
authorCasey Deccio <casey@deccio.net>2021-01-08 08:26:05 +0300
committerCasey Deccio <casey@deccio.net>2021-01-09 03:07:33 +0300
commit7a4b641806356df72095d794773790a97b4ced94 (patch)
treea81150a9b01de13b57b1f4910614b84c02214d5c
parent22cdb21932a5e9f3aac5ab77dedb1a845a585768 (diff)
Warn if using prohibited or not recommended algorithm
-rw-r--r--dnsviz/analysis/status.py12
1 files changed, 5 insertions, 7 deletions
diff --git a/dnsviz/analysis/status.py b/dnsviz/analysis/status.py
index ea81ebf..914d53a 100644
--- a/dnsviz/analysis/status.py
+++ b/dnsviz/analysis/status.py
@@ -416,9 +416,13 @@ class DSStatus(object):
# Independent of whether or not we considered the digest for
# validation, issue a warning if we are using a digest type for which
- # validation has been prohibited.
+ # validation or publishing has been prohibited.
if self.ds.digest_type in DS_DIGEST_ALGS_VALIDATION_PROHIBITED:
self.warnings.append(Errors.DigestAlgorithmValidationProhibited(algorithm=self.ds.digest_type))
+ elif self.ds.digest_type in DS_DIGEST_ALGS_PROHIBITED:
+ self.warnings.append(Errors.DigestAlgorithmProhibited(algorithm=self.ds.digest_type))
+ elif self.ds.digest_type in DS_DIGEST_ALGS_NOT_RECOMMENDED:
+ self.warnings.append(Errors.DigestAlgorithmNotRecommended(algorithm=self.ds.digest_type))
if self.dnskey is not None and \
self.dnskey.rdata.flags & fmt.DNSKEY_FLAGS['revoke']:
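Review bot: The new `elif` branches in the digest-type check make the three warnings mutually exclusive, so a digest type listed in both `DS_DIGEST_ALGS_VALIDATION_PROHIBITED` and `DS_DIGEST_ALGS_PROHIBITED` would only ever report `DigestAlgorithmValidationProhibited`; the set definitions are outside this hunk, so whether they overlap cannot be confirmed here. If that precedence is intended, the comment above should say so and also cover the not-recommended case, e.g. `# validation or publishing has been prohibited or is not recommended; only the most severe applicable warning is added.` If both warnings should reach the operator, the second branch should start with `if` rather than `elif`. The enclosing method begins and ends outside the hunk.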
@@ -495,12 +499,6 @@ class DSStatus(object):
else:
self.warnings.append(Errors.DSDigestAlgorithmMaybeIgnored(algorithm=1, new_algorithm=digest_alg))
- # For all other digest types, just add a warning here
- elif self.ds.digest_type in DS_DIGEST_ALGS_PROHIBITED:
- self.warnings.append(Errors.DigestAlgorithmProhibited(algorithm=self.ds.digest_type))
- elif self.ds.digest_type in DS_DIGEST_ALGS_NOT_RECOMMENDED:
- self.warnings.append(Errors.DigestAlgorithmNotRecommended(algorithm=self.ds.digest_type))
-
def __str__(self):
return '%s record(s) corresponding to DNSKEY for %s (algorithm %d (%s), key tag %d)' % (dns.rdatatype.to_text(self.ds_meta.rrset.rdtype), fmt.humanize_name(self.ds_meta.rrset.name), self.ds.algorithm, fmt.DNSKEY_ALGORITHMS.get(self.ds.algorithm, self.ds.algorithm), self.ds.key_tag)