Improve dnssec-keygen warnings when unnecessary parameters are ignored
Summary
The specific instance that inspires this bug report is that these commands
dnssec-keygen -b 2048 -a ECDSAP256SHA256 -f KSK example.com
dnssec-keygen -b 2048 -a ECDSAP256SHA256 example.com
... don't generate a warning that -b 2048 is ignored, because key algorithm ECDSAP256SHA256 has a predefined length.
There may be other scenarios worth checking at the same time?
BIND version affected
Noted against 9.16.28 (a long time ago), but I don't think the situation has changed.
Steps to reproduce
See above - just do it?
What is the current bug behavior?
No warning. dnssec-keygen goes its own sweet way and uses its built-in default length for this key.
What is the expected correct behavior?
It would have been really helpful to have known that the keys didn't have the requested length - this caused a bunch of other problems during migration to dnssec-policy using these keys!
What actually happened is that after restarting named and switching to dnssec-policy with these parameters:
ksk lifetime unlimited algorithm ECDSAP256SHA256 2048;
zsk lifetime unlimited algorithm ECDSAP256SHA256 2048;
named didn't recognise the existing keys as matching the policy and generated new ones for the zone, retiring the old keys - which is just what you don't want when migrating your existing zone's configuration and not intending to abruptly re-sign it with new keys (aargh!)
In fact, named-checkconf does fuss about the 2048:
/etc/namedb/named.conf:54: dnssec-policy: key algorithm ECDSAP256SHA256 has predefined length; ignoring length value 2048
/etc/namedb/named.conf:55: dnssec-policy: key algorithm ECDSAP256SHA256 has predefined length; ignoring length value 2048
So perhaps this is another small bug too - if the length is irrelevant and ignored - why did it not just recognise the existing keys?
It was perfectly happy with the same keys and with:
ksk lifetime unlimited algorithm ECDSAP256SHA256;
zsk lifetime unlimited algorithm ECDSAP256SHA256;
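As an added illustration (written for this report, not BIND's own code), the following Python check applies the same predefined-length rule that named-checkconf warns about and then compares existing DNSKEY records against a dnssec-policy algorithm/length pair, so a mismatch like the one above can be spotted before named is restarted. The DNSKEY records in it are constructed, structurally valid samples rather than real key material, and the algorithm table only covers the RSA, ECDSA and EdDSA algorithms named here.

```python
import base64

# DNSSEC algorithm numbers for the names used in dnssec-keygen and dnssec-policy.
ALGORITHM_NUMBER = {"RSASHA256": 8, "RSASHA512": 10, "ECDSAP256SHA256": 13,
                    "ECDSAP384SHA384": 14, "ED25519": 15, "ED448": 16}
# Algorithms whose key length is predefined; -b or a policy length is ignored for them.
FIXED_LENGTH = {"ECDSAP256SHA256": 256, "ECDSAP384SHA384": 384,
                "ED25519": 256, "ED448": 456}

def effective_length(algorithm, requested=None):
    """Return (bits, warning); the warning mirrors named-checkconf's wording."""
    if algorithm in FIXED_LENGTH:
        warning = None
        if requested is not None:
            warning = (f"key algorithm {algorithm} has predefined length; "
                       f"ignoring length value {requested}")
        return FIXED_LENGTH[algorithm], warning
    return requested, None           # RSA: the requested length is the real one

def dnskey_bits(alg_number, pubkey_b64):
    """Key size in bits, derived from the DNSKEY public key field itself."""
    raw = base64.b64decode(pubkey_b64)
    if alg_number in (8, 10):        # RSA, RFC 3110: exponent length, exponent, modulus
        exp_len, offset = raw[0], 1
        if exp_len == 0:             # long form: two-byte exponent length follows
            exp_len, offset = int.from_bytes(raw[1:3], "big"), 3
        return (len(raw) - offset - exp_len) * 8
    if alg_number in (13, 14):       # ECDSA: x||y of the point, no 0x04 prefix
        return len(raw) * 4
    if alg_number in (15, 16):       # EdDSA: raw public key
        return len(raw) * 8
    raise ValueError(f"unsupported algorithm {alg_number}")

def key_matches_policy(dnskey_rr, policy_algorithm, policy_length=None):
    """Check an existing DNSKEY against 'algorithm <name> [<length>]' from dnssec-policy."""
    fields = dnskey_rr.split()
    i = fields.index("DNSKEY")
    alg_number = int(fields[i + 3])
    pubkey = "".join(fields[i + 4:])
    want_bits, warning = effective_length(policy_algorithm, policy_length)
    if warning:
        print("warning:", warning)
    if alg_number != ALGORITHM_NUMBER[policy_algorithm]:
        return False
    return want_bits is None or dnskey_bits(alg_number, pubkey) == want_bits

# Constructed sample records (structurally valid, not real keys).
ECDSA_KEY = "example.com. IN DNSKEY 257 3 13 " + base64.b64encode(b"\x11" * 64).decode()
RSA_KEY = ("example.com. IN DNSKEY 256 3 8 "
           + base64.b64encode(b"\x03\x01\x00\x01" + b"\x22" * 256).decode())
```

With the policy from this report, key_matches_policy(ECDSA_KEY, "ECDSAP256SHA256", 2048) prints the predefined-length warning but still returns True, which is the outcome the report expected from named.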