Implement a new policy check, ksk-exists.

This closes #41.

Requested by:	DENIC

common.h

@@ -21,7 +21,7 @@ struct file_info
 
 extern struct file_info *file_info;
 
-#define N_POLICY_CHECKS 9
+#define N_POLICY_CHECKS 10
 
 #define POLICY_SINGLE_NS 0
 #define POLICY_CNAME_OTHER_DATA 1
@@ -32,6 +32,7 @@ extern struct file_info *file_info;
 #define POLICY_DNAME 6
 #define POLICY_DNSKEY 7
 #define POLICY_TLSA_HOST 8
+#define POLICY_KSK_EXISTS 9
 
 #define MAX_TIMES_TO_CHECK 32
 

dnskey.c

@@ -20,13 +20,16 @@
 #include "carp.h"
 #include "rr.h"
 
+static struct rr_dnskey *all_dns_keys = NULL;
+
 static struct rr* dnskey_parse(char *name, long ttl, int type, char *s)
 {
 	struct rr_dnskey *rr = getmem(sizeof(*rr));
 	struct binary_data key;
 	int flags, proto, algorithm;
 	unsigned int ac;
 	int i;
+	static struct rr *result;
 
 	flags = extract_integer(&s, "flags");
 	if (flags < 0) return NULL;
@@ -68,11 +71,17 @@ static struct rr* dnskey_parse(char *name, long ttl, int type, char *s)
 
 	rr->pkey_built = 0;
 	rr->pkey = NULL;
+	rr->key_type = KEY_TYPE_UNUSED;
 
 	if (*s) {
 		return bitch("garbage after valid DNSKEY data");
 	}
-	return store_record(type, name, ttl, rr);
+	result = store_record(type, name, ttl, rr);
+	if (result) {
+		rr->next_key = all_dns_keys;
+		all_dns_keys = rr;
+	}
+	return result;
 }
 
 static char* dnskey_human(struct rr *rrv)
@@ -187,3 +196,18 @@ int dnskey_build_pkey(struct rr_dnskey *rr)
 	return rr->pkey ? 1 : 0;
 }
 
+void
+dnskey_ksk_policy_check(void)
+{
+	struct rr_dnskey *rr = all_dns_keys;
+	int ksk_found = 0;
+
+	while (rr) {
+		if (rr->key_type == KEY_TYPE_KSK)
+			ksk_found = 1;
+		rr = rr->next_key;
+	}
+	if (!ksk_found)
+		moan(all_dns_keys->rr.file_name, all_dns_keys->rr.line, "No KSK found");
+}
+

main.c

@@ -248,6 +248,8 @@ void usage(char *err)
 	fprintf(stderr, "\t\t\tmx-alias\n");
 	fprintf(stderr, "\t\t\tns-alias\n");
 	fprintf(stderr, "\t\t\trp-txt-exists\n");
+	fprintf(stderr, "\t\t\ttlsa-host\n");
+	fprintf(stderr, "\t\t\tksk-exists\n");
 	fprintf(stderr, "\t\t\tall\n");
 
 	fprintf(stderr, "\t-n N\t\tuse N worker threads\n");
@@ -369,6 +371,8 @@ main(int argc, char **argv)
 				G.opt.policy_checks[POLICY_RP_TXT_EXISTS] = 1;
 			} else if (strcmp(optarg, "tlsa-host") == 0) {
 				G.opt.policy_checks[POLICY_TLSA_HOST] = 1;
+			} else if (strcmp(optarg, "ksk-exists") == 0) {
+				G.opt.policy_checks[POLICY_KSK_EXISTS] = 1;
 			} else {
 				usage("unknown policy name");
 			}
@@ -417,6 +421,9 @@ main(int argc, char **argv)
 		if (first_nsec3) nsec3_validate(&first_nsec3->rr);
 		perform_remaining_nsec3checks();
 	}
+	if (G.dnssec_active && G.opt.policy_checks[POLICY_KSK_EXISTS]) {
+		dnskey_ksk_policy_check();
+	}
 	gettimeofday(&stop, NULL);
 	if (G.opt.summary) {
 		printf("records found:       %d\n", G.stats.rr_count);

rr.h

@@ -458,10 +458,18 @@ struct rr_dnskey
 	uint16_t key_tag;
 	int pkey_built;
 	void *pkey;
+	/* extras */
+	int key_type;
+	struct rr_dnskey *next_key;
 };
 extern struct rr_methods dnskey_methods;
 
+#define KEY_TYPE_UNUSED 0
+#define KEY_TYPE_KSK    1
+#define KEY_TYPE_ZSK    2
+
 int dnskey_build_pkey(struct rr_dnskey *rr);
+void dnskey_ksk_policy_check(void);
 
 struct rr_ds
 {

rrsig.c

@@ -434,6 +434,12 @@ void verify_all_keys(void)
 		unsigned long e = 0;
 		for (i = 0; i < k->n_keys; i++) {
 			if (k->to_verify[i].ok) {
+				if (k->to_verify[i].rr->rr.rr_set->named_rr->flags & NAME_FLAG_APEX) {
+					if (k->to_verify[i].key->key_type == KEY_TYPE_UNUSED)
+						k->to_verify[i].key->key_type = KEY_TYPE_KSK;
+				} else {
+					k->to_verify[i].key->key_type = KEY_TYPE_ZSK;
+				}
 				ok = 1;
 				break;
 			} else {

t/issues/41-ksk-policy-check/Kexample.sec.+007+07686.key

@@ -0,0 +1,5 @@
+; This is a key-signing key, keyid 7686, for example.sec.
+; Created: 20150630133112 (Tue Jun 30 15:31:12 2015)
+; Publish: 20150630133112 (Tue Jun 30 15:31:12 2015)
+; Activate: 20150630133112 (Tue Jun 30 15:31:12 2015)
+example.sec. IN DNSKEY 257 3 7 AwEAAciLWglw17dt8EDAN88BrQYCIaGPifC4pxrizfz3S1cC4XbSyRW5 loj5SSHVveUmmIV90MTEOhGCDUVq/qiYG7NgTNHn3YiqyRU3sirw4SAC Fiwln/ejxFDpQkeAbZMCzU8FQhTIB1K9y7QRiLacI6naULzgP3h4PsdQ SQmw3/TWy973M+lHzwkgVq6ML42L18rGG0sn1KQDNSs/6sd9dcRjPo7u J2OuUsnbu/5N3vWYLciSBUnY27FUvbFLkVIq072wjUMIb0Xc2EgYGRFK yV2MMckLvoD7vPclBE0Krv9fO/B2/KXsbObTgz4m5iQNF45QLU02kmvw B4iyIzIk9O0=

t/issues/41-ksk-policy-check/Kexample.sec.+007+07686.private

@@ -0,0 +1,13 @@
+Private-key-format: v1.3
+Algorithm: 7 (NSEC3RSASHA1)
+Modulus: yItaCXDXt23wQMA3zwGtBgIhoY+J8LinGuLN/PdLVwLhdtLJFbmWiPlJIdW95SaYhX3QxMQ6EYINRWr+qJgbs2BM0efdiKrJFTeyKvDhIAIWLCWf96PEUOlCR4BtkwLNTwVCFMgHUr3LtBGItpwjqdpQvOA/eHg+x1BJCbDf9NbL3vcz6UfPCSBWrowvjYvXysYbSyfUpAM1Kz/qx311xGM+ju4nY65Sydu7/k3e9ZgtyJIFSdjbsVS9sUuRUirTvbCNQwhvRdzYSBgZEUrJXYwxyQu+gPu89yUETQqu/1878Hb8pexs5tODPibmJA0XjlAtTTaSa/AHiLIjMiT07Q==
+PublicExponent: AQAB
+PrivateExponent: d5kDfRXaz/20hikcH0v0j9y9icg8j17P6WzRQ8eHGsERDPfwDBC+AboJLzB1Ky+1TgcWdgJATyisGXYRoSH1gygvKA+LQnH3sbuheZJl79zOtE1L9TepYEd7y4B/2GiXYETWf+Y619Fwpla+nYjIjAcylzF1KLctWVg79peROEXC0zb+IxWQFIBpe7OzTZ1qxG8ymm6uiu9KXH6qQi3BLSarxj5rY+tO8oj0qQNOGkbSVsXFax0arZ0qMRFT5UooOm+2Yl8Q9Z/PC52qwNqkSDZ2QeoYTJx5tDFhuVJxXhioxGIueA4QuCRA4cRL2U5ZnCYcQa10JFE2O4N990eLUQ==
+Prime1: 5LW1fl8ky4bBaIPg48Cq8bXQIvaK5syFTvzzMopuTeD6PGwOByuzc4u9KLVrDRebjeYfNVkqXIJAHMjolOr4jURWp2Q3FUrewqdgyY2ULSLMmQo0+dHkvjJIs2A/6vNme+MtFms6msJjyzj3EhLf32djvCH+jWStP3Vb/jopYWs=
+Prime2: 4HlJJB25JSLygHd0GWi8yu0z3FaYhWXnIs8bwpT8er1lH+tsBeYI8ughuX9h19STMRnBhAh0ZlQaKHOrPTsdVOFQJWr6aUbWIAhv5m+ij1IFsQ58DKnsYP0DXiNkR7K4pXO8yzPTo9UfaMCJAKYipENTgpfb43sVBQnDIGr9oQc=
+Exponent1: aJpK9g9h7swlLT4T31bBWGeFWFhWUxT7a5L5UAZMSMY67OOmztTH8HLbAwFmgshnVtEHOQkc/M59sCybY3DMWSAGWezV3KEvnOucstJUEQi3ds9aR2AeNHcfFRtSYI0ONF9EwdotJZb+uXXGWrfTOIQ681LA7746FqoAdxf20R0=
+Exponent2: QlFS3Iqzglc60d14vXEGJeXCZpxm3zJmARCzIN+nYBPIZo/FEFEP38PZAtaxb3RsMBtt4rYkvX6nY8AYnTRzy/ntFcDvTl8RL9GOTcQ5gKI48EBZQdyJ63WUoyFNpSkWCDuTUW10X3i9mNMZJsnufh0t9O0sl55rbVue/Frfp80=
+Coefficient: aLnGdfeRJ3nSjmbby8IDkJ+W+gFGOHd3XAMDSNP9D8kn6B3JyAfY6FDSg0+Bh+F80PFNGsESkYimXlWr3B6NlC0Gq99hPSV8yU2pYHq3TPVB0tWOAkNVIXM9icEH9wshCQH7wD7cPDWvhhgcgo64nYOGYeK6sjTL7XDtRanvbP8=
+Created: 20150630133112
+Publish: 20150630133112
+Activate: 20150630133112

t/issues/41-ksk-policy-check/Kexample.sec.+007+64232.key

@@ -0,0 +1,5 @@
+; This is a zone-signing key, keyid 64232, for example.sec.
+; Created: 20150630133105 (Tue Jun 30 15:31:05 2015)
+; Publish: 20150630133105 (Tue Jun 30 15:31:05 2015)
+; Activate: 20150630133105 (Tue Jun 30 15:31:05 2015)
+example.sec. IN DNSKEY 256 3 7 AwEAAaMBYu1QXBi6AII33FKwWpHhOkGMhcVcIWJ73npEFjvDe0jJfLjk ghnij4tMfDI8MPIZ6xwVLYsEshxsDNEJJGdZ1dUvfJDxSCv8Wp0a2Iff xQ5NDRHSpUw27yJoQfI5gUqvor+wGTNCUWx2OU0Y1BOy1whHtVbDl1gt 1R6/8mOZ

t/issues/41-ksk-policy-check/Kexample.sec.+007+64232.private

@@ -0,0 +1,13 @@
+Private-key-format: v1.3
+Algorithm: 7 (NSEC3RSASHA1)
+Modulus: owFi7VBcGLoAgjfcUrBakeE6QYyFxVwhYnveekQWO8N7SMl8uOSCGeKPi0x8Mjww8hnrHBUtiwSyHGwM0QkkZ1nV1S98kPFIK/xanRrYh9/FDk0NEdKlTDbvImhB8jmBSq+iv7AZM0JRbHY5TRjUE7LXCEe1VsOXWC3VHr/yY5k=
+PublicExponent: AQAB
+PrivateExponent: ATf/b1rMdXreihq00QF0i+atMtREI8eekEfwz+U2bVf20gJ/pjo/JsZk4FvACfgdPZIoCdu2rXVph4DfT6jL1t7sDY/9mfcMd2Zge6eB8Kat3QpdDu4qClgkXFTYFLj2lQ5Bm/b+YbQ8fiPlZovp7YGFodmsjfnNvbT7UiOiSKE=
+Prime1: 1wNWdr5FIrew1NTzpbeClZr5NIIoRBpEPsSDCBZpbRDZ944LcjWgrJpVlG1klkp/cR/zcSzrq+637rva30jglQ==
+Prime2: whQSB4wqB87wyYrewJLU5qFY5Up/YiZ0iyD4m4OIQMk/K7eXtuqFuSOP4xTR4WAWHIyRixa1F85/eh7y6+9h9Q==
+Exponent1: XjHZJEYw9Yex0VvFrdjaPX5aJJXM3CEButnOabGf2Cckxl4VR6CU1mj6iv7trSXP9RhBR1idmoIHVHA57832jQ==
+Exponent2: dtzn9etoSoP5gNYmevbyoZWr5jJsNeardhJpcIVsS5F1uQamSob0A2G+XCuCJ3A72pxU/0SXAM+dz2NpEAr6iQ==
+Coefficient: egVfeiBCmggrVDolCSvAIg+XEb+YmLcD1SLT5qFLuqCtPKWGDx9lGMbqbx5s2gzeeoAPL1r34pohHNLMCqCNdw==
+Created: 20150630133105
+Publish: 20150630133105
+Activate: 20150630133105

t/issues/41-ksk-policy-check/dsset-example.sec.

@@ -0,0 +1,2 @@
+example.sec.		IN DS 7686 7 1 51B9CD8F901235705C6D353ADA23736AE954B4DE
+example.sec.		IN DS 7686 7 2 9EC80B8BAD67C66954B8FE726E06CA7840282C7F444BE51A916ED11C 36908A3F

t/issues/41-ksk-policy-check/example.sec

@@ -0,0 +1,12 @@
+$TTL    1d
+@       IN      SOA     ns.example.sec. hostmaster.example.sec. (
+                              1         ; Serial
+                         604800         ; Refresh
+                          86400         ; Retry
+                        2419200         ; Expire
+                         604800 )       ; Negative Cache TTL
+                IN      NS      ns1.example.net.
+subA            IN      NS      ns1.example.net.
+subb            IN      NS      ns1.example.net.
+subC            IN      NS      ns1.example.net.
+myMX	IN	MX 5 mx.example.net.

t/issues/41-ksk-policy-check/example.sec.signed

@@ -0,0 +1,131 @@
+; File written on Tue Jun 30 15:31:27 2015
+; dnssec_signzone version 9.9.7
+example.sec.		86400	IN SOA	ns.example.sec. hostmaster.example.sec. (
+					1          ; serial
+					604800     ; refresh (1 week)
+					86400      ; retry (1 day)
+					2419200    ; expire (4 weeks)
+					604800     ; minimum (1 week)
+					)
+			86400	RRSIG	SOA 7 2 86400 (
+					20150730123127 20150630123127 64232 example.sec.
+					b1Qs5d/0a4IDAvFPVvDKqWpir4189XoPOD4E
+					804eiNXRLP2ShkEUBPil44+6Ikwup5Im24XU
+					PLnmStjUFHVniicvwbwT/IY4etXR4xNoBHUc
+					BU8LiADPpZGfJ1tC/s/IHLcPbX21OltyYzi0
+					++z9gxZGy4vCG5gYCH0vm+Q96fY= )
+			86400	NS	ns1.example.net.
+			86400	RRSIG	NS 7 2 86400 (
+					20150730123127 20150630123127 64232 example.sec.
+					gyqsk3xSnKefnjTOVzJS4sdDFiJ5cPEupSkP
+					+LGXGRDGrclY6V9mkfddQz3MkeCCjujvQNAi
+					NpZllyzFj221se5bHLAVydkT0jhl2jgp8bsL
+					DBk15FGa7SXcwtpXn5rkDvR1/wmS7M/aYnrY
+					3j5dTSSsOlZQLENWBEtct9QSNbU= )
+			86400	DNSKEY	256 3 7 (
+					AwEAAaMBYu1QXBi6AII33FKwWpHhOkGMhcVc
+					IWJ73npEFjvDe0jJfLjkghnij4tMfDI8MPIZ
+					6xwVLYsEshxsDNEJJGdZ1dUvfJDxSCv8Wp0a
+					2IffxQ5NDRHSpUw27yJoQfI5gUqvor+wGTNC
+					UWx2OU0Y1BOy1whHtVbDl1gt1R6/8mOZ
+					) ; ZSK; alg = NSEC3RSASHA1; key id = 64232
+			86400	DNSKEY	257 3 7 (
+					AwEAAciLWglw17dt8EDAN88BrQYCIaGPifC4
+					pxrizfz3S1cC4XbSyRW5loj5SSHVveUmmIV9
+					0MTEOhGCDUVq/qiYG7NgTNHn3YiqyRU3sirw
+					4SACFiwln/ejxFDpQkeAbZMCzU8FQhTIB1K9
+					y7QRiLacI6naULzgP3h4PsdQSQmw3/TWy973
+					M+lHzwkgVq6ML42L18rGG0sn1KQDNSs/6sd9
+					dcRjPo7uJ2OuUsnbu/5N3vWYLciSBUnY27FU
+					vbFLkVIq072wjUMIb0Xc2EgYGRFKyV2MMckL
+					voD7vPclBE0Krv9fO/B2/KXsbObTgz4m5iQN
+					F45QLU02kmvwB4iyIzIk9O0=
+					) ; KSK; alg = NSEC3RSASHA1; key id = 7686
+			86400	RRSIG	DNSKEY 7 2 86400 (
+					20150730123127 20150630123127 7686 example.sec.
+					YQ42WBCr7e4MR51W+d6Awkxdff7tTNiA1qfJ
+					wsst0UiNXKAv504YRcS6B34u4CfG59lWWtcd
+					+xBHU7Zuox5nehsLEkFAneD1YrJLkgVw03nZ
+					NzDNWFvlxfQ2/tJ7vGbjKG2cEwUnbJKl+Kcl
+					JTAc5JzZegfM75M0Z4Yi9NiDjicpHbaICtKJ
+					5WZ6T5nVFo1nl2xCq2CiXiR1+jGKARUW+btO
+					NzHMApLQszDo7CMgvYJoHy0CHAV1Uc7Ka4zO
+					P3dVYkwu1Puk+gixhNUqo+UhKgLB2JUYdci7
+					cQ1JR9RzqEXzyZgGpLmXCOEOc8KD2c2dDN5L
+					uvOV40OrWhST/bAQ+Q== )
+			86400	RRSIG	DNSKEY 7 2 86400 (
+					20150730123127 20150630123127 64232 example.sec.
+					lKX35bocQ1iR4VTW0Es+2bZ2qX1ON7OGU1fO
+					Pb0ZqueG2GYgI63VE4Jv3WeOmGg/Tkjvsdb6
+					bMHVuVpxHvQKRqqzfaQmY7nzoDe53LfSJewj
+					p2TvdhvpPRroEZGXXPmVl46R/p+jlYMJd47T
+					o0oqB/BvQPUS61a5NThagGq6vJM= )
+			0	NSEC3PARAM 1 0 10 -
+			0	RRSIG	NSEC3PARAM 7 2 0 (
+					20150730123127 20150630123127 64232 example.sec.
+					hNJlc3JuGYBpnYEZQrhqNwrIL2fBegnnR4ii
+					TOW+0Km2maqF5ZZMxBZ7x54gW4T0amXXz89+
+					uE+l02eknf/FgM81FFOrQvJul0toOzKW9g67
+					e2VwQAwcw7g6H06cSsypXM/h9wvsNQpoSdx0
+					rq6qU2ruYM9NmJf+xUzUk38AFUw= )
+subA.example.sec.	86400	IN NS	ns1.example.net.
+subb.example.sec.	86400	IN NS	ns1.example.net.
+subC.example.sec.	86400	IN NS	ns1.example.net.
+93GL7KF6D2G7J2PSLEO2CIA70A3MM4KQ.example.sec. 604800 IN	NSEC3 1 0 10 - (
+					CSLD6RFNKVSKA73DGNI0EOM95Q8DKGBQ
+					NS )
+			604800	RRSIG	NSEC3 7 3 604800 (
+					20150730123127 20150630123127 64232 example.sec.
+					JRhyC3PbmnvYBkXzV5GmIBnj5LJTnrVeC1t3
+					v6t6o+3udfPZRecHw2cApf/Oed8H9jCeox77
+					vA13/fLXui635CYAcqXYxVgO4g0au1d1S6lo
+					N2Pw96JXDNhIqyVBVj1Ii2ZOQLWXZ8YgZRQ6
+					lxgww8m0QGC8FjEnzR8z2liSG88= )
+3ED4GMVJJ0FT4TCFDKNFQ5EPEFSDBPNM.example.sec. 604800 IN	NSEC3 1 0 10 - (
+					93GL7KF6D2G7J2PSLEO2CIA70A3MM4KQ
+					NS )
+			604800	RRSIG	NSEC3 7 3 604800 (
+					20150730123127 20150630123127 64232 example.sec.
+					B9L5NrHjO/J6FDmv7DjT1xq/f8jiB2WTEXSl
+					bFeUVcTivoyvdyfNNTH+YlzJesqTtQ9GaEPQ
+					ouzw7XbdyvtJ//GD+vrO/7XwfrVmkckQgEVl
+					zPm70TksAkwLzj0uY6WBIGIPq/KJMM14f6El
+					ct5w2KtgvF9sazFP+KMchU5Be3Q= )
+myMX.example.sec.	86400	IN MX	5 mx.example.net.
+			86400	RRSIG	MX 7 3 86400 (
+					20150730123127 20150630123127 64232 example.sec.
+					lh8vFwFg77gLtLyXbzqzYSlebkzn3yAlXHU2
+					/hgiyUWYcuZa5E33Ul+ZrUJPCGLaUQs3X+yL
+					p/uk6LP2dnMaf/X1mow/tyYNtIdn0MhTYNqs
+					WmYV1Ga/NSoErtoHYoNgeqV1w0Q/nfhipMdX
+					RekpxVR6RUUt2d3LS8UIH+pEYd8= )
+CSLD6RFNKVSKA73DGNI0EOM95Q8DKGBQ.example.sec. 604800 IN	NSEC3 1 0 10 - (
+					JC1M8I9IPBEENK9RDGMN9LQKAMMSQEVV
+					MX RRSIG )
+			604800	RRSIG	NSEC3 7 3 604800 (
+					20150730123127 20150630123127 64232 example.sec.
+					menCNV7RkbVWmfhuPfoYHfHCEtvQmVb3+p/x
+					WYVymu5hXUPQ2+K4Ns0jQ+om4GuTmXmm1DYY
+					IjIXv4jthJoD6jydqN6Hr+tr0ewxr6mHXj3I
+					RizTBuw4zcgPUrIRVQStkMtwyjN4Nlznhg7I
+					txZ14uH1G4U1DgkR2oC6YZsSqi8= )
+JC1M8I9IPBEENK9RDGMN9LQKAMMSQEVV.example.sec. 604800 IN	NSEC3 1 0 10 - (
+					NLF2NKFTCGVVRC4C941FOOCD00TPI9DV
+					NS SOA RRSIG DNSKEY NSEC3PARAM )
+			604800	RRSIG	NSEC3 7 3 604800 (
+					20150730123127 20150630123127 64232 example.sec.
+					ggLIoKQYmI9GeBkSccVdE87G1QQwGGO0HlrN
+					dg9Ah5QiWWjZ5icSOU4vyEm0XiqkFCrGEAq0
+					9L4HMOFuELMa28dAhVxOvZldbXizXUSCbWCS
+					miYFLOIKcQ9IcmzeEgg+uJzHdAyYSSK2Jb+0
+					YYuoXOhiZwzluj+u2i6kbf6wDY4= )
+NLF2NKFTCGVVRC4C941FOOCD00TPI9DV.example.sec. 604800 IN	NSEC3 1 0 10 - (
+					3ED4GMVJJ0FT4TCFDKNFQ5EPEFSDBPNM
+					NS )
+			604800	RRSIG	NSEC3 7 3 604800 (
+					20150730123127 20150630123127 64232 example.sec.
+					buRQJjfJDIbRFZFr8s7odGSxqnrSHXXN/AAu
+					tbG1k2L7WD+DGYFiRnR5Uia/C2oL186PqBtT
+					R8oDKf/4zr5qOsZz9xYabaBqG98JVXwPTiFk
+					JBoc7sFcwGJ16hj9Zey05aNs1h5RZm6BL8W0
+					9bRF3qIezckG0VA+U7ASTLNH4ME= )

t/test.pl

@@ -227,6 +227,19 @@
 run('./validns', @threads, '-t1345815800', 't/issues/25-nsec/example.sec.signed');
 is(rc, 0, 'issue 25 did not come back');
 
+# issue 41: https://github.com/tobez/validns/issues/41
+run('./validns', @threads, '-t1345815800', '-pksk-exists', 't/issues/25-nsec/example.sec.signed');
+isnt(rc, 0, 'KSK policy check fails');
+@e = split /\n/, stderr;
+like(shift @e, qr/\bNo KSK found\b/, "KSK policy check produces expected error output");
+is(+@e, 0, "no unaccounted errors for KSK policy check");
+
+run('./validns', @threads, '-t1435671103', '-pksk-exists', 't/issues/41-ksk-policy-check/example.sec.signed');
+is(rc, 0, 'signed zone with KSK parses ok when KSK policy check is active');
+
+run('./validns', @threads, '-pksk-exists', 't/zones/galaxyplus.org');
+is(rc, 0, 'unsigned zone ignores KSK policy checks');
+
 # issue 26: https://github.com/tobez/validns/issues/26
 run('./validns', @threads, '-t1349357570', 't/issues/26-spurios-glue/example.sec.signed.no-optout');
 is(rc, 0, 'issue 26 did not come back (NSEC3 NO optout)');

usage.mdwn

@@ -48,6 +48,7 @@ Coming soon.
 	- ns-alias
 	- rp-txt-exists
 	- tlsa-host
+	- ksk-exists
 	- all
 
 -n *N*
@@ -130,6 +131,7 @@ Other basic checks include:
 - TXT domain name mentioned in RP record must have
   a corresponding TXT record if it is within the zone
 - domain name of a TLSA record must be a proper prefixed DNS name
+- a KSK key must exist in a signed zone
 
 # BUGS
 

validns.1

@@ -1,4 +1,4 @@
-.TH VALIDNS 1 "April 2011" 
+.TH "VALIDNS" "1" "April 2011" "" ""
 .SH NAME
 .PP
 validns \- DNS and DSNSEC zone file validator
@@ -53,6 +53,8 @@ rp\-txt\-exists
 .IP \[bu] 2
 tlsa\-host
 .IP \[bu] 2
+ksk\-exists
+.IP \[bu] 2
 all
 .RE
 .TP
@@ -178,6 +180,8 @@ TXT domain name mentioned in RP record must have a corresponding TXT
 record if it is within the zone
 .IP \[bu] 2
 domain name of a TLSA record must be a proper prefixed DNS name
+.IP \[bu] 2
+a KSK key must exist in a signed zone
 .SH BUGS
 .IP \[bu] 2
 textual segments in \f[I]TXT\f[] and \f[I]HINFO\f[] must be enclosed in