grep "dnssec-policy: algorithm 8 has multiple keys with ZSK role" <checkconf.out$n >/dev/null || ret=1
grep "dnssec-policy: algorithm 13 has multiple keys with KSK role" <checkconf.out$n >/dev/null || ret=1
grep "dnssec-policy: algorithm 13 has multiple keys with ZSK role" <checkconf.out$n >/dev/null || ret=1
-grep "dnssec-policy: key lifetime is shorter than 30 days" <checkconf.out$n >/dev/null || ret=1
+grep "dnssec-policy: key lifetime is shorter than the recommended 30 days" <checkconf.out$n >/dev/null || ret=1
lines=$(wc -l <"checkconf.out$n")
if [ $lines -ne 5 ]; then ret=1; fi
if [ $ret -ne 0 ]; then echo_i "failed"; fi
isc_result_t result;
dns_kasp_key_t *key = NULL;
const cfg_obj_t *tagrange = NULL;
+ uint32_t min_lifetime = UINT32_MAX;
/* Create a new key reference. */
dns_kasp_key_create(kasp, &key);
cfg_obj_log(obj, ISC_LOG_WARNING,
"dnssec-policy: key "
"lifetime is "
- "shorter than 30 days");
+ "shorter than the "
+ "recommended 30 days");
}
}
if ((key->role & DNS_KASP_KEY_ROLE_KSK) != 0 &&
key->lifetime <= ksk_min_lifetime)
{
error = true;
+ min_lifetime = ksk_min_lifetime;
}
if ((key->role & DNS_KASP_KEY_ROLE_ZSK) != 0 &&
key->lifetime <= zsk_min_lifetime)
{
error = true;
+ min_lifetime = ISC_MIN(min_lifetime,
+ zsk_min_lifetime);
}
if (error) {
if (log_errors) {
"lifetime is "
"shorter than the time it "
"takes to "
- "do a rollover");
+ "do a rollover (lifetime "
+ "with these parameters "
+ "must be higher than %u "
+ "seconds)",
+ min_lifetime);
}
CLEANUP(ISC_R_FAILURE);
}
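Review bot: For a key that carries both the KSK and ZSK roles and fails both checks, the bound printed on the `must be higher than %u seconds` line understates the requirement: such a key has to exceed the larger of ksk_min_lifetime and zsk_min_lifetime, but the ISC_MIN on the second assignment reports the smaller one, so an operator who sets the lifetime to the printed value plus one can hit the same error again. The KSK-only and ZSK-only paths are correct as written; only the combined case is off. Track the maximum instead, `min_lifetime = ISC_MAX(min_lifetime, zsk_min_lifetime);`, and start the variable from `uint32_t min_lifetime = 0;` in the declaration hunk above so the single-role cases still report their own bound. The enclosing function starts and ends outside the hunk.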