[BIND 9.11.11] dnssec-dsfromkey behaviour is inconsistent with manual
Summary
On BIND 9.11.11, dnssec-dsfromkey behaviour is inconsistent with the manual.
The command emits both SHA-1 and SHA-256 digests, but the manual says the default is SHA-256.
BIND version used
BIND 9.11.11 (Extended Support Version) <id:4ae9ff1>
running on Linux x86_64 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1+deb9u5 (2019-08-11)
built by make with '--enable-dnstap' '--without-python'
compiled by GCC 6.3.0 20170516
compiled with OpenSSL version: OpenSSL 1.1.0k 28 May 2019
linked to OpenSSL version: OpenSSL 1.1.0k 28 May 2019
compiled with libxml2 version: 2.9.4
linked to libxml2 version: 20904
compiled with zlib version: 1.2.8
linked to zlib version: 1.2.8
threads support is enabled
Steps to reproduce
- run dnssec-dsfromkey without an explicit digest algorithm specified:
$ dig -t DNSKEY . | dnssec-dsfromkey -f - .
What is the current bug behavior?
It emits both SHA-1 and SHA-256 DS resource records.
. IN DS 20326 8 1 AE1EA5B974D4C858B740BD03E3CED7EBFCBD1724
. IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
What is the expected correct behavior?
It should emit the SHA-256 DS resource record only.
. IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
The manual (dnssec-dsfromkey.8) says:
-a algorithm
    Specify a digest algorithm to use when converting DNSKEY records to DS records. This option can be repeated, so that multiple DS records are created for each DNSKEY record. The algorithm must be one of SHA-1, SHA-256, or SHA-384. These values are case insensitive, and the hyphen may be omitted. If no algorithm is specified, the default is SHA-256.
Relevant configuration files
(Not applicable)
Relevant logs and/or screenshots
(See above)
Possible fixes
I'm not confident, but I guess the manual has been changed accidentally.
If the implementation code is correct, the manual should be fixed:
--- bin/dnssec/dnssec-dsfromkey.docbook.orig 2019-09-09 23:48:35.000000000 +0900
+++ bin/dnssec/dnssec-dsfromkey.docbook 2019-09-21 01:11:30.689905192 +0900
@@ -177,7 +177,7 @@
The <replaceable>algorithm</replaceable> must be one of
SHA-1, SHA-256, or SHA-384. These values are case insensitive,
and the hyphen may be omitted. If no algorithm is specified,
- the default is SHA-256.
+ the default is both SHA-1 and SHA-256.
</para>
</listitem>
</varlistentry>
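Review bot: documenting "both SHA-1 and SHA-256" as the default codifies emitting a SHA-1 DS record by default, which RFC 8624 (section 3.3) lists as MUST NOT for DS records in new delegations; the code change proposed further down (default SHA-256 only) is the better direction, and then the manual's existing sentence "the default is SHA-256." stands as-is. If the manual route is chosen anyway, the text should also say that -1, -2 or -a turn off the two-record default, since the code clears `both` for each of those flags.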
The description is from commit 0a20176c, which is cherry-picked from commit fb9bc8f8.
If the manual is correct, the code should be fixed:
--- bin/dnssec/dnssec-dsfromkey.c.orig 2019-09-09 23:48:35.000000000 +0900
+++ bin/dnssec/dnssec-dsfromkey.c 2019-09-21 01:14:01.374525192 +0900
@@ -351,9 +351,8 @@
char *lookaside = NULL;
char *endp;
int ch;
- dns_dsdigest_t dtype = DNS_DSDIGEST_SHA1;
+ dns_dsdigest_t dtype = DNS_DSDIGEST_SHA256;
bool cds = false;
- bool both = true;
bool usekeyset = false;
bool showall = false;
isc_result_t result;
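Review bot: with `both` removed from the declarations, every remaining reference has to go in the same change or the file will not compile; the later hunks drop the three `both = false` assignments and the two `if (both)` blocks, but any use outside these hunks (for example in usage() or help text describing the default) should be checked before merging.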
@@ -383,18 +382,15 @@
switch (ch) {
case '1':
dtype = DNS_DSDIGEST_SHA1;
- both = false;
break;
case '2':
dtype = DNS_DSDIGEST_SHA256;
- both = false;
break;
case 'A':
showall = true;
break;
case 'a':
algname = isc_commandline_argument;
- both = false;
break;
case 'C':
if (lookaside != NULL)
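Review bot: deleting `both = false` from `case 'a'` is only safe if `algname` is still mapped onto `dtype` later; that mapping is outside the hunk, so confirm it runs unchanged, otherwise `-a sha1` would be accepted but the SHA-256 default emitted. Note also that the legacy `-1` and `-2` flags now behave exactly like `-a SHA-1` and `-a SHA-256`, which the manual entries for those flags should reflect.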
@@ -537,13 +533,7 @@
if (verbose > 2)
logkey(&rdata);
- if (both) {
- emit(DNS_DSDIGEST_SHA1, showall, lookaside,
- cds, &rdata);
- emit(DNS_DSDIGEST_SHA256, showall, lookaside,
- cds, &rdata);
- } else
- emit(dtype, showall, lookaside, cds, &rdata);
+ emit(dtype, showall, lookaside, cds, &rdata);
}
} else {
unsigned char key_buf[DST_KEY_MAXSIZE];
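Review bot: the unconditional `emit(dtype, showall, lookaside, cds, &rdata);` is correct only together with the first hunk's change of the default `dtype` to DNS_DSDIGEST_SHA256; applied on its own, a run with no algorithm given would produce a SHA-1-only DS record, which is worse than the current two-record output, so these hunks must land as one commit. Collapsing the brace-less `} else` over a multi-line statement is a readability gain in its own right.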
@@ -551,13 +541,7 @@
loadkey(argv[isc_commandline_index], key_buf,
DST_KEY_MAXSIZE, &rdata);
- if (both) {
- emit(DNS_DSDIGEST_SHA1, showall, lookaside, cds,
- &rdata);
- emit(DNS_DSDIGEST_SHA256, showall, lookaside, cds,
- &rdata);
- } else
- emit(dtype, showall, lookaside, cds, &rdata);
+ emit(dtype, showall, lookaside, cds, &rdata);
}
if (dns_rdataset_isassociated(&rdataset))
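Review bot: this is the same edit as the previous hunk at the second emit site (the key-file path, after loadkey()); the two emitting paths duplicate the algorithm-selection logic, so a small helper taking `dtype` would keep them from drifting apart again if multi-digest output is ever reintroduced.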