mirrors/dns
1
0
Fork 0
mirror of https://github.com/miekg/dns.git synced 2025-10-18 13:21:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

DNSSEC: remove deprecated algorithms (RFC 6944) (#970)

Browse Source 
This removes RSAMD5 as an algorithm you can use. BIND also has
deprecated *all* DSA algos which is more involved can removes more
helper codes as well, so that should be done in a new PR.

See #968

Signed-off-by: Miek Gieben <miek@miek.nl>
This commit is contained in:
Miek Gieben 2019-05-20 07:44:43 +01:00 committed by GitHub
parent d49318b5a0
commit 0930b62a13
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 10 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
README.md
View File

@ -152,6 +152,7 @@ Example programs can be found in the `github.com/miekg/exdns` repository.
* 6844 - CAA record * 6844 - CAA record
* 6891 - EDNS0 update * 6891 - EDNS0 update
* 6895 - DNS IANA considerations * 6895 - DNS IANA considerations
* 6944 - DNSSEC DNSKEY Algorithm Status
* 6975 - Algorithm Understanding in DNSSEC * 6975 - Algorithm Understanding in DNSSEC
* 7043 - EUI48/EUI64 records * 7043 - EUI48/EUI64 records
* 7314 - DNS (EDNS) EXPIRE Option * 7314 - DNS (EDNS) EXPIRE Option

3
dnssec.go
View File

@ -318,6 +318,9 @@ func (rr *RRSIG) Sign(k crypto.Signer, rrset []RR) error {
} }
rr.Signature = toBase64(signature) rr.Signature = toBase64(signature)
case RSAMD5:
// See RFC 6944.
return ErrAlg
default: default:
h := hash.New() h := hash.New()
h.Write(signdata) h.Write(signdata)

6
dnssec_keygen.go
View File

@ -20,11 +20,13 @@ import (
// bits should be set to the size of the algorithm. // bits should be set to the size of the algorithm.
func (k *DNSKEY) Generate(bits int) (crypto.PrivateKey, error) { func (k *DNSKEY) Generate(bits int) (crypto.PrivateKey, error) {
switch k.Algorithm { switch k.Algorithm {
case RSAMD5:
return nil, ErrAlg
case DSA, DSANSEC3SHA1: case DSA, DSANSEC3SHA1:
if bits != 1024 { if bits != 1024 {
return nil, ErrKeySize return nil, ErrKeySize
} }
case RSAMD5, RSASHA1, RSASHA256, RSASHA1NSEC3SHA1: case RSASHA1, RSASHA256, RSASHA1NSEC3SHA1:
if bits < 512 || bits > 4096 { if bits < 512 || bits > 4096 {
return nil, ErrKeySize return nil, ErrKeySize
} }
@ -60,7 +62,7 @@ func (k *DNSKEY) Generate(bits int) (crypto.PrivateKey, error) {
} }
k.setPublicKeyDSA(params.Q, params.P, params.G, priv.PublicKey.Y) k.setPublicKeyDSA(params.Q, params.P, params.G, priv.PublicKey.Y)
return priv, nil return priv, nil
case RSAMD5, RSASHA1, RSASHA256, RSASHA512, RSASHA1NSEC3SHA1: case RSASHA1, RSASHA256, RSASHA512, RSASHA1NSEC3SHA1:
priv, err := rsa.GenerateKey(rand.Reader, bits) priv, err := rsa.GenerateKey(rand.Reader, bits)
if err != nil { if err != nil {
return nil, err return nil, err

4
dnssec_keyscan.go
View File

@ -44,6 +44,8 @@ func (k *DNSKEY) ReadPrivateKey(q io.Reader, file string) (crypto.PrivateKey, er
return nil, ErrPrivKey return nil, ErrPrivKey
} }
switch uint8(algo) { switch uint8(algo) {
case RSAMD5:
return nil, ErrAlg
case DSA: case DSA:
priv, err := readPrivateKeyDSA(m) priv, err := readPrivateKeyDSA(m)
if err != nil { if err != nil {
@ -55,8 +57,6 @@ func (k *DNSKEY) ReadPrivateKey(q io.Reader, file string) (crypto.PrivateKey, er
} }
priv.PublicKey = *pub priv.PublicKey = *pub
return priv, nil return priv, nil
case RSAMD5:
fallthrough
case RSASHA1: case RSASHA1:
fallthrough fallthrough
case RSASHA1NSEC3SHA1: case RSASHA1NSEC3SHA1: