Commit be59bcd4 authored by Joshua Tauberer

for .fund domains use RSASHA256 DNSSEC keys

parent cfe0fa91
......@@ -511,8 +511,12 @@ zone:
########################################################################
def dnssec_choose_algo(domain, env):
if domain.endswith(".email") or domain.endswith(".guide"):
# At least at GoDaddy, this is the only algorithm supported.
if '.' in domain and domain.rsplit('.')[-1] in \
("email", "guide", "fund"):
# At GoDaddy, RSASHA256 is the only algorithm supported
# for .email and .guide.
# A variety of algorithms are supported for .fund. This
# is preferred.
return "RSASHA256"
# For any domain we were able to sign before, don't change the algorithm
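Review bot: In the new condition, `domain.rsplit('.')[-1]` is called without a maxsplit, so it splits on every dot just to read the last label; `domain.rsplit('.', 1)[-1]` states the intent directly. The match against `("email", "guide", "fund")` is case-sensitive and does not allow for a trailing dot, so it depends on `domain` being normalized before it reaches `dnssec_choose_algo`; please confirm that or say so in the comment. The comment line "This is preferred" for .fund also does not say who prefers RSASHA256 or why, which will make the choice hard to revisit later.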
......
......@@ -52,6 +52,10 @@ mkdir -p "$STORAGE_ROOT/dns/dnssec";
#
# * .email
# * .guide
#
# Supports `RSASHA256` (and defaulting to this)
#
# * .fund
FIRST=1 #NODOC
for algo in RSASHA1-NSEC3-SHA1 RSASHA256; do
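Review bot: The added comment "Supports `RSASHA256` (and defaulting to this)" above `* .fund` has no subject and does not say where the default is applied; suggest naming what supports the algorithm and pointing to `dnssec_choose_algo`, where the selection is made. The TLD list now lives both in this comment and in the tuple in `dnssec_choose_algo`, so a cross-reference in each place would help keep the two from drifting apart.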
......