Commit 8785f6fa authored by Tony Finch's avatar Tony Finch Committed by Evan Hunt

Deprecate SHA-1 CDS records

This affects CDS records generated by `named` and `dnssec-signzone`
based on `-P sync` and `-D sync` key timing instructions.

This is for conformance with the DS/CDS algorithm requirements in
https://tools.ietf.org/html/draft-ietf-dnsop-algorithm-update
parent d8f2eb24
......@@ -1909,8 +1909,8 @@ dns_dnssec_syncupdate(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *rmkeys,
for (key = ISC_LIST_HEAD(*keys);
key != NULL;
key = ISC_LIST_NEXT(key, link)) {
dns_rdata_t cdsrdata1 = DNS_RDATA_INIT;
dns_rdata_t cdsrdata2 = DNS_RDATA_INIT;
dns_rdata_t cds_sha1 = DNS_RDATA_INIT;
dns_rdata_t cds_sha256 = DNS_RDATA_INIT;
dns_rdata_t cdnskeyrdata = DNS_RDATA_INIT;
dns_name_t *origin = dst_key_name(key->key);
......@@ -1918,69 +1918,83 @@ dns_dnssec_syncupdate(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *rmkeys,
&cdnskeyrdata));
/*
* We construct the SHA-1 version of the record so we can
* delete any old records generated by previous versions of
* BIND. We only add SHA-256 records.
*
* XXXMPA we need to be able to specify the DS algorithms
* to be used here and below with rmkeys.
*/
RETERR(dns_ds_buildrdata(origin, &cdnskeyrdata,
DNS_DSDIGEST_SHA1, dsbuf1,
&cdsrdata1));
&cds_sha1));
RETERR(dns_ds_buildrdata(origin, &cdnskeyrdata,
DNS_DSDIGEST_SHA256, dsbuf2,
&cdsrdata2));
&cds_sha256));
/*
* Now that the we have created the DS records convert
* the rdata to CDNSKEY and CDS for comparison.
*/
cdnskeyrdata.type = dns_rdatatype_cdnskey;
cdsrdata1.type = dns_rdatatype_cds;
cdsrdata2.type = dns_rdatatype_cds;
cds_sha1.type = dns_rdatatype_cds;
cds_sha256.type = dns_rdatatype_cds;
if (syncpublish(key->key, now)) {
if (!dns_rdataset_isassociated(cdnskey) ||
!exists(cdnskey, &cdnskeyrdata))
{
RETERR(publish(&cdnskeyrdata, diff, origin,
ttl, mctx));
}
/* Only publish SHA-256 (SHA-1 is deprecated) */
if (!dns_rdataset_isassociated(cds) ||
!exists(cds, &cdsrdata1))
RETERR(publish(&cdsrdata1, diff, origin,
ttl, mctx));
if (!dns_rdataset_isassociated(cds) ||
!exists(cds, &cdsrdata2))
RETERR(publish(&cdsrdata2, diff, origin,
!exists(cds, &cds_sha256))
{
RETERR(publish(&cds_sha256, diff, origin,
ttl, mctx));
}
}
if (dns_rdataset_isassociated(cds) &&
syncdelete(key->key, now)) {
if (exists(cds, &cdsrdata1))
RETERR(delrdata(&cdsrdata1, diff, origin,
syncdelete(key->key, now))
{
/* Delete both SHA-1 and SHA-256 */
if (exists(cds, &cds_sha1)) {
RETERR(delrdata(&cds_sha1, diff, origin,
cds->ttl, mctx));
if (exists(cds, &cdsrdata2))
RETERR(delrdata(&cdsrdata2, diff, origin,
}
if (exists(cds, &cds_sha256)) {
RETERR(delrdata(&cds_sha256, diff, origin,
cds->ttl, mctx));
}
}
if (dns_rdataset_isassociated(cdnskey) &&
syncdelete(key->key, now)) {
if (exists(cdnskey, &cdnskeyrdata))
syncdelete(key->key, now))
{
if (exists(cdnskey, &cdnskeyrdata)) {
RETERR(delrdata(&cdnskeyrdata, diff, origin,
cdnskey->ttl, mctx));
}
}
}
if (!dns_rdataset_isassociated(cds) &&
!dns_rdataset_isassociated(cdnskey))
{
return (ISC_R_SUCCESS);
}
/*
* Unconditionaly remove CDS/DNSKEY records for removed keys.
*/
for (key = ISC_LIST_HEAD(*rmkeys);
key != NULL;
key = ISC_LIST_NEXT(key, link)) {
dns_rdata_t cdsrdata1 = DNS_RDATA_INIT;
dns_rdata_t cdsrdata2 = DNS_RDATA_INIT;
key = ISC_LIST_NEXT(key, link))
{
dns_rdata_t cds_sha1 = DNS_RDATA_INIT;
dns_rdata_t cds_sha256 = DNS_RDATA_INIT;
dns_rdata_t cdnskeyrdata = DNS_RDATA_INIT;
dns_name_t *origin = dst_key_name(key->key);
......@@ -1990,22 +2004,25 @@ dns_dnssec_syncupdate(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *rmkeys,
if (dns_rdataset_isassociated(cds)) {
RETERR(dns_ds_buildrdata(origin, &cdnskeyrdata,
DNS_DSDIGEST_SHA1, dsbuf1,
&cdsrdata1));
&cds_sha1));
RETERR(dns_ds_buildrdata(origin, &cdnskeyrdata,
DNS_DSDIGEST_SHA256, dsbuf2,
&cdsrdata2));
if (exists(cds, &cdsrdata1))
RETERR(delrdata(&cdsrdata1, diff, origin,
&cds_sha256));
if (exists(cds, &cds_sha1)) {
RETERR(delrdata(&cds_sha1, diff, origin,
cds->ttl, mctx));
if (exists(cds, &cdsrdata2))
RETERR(delrdata(&cdsrdata2, diff, origin,
}
if (exists(cds, &cds_sha256)) {
RETERR(delrdata(&cds_sha256, diff, origin,
cds->ttl, mctx));
}
}
if (dns_rdataset_isassociated(cdnskey)) {
if (exists(cdnskey, &cdnskeyrdata))
if (exists(cdnskey, &cdnskeyrdata)) {
RETERR(delrdata(&cdnskeyrdata, diff, origin,
cdnskey->ttl, mctx));
}
}
}
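Review bot: In the syncpublish branch of the second hunk (under the "Only publish SHA-256 (SHA-1 is deprecated)" comment), a SHA-1 CDS record already present in the zone is left in place: cds_sha1 is built, and the comment above the dns_ds_buildrdata calls says it is built "so we can delete any old records generated by previous versions of BIND", but the only deletions of cds_sha1 happen in the syncdelete branch and in the rmkeys loop. If the intent is to stop serving a stale SHA-1 CDS as soon as the SHA-256 one is published, the publish branch presumably needs `if (dns_rdataset_isassociated(cds) && exists(cds, &cds_sha1)) {` / `RETERR(delrdata(&cds_sha1, diff, origin, cds->ttl, mctx));` / `}` next to the SHA-256 publish; if the stale record is meant to persist until the key's sync-delete time, the older comment should say so, since it now reads as a promise the publish path does not keep. The XXXMPA note about making the DS digest algorithms configurable is still accurate after this change and could reference the new cds_sha1/cds_sha256 names. The enclosing function dns_dnssec_syncupdate starts before the first hunk and its tail (after the rmkeys loop) is outside the section.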