From: Mark Andrews Date: Fri, 9 Feb 2018 01:04:45 +0000 (+1100) Subject: 4889. [func] Warn about the use of old root keys without the new X-Git-Tag: v9.12.1rc1~13 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=303f4e8b5d49ad2934da34944f6c0fd2ceeff341;p=thirdparty%2Fbind9.git 4889. [func] Warn about the use of old root keys without the new root key being present. Warn about dlv.isc.org's key being present. Warn about both managed and trusted root keys being present. [RT #43670] (cherry picked from commit baef0ca9886bb67d7c6a2ae0405e504ccdc0fb9f) --- diff --git a/CHANGES b/CHANGES index 5b8d240e2b6..5f1cd59f101 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,8 @@ +4889. [func] Warn about the use of old root keys without the new + root key being present. Warn about dlv.isc.org's + key being present. Warn about both managed and + trusted root keys being present. [RT #43670] + --- 9.12.1b1 released --- 4888. [test] Initialize sockets correctly in sample-update so diff --git a/bin/named/server.c b/bin/named/server.c index 99d4432ca0d..ae084762c23 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -7818,8 +7818,8 @@ load_configuration(const char *filename, named_server_t *server, if (access(server->bindkeysfile, R_OK) == 0) { isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER, ISC_LOG_INFO, - "reading built-in trusted " - "keys from file '%s'", server->bindkeysfile); + "reading built-in trust anchors " + "from file '%s'", server->bindkeysfile); CHECK(cfg_parser_create(named_g_mctx, named_g_lctx, &bindkeys_parser)); @@ -7830,8 +7830,8 @@ load_configuration(const char *filename, named_server_t *server, } else { isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER, ISC_LOG_INFO, - "unable to open '%s' using built-in keys", - server->bindkeysfile); + "unable to open '%s'; using built-in keys " + "instead", server->bindkeysfile); } /* Ensure exclusive access to configuration data. */ 
diff --git a/bin/tests/system/checkconf/check-dlv-ksk-key.conf b/bin/tests/system/checkconf/check-dlv-ksk-key.conf new file mode 100644 index 00000000000..1ee566d13f4 --- /dev/null +++ b/bin/tests/system/checkconf/check-dlv-ksk-key.conf @@ -0,0 +1,9 @@ +trusted-keys { + dlv.isc.org 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWE + n4MxDCE1+lLy2brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8 + +jAGl2FZLK8t+1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ + 2kJb56dhgMde5ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnG + xPPEmHAte/URkY62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mR + x/vwwMCTgNboMQKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWL + KjHzpT59k/VStTDN0YUuWrBNh"; +}; diff --git a/bin/tests/system/checkconf/check-root-ksk-2010.conf b/bin/tests/system/checkconf/check-root-ksk-2010.conf new file mode 100644 index 00000000000..54a1b9ff0b7 --- /dev/null +++ b/bin/tests/system/checkconf/check-root-ksk-2010.conf @@ -0,0 +1,13 @@ +trusted-keys { + # This key (19036) is to be phased out starting in 2017. It will + # remain in the root zone for some time after its successor key + # has been added. It will remain this file until it is removed from + # the root zone. + . 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF + FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX + bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD + X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz + W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS + Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq + QxA+Uk1ihz0="; +}; diff --git a/bin/tests/system/checkconf/check-root-ksk-2017.conf b/bin/tests/system/checkconf/check-root-ksk-2017.conf new file mode 100644 index 00000000000..7d83d4b16cf --- /dev/null +++ b/bin/tests/system/checkconf/check-root-ksk-2017.conf 
@@ -0,0 +1,16 @@ +trusted-keys { + # This key (20326) was published in the root zone in 2017. + # Servers which were already using the old key (19036) should + # roll seamlessly to this new one via RFC 5011 rollover. Servers + # being set up for the first time can use the contents of this + # file as initializing keys; thereafter, the keys in the + # managed key database will be trusted and maintained + # automatically. + . 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 + +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv + ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF + 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e + oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd + RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN + R1AkUTV74bU="; +}; diff --git a/bin/tests/system/checkconf/check-root-ksk-both.conf b/bin/tests/system/checkconf/check-root-ksk-both.conf new file mode 100644 index 00000000000..091c9afbefc --- /dev/null +++ b/bin/tests/system/checkconf/check-root-ksk-both.conf 
@@ -0,0 +1,28 @@ +trusted-keys { + # This key (19036) is to be phased out starting in 2017. It will + # remain in the root zone for some time after its successor key + # has been added. It will remain this file until it is removed from + # the root zone. + . 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF + FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX + bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD + X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz + W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS + Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq + QxA+Uk1ihz0="; + + # This key (20326) was published in the root zone in 2017. + # Servers which were already using the old key (19036) should + # roll seamlessly to this new one via RFC 5011 rollover. Servers + # being set up for the first time can use the contents of this + # file as initializing keys; thereafter, the keys in the + # managed key database will be trusted and maintained + # automatically. + . 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 + +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv + ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF + 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e + oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd + RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN + R1AkUTV74bU="; +}; diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh index 245481c8ea6..4f252a4668e 100644 --- a/bin/tests/system/checkconf/tests.sh +++ b/bin/tests/system/checkconf/tests.sh 
@@ -362,5 +362,34 @@ $CHECKCONF good-dlv-dlv.example.com.conf > checkconf.out$n 2>/dev/null || ret=1 if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi status=`expr $status + $ret` +n=`expr $n + 1` +echo "I: check that the 2010 ICANN ROOT KSK without the 2017 ICANN ROOT KSK generates a warning ($n)" +ret=0 +$CHECKCONF check-root-ksk-2010.conf > checkconf.out$n 2>/dev/null || ret=1 +[ -s checkconf.out$n ] || ret=1 +if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi +status=`expr $status + $ret` + +echo "I: check that the 2010 ICANN ROOT KSK with the 2017 ICANN ROOT KSK does not warning ($n)" +ret=0 +$CHECKCONF check-root-ksk-both.conf > checkconf.out$n 2>/dev/null || ret=1 +[ -s checkconf.out$n ] && ret=1 +if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi +status=`expr $status + $ret` + +echo "I: check that the 2017 ICANN ROOT KSK alone does not warning ($n)" +ret=0 +$CHECKCONF check-root-ksk-2017.conf > checkconf.out$n 2>/dev/null || ret=1 +[ -s checkconf.out$n ] && ret=1 +if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi +status=`expr $status + $ret` + +echo "I: check that the dlv.isc.org KSK generates a warning ($n)" +ret=0 +$CHECKCONF good-dlv-dlv.example.com.conf > checkconf.out$n 2>/dev/null || ret=1 +[ -s checkconf.out$n ] || ret=1 +if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi +status=`expr $status + $ret` + echo "I:exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/lib/bind9/check.c b/lib/bind9/check.c index 5184ca6b062..fb34ad6b286 100644 --- a/lib/bind9/check.c +++ b/lib/bind9/check.c @@ -2904,9 +2904,13 @@ check_servers(const cfg_obj_t *config, const cfg_obj_t *voptions, return (result); } +#define ROOT_KSK_2010 0x1 +#define ROOT_KSK_2017 0x2 +#define DLV_KSK_KEY 0x4 + static isc_result_t check_trusted_key(const cfg_obj_t *key, isc_boolean_t managed, - isc_log_t *logctx) + unsigned int *keyflags, isc_log_t *logctx) { const char *keystr, *keynamestr; dns_fixedname_t fkeyname; 
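Review bot: Only the first of the four new cases increments `n`; the three that follow reuse the same `$n`, so their `checkconf.out$n` files overwrite one another and all four progress lines print the same number, which makes a failure hard to attribute. Each new case should start with the same `n=` increment line (`expr $n + 1`) that the first one uses. The last case runs `good-dlv-dlv.example.com.conf` rather than the `check-dlv-ksk-key.conf` fixture this commit adds; if the new fixture is meant to drive the dlv.isc.org check, the filename should be swapped, otherwise the fixture is dead weight. The two labels reading "does not warning" should read `does not warn`.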
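Review bot: The three new bit flags are bare `#define`s dropped between functions with no comment saying what they mark or who reads them; an anonymous enum, `enum { ROOT_KSK_2010 = 0x1, ROOT_KSK_2017 = 0x2, DLV_KSK_KEY = 0x4 };`, keeps them debugger-visible, and a line above it such as `/* Bits OR-ed into *keyflags by check_trusted_key() for well-known trust anchors. */` tells the reader they accumulate across a key list. The new `keyflags` out-parameter of `check_trusted_key` also deserves a sentence in a comment above the function stating that the callee only sets bits and never clears them, so a caller that forgets to zero the variable first gets stale results. The body of `check_trusted_key` continues past the end of this hunk.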
@@ -2984,6 +2988,128 @@ check_trusted_key(const cfg_obj_t *key, isc_boolean_t managed, keynamestr); } + if (result == ISC_R_SUCCESS && dns_name_equal(keyname, dns_rootname)) { + static const unsigned char root_ksk_2010[] = { + 0x03, 0x01, 0x00, 0x01, 0xa8, 0x00, 0x20, 0xa9, + 0x55, 0x66, 0xba, 0x42, 0xe8, 0x86, 0xbb, 0x80, + 0x4c, 0xda, 0x84, 0xe4, 0x7e, 0xf5, 0x6d, 0xbd, + 0x7a, 0xec, 0x61, 0x26, 0x15, 0x55, 0x2c, 0xec, + 0x90, 0x6d, 0x21, 0x16, 0xd0, 0xef, 0x20, 0x70, + 0x28, 0xc5, 0x15, 0x54, 0x14, 0x4d, 0xfe, 0xaf, + 0xe7, 0xc7, 0xcb, 0x8f, 0x00, 0x5d, 0xd1, 0x82, + 0x34, 0x13, 0x3a, 0xc0, 0x71, 0x0a, 0x81, 0x18, + 0x2c, 0xe1, 0xfd, 0x14, 0xad, 0x22, 0x83, 0xbc, + 0x83, 0x43, 0x5f, 0x9d, 0xf2, 0xf6, 0x31, 0x32, + 0x51, 0x93, 0x1a, 0x17, 0x6d, 0xf0, 0xda, 0x51, + 0xe5, 0x4f, 0x42, 0xe6, 0x04, 0x86, 0x0d, 0xfb, + 0x35, 0x95, 0x80, 0x25, 0x0f, 0x55, 0x9c, 0xc5, + 0x43, 0xc4, 0xff, 0xd5, 0x1c, 0xbe, 0x3d, 0xe8, + 0xcf, 0xd0, 0x67, 0x19, 0x23, 0x7f, 0x9f, 0xc4, + 0x7e, 0xe7, 0x29, 0xda, 0x06, 0x83, 0x5f, 0xa4, + 0x52, 0xe8, 0x25, 0xe9, 0xa1, 0x8e, 0xbc, 0x2e, + 0xcb, 0xcf, 0x56, 0x34, 0x74, 0x65, 0x2c, 0x33, + 0xcf, 0x56, 0xa9, 0x03, 0x3b, 0xcd, 0xf5, 0xd9, + 0x73, 0x12, 0x17, 0x97, 0xec, 0x80, 0x89, 0x04, + 0x1b, 0x6e, 0x03, 0xa1, 0xb7, 0x2d, 0x0a, 0x73, + 0x5b, 0x98, 0x4e, 0x03, 0x68, 0x73, 0x09, 0x33, + 0x23, 0x24, 0xf2, 0x7c, 0x2d, 0xba, 0x85, 0xe9, + 0xdb, 0x15, 0xe8, 0x3a, 0x01, 0x43, 0x38, 0x2e, + 0x97, 0x4b, 0x06, 0x21, 0xc1, 0x8e, 0x62, 0x5e, + 0xce, 0xc9, 0x07, 0x57, 0x7d, 0x9e, 0x7b, 0xad, + 0xe9, 0x52, 0x41, 0xa8, 0x1e, 0xbb, 0xe8, 0xa9, + 0x01, 0xd4, 0xd3, 0x27, 0x6e, 0x40, 0xb1, 0x14, + 0xc0, 0xa2, 0xe6, 0xfc, 0x38, 0xd1, 0x9c, 0x2e, + 0x6a, 0xab, 0x02, 0x64, 0x4b, 0x28, 0x13, 0xf5, + 0x75, 0xfc, 0x21, 0x60, 0x1e, 0x0d, 0xee, 0x49, + 0xcd, 0x9e, 0xe9, 0x6a, 0x43, 0x10, 0x3e, 0x52, + 0x4d, 0x62, 0x87, 0x3d }; + static const unsigned char root_ksk_2017[] = { + 0x03, 0x01, 0x00, 0x01, 0xac, 0xff, 0xb4, 0x09, + 0xbc, 0xc9, 0x39, 0xf8, 0x31, 0xf7, 0xa1, 
0xe5, + 0xec, 0x88, 0xf7, 0xa5, 0x92, 0x55, 0xec, 0x53, + 0x04, 0x0b, 0xe4, 0x32, 0x02, 0x73, 0x90, 0xa4, + 0xce, 0x89, 0x6d, 0x6f, 0x90, 0x86, 0xf3, 0xc5, + 0xe1, 0x77, 0xfb, 0xfe, 0x11, 0x81, 0x63, 0xaa, + 0xec, 0x7a, 0xf1, 0x46, 0x2c, 0x47, 0x94, 0x59, + 0x44, 0xc4, 0xe2, 0xc0, 0x26, 0xbe, 0x5e, 0x98, + 0xbb, 0xcd, 0xed, 0x25, 0x97, 0x82, 0x72, 0xe1, + 0xe3, 0xe0, 0x79, 0xc5, 0x09, 0x4d, 0x57, 0x3f, + 0x0e, 0x83, 0xc9, 0x2f, 0x02, 0xb3, 0x2d, 0x35, + 0x13, 0xb1, 0x55, 0x0b, 0x82, 0x69, 0x29, 0xc8, + 0x0d, 0xd0, 0xf9, 0x2c, 0xac, 0x96, 0x6d, 0x17, + 0x76, 0x9f, 0xd5, 0x86, 0x7b, 0x64, 0x7c, 0x3f, + 0x38, 0x02, 0x9a, 0xbd, 0xc4, 0x81, 0x52, 0xeb, + 0x8f, 0x20, 0x71, 0x59, 0xec, 0xc5, 0xd2, 0x32, + 0xc7, 0xc1, 0x53, 0x7c, 0x79, 0xf4, 0xb7, 0xac, + 0x28, 0xff, 0x11, 0x68, 0x2f, 0x21, 0x68, 0x1b, + 0xf6, 0xd6, 0xab, 0xa5, 0x55, 0x03, 0x2b, 0xf6, + 0xf9, 0xf0, 0x36, 0xbe, 0xb2, 0xaa, 0xa5, 0xb3, + 0x77, 0x8d, 0x6e, 0xeb, 0xfb, 0xa6, 0xbf, 0x9e, + 0xa1, 0x91, 0xbe, 0x4a, 0xb0, 0xca, 0xea, 0x75, + 0x9e, 0x2f, 0x77, 0x3a, 0x1f, 0x90, 0x29, 0xc7, + 0x3e, 0xcb, 0x8d, 0x57, 0x35, 0xb9, 0x32, 0x1d, + 0xb0, 0x85, 0xf1, 0xb8, 0xe2, 0xd8, 0x03, 0x8f, + 0xe2, 0x94, 0x19, 0x92, 0x54, 0x8c, 0xee, 0x0d, + 0x67, 0xdd, 0x45, 0x47, 0xe1, 0x1d, 0xd6, 0x3a, + 0xf9, 0xc9, 0xfc, 0x1c, 0x54, 0x66, 0xfb, 0x68, + 0x4c, 0xf0, 0x09, 0xd7, 0x19, 0x7c, 0x2c, 0xf7, + 0x9e, 0x79, 0x2a, 0xb5, 0x01, 0xe6, 0xa8, 0xa1, + 0xca, 0x51, 0x9a, 0xf2, 0xcb, 0x9b, 0x5f, 0x63, + 0x67, 0xe9, 0x4c, 0x0d, 0x47, 0x50, 0x24, 0x51, + 0x35, 0x7b, 0xe1, 0xb5 }; + if (flags == 257 && proto == 3 && alg == 8 && + isc_buffer_usedlength(&b) == sizeof(root_ksk_2010) && + !memcmp(keydata, root_ksk_2010, sizeof(root_ksk_2010))) { + *keyflags |= ROOT_KSK_2010; + } + if (flags == 257 && proto == 3 && alg == 8 && + isc_buffer_usedlength(&b) == sizeof(root_ksk_2017) && + !memcmp(keydata, root_ksk_2017, sizeof(root_ksk_2017))) { + *keyflags |= ROOT_KSK_2017; + } + } + if (result == ISC_R_SUCCESS && dns_name_equal(keyname, 
&dlviscorg)) { + static const unsigned char dlviscorgkey[] = { + 0x04, 0x40, 0x00, 0x00, 0x03, 0xc7, 0x32, 0xef, + 0xf9, 0xa2, 0x7c, 0xeb, 0x10, 0x4e, 0xf3, 0xd5, + 0xe8, 0x26, 0x86, 0x0f, 0xd6, 0x3c, 0xed, 0x3e, + 0x8e, 0xea, 0x19, 0xad, 0x6d, 0xde, 0xb9, 0x61, + 0x27, 0xe0, 0xcc, 0x43, 0x08, 0x4d, 0x7e, 0x94, + 0xbc, 0xb6, 0x6e, 0xb8, 0x50, 0xbf, 0x9a, 0xcd, + 0xdf, 0x64, 0x4a, 0xb4, 0xcc, 0xd7, 0xe8, 0xc8, + 0xfb, 0xd2, 0x37, 0x73, 0x78, 0xd0, 0xf8, 0x5e, + 0x49, 0xd6, 0xe7, 0xc7, 0x67, 0x24, 0xd3, 0xc2, + 0xc6, 0x7f, 0x3e, 0x8c, 0x01, 0xa5, 0xd8, 0x56, + 0x4b, 0x2b, 0xcb, 0x7e, 0xd6, 0xea, 0xb8, 0x5b, + 0xe9, 0xe7, 0x03, 0x7a, 0x8e, 0xdb, 0xe0, 0xcb, + 0xfa, 0x4e, 0x81, 0x0f, 0x89, 0x9e, 0xc0, 0xc2, + 0xdb, 0x21, 0x81, 0x70, 0x7b, 0x43, 0xc6, 0xef, + 0x74, 0xde, 0xf5, 0xf6, 0x76, 0x90, 0x96, 0xf9, + 0xe9, 0xd8, 0x60, 0x31, 0xd7, 0xb9, 0xca, 0x65, + 0xf8, 0x04, 0x8f, 0xe8, 0x43, 0xe7, 0x00, 0x2b, + 0x9d, 0x3f, 0xc6, 0xf2, 0x6f, 0xd3, 0x41, 0x6b, + 0x7f, 0xc9, 0x30, 0xea, 0xe7, 0x0c, 0x4f, 0x01, + 0x65, 0x80, 0xf7, 0xbe, 0x8e, 0x71, 0xb1, 0x3c, + 0xf1, 0x26, 0x1c, 0x0b, 0x5e, 0xfd, 0x44, 0x64, + 0x63, 0xad, 0x99, 0x7e, 0x42, 0xe8, 0x04, 0x00, + 0x03, 0x2c, 0x74, 0x3d, 0x22, 0xb4, 0xb6, 0xb6, + 0xbc, 0x80, 0x7b, 0xb9, 0x9b, 0x05, 0x95, 0x5c, + 0x3b, 0x02, 0x1e, 0x53, 0xf4, 0x70, 0xfe, 0x64, + 0x71, 0xfe, 0xfc, 0x30, 0x30, 0x24, 0xe0, 0x35, + 0xba, 0x0c, 0x40, 0xab, 0x54, 0x76, 0xf3, 0x57, + 0x0e, 0xb6, 0x09, 0x0d, 0x21, 0xd9, 0xc2, 0xcd, + 0xf1, 0x89, 0x15, 0xc5, 0xd5, 0x17, 0xfe, 0x6a, + 0x5f, 0x54, 0x99, 0x97, 0xd2, 0x6a, 0xff, 0xf8, + 0x35, 0x62, 0xca, 0x8c, 0x7c, 0xe9, 0x4f, 0x9f, + 0x64, 0xfd, 0x54, 0xad, 0x4c, 0x33, 0x74, 0x61, + 0x4b, 0x96, 0xac, 0x13, 0x61 }; + if (flags == 257 && proto == 3 && alg == 5 && + isc_buffer_usedlength(&b) == sizeof(dlviscorgkey) && + !memcmp(keydata, dlviscorgkey, sizeof(dlviscorgkey))) { + *keyflags |= DLV_KSK_KEY; + } + } + return (result); } 
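Review bot: The three byte tables are anonymous blobs; each needs a comment naming the key it encodes so a future roll can be audited against the published anchor, e.g. above `root_ksk_2010`: `/* DNSKEY RDATA (257 3 8) of the 2010 root KSK, key tag 19036 */`, the same form with key tag 20326 above `root_ksk_2017`, and `/* DNSKEY RDATA (257 3 5) of the dlv.isc.org KSK, key tag <TAG> */` above `dlviscorgkey` (the tag is not stated on this page). The `flags == 257 && proto == 3 && alg == 8` predicate is written twice for the two root comparisons; evaluating it once into a local before the two `if`s removes the duplication, and `memcmp(...) == 0` reads more directly than `!memcmp(...)`. A root trusted-key that matches neither table sets no bit and passes this block silently, so the later 2010-without-2017 and both-present warnings only cover these exact anchors; if that is intended, a one-line comment here saying so would spare the next reader the question. `dlviscorg` is presumably a file-scope name defined outside this hunk.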
@@ -3070,6 +3196,7 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions, const cfg_obj_t *opts = NULL; isc_boolean_t enablednssec, enablevalidation; const char *valstr = "no"; + unsigned int tflags, mflags; /* * Get global options block @@ -3253,6 +3380,7 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions, if (keys == NULL) (void)cfg_map_get(config, "trusted-keys", &keys); + tflags = 0; for (element = cfg_list_first(keys); element != NULL; element = cfg_list_next(element)) @@ -3262,18 +3390,32 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions, element2 != NULL; element2 = cfg_list_next(element2)) { obj = cfg_listelt_value(element2); - tresult = check_trusted_key(obj, ISC_FALSE, logctx); + tresult = check_trusted_key(obj, ISC_FALSE, &tflags, + logctx); if (tresult != ISC_R_SUCCESS) result = tresult; } } + if ((tflags & ROOT_KSK_2010) != 0 && (tflags & ROOT_KSK_2017) == 0) { + cfg_obj_log(keys, logctx, ISC_LOG_WARNING, + "trusted-key for root from 2010 without updated " + "trusted-key from 2017"); + } + + if ((tflags & DLV_KSK_KEY) != 0) { + cfg_obj_log(keys, logctx, ISC_LOG_WARNING, + "trusted-key for dlv.isc.org still present; " + "dlv.isc.org has been shut down"); + } + keys = NULL; if (voptions != NULL) (void)cfg_map_get(voptions, "managed-keys", &keys); if (keys == NULL) (void)cfg_map_get(config, "managed-keys", &keys); + mflags = 0; for (element = cfg_list_first(keys); element != NULL; element = cfg_list_next(element)) 
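Review bot: The two warning blocks added here are repeated almost verbatim for managed-keys in the next hunk (@@ -3283), differing only in the word `trusted-key`/`managed-key`; a small static helper taking the key list, the accumulated flags and that keyword would keep the two message sets from drifting apart. The messages would be more actionable with the key tags the test fixtures already cite, e.g. `"trusted-key for root from 2010 (key tag 19036) without updated trusted-key from 2017 (key tag 20326)"`, since that is what an operator sees when inspecting the root zone. The fixture comments say the 2010 KSK is being phased out, and a static trusted-key does not follow RFC 5011, so a resolver whose only root anchor is 19036 presumably stops validating once that key is withdrawn — the warning text could state that consequence rather than only the absence.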
@@ -3283,12 +3425,33 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions, element2 != NULL; element2 = cfg_list_next(element2)) { obj = cfg_listelt_value(element2); - tresult = check_trusted_key(obj, ISC_TRUE, logctx); + tresult = check_trusted_key(obj, ISC_TRUE, &mflags, + logctx); if (tresult != ISC_R_SUCCESS) result = tresult; } } + if ((mflags & ROOT_KSK_2010) != 0 && (mflags & ROOT_KSK_2017) == 0) { + cfg_obj_log(keys, logctx, ISC_LOG_WARNING, + "managed-key for root from 2010 without updated " + "managed-key from 2017"); + } + + if ((mflags & DLV_KSK_KEY) != 0) { + cfg_obj_log(keys, logctx, ISC_LOG_WARNING, + "managed-key for dlv.isc.org still present; " + "dlv.isc.org has been shut down"); + } + + if ((tflags & (ROOT_KSK_2010|ROOT_KSK_2017)) != 0 && + (mflags & (ROOT_KSK_2010|ROOT_KSK_2017)) != 0) + { + cfg_obj_log(keys, logctx, ISC_LOG_WARNING, + "both trusted-keys and managed-keys for the ICANN " + "root are present"); + } + /* * Check options. */