- patch_rsamd5_enable.diff: this patch enables RSAMD5 validation

otherwise it is treated as insecure.  The RSAMD5 algorithm is
  deprecated (RFC6725).  The MD5 hash is considered weak for some
  purposes, if you want to sign your zone, then RSASHA256 is an
  uncontested hash.


git-svn-id: file:///svn/unbound/trunk@2760 be551aaa-1e26-0410-a405-d3ace91eadb9

contrib/README

@@ -17,3 +17,5 @@ distribution but may be helpful.
 	in with the nagios monitoring framework.  Contributed by Migiel de Vos.
 * unbound_unixsock.diff: Add Unix socket support for unbound-control. 
 	Contributed by Ilya Bakulin, 2012-08-28.
+* patch_rsamd5_enable.diff: this patch enables RSAMD5 validation (otherwise
+  it is treated as insecure).  The RSAMD5 algorithm is deprecated (RFC6725).

contrib/patch_rsamd5_enable.diff

@@ -0,0 +1,22 @@
+Index: validator/val_secalgo.c
+===================================================================
+--- validator/val_secalgo.c	(revision 2759)
++++ validator/val_secalgo.c	(working copy)
+@@ -153,7 +153,7 @@
+ 	switch(id) {
+ 	case LDNS_RSAMD5:
+ 		/* RFC 6725 deprecates RSAMD5 */
+-		return 0;
++		return 1;
+ 	case LDNS_DSA:
+ 	case LDNS_DSA_NSEC3:
+ 	case LDNS_RSASHA1:
+@@ -617,7 +617,7 @@
+ 	switch(id) {
+ 	case LDNS_RSAMD5:
+ 		/* RFC 6725 deprecates RSAMD5 */
+-		return 0;
++		return 1;
+ 	case LDNS_DSA:
+ 	case LDNS_DSA_NSEC3:
+ 	case LDNS_RSASHA1:

doc/Changelog

@@ -1,3 +1,10 @@
+17 September 2012: Wouter
+	- patch_rsamd5_enable.diff: this patch enables RSAMD5 validation
+	  otherwise it is treated as insecure.  The RSAMD5 algorithm is
+	  deprecated (RFC6725).  The MD5 hash is considered weak for some
+	  purposes, if you want to sign your zone, then RSASHA256 is an
+	  uncontested hash.
+
 30 August 2012: Wouter
 	- RFC6725 deprecates RSAMD5: this DNSKEY algorithm is disabled.
 	- iana portlist updated.