From: Pieter Lexis Date: Mon, 18 Sep 2017 08:14:28 +0000 (+0200) Subject: auth: Warn on startup if default key size is req'd X-Git-Tag: rec-4.1.0-rc1~32^2~2 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=82ee5aa5c5b77213924a917eb7d97126aa083300;p=pdns auth: Warn on startup if default key size is req'd --- diff --git a/pdns/common_startup.cc b/pdns/common_startup.cc index ef6689adb..336426a86 100644 --- a/pdns/common_startup.cc +++ b/pdns/common_startup.cc @@ -28,6 +28,7 @@ #include #include #include "dynhandler.hh" +#include "dnsseckeeper.hh" #ifdef HAVE_SYSTEMD #include @@ -524,6 +525,17 @@ void mainthread() } catch(...) {} + // Some sanity checking on default key settings + for (const string& algotype : {"ksk", "zsk"}) { + int algo, size; + algo = DNSSECKeeper::shorthand2algorithm(::arg()["default-"+algotype+"-algorithm"]); + size = ::arg().asNum("default-"+algotype+"-size"); + if (algo == -1) + L<go(); diff --git a/pdns/common_startup.hh b/pdns/common_startup.hh index 25e98a493..a46e2ba1f 100644 --- a/pdns/common_startup.hh +++ b/pdns/common_startup.hh @@ -34,6 +34,7 @@ #include "nameserver.hh" #include "statbag.hh" #include "tcpreceiver.hh" +#include "dnsseckeeper.hh" extern ArgvMap theArg; extern StatBag S; //!< Statistics are gathered across PDNS via the StatBag class S
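Review bot: In the loop added to `mainthread()`, `int algo, size;` is declared uninitialised and only assigned on the following two lines; initialising at the declaration keeps both values const and never indeterminate: `const int algo = DNSSECKeeper::shorthand2algorithm(::arg()["default-"+algotype+"-algorithm"]);` and `const int size = ::arg().asNum("default-"+algotype+"-size");`. The loop sits after the `catch(...) {}` rather than inside a try block, so if `asNum` throws on a non-numeric value (it appears to in this code base), startup fails with an exception instead of the log message the commit title describes. The rest of the added block after `if (algo == -1)` is not legible on this page, so it cannot be confirmed whether `size` is also checked against a lower bound. A default RSA size that is set but too small would produce weak zone keys with no startup warning, so a minimum-size warning belongs in this same check. `mainthread()` starts and ends outside the hunk.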
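Review bot: `#include "dnsseckeeper.hh"` is added to `common_startup.hh`, but the only use of `DNSSECKeeper` this commit introduces is in `common_startup.cc`, which receives the same include in its own hunk. None of the header lines visible here refer to a DNSSECKeeper type, so the header include looks unnecessary and widens what every includer of `common_startup.hh` pulls in. Keeping only the `.cc` include should be enough, assuming no declaration further down the header needs it.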