]> git.ipfire.org Git - thirdparty/pdns.git/commitdiff
projects / thirdparty / pdns.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 2e7166c)
pdnsutil: skip SHA1 DSes except in verbose mode, fixes #11045 11067/head
authorPeter van Dijk <peter.van.dijk@powerdns.com>
Fri, 3 Dec 2021 11:38:25 +0000 (12:38 +0100)
committerPeter van Dijk <peter.van.dijk@powerdns.com>
Fri, 3 Dec 2021 11:40:18 +0000 (12:40 +0100)
docs/upgrading.rst patch | blob | blame | history
pdns/pdnsutil.cc patch | blob | blame | history

diff --git a/docs/upgrading.rst b/docs/upgrading.rst
index b754d09d70718b4db48733d81543e378d60ac9a0..de34d38030ce4768e001b820d05a27287d19b515 100644 (file)
--- a/docs/upgrading.rst
+++ b/docs/upgrading.rst
@@ -26,6 +26,11 @@ New default NSEC3 parameters
 
 Following `draft-ietf-dnsop-nsec3-guidance (Guidance for NSEC3 parameter settings) <https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-nsec3-guidance>`__, the default NSEC3PARAM settings (see :ref:`dnssec-operational-nsec-modes-params`) in pdnsutil are now `1 0 0 -` instead of `1 0 1 ab`.
 
+SHA1 DSes
+^^^^^^^^^
+
+``pdnsutil show-zone`` and ``pdnsutil export-zone-ds`` no longer emit SHA1 DS records, unless ``--verbose`` is in use.
+
 4.4.x to 4.5.0
 --------------
 
diff --git a/pdns/pdnsutil.cc b/pdns/pdnsutil.cc
index da2e60e7ab114420261192d61379aeba2332c3b8..130fc2a4ee881b608f75d267bb234f9536ce0434 100644 (file)
--- a/pdns/pdnsutil.cc
+++ b/pdns/pdnsutil.cc
@@ -1965,7 +1965,9 @@ static bool showZone(DNSSECKeeper& dk, const DNSName& zone, bool exportDS = fals
       }
 
       const std::string prefix(exportDS ? "" : "DS = ");
-      cout<<prefix<<zone.toString()<<" IN DS "<<makeDSFromDNSKey(zone, key, DNSSECKeeper::DIGEST_SHA1).getZoneRepresentation() << " ; ( SHA1 digest )" << endl;
+      if (g_verbose) {
+        cout<<prefix<<zone.toString()<<" IN DS "<<makeDSFromDNSKey(zone, key, DNSSECKeeper::DIGEST_SHA1).getZoneRepresentation() << " ; ( SHA1 digest )" << endl;
+      }
       cout<<prefix<<zone.toString()<<" IN DS "<<makeDSFromDNSKey(zone, key, DNSSECKeeper::DIGEST_SHA256).getZoneRepresentation() << " ; ( SHA256 digest )" << endl;
       try {
         string output=makeDSFromDNSKey(zone, key, DNSSECKeeper::DIGEST_GOST).getZoneRepresentation();
@@ -2016,7 +2018,9 @@ static bool showZone(DNSSECKeeper& dk, const DNSName& zone, bool exportDS = fals
       if (value.second.keyType == DNSSECKeeper::KSK || value.second.keyType == DNSSECKeeper::CSK) {
         const auto &key = value.first.getDNSKEY();
         const std::string prefix(exportDS ? "" : "DS = ");
-        cout<<prefix<<zone.toString()<<" IN DS "<<makeDSFromDNSKey(zone, key, DNSSECKeeper::DIGEST_SHA1).getZoneRepresentation() << " ; ( SHA1 digest )" << endl;
+        if (g_verbose) {
+          cout<<prefix<<zone.toString()<<" IN DS "<<makeDSFromDNSKey(zone, key, DNSSECKeeper::DIGEST_SHA1).getZoneRepresentation() << " ; ( SHA1 digest )" << endl;
+        }
         cout<<prefix<<zone.toString()<<" IN DS "<<makeDSFromDNSKey(zone, key, DNSSECKeeper::DIGEST_SHA256).getZoneRepresentation() << " ; ( SHA256 digest )" << endl;
         try {
           string output=makeDSFromDNSKey(zone, key, DNSSECKeeper::DIGEST_GOST).getZoneRepresentation();
Unnamed repository; edit this file 'description' to name the repository.