Re: DS Algorithm selection and SHA1 deprecation
For what it is worth, in implementing this draft, I found the
word "prefer" to be very poorly defined. So much so that the
code needed to be commented to make the intent clear.
At this stage I have no intention of implementing the MAY.
Apart from that and the already mentioned typo it was fine.
Mark
@@ -1678,6 +1678,7 @@
dns_rdata_rrsig_t sig;
dst_key_t *dstkey;
isc_boolean_t supported_algorithm;
+ isc_uint8_t digest_type;
/*
* Caller must be holding the validator lock.
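Review bot: `digest_type` is declared here without an initializer and is only assigned some 160 lines further down, just before the DS loop; initialising it at the declaration (`isc_uint8_t digest_type = DNS_DSDIGEST_SHA1;`) keeps the SHA-1 default visible next to the declaration and guards any later path that reaches the DS handling without passing the assignment.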
@@ -1840,6 +1841,25 @@
supported_algorithm = ISC_FALSE;
+ /*
+ * If DNS_DSDIGEST_SHA256 is present we are required to prefer
+ * it over DNS_DSDIGEST_SHA1. This in practice means that we
+ * need to ignore DNS_DSDIGEST_SHA1 if a DNS_DSDIGEST_SHA256
+ * is present.
+ */
+ digest_type = DNS_DSDIGEST_SHA1;
+ for (result = dns_rdataset_first(val->dsset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(val->dsset)) {
+ dns_rdata_reset(&dsrdata);
+ dns_rdataset_current(val->dsset, &dsrdata);
+ dns_rdata_tostruct(&dsrdata, &ds, NULL);
+ if (ds.digest_type == DNS_DSDIGEST_SHA256) {
+ digest_type = DNS_DSDIGEST_SHA256;
+ break;
+ }
+ }
+
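Review bot: the hunk header announces 25 added lines but the body posted here ends at the blank `+` line, so the code that actually skips a DS record whose `ds.digest_type` differs from the selected `digest_type` is not visible; as shown, the loop only chooses a digest type and the "ignore SHA-1" behaviour described in the comment is not yet implemented in the hunk. On the visible lines, `dns_rdata_tostruct(&dsrdata, &ds, NULL)` returns an `isc_result_t` that is discarded, and the preference is decided by the mere presence of any SHA-256 DS, without regard to whether that DS refers to a DNSKEY algorithm this validator supports; the comment should state whether a DS set containing only an unusable SHA-256 DS and a usable SHA-1 DS is meant to validate via SHA-1 or to be treated as unsigned, since that choice decides whether a mismatched SHA-256 DS can downgrade the zone.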
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org