Deprecate SHA-1 in dnssec-dsfromkey
This makes the `-12a` options to `dnssec-dsfromkey` work more like `dnssec-cds`, in that you can specify more than one digest and you will get multiple records. (Previously you could only get one non-default digest type at a time.) The default is now `-2`. You can get the old behaviour with `-12`. Tests and tools that use `dnssec-dsfromkey` have been updated to use `-12` where necessary. This is for conformance with the DS/CDS algorithm requirements in https://tools.ietf.org/html/draft-ietf-dnsop-algorithm-update
This commit is contained in:
Tony Finch
Evan Hunt
@@ -44,7 +44,7 @@ tac() {
|
||||
convert() {
|
||||
key=$1
|
||||
n=$2
|
||||
$DSFROMKEY $key >DS.$n
|
||||
$DSFROMKEY -12 $key >DS.$n
|
||||
grep ' 8 1 ' DS.$n >DS.$n-1
|
||||
grep ' 8 2 ' DS.$n >DS.$n-2
|
||||
sed 's/ IN DS / IN CDS /' <DS.$n >>CDS.$n
|
||||
|
||||
Reference in New Issue
Block a user