From: Peter van Dijk <peter.van.dijk@powerdns.com>
Date: Mon, 8 Jul 2019 08:44:15 +0000 (+0200)
Subject: Backport #7976: Make pdnsutil set-publish-cds default to SHA-256 only
X-Git-Tag: auth-4.2.0-rc3~19^2~4
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=c5bfe29344c799c03d0f139d11a9cc39d7299d54;p=pdns

Backport #7976: Make pdnsutil set-publish-cds default to SHA-256 only
---

diff --git a/docs/manpages/pdnsutil.1.rst b/docs/manpages/pdnsutil.1.rst
index 63b19bf59..72cdf6a72 100644
--- a/docs/manpages/pdnsutil.1.rst
+++ b/docs/manpages/pdnsutil.1.rst
@@ -109,7 +109,7 @@ unset-nsec3 *ZONE*
 set-publish-cds *ZONE* [*DIGESTALGOS*]
     Set *ZONE* to respond to queries for its CDS records. the optional
     argument *DIGESTALGOS* should be a comma-separated list of DS
-    algorithms to use. By default, this is 1,2 (SHA1 and SHA2-256).
+    algorithms to use. By default, this is 2 (SHA-256).
 set-publish-cdnskey *ZONE*
     Set *ZONE* to publish CDNSKEY records.
 unset-publish-cds *ZONE*
diff --git a/pdns/pdnsutil.cc b/pdns/pdnsutil.cc
index 5bea46eb9..ed3bf5d3d 100644
--- a/pdns/pdnsutil.cc
+++ b/pdns/pdnsutil.cc
@@ -2017,7 +2017,7 @@ try
     cout<<"set-presigned ZONE                 Use presigned RRSIGs from storage"<<endl;
     cout<<"set-publish-cdnskey ZONE           Enable sending CDNSKEY responses for ZONE"<<endl;
     cout<<"set-publish-cds ZONE [DIGESTALGOS] Enable sending CDS responses for ZONE, using DIGESTALGOS as signature algorithms"<<endl;
-    cout<<"                                   DIGESTALGOS should be a comma separated list of numbers, it is '1,2' by default"<<endl;
+    cout<<"                                   DIGESTALGOS should be a comma separated list of numbers, it is '2' by default"<<endl;
     cout<<"add-meta ZONE KIND VALUE           Add zone metadata, this adds to the existing KIND"<<endl;
     cout<<"                   [VALUE ...]"<<endl;
     cout<<"set-meta ZONE KIND [VALUE] [VALUE] Set zone metadata, optionally providing a value. *No* value clears meta"<<endl;
@@ -2575,7 +2575,7 @@ try
 
     // If DIGESTALGOS is unset
     if(cmds.size() == 2)
-      cmds.push_back("1,2");
+      cmds.push_back("2");
 
     if (! dk.setPublishCDS(DNSName(cmds[1]), cmds[2])) {
       cerr << "Could not set publishing for CDS records for "<< cmds[1]<<endl;
diff --git a/regression-tests/tests/publishing-cds-cdnskey/expected_result b/regression-tests/tests/publishing-cds-cdnskey/expected_result
index 0c709606d..15fdc7680 100644
--- a/regression-tests/tests/publishing-cds-cdnskey/expected_result
+++ b/regression-tests/tests/publishing-cds-cdnskey/expected_result
@@ -1,4 +1,3 @@
-0	secure-delegated.dnssec-parent.com.	IN	CDS	86400	54319 8 1 a28ebe791e9cc7f4c2821131be367326ddd7434c
 0	secure-delegated.dnssec-parent.com.	IN	CDS	86400	54319 8 2 a0b9c38cd324182af0ef66830d0a0e85a1d58979c9834e18c871779e040857b7
 0	secure-delegated.dnssec-parent.com.	IN	RRSIG	86400	CDS 8 3 86400 [expiry] [inception] [keytag] secure-delegated.dnssec-parent.com. ...
 0	secure-delegated.dnssec-parent.com.	IN	RRSIG	86400	CDS 8 3 86400 [expiry] [inception] [keytag] secure-delegated.dnssec-parent.com. ...
@@ -12,14 +11,12 @@ Reply to question for qname='secure-delegated.dnssec-parent.com.', qtype=CDS
 Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
 Reply to question for qname='secure-delegated.dnssec-parent.com.', qtype=CDNSKEY
 0	secure-delegated.dnssec-parent.com.	IN	CDNSKEY	86400	257 3 8 AwEAAZd9R7SWWGqA12oG7Ls+h3b0/IAyMj/Pqn/ZuKWM/OdpxT/cn2xwLDhkdmqP/pUqAzvyFPyd4kTqrmLfbohBwA7+07pBVa4qf/jxlHivdMNUD72H+dUYqBlmhCC6l3eG+8FZi2tkdwn8kUoa9kyLMtrEaFnOd/oUQbmNvIDp+8VWv1cSnRJ8UXKdXLl0smpvC7h1K2AUiC5oGIYQTCYWwYRM1wCbb+q1fbFCdkbI7OQW/h7Pj30eLpIuz0bJj4vdKXXZHK8clSdTMAFm6rQsNDI0w7QdCgaDmTn3b6TF2UJi4eDnh7uDbSpUd1mI5XWNw4C6WrUmebFLfiry6vqdiIc=
-0	secure-delegated.dnssec-parent.com.	IN	CDS	86400	54319 8 1 a28ebe791e9cc7f4c2821131be367326ddd7434c
 0	secure-delegated.dnssec-parent.com.	IN	CDS	86400	54319 8 2 a0b9c38cd324182af0ef66830d0a0e85a1d58979c9834e18c871779e040857b7
 0	secure-delegated.dnssec-parent.com.	IN	RRSIG	86400	CDNSKEY 8 3 86400 [expiry] [inception] [keytag] secure-delegated.dnssec-parent.com. ...
 0	secure-delegated.dnssec-parent.com.	IN	RRSIG	86400	CDNSKEY 8 3 86400 [expiry] [inception] [keytag] secure-delegated.dnssec-parent.com. ...
 0	secure-delegated.dnssec-parent.com.	IN	RRSIG	86400	CDS 8 3 86400 [expiry] [inception] [keytag] secure-delegated.dnssec-parent.com. ...
 0	secure-delegated.dnssec-parent.com.	IN	RRSIG	86400	CDS 8 3 86400 [expiry] [inception] [keytag] secure-delegated.dnssec-parent.com. ...
 0	cdnskey-cds-test.com.	IN	CDS	86400
-0	cdnskey-cds-test.com.	IN	CDS	86400
 0	cdnskey-cds-test.com.	IN	RRSIG	86400
 2	.	IN	OPT	32768	
 Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
@@ -31,6 +28,5 @@ Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
 Reply to question for qname='cdnskey-cds-test.com.', qtype=CDNSKEY
 0	cdnskey-cds-test.com.	IN	CDNSKEY	86400
 0	cdnskey-cds-test.com.	IN	CDS	86400
-0	cdnskey-cds-test.com.	IN	CDS	86400
 0	cdnskey-cds-test.com.	IN	RRSIG	86400
 0	cdnskey-cds-test.com.	IN	RRSIG	86400