From 8b8e867071af6fedc55cd2f6d8271e2f50ae50d7 Mon Sep 17 00:00:00 2001
From: Pieter Lexis <pieter.lexis@powerdns.com>
Date: Mon, 7 Jan 2019 14:49:48 +0100
Subject: [PATCH] auth: error on DNSSEC default misconfiguration

This commit ensures `pdns_server` does not start when there is a
misconfiguration in default-[kz]sk-algorithm:

 * Either is set to an unknown algorithm
 * When using RSA, key size is unset
 * zsk is set but ksk is not
 * zsk is not set to the same as the ksk
---
 pdns/common_startup.cc | 24 ++++++++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)

diff --git a/pdns/common_startup.cc b/pdns/common_startup.cc
index b0999fa3b6..1dd7c0956f 100644
--- a/pdns/common_startup.cc
+++ b/pdns/common_startup.cc
@@ -558,16 +558,32 @@ void mainthread()
   catch(...) {}
 
   // Some sanity checking on default key settings
+  bool hadKeyError = false;
   for (const string& algotype : {"ksk", "zsk"}) {
     int algo, size;
     if (::arg()["default-"+algotype+"-algorithm"].empty())
       continue;
     algo = DNSSECKeeper::shorthand2algorithm(::arg()["default-"+algotype+"-algorithm"]);
     size = ::arg().asNum("default-"+algotype+"-size");
-    if (algo == -1)
-      g_log<<Logger::Warning<<"Warning: default-"<<algotype<<"-algorithm set to unknown algorithm: "<<::arg()["default-"+algotype+"-algorithm"]<<endl;
-    else if (algo <= 10 && size == 0)
-      g_log<<Logger::Warning<<"Warning: default-"<<algotype<<"-algorithm is set to an algorithm ("<<::arg()["default-"+algotype+"-algorithm"]<<") that requires a non-zero default-"<<algotype<<"-size!"<<endl;
+    if (algo == -1) {
+      g_log<<Logger::Error<<"Error: default-"<<algotype<<"-algorithm set to unknown algorithm: "<<::arg()["default-"+algotype+"-algorithm"]<<endl;
+      hadKeyError = true;
+    }
+    else if (algo <= 10 && size == 0) {
+      g_log<<Logger::Error<<"Error: default-"<<algotype<<"-algorithm is set to an algorithm ("<<::arg()["default-"+algotype+"-algorithm"]<<") that requires a non-zero default-"<<algotype<<"-size!"<<endl;
+      hadKeyError = true;
+    }
+  }
+  if (hadKeyError) {
+    exit(1);
+  }
+  if (::arg()["default-ksk-algorithm"].empty() && !::arg()["default-zsk-algorithm"].empty()) {
+    g_log<<Logger::Error<<"Error: default-zsk-algorithm is set, but default-ksk-algorithm is not set."<<endl;
+    exit(1);
+  }
+  if (!::arg()["default-zsk-algorithm"].empty() && ::arg()["default-zsk-algorithm"] != ::arg()["default-ksk-algorithm"]) {
+    g_log<<Logger::Error<<"Error: default-zsk-algorithm ("<<::arg()["default-zsk-algorithm"]<<"), when set, can not be different from default-ksk-algorithm ("<<::arg()["default-ksk-algorithm"]<<")."<<endl;
+    exit(1);
   }
 
   // NOW SAFE TO CREATE THREADS!
-- 
2.47.2