auth: error on DNSSEC default misconfiguration

This commit ensures `pdns_server` does not start when there is a
misconfiguration in default-[kz]sk-algorithm:

 * Either is set to an unknown algorithm
 * When using RSA, key size is unset
 * zsk is set but ksk is not
 * zsk is not set to the same as the ksk

diff --git a/pdns/common_startup.cc b/pdns/common_startup.cc
index b0999fa3b60fccd363e70f9456a52391ade4521a..1dd7c0956fcf27e52dcd5be40098af9cf9be174a 100644 (file)
--- a/pdns/common_startup.cc
+++ b/pdns/common_startup.cc
@@ -558,16 +558,32 @@ void mainthread()
   catch(...) {}
 
   // Some sanity checking on default key settings
+  bool hadKeyError = false;
   for (const string& algotype : {"ksk", "zsk"}) {
     int algo, size;
     if (::arg()["default-"+algotype+"-algorithm"].empty())
       continue;
     algo = DNSSECKeeper::shorthand2algorithm(::arg()["default-"+algotype+"-algorithm"]);
     size = ::arg().asNum("default-"+algotype+"-size");
-    if (algo == -1)
-      g_log<<Logger::Warning<<"Warning: default-"<<algotype<<"-algorithm set to unknown algorithm: "<<::arg()["default-"+algotype+"-algorithm"]<<endl;
-    else if (algo <= 10 && size == 0)
-      g_log<<Logger::Warning<<"Warning: default-"<<algotype<<"-algorithm is set to an algorithm ("<<::arg()["default-"+algotype+"-algorithm"]<<") that requires a non-zero default-"<<algotype<<"-size!"<<endl;
+    if (algo == -1) {
+      g_log<<Logger::Error<<"Error: default-"<<algotype<<"-algorithm set to unknown algorithm: "<<::arg()["default-"+algotype+"-algorithm"]<<endl;
+      hadKeyError = true;
+    }
+    else if (algo <= 10 && size == 0) {
+      g_log<<Logger::Error<<"Error: default-"<<algotype<<"-algorithm is set to an algorithm ("<<::arg()["default-"+algotype+"-algorithm"]<<") that requires a non-zero default-"<<algotype<<"-size!"<<endl;
+      hadKeyError = true;
+    }
+  }
+  if (hadKeyError) {
+    exit(1);
+  }
+  if (::arg()["default-ksk-algorithm"].empty() && !::arg()["default-zsk-algorithm"].empty()) {
+    g_log<<Logger::Error<<"Error: default-zsk-algorithm is set, but default-ksk-algorithm is not set."<<endl;
+    exit(1);
+  }
+  if (!::arg()["default-zsk-algorithm"].empty() && ::arg()["default-zsk-algorithm"] != ::arg()["default-ksk-algorithm"]) {
+    g_log<<Logger::Error<<"Error: default-zsk-algorithm ("<<::arg()["default-zsk-algorithm"]<<"), when set, can not be different from default-ksk-algorithm ("<<::arg()["default-ksk-algorithm"]<<")."<<endl;
+    exit(1);
   }
 
   // NOW SAFE TO CREATE THREADS!