From: Matthijs Mekking Date: Mon, 30 Jan 2023 10:20:53 +0000 (+0100) Subject: Add configuration cds-digest-type X-Git-Tag: v9.19.11~14^2~13 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2742fe656f93502dca99a1dda05384502d287f14;p=thirdparty%2Fbind9.git Add configuration cds-digest-type Add the 'cds-digest-type' configuration option to 'dnssec-policy'. --- diff --git a/bin/named/config.c b/bin/named/config.c index 2ae6ac8e7ec..7e6391b1b71 100644 --- a/bin/named/config.c +++ b/bin/named/config.c @@ -294,6 +294,7 @@ dnssec-policy \"default\" {\n\ csk key-directory lifetime unlimited algorithm 13;\n\ };\n\ \n\ + cds-digest-type 2;\n\ dnskey-ttl " DNS_KASP_KEY_TTL ";\n\ publish-safety " DNS_KASP_PUBLISH_SAFETY "; \n\ retire-safety " DNS_KASP_RETIRE_SAFETY "; \n\ diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index 4a159e72efb..0cc405c1ebd 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst @@ -6257,6 +6257,13 @@ retired when the existing key's lifetime ends. The following options can be specified in a :any:`dnssec-policy` statement: +.. namedconf:statement:: cds-digest-type + :tags: dnssec + :short: Specifies the digest type to use for CDS resource records. + + This indicates the digest type to use when generating CDS resource + records. The default is SHA-256. + .. namedconf:statement:: dnskey-ttl :tags: dnssec :short: Specifies the time to live (TTL) for DNSKEY resource records. diff --git a/doc/misc/dnssec-policy.default.conf b/doc/misc/dnssec-policy.default.conf index 00b8a14656d..2cce43cca64 100644 --- a/doc/misc/dnssec-policy.default.conf +++ b/doc/misc/dnssec-policy.default.conf @@ -18,6 +18,7 @@ dnssec-policy "default" { }; // Key timings + cds-digest-type 2; dnskey-ttl 3600; publish-safety 1h; retire-safety 1h; diff --git a/doc/misc/options b/doc/misc/options index d665a1f07c6..eda2fec2871 100644 --- a/doc/misc/options +++ b/doc/misc/options 
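Review bot: The built-in default policy string encodes the new option as the bare number `cds-digest-type 2;\n\` while reference.rst describes the default as SHA-256, so a reader of this table has to know the DS digest registry to see that the two agree. If `dns_dsdigest_fromtext()` (the parser the kaspconf.c hunk applies to this value) accepts the mnemonic, `cds-digest-type SHA-256;\n\` would make the compiled-in default self-describing; I have not verified which spellings that function accepts. The same numeric literal appears in doc/misc/dnssec-policy.default.conf, which must stay byte-for-byte in sync with this string either way, and there it lands directly under the `// Key timings` heading although it is not a timing value.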
@@ -11,6 +11,7 @@ dlz { }; // may occur multiple times dnssec-policy { + cds-digest-type ; dnskey-ttl ; keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime algorithm [ ]; ... }; max-zone-ttl ; diff --git a/lib/isccfg/kaspconf.c b/lib/isccfg/kaspconf.c index de41e8a0ab0..f7d5e31ee77 100644 --- a/lib/isccfg/kaspconf.c +++ b/lib/isccfg/kaspconf.c @@ -307,10 +307,12 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, dns_kasp_t *default_kasp, const cfg_obj_t *koptions = NULL; const cfg_obj_t *keys = NULL; const cfg_obj_t *nsec3 = NULL; + const cfg_obj_t *obj = NULL; const cfg_listelt_t *element = NULL; const char *kaspname = NULL; dns_kasp_t *kasp = NULL; size_t i = 0; + unsigned int cds_digesttype = DNS_DSDIGEST_SHA256; uint32_t sigrefresh = 0, sigvalidity = 0; uint32_t dnskeyttl = 0, dsttl = 0, maxttl = 0; uint32_t publishsafety = 0, retiresafety = 0; @@ -408,6 +410,34 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, dns_kasp_t *default_kasp, dns_kasp_setparentpropagationdelay(kasp, parentpropdelay); /* Configuration: Keys */ + (void)confget(maps, "cds-digest-type", &obj); + if (obj != NULL) { + isc_textregion_t r; + dns_dsdigest_t alg; + const char *str = cfg_obj_asstring(obj); + + DE_CONST(str, r.base); + r.length = strlen(str); + result = dns_dsdigest_fromtext(&alg, &r); + if (result != ISC_R_SUCCESS) { + cfg_obj_log(obj, logctx, ISC_LOG_ERROR, + "dnssec-policy: bad cds digest-type %s", + str); + result = DNS_R_BADALG; + goto cleanup; + } + if (!dst_ds_digest_supported(alg)) { + cfg_obj_log(obj, logctx, ISC_LOG_ERROR, + "dnssec-policy: unsupported cds " + "digest-type %s", + str); + result = DST_R_UNSUPPORTEDALG; + goto cleanup; + } + cds_digesttype = (unsigned int)alg; + } + dns_kasp_setcdsdigesttype(kasp, cds_digesttype); + dnskeyttl = get_duration(maps, "dnskey-ttl", DNS_KASP_KEY_TTL); dns_kasp_setdnskeyttl(kasp, dnskeyttl); diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c index 80df843cc1d..d246e04e8dd 100644 --- a/lib/isccfg/namedconf.c 
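Review bot: The new `cds-digest-type` handling in cfg_kasp_fromconfig rejects only what `dst_ds_digest_supported()` cannot compute, so a digest type the crypto backend still implements but that is deprecated for DS/CDS publication (SHA-1, type 1, and GOST where built in) is accepted without any log line; a `cfg_obj_log(obj, logctx, ISC_LOG_WARNING, ...)` for digest types older than SHA-256 would tell an operator they are publishing CDS records that RFC 8624 tells parents and validators to disregard, if that matches how the rest of the policy code treats deprecated algorithms. Separately, both error strings call the option "cds digest-type" while the clause is `cds-digest-type`; `"dnssec-policy: bad cds-digest-type %s"` and `"dnssec-policy: unsupported cds-digest-type %s"` would make the log line match the config keyword. cfg_kasp_fromconfig begins and ends outside this hunk, so I could not check whether `result` is initialised before the first `goto cleanup` on the early-return paths.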
+++ b/lib/isccfg/namedconf.c @@ -2193,6 +2193,7 @@ static cfg_type_t cfg_type_validityinterval = { * Clauses that can be found in a 'dnssec-policy' statement. */ static cfg_clausedef_t dnssecpolicy_clauses[] = { + { "cds-digest-type", &cfg_type_astring, 0 }, { "dnskey-ttl", &cfg_type_duration, 0 }, { "keys", &cfg_type_kaspkeys, 0 }, { "max-zone-ttl", &cfg_type_duration, 0 },