Merge branch '107192666-ds-key-data-dnssec' into staging

app/controllers/admin/settings_controller.rb

@@ -51,7 +51,7 @@ class Admin::SettingsController < AdminController
       :admin_contacts_max_count,
       :tech_contacts_min_count,
       :tech_contacts_max_count,
-      :ds_algorithm,
+      :ds_digest_type,
       :dnskeys_min_count,
       :dnskeys_max_count,
       :ns_min_count,

app/models/dnskey.rb

@@ -17,9 +17,10 @@ class Dnskey < ActiveRecord::Base
     end
   }
 
-  ALGORITHMS = %w(3 5 6 7 8 10 13 14)
+  ALGORITHMS = Depp::Dnskey::ALGORITHMS.map {|pair| pair[1].to_s}.freeze # IANA numbers, single authority list
   PROTOCOLS = %w(3)
   FLAGS = %w(0 256 257) # 256 = ZSK, 257 = KSK
+  DS_DIGEST_TYPE = [1,2]
 
   def epp_code_map
     {
@@ -66,7 +67,10 @@ class Dnskey < ActiveRecord::Base
   end
 
   def generate_digest
-    return if flags != 257 # generate ds only with KSK
+    return unless flags == 257 || flags == 256 # require ZoneFlag, but optional SecureEntryPoint
+    self.ds_alg = alg
+    self.ds_digest_type = Setting.ds_digest_type if self.ds_digest_type.blank? || !DS_DIGEST_TYPE.include?(ds_digest_type)
+
     flags_hex = self.class.int_to_hex(flags)
     protocol_hex = self.class.int_to_hex(protocol)
     alg_hex = self.class.int_to_hex(alg)
@@ -74,9 +78,9 @@ class Dnskey < ActiveRecord::Base
     hex = [domain.name_in_wire_format, flags_hex, protocol_hex, alg_hex, public_key_hex].join
     bin = self.class.hex_to_bin(hex)
 
-    if ds_digest_type == 1
+    if self.ds_digest_type == 1
       self.ds_digest = Digest::SHA1.hexdigest(bin).upcase
-    elsif ds_digest_type == 2
+    elsif self.ds_digest_type == 2
       self.ds_digest = Digest::SHA256.hexdigest(bin).upcase
     end
   end
@@ -86,7 +90,7 @@ class Dnskey < ActiveRecord::Base
   end
 
   def generate_ds_key_tag
-    return if flags != 257 # generate ds key tag only with KSK
+    return unless flags == 257 || flags == 256 # require ZoneFlag, but optional SecureEntryPoint
     pk = public_key.gsub(' ', '')
     wire_format = [flags, protocol, alg].pack('S!>CC')
     wire_format += Base64.decode64(pk)

app/models/epp/domain.rb

@@ -387,13 +387,8 @@ class Epp::Domain < Domain
     end
 
     def key_data_from(frame)
-      result = xm_copy frame, KEY_INTERFACE
+      xm_copy frame, KEY_INTERFACE
-      # TODO: can these defaults go where they belong?
+   end
-      result.merge({
-                       ds_alg: 3,      # DSA/SHA-1 [DSA] RFC2536
-                       ds_digest_type: Setting.ds_algorithm     # only 1
-                   })
-    end
 
     def ds_data_from(frame)
       frame.css('dsData').each do |ds_data|

app/views/admin/settings/index.haml

@@ -47,8 +47,8 @@
             %th{class: 'col-xs-6'}= t(:setting)
             %th{class: 'col-xs-6'}= t(:value)
         %tbody
-          /= render 'setting_row', var: :transfer_wait_time
+          = render 'setting_row', var: :transfer_wait_time
-          = render 'setting_row', var: :ds_algorithm
+          = render 'setting_row', var: :ds_digest_type
           = render 'setting_row', var: :client_side_status_editing_enabled
           = render 'setting_row', var: :api_ip_whitelist_enabled
           = render 'setting_row', var: :registrar_ip_whitelist_enabled

config/initializers/initial_settings.rb

@@ -12,7 +12,7 @@ if con.present? && con.table_exists?('settings')
   Setting.save_default(:tech_contacts_max_count, 10)
   Setting.save_default(:expire_pending_confirmation, 48)
 
-  Setting.save_default(:ds_algorithm, 2)
+  Setting.save_default(:ds_digest_type, 2)
   Setting.save_default(:ds_data_allowed, false)
   Setting.save_default(:key_data_allowed, true)
 

config/locales/en.yml

@@ -443,7 +443,7 @@ en:
   ds_data_allowed: 'DS data allowed'
   ds_data_with_key_allowed: 'Allow DS data with key'
   key_data_allowed: 'Allow key data'
-  ds_algorithm: 'DS algorithm'
+  ds_digest_type: 'DS digest type'
   zonefile_settings: 'Zonefile settings'
   background_jobs: Background jobs
   domain_history: Domain history