diff --git a/CHANGES b/CHANGES index a4db48c89f..234be1e4bc 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,8 @@ +4889. [func] Warn about the use of old root keys without the new + root key being present. Warn about dlv.isc.org's + key being present. Warn about both managed and + trusted root keys being present. [RT #43670] + 4888. [test] Initialize sockets correctly in sample-update so that the nsupdate system test will run on Windows. [RT #47097] diff --git a/bin/named/server.c b/bin/named/server.c index 04cbb0f947..68aca3559f 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -7820,8 +7820,8 @@ load_configuration(const char *filename, named_server_t *server, if (access(server->bindkeysfile, R_OK) == 0) { isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER, ISC_LOG_INFO, - "reading built-in trusted " - "keys from file '%s'", server->bindkeysfile); + "reading built-in trust anchors " + "from file '%s'", server->bindkeysfile); CHECK(cfg_parser_create(named_g_mctx, named_g_lctx, &bindkeys_parser)); @@ -7832,8 +7832,8 @@ load_configuration(const char *filename, named_server_t *server, } else { isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER, ISC_LOG_INFO, - "unable to open '%s' using built-in keys", - server->bindkeysfile); + "unable to open '%s'; using built-in keys " + "instead", server->bindkeysfile); } /* Ensure exclusive access to configuration data. */ diff --git a/bin/tests/system/checkconf/check-dlv-ksk-key.conf b/bin/tests/system/checkconf/check-dlv-ksk-key.conf new file mode 100644 index 0000000000..1ee566d13f --- /dev/null +++ b/bin/tests/system/checkconf/check-dlv-ksk-key.conf @@ -0,0 +1,9 @@ +trusted-keys { + dlv.isc.org 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWE + n4MxDCE1+lLy2brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8 + +jAGl2FZLK8t+1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ + 2kJb56dhgMde5ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnG + xPPEmHAte/URkY62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mR + x/vwwMCTgNboMQKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWL + KjHzpT59k/VStTDN0YUuWrBNh"; +}; diff --git a/bin/tests/system/checkconf/check-root-ksk-2010.conf b/bin/tests/system/checkconf/check-root-ksk-2010.conf new file mode 100644 index 0000000000..54a1b9ff0b --- /dev/null +++ b/bin/tests/system/checkconf/check-root-ksk-2010.conf @@ -0,0 +1,13 @@ +trusted-keys { + # This key (19036) is to be phased out starting in 2017. It will + # remain in the root zone for some time after its successor key + # has been added. It will remain this file until it is removed from + # the root zone. + . 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF + FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX + bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD + X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz + W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS + Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq + QxA+Uk1ihz0="; +}; diff --git a/bin/tests/system/checkconf/check-root-ksk-2017.conf b/bin/tests/system/checkconf/check-root-ksk-2017.conf new file mode 100644 index 0000000000..7d83d4b16c --- /dev/null +++ b/bin/tests/system/checkconf/check-root-ksk-2017.conf @@ -0,0 +1,16 @@ +trusted-keys { + # This key (20326) was published in the root zone in 2017. + # Servers which were already using the old key (19036) should + # roll seamlessly to this new one via RFC 5011 rollover. Servers + # being set up for the first time can use the contents of this + # file as initializing keys; thereafter, the keys in the + # managed key database will be trusted and maintained + # automatically. + . 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 + +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv + ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF + 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e + oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd + RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN + R1AkUTV74bU="; +}; diff --git a/bin/tests/system/checkconf/check-root-ksk-both.conf b/bin/tests/system/checkconf/check-root-ksk-both.conf new file mode 100644 index 0000000000..091c9afbef --- /dev/null +++ b/bin/tests/system/checkconf/check-root-ksk-both.conf @@ -0,0 +1,28 @@ +trusted-keys { + # This key (19036) is to be phased out starting in 2017. It will + # remain in the root zone for some time after its successor key + # has been added. It will remain this file until it is removed from + # the root zone. + . 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF + FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX + bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD + X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz + W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS + Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq + QxA+Uk1ihz0="; + + # This key (20326) was published in the root zone in 2017. + # Servers which were already using the old key (19036) should + # roll seamlessly to this new one via RFC 5011 rollover. Servers + # being set up for the first time can use the contents of this + # file as initializing keys; thereafter, the keys in the + # managed key database will be trusted and maintained + # automatically. + . 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 + +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv + ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF + 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e + oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd + RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN + R1AkUTV74bU="; +}; diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh index 245481c8ea..4f252a4668 100644 --- a/bin/tests/system/checkconf/tests.sh +++ b/bin/tests/system/checkconf/tests.sh @@ -362,5 +362,34 @@ $CHECKCONF good-dlv-dlv.example.com.conf > checkconf.out$n 2>/dev/null || ret=1 if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi status=`expr $status + $ret` +n=`expr $n + 1` +echo "I: check that the 2010 ICANN ROOT KSK without the 2017 ICANN ROOT KSK generates a warning ($n)" +ret=0 +$CHECKCONF check-root-ksk-2010.conf > checkconf.out$n 2>/dev/null || ret=1 +[ -s checkconf.out$n ] || ret=1 +if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi +status=`expr $status + $ret` + +echo "I: check that the 2010 ICANN ROOT KSK with the 2017 ICANN ROOT KSK does not warning ($n)" +ret=0 +$CHECKCONF check-root-ksk-both.conf > checkconf.out$n 2>/dev/null || ret=1 +[ -s checkconf.out$n ] && ret=1 +if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi +status=`expr $status + $ret` + +echo "I: check that the 2017 ICANN ROOT KSK alone does not warning ($n)" +ret=0 +$CHECKCONF check-root-ksk-2017.conf > checkconf.out$n 2>/dev/null || ret=1 +[ -s checkconf.out$n ] && ret=1 +if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi +status=`expr $status + $ret` + +echo "I: check that the dlv.isc.org KSK generates a warning ($n)" +ret=0 +$CHECKCONF good-dlv-dlv.example.com.conf > checkconf.out$n 2>/dev/null || ret=1 +[ -s checkconf.out$n ] || ret=1 +if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi +status=`expr $status + $ret` + echo "I:exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/lib/bind9/check.c b/lib/bind9/check.c index d7e410060e..b91c418a31 100644 --- a/lib/bind9/check.c +++ b/lib/bind9/check.c @@ -2908,9 +2908,13 @@ check_servers(const cfg_obj_t *config, const cfg_obj_t *voptions, return (result); } +#define ROOT_KSK_2010 0x1 +#define ROOT_KSK_2017 0x2 +#define DLV_KSK_KEY 0x4 + static isc_result_t check_trusted_key(const cfg_obj_t *key, isc_boolean_t managed, - isc_log_t *logctx) + unsigned int *keyflags, isc_log_t *logctx) { const char *keystr, *keynamestr; dns_fixedname_t fkeyname; @@ -2988,6 +2992,128 @@ check_trusted_key(const cfg_obj_t *key, isc_boolean_t managed, keynamestr); } + if (result == ISC_R_SUCCESS && dns_name_equal(keyname, dns_rootname)) { + static const unsigned char root_ksk_2010[] = { + 0x03, 0x01, 0x00, 0x01, 0xa8, 0x00, 0x20, 0xa9, + 0x55, 0x66, 0xba, 0x42, 0xe8, 0x86, 0xbb, 0x80, + 0x4c, 0xda, 0x84, 0xe4, 0x7e, 0xf5, 0x6d, 0xbd, + 0x7a, 0xec, 0x61, 0x26, 0x15, 0x55, 0x2c, 0xec, + 0x90, 0x6d, 0x21, 0x16, 0xd0, 0xef, 0x20, 0x70, + 0x28, 0xc5, 0x15, 0x54, 0x14, 0x4d, 0xfe, 0xaf, + 0xe7, 0xc7, 0xcb, 0x8f, 0x00, 0x5d, 0xd1, 0x82, + 0x34, 0x13, 0x3a, 0xc0, 0x71, 0x0a, 0x81, 0x18, + 0x2c, 0xe1, 0xfd, 0x14, 0xad, 0x22, 0x83, 0xbc, + 0x83, 0x43, 0x5f, 0x9d, 0xf2, 0xf6, 0x31, 0x32, + 0x51, 0x93, 0x1a, 0x17, 0x6d, 0xf0, 0xda, 0x51, + 0xe5, 0x4f, 0x42, 0xe6, 0x04, 0x86, 0x0d, 0xfb, + 0x35, 0x95, 0x80, 0x25, 0x0f, 0x55, 0x9c, 0xc5, + 0x43, 0xc4, 0xff, 0xd5, 0x1c, 0xbe, 0x3d, 0xe8, + 0xcf, 0xd0, 0x67, 0x19, 0x23, 0x7f, 0x9f, 0xc4, + 0x7e, 0xe7, 0x29, 0xda, 0x06, 0x83, 0x5f, 0xa4, + 0x52, 0xe8, 0x25, 0xe9, 0xa1, 0x8e, 0xbc, 0x2e, + 0xcb, 0xcf, 0x56, 0x34, 0x74, 0x65, 0x2c, 0x33, + 0xcf, 0x56, 0xa9, 0x03, 0x3b, 0xcd, 0xf5, 0xd9, + 0x73, 0x12, 0x17, 0x97, 0xec, 0x80, 0x89, 0x04, + 0x1b, 0x6e, 0x03, 0xa1, 0xb7, 0x2d, 0x0a, 0x73, + 0x5b, 0x98, 0x4e, 0x03, 0x68, 0x73, 0x09, 0x33, + 0x23, 0x24, 0xf2, 0x7c, 0x2d, 0xba, 0x85, 0xe9, + 0xdb, 0x15, 0xe8, 0x3a, 0x01, 0x43, 0x38, 0x2e, + 0x97, 0x4b, 0x06, 0x21, 0xc1, 0x8e, 0x62, 0x5e, + 0xce, 0xc9, 0x07, 0x57, 0x7d, 0x9e, 0x7b, 0xad, + 0xe9, 0x52, 0x41, 0xa8, 0x1e, 0xbb, 0xe8, 0xa9, + 0x01, 0xd4, 0xd3, 0x27, 0x6e, 0x40, 0xb1, 0x14, + 0xc0, 0xa2, 0xe6, 0xfc, 0x38, 0xd1, 0x9c, 0x2e, + 0x6a, 0xab, 0x02, 0x64, 0x4b, 0x28, 0x13, 0xf5, + 0x75, 0xfc, 0x21, 0x60, 0x1e, 0x0d, 0xee, 0x49, + 0xcd, 0x9e, 0xe9, 0x6a, 0x43, 0x10, 0x3e, 0x52, + 0x4d, 0x62, 0x87, 0x3d }; + static const unsigned char root_ksk_2017[] = { + 0x03, 0x01, 0x00, 0x01, 0xac, 0xff, 0xb4, 0x09, + 0xbc, 0xc9, 0x39, 0xf8, 0x31, 0xf7, 0xa1, 0xe5, + 0xec, 0x88, 0xf7, 0xa5, 0x92, 0x55, 0xec, 0x53, + 0x04, 0x0b, 0xe4, 0x32, 0x02, 0x73, 0x90, 0xa4, + 0xce, 0x89, 0x6d, 0x6f, 0x90, 0x86, 0xf3, 0xc5, + 0xe1, 0x77, 0xfb, 0xfe, 0x11, 0x81, 0x63, 0xaa, + 0xec, 0x7a, 0xf1, 0x46, 0x2c, 0x47, 0x94, 0x59, + 0x44, 0xc4, 0xe2, 0xc0, 0x26, 0xbe, 0x5e, 0x98, + 0xbb, 0xcd, 0xed, 0x25, 0x97, 0x82, 0x72, 0xe1, + 0xe3, 0xe0, 0x79, 0xc5, 0x09, 0x4d, 0x57, 0x3f, + 0x0e, 0x83, 0xc9, 0x2f, 0x02, 0xb3, 0x2d, 0x35, + 0x13, 0xb1, 0x55, 0x0b, 0x82, 0x69, 0x29, 0xc8, + 0x0d, 0xd0, 0xf9, 0x2c, 0xac, 0x96, 0x6d, 0x17, + 0x76, 0x9f, 0xd5, 0x86, 0x7b, 0x64, 0x7c, 0x3f, + 0x38, 0x02, 0x9a, 0xbd, 0xc4, 0x81, 0x52, 0xeb, + 0x8f, 0x20, 0x71, 0x59, 0xec, 0xc5, 0xd2, 0x32, + 0xc7, 0xc1, 0x53, 0x7c, 0x79, 0xf4, 0xb7, 0xac, + 0x28, 0xff, 0x11, 0x68, 0x2f, 0x21, 0x68, 0x1b, + 0xf6, 0xd6, 0xab, 0xa5, 0x55, 0x03, 0x2b, 0xf6, + 0xf9, 0xf0, 0x36, 0xbe, 0xb2, 0xaa, 0xa5, 0xb3, + 0x77, 0x8d, 0x6e, 0xeb, 0xfb, 0xa6, 0xbf, 0x9e, + 0xa1, 0x91, 0xbe, 0x4a, 0xb0, 0xca, 0xea, 0x75, + 0x9e, 0x2f, 0x77, 0x3a, 0x1f, 0x90, 0x29, 0xc7, + 0x3e, 0xcb, 0x8d, 0x57, 0x35, 0xb9, 0x32, 0x1d, + 0xb0, 0x85, 0xf1, 0xb8, 0xe2, 0xd8, 0x03, 0x8f, + 0xe2, 0x94, 0x19, 0x92, 0x54, 0x8c, 0xee, 0x0d, + 0x67, 0xdd, 0x45, 0x47, 0xe1, 0x1d, 0xd6, 0x3a, + 0xf9, 0xc9, 0xfc, 0x1c, 0x54, 0x66, 0xfb, 0x68, + 0x4c, 0xf0, 0x09, 0xd7, 0x19, 0x7c, 0x2c, 0xf7, + 0x9e, 0x79, 0x2a, 0xb5, 0x01, 0xe6, 0xa8, 0xa1, + 0xca, 0x51, 0x9a, 0xf2, 0xcb, 0x9b, 0x5f, 0x63, + 0x67, 0xe9, 0x4c, 0x0d, 0x47, 0x50, 0x24, 0x51, + 0x35, 0x7b, 0xe1, 0xb5 }; + if (flags == 257 && proto == 3 && alg == 8 && + isc_buffer_usedlength(&b) == sizeof(root_ksk_2010) && + !memcmp(keydata, root_ksk_2010, sizeof(root_ksk_2010))) { + *keyflags |= ROOT_KSK_2010; + } + if (flags == 257 && proto == 3 && alg == 8 && + isc_buffer_usedlength(&b) == sizeof(root_ksk_2017) && + !memcmp(keydata, root_ksk_2017, sizeof(root_ksk_2017))) { + *keyflags |= ROOT_KSK_2017; + } + } + if (result == ISC_R_SUCCESS && dns_name_equal(keyname, &dlviscorg)) { + static const unsigned char dlviscorgkey[] = { + 0x04, 0x40, 0x00, 0x00, 0x03, 0xc7, 0x32, 0xef, + 0xf9, 0xa2, 0x7c, 0xeb, 0x10, 0x4e, 0xf3, 0xd5, + 0xe8, 0x26, 0x86, 0x0f, 0xd6, 0x3c, 0xed, 0x3e, + 0x8e, 0xea, 0x19, 0xad, 0x6d, 0xde, 0xb9, 0x61, + 0x27, 0xe0, 0xcc, 0x43, 0x08, 0x4d, 0x7e, 0x94, + 0xbc, 0xb6, 0x6e, 0xb8, 0x50, 0xbf, 0x9a, 0xcd, + 0xdf, 0x64, 0x4a, 0xb4, 0xcc, 0xd7, 0xe8, 0xc8, + 0xfb, 0xd2, 0x37, 0x73, 0x78, 0xd0, 0xf8, 0x5e, + 0x49, 0xd6, 0xe7, 0xc7, 0x67, 0x24, 0xd3, 0xc2, + 0xc6, 0x7f, 0x3e, 0x8c, 0x01, 0xa5, 0xd8, 0x56, + 0x4b, 0x2b, 0xcb, 0x7e, 0xd6, 0xea, 0xb8, 0x5b, + 0xe9, 0xe7, 0x03, 0x7a, 0x8e, 0xdb, 0xe0, 0xcb, + 0xfa, 0x4e, 0x81, 0x0f, 0x89, 0x9e, 0xc0, 0xc2, + 0xdb, 0x21, 0x81, 0x70, 0x7b, 0x43, 0xc6, 0xef, + 0x74, 0xde, 0xf5, 0xf6, 0x76, 0x90, 0x96, 0xf9, + 0xe9, 0xd8, 0x60, 0x31, 0xd7, 0xb9, 0xca, 0x65, + 0xf8, 0x04, 0x8f, 0xe8, 0x43, 0xe7, 0x00, 0x2b, + 0x9d, 0x3f, 0xc6, 0xf2, 0x6f, 0xd3, 0x41, 0x6b, + 0x7f, 0xc9, 0x30, 0xea, 0xe7, 0x0c, 0x4f, 0x01, + 0x65, 0x80, 0xf7, 0xbe, 0x8e, 0x71, 0xb1, 0x3c, + 0xf1, 0x26, 0x1c, 0x0b, 0x5e, 0xfd, 0x44, 0x64, + 0x63, 0xad, 0x99, 0x7e, 0x42, 0xe8, 0x04, 0x00, + 0x03, 0x2c, 0x74, 0x3d, 0x22, 0xb4, 0xb6, 0xb6, + 0xbc, 0x80, 0x7b, 0xb9, 0x9b, 0x05, 0x95, 0x5c, + 0x3b, 0x02, 0x1e, 0x53, 0xf4, 0x70, 0xfe, 0x64, + 0x71, 0xfe, 0xfc, 0x30, 0x30, 0x24, 0xe0, 0x35, + 0xba, 0x0c, 0x40, 0xab, 0x54, 0x76, 0xf3, 0x57, + 0x0e, 0xb6, 0x09, 0x0d, 0x21, 0xd9, 0xc2, 0xcd, + 0xf1, 0x89, 0x15, 0xc5, 0xd5, 0x17, 0xfe, 0x6a, + 0x5f, 0x54, 0x99, 0x97, 0xd2, 0x6a, 0xff, 0xf8, + 0x35, 0x62, 0xca, 0x8c, 0x7c, 0xe9, 0x4f, 0x9f, + 0x64, 0xfd, 0x54, 0xad, 0x4c, 0x33, 0x74, 0x61, + 0x4b, 0x96, 0xac, 0x13, 0x61 }; + if (flags == 257 && proto == 3 && alg == 5 && + isc_buffer_usedlength(&b) == sizeof(dlviscorgkey) && + !memcmp(keydata, dlviscorgkey, sizeof(dlviscorgkey))) { + *keyflags |= DLV_KSK_KEY; + } + } + return (result); } @@ -3077,6 +3203,7 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions, const cfg_obj_t *opts = NULL; isc_boolean_t enablednssec, enablevalidation; const char *valstr = "no"; + unsigned int tflags, mflags; /* * Get global options block @@ -3260,6 +3387,7 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions, if (keys == NULL) (void)cfg_map_get(config, "trusted-keys", &keys); + tflags = 0; for (element = cfg_list_first(keys); element != NULL; element = cfg_list_next(element)) @@ -3269,18 +3397,32 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions, element2 != NULL; element2 = cfg_list_next(element2)) { obj = cfg_listelt_value(element2); - tresult = check_trusted_key(obj, ISC_FALSE, logctx); + tresult = check_trusted_key(obj, ISC_FALSE, &tflags, + logctx); if (tresult != ISC_R_SUCCESS) result = tresult; } } + if ((tflags & ROOT_KSK_2010) != 0 && (tflags & ROOT_KSK_2017) == 0) { + cfg_obj_log(keys, logctx, ISC_LOG_WARNING, + "trusted-key for root from 2010 without updated " + "trusted-key from 2017"); + } + + if ((tflags & DLV_KSK_KEY) != 0) { + cfg_obj_log(keys, logctx, ISC_LOG_WARNING, + "trusted-key for dlv.isc.org still present; " + "dlv.isc.org has been shut down"); + } + keys = NULL; if (voptions != NULL) (void)cfg_map_get(voptions, "managed-keys", &keys); if (keys == NULL) (void)cfg_map_get(config, "managed-keys", &keys); + mflags = 0; for (element = cfg_list_first(keys); element != NULL; element = cfg_list_next(element)) @@ -3290,12 +3432,33 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions, element2 != NULL; element2 = cfg_list_next(element2)) { obj = cfg_listelt_value(element2); - tresult = check_trusted_key(obj, ISC_TRUE, logctx); + tresult = check_trusted_key(obj, ISC_TRUE, &mflags, + logctx); if (tresult != ISC_R_SUCCESS) result = tresult; } } + if ((mflags & ROOT_KSK_2010) != 0 && (mflags & ROOT_KSK_2017) == 0) { + cfg_obj_log(keys, logctx, ISC_LOG_WARNING, + "managed-key for root from 2010 without updated " + "managed-key from 2017"); + } + + if ((mflags & DLV_KSK_KEY) != 0) { + cfg_obj_log(keys, logctx, ISC_LOG_WARNING, + "managed-key for dlv.isc.org still present; " + "dlv.isc.org has been shut down"); + } + + if ((tflags & (ROOT_KSK_2010|ROOT_KSK_2017)) != 0 && + (mflags & (ROOT_KSK_2010|ROOT_KSK_2017)) != 0) + { + cfg_obj_log(keys, logctx, ISC_LOG_WARNING, + "both trusted-keys and managed-keys for the ICANN " + "root are present"); + } + /* * Check options. */