git.ipfire.org Git - thirdparty/bind9.git/commit

author	Tony Finch <dot@dotat.at>
	Thu, 16 Jan 2020 18:50:59 +0000 (18:50 +0000)
committer	Evan Hunt <each@isc.org>
	Thu, 19 Aug 2021 05:42:00 +0000 (22:42 -0700)
commit	eabf898b36c4cdad06e0379fa95ff80c3489bcd8
tree	59f56671beee1708d8248c2c9c74dd11139c6a36	tree \| snapshot
parent	2eac5781c9e043cad892ba4e2545c9f61d6d06c1	commit \| diff

Suppress SHA-1 DS records in dnssec-cds

Previously, when dnssec-cds copied CDS records to make DS records,
its -a algorithm option did not have any effect. This means that if
the child zone is signed with older software that generates SHA-1 CDS
records, dnssec-cds would (by default) create SHA-1 DS records in
violation of RFC 8624.

This change makes the dnssec-cds -a option apply to CDS records as
well as CDNSKEY records. In the CDS case, the -a algorithms are the
acceptable subset of possible CDS algorithms. If none of the CDS
records are acceptable, dnssec-cds tries to generate DS records from
CDNSKEY records.

bin/dnssec/dnssec-cds.c		diff \| blob \| blame \| history
bin/dnssec/dnssec-cds.rst		diff \| blob \| blame \| history
bin/dnssec/dnssectool.c		diff \| blob \| blame \| history
bin/tests/system/cds/setup.sh		diff \| blob \| blame \| history
bin/tests/system/cds/tests.sh		diff \| blob \| blame \| history
doc/man/dnssec-cds.1in		diff \| blob \| blame \| history