Deprecate SHA-1 DS and CDS digest types

Tony Finch requested to merge fanf/bind9:u/fanf2/ds-sha-1-deprecation into master

DS and CDS records are now generated with SHA-256 digests only, instead of both SHA-1 and SHA-256. This affects the default output of dnssec-dsfromkey, the dsset files generated by dnssec-signzone, the DS records added to a zone by dnssec-signzone based on keyset files, and the CDS records added to a zone by named and dnssec-signzone based on "sync" timing parameters in key files.

This is a cleanup commit, to prepare the ground before dnssec-checkds is enhanced to support automatic KSK rollovers. As such, I have not (deliberately) changed the behaviour of dnssec-checkds.

The behaviour of dnssec-dsfromkey has changed slightly, so that you can now ask for multiple digest types using the -12a options, similar to dnssec-cds. This allows you to get the old behaviour with dnssec-dsfromkey -12. (This is used by dnssec-checkds and the tests.) Its man page has been updated.

I have updated the tests; they should pass after each commit. I have added entries to the CHANGES and release notes.
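The digest-type change described above, as an added example that is not part of the merge request or of BIND's code: a small Python implementation of DS generation from a DNSKEY (key tag and digest input per RFC 4034), defaulting to SHA-256 only and taking an explicit tuple of digest types for the old SHA-1 plus SHA-256 output. The owner name and key bytes are constructed sample values, not a real key, and the equivalence with `dnssec-dsfromkey -12` is inferred from the description.

```python
import hashlib

# DS digest type numbers from the IANA DS record digest registry.
DS_DIGEST_SHA1 = 1
DS_DIGEST_SHA256 = 2
DIGEST_FUNCS = {DS_DIGEST_SHA1: hashlib.sha1, DS_DIGEST_SHA256: hashlib.sha256}


def canonical_wire_name(owner: str) -> bytes:
    """Owner name in canonical (lowercase) DNS wire format, RFC 4034 section 6.2."""
    labels = [lbl for lbl in owner.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, protocol, algorithm, then the public key bytes."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B (all algorithms except RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_records(owner, flags, protocol, algorithm, pubkey, digest_types=(DS_DIGEST_SHA256,)):
    """Return DS records in presentation format for one DNSKEY.

    The digest input is the canonical owner name followed by the DNSKEY RDATA
    (RFC 4034 section 5.1.4). The default digest_types mirrors the new behaviour
    (SHA-256 only); digest_types=(1, 2) reproduces the old SHA-1 plus SHA-256 output.
    """
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    tag = key_tag(rdata)
    digest_input = canonical_wire_name(owner) + rdata
    records = []
    for dt in digest_types:
        digest = DIGEST_FUNCS[dt](digest_input).hexdigest().upper()
        records.append(f"{owner.rstrip('.')}. IN DS {tag} {algorithm} {dt} {digest}")
    return records


if __name__ == "__main__":
    # Constructed sample: a KSK (flags 257) using algorithm 8 with placeholder key bytes.
    for rec in ds_records("example.com.", 257, 3, 8, b"\x01\x02\x03\x04", digest_types=(1, 2)):
        print(rec)
```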