From b44780b22c9504ab041de4f587cafe560a7c3234 Mon Sep 17 00:00:00 2001
From: Wouter Wijngaards
Date: Mon, 17 Sep 2012 13:15:12 +0000
Subject: [PATCH] - patch_rsamd5_enable.diff: this patch enables RSAMD5 validation otherwise it is treated as insecure. The RSAMD5 algorithm is deprecated (RFC6725). The MD5 hash is considered weak for some purposes, if you want to sign your zone, then RSASHA256 is an uncontested hash.

git-svn-id: file:///svn/unbound/trunk@2760 be551aaa-1e26-0410-a405-d3ace91eadb9
---
 contrib/README | 2 ++
 contrib/patch_rsamd5_enable.diff | 22 ++++++++++++++++++++++
 doc/Changelog | 7 +++++++
 3 files changed, 31 insertions(+)
 create mode 100644 contrib/patch_rsamd5_enable.diff

diff --git a/contrib/README b/contrib/README
index 19abd0544..943ce5264 100644
--- a/contrib/README
+++ b/contrib/README
@@ -17,3 +17,5 @@ distribution but may be helpful.
 in with the nagios monitoring framework. Contributed by Migiel de Vos.
 * unbound_unixsock.diff: Add Unix socket support for unbound-control.
 Contributed by Ilya Bakulin, 2012-08-28.
+* patch_rsamd5_enable.diff: this patch enables RSAMD5 validation (otherwise
+ it is treated as insecure). The RSAMD5 algorithm is deprecated (RFC6725).
diff --git a/contrib/patch_rsamd5_enable.diff b/contrib/patch_rsamd5_enable.diff
new file mode 100644
index 000000000..dfd4a7b9f
--- /dev/null
+++ b/contrib/patch_rsamd5_enable.diff
@@ -0,0 +1,22 @@
+Index: validator/val_secalgo.c
+===================================================================
+--- validator/val_secalgo.c (revision 2759)
++++ validator/val_secalgo.c (working copy)
+@@ -153,7 +153,7 @@
+ switch(id) {
+ case LDNS_RSAMD5:
+ /* RFC 6725 deprecates RSAMD5 */
+- return 0;
++ return 1;
+ case LDNS_DSA:
+ case LDNS_DSA_NSEC3:
+ case LDNS_RSASHA1:
+@@ -617,7 +617,7 @@
+ switch(id) {
+ case LDNS_RSAMD5:
+ /* RFC 6725 deprecates RSAMD5 */
+- return 0;
++ return 1;
+ case LDNS_DSA:
+ case LDNS_DSA_NSEC3:
+ case LDNS_RSASHA1:
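Review bot: Both `return 1` lines in the embedded val_secalgo.c patch flip RSAMD5 from unsupported to supported while leaving the `/* RFC 6725 deprecates RSAMD5 */` comment untouched, so a reader of the patched file sees a comment that argues for the opposite of the code below it; each occurrence should become `/* RFC 6725 deprecates RSAMD5; validation deliberately re-enabled by contrib/patch_rsamd5_enable.diff */`. Per the commit message, "supported" means RSAMD5-signed data is now validated instead of being treated as insecure, so the MD5 collision weakness the message itself mentions presumably feeds directly into answers marked Secure, and the patch file carries no header stating that trade-off — a one-line warning above `Index:` would help whoever applies it later without reading contrib/README. The patch is pinned to `(revision 2759)` and both of its hunks cut through `switch(id)` bodies whose enclosing functions start and end outside the hunk, so it will likely need refreshing whenever those functions change.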
diff --git a/doc/Changelog b/doc/Changelog
index f655cb697..629749839 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,10 @@
+17 September 2012: Wouter
+ - patch_rsamd5_enable.diff: this patch enables RSAMD5 validation
+ otherwise it is treated as insecure. The RSAMD5 algorithm is
+ deprecated (RFC6725). The MD5 hash is considered weak for some
+ purposes, if you want to sign your zone, then RSASHA256 is an
+ uncontested hash.
+
 30 August 2012: Wouter
 - RFC6725 deprecates RSAMD5: this DNSKEY algorithm is disabled.
 - iana portlist updated.