Deprecate SHA-1 DS digests in dnssec-signzone

This affects two cases:

  * When writing a `dsset` file for this zone, to be used by its
    parent, only write a SHA-256 DS record.

  * When reading a `keyset` file for a child, to generate DS records
    to include in this zone, generate SHA-256 DS records only.

This change does not affect digests used in CDS records.

This is for conformance with the DS/CDS algorithm requirements in
https://tools.ietf.org/html/draft-ietf-dnsop-algorithm-update
Tony Finch
2019-01-30 18:04:52 +00:00
committed by Evan Hunt
parent 129b731273
commit d8f2eb249a
2 changed files with 3 additions and 25 deletions
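To make the DS derivation behind this change concrete, here is an added Python example (not BIND's own code) that builds a dsset-style DS line from a DNSKEY using SHA-256 (digest type 2) only, following the RFC 4034 wire format and key-tag calculation. The owner name, the 64-byte key material and the function names are constructed for illustration.

```python
import base64
import hashlib
import struct

# Constructed DNSKEY for this example (not a real key): KSK flags 257,
# protocol 3, algorithm 13 (ECDSAP256SHA256), 64-byte placeholder public key.
EXAMPLE_NAME = "Example."
EXAMPLE_DNSKEY = (257, 3, 13, base64.b64encode(bytes([0x11] * 64)).decode())

# Only SHA-256 (type 2) is offered; SHA-1 (type 1) is deliberately absent.
DIGEST_TYPES = {2: hashlib.sha256}

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def dnskey_rdata(flags: int, proto: int, alg: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, raw key."""
    return struct.pack("!HBB", flags, proto, alg) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (for algorithms other than RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_records(name, flags, proto, alg, pubkey_b64, digest_types=(2,)):
    """Return dsset-style DS lines; digest = H(canonical owner name | RDATA)."""
    rdata = dnskey_rdata(flags, proto, alg, pubkey_b64)
    tag = key_tag(rdata)
    owner = name.lower() if name.endswith(".") else name.lower() + "."
    lines = []
    for dt in digest_types:
        if dt not in DIGEST_TYPES:
            raise ValueError(f"digest type {dt} not supported (SHA-1 is deprecated)")
        digest = DIGEST_TYPES[dt](name_to_wire(name) + rdata).hexdigest().upper()
        lines.append(f"{owner} IN DS {tag} {alg} {dt} {digest}")
    return lines

if __name__ == "__main__":
    for line in ds_records(EXAMPLE_NAME, *EXAMPLE_DNSKEY):
        print(line)
```

Each emitted line has the seven fields (owner, class, type, key tag, algorithm, digest type, digest) that the test below counts with `NF`.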


@@ -2752,7 +2752,7 @@ status=$((status+ret))
echo_i "check dnssec-dsfromkey from stdin ($n)"
ret=0
dig_with_opts dnskey algroll. @10.53.0.2 | \
$DSFROMKEY -12 -f - algroll. > dig.out.ns2.test$n || ret=1
$DSFROMKEY -f - algroll. > dig.out.ns2.test$n || ret=1
NF=$(awk '{print NF}' dig.out.ns2.test$n | sort -u)
[ "${NF}" = 7 ] || ret=1
# make canonical
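Review bot: with `-12` dropped, the remaining `[ "${NF}" = 7 ]` check only counts fields, so it passes for any digest type as long as every DS line has seven fields and would not notice if the default changed back or a SHA-1 record slipped through. Since the point of this change is that only SHA-256 DS records are produced, consider also asserting on the digest-type column (field 6 of the seven-field output), for example `[ "$(awk '{print $6}' dig.out.ns2.test$n | sort -u)" = 2 ] || ret=1`.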