From 7a4b641806356df72095d794773790a97b4ced94 Mon Sep 17 00:00:00 2001
From: Casey Deccio
Date: Thu, 7 Jan 2021 22:26:05 -0700
Subject: Warn if using prohibited or not recommended algorithm
---
 dnsviz/analysis/status.py | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/dnsviz/analysis/status.py b/dnsviz/analysis/status.py
index ea81ebf..914d53a 100644
--- a/dnsviz/analysis/status.py
+++ b/dnsviz/analysis/status.py
@@ -416,9 +416,13 @@ class DSStatus(object):
 # Independent of whether or not we considered the digest for
 # validation, issue a warning if we are using a digest type for which
- # validation has been prohibited.
+ # validation or publishing has been prohibited.
 if self.ds.digest_type in DS_DIGEST_ALGS_VALIDATION_PROHIBITED:
 self.warnings.append(Errors.DigestAlgorithmValidationProhibited(algorithm=self.ds.digest_type))
+ elif self.ds.digest_type in DS_DIGEST_ALGS_PROHIBITED:
+ self.warnings.append(Errors.DigestAlgorithmProhibited(algorithm=self.ds.digest_type))
+ elif self.ds.digest_type in DS_DIGEST_ALGS_NOT_RECOMMENDED:
+ self.warnings.append(Errors.DigestAlgorithmNotRecommended(algorithm=self.ds.digest_type))
 if self.dnskey is not None and \
 self.dnskey.rdata.flags & fmt.DNSKEY_FLAGS['revoke']:
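Review bot: The updated comment above the chain names only the prohibited cases, while the new third branch also warns for digest types in `DS_DIGEST_ALGS_NOT_RECOMMENDED`. Because the branches are `elif`, a digest type that appears in more than one set gets only the first matching warning. The sets are defined outside this hunk, so I cannot tell whether they overlap; if they can, state the precedence in the comment, e.g. `# Report only the most severe status: validation prohibited, then prohibited, then not recommended.` The checks also no longer sit behind the later `else`/`elif` chain removed in the second hunk, so a DS with digest type 1 can presumably now carry both one of these warnings and `DSDigestAlgorithmMaybeIgnored`; a test pinning that combination would make the intent explicit. The enclosing method starts and ends outside the hunk.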
@@ -495,12 +499,6 @@ class DSStatus(object):
 else:
 self.warnings.append(Errors.DSDigestAlgorithmMaybeIgnored(algorithm=1, new_algorithm=digest_alg))
- # For all other digest types, just add a warning here
- elif self.ds.digest_type in DS_DIGEST_ALGS_PROHIBITED:
- self.warnings.append(Errors.DigestAlgorithmProhibited(algorithm=self.ds.digest_type))
- elif self.ds.digest_type in DS_DIGEST_ALGS_NOT_RECOMMENDED:
- self.warnings.append(Errors.DigestAlgorithmNotRecommended(algorithm=self.ds.digest_type))
-
 def __str__(self):
 return '%s record(s) corresponding to DNSKEY for %s (algorithm %d (%s), key tag %d)' % (dns.rdatatype.to_text(self.ds_meta.rrset.rdtype), fmt.humanize_name(self.ds_meta.rrset.name), self.ds.algorithm, fmt.DNSKEY_ALGORITHMS.get(self.ds.algorithm, self.ds.algorithm), self.ds.key_tag)
--
cgit v1.2.3