fix: Drop incomplete support for DSA/SHA1 (#55)

See #50.
relaycorp · Nov 18, 2022 · 4bd3ff8 · 4bd3ff8
1 parent 09429c9
commit 4bd3ff8
Show file tree

Hide file tree

Showing 5 changed files with 2 additions and 4 deletions.
diff --git a/README.md b/README.md
@@ -46,6 +46,7 @@ This library supports producing RRSig records simply for testing purposes: It ma
 
 We support all the _Zone Signing_ [DNSSEC algorithms](https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml#dns-sec-alg-numbers-1) as of 2022, except for:
 
+- DSA (`3`) because [it's too insecure and hardly used](https://github.com/relaycorp/dnssec-js/issues/50).
 - NSEC3 (`6` and `7`) because [we don't currently support Denial of Existence records](https://github.com/relaycorp/dnssec-js/issues/17).
 - [GOST](https://en.wikipedia.org/wiki/GOST) (`12`) due to lack of support in Node.js, and its lack of popularity and security doesn't seem to justify integrating a third party NPM package supporting it (assuming a suitable one exists).
 - Private algorithms (`253` and `254`) because we have no use for those, but we'd welcome PRs to implement them.
diff --git a/src/lib/DnssecAlgorithm.ts b/src/lib/DnssecAlgorithm.ts
@@ -4,7 +4,7 @@
  * @link https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml
  */
 export enum DnssecAlgorithm {
-  DSA = 3,
+  // DSA = 3, // See: https://github.com/relaycorp/dnssec-js/issues/50
   RSASHA1 = 5,
   RSASHA256 = 8,
   RSASHA512 = 10,

diff --git a/src/lib/signing/keyGen.ts b/src/lib/signing/keyGen.ts
@@ -15,7 +15,6 @@ const RSA_OPTIONS = {
   options: { modulusLength: 2048 },
 };
 const KEY_GEN_OPTIONS: { readonly [key in DnssecAlgorithm]: KeyGenOptions } = {
-  [DnssecAlgorithm.DSA]: { type: 'dsa' },
   [DnssecAlgorithm.ECDSAP256SHA256]: { type: 'ec', options: { namedCurve: 'prime256v1' } },
   [DnssecAlgorithm.ECDSAP384SHA384]: { type: 'ec', options: { namedCurve: 'secp384r1' } },
   [DnssecAlgorithm.RSASHA1]: RSA_OPTIONS,

diff --git a/src/lib/utils/crypto/hashing.spec.ts b/src/lib/utils/crypto/hashing.spec.ts
@@ -6,7 +6,6 @@ import { DnssecAlgorithm } from '../../DnssecAlgorithm';
 
 describe('getNodejsHashAlgorithmFromDnssecAlgo', () => {
   test.each([
-    [DnssecAlgorithm.DSA, 'sha1'],
     [DnssecAlgorithm.RSASHA1, 'sha1'],
     [DnssecAlgorithm.RSASHA256, 'sha256'],
     [DnssecAlgorithm.RSASHA512, 'sha512'],

diff --git a/src/lib/utils/crypto/hashing.ts b/src/lib/utils/crypto/hashing.ts
@@ -4,7 +4,6 @@ import { DigestType } from '../../DigestType';
 import { DnssecAlgorithm } from '../../DnssecAlgorithm';
 
 const HASH_BY_DNSSEC_ALGO: { readonly [algo in DnssecAlgorithm]: string | null } = {
-  [DnssecAlgorithm.DSA]: 'sha1',
   [DnssecAlgorithm.RSASHA1]: 'sha1',
   [DnssecAlgorithm.RSASHA256]: 'sha256',
   [DnssecAlgorithm.RSASHA512]: 'sha512',