Deprecate SHA-1 DS digests in `dnssec-signzone`
authorTony Finch <dot@dotat.at>
Wed, 30 Jan 2019 18:04:52 +0000 (18:04 +0000)
committerEvan Hunt <each@isc.org>
Thu, 9 May 2019 01:17:55 +0000 (18:17 -0700)
This affects two cases:

  * When writing a `dsset` file for this zone, to be used by its
    parent, only write a SHA-256 DS record.

  * When reading a `keyset` file for a child, to generate DS records
    to include in this zone, generate SHA-256 DS records only.

This change does not affect digests used in CDS records.

This is for conformance with the DS/CDS algorithm requirements in
https://tools.ietf.org/html/draft-ietf-dnsop-algorithm-update

bin/dnssec/dnssec-signzone.c
bin/tests/system/dnssec/tests.sh

index 9530bfe4e6c95f6efd1268c41044f2afaf6c11cb..f3a24cb1c33c90bbf611e93ed84931a5d680e459 100644 (file)
@@ -987,16 +987,6 @@ loadds(dns_name_t *name, uint32_t ttl, dns_rdataset_t *dsset) {
                dns_rdata_init(&key);
                dns_rdata_init(&ds);
                dns_rdataset_current(&keyset, &key);
-               result = dns_ds_buildrdata(name, &key, DNS_DSDIGEST_SHA1,
-                                          dsbuf, &ds);
-               check_result(result, "dns_ds_buildrdata");
-
-               result = dns_difftuple_create(mctx, DNS_DIFFOP_ADDRESIGN, name,
-                                             ttl, &ds, &tuple);
-               check_result(result, "dns_difftuple_create");
-               dns_diff_append(&diff, &tuple);
-
-               dns_rdata_reset(&ds);
                result = dns_ds_buildrdata(name, &key, DNS_DSDIGEST_SHA256,
                                           dsbuf, &ds);
                check_result(result, "dns_ds_buildrdata");
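Review bot: After the deletion the loop in loadds() builds a single SHA-256 DS per DNSKEY, but nothing in the code records that SHA-1 was dropped deliberately, so a later reader seeing one dns_ds_buildrdata call may reinstate DNS_DSDIGEST_SHA1 for "completeness". A one-line comment above the surviving call would pin the policy: `/* SHA-1 DS digests are deprecated; emit only SHA-256 (draft-ietf-dnsop-algorithm-update). */`. The same comment belongs above the surviving SHA-256 call in the writeset() hunk at -2995. loadds() starts and ends outside this hunk.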
@@ -2995,19 +2985,6 @@ writeset(const char *prefix, dns_rdatatype_t type) {
                isc_buffer_usedregion(&b, &r);
                dns_rdata_fromregion(&rdata, gclass, dns_rdatatype_dnskey, &r);
                if (type != dns_rdatatype_dnskey) {
-                       result = dns_ds_buildrdata(gorigin, &rdata,
-                                                  DNS_DSDIGEST_SHA1,
-                                                  dsbuf, &ds);
-                       check_result(result, "dns_ds_buildrdata");
-                       if (type == dns_rdatatype_dlv)
-                               ds.type = dns_rdatatype_dlv;
-                       result = dns_difftuple_create(mctx,
-                                                     DNS_DIFFOP_ADDRESIGN,
-                                                     name, 0, &ds, &tuple);
-                       check_result(result, "dns_difftuple_create");
-                       dns_diff_append(&diff, &tuple);
-
-                       dns_rdata_reset(&ds);
                        result = dns_ds_buildrdata(gorigin, &rdata,
                                                   DNS_DSDIGEST_SHA256,
                                                   dsbuf, &ds);
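Review bot: The removed SHA-1 branch carried the override `if (type == dns_rdatatype_dlv) ds.type = dns_rdatatype_dlv;` directly after its dns_ds_buildrdata call, and the lines that follow the surviving SHA-256 call are outside this hunk, so it is worth confirming that the same override is still applied on the SHA-256 path; if it was only present in the deleted block, a dlvset file would now be written with DS-typed records. If the override does survive, the point is moot and this hunk is fine. writeset() begins and ends outside the hunk.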
@@ -3018,11 +2995,12 @@ writeset(const char *prefix, dns_rdatatype_t type) {
                                                      DNS_DIFFOP_ADDRESIGN,
                                                      name, 0, &ds, &tuple);
 
-               } else
+               } else {
                        result = dns_difftuple_create(mctx,
                                                      DNS_DIFFOP_ADDRESIGN,
                                                      gorigin, zone_soa_min_ttl,
                                                      &rdata, &tuple);
+               }
                check_result(result, "dns_difftuple_create");
                dns_diff_append(&diff, &tuple);
        }
index 5dc48d7cf875f9bc9c37a725c191a502b42ae264..a60c0f069696948546858c99aab724bd98525161 100644 (file)
@@ -2752,7 +2752,7 @@ status=$((status+ret))
 echo_i "check dnssec-dsfromkey from stdin ($n)"
 ret=0
 dig_with_opts dnskey algroll. @10.53.0.2 | \
-        $DSFROMKEY -12 -f - algroll. > dig.out.ns2.test$n || ret=1
+        $DSFROMKEY -f - algroll. > dig.out.ns2.test$n || ret=1
 NF=$(awk '{print NF}' dig.out.ns2.test$n | sort -u)
 [ "${NF}" = 7 ] || ret=1
 # make canonical
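Review bot: Dropping `-12` means the test no longer states which digest types dnssec-dsfromkey is expected to emit, and the only assertion kept is the field count, which is 7 for a DS line of any digest type. If the intent is that only SHA-256 DS records are produced, pin it with a check on the digest-type field in the same style as the NF check: `[ "$(awk '{print $6}' dig.out.ns2.test$n | sort -u)" = 2 ] || ret=1`. Without it a regression that re-adds SHA-1 output would pass this test unnoticed.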