Deprecate SHA-1 in dnssec-dsfromkey

This makes the `-12a` options to `dnssec-dsfromkey` work more like `dnssec-cds`, in that you can specify more than one digest and you will get multiple records. (Previously you could only get one non-default digest type at a time.) The default is now `-2`. You can get the old behaviour with `-12`. Tests and tools that use `dnssec-dsfromkey` have been updated to use `-12` where necessary. This is for conformance with the DS/CDS algorithm requirements in https://tools.ietf.org/html/draft-ietf-dnsop-algorithm-update
2019-01-31 17:05:57 +00:00
parent a177b07da1
commit 796a6c4e4e
8 changed files with 117 additions and 92 deletions
--- a/bin/tests/system/cds/setup.sh
+++ b/bin/tests/system/cds/setup.sh
@@ -44,7 +44,7 @@ tac() {
 convert() {
 	key=$1
 	n=$2
-	$DSFROMKEY $key >DS.$n
+	$DSFROMKEY -12 $key >DS.$n
 	grep ' 8 1 ' DS.$n >DS.$n-1
 	grep ' 8 2 ' DS.$n >DS.$n-2
 	sed 's/ IN DS / IN CDS /' <DS.$n >>CDS.$n
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -2752,7 +2752,7 @@ status=$((status+ret))
 echo_i "check dnssec-dsfromkey from stdin ($n)"
 ret=0
 dig_with_opts dnskey algroll. @10.53.0.2 | \
-        $DSFROMKEY -f - algroll. > dig.out.ns2.test$n || ret=1
+        $DSFROMKEY -12 -f - algroll. > dig.out.ns2.test$n || ret=1
 NF=$(awk '{print NF}' dig.out.ns2.test$n | sort -u)
 [ "${NF}" = 7 ] || ret=1
 # make canonical
@@ -3337,7 +3337,7 @@ echo update delete cds-update.secure CDS
 echo send
 dig_with_opts +noall +answer @10.53.0.2 dnskey cds-update.secure |
 grep "DNSKEY.257" |
-$DSFROMKEY -C -f - -T 1 cds-update.secure |
+$DSFROMKEY -12 -C -f - -T 1 cds-update.secure |
 sed "s/^/update add /"
 echo send
 ) | $NSUPDATE
@@ -3360,7 +3360,7 @@ echo update delete cds-kskonly.secure CDS
 echo send
 dig_with_opts +noall +answer @10.53.0.2 dnskey cds-kskonly.secure |
 grep "DNSKEY.257" |
-$DSFROMKEY -C -f - -T 1 cds-kskonly.secure |
+$DSFROMKEY -12 -C -f - -T 1 cds-kskonly.secure |
 sed "s/^/update add /"
 echo send
 ) | $NSUPDATE
@@ -3394,11 +3394,11 @@ echo update delete cds-update.secure CDS
 echo send
 dig_with_opts +noall +answer @10.53.0.2 dnskey cds-update.secure |
 grep "DNSKEY.257" |
-$DSFROMKEY -C -f - -T 1 cds-update.secure |
+$DSFROMKEY -12 -C -f - -T 1 cds-update.secure |
 sed "s/^/update add /"
 dig_with_opts +noall +answer @10.53.0.2 dnskey cds-update.secure |
 grep "DNSKEY.257" | sed 's/DNSKEY.257/DNSKEY 258/' |
-$DSFROMKEY -C -A -f - -T 1 cds-update.secure |
+$DSFROMKEY -12 -C -A -f - -T 1 cds-update.secure |
 sed "s/^/update add /"
 echo send
 ) | $NSUPDATE