Add configuration cds-digest-type

Add the 'cds-digest-type' configuration option to 'dnssec-policy'.

diff --git a/bin/named/config.c b/bin/named/config.c
index 2ae6ac8e7ecb437ca3e9a15366738f1c8dcdd22e..7e6391b1b714fb1bce41f261037fadd732ff1315 100644 (file)
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -294,6 +294,7 @@ dnssec-policy \"default\" {\n\
                csk key-directory lifetime unlimited algorithm 13;\n\
        };\n\
 \n\
+       cds-digest-type 2;\n\
        dnskey-ttl " DNS_KASP_KEY_TTL ";\n\
        publish-safety " DNS_KASP_PUBLISH_SAFETY "; \n\
        retire-safety " DNS_KASP_RETIRE_SAFETY "; \n\

diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
index 4a159e72efb1856abdec2d82283f3bf5d2d4bf00..0cc405c1ebd0d4064399f13f1ae62472cbf69fa7 100644 (file)
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@@ -6257,6 +6257,13 @@ retired when the existing key's lifetime ends.
 
 The following options can be specified in a :any:`dnssec-policy` statement:
 
+.. namedconf:statement:: cds-digest-type
+   :tags: dnssec
+   :short: Specifies the digest type to use for CDS resource records.
+
+    This indicates the digest type to use when generating CDS resource
+    records. The default is SHA-256.
+
 .. namedconf:statement:: dnskey-ttl
    :tags: dnssec
    :short: Specifies the time to live (TTL) for DNSKEY resource records.

diff --git a/doc/misc/dnssec-policy.default.conf b/doc/misc/dnssec-policy.default.conf
index 00b8a14656db66b977e2d51ef191f757cda3e124..2cce43cca641342cb40dcb021c5bda428c4e3abc 100644 (file)
--- a/doc/misc/dnssec-policy.default.conf
+++ b/doc/misc/dnssec-policy.default.conf
@@ -18,6 +18,7 @@ dnssec-policy "default" {
        };
 
        // Key timings
+       cds-digest-type 2;
        dnskey-ttl 3600;
        publish-safety 1h;
        retire-safety 1h;

diff --git a/doc/misc/options b/doc/misc/options
index d665a1f07c69e07793111cec9baa303fb3b082bc..eda2fec28711ca46ea0a8d17f45ddfcf7dc9593f 100644 (file)
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -11,6 +11,7 @@ dlz <string> {
 }; // may occur multiple times
 
 dnssec-policy <string> {
+       cds-digest-type <string>;
        dnskey-ttl <duration>;
        keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime <duration_or_unlimited> algorithm <string> [ <integer> ]; ... };
        max-zone-ttl <duration>;

diff --git a/lib/isccfg/kaspconf.c b/lib/isccfg/kaspconf.c
index de41e8a0ab061c58335ccc440d20c1eaa320e3db..f7d5e31ee775578f9750fab6276bd0523c4c8ac2 100644 (file)
--- a/lib/isccfg/kaspconf.c
+++ b/lib/isccfg/kaspconf.c
@@ -307,10 +307,12 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, dns_kasp_t *default_kasp,
        const cfg_obj_t *koptions = NULL;
        const cfg_obj_t *keys = NULL;
        const cfg_obj_t *nsec3 = NULL;
+       const cfg_obj_t *obj = NULL;
        const cfg_listelt_t *element = NULL;
        const char *kaspname = NULL;
        dns_kasp_t *kasp = NULL;
        size_t i = 0;
+       unsigned int cds_digesttype = DNS_DSDIGEST_SHA256;
        uint32_t sigrefresh = 0, sigvalidity = 0;
        uint32_t dnskeyttl = 0, dsttl = 0, maxttl = 0;
        uint32_t publishsafety = 0, retiresafety = 0;
@@ -408,6 +410,34 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, dns_kasp_t *default_kasp,
        dns_kasp_setparentpropagationdelay(kasp, parentpropdelay);
 
        /* Configuration: Keys */
+       (void)confget(maps, "cds-digest-type", &obj);
+       if (obj != NULL) {
+               isc_textregion_t r;
+               dns_dsdigest_t alg;
+               const char *str = cfg_obj_asstring(obj);
+
+               DE_CONST(str, r.base);
+               r.length = strlen(str);
+               result = dns_dsdigest_fromtext(&alg, &r);
+               if (result != ISC_R_SUCCESS) {
+                       cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+                                   "dnssec-policy: bad cds digest-type %s",
+                                   str);
+                       result = DNS_R_BADALG;
+                       goto cleanup;
+               }
+               if (!dst_ds_digest_supported(alg)) {
+                       cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+                                   "dnssec-policy: unsupported cds "
+                                   "digest-type %s",
+                                   str);
+                       result = DST_R_UNSUPPORTEDALG;
+                       goto cleanup;
+               }
+               cds_digesttype = (unsigned int)alg;
+       }
+       dns_kasp_setcdsdigesttype(kasp, cds_digesttype);
+
        dnskeyttl = get_duration(maps, "dnskey-ttl", DNS_KASP_KEY_TTL);
        dns_kasp_setdnskeyttl(kasp, dnskeyttl);
 

diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index 80df843cc1df132b2a6b0e95baec6a9380572fb7..d246e04e8dd7cfc83681b38b1a975c3b308d10af 100644 (file)
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -2193,6 +2193,7 @@ static cfg_type_t cfg_type_validityinterval = {
  * Clauses that can be found in a 'dnssec-policy' statement.
  */
 static cfg_clausedef_t dnssecpolicy_clauses[] = {
+       { "cds-digest-type", &cfg_type_astring, 0 },
        { "dnskey-ttl", &cfg_type_duration, 0 },
        { "keys", &cfg_type_kaspkeys, 0 },
        { "max-zone-ttl", &cfg_type_duration, 0 },