ComputerSurge/bind9
3
0
Fork 0
Code Pull Requests 1 Activity

Deprecate SHA-1 in dnssec-dsfromkey

Browse Source 
This makes the `-12a` options to `dnssec-dsfromkey` work more like
`dnssec-cds`, in that you can specify more than one digest and you
will get multiple records. (Previously you could only get one
non-default digest type at a time.)

The default is now `-2`. You can get the old behaviour with `-12`.

Tests and tools that use `dnssec-dsfromkey` have been updated to use
`-12` where necessary.

This is for conformance with the DS/CDS algorithm requirements in
https://tools.ietf.org/html/draft-ietf-dnsop-algorithm-update
This commit is contained in:
Tony Finch
2019-01-31 17:05:57 +00:00
committed by Evan Hunt
parent a177b07da1
commit 796a6c4e4e
8 changed files with 117 additions and 92 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
bin/dnssec/dnssec-cds.c
View File

@@ -75,12 +75,6 @@ static dns_fixedname_t fixed;
static dns_name_t *name = NULL;
static dns_rdataclass_t rdclass = dns_rdataclass_in;
/*
* List of digest types used by ds_from_cdnskey(), filled in by add_dtype()
* from -a arguments. The size of the array is an arbitrary limit.
*/
static dns_dsdigest_t dtype[8];
static const char *startstr = NULL; /* from which we derive notbefore */
static isc_stdtime_t notbefore = 0; /* restrict sig inception times */
static dns_rdata_rrsig_t oldestsig; /* for recording inception time */
@@ -831,34 +825,6 @@ ds_from_cdnskey(dns_rdatalist_t *dslist, isc_buffer_t *buf,
return (ISC_R_SUCCESS);
}
/*
* For sorting the digest types so that DS records generated
* from CDNSKEY records are in canonical order.
*/
static int
cmp_dtype(const void *ap, const void *bp) {
int a = *(const dns_dsdigest_t *)ap;
int b = *(const dns_dsdigest_t *)bp;
return (a - b);
}
static void
add_dtype(const char *dn) {
dns_dsdigest_t dt;
unsigned i, n;
dt = strtodsdigest(dn);
n = sizeof(dtype)/sizeof(dtype[0]);
for (i = 0; i < n; i++) {
if (dtype[i] == 0 || dtype[i] == dt) {
dtype[i] = dt;
qsort(dtype, i+1, 1, cmp_dtype);
return;
}
}
fatal("too many -a digest type arguments");
}
static void
make_new_ds_set(ds_maker_func_t *ds_from_rdata,
uint32_t ttl, dns_rdataset_t *rdset)
@@ -1147,7 +1113,7 @@ main(int argc, char *argv[]) {
while ((ch = isc_commandline_parse(argc, argv, OPTIONS)) != -1) {
switch (ch) {
case 'a':
add_dtype(isc_commandline_argument);
add_dtype(strtodsdigest(isc_commandline_argument));
break;
case 'c':
rdclass = strtoclass(isc_commandline_argument);