Improve RSA key warnings

diff --git a/pdns/opensslsigners.cc b/pdns/opensslsigners.cc
index d0a65e6489d1c0f0b2c66dfd3ed2ba5faa4d9526..452025398c37d559347f8553c63998cc49253459 100644 (file)
--- a/pdns/opensslsigners.cc
+++ b/pdns/opensslsigners.cc
@@ -216,6 +216,7 @@ private:
 
 void OpenSSLRSADNSCryptoKeyEngine::create(unsigned int bits)
 {
+  // When changing the bitsizes, also edit them in ::checkKey and pdnsutil.cc
   if ((d_algorithm == DNSSECKeeper::RSASHA1 || d_algorithm == DNSSECKeeper::RSASHA1NSEC3SHA1) && (bits < 512 || bits > 4096)) {
     /* RFC3110 */
     throw runtime_error(getName()+" RSASHA1 key generation failed for invalid bits size " + std::to_string(bits));
@@ -540,6 +541,16 @@ void OpenSSLRSADNSCryptoKeyEngine::fromISCMap(DNSKEYRecordContent& drc, std::map
 
 bool OpenSSLRSADNSCryptoKeyEngine::checkKey() const
 {
+  // When changing the bitsizes, also edit them in ::create and pdnsutil.cc
+  if ((d_algorithm == DNSSECKeeper::RSASHA1 || d_algorithm == DNSSECKeeper::RSASHA1NSEC3SHA1) && (getBits() < 512 || getBits()> 4096)) {
+    return false;
+  }
+  if (d_algorithm == DNSSECKeeper::RSASHA256 && (getBits() < 512 || getBits() > 4096)) {
+    return false;
+  }
+  if (d_algorithm == DNSSECKeeper::RSASHA512 && (getBits() < 1024 || getBits() > 4096)) {
+    return false;
+  }
   return (RSA_check_key(d_key) == 1);
 }
 

diff --git a/pdns/pdnsutil.cc b/pdns/pdnsutil.cc
index 7b237e9153a27cf81df6ba466223828f1d802b49..5c98023ea5a1b4f7e1699abac6a69e305c2267b7 100644 (file)
--- a/pdns/pdnsutil.cc
+++ b/pdns/pdnsutil.cc
@@ -279,6 +279,26 @@ int checkZone(DNSSECKeeper &dk, UeberBackend &B, const DNSName& zone, const vect
   if (!validKeys) {
     numerrors++;
     cout<<"[Error] zone '" << zone << "' has at least one invalid DNS Private Key." << endl;
+    vector<DNSBackend::KeyData> dbkeyset;
+    B.getDomainKeys(zone, dbkeyset);
+
+    for(const DNSBackend::KeyData &keydata : dbkeyset) {
+      DNSKEYRecordContent dkrc;
+      shared_ptr<DNSCryptoKeyEngine> dke(DNSCryptoKeyEngine::makeFromISCString(dkrc, keydata.content));
+      string msg;
+      if ((dke->getAlgorithm() == DNSSECKeeper::RSASHA1 || dke->getAlgorithm() == DNSSECKeeper::RSASHA1NSEC3SHA1) && (dke->getBits() < 512 || dke->getBits() > 4096)) {
+        msg = "512 and 4096";
+      }
+      if (dke->getAlgorithm() == DNSSECKeeper::RSASHA256 && (dke->getBits() < 512 || dke->getBits() > 4096)) {
+        msg = "512 and 4096";
+      }
+      if (dke->getAlgorithm() == DNSSECKeeper::RSASHA512 && (dke->getBits() < 1024 || dke->getBits() > 4096)) {
+        msg = "1024 and 4096";
+      }
+      if (!msg.empty()) {
+        cout<<"[Error] zone '" << zone << "' key with algorithm " << DNSSECKeeper::algorithm2name(dke->getAlgorithm()) << " has a keysize of " << dke->getBits() << ", which is not between " << msg << endl;
+      }
+    }
   }
 
   // Check for delegation in parent zone