Error if signatures-refresh is too high
authorMatthijs Mekking <matthijs@isc.org>
Fri, 6 May 2022 14:54:49 +0000 (16:54 +0200)
committerMatthijs Mekking <matthijs@isc.org>
Tue, 31 May 2022 15:16:40 +0000 (17:16 +0200)
The signatures-refresh value should not be near the signatures-validity
value, to prevent operational instability. The same is true when checking
against signatures-validity-dnskey.

(cherry picked from commit 82fd89107f2cb784aabc798fbb65bbb44e608c2c)

bin/tests/system/checkconf/kasp-bad-signatures-refresh.conf [new file with mode: 0644]
bin/tests/system/checkconf/tests.sh
lib/isccfg/kaspconf.c

diff --git a/bin/tests/system/checkconf/kasp-bad-signatures-refresh.conf b/bin/tests/system/checkconf/kasp-bad-signatures-refresh.conf
new file mode 100644 (file)
index 0000000..dd907dd
--- /dev/null
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "bad-sigrefresh" {
+       keys {
+               csk lifetime unlimited algorithm 13;
+       };
+
+       signatures-validity P10D;
+       signatures-validity-dnskey P20D;
+       signatures-refresh P9DT1S;
+};
+
+dnssec-policy "bad-sigrefresh-dnskey" {
+       keys {
+               csk lifetime unlimited algorithm 13;
+       };
+
+       signatures-validity P20D;
+       signatures-validity-dnskey P10D;
+       signatures-refresh P9DT1S;
+};
+
+zone "sigrefresh.example.net" {
+       type primary;
+       file "sigrefresh.example.db";
+       dnssec-policy "bad-sigrefresh";
+};
+
+zone "dnskey.example.net" {
+       type primary;
+       file "dnskey.example.db";
+       dnssec-policy "bad-sigrefresh-dnskey";
+};
index 5abda873fdc882016e4b3e35f57aabafae884b8b..21b41f09e5941216f24b1426eb115a98358747fc 100644 (file)
@@ -528,6 +528,17 @@ grep "dnssec-policy: key with algorithm rsasha1 has invalid key length 511" < ch
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
+n=`expr $n + 1`
+echo_i "checking named-checkconf kasp signatures refresh errors ($n)"
+ret=0
+$CHECKCONF kasp-bad-signatures-refresh.conf > checkconf.out$n 2>&1 && ret=1
+grep "dnssec-policy: policy 'bad-sigrefresh' signatures-refresh must be at most 90% of the signatures-validity" < checkconf.out$n > /dev/null || ret=1
+grep "dnssec-policy: policy 'bad-sigrefresh-dnskey' signatures-refresh must be at most 90% of the signatures-validity-dnskey" < checkconf.out$n > /dev/null || ret=1
+lines=$(wc -l < "checkconf.out$n")
+if [ $lines != 2 ]; then ret=1; fi
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
 n=`expr $n + 1`
 echo_i "checking named-checkconf kasp predefined key length ($n)"
 ret=0
index 70c2511490b48958aa745297e2625c18408a2591..de538690b65ecadb1d2ba37534e342b60fab1c82 100644 (file)
@@ -268,6 +268,7 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, const char *name, isc_mem_t *mctx,
        const char *kaspname = NULL;
        dns_kasp_t *kasp = NULL;
        size_t i = 0;
+       uint32_t sigrefresh = 0, sigvalidity = 0;
 
        REQUIRE(kaspp != NULL && *kaspp == NULL);
 
@@ -308,13 +309,36 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, const char *name, isc_mem_t *mctx,
        maps[i] = NULL;
 
        /* Configuration: Signatures */
-       dns_kasp_setsigrefresh(kasp, get_duration(maps, "signatures-refresh",
-                                                 DNS_KASP_SIG_REFRESH));
-       dns_kasp_setsigvalidity(kasp, get_duration(maps, "signatures-validity",
-                                                  DNS_KASP_SIG_VALIDITY));
-       dns_kasp_setsigvalidity_dnskey(
-               kasp, get_duration(maps, "signatures-validity-dnskey",
-                                  DNS_KASP_SIG_VALIDITY_DNSKEY));
+       sigrefresh = get_duration(maps, "signatures-refresh",
+                                 DNS_KASP_SIG_REFRESH);
+       dns_kasp_setsigrefresh(kasp, sigrefresh);
+
+       sigvalidity = get_duration(maps, "signatures-validity",
+                                  DNS_KASP_SIG_VALIDITY);
+       if (sigrefresh >= (sigvalidity * 0.9)) {
+               cfg_obj_log(config, logctx, ISC_LOG_ERROR,
+                           "dnssec-policy: policy '%s' signatures-refresh "
+                           "must be at most 90%% of the signatures-validity",
+                           kaspname);
+               result = ISC_R_FAILURE;
+       }
+       dns_kasp_setsigvalidity(kasp, sigvalidity);
+
+       sigvalidity = get_duration(maps, "signatures-validity-dnskey",
+                                  DNS_KASP_SIG_VALIDITY_DNSKEY);
+       if (sigrefresh >= (sigvalidity * 0.9)) {
+               cfg_obj_log(
+                       config, logctx, ISC_LOG_ERROR,
+                       "dnssec-policy: policy '%s' signatures-refresh must be "
+                       "at most 90%% of the signatures-validity-dnskey",
+                       kaspname);
+               result = ISC_R_FAILURE;
+       }
+       dns_kasp_setsigvalidity_dnskey(kasp, sigvalidity);
+
+       if (result != ISC_R_SUCCESS) {
+               goto cleanup;
+       }
 
        /* Configuration: Keys */
        dns_kasp_setdnskeyttl(
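Review bot: Both new bounds checks use `sigrefresh >= (sigvalidity * 0.9)`, which rejects a signatures-refresh of exactly 90% even though the logged text says "must be at most 90%". Because the right-hand side is a double, whether the exact-90% case trips the check can also depend on how the product rounds for a given validity. The new fixture only exercises P9DT1S against P10D, so that boundary is not pinned by a test. Integer arithmetic would make the limit exact and match the message: `if ((uint64_t)sigrefresh * 10 > (uint64_t)sigvalidity * 9) {` in both places, or keep `>=` and reword the message to "less than 90%" if a strict limit is intended. The checks also appear to run on defaulted values, so a policy that sets only a short signatures-validity would presumably get an error naming a signatures-refresh it never configured, which is worth a line in the option's documentation; cfg_kasp_fromconfig starts and ends outside this hunk.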