Deprecate SHA-1 DS and CDS digest types
DS and CDS records are now generated with SHA-256 digests only, instead of both SHA-1 and SHA-256. This affects the default output of dsset files generated by dnssec-signzone, the DS records added to a zone by dnssec-signzone based on keyset files, and the CDS records added to a zone by dnssec-signzone based on "sync" timing parameters in key files.
This is a cleanup commit, to prepare the ground before
dnssec-checkds is enhanced to support automatic KSK rollovers.
As such, I have not (deliberately) changed the behaviour of
The behaviour of
dnssec-dsfromkey has changed slightly, so that
you can now ask for multiple digest types using the
dnssec-cds. This allows you to get the old behaviour with
(This is used by
dnssec-checkds and the tests.) Its man page has been updated.
I have updated the tests; they should pass after each commit. I have added entries to the CHANGES and release notes.
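
A check a zone operator might run after this change, as an added example that is not part of the merge request or of BIND: it scans dsset-style DS/CDS records and reports any that still use a SHA-1 digest or whose digest length does not match its digest type. The sample records are constructed, the `audit` name is hypothetical, and one record per line is assumed.

```python
import re

# DS digest type number -> (name, expected hex length)
DIGESTS = {1: ("SHA-1", 40), 2: ("SHA-256", 64), 4: ("SHA-384", 96)}

# Constructed dsset-style input (placeholder digests, not real keys).
SAMPLE = "\n".join([
    "; constructed sample records",
    "example.com. IN DS 12345 13 2 " + "A1" * 16 + " " + "B2" * 16,  # wrapped SHA-256
    "example.com. IN DS 12345 13 1 " + "C3" * 20,                    # SHA-1
    "example.com. 3600 IN CDS 12345 13 2 " + "D4" * 32,              # SHA-256 with TTL
    "example.com. IN CDS 12345 13 1 " + "E5" * 20,                   # SHA-1
    "example.com. IN DS 54321 8 2 " + "F6" * 30,                     # truncated digest
    "example.com. IN DNSKEY 257 3 13 AAAA",                          # not DS/CDS
])


def audit(text):
    """Return (owner, rrtype, key_tag, digest_name, problem) for each bad record."""
    findings = []
    for line in text.splitlines():
        tokens = line.split(";", 1)[0].split()  # drop trailing comments
        # Locate the record type; index 0 is the owner name, never the type.
        idx = next((i for i, t in enumerate(tokens)
                    if i > 0 and t.upper() in ("DS", "CDS")), None)
        if idx is None or len(tokens) < idx + 5:
            continue
        try:
            key_tag, _alg, dtype = (int(t) for t in tokens[idx + 1:idx + 4])
        except ValueError:
            continue
        digest = "".join(tokens[idx + 4:])  # long digests are split by spaces
        name, hexlen = DIGESTS.get(dtype, (f"type {dtype}", None))
        if dtype == 1:
            problem = "deprecated SHA-1 digest"
        elif hexlen is None:
            problem = "digest type not in table"
        elif len(digest) != hexlen or not re.fullmatch(r"[0-9A-Fa-f]+", digest):
            problem = "malformed digest"
        else:
            continue
        findings.append((tokens[0], tokens[idx].upper(), key_tag, name, problem))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```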