Deprecate SHA-1 DS digests in dnssec-signzone
This affects two cases:
* When writing a `dsset` file for this zone, to be used by its
parent, only write a SHA-256 DS record.
* When reading a `keyset` file for a child, to generate DS records
to include in this zone, generate SHA-256 DS records only.
This change does not affect digests used in CDS records.
This is for conformance with the DS/CDS algorithm requirements in
https://tools.ietf.org/html/draft-ietf-dnsop-algorithm-update
This commit is contained in:
parent
129b731273
commit
d8f2eb249a
2 changed files with 3 additions and 25 deletions
@ -987,16 +987,6 @@ loadds(dns_name_t *name, uint32_t ttl, dns_rdataset_t *dsset) {
|
|||
dns_rdata_init(&key);
|
||||
dns_rdata_init(&ds);
|
||||
dns_rdataset_current(&keyset, &key);
|
||||
result = dns_ds_buildrdata(name, &key, DNS_DSDIGEST_SHA1,
|
||||
dsbuf, &ds);
|
||||
check_result(result, "dns_ds_buildrdata");
|
||||
|
||||
result = dns_difftuple_create(mctx, DNS_DIFFOP_ADDRESIGN, name,
|
||||
ttl, &ds, &tuple);
|
||||
check_result(result, "dns_difftuple_create");
|
||||
dns_diff_append(&diff, &tuple);
|
||||
|
||||
dns_rdata_reset(&ds);
|
||||
result = dns_ds_buildrdata(name, &key, DNS_DSDIGEST_SHA256,
|
||||
dsbuf, &ds);
|
||||
check_result(result, "dns_ds_buildrdata");
|
||||
|
|
@ -2995,19 +2985,6 @@ writeset(const char *prefix, dns_rdatatype_t type) {
|
|||
isc_buffer_usedregion(&b, &r);
|
||||
dns_rdata_fromregion(&rdata, gclass, dns_rdatatype_dnskey, &r);
|
||||
if (type != dns_rdatatype_dnskey) {
|
||||
result = dns_ds_buildrdata(gorigin, &rdata,
|
||||
DNS_DSDIGEST_SHA1,
|
||||
dsbuf, &ds);
|
||||
check_result(result, "dns_ds_buildrdata");
|
||||
if (type == dns_rdatatype_dlv)
|
||||
ds.type = dns_rdatatype_dlv;
|
||||
result = dns_difftuple_create(mctx,
|
||||
DNS_DIFFOP_ADDRESIGN,
|
||||
name, 0, &ds, &tuple);
|
||||
check_result(result, "dns_difftuple_create");
|
||||
dns_diff_append(&diff, &tuple);
|
||||
|
||||
dns_rdata_reset(&ds);
|
||||
result = dns_ds_buildrdata(gorigin, &rdata,
|
||||
DNS_DSDIGEST_SHA256,
|
||||
dsbuf, &ds);
|
||||
|
|
@ -3018,11 +2995,12 @@ writeset(const char *prefix, dns_rdatatype_t type) {
|
|||
DNS_DIFFOP_ADDRESIGN,
|
||||
name, 0, &ds, &tuple);
|
||||
|
||||
} else
|
||||
} else {
|
||||
result = dns_difftuple_create(mctx,
|
||||
DNS_DIFFOP_ADDRESIGN,
|
||||
gorigin, zone_soa_min_ttl,
|
||||
&rdata, &tuple);
|
||||
}
|
||||
check_result(result, "dns_difftuple_create");
|
||||
dns_diff_append(&diff, &tuple);
|
||||
}
|
||||
|
|
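Review bot: DNS_DSDIGEST_SHA256 is now the only digest type emitted, but it is hard-coded separately at the dns_ds_buildrdata call in loadds (first hunk) and at the one in writeset (second hunk), so a later policy change would have to find both sites; a single file-scope constant such as `static const dns_dsdigest_t dsset_digest = DNS_DSDIGEST_SHA256;` passed at both calls keeps the dsset and keyset paths in step. The block removed from writeset carried the `if (type == dns_rdatatype_dlv) ds.type = dns_rdatatype_dlv;` override; the surviving SHA-256 path lies between the second and third hunks and is not shown here, so it is worth confirming it still applies that override before the difftuple is created. The diffstat lists only the source file and the system test, so a user-visible change to the contents of dsset files goes without a CHANGES entry or a man-page note for dnssec-signzone. Both loadds and writeset begin and end outside these hunks.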
@ -2752,7 +2752,7 @@ status=$((status+ret))
|
|||
echo_i "check dnssec-dsfromkey from stdin ($n)"
|
||||
ret=0
|
||||
dig_with_opts dnskey algroll. @10.53.0.2 | \
|
||||
$DSFROMKEY -12 -f - algroll. > dig.out.ns2.test$n || ret=1
|
||||
$DSFROMKEY -f - algroll. > dig.out.ns2.test$n || ret=1
|
||||
NF=$(awk '{print NF}' dig.out.ns2.test$n | sort -u)
|
||||
[ "${NF}" = 7 ] || ret=1
|
||||
# make canonical
|
||||
|
|
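Review bot: With `-12` dropped, the surviving check `[ "${NF}" = 7 ] || ret=1` asserts only the field count, so a DS line with digest type 1 would still pass and the test no longer pins the SHA-256-only output this commit is about. Add a check on the digest-type column, e.g. `awk '$6 != 2 { exit 1 }' dig.out.ns2.test$n || ret=1`; with seven fields per line the digest type should be the sixth, but confirm the column against the actual dsfromkey output. The enclosing test case continues outside the hunk.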