"statement\n");
fprintf(stderr, " -a <algorithm>:\n");
if (!isc_crypto_fips_mode()) {
- fprintf(stderr, " RSASHA1 | NSEC3RSASHA1 |\n");
+ fprintf(stderr, " RSASHA1 (deprecated) | NSEC3RSASHA1 "
+ "(deprecated) |\n");
}
fprintf(stderr, " RSASHA256 | RSASHA512 |\n");
fprintf(stderr, " ECDSAP256SHA256 | ECDSAP384SHA384 |\n");
fprintf(stderr, " -3: use NSEC3-capable algorithm\n");
fprintf(stderr, " -b <key size in bits>:\n");
if (!isc_crypto_fips_mode()) {
- fprintf(stderr, " RSASHA1:\t[%d..%d]\n", min_rsa,
- MAX_RSA);
- fprintf(stderr, " NSEC3RSASHA1:\t[%d..%d]\n", min_rsa,
- MAX_RSA);
+ fprintf(stderr, " RSASHA1 (deprecated) :\t[%d..%d]\n",
+ min_rsa, MAX_RSA);
+ fprintf(stderr,
+ " NSEC3RSASHA1 (deprecated) :\t[%d..%d]\n",
+ min_rsa, MAX_RSA);
}
fprintf(stderr, " RSASHA256:\t[%d..%d]\n", min_rsa, MAX_RSA);
fprintf(stderr, " RSASHA512:\t[%d..%d]\n", min_rsa, MAX_RSA);
ctx->setpub = ctx->setact = true;
}
+ switch (ctx->alg) {
+ case DST_ALG_RSASHA1:
+ case DST_ALG_NSEC3RSASHA1:
+ dns_secalg_format(ctx->alg, algstr, sizeof(algstr));
+ fprintf(stderr,
+ "WARNING: DNSKEY algorithm '%s' is deprecated. Please "
+ "migrate to another algorithm\n",
+ algstr);
+ break;
+ default:
+ break;
+ }
+
switch (ctx->alg) {
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
bool has_aaaa = false;
int level;
char namebuf[DNS_NAME_FORMATSIZE];
+ bool logged_algorithm[DST_MAX_ALGS];
+ bool logged_digest_type[DNS_DSDIGEST_MAX + 1];
name = dns_fixedname_initname(&fixed);
bottom = dns_fixedname_initname(&fixedbottom);
dns_dbiterator_pause(dbiterator);
+ /*
+ * Check for deprecated KEY algorithms
+ */
+ result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_key,
+ 0, 0, &rdataset, NULL);
+ if (result != ISC_R_SUCCESS) {
+ goto checkforns;
+ }
+
+ memset(logged_algorithm, 0, sizeof(logged_algorithm));
+ DNS_RDATASET_FOREACH (&rdataset) {
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_rdata_key_t key;
+ dns_rdataset_current(&rdataset, &rdata);
+
+ result = dns_rdata_tostruct(&rdata, &key, NULL);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+ /*
+ * If we ever deprecate a private algorithm use
+ * dst_algorithm_fromdata() here.
+ */
+ switch (key.algorithm) {
+ case DNS_KEYALG_RSASHA1:
+ case DNS_KEYALG_NSEC3RSASHA1:
+ if (!logged_algorithm[key.algorithm]) {
+ char algbuf[DNS_SECALG_FORMATSIZE];
+ dns_name_format(name, namebuf,
+ sizeof(namebuf));
+ dns_secalg_format(key.algorithm, algbuf,
+ sizeof(algbuf));
+ dnssec_log(zone, ISC_LOG_WARNING,
+ "%s/KEY deprecated "
+ "algorithm %u (%s)",
+ namebuf, key.algorithm,
+ algbuf);
+ logged_algorithm[key.algorithm] = true;
+ }
+ break;
+ default:
+ break;
+ }
+ }
+ dns_rdataset_disassociate(&rdataset);
+
+ checkforns:
/*
* Don't check the NS records at the origin.
*/
if (result != ISC_R_SUCCESS) {
goto checkfords;
}
+
/*
* Remember bottom of zone due to NS.
*/
}
}
dns_rdataset_disassociate(&rdataset);
+
+ /*
+ * Check for deprecated DS digest types.
+ */
+ result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_ds,
+ 0, 0, &rdataset, NULL);
+ if (result != ISC_R_SUCCESS) {
+ goto next;
+ }
+
+ memset(logged_algorithm, 0, sizeof(logged_algorithm));
+ memset(logged_digest_type, 0, sizeof(logged_digest_type));
+ DNS_RDATASET_FOREACH (&rdataset) {
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_rdataset_current(&rdataset, &rdata);
+ dns_rdata_ds_t ds;
+
+ result = dns_rdata_tostruct(&rdata, &ds, NULL);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ switch (ds.digest_type) {
+ case DNS_DSDIGEST_SHA1:
+ if (!logged_digest_type[ds.digest_type]) {
+ char algbuf[DNS_DSDIGEST_FORMATSIZE];
+ dns_name_format(name, namebuf,
+ sizeof(namebuf));
+ dns_dsdigest_format(ds.digest_type,
+ algbuf,
+ sizeof(algbuf));
+ dnssec_log(zone, ISC_LOG_WARNING,
+ "%s/DS deprecated digest "
+ "type %u (%s)",
+ namebuf, ds.digest_type,
+ algbuf);
+ logged_digest_type[ds.digest_type] =
+ true;
+ }
+ break;
+ }
+
+ /*
+ * If we ever deprecate a private algorithm use
+ * dst_algorithm_fromdata() here.
+ */
+ switch (ds.algorithm) {
+ case DNS_KEYALG_RSASHA1:
+ case DNS_KEYALG_NSEC3RSASHA1:
+ if (!logged_algorithm[ds.algorithm]) {
+ char algbuf[DNS_SECALG_FORMATSIZE];
+ dns_name_format(name, namebuf,
+ sizeof(namebuf));
+ dns_secalg_format(ds.algorithm, algbuf,
+ sizeof(algbuf));
+ dnssec_log(zone, ISC_LOG_WARNING,
+ "%s/DS deprecated algorithm "
+ "%u (%s)",
+ namebuf, ds.algorithm,
+ algbuf);
+ logged_algorithm[ds.algorithm] = true;
+ }
+ break;
+ }
+ }
+ dns_rdataset_disassociate(&rdataset);
+
goto next;
checkfords:
dns_rdata_dnskey_t dnskey;
dns_rdataset_t rdataset;
isc_result_t result;
+ bool logged_algorithm[DST_MAX_ALGS] = { 0 };
+ bool alldeprecated = true;
result = dns_db_findnode(db, &zone->origin, false, &node);
if (result != ISC_R_SUCCESS) {
}
DNS_RDATASET_FOREACH (&rdataset) {
+ char algbuf[DNS_SECALG_FORMATSIZE];
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdataset_current(&rdataset, &rdata);
result = dns_rdata_tostruct(&rdata, &dnskey, NULL);
algorithm, dnskey.algorithm,
dst_region_computeid(&r));
}
+ switch (dnskey.algorithm) {
+ case DNS_KEYALG_RSAMD5:
+ case DNS_KEYALG_DSA:
+ case DNS_KEYALG_RSASHA1:
+ case DNS_KEYALG_NSEC3DSA:
+ case DNS_KEYALG_NSEC3RSASHA1:
+ case DNS_KEYALG_ECCGOST:
+ if (!logged_algorithm[dnskey.algorithm]) {
+ dns_secalg_format(dnskey.algorithm, algbuf,
+ sizeof(algbuf));
+ dnssec_log(zone, ISC_LOG_WARNING,
+ "deprecated DNSKEY algorithm found: "
+ "%u (%s)\n",
+ dnskey.algorithm, algbuf);
+ logged_algorithm[dnskey.algorithm] = true;
+ }
+ break;
+ default:
+ alldeprecated = false;
+ break;
+ }
}
dns_rdataset_disassociate(&rdataset);
+ if (alldeprecated) {
+ dnssec_log(zone, ISC_LOG_WARNING,
+ "all DNSKEY algorithms found are deprecated");
+ }
+
cleanup:
if (node != NULL) {
dns_db_detachnode(db, &node);
* record which must be by itself.
*/
if (dns_rdataset_isassociated(&cds)) {
+ bool logged_digest_type[DNS_DSDIGEST_MAX + 1] = { 0 };
bool delete = false;
memset(algorithms, notexpected, sizeof(algorithms));
DNS_RDATASET_FOREACH (&cds) {
}
CHECK(dns_rdata_tostruct(&crdata, &structcds, NULL));
+
+ /*
+ * Log deprecated CDS digest types.
+ */
+ switch (structcds.digest_type) {
+ case DNS_DSDIGEST_SHA1:
+ if (!logged_digest_type[structcds.digest_type])
+ {
+ char algbuf[DNS_DSDIGEST_FORMATSIZE];
+ dns_dsdigest_format(
+ structcds.digest_type, algbuf,
+ sizeof(algbuf));
+ dnssec_log(zone, ISC_LOG_WARNING,
+ "deprecated CDS digest type "
+ "%u (%s)",
+ structcds.digest_type,
+ algbuf);
+ logged_digest_type[structcds.digest_type] =
+ true;
+ }
+ break;
+ }
+
if (structcds.algorithm != DNS_KEYALG_PRIVATEDNS &&
structcds.algorithm != DNS_KEYALG_PRIVATEOID)
{
projects / thirdparty / bind9.git / commitdiff
