
fix(api): only convey DS records with algos 2 and 4, fixes #522

Peter Thomassen 4 rokov pred
rodič
commit
5e14413be2
2 zmenil súbory, kde vykonal 14 pridanie a 12 odobranie
  1. 8 3
      api/desecapi/pdns.py
  2. 6 9
      docs/dns/domains.rst

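--- a/api/desecapi/pdns.py
+++ b/api/desecapi/pdns.py
@@ -90,11 +90,16 @@ def get_keys(domain):
     """
     Retrieves a dict representation of the DNSSEC key information
     """
+    def _filter_ds(key):
+        key['ds'] = [ds for ds in key['ds'] if int(ds.split()[2]) in [2, 4]]
+        return key
+
     r = _pdns_get(NSLORD, '/zones/%s/cryptokeys' % pdns_id(domain.name))
     metrics.get('desecapi_pdns_keys_fetched').inc()
-    return [{k: key[k] for k in ('dnskey', 'ds', 'flags', 'keytype')}
-            for key in r.json()
-            if key['published'] and key['keytype'] in ['csk', 'ksk']]
+    keys = [{k: key[k] for k in ('dnskey', 'ds', 'flags', 'keytype')}
+             for key in r.json()
+             if key['published'] and key['keytype'] in ['csk', 'ksk']]
+    return list(map(_filter_ds, keys))
 
 
 def get_zone(domain):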
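Review bot: The digest-type policy in the new `_filter_ds` helper, `int(ds.split()[2]) in [2, 4]`, is an unexplained literal that the docstring of get_keys does not mention, so a reader has no indication that DS records with digest types 1 (SHA-1) and 3 (GOST) are deliberately dropped, and the same pair of numbers is restated in docs/dns/domains.rst where it can silently drift from the code. Hoist it to a named module-level constant, e.g. `DS_DIGEST_TYPES = {2, 4}  # SHA-256, SHA-384: the only DS digest types we convey to the parent`, test membership with `in DS_DIGEST_TYPES`, and add to the docstring `Only ``DS`` entries whose digest type is in DS_DIGEST_TYPES (currently 2 and 4) are returned.` Note also that `int(ds.split()[2])` presumes every ``ds`` string from PowerDNS has at least three whitespace-separated fields with a numeric third one; if that is not guaranteed by the upstream API, a malformed entry will surface as an IndexError or ValueError from get_keys rather than being skipped. The signature of get_keys precedes the hunk.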

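--- a/docs/dns/domains.rst
+++ b/docs/dns/domains.rst
@@ -24,9 +24,7 @@ A JSON object representing a domain has the following structure::
             {
                 "dnskey": "257 3 13 WFRl60...",
                 "ds": [
-                    "6006 13 1 8581e9...",
                     "6006 13 2 f34b75...",
-                    "6006 13 3 dfb325...",
                     "6006 13 4 2fdcf8..."
                 ],
                 "flags": 257,
@@ -52,9 +50,9 @@ Field details:
     :Access mode: read-only
 
     Array with DNSSEC key information.  Each entry contains ``DNSKEY`` and
-    ``DS`` record contents (the latter being computed from the former), and
-    some extra information.  For delegation of DNSSEC-secured domains, the
-    parent domain needs to publish these ``DS`` records.  (This usually
+    ``DS`` record contents (the latter being computed from the former), plus
+    some more technical information.  For delegation of DNSSEC-secured domains,
+    the parent domain needs to publish these ``DS`` records.  (This usually
     involves telling your registrar/registry about those records, and they
     will publish them for you.)
 
@@ -64,10 +62,9 @@ Field details:
       specific domain. In contrast, when listing all domains, the keys field
       is omitted for performance reasons.
 
-    - The contents of this field are generated from PowerDNS' ``cryptokeys``
-      endpoint, see https://doc.powerdns.com/md/httpapi/api_spec/#cryptokeys.
-      We look at each active ``cryptokey_resource`` (``active`` is true) and
-      then use the ``dnskey``, ``ds``, ``flags``, and ``keytype`` fields.
+    - ``DS`` values are the result of hashing the ``DNSKEY`` with various
+      algorithms.  We limit the set of hash algorithms according to best
+      practice.  Currently, we use algorithms 2 (SHA-256) and 4 (SHA-384).
 
 ``minimum_ttl``
     :Access mode: read-only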