4889. [func] Warn about the use of old root keys without the new

root key being present.  Warn about dlv.isc.org's
                        key being present. Warn about both managed and
                        trusted root keys being present. [RT #43670]

CHANGES

@@ -1,3 +1,8 @@
+4889.	[func]		Warn about the use of old root keys without the new
+			root key being present.  Warn about dlv.isc.org's
+			key being present. Warn about both managed and
+			trusted root keys being present. [RT #43670]
+
 4888.	[test]		Initialize sockets correctly in sample-update so
 			that the nsupdate system test will run on Windows.
 			[RT #47097]

bin/named/server.c

@@ -7820,8 +7820,8 @@ load_configuration(const char *filename, named_server_t *server,
 	if (access(server->bindkeysfile, R_OK) == 0) {
 		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
 			      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
-			      "reading built-in trusted "
-			      "keys from file '%s'", server->bindkeysfile);
+			      "reading built-in trust anchors "
+			      "from file '%s'", server->bindkeysfile);
 
 		CHECK(cfg_parser_create(named_g_mctx, named_g_lctx,
 					&bindkeys_parser));
@@ -7832,8 +7832,8 @@ load_configuration(const char *filename, named_server_t *server,
 	} else {
 		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
 			      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
-			      "unable to open '%s' using built-in keys",
-			      server->bindkeysfile);
+			      "unable to open '%s'; using built-in keys "
+			      "instead", server->bindkeysfile);
 	}
 
 	/* Ensure exclusive access to configuration data. */

bin/tests/system/checkconf/check-dlv-ksk-key.conf

@@ -0,0 +1,9 @@
+trusted-keys {
+	dlv.isc.org 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWE
+	        n4MxDCE1+lLy2brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8
+		+jAGl2FZLK8t+1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ
+		2kJb56dhgMde5ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnG
+		xPPEmHAte/URkY62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mR
+		x/vwwMCTgNboMQKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWL
+		KjHzpT59k/VStTDN0YUuWrBNh";
+};

bin/tests/system/checkconf/check-root-ksk-2010.conf

@@ -0,0 +1,13 @@
+trusted-keys {
+        # This key (19036) is to be phased out starting in 2017. It will
+        # remain in the root zone for some time after its successor key
+        # has been added. It will remain this file until it is removed from
+        # the root zone.
+        . 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
+                FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
+                bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
+                X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
+                W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
+                Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
+                QxA+Uk1ihz0=";
+};

bin/tests/system/checkconf/check-root-ksk-2017.conf

@@ -0,0 +1,16 @@
+trusted-keys {
+        # This key (20326) was published in the root zone in 2017.
+        # Servers which were already using the old key (19036) should
+        # roll seamlessly to this new one via RFC 5011 rollover. Servers
+        # being set up for the first time can use the contents of this
+        # file as initializing keys; thereafter, the keys in the
+        # managed key database will be trusted and maintained
+        # automatically.
+        . 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+                +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
+                ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
+                0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
+                oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
+                RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
+                R1AkUTV74bU=";
+};

bin/tests/system/checkconf/check-root-ksk-both.conf

@@ -0,0 +1,28 @@
+trusted-keys {
+        # This key (19036) is to be phased out starting in 2017. It will
+        # remain in the root zone for some time after its successor key
+        # has been added. It will remain this file until it is removed from
+        # the root zone.
+        . 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
+                FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
+                bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
+                X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
+                W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
+                Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
+                QxA+Uk1ihz0=";
+
+        # This key (20326) was published in the root zone in 2017.
+        # Servers which were already using the old key (19036) should
+        # roll seamlessly to this new one via RFC 5011 rollover. Servers
+        # being set up for the first time can use the contents of this
+        # file as initializing keys; thereafter, the keys in the
+        # managed key database will be trusted and maintained
+        # automatically.
+        . 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+                +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
+                ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
+                0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
+                oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
+                RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
+                R1AkUTV74bU=";
+};

bin/tests/system/checkconf/tests.sh

@@ -362,5 +362,34 @@ $CHECKCONF good-dlv-dlv.example.com.conf > checkconf.out$n 2>/dev/null || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi
 status=`expr $status + $ret`
 
+n=`expr $n + 1`
+echo "I: check that the 2010 ICANN ROOT KSK without the 2017 ICANN ROOT KSK generates a warning ($n)"
+ret=0
+$CHECKCONF check-root-ksk-2010.conf > checkconf.out$n 2>/dev/null || ret=1
+[ -s checkconf.out$n ] || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi
+status=`expr $status + $ret`
+
+echo "I: check that the 2010 ICANN ROOT KSK with the 2017 ICANN ROOT KSK does not warning ($n)"
+ret=0
+$CHECKCONF check-root-ksk-both.conf > checkconf.out$n 2>/dev/null || ret=1
+[ -s checkconf.out$n ] && ret=1
+if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi
+status=`expr $status + $ret`
+
+echo "I: check that the 2017 ICANN ROOT KSK alone does not warning ($n)"
+ret=0
+$CHECKCONF check-root-ksk-2017.conf > checkconf.out$n 2>/dev/null || ret=1
+[ -s checkconf.out$n ] && ret=1
+if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi
+status=`expr $status + $ret`
+
+echo "I: check that the dlv.isc.org KSK generates a warning ($n)"
+ret=0
+$CHECKCONF good-dlv-dlv.example.com.conf > checkconf.out$n 2>/dev/null || ret=1
+[ -s checkconf.out$n ] || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; ret=1; fi
+status=`expr $status + $ret`
+
 echo "I:exit status: $status"
 [ $status -eq 0 ] || exit 1

lib/bind9/check.c

@@ -2908,9 +2908,13 @@ check_servers(const cfg_obj_t *config, const cfg_obj_t *voptions,
 	return (result);
 }
 
+#define ROOT_KSK_2010	0x1
+#define ROOT_KSK_2017	0x2
+#define DLV_KSK_KEY	0x4
+
 static isc_result_t
 check_trusted_key(const cfg_obj_t *key, isc_boolean_t managed,
-		  isc_log_t *logctx)
+		  unsigned int *keyflags, isc_log_t *logctx)
 {
 	const char *keystr, *keynamestr;
 	dns_fixedname_t fkeyname;
@@ -2988,6 +2992,128 @@ check_trusted_key(const cfg_obj_t *key, isc_boolean_t managed,
 				    keynamestr);
 	}
 
+	if (result == ISC_R_SUCCESS && dns_name_equal(keyname, dns_rootname)) {
+		static const unsigned char root_ksk_2010[] = {
+			0x03, 0x01, 0x00, 0x01, 0xa8, 0x00, 0x20, 0xa9,
+			0x55, 0x66, 0xba, 0x42, 0xe8, 0x86, 0xbb, 0x80,
+			0x4c, 0xda, 0x84, 0xe4, 0x7e, 0xf5, 0x6d, 0xbd,
+			0x7a, 0xec, 0x61, 0x26, 0x15, 0x55, 0x2c, 0xec,
+			0x90, 0x6d, 0x21, 0x16, 0xd0, 0xef, 0x20, 0x70,
+			0x28, 0xc5, 0x15, 0x54, 0x14, 0x4d, 0xfe, 0xaf,
+			0xe7, 0xc7, 0xcb, 0x8f, 0x00, 0x5d, 0xd1, 0x82,
+			0x34, 0x13, 0x3a, 0xc0, 0x71, 0x0a, 0x81, 0x18,
+			0x2c, 0xe1, 0xfd, 0x14, 0xad, 0x22, 0x83, 0xbc,
+			0x83, 0x43, 0x5f, 0x9d, 0xf2, 0xf6, 0x31, 0x32,
+			0x51, 0x93, 0x1a, 0x17, 0x6d, 0xf0, 0xda, 0x51,
+			0xe5, 0x4f, 0x42, 0xe6, 0x04, 0x86, 0x0d, 0xfb,
+			0x35, 0x95, 0x80, 0x25, 0x0f, 0x55, 0x9c, 0xc5,
+			0x43, 0xc4, 0xff, 0xd5, 0x1c, 0xbe, 0x3d, 0xe8,
+			0xcf, 0xd0, 0x67, 0x19, 0x23, 0x7f, 0x9f, 0xc4,
+			0x7e, 0xe7, 0x29, 0xda, 0x06, 0x83, 0x5f, 0xa4,
+			0x52, 0xe8, 0x25, 0xe9, 0xa1, 0x8e, 0xbc, 0x2e,
+			0xcb, 0xcf, 0x56, 0x34, 0x74, 0x65, 0x2c, 0x33,
+			0xcf, 0x56, 0xa9, 0x03, 0x3b, 0xcd, 0xf5, 0xd9,
+			0x73, 0x12, 0x17, 0x97, 0xec, 0x80, 0x89, 0x04,
+			0x1b, 0x6e, 0x03, 0xa1, 0xb7, 0x2d, 0x0a, 0x73,
+			0x5b, 0x98, 0x4e, 0x03, 0x68, 0x73, 0x09, 0x33,
+			0x23, 0x24, 0xf2, 0x7c, 0x2d, 0xba, 0x85, 0xe9,
+			0xdb, 0x15, 0xe8, 0x3a, 0x01, 0x43, 0x38, 0x2e,
+			0x97, 0x4b, 0x06, 0x21, 0xc1, 0x8e, 0x62, 0x5e,
+			0xce, 0xc9, 0x07, 0x57, 0x7d, 0x9e, 0x7b, 0xad,
+			0xe9, 0x52, 0x41, 0xa8, 0x1e, 0xbb, 0xe8, 0xa9,
+			0x01, 0xd4, 0xd3, 0x27, 0x6e, 0x40, 0xb1, 0x14,
+			0xc0, 0xa2, 0xe6, 0xfc, 0x38, 0xd1, 0x9c, 0x2e,
+			0x6a, 0xab, 0x02, 0x64, 0x4b, 0x28, 0x13, 0xf5,
+			0x75, 0xfc, 0x21, 0x60, 0x1e, 0x0d, 0xee, 0x49,
+			0xcd, 0x9e, 0xe9, 0x6a, 0x43, 0x10, 0x3e, 0x52,
+			0x4d, 0x62, 0x87, 0x3d };
+		static const unsigned char root_ksk_2017[] = {
+			0x03, 0x01, 0x00, 0x01, 0xac, 0xff, 0xb4, 0x09,
+			0xbc, 0xc9, 0x39, 0xf8, 0x31, 0xf7, 0xa1, 0xe5,
+			0xec, 0x88, 0xf7, 0xa5, 0x92, 0x55, 0xec, 0x53,
+			0x04, 0x0b, 0xe4, 0x32, 0x02, 0x73, 0x90, 0xa4,
+			0xce, 0x89, 0x6d, 0x6f, 0x90, 0x86, 0xf3, 0xc5,
+			0xe1, 0x77, 0xfb, 0xfe, 0x11, 0x81, 0x63, 0xaa,
+			0xec, 0x7a, 0xf1, 0x46, 0x2c, 0x47, 0x94, 0x59,
+			0x44, 0xc4, 0xe2, 0xc0, 0x26, 0xbe, 0x5e, 0x98,
+			0xbb, 0xcd, 0xed, 0x25, 0x97, 0x82, 0x72, 0xe1,
+			0xe3, 0xe0, 0x79, 0xc5, 0x09, 0x4d, 0x57, 0x3f,
+			0x0e, 0x83, 0xc9, 0x2f, 0x02, 0xb3, 0x2d, 0x35,
+			0x13, 0xb1, 0x55, 0x0b, 0x82, 0x69, 0x29, 0xc8,
+			0x0d, 0xd0, 0xf9, 0x2c, 0xac, 0x96, 0x6d, 0x17,
+			0x76, 0x9f, 0xd5, 0x86, 0x7b, 0x64, 0x7c, 0x3f,
+			0x38, 0x02, 0x9a, 0xbd, 0xc4, 0x81, 0x52, 0xeb,
+			0x8f, 0x20, 0x71, 0x59, 0xec, 0xc5, 0xd2, 0x32,
+			0xc7, 0xc1, 0x53, 0x7c, 0x79, 0xf4, 0xb7, 0xac,
+			0x28, 0xff, 0x11, 0x68, 0x2f, 0x21, 0x68, 0x1b,
+			0xf6, 0xd6, 0xab, 0xa5, 0x55, 0x03, 0x2b, 0xf6,
+			0xf9, 0xf0, 0x36, 0xbe, 0xb2, 0xaa, 0xa5, 0xb3,
+			0x77, 0x8d, 0x6e, 0xeb, 0xfb, 0xa6, 0xbf, 0x9e,
+			0xa1, 0x91, 0xbe, 0x4a, 0xb0, 0xca, 0xea, 0x75,
+			0x9e, 0x2f, 0x77, 0x3a, 0x1f, 0x90, 0x29, 0xc7,
+			0x3e, 0xcb, 0x8d, 0x57, 0x35, 0xb9, 0x32, 0x1d,
+			0xb0, 0x85, 0xf1, 0xb8, 0xe2, 0xd8, 0x03, 0x8f,
+			0xe2, 0x94, 0x19, 0x92, 0x54, 0x8c, 0xee, 0x0d,
+			0x67, 0xdd, 0x45, 0x47, 0xe1, 0x1d, 0xd6, 0x3a,
+			0xf9, 0xc9, 0xfc, 0x1c, 0x54, 0x66, 0xfb, 0x68,
+			0x4c, 0xf0, 0x09, 0xd7, 0x19, 0x7c, 0x2c, 0xf7,
+			0x9e, 0x79, 0x2a, 0xb5, 0x01, 0xe6, 0xa8, 0xa1,
+			0xca, 0x51, 0x9a, 0xf2, 0xcb, 0x9b, 0x5f, 0x63,
+			0x67, 0xe9, 0x4c, 0x0d, 0x47, 0x50, 0x24, 0x51,
+			0x35, 0x7b, 0xe1, 0xb5 };
+		if (flags == 257 && proto == 3 && alg == 8 &&
+		    isc_buffer_usedlength(&b) == sizeof(root_ksk_2010) &&
+		    !memcmp(keydata, root_ksk_2010, sizeof(root_ksk_2010))) {
+			*keyflags |= ROOT_KSK_2010;
+		}
+		if (flags == 257 && proto == 3 && alg == 8 &&
+		    isc_buffer_usedlength(&b) == sizeof(root_ksk_2017) &&
+		    !memcmp(keydata, root_ksk_2017, sizeof(root_ksk_2017))) {
+			*keyflags |= ROOT_KSK_2017;
+		}
+	}
+	if (result == ISC_R_SUCCESS && dns_name_equal(keyname, &dlviscorg)) {
+		static const unsigned char dlviscorgkey[] = {
+			0x04, 0x40, 0x00, 0x00, 0x03, 0xc7, 0x32, 0xef,
+			0xf9, 0xa2, 0x7c, 0xeb, 0x10, 0x4e, 0xf3, 0xd5,
+			0xe8, 0x26, 0x86, 0x0f, 0xd6, 0x3c, 0xed, 0x3e,
+			0x8e, 0xea, 0x19, 0xad, 0x6d, 0xde, 0xb9, 0x61,
+			0x27, 0xe0, 0xcc, 0x43, 0x08, 0x4d, 0x7e, 0x94,
+			0xbc, 0xb6, 0x6e, 0xb8, 0x50, 0xbf, 0x9a, 0xcd,
+			0xdf, 0x64, 0x4a, 0xb4, 0xcc, 0xd7, 0xe8, 0xc8,
+			0xfb, 0xd2, 0x37, 0x73, 0x78, 0xd0, 0xf8, 0x5e,
+			0x49, 0xd6, 0xe7, 0xc7, 0x67, 0x24, 0xd3, 0xc2,
+			0xc6, 0x7f, 0x3e, 0x8c, 0x01, 0xa5, 0xd8, 0x56,
+			0x4b, 0x2b, 0xcb, 0x7e, 0xd6, 0xea, 0xb8, 0x5b,
+			0xe9, 0xe7, 0x03, 0x7a, 0x8e, 0xdb, 0xe0, 0xcb,
+			0xfa, 0x4e, 0x81, 0x0f, 0x89, 0x9e, 0xc0, 0xc2,
+			0xdb, 0x21, 0x81, 0x70, 0x7b, 0x43, 0xc6, 0xef,
+			0x74, 0xde, 0xf5, 0xf6, 0x76, 0x90, 0x96, 0xf9,
+			0xe9, 0xd8, 0x60, 0x31, 0xd7, 0xb9, 0xca, 0x65,
+			0xf8, 0x04, 0x8f, 0xe8, 0x43, 0xe7, 0x00, 0x2b,
+			0x9d, 0x3f, 0xc6, 0xf2, 0x6f, 0xd3, 0x41, 0x6b,
+			0x7f, 0xc9, 0x30, 0xea, 0xe7, 0x0c, 0x4f, 0x01,
+			0x65, 0x80, 0xf7, 0xbe, 0x8e, 0x71, 0xb1, 0x3c,
+			0xf1, 0x26, 0x1c, 0x0b, 0x5e, 0xfd, 0x44, 0x64,
+			0x63, 0xad, 0x99, 0x7e, 0x42, 0xe8, 0x04, 0x00,
+			0x03, 0x2c, 0x74, 0x3d, 0x22, 0xb4, 0xb6, 0xb6,
+			0xbc, 0x80, 0x7b, 0xb9, 0x9b, 0x05, 0x95, 0x5c,
+			0x3b, 0x02, 0x1e, 0x53, 0xf4, 0x70, 0xfe, 0x64,
+			0x71, 0xfe, 0xfc, 0x30, 0x30, 0x24, 0xe0, 0x35,
+			0xba, 0x0c, 0x40, 0xab, 0x54, 0x76, 0xf3, 0x57,
+			0x0e, 0xb6, 0x09, 0x0d, 0x21, 0xd9, 0xc2, 0xcd,
+			0xf1, 0x89, 0x15, 0xc5, 0xd5, 0x17, 0xfe, 0x6a,
+			0x5f, 0x54, 0x99, 0x97, 0xd2, 0x6a, 0xff, 0xf8,
+			0x35, 0x62, 0xca, 0x8c, 0x7c, 0xe9, 0x4f, 0x9f,
+			0x64, 0xfd, 0x54, 0xad, 0x4c, 0x33, 0x74, 0x61,
+			0x4b, 0x96, 0xac, 0x13, 0x61 };
+		if (flags == 257 && proto == 3 && alg == 5 &&
+		    isc_buffer_usedlength(&b) == sizeof(dlviscorgkey) &&
+		    !memcmp(keydata, dlviscorgkey, sizeof(dlviscorgkey))) {
+			*keyflags |= DLV_KSK_KEY;
+		}
+	}
+
 	return (result);
 }
 
@@ -3077,6 +3203,7 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
 	const cfg_obj_t *opts = NULL;
 	isc_boolean_t enablednssec, enablevalidation;
 	const char *valstr = "no";
+	unsigned int tflags, mflags;
 
 	/*
 	 * Get global options block
@@ -3260,6 +3387,7 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
 	if (keys == NULL)
 		(void)cfg_map_get(config, "trusted-keys", &keys);
 
+	tflags = 0;
 	for (element = cfg_list_first(keys);
 	     element != NULL;
 	     element = cfg_list_next(element))
@@ -3269,18 +3397,32 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
 		     element2 != NULL;
 		     element2 = cfg_list_next(element2)) {
 			obj = cfg_listelt_value(element2);
-			tresult = check_trusted_key(obj, ISC_FALSE, logctx);
+			tresult = check_trusted_key(obj, ISC_FALSE, &tflags,
+						    logctx);
 			if (tresult != ISC_R_SUCCESS)
 				result = tresult;
 		}
 	}
 
+	if ((tflags & ROOT_KSK_2010) != 0 && (tflags & ROOT_KSK_2017) == 0) {
+		cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
+			    "trusted-key for root from 2010 without updated "
+			    "trusted-key from 2017");
+	}
+
+	if ((tflags & DLV_KSK_KEY) != 0) {
+		cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
+			    "trusted-key for dlv.isc.org still present; "
+			    "dlv.isc.org has been shut down");
+	}
+
 	keys = NULL;
 	if (voptions != NULL)
 		(void)cfg_map_get(voptions, "managed-keys", &keys);
 	if (keys == NULL)
 		(void)cfg_map_get(config, "managed-keys", &keys);
 
+	mflags = 0;
 	for (element = cfg_list_first(keys);
 	     element != NULL;
 	     element = cfg_list_next(element))
@@ -3290,12 +3432,33 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
 		     element2 != NULL;
 		     element2 = cfg_list_next(element2)) {
 			obj = cfg_listelt_value(element2);
-			tresult = check_trusted_key(obj, ISC_TRUE, logctx);
+			tresult = check_trusted_key(obj, ISC_TRUE, &mflags,
+						    logctx);
 			if (tresult != ISC_R_SUCCESS)
 				result = tresult;
 		}
 	}
 
+	if ((mflags & ROOT_KSK_2010) != 0 && (mflags & ROOT_KSK_2017) == 0) {
+		cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
+			    "managed-key for root from 2010 without updated "
+			    "managed-key from 2017");
+	}
+
+	if ((mflags & DLV_KSK_KEY) != 0) {
+		cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
+			    "managed-key for dlv.isc.org still present; "
+			    "dlv.isc.org has been shut down");
+	}
+
+	if ((tflags & (ROOT_KSK_2010|ROOT_KSK_2017)) != 0 &&
+	    (mflags & (ROOT_KSK_2010|ROOT_KSK_2017)) != 0)
+	{
+		cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
+			    "both trusted-keys and managed-keys for the ICANN "
+			    "root are present");
+	}
+
 	/*
 	 * Check options.
 	 */