Suppress SHA-1 DS records in dnssec-cds

Tony Finch requested to merge fanf/bind9:u/fanf2/dnssec-cds-no-sha1 into main

Previously, when dnssec-cds copied CDS records to make DS records, its -a algorithm option did not have any effect. This means that if the child zone is signed with older software that generates SHA-1 CDS records, dnssec-cds would (by default) create SHA-1 DS records in violation of RFC 8624.

This change makes the dnssec-cds -a option apply to CDS records as well as CDNSKEY records. In the CDS case, the -a algorithms are the acceptable subset of possible CDS algorithms. If none of the CDS records are acceptable, dnssec-cds tries to generate DS records from CDNSKEY records.

Edited by Ondřej Surý
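The selection rule described in the merge request, as an added example that is not BIND's own dnssec-cds code: a Python model in which the acceptable digest types (the `-a` set) first filter the child's CDS records, and only if none survive are DS records derived from the CDNSKEY records instead. The DS derivation follows RFC 4034 (digest over the canonical owner name plus DNSKEY RDATA, key tag from Appendix B); the owner name, key bytes and CDS records below are constructed sample values, and the "one DS per acceptable digest type" fallback is an assumption of this model.

```python
"""Model of the CDS/CDNSKEY -> DS selection the merge request describes (example, not BIND code)."""
import hashlib
import struct
from typing import Iterable, List, NamedTuple, Set

# DS digest type numbers from the IANA DS RR digest algorithm registry.
DIGEST_SHA1 = 1      # deprecated for DS by RFC 8624
DIGEST_SHA256 = 2
DIGEST_SHA384 = 4
HASHERS = {DIGEST_SHA1: hashlib.sha1, DIGEST_SHA256: hashlib.sha256, DIGEST_SHA384: hashlib.sha384}


class DS(NamedTuple):
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # lowercase hex, as in presentation format


class DNSKEY(NamedTuple):
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes


def name_to_wire(name: str) -> bytes:
    """Encode an absolute owner name in canonical (lowercase) wire format."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(key: DNSKEY) -> bytes:
    """DNSKEY RDATA: flags (16 bit), protocol (8 bit), algorithm (8 bit), public key."""
    return struct.pack("!HBB", key.flags, key.protocol, key.algorithm) + key.public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (not applicable to the obsolete RSAMD5 algorithm 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, key: DNSKEY, digest_type: int) -> DS:
    """RFC 4034 section 5.1.4: digest = hash(canonical owner name | DNSKEY RDATA)."""
    rdata = dnskey_rdata(key)
    digest = HASHERS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return DS(key_tag(rdata), key.algorithm, digest_type, digest)


def select_ds(owner: str, cds: Iterable[DS], cdnskey: Iterable[DNSKEY],
              acceptable: Set[int]) -> List[DS]:
    """Apply the -a set: keep acceptable CDS records; otherwise build DS from CDNSKEY.

    The fallback emits one DS per CDNSKEY per acceptable digest type (assumed here).
    """
    accepted = [r for r in cds if r.digest_type in acceptable]
    if accepted:
        return accepted
    return [ds_from_dnskey(owner, k, dt) for k in cdnskey for dt in sorted(acceptable)]


# Constructed sample data: a KSK (flags 257) using ECDSAP256SHA256 (algorithm 13)
# with a placeholder 4-byte "public key", and a SHA-1-only CDS published by the child.
SAMPLE_OWNER = "example."
SAMPLE_KEY = DNSKEY(flags=257, protocol=3, algorithm=13, public_key=bytes([1, 2, 3, 4]))
SAMPLE_SHA1_CDS = DS(key_tag=2068, algorithm=13, digest_type=DIGEST_SHA1, digest="00" * 20)

if __name__ == "__main__":
    # Old behaviour: SHA-1 accepted, so the SHA-1 CDS is copied straight into a DS.
    print(select_ds(SAMPLE_OWNER, [SAMPLE_SHA1_CDS], [SAMPLE_KEY], {DIGEST_SHA1, DIGEST_SHA256}))
    # New behaviour with the default -a SHA-256: no CDS is acceptable, so the DS
    # is generated from the CDNSKEY instead.
    print(select_ds(SAMPLE_OWNER, [SAMPLE_SHA1_CDS], [SAMPLE_KEY], {DIGEST_SHA256}))
```

Running the block prints the two outcomes side by side: with SHA-1 in the acceptable set the child's SHA-1 CDS passes through unchanged, while with only SHA-256 acceptable the result is a SHA-256 DS computed from the CDNSKEY, which is the RFC 8624-conformant output the change aims for.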