Detect insane dnssec-policies
named-checkconf should warn if a crazy policy is configured. This is a twofold piece of work:
- Determine what are crazy policies (multiple keys with same role and algorithm, very short key lifetime, ...).
- Implement the checks:
  - Error if there is no KSK. Error if there is no ZSK. There should always be a set of keys such that there is at least one key with the KSK role and one with the ZSK role. This may be the same key (CSK). #3142 (closed)
  - Warn if multiple keys with the same role and algorithm are configured.
  - Warn if key lifetimes are less than one month (30 days).
  - Error if the signature refresh is larger than the signature validity.
  - Error if the lifetime of a key is shorter than the rollover process duration.
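As an added illustration (not part of this issue or of BIND's own code), a small Python checker that applies the rules above to an already-parsed dnssec-policy; the `Policy`/`Key` classes, the timing defaults and the rollover-duration formula (publish interval plus retire interval, in the style of RFC 7583) are assumptions, not BIND's implementation:

```python
from dataclasses import dataclass, field
from datetime import timedelta
from typing import List, Optional, Tuple

DAY = timedelta(days=1)


@dataclass
class Key:
    role: str                              # "ksk", "zsk" or "csk"
    algorithm: int                         # DNSSEC algorithm number (13 = ECDSAP256SHA256)
    lifetime: Optional[timedelta] = None   # None means "unlimited", as in dnssec-policy


@dataclass
class Policy:
    # Timing options of a dnssec-policy; defaults are assumed values for this example.
    keys: List[Key] = field(default_factory=list)
    dnskey_ttl: timedelta = timedelta(hours=1)
    publish_safety: timedelta = timedelta(hours=1)
    retire_safety: timedelta = timedelta(hours=1)
    zone_propagation_delay: timedelta = timedelta(minutes=5)
    signatures_validity: timedelta = 14 * DAY
    signatures_refresh: timedelta = 5 * DAY


def rollover_duration(p: Policy) -> timedelta:
    """Assumed pre-publication rollover length: publish interval + retire interval."""
    ipub = p.dnskey_ttl + p.publish_safety + p.zone_propagation_delay
    sign_delay = p.signatures_validity - p.signatures_refresh  # time to re-sign the zone
    iret = sign_delay + p.retire_safety + p.zone_propagation_delay
    return ipub + iret


def check_policy(p: Policy) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings) for the sanity rules listed in the issue."""
    errors, warnings = [], []
    roles = {k.role for k in p.keys}
    if not roles & {"ksk", "csk"}:           # a CSK covers both roles
        errors.append("no key with the KSK role")
    if not roles & {"zsk", "csk"}:
        errors.append("no key with the ZSK role")
    if p.signatures_refresh > p.signatures_validity:
        errors.append("signatures-refresh exceeds signatures-validity")
    seen = set()
    for k in p.keys:
        if (k.role, k.algorithm) in seen:
            warnings.append(f"multiple {k.role} keys use algorithm {k.algorithm}")
        seen.add((k.role, k.algorithm))
        if k.lifetime is None:
            continue                         # unlimited lifetime: never rolls over
        if k.lifetime < 30 * DAY:
            warnings.append(f"{k.role} lifetime {k.lifetime} is shorter than 30 days")
        if k.lifetime < rollover_duration(p):
            errors.append(f"{k.role} lifetime {k.lifetime} is shorter than the rollover process")
    return errors, warnings
```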