mw/dnssec: warn when keys don't sign zones (#1011)

fail startup when dnssec middleware has keys configured that can't be used to sign any of the responses it should sign. More tests added, including ones that actually trigger setup failures.
2025-10-31 02:03:20 -04:00 · 2017-09-01 08:52:13 +02:00
parent 5eccfa2d1e
commit a08a4beec4
2 changed files with 82 additions and 9 deletions
--- a/middleware/dnssec/setup.go
+++ b/middleware/dnssec/setup.go
@@ -1,6 +1,7 @@
 package dnssec

 import (
+	"fmt"
 	"strconv"
 	"strings"

@@ -75,6 +76,22 @@ func dnssecParse(c *caddy.Controller) ([]string, []*DNSKEY, int, error) {
 	for i := range zones {
 		zones[i] = middleware.Host(zones[i]).Normalize()
 	}
+
+	// Check if each keys owner name can actually sign the zones we want them to sign
+	for _, k := range keys {
+		kname := middleware.Name(k.K.Header().Name)
+		ok := false
+		for i := range zones {
+			if kname.Matches(zones[i]) {
+				ok = true
+				break
+			}
+		}
+		if !ok {
+			return zones, keys, capacity, fmt.Errorf("key %s (keyid: %d) can not sign any of the zones", string(kname), k.keytag)
+		}
+	}
+
 	return zones, keys, capacity, nil
 }

@@ -87,6 +104,10 @@ func keyParse(c *caddy.Controller) ([]*DNSKEY, error) {
 	value := c.Val()
 	if value == "file" {
 		ks := c.RemainingArgs()
+		if len(ks) == 0 {
+			return nil, c.ArgErr()
+		}
+
 		for _, k := range ks {
 			base := k
 			// Kmiek.nl.+013+26205.key, handle .private or without extension: Kmiek.nl.+013+26205