};
};
+dnssec-policy "warn3" {
+ keys {
+ // This policy has a key with a very short lifetime.
+ csk lifetime PT2591999S algorithm rsasha256;
+ };
+};
+
zone "warn1.example.net" {
type primary;
file "warn1.example.db";
dnssec-policy "warn2";
};
+zone "warn3.example.net" {
+ type primary;
+ file "warn3.example.db";
+ dnssec-policy "warn3";
+};
+
grep "dnssec-policy: algorithm 8 has multiple keys with ZSK role" < checkconf.out$n > /dev/null || ret=1
grep "dnssec-policy: algorithm 13 has multiple keys with KSK role" < checkconf.out$n > /dev/null || ret=1
grep "dnssec-policy: algorithm 13 has multiple keys with ZSK role" < checkconf.out$n > /dev/null || ret=1
+grep "dnssec-policy: key lifetime is shorter than 30 days" < checkconf.out$n > /dev/null || ret=1
lines=$(wc -l < "checkconf.out$n")
-if [ $lines != 4 ]; then ret=1; fi
+if [ $lines != 5 ]; then ret=1; fi
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
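Review bot: The updated count check `if [ $lines != 5 ]` compares with the string operator on an unquoted expansion, so an empty or whitespace-mangled `$lines` yields a test syntax error rather than a failed check; `if [ "$lines" -ne 5 ]; then ret=1; fi` is the arithmetic form and fails cleanly. The hard-coded total also has to be bumped every time a warning is added to this config (as this commit does, 4 → 5), which is brittle; counting only the expected prefix, e.g. `lines=$(grep -c "dnssec-policy:" "checkconf.out$n")`, would at least stop unrelated output from tripping the test. The new grep on the "key lifetime is shorter than 30 days" line itself looks consistent with the C message. The surrounding test case may extend beyond this hunk.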
if (cfg_obj_isduration(obj)) {
key->lifetime = cfg_obj_asduration(obj);
}
+ if (key->lifetime > 0 && key->lifetime < 30 * (24 * 3600)) {
+ cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
+ "dnssec-policy: key lifetime is shorter "
+ "than 30 days");
+ }
obj = cfg_tuple_get(config, "algorithm");
alg.base = cfg_obj_asstring(obj);
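Review bot: The 30-day threshold is spelled twice in the added block, once as the arithmetic literal `30 * (24 * 3600)` in the condition and once as prose in the warning text, so the two can drift apart silently; naming it once, e.g. a file-local `enum { KEY_LIFETIME_WARN_SECONDS = 30 * 24 * 3600 }` (name constructed here), and using that in the comparison keeps them tied together. The `key->lifetime > 0` guard reads as "0 means no lifetime set / unlimited", but that is not visible in the hunk; if so, a short comment such as `/* 0 = no lifetime configured (e.g. "unlimited"); only warn on a real value */` on the guard would save the next reader from checking `cfg_obj_asduration`. Note the check runs after the `if (cfg_obj_isduration(obj))` assignment, so a non-duration value leaves `key->lifetime` at whatever it held before — presumably zero-initialised, which the guard relies on. The enclosing function starts and ends outside this hunk.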