check all RSA algorithms for weak keys

lib/dns/zone.c

@@ -3220,8 +3220,6 @@ zone_check_dnskeys(dns_zone_t *zone, dns_db_t *db) {
 	dns_rdata_t rdata = DNS_RDATA_INIT;
 	dns_rdataset_t rdataset;
 	isc_result_t result;
-	bool logit, foundrsa = false;
-	const char *algorithm;
 
 	result = dns_db_findnode(db, &zone->origin, false, &node);
 	if (result != ISC_R_SUCCESS) {
@@ -3260,20 +3258,42 @@ zone_check_dnskeys(dns_zone_t *zone, dns_db_t *db) {
 		 * a more conservative choice would be 65537 (F4, the fourth
 		 * fermat number).
 		 */
-		if (dnskey.algorithm == DST_ALG_RSASHA1 &&
+		if (dnskey.datalen > 1 && dnskey.data[0] == 1 &&
-		    dnskey.datalen > 1 && dnskey.data[0] == 1 &&
 		    dnskey.data[1] == 3)
 		{
-			if (dnskey.algorithm == DST_ALG_RSASHA1) {
+			const char *algorithm = "";
-				logit = !foundrsa;
+			isc_region_t r;
-				foundrsa = true;
+			bool logit = true;
+
+			dns_rdata_toregion(&rdata, &r);
+
+			switch (dnskey.algorithm) {
+			case DNS_KEYALG_RSAMD5:
+				algorithm = "RSAMD5";
+				break;
+			case DNS_KEYALG_RSASHA1:
 				algorithm = "RSASHA1";
+				break;
+			case DNS_KEYALG_NSEC3RSASHA1:
+				algorithm = "NSEC3RSASHA1";
+				break;
+			case DNS_KEYALG_RSASHA256:
+				algorithm = "RSASHA236";
+				break;
+			case DNS_KEYALG_RSASHA512:
+				algorithm = "RSASHA512";
+				break;
+			default:
+				logit = false;
+				break;
 			}
+
 			if (logit) {
 				dnssec_log(zone, ISC_LOG_WARNING,
 					   "weak %s (%u) key found "
-					   "(exponent=3)", algorithm,
+					   "(exponent=3, id=%u)", algorithm,
-					   dnskey.algorithm);
+					   dnskey.algorithm,
+					   dst_region_computeid(&r));
 			}
 		}
 		dns_rdata_reset(&rdata);