ISC Open Source Projects / BIND / Merge Requests / !1432

Open
Opened Jan 30, 2019 by Tony Finch@fanf

Deprecate SHA-1 DS and CDS digest types

DS and CDS records are now generated with SHA-256 digests only, instead of both SHA-1 and SHA-256. This affects the default output of dnssec-dsfromkey, the dsset files generated by dnssec-signzone, the DS records added to a zone by dnssec-signzone based on keyset files, and the CDS records added to a zone by named and dnssec-signzone based on "sync" timing parameters in key files.

This is a cleanup commit, to prepare the ground before dnssec-checkds is enhanced to support automatic KSK rollovers. As such, I have not (deliberately) changed the behaviour of dnssec-checkds.

The behaviour of dnssec-dsfromkey has changed slightly, so that you can now ask for multiple digest types using the -12a options, similar to dnssec-cds. This allows you to get the old behaviour with dnssec-dsfromkey -12. (This is used by dnssec-checkds and the tests.) Its man page has been updated.

I have updated the tests; they should pass after each commit. I have added entries to the CHANGES and release notes.
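The DS/CDS digest computation that this change narrows to SHA-256, as an added illustration in Python (not BIND's code and not from this merge request): a DS digest is the hash of the owner name in canonical wire form followed by the DNSKEY RDATA (RFC 4034 section 5.1.4), and a CDS record carries exactly the same RDATA under a different type. The default digest_types=(2,) mirrors the new SHA-256-only default; passing (1, 2) mirrors the old behaviour that dnssec-dsfromkey -12 now reproduces; type 4 (SHA-384, RFC 6605) stands in for what -a selects. The function names and the constructed public-key bytes are assumptions made for this example, so the printed digests are illustrative only, not values for any real key.

```python
"""DS / CDS digest generation per RFC 4034 s5.1.4 (SHA-1), RFC 4509 (SHA-256)
and RFC 6605 (SHA-384).  Added illustration, not code from BIND or this MR."""
import hashlib

# IANA "DS RR Digest Types" numbers mapped to hash constructors.
DIGEST_HASHES = {
    1: hashlib.sha1,    # SHA-1: no longer emitted by default after this change
    2: hashlib.sha256,  # SHA-256: the only type emitted by default
    4: hashlib.sha384,  # SHA-384: opt-in (the -a style selection)
}


def name_to_wire(owner: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels,
    terminated by the root label (RFC 4034 s6.2 canonical form)."""
    labels = [lab for lab in owner.lower().rstrip(".").split(".") if lab]
    out = b""
    for label in labels:
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length out of range")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol (always 3), 1-byte algorithm, key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B (algorithms other than 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_records(owner, flags, protocol, algorithm, pubkey, digest_types=(2,)):
    """Return one (key_tag, algorithm, digest_type, HEX_DIGEST) tuple per requested
    digest type.  The default of (2,) matches the SHA-256-only behaviour; (1, 2)
    reproduces the older SHA-1 plus SHA-256 output."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    tag = key_tag(rdata)
    material = name_to_wire(owner) + rdata   # what the digest actually covers
    out = []
    for dt in digest_types:
        if dt not in DIGEST_HASHES:
            raise ValueError(f"unsupported DS digest type {dt}")
        out.append((tag, algorithm, dt, DIGEST_HASHES[dt](material).hexdigest().upper()))
    return out


def format_records(owner, records, rrtype="DS"):
    """Presentation format; rrtype="CDS" gives the child-side copy with identical RDATA."""
    return [f"{owner} IN {rrtype} {tag} {alg} {dt} {hexd}" for tag, alg, dt, hexd in records]


if __name__ == "__main__":
    # Constructed, arbitrary key bytes for a KSK (flags 257 = ZONE|SEP), algorithm 13.
    OWNER = "example.com."
    PUBKEY = bytes(range(64))
    for line in format_records(OWNER, ds_records(OWNER, 257, 3, 13, PUBKEY)):
        print(line)                      # new default: a single SHA-256 DS
    for line in format_records(OWNER, ds_records(OWNER, 257, 3, 13, PUBKEY, (1, 2)), "CDS"):
        print(line)                      # old behaviour (-12): SHA-1 and SHA-256
```

A practical check when comparing against dnssec-dsfromkey output: the key tag and digest must match byte for byte, and a parent that still publishes a digest type 1 DS is relying on SHA-1 collision resistance for the delegation, which is the reason for dropping it from the default output.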

Check out, review, and merge locally

Step 1. Fetch and check out the branch for this merge request

git fetch https://gitlab.isc.org/fanf/bind9.git u/fanf2/ds-sha-1-deprecation
git checkout -b fanf/bind9-u/fanf2/ds-sha-1-deprecation FETCH_HEAD

Step 2. Review the changes locally

Step 3. Merge the branch and fix any conflicts that come up

git fetch origin
git checkout origin/master
git merge --no-ff fanf/bind9-u/fanf2/ds-sha-1-deprecation

Step 4. Push the result of the merge to GitLab

git push origin master

Note that pushing to GitLab requires write access to this repository.


  • Discussion 3
  • Commits 7
  • Pipelines 3
  • Changes 21
Assignee: none
Milestone: BIND 9.15.x
Time tracking: 0
Labels: none
Reference: isc-projects/bind9!1432