From: Tony Finch
Date: Wed, 30 Jan 2019 18:04:52 +0000 (+0000)
Subject: Deprecate SHA-1 DS digests in `dnssec-signzone`
X-Git-Tag: v9.15.0~6^2~2
X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=d8f2eb249a729ff0a18aa348c14c3785dbb78ce2;p=thirdparty%2Fbind9.git

Deprecate SHA-1 DS digests in `dnssec-signzone`

This affects two cases:

* When writing a `dsset` file for this zone, to be used by its parent, only write a SHA-256 DS record.

* When reading a `keyset` file for a child, to generate DS records to include in this zone, generate SHA-256 DS records only.

This change does not affect digests used in CDS records.

This is for conformance with the DS/CDS algorithm requirements in https://tools.ietf.org/html/draft-ietf-dnsop-algorithm-update
---

diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index 9530bfe4e6c..f3a24cb1c33 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -987,16 +987,6 @@ loadds(dns_name_t *name, uint32_t ttl, dns_rdataset_t *dsset) {
     dns_rdata_init(&key);
     dns_rdata_init(&ds);
     dns_rdataset_current(&keyset, &key);
-    result = dns_ds_buildrdata(name, &key, DNS_DSDIGEST_SHA1,
-    dsbuf, &ds);
-    check_result(result, "dns_ds_buildrdata");
-
-    result = dns_difftuple_create(mctx, DNS_DIFFOP_ADDRESIGN, name,
-    ttl, &ds, &tuple);
-    check_result(result, "dns_difftuple_create");
-    dns_diff_append(&diff, &tuple);
-
-    dns_rdata_reset(&ds);
     result = dns_ds_buildrdata(name, &key, DNS_DSDIGEST_SHA256,
     dsbuf, &ds);
     check_result(result, "dns_ds_buildrdata");
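Review bot: The digest type is now hard-coded as `DNS_DSDIGEST_SHA256` at two independent sites, here in loadds and again in the first writeset hunk, with nothing at either site recording that SHA-1 is omitted on purpose, so a maintainer reading only the code could re-add the SHA-1 tuple "for compatibility". A one-line comment at the surviving `dns_ds_buildrdata` call, `/* Only a SHA-256 DS is emitted; SHA-1 DS digests are deliberately not generated (draft-ietf-dnsop-algorithm-update). */`, would make the policy visible where it is enforced. It would also be tidier to name the digest once, e.g. `static const dns_dsdigest_t ds_digest_type = DNS_DSDIGEST_SHA256;` at file scope, and pass that at both call sites so the policy lives in one place. loadds continues outside the hunk.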
@@ -2995,19 +2985,6 @@ writeset(const char *prefix, dns_rdatatype_t type) {
     isc_buffer_usedregion(&b, &r);
     dns_rdata_fromregion(&rdata, gclass, dns_rdatatype_dnskey, &r);
     if (type != dns_rdatatype_dnskey) {
-    result = dns_ds_buildrdata(gorigin, &rdata,
-    DNS_DSDIGEST_SHA1,
-    dsbuf, &ds);
-    check_result(result, "dns_ds_buildrdata");
-    if (type == dns_rdatatype_dlv)
-    ds.type = dns_rdatatype_dlv;
-    result = dns_difftuple_create(mctx,
-    DNS_DIFFOP_ADDRESIGN,
-    name, 0, &ds, &tuple);
-    check_result(result, "dns_difftuple_create");
-    dns_diff_append(&diff, &tuple);
-
-    dns_rdata_reset(&ds);
     result = dns_ds_buildrdata(gorigin, &rdata,
     DNS_DSDIGEST_SHA256,
     dsbuf, &ds);
@@ -3018,11 +2995,12 @@ writeset(const char *prefix, dns_rdatatype_t type) {
     DNS_DIFFOP_ADDRESIGN,
     name, 0, &ds, &tuple);
-    } else
+    } else {
     result = dns_difftuple_create(mctx,
     DNS_DIFFOP_ADDRESIGN,
     gorigin, zone_soa_min_ttl,
     &rdata, &tuple);
+    }
     check_result(result, "dns_difftuple_create");
     dns_diff_append(&diff, &tuple);
     }
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 5dc48d7cf87..a60c0f06969 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -2752,7 +2752,7 @@ status=$((status+ret))
 echo_i "check dnssec-dsfromkey from stdin ($n)"
 ret=0
 dig_with_opts dnskey algroll. @10.53.0.2 | \
-    $DSFROMKEY -12 -f - algroll. > dig.out.ns2.test$n || ret=1
+    $DSFROMKEY -f - algroll. > dig.out.ns2.test$n || ret=1
 NF=$(awk '{print NF}' dig.out.ns2.test$n | sort -u)
 [ "${NF}" = 7 ] || ret=1
 # make canonical
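Review bot: Dropping `-12` leaves this check dependent on whatever digest type dnssec-dsfromkey emits by default, which this commit does not pin, so a later change to that default would silently alter the output this test goes on to canonicalise and (presumably) compare, without the test stating what it expects. Making the expectation explicit, `$DSFROMKEY -2 -f - algroll. > dig.out.ns2.test$n || ret=1`, keeps the test asserting SHA-256 specifically, which is what the dsset output of dnssec-signzone now contains. The `NF = 7` field count cannot distinguish a SHA-1 row from a SHA-256 row on its own, so the digest-type expectation has to come from the flag or from the comparison that follows the hunk.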