[master] remove default algorithm in dnssec-keygen

4594. [func] dnssec-keygen no longer uses RSASHA1 by default; the signing algorithm must be specified on the command line with the "-a" option. Signing scripts that rely on the existing default behavior will break; use "dnssec-keygen -a RSASHA1" to repair them. (The goal of this change is to make it easier to find scripts using RSASHA1 so they can be changed in the event of that algorithm being deprecated in the future.) [RT #44755]
2017-08-30 18:51:11 -07:00
parent 2bfc294f0a
commit 45afdb2672
33 changed files with 468 additions and 431 deletions
--- a/bin/tests/system/mkeys/tests.sh
+++ b/bin/tests/system/mkeys/tests.sh
@@ -57,7 +57,7 @@ status=`expr $status + $ret`
 n=`expr $n + 1`
 echo "I: check new trust anchor can be added ($n)"
 ret=0
-standby1=`$KEYGEN -qfk -r $RANDFILE -K ns1 .`
+standby1=`$KEYGEN -a rsasha256 -qfk -r $RANDFILE -K ns1 .`
 $RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 loadkeys . | sed 's/^/I: ns1 /'
 sleep 5
 $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys refresh | sed 's/^/I: ns2 /'
@@ -241,7 +241,7 @@ status=`expr $status + $ret`
 n=`expr $n + 1`
 echo "I: revoke original key, add new standby ($n)"
 ret=0
-standby2=`$KEYGEN -qfk -r $RANDFILE -K ns1 .`
+standby2=`$KEYGEN -a rsasha256 -qfk -r $RANDFILE -K ns1 .`
 $SETTIME -R now -K ns1 `cat ns1/managed.key` > /dev/null
 $RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 loadkeys . | sed 's/^/I: ns1 /'
 sleep 3
@@ -276,7 +276,7 @@ status=`expr $status + $ret`
 n=`expr $n + 1`
 echo "I: revoke standby before it is trusted ($n)"
 ret=0
-standby3=`$KEYGEN -qfk -r $RANDFILE -K ns1 .`
+standby3=`$KEYGEN -a rsasha256 -qfk -r $RANDFILE -K ns1 .`
 $RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 loadkeys . | sed 's/^/I: ns1 /'
 sleep 3
 $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys refresh | sed 's/^/I: ns2 /'