Deprecate SHA-1 in dnssec-dsfromkey

This makes the `-12a` options to `dnssec-dsfromkey` work more like `dnssec-cds`, in that you can specify more than one digest and you will get multiple records. (Previously you could only get one non-default digest type at a time.) The default is now `-2`. You can get the old behaviour with `-12`. Tests and tools that use `dnssec-dsfromkey` have been updated to use `-12` where necessary. This is for conformance with the DS/CDS algorithm requirements in https://tools.ietf.org/html/draft-ietf-dnsop-algorithm-update
2019-01-31 17:05:57 +00:00
parent a177b07da1
commit 796a6c4e4e
8 changed files with 117 additions and 92 deletions
--- a/bin/dnssec/dnssectool.h
+++ b/bin/dnssec/dnssectool.h
@@ -31,6 +31,15 @@ extern int verbose;
 /*! program name, statically initialized in each program */
 extern const char *program;

+/*!
+ * List of DS digest types used by dnssec-cds and dnssec-dsfromkey,
+ * defined in dnssectool.c. Filled in by add_dtype() from -a
+ * arguments, sorted (so that DS records are in a canonical order) and
+ * terminated by a zero. The size of the array is an arbitrary limit
+ * which should be greater than the number of known digest types.
+ */
+extern uint8_t dtype[8];
+
 typedef void (fatalcallback_t)(void);

 ISC_PLATFORM_NORETURN_PRE void
@@ -65,11 +74,14 @@ isc_stdtime_t
 strtotime(const char *str, int64_t now, int64_t base,
 	  bool *setp);

+dns_rdataclass_t
+strtoclass(const char *str);
+
 unsigned int
 strtodsdigest(const char *str);

-dns_rdataclass_t
-strtoclass(const char *str);
+void
+add_dtype(unsigned int dt);

 isc_result_t
 try_dir(const char *dirname);