
--- a/pdns/common_startup.cc
+++ b/pdns/common_startup.cc
@@ -558,16 +558,32 @@ void mainthread()
   catch(...) {}
 
   // Some sanity checking on default key settings
+  bool hadKeyError = false;
   for (const string& algotype : {"ksk", "zsk"}) {
     int algo, size;
     if (::arg()["default-"+algotype+"-algorithm"].empty())
       continue;
     algo = DNSSECKeeper::shorthand2algorithm(::arg()["default-"+algotype+"-algorithm"]);
     size = ::arg().asNum("default-"+algotype+"-size");
-    if (algo == -1)
-      g_log<<Logger::Warning<<"Warning: default-"<<algotype<<"-algorithm set to unknown algorithm: "<<::arg()["default-"+algotype+"-algorithm"]<<endl;
-    else if (algo <= 10 && size == 0)
-      g_log<<Logger::Warning<<"Warning: default-"<<algotype<<"-algorithm is set to an algorithm ("<<::arg()["default-"+algotype+"-algorithm"]<<") that requires a non-zero default-"<<algotype<<"-size!"<<endl;
+    if (algo == -1) {
+      g_log<<Logger::Error<<"Error: default-"<<algotype<<"-algorithm set to unknown algorithm: "<<::arg()["default-"+algotype+"-algorithm"]<<endl;
+      hadKeyError = true;
+    }
+    else if (algo <= 10 && size == 0) {
+      g_log<<Logger::Error<<"Error: default-"<<algotype<<"-algorithm is set to an algorithm ("<<::arg()["default-"+algotype+"-algorithm"]<<") that requires a non-zero default-"<<algotype<<"-size!"<<endl;
+      hadKeyError = true;
+    }
+  }
+  if (hadKeyError) {
+    exit(1);
+  }
+  if (::arg()["default-ksk-algorithm"].empty() && !::arg()["default-zsk-algorithm"].empty()) {
+    g_log<<Logger::Error<<"Error: default-zsk-algorithm is set, but default-ksk-algorithm is not set."<<endl;
+    exit(1);
+  }
+  if (!::arg()["default-zsk-algorithm"].empty() && ::arg()["default-zsk-algorithm"] != ::arg()["default-ksk-algorithm"]) {
+    g_log<<Logger::Error<<"Error: default-zsk-algorithm ("<<::arg()["default-zsk-algorithm"]<<"), when set, can not be different from default-ksk-algorithm ("<<::arg()["default-ksk-algorithm"]<<")."<<endl;
+    exit(1);
   }
 
   // NOW SAFE TO CREATE THREADS!