Suppress SHA-1 DS records in dnssec-cds
Previously, when dnssec-cds copied CDS records to make DS records, its -a algorithm option did not have any effect. This means that if the child zone is signed with older software that generates SHA-1 CDS records, dnssec-cds would (by default) create SHA-1 DS records in violation of RFC 8624.
This change makes the dnssec-cds -a option apply to CDS records as well as CDNSKEY records. In the CDS case, the -a algorithms are the acceptable subset of possible CDS algorithms. If none of the CDS records are acceptable, dnssec-cds tries to generate DS records from CDNSKEY records.
Closes #2871 (closed)
Edited by Michał Kępień