From: Matthijs Mekking
Date: Fri, 6 Feb 2026 13:32:08 +0000 (+0100)
Subject: Minor logging improvements for key lifetime
X-Git-Tag: v9.21.19~34^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a5f934b7a17bedd9d348a349508894afcc6ea1f9;p=thirdparty%2Fbind9.git
Minor logging improvements for key lifetime
---
diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh
index aec7b136396..a1f6a7430f3 100644
--- a/bin/tests/system/checkconf/tests.sh
+++ b/bin/tests/system/checkconf/tests.sh
@@ -680,7 +680,7 @@
 grep "dnssec-policy: algorithm 8 has multiple keys with ZSK role" /dev/null || ret=1
 grep "dnssec-policy: algorithm 13 has multiple keys with KSK role" /dev/null || ret=1
 grep "dnssec-policy: algorithm 13 has multiple keys with ZSK role" /dev/null || ret=1
-grep "dnssec-policy: key lifetime is shorter than 30 days" /dev/null || ret=1
+grep "dnssec-policy: key lifetime is shorter than the recommended 30 days" /dev/null || ret=1
 lines=$(wc -l <"checkconf.out$n")
 if [ $lines -ne 5 ]; then ret=1; fi
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
diff --git a/lib/isccfg/kaspconf.c b/lib/isccfg/kaspconf.c
index fbd70aae43f..6593f78145a 100644
--- a/lib/isccfg/kaspconf.c
+++ b/lib/isccfg/kaspconf.c
@@ -120,6 +120,7 @@ cfg_kaspkey_fromconfig(const cfg_obj_t *config, dns_kasp_t *kasp,
 isc_result_t result;
 dns_kasp_key_t *key = NULL;
 const cfg_obj_t *tagrange = NULL;
+ uint32_t min_lifetime = UINT32_MAX;
 
 /* Create a new key reference. */
 dns_kasp_key_create(kasp, &key);
@@ -199,18 +200,22 @@ cfg_kaspkey_fromconfig(const cfg_obj_t *config, dns_kasp_t *kasp,
 cfg_obj_log(obj, ISC_LOG_WARNING,
 "dnssec-policy: key "
 "lifetime is "
- "shorter than 30 days");
+ "shorter than the "
+ "recommended 30 days");
 }
 }
 if ((key->role & DNS_KASP_KEY_ROLE_KSK) != 0 &&
 key->lifetime <= ksk_min_lifetime)
 {
 error = true;
+ min_lifetime = ksk_min_lifetime;
 }
 if ((key->role & DNS_KASP_KEY_ROLE_ZSK) != 0 &&
 key->lifetime <= zsk_min_lifetime)
 {
 error = true;
+ min_lifetime = ISC_MIN(min_lifetime,
+ zsk_min_lifetime);
 }
 if (error) {
 if (log_errors) {
@@ -219,7 +224,11 @@ cfg_kaspkey_fromconfig(const cfg_obj_t *config, dns_kasp_t *kasp,
 "lifetime is "
 "shorter than the time it "
 "takes to "
- "do a rollover");
+ "do a rollover (lifetime "
+ "with these parameters "
+ "must be higher than %u "
+ "seconds)",
+ min_lifetime);
 }
 CLEANUP(ISC_R_FAILURE);
 }
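Review bot: For a key that carries both roles (a CSK), `min_lifetime = ISC_MIN(min_lifetime, zsk_min_lifetime);` understates the requirement when both role checks fail: the lifetime has to exceed `ksk_min_lifetime` and `zsk_min_lifetime`, so the bound worth reporting is the larger of the two, not the smaller. With a KSK minimum of 100 and a ZSK minimum of 200 the error would say "must be higher than 100", and a lifetime of 101 then fails again on the ZSK check with a different number. Suggest `min_lifetime = ISC_MAX(min_lifetime, zsk_min_lifetime);` here (ISC_MAX should sit next to ISC_MIN in isc/util.h, worth confirming), with the declaration added earlier in this function changed to `uint32_t min_lifetime = 0;`, since the UINT32_MAX seed only makes sense for a minimum. The single-role cases are unaffected because only one branch assigns. cfg_kaspkey_fromconfig starts and ends outside the hunk.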
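Review bot: `"must be higher than %u "` is paired with `min_lifetime`, which the earlier hunk declares as `uint32_t`; `%u` takes `unsigned int`, which happens to match on the platforms BIND builds for but is not what the fixed-width type promises. Using `"must be higher than %" PRIu32 " "` keeps the format tied to the type (with `<inttypes.h>` included, if this file does not already pull it in). The message also gives the reader no way to tell which role's rollover timing produced the number, which matters for a CSK where either check can trip; naming the role, or a short comment above the log call explaining that the bound is derived from the rollover timing parameters, would make the figure actionable. The enclosing function starts outside the hunk.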