Deprecate SHA-1 in dnssec-dsfromkey

This makes the `-12a` options to `dnssec-dsfromkey` work more like
`dnssec-cds`, in that you can specify more than one digest and you
will get multiple records. (Previously you could only get one
non-default digest type at a time.)

The default is now `-2`. You can get the old behaviour with `-12`.

Tests and tools that use `dnssec-dsfromkey` have been updated to use
`-12` where necessary.

This is for conformance with the DS/CDS algorithm requirements in
https://tools.ietf.org/html/draft-ietf-dnsop-algorithm-update

bin/dnssec/dnssectool.c

@@ -58,6 +58,7 @@
 #include "dnssectool.h"
 
 int verbose;
+uint8_t dtype[8];
 
 static fatalcallback_t *fatalcallback = NULL;
 
@@ -343,6 +344,32 @@ strtodsdigest(const char *algname) {
 	}
 }
 
+static int
+cmp_dtype(const void *ap, const void *bp) {
+	int a = *(const uint8_t *)ap;
+	int b = *(const uint8_t *)bp;
+	return (a - b);
+}
+
+void
+add_dtype(unsigned int dt) {
+	unsigned i, n;
+
+	/* ensure there is space for a zero terminator */
+	n = sizeof(dtype)/sizeof(dtype[0]) - 1;
+	for (i = 0; i < n; i++) {
+		if (dtype[i] == dt) {
+			return;
+		}
+		if (dtype[i] == 0) {
+			dtype[i] = dt;
+			qsort(dtype, i+1, 1, cmp_dtype);
+			return;
+		}
+	}
+	fatal("too many -a digest type arguments");
+}
+
 isc_result_t
 try_dir(const char *dirname) {
 	isc_result_t result;