Deprecate SHA-1 in dnssec-dsfromkey

This makes the `-12a` options to `dnssec-dsfromkey` work more like
`dnssec-cds`, in that you can specify more than one digest and you
will get multiple records. (Previously you could only get one
non-default digest type at a time.)

The default is now `-2`. You can get the old behaviour with `-12`.

Tests and tools that use `dnssec-dsfromkey` have been updated to use
`-12` where necessary.

This is for conformance with the DS/CDS algorithm requirements in
https://tools.ietf.org/html/draft-ietf-dnsop-algorithm-update
Tony Finch
2019-01-31 17:05:57 +00:00
committed by Evan Hunt
parent a177b07da1
commit 796a6c4e4e
8 changed files with 117 additions and 92 deletions


@@ -115,7 +115,7 @@ def check(zone, args):
klist = []
if args.masterfile:
cmd = [args.dsfromkey, "-f", args.masterfile]
cmd = [args.dsfromkey, "-12f", args.masterfile]
if args.lookaside:
cmd += ["-l", args.lookaside]
cmd.append(zone)
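Review bot: The bundled `-12f` here deliberately keeps SHA-1 DS records in the checker's output even though this commit moves the tool's default to SHA-256 only; a short comment stating why SHA-1 is still required at this call site (for example, to match DS records a parent zone may still publish with digest type 1) would stop a later cleanup from silently switching it to `-2f` and breaking the comparison. Splitting the flags into `"-1", "-2", "-f"` would also make the digest choice easier to spot than a single `-12f` token.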
@@ -123,7 +123,7 @@ def check(zone, args):
else:
intods, _ = Popen([args.dig, "+noall", "+answer", "-t", "dnskey",
"-q", zone], stdout=PIPE).communicate()
cmd = [args.dsfromkey, "-f", "-"]
cmd = [args.dsfromkey, "-12f", "-"]
if args.lookaside:
cmd += ["-l", args.lookaside]
cmd.append(zone)
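Review bot: This is the same `-12` digest selection as in the masterfile branch of the preceding hunk, so the choice of DS digest types is now duplicated in two places; factoring it into one variable (something like `digests = ["-1", "-2"]`, then `cmd = [args.dsfromkey] + digests + ["-f", "-"]`) would make the eventual removal of SHA-1 a one-line change and keep both branches from drifting apart.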