From a08a4beec453c9c65f3b2be31859e33a973c436c Mon Sep 17 00:00:00 2001
From: Miek Gieben <miek@miek.nl>
Date: Fri, 1 Sep 2017 08:52:13 +0200
Subject: mw/dnssec: warn when keys don't sign zones (#1011)

fail startup when dnssec middleware has keys configured that can't be
used to sign any of the responses it should sign.

More tests added, including ones that actually trigger setup failures.
---
 middleware/dnssec/setup.go | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

(limited to 'middleware/dnssec/setup.go')

diff --git a/middleware/dnssec/setup.go b/middleware/dnssec/setup.go
index 28dff4432..90425b711 100644
--- a/middleware/dnssec/setup.go
+++ b/middleware/dnssec/setup.go
@@ -1,6 +1,7 @@
 package dnssec
 
 import (
+	"fmt"
 	"strconv"
 	"strings"
 
@@ -75,6 +76,22 @@ func dnssecParse(c *caddy.Controller) ([]string, []*DNSKEY, int, error) {
 	for i := range zones {
 		zones[i] = middleware.Host(zones[i]).Normalize()
 	}
+
+	// Check if each keys owner name can actually sign the zones we want them to sign
+	for _, k := range keys {
+		kname := middleware.Name(k.K.Header().Name)
+		ok := false
+		for i := range zones {
+			if kname.Matches(zones[i]) {
+				ok = true
+				break
+			}
+		}
+		if !ok {
+			return zones, keys, capacity, fmt.Errorf("key %s (keyid: %d) can not sign any of the zones", string(kname), k.keytag)
+		}
+	}
+
 	return zones, keys, capacity, nil
 }
 
@@ -87,6 +104,10 @@ func keyParse(c *caddy.Controller) ([]*DNSKEY, error) {
 	value := c.Val()
 	if value == "file" {
 		ks := c.RemainingArgs()
+		if len(ks) == 0 {
+			return nil, c.ArgErr()
+		}
+
 		for _, k := range ks {
 			base := k
 			// Kmiek.nl.+013+26205.key, handle .private or without extension: Kmiek.nl.+013+26205
-- 
cgit v1.2.3