From a660ce6dbfc4182922eea8e548eb504af31b6cc1 Mon Sep 17 00:00:00 2001 From: Otto Date: Wed, 27 Oct 2021 12:01:09 +0200 Subject: [PATCH] A SHA-384 DS should not trump a SHA-256 one, so only potentially zap SHA-1 --- pdns/recursordist/test-syncres_cc9.cc | 4 ++-- pdns/syncres.cc | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/pdns/recursordist/test-syncres_cc9.cc b/pdns/recursordist/test-syncres_cc9.cc index d296f25bf4..48094541e5 100644 --- a/pdns/recursordist/test-syncres_cc9.cc +++ b/pdns/recursordist/test-syncres_cc9.cc @@ -819,9 +819,9 @@ BOOST_AUTO_TEST_CASE(test_getDSRecords_multialgo_all_sha) dsmap_t ds; auto state = sr->getDSRecords(target, ds, false, 0, false); BOOST_CHECK_EQUAL(state, vState::Secure); - BOOST_REQUIRE_EQUAL(ds.size(), 1U); + BOOST_REQUIRE_EQUAL(ds.size(), 2U); for (const auto& i : ds) { - BOOST_CHECK_EQUAL(i.d_digesttype, DNSSECKeeper::DIGEST_SHA384); + BOOST_CHECK(i.d_digesttype == DNSSECKeeper::DIGEST_SHA384 || i.d_digesttype == DNSSECKeeper::DIGEST_SHA256); } } diff --git a/pdns/syncres.cc b/pdns/syncres.cc index e962cf7fea..2740d452f4 100644 --- a/pdns/syncres.cc +++ b/pdns/syncres.cc @@ -2585,10 +2585,10 @@ vState SyncRes::getDSRecords(const DNSName& zone, dsmap_t& ds, bool taOnly, unsi /* RFC 4509 section 3: "Validator implementations SHOULD ignore DS RRs containing SHA-1 * digests if DS RRs with SHA-256 digests are present in the DS RRset." - * As SHA348 is specified as well, the spirit of the this line is "use the best algorithm". + * We interpret that as: do not use SHA-1 if SHA-256 or SHA-384 is available */ for (auto dsrec = ds.begin(); dsrec != ds.end(); ) { - if (dsrec->d_digesttype != bestDigestType) { + if (dsrec->d_digesttype == DNSSECKeeper::DIGEST_SHA1 && dsrec->d_digesttype != bestDigestType) { dsrec = ds.erase(dsrec); } else { -- 2.47.2
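Review bot: The loosened loop assertion, `BOOST_CHECK(i.d_digesttype == DNSSECKeeper::DIGEST_SHA384 || i.d_digesttype == DNSSECKeeper::DIGEST_SHA256);`, together with `ds.size() == 2U` would also pass for a result holding two SHA-256 or two SHA-384 entries, so the test no longer proves that the SHA-256 DS survived next to the SHA-384 one, which is the behaviour the commit title claims. Asserting each type exactly once pins that down, e.g. `BOOST_CHECK_EQUAL(std::count_if(ds.begin(), ds.end(), [](const auto& d) { return d.d_digesttype == DNSSECKeeper::DIGEST_SHA256; }), 1);` and the same line for `DIGEST_SHA384`, in place of the loop. The DS fixture this test case feeds into getDSRecords is outside the hunk, so confirm it really carries exactly one DS of each type before tightening the check.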
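Review bot: The new condition is wider than the comment above it: it erases SHA-1 DS records whenever `bestDigestType` is anything other than SHA-1, not only when a SHA-256 or SHA-384 DS is present as the comment states. Whether that matters depends on how `bestDigestType` is computed, which is outside this hunk; if it can be an unsupported or unknown digest type, a DS RRset of SHA-1 plus such a type would lose its only validatable DS and the zone would fail validation instead of validating via SHA-1, whereas RFC 4509 section 3 only asks to ignore SHA-1 when SHA-256 is present. Either restrict the test to the types the comment names, `if (dsrec->d_digesttype == DNSSECKeeper::DIGEST_SHA1 && (bestDigestType == DNSSECKeeper::DIGEST_SHA256 || bestDigestType == DNSSECKeeper::DIGEST_SHA384)) {`, or, if `bestDigestType` is already limited to supported digests, reword the comment to "do not use SHA-1 if a stronger supported digest type is available" so that comment and code state the same policy. The enclosing getDSRecords body starts and ends outside this hunk.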