
update key checks in lib/bind9/check.c and fix checkconf test

- any use of trusted or static keys for the root zone will now
  elicit a warning, regardless of what the keys may be
- ditto for any use of a key for dlv.isc.org, static or managed
Evan Hunt 2018-10-03 11:46:06 -07:00
parent a00e54cf0e
commit 82f5bce1bb
8 changed files with 198 additions and 83 deletions


@ -14,7 +14,7 @@ managed-keys {
# remain in the root zone for some time after its successor key # remain in the root zone for some time after its successor key
# has been added. It will remain this file until it is removed from # has been added. It will remain this file until it is removed from
# the root zone. # the root zone.
. static-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz


@ -17,7 +17,7 @@ managed-keys {
# file as initializing keys; thereafter, the keys in the # file as initializing keys; thereafter, the keys in the
# managed key database will be trusted and maintained # managed key database will be trusted and maintained
# automatically. # automatically.
. static-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 . initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e


@ -14,7 +14,7 @@ managed-keys {
# remain in the root zone for some time after its successor key # remain in the root zone for some time after its successor key
# has been added. It will remain this file until it is removed from # has been added. It will remain this file until it is removed from
# the root zone. # the root zone.
. static-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
@ -29,7 +29,7 @@ managed-keys {
# file as initializing keys; thereafter, the keys in the # file as initializing keys; thereafter, the keys in the
# managed key database will be trusted and maintained # managed key database will be trusted and maintained
# automatically. # automatically.
. static-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 . initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e


@ -0,0 +1,39 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
managed-keys {
# This key (19036) is to be phased out starting in 2017. It will
# remain in the root zone for some time after its successor key
# has been added. It will remain this file until it is removed from
# the root zone.
. static-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
QxA+Uk1ihz0=";
# This key (20326) was published in the root zone in 2017.
# Servers which were already using the old key (19036) should
# roll seamlessly to this new one via RFC 5011 rollover. Servers
# being set up for the first time can use the contents of this
# file as initializing keys; thereafter, the keys in the
# managed key database will be trusted and maintained
# automatically.
. initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
R1AkUTV74bU=";
};
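Review bot: The comment above the 20326 key in this file says servers already using the old key (19036) will roll to it via RFC 5011 and that the keys will then be maintained automatically, but the 19036 entry directly above is declared `static-key`, which is exactly the configuration this commit's new checkconf warning says WILL FAIL after key rollover — the fixture exists to trigger that warning, so the comment contradicts its purpose. The two new single-key fixtures that follow (the managed-keys `static-key` file and the `trusted-keys` file) carry the same copied paragraph and are equally misleading for a non-managed trust anchor. Replace the paragraph in each with a short fixture note such as `# Test fixture: deliberately configures the root KSK as a non-managed key so` / `# that named-checkconf's "WILL FAIL after key rollover" warning is exercised.`, keeping the key-id line.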


@ -0,0 +1,27 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
managed-keys {
# This key (20326) was published in the root zone in 2017.
# Servers which were already using the old key (19036) should
# roll seamlessly to this new one via RFC 5011 rollover. Servers
# being set up for the first time can use the contents of this
# file as initializing keys; thereafter, the keys in the
# managed key database will be trusted and maintained
# automatically.
. static-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
R1AkUTV74bU=";
};


@ -0,0 +1,27 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
trusted-keys {
# This key (20326) was published in the root zone in 2017.
# Servers which were already using the old key (19036) should
# roll seamlessly to this new one via RFC 5011 rollover. Servers
# being set up for the first time can use the contents of this
# file as initializing keys; thereafter, the keys in the
# managed key database will be trusted and maintained
# automatically.
. 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
R1AkUTV74bU=";
};


@ -383,7 +383,7 @@ echo_i "check that the 2010 ICANN ROOT KSK without the 2017 ICANN ROOT KSK gener
ret=0 ret=0
$CHECKCONF check-root-ksk-2010.conf > checkconf.out$n 2>/dev/null || ret=1 $CHECKCONF check-root-ksk-2010.conf > checkconf.out$n 2>/dev/null || ret=1
[ -s checkconf.out$n ] || ret=1 [ -s checkconf.out$n ] || ret=1
grep "static key for root from 2010 without updated key" checkconf.out$n > /dev/null || ret=1 grep "key without the updated" checkconf.out$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
status=`expr $status + $ret` status=`expr $status + $ret`
@ -402,11 +402,32 @@ $CHECKCONF check-root-ksk-2017.conf > checkconf.out$n 2>/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
status=`expr $status + $ret` status=`expr $status + $ret`
echo_i "check that a static root key generates a warning ($n)"
ret=0
$CHECKCONF check-root-static-key.conf > checkconf.out$n 2>/dev/null || ret=1
grep "static-key entry for the root zone WILL FAIL" checkconf.out$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
status=`expr $status + $ret`
echo_i "check that a trusted-keys entry for root generates a warning ($n)"
ret=0
$CHECKCONF check-root-trusted-key.conf > checkconf.out$n 2>/dev/null || ret=1
grep "trusted-keys entry for the root zone WILL FAIL" checkconf.out$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
status=`expr $status + $ret`
echo_i "check that mixed static-key and initial-key for root generates a warning ($n)"
ret=0
$CHECKCONF check-root-mixed-key.conf > checkconf.out$n 2>/dev/null || ret=1
grep "both initial-key and static-key" checkconf.out$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
status=`expr $status + $ret`
echo_i "check that the dlv.isc.org KSK generates a warning ($n)" echo_i "check that the dlv.isc.org KSK generates a warning ($n)"
ret=0 ret=0
$CHECKCONF check-dlv-ksk-key.conf > checkconf.out$n 2>/dev/null || ret=1 $CHECKCONF check-dlv-ksk-key.conf > checkconf.out$n 2>/dev/null || ret=1
[ -s checkconf.out$n ] || ret=1 [ -s checkconf.out$n ] || ret=1
grep "static key for dlv.isc.org still present" checkconf.out$n > /dev/null || ret=1 grep "entry for dlv.isc.org still present" checkconf.out$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
status=`expr $status + $ret` status=`expr $status + $ret`
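Review bot: The updated pattern `grep "entry for dlv.isc.org still present"` on the last changed grep line matches only the managed-keys wording; the trusted-keys variant added in check.c reads `trusted-keys entry for dlv.isc.org is still present:`, so if check-dlv-ksk-key.conf (not visible here) declares the key under trusted-keys the test fails even though the warning fires. A pattern covering both wordings, `grep "entry for dlv.isc.org.*still.*present" checkconf.out$n > /dev/null || ret=1`, keeps the test aligned with either message. The three new test blocks also omit the `[ -s checkconf.out$n ] || ret=1` guard their neighbours use; the grep already fails on an empty file, so this is a consistency nit rather than a defect.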


@ -3055,9 +3055,12 @@ check_servers(const cfg_obj_t *config, const cfg_obj_t *voptions,
return (result); return (result);
} }
#define ROOT_KSK_2010 0x1 #define ROOT_KSK_STATIC 0x01
#define ROOT_KSK_2017 0x2 #define ROOT_KSK_MANAGED 0x02
#define DLV_KSK_KEY 0x4 #define ROOT_KSK_ANY 0x03
#define ROOT_KSK_2010 0x04
#define ROOT_KSK_2017 0x08
#define DLV_KSK_KEY 0x10
static isc_result_t static isc_result_t
check_trusted_key(const cfg_obj_t *key, bool managed, check_trusted_key(const cfg_obj_t *key, bool managed,
@ -3134,10 +3137,12 @@ check_trusted_key(const cfg_obj_t *key, bool managed,
if ((alg == DST_ALG_RSASHA1) && if ((alg == DST_ALG_RSASHA1) &&
r.length > 1 && r.base[0] == 1 && r.base[1] == 3) r.length > 1 && r.base[0] == 1 && r.base[1] == 3)
{
cfg_obj_log(key, logctx, ISC_LOG_WARNING, cfg_obj_log(key, logctx, ISC_LOG_WARNING,
"%s key '%s' has a weak exponent", "%s key '%s' has a weak exponent",
managed ? "initializing" : "static", managed ? "initializing" : "static",
keynamestr); keynamestr);
}
} }
if (result == ISC_R_SUCCESS && dns_name_equal(keyname, dns_rootname)) { if (result == ISC_R_SUCCESS && dns_name_equal(keyname, dns_rootname)) {
@ -3174,7 +3179,8 @@ check_trusted_key(const cfg_obj_t *key, bool managed,
0x6a, 0xab, 0x02, 0x64, 0x4b, 0x28, 0x13, 0xf5, 0x6a, 0xab, 0x02, 0x64, 0x4b, 0x28, 0x13, 0xf5,
0x75, 0xfc, 0x21, 0x60, 0x1e, 0x0d, 0xee, 0x49, 0x75, 0xfc, 0x21, 0x60, 0x1e, 0x0d, 0xee, 0x49,
0xcd, 0x9e, 0xe9, 0x6a, 0x43, 0x10, 0x3e, 0x52, 0xcd, 0x9e, 0xe9, 0x6a, 0x43, 0x10, 0x3e, 0x52,
0x4d, 0x62, 0x87, 0x3d }; 0x4d, 0x62, 0x87, 0x3d
};
static const unsigned char root_ksk_2017[] = { static const unsigned char root_ksk_2017[] = {
0x03, 0x01, 0x00, 0x01, 0xac, 0xff, 0xb4, 0x09, 0x03, 0x01, 0x00, 0x01, 0xac, 0xff, 0xb4, 0x09,
0xbc, 0xc9, 0x39, 0xf8, 0x31, 0xf7, 0xa1, 0xe5, 0xbc, 0xc9, 0x39, 0xf8, 0x31, 0xf7, 0xa1, 0xe5,
@ -3208,58 +3214,34 @@ check_trusted_key(const cfg_obj_t *key, bool managed,
0x9e, 0x79, 0x2a, 0xb5, 0x01, 0xe6, 0xa8, 0xa1, 0x9e, 0x79, 0x2a, 0xb5, 0x01, 0xe6, 0xa8, 0xa1,
0xca, 0x51, 0x9a, 0xf2, 0xcb, 0x9b, 0x5f, 0x63, 0xca, 0x51, 0x9a, 0xf2, 0xcb, 0x9b, 0x5f, 0x63,
0x67, 0xe9, 0x4c, 0x0d, 0x47, 0x50, 0x24, 0x51, 0x67, 0xe9, 0x4c, 0x0d, 0x47, 0x50, 0x24, 0x51,
0x35, 0x7b, 0xe1, 0xb5 }; 0x35, 0x7b, 0xe1, 0xb5
};
/*
* Flag any use of a root key, regardless of content.
*/
*keyflags |= (managed ? ROOT_KSK_MANAGED : ROOT_KSK_STATIC);
if (flags == 257 && proto == 3 && alg == 8 && if (flags == 257 && proto == 3 && alg == 8 &&
isc_buffer_usedlength(&b) == sizeof(root_ksk_2010) && isc_buffer_usedlength(&b) == sizeof(root_ksk_2010) &&
!memcmp(keydata, root_ksk_2010, sizeof(root_ksk_2010))) { !memcmp(keydata, root_ksk_2010, sizeof(root_ksk_2010)))
{
*keyflags |= ROOT_KSK_2010; *keyflags |= ROOT_KSK_2010;
} }
if (flags == 257 && proto == 3 && alg == 8 && if (flags == 257 && proto == 3 && alg == 8 &&
isc_buffer_usedlength(&b) == sizeof(root_ksk_2017) && isc_buffer_usedlength(&b) == sizeof(root_ksk_2017) &&
!memcmp(keydata, root_ksk_2017, sizeof(root_ksk_2017))) { !memcmp(keydata, root_ksk_2017, sizeof(root_ksk_2017)))
{
*keyflags |= ROOT_KSK_2017; *keyflags |= ROOT_KSK_2017;
} }
} }
if (result == ISC_R_SUCCESS && dns_name_equal(keyname, &dlviscorg)) {
static const unsigned char dlviscorgkey[] = { /*
0x04, 0x40, 0x00, 0x00, 0x03, 0xc7, 0x32, 0xef, * Flag any use of dlv.isc.org, regardless of content.
0xf9, 0xa2, 0x7c, 0xeb, 0x10, 0x4e, 0xf3, 0xd5, */
0xe8, 0x26, 0x86, 0x0f, 0xd6, 0x3c, 0xed, 0x3e, if (dns_name_equal(keyname, &dlviscorg)) {
0x8e, 0xea, 0x19, 0xad, 0x6d, 0xde, 0xb9, 0x61, *keyflags |= DLV_KSK_KEY;
0x27, 0xe0, 0xcc, 0x43, 0x08, 0x4d, 0x7e, 0x94,
0xbc, 0xb6, 0x6e, 0xb8, 0x50, 0xbf, 0x9a, 0xcd,
0xdf, 0x64, 0x4a, 0xb4, 0xcc, 0xd7, 0xe8, 0xc8,
0xfb, 0xd2, 0x37, 0x73, 0x78, 0xd0, 0xf8, 0x5e,
0x49, 0xd6, 0xe7, 0xc7, 0x67, 0x24, 0xd3, 0xc2,
0xc6, 0x7f, 0x3e, 0x8c, 0x01, 0xa5, 0xd8, 0x56,
0x4b, 0x2b, 0xcb, 0x7e, 0xd6, 0xea, 0xb8, 0x5b,
0xe9, 0xe7, 0x03, 0x7a, 0x8e, 0xdb, 0xe0, 0xcb,
0xfa, 0x4e, 0x81, 0x0f, 0x89, 0x9e, 0xc0, 0xc2,
0xdb, 0x21, 0x81, 0x70, 0x7b, 0x43, 0xc6, 0xef,
0x74, 0xde, 0xf5, 0xf6, 0x76, 0x90, 0x96, 0xf9,
0xe9, 0xd8, 0x60, 0x31, 0xd7, 0xb9, 0xca, 0x65,
0xf8, 0x04, 0x8f, 0xe8, 0x43, 0xe7, 0x00, 0x2b,
0x9d, 0x3f, 0xc6, 0xf2, 0x6f, 0xd3, 0x41, 0x6b,
0x7f, 0xc9, 0x30, 0xea, 0xe7, 0x0c, 0x4f, 0x01,
0x65, 0x80, 0xf7, 0xbe, 0x8e, 0x71, 0xb1, 0x3c,
0xf1, 0x26, 0x1c, 0x0b, 0x5e, 0xfd, 0x44, 0x64,
0x63, 0xad, 0x99, 0x7e, 0x42, 0xe8, 0x04, 0x00,
0x03, 0x2c, 0x74, 0x3d, 0x22, 0xb4, 0xb6, 0xb6,
0xbc, 0x80, 0x7b, 0xb9, 0x9b, 0x05, 0x95, 0x5c,
0x3b, 0x02, 0x1e, 0x53, 0xf4, 0x70, 0xfe, 0x64,
0x71, 0xfe, 0xfc, 0x30, 0x30, 0x24, 0xe0, 0x35,
0xba, 0x0c, 0x40, 0xab, 0x54, 0x76, 0xf3, 0x57,
0x0e, 0xb6, 0x09, 0x0d, 0x21, 0xd9, 0xc2, 0xcd,
0xf1, 0x89, 0x15, 0xc5, 0xd5, 0x17, 0xfe, 0x6a,
0x5f, 0x54, 0x99, 0x97, 0xd2, 0x6a, 0xff, 0xf8,
0x35, 0x62, 0xca, 0x8c, 0x7c, 0xe9, 0x4f, 0x9f,
0x64, 0xfd, 0x54, 0xad, 0x4c, 0x33, 0x74, 0x61,
0x4b, 0x96, 0xac, 0x13, 0x61 };
if (flags == 257 && proto == 3 && alg == 5 &&
isc_buffer_usedlength(&b) == sizeof(dlviscorgkey) &&
!memcmp(keydata, dlviscorgkey, sizeof(dlviscorgkey))) {
*keyflags |= DLV_KSK_KEY;
}
} }
return (result); return (result);
@ -3686,10 +3668,12 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
* Check trusted-keys and managed-keys. * Check trusted-keys and managed-keys.
*/ */
tkeys = NULL; tkeys = NULL;
if (voptions != NULL) if (voptions != NULL) {
(void)cfg_map_get(voptions, "trusted-keys", &tkeys); (void)cfg_map_get(voptions, "trusted-keys", &tkeys);
if (tkeys == NULL) }
if (tkeys == NULL) {
(void)cfg_map_get(config, "trusted-keys", &tkeys); (void)cfg_map_get(config, "trusted-keys", &tkeys);
}
tflags = 0; tflags = 0;
for (element = cfg_list_first(tkeys); for (element = cfg_list_first(tkeys);
@ -3699,33 +3683,37 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
const cfg_obj_t *keylist = cfg_listelt_value(element); const cfg_obj_t *keylist = cfg_listelt_value(element);
for (element2 = cfg_list_first(keylist); for (element2 = cfg_list_first(keylist);
element2 != NULL; element2 != NULL;
element2 = cfg_list_next(element2)) { element2 = cfg_list_next(element2))
{
obj = cfg_listelt_value(element2); obj = cfg_listelt_value(element2);
tresult = check_trusted_key(obj, false, &tflags, tresult = check_trusted_key(obj, false,
logctx); &tflags, logctx);
if (tresult != ISC_R_SUCCESS) if (tresult != ISC_R_SUCCESS) {
result = tresult; result = tresult;
}
} }
} }
if ((tflags & ROOT_KSK_2010) != 0 && (tflags & ROOT_KSK_2017) == 0) { if ((tflags & ROOT_KSK_STATIC) != 0) {
cfg_obj_log(tkeys, logctx, ISC_LOG_WARNING, cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
"trusted-key for root from 2010 without updated " "trusted-keys entry for the root zone "
"trusted-key from 2017: THIS WILL FAIL AFTER " "WILL FAIL after key rollover - use "
"KEY ROLLOVER"); "managed-keys with initial-key instead.");
} }
if ((tflags & DLV_KSK_KEY) != 0) { if ((tflags & DLV_KSK_KEY) != 0) {
cfg_obj_log(tkeys, logctx, ISC_LOG_WARNING, cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
"trusted-key for dlv.isc.org still present; " "trusted-keys entry for dlv.isc.org is still "
"dlv.isc.org has been shut down"); "present: dlv.isc.org has been shut down");
} }
mkeys = NULL; mkeys = NULL;
if (voptions != NULL) if (voptions != NULL) {
(void)cfg_map_get(voptions, "managed-keys", &mkeys); (void)cfg_map_get(voptions, "managed-keys", &mkeys);
if (mkeys == NULL) }
if (keys == NULL) {
(void)cfg_map_get(config, "managed-keys", &mkeys); (void)cfg_map_get(config, "managed-keys", &mkeys);
}
mflags = 0; mflags = 0;
for (element = cfg_list_first(mkeys); for (element = cfg_list_first(mkeys);
@ -3740,31 +3728,44 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
obj = cfg_listelt_value(element2); obj = cfg_listelt_value(element2);
tresult = check_trusted_key(obj, true, &mflags, tresult = check_trusted_key(obj, true, &mflags,
logctx); logctx);
if (tresult != ISC_R_SUCCESS) if (tresult != ISC_R_SUCCESS) {
result = tresult; result = tresult;
}
} }
} }
if ((mflags & ROOT_KSK_STATIC) != 0) {
cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
"managed-keys static-key entry for the root zone "
"WILL FAIL after key rollover - use "
"managed-keys with initial-key instead.");
}
if ((mflags & ROOT_KSK_2010) != 0 && (mflags & ROOT_KSK_2017) == 0) { if ((mflags & ROOT_KSK_2010) != 0 && (mflags & ROOT_KSK_2017) == 0) {
cfg_obj_log(mkeys, logctx, ISC_LOG_WARNING, cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
"managed-key for root from 2010 without updated " "managed-keys initial-key entry for the root zone "
"managed-key from 2017"); "uses the 2010 key without the updated "
"2017 key");
}
if ((tflags & ROOT_KSK_ANY) != 0 && (mflags & ROOT_KSK_ANY) != 0) {
cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
"both trusted-keys and managed-keys for the "
"root zone are present");
}
if ((mflags & ROOT_KSK_ANY) == ROOT_KSK_ANY) {
cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
"both initial-key and static-key entries for the "
"root zone are present");
} }
if ((mflags & DLV_KSK_KEY) != 0) { if ((mflags & DLV_KSK_KEY) != 0) {
cfg_obj_log(mkeys, logctx, ISC_LOG_WARNING, cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
"managed-key for dlv.isc.org still present; " "managed-keys entry for dlv.isc.org still present; "
"dlv.isc.org has been shut down"); "dlv.isc.org has been shut down");
} }
if ((tflags & (ROOT_KSK_2010|ROOT_KSK_2017)) != 0 &&
(mflags & (ROOT_KSK_2010|ROOT_KSK_2017)) != 0)
{
cfg_obj_log(mkeys, logctx, ISC_LOG_WARNING,
"both trusted-keys and managed-keys for the ICANN "
"root are present");
}
obj = NULL; obj = NULL;
if (voptions != NULL) { if (voptions != NULL) {
(void)cfg_map_get(voptions, "dnssec-validation", &obj); (void)cfg_map_get(voptions, "dnssec-validation", &obj);