Detect insane dnssec-policies
named-checkconf should warn if a crazy policy is configured. This is a twofold piece of work:
- Determine what counts as a crazy policy (multiple keys with the same role and algorithm, a very short key lifetime, ...).
- Implement the checks:

Keys:
- Error if there is no KSK. Error if there is no ZSK. There should always be a set of keys such that at least one key has the KSK role and one has the ZSK role. This may be the same key (CSK). #3142 (closed)
- Warn if multiple keys with the same role and algorithm are configured.
- Warn if key lifetimes are less than one month (30 days).

Signature timings:
- Error if the signature refresh is larger than the signature validity.

Rollover timings:
- Error if the lifetime of a key is shorter than the rollover process duration.
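As an added illustration of the checks listed above (not BIND's named-checkconf code), the following runs the same rules over a minimal in-memory model of a dnssec-policy; the `Key`, `Policy` and `check_policy` names and the `rollover_duration` input (assumed to be computed elsewhere from the policy timings) are assumptions of this example:

```python
# Added example: the dnssec-policy sanity checks from the issue, over a toy model.
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

DAY = 86400
MONTH = 30 * DAY  # "one month" as defined in the issue


@dataclass
class Key:
    roles: Set[str]          # subset of {"ksk", "zsk"}; a CSK carries both roles
    algorithm: str           # e.g. "ecdsap256sha256" (hypothetical value)
    lifetime: Optional[int]  # seconds; None means the key never rolls


@dataclass
class Policy:
    keys: List[Key]
    sig_validity: int       # seconds
    sig_refresh: int        # seconds
    rollover_duration: int  # seconds; assumed to be supplied by the caller


def check_policy(p: Policy) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings) for one policy, mirroring the issue's rules."""
    errors, warnings = [], []
    # Keys: at least one KSK role and one ZSK role must be present (a CSK satisfies both).
    if not any("ksk" in k.roles for k in p.keys):
        errors.append("no key with the KSK role")
    if not any("zsk" in k.roles for k in p.keys):
        errors.append("no key with the ZSK role")
    seen = set()
    for k in p.keys:
        for role in k.roles:
            if (role, k.algorithm) in seen:
                warnings.append(f"multiple {role.upper()} keys use algorithm {k.algorithm}")
            seen.add((role, k.algorithm))
        if k.lifetime is not None and k.lifetime < MONTH:
            warnings.append(f"{k.algorithm} key lifetime {k.lifetime}s is shorter than 30 days")
        # Rollover timings: a key must live long enough to complete its own rollover.
        if k.lifetime is not None and k.lifetime < p.rollover_duration:
            errors.append(f"{k.algorithm} key lifetime {k.lifetime}s is shorter than the rollover")
    # Signature timings: refresh must not exceed validity or signatures expire before refresh.
    if p.sig_refresh > p.sig_validity:
        errors.append(f"signature refresh {p.sig_refresh}s exceeds validity {p.sig_validity}s")
    return errors, warnings
```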
Edited by Matthijs Mekking