Deprecate SHA-1 CDS records

This affects CDS records generated by `named` and `dnssec-signzone` based on `-P sync` and `-D sync` key timing instructions. This is for conformance with the DS/CDS algorithm requirements in https://tools.ietf.org/html/draft-ietf-dnsop-algorithm-update
2026-04-15 22:09:31 -04:00 · 2019-01-30 18:25:21 +00:00 · 2019-01-30 18:25:21 +00:00 · 8785f6fa34
commit 8785f6fa34
parent d8f2eb249a
1 changed files with 46 additions and 29 deletions
--- a/lib/dns/dnssec.c
+++ b/lib/dns/dnssec.c
@ -1909,8 +1909,8 @@ dns_dnssec_syncupdate(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *rmkeys,
 	for (key = ISC_LIST_HEAD(*keys);
 	     key != NULL;
 	     key = ISC_LIST_NEXT(key, link)) {
-		dns_rdata_t cdsrdata1 = DNS_RDATA_INIT;
-		dns_rdata_t cdsrdata2 = DNS_RDATA_INIT;
+		dns_rdata_t cds_sha1 = DNS_RDATA_INIT;
+		dns_rdata_t cds_sha256 = DNS_RDATA_INIT;
 		dns_rdata_t cdnskeyrdata = DNS_RDATA_INIT;
 		dns_name_t *origin = dst_key_name(key->key);

@ -1918,69 +1918,83 @@ dns_dnssec_syncupdate(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *rmkeys,
 				   &cdnskeyrdata));

 		/*
+		 * We construct the SHA-1 version of the record so we can
+		 * delete any old records generated by previous versions of
+		 * BIND. We only add SHA-256 records.
+		 *
 		 * XXXMPA we need to be able to specify the DS algorithms
 		 * to be used here and below with rmkeys.
 		 */
 		RETERR(dns_ds_buildrdata(origin, &cdnskeyrdata,
 					 DNS_DSDIGEST_SHA1, dsbuf1,
-					 &cdsrdata1));
+					 &cds_sha1));
 		RETERR(dns_ds_buildrdata(origin, &cdnskeyrdata,
 					 DNS_DSDIGEST_SHA256, dsbuf2,
-					 &cdsrdata2));
+					 &cds_sha256));

 		/*
 		 * Now that the we have created the DS records convert
 		 * the rdata to CDNSKEY and CDS for comparison.
 		 */
 		cdnskeyrdata.type = dns_rdatatype_cdnskey;
-		cdsrdata1.type = dns_rdatatype_cds;
-		cdsrdata2.type = dns_rdatatype_cds;
+		cds_sha1.type = dns_rdatatype_cds;
+		cds_sha256.type = dns_rdatatype_cds;

 		if (syncpublish(key->key, now)) {
 			if (!dns_rdataset_isassociated(cdnskey) ||
 			    !exists(cdnskey, &cdnskeyrdata))
+			{
 				RETERR(publish(&cdnskeyrdata, diff, origin,
 					       ttl, mctx));
+			}
+			/* Only publish SHA-256 (SHA-1 is deprecated) */
 			if (!dns_rdataset_isassociated(cds) ||
-			    !exists(cds, &cdsrdata1))
-				RETERR(publish(&cdsrdata1, diff, origin,
-					       ttl, mctx));
-			if (!dns_rdataset_isassociated(cds) ||
-			    !exists(cds, &cdsrdata2))
-				RETERR(publish(&cdsrdata2, diff, origin,
+			    !exists(cds, &cds_sha256))
+			{
+				RETERR(publish(&cds_sha256, diff, origin,
 					       ttl, mctx));
+			}
 		}

 		if (dns_rdataset_isassociated(cds) &&
-		    syncdelete(key->key, now)) {
-			if (exists(cds, &cdsrdata1))
-				RETERR(delrdata(&cdsrdata1, diff, origin,
+		    syncdelete(key->key, now))
+		{
+			/* Delete both SHA-1 and SHA-256 */
+			if (exists(cds, &cds_sha1)) {
+				RETERR(delrdata(&cds_sha1, diff, origin,
 						cds->ttl, mctx));
-			if (exists(cds, &cdsrdata2))
-				RETERR(delrdata(&cdsrdata2, diff, origin,
+			}
+			if (exists(cds, &cds_sha256)) {
+				RETERR(delrdata(&cds_sha256, diff, origin,
 						cds->ttl, mctx));
+			}
 		}

 		if (dns_rdataset_isassociated(cdnskey) &&
-		    syncdelete(key->key, now)) {
-			if (exists(cdnskey, &cdnskeyrdata))
+		    syncdelete(key->key, now))
+		{
+			if (exists(cdnskey, &cdnskeyrdata)) {
 				RETERR(delrdata(&cdnskeyrdata, diff, origin,
 						cdnskey->ttl, mctx));
+			}
 		}
 	}

 	if (!dns_rdataset_isassociated(cds) &&
 	    !dns_rdataset_isassociated(cdnskey))
+	{
 		return (ISC_R_SUCCESS);
+	}

 	/*
 	 * Unconditionaly remove CDS/DNSKEY records for removed keys.
 	 */
 	for (key = ISC_LIST_HEAD(*rmkeys);
 	     key != NULL;
-	     key = ISC_LIST_NEXT(key, link)) {
-		dns_rdata_t cdsrdata1 = DNS_RDATA_INIT;
-		dns_rdata_t cdsrdata2 = DNS_RDATA_INIT;
+	     key = ISC_LIST_NEXT(key, link))
+	{
+		dns_rdata_t cds_sha1 = DNS_RDATA_INIT;
+		dns_rdata_t cds_sha256 = DNS_RDATA_INIT;
 		dns_rdata_t cdnskeyrdata = DNS_RDATA_INIT;
 		dns_name_t *origin = dst_key_name(key->key);

@ -1990,22 +2004,25 @@ dns_dnssec_syncupdate(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *rmkeys,
 		if (dns_rdataset_isassociated(cds)) {
 			RETERR(dns_ds_buildrdata(origin, &cdnskeyrdata,
 						 DNS_DSDIGEST_SHA1, dsbuf1,
-						 &cdsrdata1));
+						 &cds_sha1));
 			RETERR(dns_ds_buildrdata(origin, &cdnskeyrdata,
 						 DNS_DSDIGEST_SHA256, dsbuf2,
-						 &cdsrdata2));
-			if (exists(cds, &cdsrdata1))
-				RETERR(delrdata(&cdsrdata1, diff, origin,
+						 &cds_sha256));
+			if (exists(cds, &cds_sha1)) {
+				RETERR(delrdata(&cds_sha1, diff, origin,
 						cds->ttl, mctx));
-			if (exists(cds, &cdsrdata2))
-				RETERR(delrdata(&cdsrdata2, diff, origin,
+			}
+			if (exists(cds, &cds_sha256)) {
+				RETERR(delrdata(&cds_sha256, diff, origin,
 						cds->ttl, mctx));
+			}
 		}

 		if (dns_rdataset_isassociated(cdnskey)) {
-			if (exists(cdnskey, &cdnskeyrdata))
+			if (exists(cdnskey, &cdnskeyrdata)) {
 				RETERR(delrdata(&cdnskeyrdata, diff, origin,
 						cdnskey->ttl, mctx));
+			}
 		}
 	}