Merge branch '22-remove-last-traces-of-already-removed-algorithms' into 'master'

Remove various leftovers for algorithms that have been already removed from BIND See merge request isc-projects/bind9!901
2025-08-30 22:15:20 +00:00 · 2018-10-26 06:01:54 -04:00
parent cc8c79bb69 58cfb2a18a
commit 241594299b
41 changed files with 125 additions and 422 deletions
--- a/bin/dnssec/dnssec-keyfromlabel.c
+++ b/bin/dnssec/dnssec-keyfromlabel.c
@@ -64,8 +64,8 @@ usage(void) {
 	fprintf(stderr, "    name: owner of the key\n");
 	fprintf(stderr, "Other options:\n");
 	fprintf(stderr, "    -a algorithm: \n"
-			"        RSA | RSAMD5 | DH | DSA | RSASHA1 |\n"
-			"        NSEC3DSA | NSEC3RSASHA1 |\n"
+			"        RSA | RSAMD5 | DH | RSASHA1 |\n"
+			"        NSEC3RSASHA1 |\n"
 			"        RSASHA256 | RSASHA512 |\n"
 			"        ECDSAP256SHA256 | ECDSAP384SHA384\n");
 	fprintf(stderr, "    -3: use NSEC3-capable algorithm\n");
@@ -402,13 +402,9 @@ main(int argc, char **argv) {

 		if (use_nsec3) {
 			switch (alg) {
-			case DST_ALG_DSA:
-				alg = DST_ALG_NSEC3DSA;
-				break;
 			case DST_ALG_RSASHA1:
 				alg = DST_ALG_NSEC3RSASHA1;
 				break;
-			case DST_ALG_NSEC3DSA:
 			case DST_ALG_NSEC3RSASHA1:
 			case DST_ALG_RSASHA256:
 			case DST_ALG_RSASHA512:
--- a/bin/dnssec/dnssec-keyfromlabel.docbook
+++ b/bin/dnssec/dnssec-keyfromlabel.docbook
@@ -106,7 +106,7 @@
 	  <para>
 	    Selects the cryptographic algorithm.  The value of
 	    <option>algorithm</option> must be one of RSAMD5, RSASHA1,
-	    DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512,
+	    NSEC3RSASHA1, RSASHA256, RSASHA512,
 	    ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
 	  </para>
 	  <para>
@@ -119,9 +119,9 @@
 	  <para>
 	    These values are case insensitive. In some cases, abbreviations
 	    are supported, such as ECDSA256 for ECDSAP256SHA256 and
-	    ECDSA384 for ECDSAP384SHA384. If RSASHA1 or DSA is specified
+	    ECDSA384 for ECDSAP384SHA384. If RSASHA1 is specified
 	    along with the <option>-3</option> option, then NSEC3RSASHA1
-	    or NSEC3DSA will be used instead.
+	    will be used instead.
 	  </para>
 	  <para>
 	    As of BIND 9.12.0, this option is mandatory except when using
--- a/bin/dnssec/dnssec-keygen.c
+++ b/bin/dnssec/dnssec-keygen.c
@@ -79,8 +79,8 @@ usage(void) {
 	fprintf(stderr, "Options:\n");
 	fprintf(stderr, "    -K <directory>: write keys into directory\n");
 	fprintf(stderr, "    -a <algorithm>:\n");
-	fprintf(stderr, "        RSA | RSAMD5 | DSA | RSASHA1 | NSEC3RSASHA1"
-				" | NSEC3DSA |\n");
+	fprintf(stderr, "        RSA | RSAMD5 | RSASHA1 | NSEC3RSASHA1"
+				" |\n");
 	fprintf(stderr, "        RSASHA256 | RSASHA512 |\n");
 	fprintf(stderr, "        ECDSAP256SHA256 | ECDSAP384SHA384 |\n");
 	fprintf(stderr, "        ED25519 | ED448 | DH\n");
@@ -92,10 +92,6 @@ usage(void) {
 	fprintf(stderr, "        RSASHA256:\t[1024..%d]\n", MAX_RSA);
 	fprintf(stderr, "        RSASHA512:\t[1024..%d]\n", MAX_RSA);
 	fprintf(stderr, "        DH:\t\t[128..4096]\n");
-	fprintf(stderr, "        DSA:\t\t[512..1024] and divisible by 64\n");
-	fprintf(stderr, "        NSEC3DSA:\t[512..1024] and divisible "
-				"by 64\n");
-	fprintf(stderr, "        ECCGOST:\tignored\n");
 	fprintf(stderr, "        ECDSAP256SHA256:\tignored\n");
 	fprintf(stderr, "        ECDSAP384SHA384:\tignored\n");
 	fprintf(stderr, "        ED25519:\tignored\n");
@@ -161,11 +157,6 @@ usage(void) {
 	exit (-1);
 }

-static bool
-dsa_size_ok(int size) {
-	return (size >= 512 && size <= 1024 && size % 64 == 0);
-}
-
 static void
 progress(int p)
 {
@@ -542,17 +533,12 @@ main(int argc, char **argv) {

 		if (use_nsec3) {
 			switch (alg) {
-			case DST_ALG_DSA:
-				alg = DST_ALG_NSEC3DSA;
-				break;
 			case DST_ALG_RSASHA1:
 				alg = DST_ALG_NSEC3RSASHA1;
 				break;
-			case DST_ALG_NSEC3DSA:
 			case DST_ALG_NSEC3RSASHA1:
 			case DST_ALG_RSASHA256:
 			case DST_ALG_RSASHA512:
-			case DST_ALG_ECCGOST:
 			case DST_ALG_ECDSA256:
 			case DST_ALG_ECDSA384:
 			case DST_ALG_ED25519:
@@ -598,7 +584,6 @@ main(int argc, char **argv) {
 							" to %d\n", size);
 				}
 				break;
-			case DST_ALG_ECCGOST:
 			case DST_ALG_ECDSA256:
 			case DST_ALG_ECDSA384:
 			case DST_ALG_ED25519:
@@ -728,14 +713,6 @@ main(int argc, char **argv) {
 		if (size != 0 && (size < 128 || size > 4096))
 			fatal("DH key size %d out of range", size);
 		break;
-	case DNS_KEYALG_DSA:
-	case DNS_KEYALG_NSEC3DSA:
-		if (size != 0 && !dsa_size_ok(size))
-			fatal("invalid DSS key size: %d", size);
-		break;
-	case DST_ALG_ECCGOST:
-		size = 256;
-		break;
 	case DST_ALG_ECDSA256:
 		size = 256;
 		break;
@@ -815,9 +792,6 @@ main(int argc, char **argv) {
 		param = generator;
 		break;

-	case DNS_KEYALG_DSA:
-	case DNS_KEYALG_NSEC3DSA:
-	case DST_ALG_ECCGOST:
 	case DST_ALG_ECDSA256:
 	case DST_ALG_ECDSA384:
 	case DST_ALG_ED25519:
--- a/bin/dnssec/dnssec-keygen.docbook
+++ b/bin/dnssec/dnssec-keygen.docbook
@@ -123,7 +123,7 @@
 	  <para>
 	    Selects the cryptographic algorithm.  For DNSSEC keys, the value
 	    of <option>algorithm</option> must be one of RSAMD5, RSASHA1,
-	    DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512,
+	    NSEC3RSASHA1, RSASHA256, RSASHA512,
 	    ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.  For
 	    TKEY, the value must be DH (Diffie Hellman); specifying
 	    his value will automatically set the <option>-T KEY</option>
@@ -132,9 +132,9 @@
 	  <para>
 	    These values are case insensitive. In some cases, abbreviations
 	    are supported, such as ECDSA256 for ECDSAP256SHA256 and
-	    ECDSA384 for ECDSAP384SHA384. If RSASHA1 or DSA is specified
+	    ECDSA384 for ECDSAP384SHA384. If RSASHA1 is specified
 	    along with the <option>-3</option> option, then NSEC3RSASHA1
-	    or NSEC3DSA will be used instead.
+	    will be used instead.
 	  </para>
 	  <para>
 	    This parameter <emphasis>must</emphasis> be specified except
--- a/bin/pkcs11/pkcs11-keygen.c
+++ b/bin/pkcs11/pkcs11-keygen.c
@@ -43,7 +43,7 @@
 * Create a key in the keystore of an HSM
 *
 * The calculation of key tag is left to the script
- * that converts the key into a DNSKEY RR and inserts 
+ * that converts the key into a DNSKEY RR and inserts
 * it into a zone file.
 *
 * usage:
@@ -71,7 +71,6 @@

 #include <pk11/pk11.h>
 #include <pk11/result.h>
-#define WANT_DH_PRIMES
 #include <pk11/constants.h>
 #include <pkcs11/eddsa.h>

@@ -79,12 +78,10 @@
 static CK_BBOOL truevalue = TRUE;
 static CK_BBOOL falsevalue = FALSE;

-/* Key class: RSA, ECC, ECX, DSA, DH, or unknown */
+/* Key class: RSA, ECC, ECX, or unknown */
 typedef enum {
 	key_unknown,
 	key_rsa,
-	key_dsa,
-	key_dh,
 	key_ecc,
 	key_ecx
 } key_class_t;
@@ -152,78 +149,6 @@ static CK_ATTRIBUTE ecc_template[] = {
 	{CKA_ID, NULL_PTR, 0}
 };

-/*
- * Public key template for DSA keys
- */
-#define DSA_LABEL 0
-#define DSA_VERIFY 1
-#define DSA_TOKEN 2
-#define DSA_PRIVATE 3
-#define DSA_PRIME 4
-#define DSA_SUBPRIME 5
-#define DSA_BASE 6
-#define DSA_ID 7
-#define DSA_ATTRS 8
-static CK_ATTRIBUTE dsa_template[] = {
-	{CKA_LABEL, NULL_PTR, 0},
-	{CKA_VERIFY, &truevalue, sizeof(truevalue)},
-	{CKA_TOKEN, &truevalue, sizeof(truevalue)},
-	{CKA_PRIVATE, &falsevalue, sizeof(falsevalue)},
-	{CKA_PRIME, NULL_PTR, 0},
-	{CKA_SUBPRIME, NULL_PTR, 0},
-	{CKA_BASE, NULL_PTR, 0},
-	{CKA_ID, NULL_PTR, 0}
-};
-#define DSA_PARAM_PRIME 0
-#define DSA_PARAM_SUBPRIME 1
-#define DSA_PARAM_BASE 2
-#define DSA_PARAM_ATTRS 3
-static CK_ATTRIBUTE dsa_param_template[] = {
-	{CKA_PRIME, NULL_PTR, 0},
-	{CKA_SUBPRIME, NULL_PTR, 0},
-	{CKA_BASE, NULL_PTR, 0},
-};
-#define DSA_DOMAIN_PRIMEBITS 0
-#define DSA_DOMAIN_PRIVATE 1
-#define DSA_DOMAIN_ATTRS 2
-static CK_ATTRIBUTE dsa_domain_template[] = {
-	{CKA_PRIME_BITS, NULL_PTR, 0},
-	{CKA_PRIVATE, &falsevalue, sizeof(falsevalue)},
-};
-
-/*
- * Public key template for DH keys
- */
-#define DH_LABEL 0
-#define DH_VERIFY 1
-#define DH_TOKEN 2
-#define DH_PRIVATE 3
-#define DH_PRIME 4
-#define DH_BASE 5
-#define DH_ID 6
-#define DH_ATTRS 7
-static CK_ATTRIBUTE dh_template[] = {
-	{CKA_LABEL, NULL_PTR, 0},
-	{CKA_VERIFY, &truevalue, sizeof(truevalue)},
-	{CKA_TOKEN, &truevalue, sizeof(truevalue)},
-	{CKA_PRIVATE, &falsevalue, sizeof(falsevalue)},
-	{CKA_PRIME, NULL_PTR, 0},
-	{CKA_BASE, NULL_PTR, 0},
-	{CKA_ID, NULL_PTR, 0}
-};
-#define DH_PARAM_PRIME 0
-#define DH_PARAM_BASE 1
-#define DH_PARAM_ATTRS 2
-static CK_ATTRIBUTE dh_param_template[] = {
-	{CKA_PRIME, NULL_PTR, 0},
-	{CKA_BASE, NULL_PTR, 0},
-};
-#define DH_DOMAIN_PRIMEBITS 0
-#define DH_DOMAIN_ATTRS 1
-static CK_ATTRIBUTE dh_domain_template[] = {
-	{CKA_PRIME_BITS, NULL_PTR, 0},
-};
-
 /*
 * Convert from text to key class.  Accepts the names of DNSSEC
 * signing algorithms, so e.g., ECDSAP256SHA256 maps to ECC and
@@ -237,11 +162,6 @@ keyclass_fromtext(const char *name) {
 	if (strncasecmp(name, "rsa", 3) == 0 ||
 	    strncasecmp(name, "nsec3rsa", 8) == 0)
 		return (key_rsa);
-	else if (strncasecmp(name, "dsa", 3) == 0 ||
-		 strncasecmp(name, "nsec3dsa", 8) == 0)
-		return (key_dsa);
-	else if (strcasecmp(name, "dh") == 0)
-		return (key_dh);
 	else if (strncasecmp(name, "ecc", 3) == 0 ||
 		 strncasecmp(name, "ecdsa", 5) == 0)
 		return (key_ecc);
@@ -279,7 +199,7 @@ main(int argc, char *argv[]) {
 	pk11_context_t pctx;
 	int error = 0;
 	int c, errflg = 0;
-	int hide = 1, special = 0, quiet = 0;
+	int hide = 1, quiet = 0;
 	int idlen = 0, id_offset = 0;
 	unsigned int i;
 	unsigned long id = 0;
@@ -331,9 +251,6 @@ main(int argc, char *argv[]) {
 		case 'q':
 			quiet = 1;
 			break;
-		case 'S':
-			special = 1;
-			break;
 		case ':':
 			fprintf(stderr,
 				"Option -%c requires an operand\n",
@@ -360,12 +277,6 @@ main(int argc, char *argv[]) {
 		exit(2);
 	}

-	if (special != 0 && keyclass != key_dh) {
-		fprintf(stderr, "The -S option is only compatible "
-				"with Diffie-Hellman key generation\n");
-		exit(2);
-	}
-
 	switch (keyclass) {
 	case key_rsa:
 		op_type = OP_RSA;
@@ -461,70 +372,10 @@ main(int argc, char *argv[]) {

 #endif
 		break;
-	case key_dsa:
-		op_type = OP_DSA;
-		if (bits == 0)
-			usage();
-
-		dpmech.mechanism = CKM_DSA_PARAMETER_GEN;
-		dpmech.pParameter = NULL;
-		dpmech.ulParameterLen = 0;
-		mech.mechanism = CKM_DSA_KEY_PAIR_GEN;
-		mech.pParameter = NULL;
-		mech.ulParameterLen = 0;
-
-		public_template = dsa_template;
-		public_attrcnt = DSA_ATTRS;
-		id_offset = DSA_ID;
-
-		domain_template = dsa_domain_template;
-		domain_attrcnt = DSA_DOMAIN_ATTRS;
-		param_template = dsa_param_template;
-		param_attrcnt = DSA_PARAM_ATTRS;
-
-		domain_template[DSA_DOMAIN_PRIMEBITS].pValue = &bits;
-		domain_template[DSA_DOMAIN_PRIMEBITS].ulValueLen = sizeof(bits);
-		break;
-	case key_dh:
-		op_type = OP_DH;
-		if (special && bits == 0)
-			bits = 1024;
-		else if (special &&
-			 bits != 768 && bits != 1024 && bits != 1536)
-		{
-			fprintf(stderr, "When using the special prime (-S) "
-				"option, only key sizes of\n"
-				"768, 1024 or 1536 are supported.\n");
-			exit(2);
-		} else if (bits == 0)
-			usage();
-
-		dpmech.mechanism = CKM_DH_PKCS_PARAMETER_GEN;
-		dpmech.pParameter = NULL;
-		dpmech.ulParameterLen = 0;
-		mech.mechanism = CKM_DH_PKCS_KEY_PAIR_GEN;
-		mech.pParameter = NULL;
-		mech.ulParameterLen = 0;
-
-		/* Override CKA_SIGN attribute */
-		private_template[PRIVATE_DERIVE].type = CKA_DERIVE;
-
-		public_template = dh_template;
-		public_attrcnt = DH_ATTRS;
-		id_offset = DH_ID;
-
-		domain_template = dh_domain_template;
-		domain_attrcnt = DH_DOMAIN_ATTRS;
-		param_template = dh_param_template;
-		param_attrcnt = DH_PARAM_ATTRS;
-
-		domain_template[DH_DOMAIN_PRIMEBITS].pValue = &bits;
-		domain_template[DH_DOMAIN_PRIMEBITS].ulValueLen = sizeof(bits);
-		break;
 	case key_unknown:
 		usage();
 	}
-	
+
 	search_template[0].pValue = label;
 	search_template[0].ulValueLen = strlen((char *)label);
 	public_template[0].pValue = label;
@@ -582,7 +433,7 @@ main(int argc, char *argv[]) {
 	hSession = pctx.session;

 	/* check if a key with the same id already exists */
-	rv = pkcs_C_FindObjectsInit(hSession, search_template, 1); 
+	rv = pkcs_C_FindObjectsInit(hSession, search_template, 1);
 	if (rv != CKR_OK) {
 		fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8lX\n", rv);
 		error = 1;
@@ -609,29 +460,6 @@ main(int argc, char *argv[]) {
 	if (keyclass == key_rsa || keyclass == key_ecc || keyclass == key_ecx)
 		goto generate_keys;

-	/*
-	 * Special setup for Diffie-Hellman keys
-	 */
-	if (special != 0) {
-		public_template[DH_BASE].pValue = pk11_dh_bn2;
-		public_template[DH_BASE].ulValueLen = sizeof(pk11_dh_bn2);
-		if (bits == 768) {
-			public_template[DH_PRIME].pValue = pk11_dh_bn768;
-			public_template[DH_PRIME].ulValueLen =
-				sizeof(pk11_dh_bn768);
-		} else if (bits == 1024) {
-			public_template[DH_PRIME].pValue = pk11_dh_bn1024;
-			public_template[DH_PRIME].ulValueLen =
-				sizeof(pk11_dh_bn1024);
-		} else {
-			public_template[DH_PRIME].pValue = pk11_dh_bn1536;
-			public_template[DH_PRIME].ulValueLen =
-				sizeof(pk11_dh_bn1536);
-		}
-		param_attrcnt = 0;
-		goto generate_keys;
-	}
-
 	/* Generate Domain parameters */
 	rv = pkcs_C_GenerateKey(hSession, &dpmech, domain_template,
 			   domain_attrcnt, &domainparams);
@@ -651,7 +479,7 @@ main(int argc, char *argv[]) {
 		fprintf(stderr,
 			"C_GetAttributeValue0: Error = 0x%.8lX\n", rv);
 		error = 1;
-		goto exit_domain;
+		goto exit_search;
 	}

 	/* Allocate space for parameter attributes */
@@ -664,81 +492,22 @@ main(int argc, char *argv[]) {
 		if (param_template[i].pValue == NULL) {
 			fprintf(stderr, "malloc failed\n");
 			error = 1;
-			goto exit_params;
+			goto exit_search;
 		}
 	}

-	rv = pkcs_C_GetAttributeValue(hSession, domainparams,
-				 dsa_param_template, DSA_PARAM_ATTRS);
-
-	if (rv != CKR_OK) {
-		fprintf(stderr,
-			"C_GetAttributeValue1: Error = 0x%.8lX\n", rv);
-		error = 1;
-		goto exit_params;
-	}
-
-	switch (keyclass) {
-	case key_dsa:
-		public_template[DSA_PRIME].pValue =
-			param_template[DSA_PARAM_PRIME].pValue;
-		public_template[DSA_PRIME].ulValueLen =
-			param_template[DSA_PARAM_PRIME].ulValueLen;
-		public_template[DSA_SUBPRIME].pValue =
-			param_template[DSA_PARAM_SUBPRIME].pValue;
-		public_template[DSA_SUBPRIME].ulValueLen =
-			param_template[DSA_PARAM_SUBPRIME].ulValueLen;
-		public_template[DSA_BASE].pValue =
-			param_template[DSA_PARAM_BASE].pValue;
-		public_template[DSA_BASE].ulValueLen =
-			param_template[DSA_PARAM_BASE].ulValueLen;
-		break;
-	case key_dh:
-		public_template[DH_PRIME].pValue =
-			param_template[DH_PARAM_PRIME].pValue;
-		public_template[DH_PRIME].ulValueLen =
-			param_template[DH_PARAM_PRIME].ulValueLen;
-		public_template[DH_BASE].pValue =
-			param_template[DH_PARAM_BASE].pValue;
-		public_template[DH_BASE].ulValueLen =
-			param_template[DH_PARAM_BASE].ulValueLen;
-	default:
-		break;
-	}
-
 generate_keys:
 	/* Generate Key pair for signing/verifying */
 	rv = pkcs_C_GenerateKeyPair(hSession, &mech,
 			       public_template, public_attrcnt,
 			       private_template, private_attrcnt,
 			       &publickey, &privatekey);
-	
+
 	if (rv != CKR_OK) {
 		fprintf(stderr, "C_GenerateKeyPair: Error = 0x%.8lX\n", rv);
 		error = 1;
 	 } else if (!quiet)
 		printf("Key pair generation complete.\n");
-	
- exit_params:
-	/* Free parameter attributes */
-	if (keyclass == key_dsa || keyclass == key_dh) {
-		for (i = 0; i < param_attrcnt; i++) {
-			if (param_template[i].pValue != NULL) {
-				free(param_template[i].pValue);
-			}
-		}
-	}
-
- exit_domain:
-	/* Destroy domain parameters */
-	if (keyclass == key_dsa || (keyclass == key_dh && !special)) {
-		rv = pkcs_C_DestroyObject(hSession, domainparams);
-		if (rv != CKR_OK) {
-			fprintf(stderr,
-				"C_DestroyObject: Error = 0x%.8lX\n", rv);
-			error = 1;
-		}
-	}

 exit_search:
 	rv = pkcs_C_FindObjectsFinal(hSession);
--- a/bin/python/isc/dnskey.py.in
+++ b/bin/python/isc/dnskey.py.in
@@ -30,7 +30,7 @@ class dnskey:
              'Revoke', 'DSPublish', 'SyncPublish', 'SyncDelete')
    _OPTS = (None, '-P', '-A', '-I', '-D', '-R', None, '-Psync', '-Dsync')

-    _ALGNAMES = (None, 'RSAMD5', 'DH', 'DSA', 'ECC', 'RSASHA1',
+    _ALGNAMES = (None, 'RSAMD5', 'DH', 'DSA', None, 'RSASHA1',
                 'NSEC3DSA', 'NSEC3RSASHA1', 'RSASHA256', None,
                 'RSASHA512', None, 'ECCGOST', 'ECDSAP256SHA256',
                 'ECDSAP384SHA384', 'ED25519', 'ED448')
--- a/bin/tests/optional/Kchild.example.+003+04017.key
+++ b/bin/tests/optional/Kchild.example.+003+04017.key
@@ -1 +0,0 @@
-child.example. IN KEY 256 3 3 ALeiYGFXbil6PgHnkm5ZE67ygEVDvGT/gqZmLH7tGboofcPSfyhh1hpw dxZgJ26d/gynWMGVSYzaXfzsxpPoNeYn+qeevQoJOaxXXlfcy8Ik52Rm eW0J9mWlf9hsD7ShIhh1+0kRYGCOCaU25wIe3SLVkN3HgqiCBDYnBY0u nMkqRadiUnoEa3Tcvc9kJx9r9gDstR2A9A5sBhFLI/XQ0gViHHLVpQ4x hz+rTLb/xrBoAb5sQJT3xUjhhdNo9HuL6kwdLdSu//PCl1QnY9NpYPVV SKUo
--- a/bin/tests/optional/Kchild.example.+003+04017.private
+++ b/bin/tests/optional/Kchild.example.+003+04017.private
@@ -1,7 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 3 (DSA)
-Prime(p): vGT/gqZmLH7tGboofcPSfyhh1hpwdxZgJ26d/gynWMGVSYzaXfzsxpPoNeYn+qeevQoJOaxXXlfcy8Ik52RmeQ==
-Subprime(q): t6JgYVduKXo+AeeSblkTrvKARUM=
-Base(g): bQn2ZaV/2GwPtKEiGHX7SRFgYI4JpTbnAh7dItWQ3ceCqIIENicFjS6cySpFp2JSegRrdNy9z2QnH2v2AOy1HQ==
-Private_value(x): J1Ctez8+w1PTR56Hze3pGoe0Wag=
-Public_value(y): gPQObAYRSyP10NIFYhxy1aUOMYc/q0y2/8awaAG+bECU98VI4YXTaPR7i+pMHS3Urv/zwpdUJ2PTaWD1VUilKA==
--- a/bin/tests/optional/Kchild.example.+005+33180.key
+++ b/bin/tests/optional/Kchild.example.+005+33180.key
@@ -0,0 +1,5 @@
+; This is a zone-signing key, keyid 33180, for child.example.
+; Created: 20181025104746 (Thu Oct 25 12:47:46 2018)
+; Publish: 20181025104746 (Thu Oct 25 12:47:46 2018)
+; Activate: 20181025104746 (Thu Oct 25 12:47:46 2018)
+child.example. IN DNSKEY 256 3 5 AwEAAb9eatC8ASzDnRApcZuxyBrvJRANRQjCXQ1FWK+8vEyXV5NIE9Km hKIV2wbq2tLBPfjNQz4BTJ9RmDINf1RayDlt6L+IQV1JCaDaMjd1zU3n SQK18Y7fMu0ww4AMKOnoVRbkIxa3zlA0chImXcfPE0q2AvKBYLzPfkPO cfplAuRkLcGUxdADCipNzCOakpcd5gfm9Sa2HlaXcw3gyI1WcE8=
--- a/bin/tests/optional/Kchild.example.+005+33180.private
+++ b/bin/tests/optional/Kchild.example.+005+33180.private
@@ -0,0 +1,13 @@
+Private-key-format: v1.3
+Algorithm: 5 (RSASHA1)
+Modulus: v15q0LwBLMOdEClxm7HIGu8lEA1FCMJdDUVYr7y8TJdXk0gT0qaEohXbBura0sE9+M1DPgFMn1GYMg1/VFrIOW3ov4hBXUkJoNoyN3XNTedJArXxjt8y7TDDgAwo6ehVFuQjFrfOUDRyEiZdx88TSrYC8oFgvM9+Q85x+mUC5GQtwZTF0AMKKk3MI5qSlx3mB+b1JrYeVpdzDeDIjVZwTw==
+PublicExponent: AQAB
+PrivateExponent: WDsn9GU6BXGLENCK2MX3BLQN2oDDu24hiOTYJu5VwtpkPjuVKCIuNKzu9xmBGnqOIBBDWGsw8KOmEC247yOL/S53iRdBS8lI7yiqznc52RhlmrdPKXbNpVnPwil8wocw+oQYa7uvdPYxI2Yy3B/tRgUxlxSlc/LW/dr0BX2L7qr/aeOBeGSRUlCpc7tYU9a2RUaLpVxF6SlqicCpC91MAQ==
+Prime1: 466f+JL66Bl4qYnkj0s9+1N3pYmdcM9Ja1AN66X4VLslA9Cm1JEaC5V9HOptfcXUk0XYEVnKeKM2lIQnvcLG0yuQHIa+pGi7P8vgQfdaRUE=
+Prime2: 1yuUkTVRSbUWeUreEcHgeeBBJ61UshX7t07gnGgIr3artGdo2CVEb5//+2Mvj5bgjCQBvjBbmHNZrR0jKDRBTIGtqbBerOuhEN4AXdAEgY8=
+Exponent1: KzUXbJ/P973ltR7S/hKEV66WVRbRhvf/cdsGWULs5n+BXcD59/r1W19qF9OxJZ4mYjBt+ZT1pIEsuXB+7jcJbkelGJTFlwO9DTVOgJZFTkE=
+Exponent2: FTPsLertGbBIiKdB/sn2Dsx0Xy6LXAkihsu1AnSV9oRhIyPVhwcVGVLQ7Lq3YxThB648pbsqK3miapamcj3D+YAF1uTUT4Hgm0LlEll/OC0=
+Coefficient: Vulw9kmmjKc+wmOukLdzheoA2hNPDVtgiynfzHybyXdqvapCoK+ZVmNFzjO0M41ATcpvya3iX0bekMQqYnBhLURNZUIyqz2nGskOjV8I5Jg=
+Created: 20181025104746
+Publish: 20181025104746
+Activate: 20181025104746
--- a/bin/tests/optional/dst_test.c
+++ b/bin/tests/optional/dst_test.c
@@ -254,11 +254,9 @@ main(void) {
 	result = dns_name_fromtext(name, &b, NULL, 0, NULL);
 	if (result != ISC_R_SUCCESS)
 		return (1);
-	io(name, 23616, DST_ALG_DSA, DST_TYPE_PRIVATE|DST_TYPE_PUBLIC, mctx);
 	io(name, 54622, DST_ALG_RSAMD5, DST_TYPE_PRIVATE|DST_TYPE_PUBLIC,
 	   mctx);

-	io(name, 49667, DST_ALG_DSA, DST_TYPE_PRIVATE|DST_TYPE_PUBLIC, mctx);
 	io(name, 2, DST_ALG_RSAMD5, DST_TYPE_PRIVATE|DST_TYPE_PUBLIC, mctx);

 	isc_buffer_constinit(&b, "dh.", 3);
@@ -270,7 +268,6 @@ main(void) {

 	generate(DST_ALG_RSAMD5, mctx);
 	generate(DST_ALG_DH, mctx);
-	generate(DST_ALG_DSA, mctx);
 	generate(DST_ALG_HMACMD5, mctx);

 	dst_lib_destroy();
--- a/bin/tests/optional/sig0_test.c
+++ b/bin/tests/optional/sig0_test.c
@@ -255,7 +255,7 @@ main(int argc, char *argv[]) {
 	CHECK("dns_name_fromtext", result);

 	key = NULL;
-	result = dst_key_fromfile(name, 4017, DNS_KEYALG_DSA,
+	result = dst_key_fromfile(name, 33180, DNS_KEYALG_RSASHA1,
 				  DST_TYPE_PUBLIC | DST_TYPE_PRIVATE,
 				  NULL, mctx, &key);
 	CHECK("dst_key_fromfile", result);
--- a/config.h.in
+++ b/config.h.in
@@ -99,9 +99,6 @@
 /* Define to 1 to enable dnstap support */
 #undef HAVE_DNSTAP

-/* Define to 1 if you have the `DSA_get0_pqg' function. */
-#undef HAVE_DSA_GET0_PQG
-
 /* Define to 1 if you have the `ECDSA_sign' function. */
 #undef HAVE_ECDSA_SIGN

--- a/config.h.win32
+++ b/config.h.win32
@@ -111,15 +111,6 @@
 /* Define if you have h_errno */
 #define HAVE_H_ERRNO

-/* Define if you have RSA_generate_key(). */
-#define HAVE_RSA_GENERATE_KEY
-
-/* Define if you have DSA_generate_parameters(). */
-#define HAVE_DSA_GENERATE_PARAMETERS
-
-/* Define if you have DH_generate_parameters(). */
-#define HAVE_DH_GENERATE_PARAMETERS
-
 /* Define if you have getpassphrase in the C library. */
 #define HAVE_GETPASSPHRASE

@@ -289,9 +280,6 @@ typedef __int64 off_t;
 /* Define if your OpenSSL version supports DH functions. */
@HAVE_DH_GET0_KEY@

-/* Define if your OpenSSL version supports DSA functions. */
-@HAVE_DSA_GET0_PQG@
-
 /* Define if your OpenSSL version supports ECDSA functions. */
@HAVE_ECDSA_SIG_GET0@

--- a/2
+++ b/2
@@ -15787,7 +15787,7 @@ done
 #
 # Check for OpenSSL 1.1.x/LibreSSL functions
 #
-for ac_func in DH_get0_key ECDSA_SIG_get0 RSA_set0_key DSA_get0_pqg
+for ac_func in DH_get0_key ECDSA_SIG_get0 RSA_set0_key
 do :
  as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
 ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
--- a/configure.ac
+++ b/configure.ac
@@ -857,7 +857,7 @@ AC_CHECK_FUNCS([EVP_aes_128_ecb EVP_aes_192_ecb EVP_aes_256_ecb], [:],
 #
 # Check for OpenSSL 1.1.x/LibreSSL functions
 #
-AC_CHECK_FUNCS([DH_get0_key ECDSA_SIG_get0 RSA_set0_key DSA_get0_pqg])
+AC_CHECK_FUNCS([DH_get0_key ECDSA_SIG_get0 RSA_set0_key])

 #
 # Check whether FIPS mode is available and whether we should enable it
--- a/lib/dns/dst_parse.h
+++ b/lib/dns/dst_parse.h
@@ -63,13 +63,6 @@
 #define TAG_DH_PRIVATE		((DST_ALG_DH << TAG_SHIFT) + 2)
 #define TAG_DH_PUBLIC		((DST_ALG_DH << TAG_SHIFT) + 3)

-#define DSA_NTAGS		5
-#define TAG_DSA_PRIME		((DST_ALG_DSA << TAG_SHIFT) + 0)
-#define TAG_DSA_SUBPRIME	((DST_ALG_DSA << TAG_SHIFT) + 1)
-#define TAG_DSA_BASE		((DST_ALG_DSA << TAG_SHIFT) + 2)
-#define TAG_DSA_PRIVATE		((DST_ALG_DSA << TAG_SHIFT) + 3)
-#define TAG_DSA_PUBLIC		((DST_ALG_DSA << TAG_SHIFT) + 4)
-
 #define ECDSA_NTAGS		4
 #define TAG_ECDSA_PRIVATEKEY	((DST_ALG_ECDSA256 << TAG_SHIFT) + 0)
 #define TAG_ECDSA_ENGINE	((DST_ALG_ECDSA256 << TAG_SHIFT) + 1)
--- a/lib/dns/include/dns/keyvalues.h
+++ b/lib/dns/include/dns/keyvalues.h
@@ -90,12 +90,6 @@
 #define DNS_SIG_RSAMINSIZE	((DNS_SIG_RSAMINBITS+7)/8)
 #define DNS_SIG_RSAMAXSIZE	((DNS_SIG_RSAMAXBITS+7)/8)

-#define DNS_SIG_DSASIGSIZE	41
-#define DNS_SIG_DSAMINBITS	512
-#define DNS_SIG_DSAMAXBITS	1024
-#define DNS_SIG_DSAMINBYTES	213
-#define DNS_SIG_DSAMAXBYTES	405
-
 #define DNS_SIG_ECDSA256SIZE	64
 #define DNS_SIG_ECDSA384SIZE	96

--- a/lib/dns/nsec.c
+++ b/lib/dns/nsec.c
@@ -274,9 +274,7 @@ dns_nsec_nseconly(dns_db_t *db, dns_dbversion_t *version,
 		RUNTIME_CHECK(result == ISC_R_SUCCESS);

 		if (dnskey.algorithm == DST_ALG_RSAMD5 ||
-		    dnskey.algorithm == DST_ALG_RSASHA1 ||
-		    dnskey.algorithm == DST_ALG_DSA ||
-		    dnskey.algorithm == DST_ALG_ECC)
+		    dnskey.algorithm == DST_ALG_RSASHA1)
 			break;
 	}
 	dns_rdataset_disassociate(&rdataset);
--- a/lib/dns/rcode.c
+++ b/lib/dns/rcode.c
@@ -108,8 +108,9 @@
 	{ DNS_KEYALG_RSAMD5, "RSAMD5", 0 }, \
 	{ DNS_KEYALG_RSAMD5, "RSA", 0 }, \
 	{ DNS_KEYALG_DH, "DH", 0 }, \
-	{ DNS_KEYALG_ECC, "ECC", 0 }, \
+	{ DNS_KEYALG_DSA, "DSA", 0 }, \
 	{ DNS_KEYALG_RSASHA1, "RSASHA1", 0 }, \
+	{ DNS_KEYALG_NSEC3DSA, "NSEC3DSA", 0 }, \
 	{ DNS_KEYALG_NSEC3RSASHA1, "NSEC3RSASHA1", 0 }, \
 	{ DNS_KEYALG_RSASHA256, "RSASHA256", 0 }, \
 	{ DNS_KEYALG_RSASHA512, "RSASHA512", 0 }, \
--- a/lib/dns/tests/dst_test.c
+++ b/lib/dns/tests/dst_test.c
@@ -19,6 +19,7 @@
 #include <unistd.h>

 #include <isc/file.h>
+#include <isc/hex.h>
 #include <isc/util.h>
 #include <isc/stdio.h>
 #include <isc/string.h>
@@ -185,10 +186,39 @@ check_sig(const char *datapath, const char *sigpath, const char *keyname,
 	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
 	result = dst_context_verify(ctx, &sigreg);

+	if (expect && result != ISC_R_SUCCESS) {
+		isc_result_t result2;
+		result2 = dst_context_create(key, mctx, DNS_LOGCATEGORY_GENERAL,
+					    false, 0, &ctx);
+		ATF_REQUIRE_EQ(result2, ISC_R_SUCCESS);
+
+		result2 = dst_context_adddata(ctx, &datareg);
+		ATF_REQUIRE_EQ(result2, ISC_R_SUCCESS);
+
+		char sigbuf2[4096];
+		isc_buffer_t sigb;
+		isc_buffer_init(&sigb, sigbuf2, sizeof(sigbuf2));
+
+		result2 = dst_context_sign(ctx, &sigb);
+		ATF_REQUIRE_EQ(result2, ISC_R_SUCCESS);
+
+		isc_region_t r;
+		isc_buffer_usedregion(&sigb, &r);
+
+		char hexbuf[4096] = { 0 };
+		isc_buffer_t hb;
+		isc_buffer_init(&hb, hexbuf, sizeof(hexbuf));
+
+		isc_hex_totext(&r, 0, "", &hb);
+
+		fprintf(stderr, "%s\n", hexbuf);
+
+		dst_context_destroy(&ctx);
+	}
+
 	ATF_REQUIRE((expect && (result == ISC_R_SUCCESS)) ||
 		    (!expect && (result != ISC_R_SUCCESS)));

-
 	isc_mem_put(mctx, data, size + 1);
 	dst_context_destroy(&ctx);
 	dst_key_free(&key);
@@ -211,27 +241,28 @@ ATF_TC_BODY(sig, tc) {
 		dns_secalg_t alg;
 		bool expect;
 	} testcases[] = {
+		/* XXXOND: Why the heck isn't this failing? */
 		{
 			"testdata/dst/test1.data",
-			"testdata/dst/test1.dsasig",
-			"test.", 23616, DST_ALG_DSA, true
+			"testdata/dst/test1.ecdsa256sig",
+			"test.", 49130, DST_ALG_ECDSA256, true
 		},
 		{
 			"testdata/dst/test1.data",
-			"testdata/dst/test1.rsasig",
-			"test.", 54622, DST_ALG_RSAMD5, true
+			"testdata/dst/test1.rsasha256sig",
+			"test.", 11349, DST_ALG_RSASHA256, true
 		},
 		{
 			/* wrong sig */
 			"testdata/dst/test1.data",
-			"testdata/dst/test1.dsasig",
-			"test.", 54622, DST_ALG_RSAMD5, false
+			"testdata/dst/test1.ecdsa256sig",
+			"test.", 11349, DST_ALG_RSASHA256, false
 		},
 		{
 			/* wrong data */
 			"testdata/dst/test2.data",
-			"testdata/dst/test1.dsasig",
-			"test.", 23616, DST_ALG_DSA, false
+			"testdata/dst/test1.ecdsa256sig",
+			"test.", 49130, DST_ALG_ECDSA256, false
 		},
 	};
 	unsigned int i;
--- a/lib/dns/tests/testdata/dst/Ktest.+001+00002.key
+++ b/lib/dns/tests/testdata/dst/Ktest.+001+00002.key
@@ -1 +0,0 @@
-test. IN DNSKEY 49152 2 1
--- a/lib/dns/tests/testdata/dst/Ktest.+001+54622.key
+++ b/lib/dns/tests/testdata/dst/Ktest.+001+54622.key
@@ -1 +0,0 @@
-test. IN DNSKEY 257 3 1 AQPQjwSpaVzxIgRCpiUoozUQKGh2oX8NIFKDOvtxK+tn536OZg2cROKTlgGEHXJK9YHfW/6nzQULTVpb63P+SQMmjCCidb8IYyhItixRztVeJQ==
--- a/lib/dns/tests/testdata/dst/Ktest.+001+54622.private
+++ b/lib/dns/tests/testdata/dst/Ktest.+001+54622.private
@@ -1,10 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 1 (RSA)
-Modulus: 0I8EqWlc8SIEQqYlKKM1EChodqF/DSBSgzr7cSvrZ+d+jmYNnETik5YBhB1ySvWB31v+p80FC01aW+tz/kkDJowgonW/CGMoSLYsUc7VXiU=
-PublicExponent: Aw==
-PrivateExponent: iwoDG5uTS2wC1xluGxd4tXBFpGuqCMA3AidSS3Kc7++ptEQJEtiXC9kfCJMvZhGfQLaujft2OgrmkcuDVtPIbQWEENhyJhb4Lk82kFXbfus=
-Prime1: /rSKuzcZY7R5cY2YWD4CiBNyj9WJMq1wWmBnb9+5M08nTl5E9NW5qQ==
-Prime2: 0Z5shXQYd16E2Gs6e5WxtO0Oqlly2KkSqXohwTQWDWTb8Pw0WTZmHQ==
-Exponent1: qc2x0iS7l82mS7O65X6sWrehtTkGIcj1kZWaSpUmIjTE3umDTePRGw==
-Exponent2: i77zA6K6+j8DOvIm/Q52eJ4JxuZMkHC3G6bBK3gOs5iSoKgi5iREEw==
-Coefficient: 3+wYZB0SJad7z2EsjzgbSlg6CawoaOvrROGSbwSiW5DCsMFROudOTw==
--- a/lib/dns/tests/testdata/dst/Ktest.+003+23616.key
+++ b/lib/dns/tests/testdata/dst/Ktest.+003+23616.key
@@ -1 +0,0 @@
-test. IN DNSKEY 16641 3 3 ANp1//lqDlEfTavcFI+cyudNfgEz73V/K7fSDvkA0eDYcGg/kSvEjAEO/oLWCERltkuC55ZcM/mSv17WF1d/wR6kww/pLI9eXwkjftAYqs5sNxk+mbEGl6zwve9wq5z7IoTY5/J4l7XLCKftg/wGvrzXQhggIkRvEh3myhxd+ouILcpfvTIthWlTKiH59tSJpmgmiSMTE7nDYaf10iVRWN6DMSprgejiH05/fpmyZAt44tyAh4m1wXS5u4tam1PXDJYJozn7EfQ8e2weIv1yC+t6PHSx
--- a/lib/dns/tests/testdata/dst/Ktest.+003+23616.private
+++ b/lib/dns/tests/testdata/dst/Ktest.+003+23616.private
@@ -1,7 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 3 (DSA)
-Prime(p): 73V/K7fSDvkA0eDYcGg/kSvEjAEO/oLWCERltkuC55ZcM/mSv17WF1d/wR6kww/pLI9eXwkjftAYqs5sNxk+mQ==
-Subprime(q): 2nX/+WoOUR9Nq9wUj5zK501+ATM=
-Base(g): sQaXrPC973CrnPsihNjn8niXtcsIp+2D/Aa+vNdCGCAiRG8SHebKHF36i4gtyl+9Mi2FaVMqIfn21ImmaCaJIw==
-Private_value(x): Nky4tvIwg6xlcyeHXr4k2DEZg0E=
-Public_value(y): ExO5w2Gn9dIlUVjegzEqa4Ho4h9Of36ZsmQLeOLcgIeJtcF0ubuLWptT1wyWCaM5+xH0PHtsHiL9cgvrejx0sQ==
--- a/lib/dns/tests/testdata/dst/Ktest.+003+49667.key
+++ b/lib/dns/tests/testdata/dst/Ktest.+003+49667.key
@@ -1 +0,0 @@
-test. IN DNSKEY 49152 2 3
--- a/lib/dns/tests/testdata/dst/Ktest.+008+11349.key
+++ b/lib/dns/tests/testdata/dst/Ktest.+008+11349.key
@@ -0,0 +1,5 @@
+; This is a zone-signing key, keyid 11349, for test.
+; Created: 20181025090713 (Thu Oct 25 11:07:13 2018)
+; Publish: 20181025090713 (Thu Oct 25 11:07:13 2018)
+; Activate: 20181025090713 (Thu Oct 25 11:07:13 2018)
+test. IN DNSKEY 256 3 8 AwEAAdqPwPScyURzeCUzEadKNYgQW50LPDV/ir9nWIbiSn2yMkymxiby BQH+Hk1neE9qa9X4XaEnKf5YZx7o14rRikmOb2lomtOkI9ovh1K/SvLO Zd1E3e61F29g1eCq52mMY3xAdEcBNqEq+6mgEwGmwl83+mAh5anxXNHa 2rcfdG+L
--- a/lib/dns/tests/testdata/dst/Ktest.+008+11349.private
+++ b/lib/dns/tests/testdata/dst/Ktest.+008+11349.private
@@ -0,0 +1,13 @@
+Private-key-format: v1.3
+Algorithm: 8 (RSASHA256)
+Modulus: 2o/A9JzJRHN4JTMRp0o1iBBbnQs8NX+Kv2dYhuJKfbIyTKbGJvIFAf4eTWd4T2pr1fhdoScp/lhnHujXitGKSY5vaWia06Qj2i+HUr9K8s5l3UTd7rUXb2DV4KrnaYxjfEB0RwE2oSr7qaATAabCXzf6YCHlqfFc0dratx90b4s=
+PublicExponent: AQAB
+PrivateExponent: a4qmX/YxlmvWpz8spYr/MhcSbQCVPKGoLKv2RFBeZODknRDGmW0mh6d5U47hBPqRWvRdZak2oX7wJqZdQGIAT25bC09rLNMctfxXKtzwSaXFjXZGHGv+bDHcqIltvIYmRbb0pK/LinFaLZqfpVe0WOfKuT9BT03BlwSZV8GKgZE=
+Prime1: 8oZLQoVpIqsiQw7bX5pTm/O0gEUnEzNOVEoLGsfIl68Lz/1CBm9ypTp8QOB0B9IpnH8vOS+NJM1az1d0RhqKow==
+Prime2: 5rSbE6duWIb90uICkAUJn4OztHX0fkd9GKNYdsHVReFBH2poXGojVGkW6i/IaYl4NEXXr5Z89dWtR+RNH2Z9+Q==
+Exponent1: 2IcuCmYyR9Gi9Vv+YIzYuRQMw7j5+hqEhJzW7UIRxdtzIG9s03INWZet9/5tmc35eM/Uyam6ynDN8vCRz0VDIQ==
+Exponent2: vKcdVKIKWrvwXXzRaaGk79rLnZsDFiwxQG96TIpOczkyfpUNx9xHDaRtx4zRTnPKZrxiFkRx5LkZXHt1EWNHSQ==
+Coefficient: pb9dFRZA2IRXDCGCM1ikp+QCs72wNn3hgURZLRLmtcBbQcYhP/dcp80SpInviwJPNRcKrfxninqygEARzfHtqQ==
+Created: 20181025090713
+Publish: 20181025090713
+Activate: 20181025090713
--- a/lib/dns/tests/testdata/dst/Ktest.+013+49130.key
+++ b/lib/dns/tests/testdata/dst/Ktest.+013+49130.key
@@ -0,0 +1,5 @@
+; This is a zone-signing key, keyid 49130, for test.
+; Created: 20181025090718 (Thu Oct 25 11:07:18 2018)
+; Publish: 20181025090718 (Thu Oct 25 11:07:18 2018)
+; Activate: 20181025090718 (Thu Oct 25 11:07:18 2018)
+test. IN DNSKEY 256 3 13 uP04fwB/DuBBqdjPLseIoFT7vgtP8Lr/be1NhRBvibwQ+Hr+3GQhIKIK XbamgOUxXJ9JDjWFAT2KXw0V3sAN9w==
--- a/lib/dns/tests/testdata/dst/Ktest.+013+49130.private
+++ b/lib/dns/tests/testdata/dst/Ktest.+013+49130.private
@@ -0,0 +1,6 @@
+Private-key-format: v1.3
+Algorithm: 13 (ECDSAP256SHA256)
+PrivateKey: feGDRABRCbcsCqssKK5B5518y95smrv/cJnz2pa/UVA=
+Created: 20181025090718
+Publish: 20181025090718
+Activate: 20181025090718
--- a/lib/dns/tests/testdata/dst/test1.dsasig
+++ b/lib/dns/tests/testdata/dst/test1.dsasig
@@ -1,3 +0,0 @@
-0009B55FDB62034326278C9371F32D92
-3D0E1161A32D491BEC38546FC452D903
-A91D806345B2F7F22E
--- a/lib/dns/tests/testdata/dst/test1.ecdsa256sig
+++ b/lib/dns/tests/testdata/dst/test1.ecdsa256sig
@@ -0,0 +1 @@
+8A7D4670BCC3DC8299E62AAE0A2DCB84E5B972BC8CB97422DD61E58B74440645626CC11D421570745B2D84EE38DA64BBF27DEF66F951B88A3647BFE3730EADE5
--- a/lib/dns/tests/testdata/dst/test1.rsasha256sig
+++ b/lib/dns/tests/testdata/dst/test1.rsasha256sig
@@ -0,0 +1 @@
+65DE879EDCD21C9B22BDF383424C3F513C15A4F217FF2BEE555D1AE31E24C9FF5BBA1CB32A331C2236FC4FAFBD80F597E7CF6B19DB867FB75DC4AD41F8FA66D13D8B44F6B2A44624A88EAE168A8E3DB5E32946868BFD2BB3D562E85C492A89B1A93279B8B73D4785C09DFCE54485914B2BCDA5C537A842AAA2D3B2E5228E8A11
--- a/lib/dns/tests/testdata/dst/test1.rsasig
+++ b/lib/dns/tests/testdata/dst/test1.rsasig
@@ -1,5 +0,0 @@
-A8A20D2F26F792B3CE76DD0E12A85DFE
-FF66AB866EF0BDB0F515001E234E699B
-F5CD6FB41FB15D4213705ABE9B563896
-2196228648E0F8AA7F2F4EED3C19165C
-1B4C70C9D69B93A1F2BE5B2F948CE023
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -17861,8 +17861,7 @@ dnskey_sane(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
 			continue;

 		alg = tuple->rdata.data[3];
-		if (alg == DST_ALG_RSAMD5 || alg == DST_ALG_RSASHA1 ||
-		    alg == DST_ALG_DSA || alg == DST_ALG_ECC) {
+		if (alg == DST_ALG_RSAMD5 || alg == DST_ALG_RSASHA1) {
 			nseconly = true;
 			break;
 		}
--- a/lib/isc/include/pk11/pk11.h
+++ b/lib/isc/include/pk11/pk11.h
@@ -58,7 +58,6 @@ typedef struct pk11_object pk11_object_t;
 typedef enum {
 	OP_ANY = 0,
 	OP_RSA = 1,
-	OP_DSA = 2,
 	OP_DH = 3,
 	OP_ECDSA = 4,
 	OP_EDDSA = 5,
--- a/lib/isc/pk11.c
+++ b/lib/isc/pk11.c
@@ -559,35 +559,6 @@ scan_slots(void) {
 			}
 		}

-		/* Check for DH support */
-		bad = false;
-		rv = pkcs_C_GetMechanismInfo(slot, CKM_DH_PKCS_PARAMETER_GEN,
-					     &mechInfo);
-		if ((rv != CKR_OK) || ((mechInfo.flags & CKF_GENERATE) == 0)) {
-			PK11_TRACEM(CKM_DH_PKCS_PARAMETER_GEN);
-		}
-		rv = pkcs_C_GetMechanismInfo(slot, CKM_DH_PKCS_KEY_PAIR_GEN,
-					     &mechInfo);
-		if ((rv != CKR_OK) ||
-		    ((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0)) {
-#ifndef PK11_DH_PKCS_PARAMETER_GEN_SKIP
-			bad = true;
-#endif
-			PK11_TRACEM(CKM_DH_PKCS_KEY_PAIR_GEN);
-		}
-		rv = pkcs_C_GetMechanismInfo(slot, CKM_DH_PKCS_DERIVE,
-					     &mechInfo);
-		if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DERIVE) == 0)) {
-			bad = true;
-			PK11_TRACEM(CKM_DH_PKCS_DERIVE);
-		}
-		if (!bad) {
-			token->operations |= 1 << OP_DH;
-			if (best_dh_token == NULL) {
-				best_dh_token = token;
-			}
-		}
-
 		/* Check for ECDSA support */
 		bad = false;
 		rv = pkcs_C_GetMechanismInfo(slot, CKM_EC_KEY_PAIR_GEN,
@@ -651,9 +622,6 @@ pk11_get_best_token(pk11_optype_t optype) {
 	case OP_RSA:
 		token = best_rsa_token;
 		break;
-	case OP_DH:
-		token = best_dh_token;
-		break;
 	case OP_ECDSA:
 		token = best_ecdsa_token;
 		break;
@@ -999,8 +967,6 @@ pk11_parse_uri(pk11_object_t *obj, const char *label,
 	if (token == NULL) {
 		if (optype == OP_RSA) {
 			token = best_rsa_token;
-		} else if (optype == OP_DH) {
-			token = best_dh_token;
 		} else if (optype == OP_ECDSA) {
 			token = best_ecdsa_token;
 		} else if (optype == OP_EDDSA) {
@@ -1058,12 +1024,6 @@ pk11_dump_tokens(void) {
 			first = false;
 			printf("RSA");
 		}
-		if (token->operations & (1 << OP_DH)) {
-			if (!first)
-				printf(",");
-			first = false;
-			printf("DH");
-		}
 		if (token->operations & (1 << OP_ECDSA)) {
 			if (!first)
 				printf(",");
--- a/lib/ns/update.c
+++ b/lib/ns/update.c
@@ -1960,8 +1960,7 @@ check_dnssec(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 		if (tuple->rdata.type == dns_rdatatype_dnskey) {
 			uint8_t alg;
 			alg = tuple->rdata.data[3];
-			if (alg == DST_ALG_RSAMD5 || alg == DST_ALG_RSASHA1 ||
-			    alg == DST_ALG_DSA || alg == DST_ALG_ECC) {
+			if (alg == DST_ALG_RSAMD5 || alg == DST_ALG_RSASHA1) {
 				nseconly = true;
 				break;
 			}
--- a/util/copyrights
+++ b/util/copyrights
@@ -302,8 +302,8 @@
 ./bin/tests/headerdep_test.sh.in		SH	2000,2001,2004,2007,2012,2016,2018
 ./bin/tests/makejournal.c			C	2013,2015,2016,2017,2018
 ./bin/tests/named.conf				CONF-C	1999,2000,2001,2004,2007,2011,2015,2016,2018
-./bin/tests/optional/Kchild.example.+003+04017.key	X	2000,2001,2018
-./bin/tests/optional/Kchild.example.+003+04017.private	X	2000,2001,2018
+./bin/tests/optional/Kchild.example.+005+33180.key	X	2018
+./bin/tests/optional/Kchild.example.+005+33180.private	X	2018
 ./bin/tests/optional/adb_test.c			C	1999,2000,2001,2004,2005,2007,2009,2011,2012,2013,2015,2016,2018
 ./bin/tests/optional/backtrace_test.c		C	2009,2013,2015,2016,2018
 ./bin/tests/optional/byaddr_test.c		C	2000,2001,2002,2004,2005,2007,2012,2015,2016,2018
@@ -3221,15 +3221,13 @@
 ./lib/dns/tests/testdata/dnstap/query.recursive	X	2015,2018
 ./lib/dns/tests/testdata/dnstap/response.auth	X	2015,2018
 ./lib/dns/tests/testdata/dnstap/response.recursive	X	2015,2018
-./lib/dns/tests/testdata/dst/Ktest.+001+00002.key	X	2018
-./lib/dns/tests/testdata/dst/Ktest.+001+54622.key	X	2018
-./lib/dns/tests/testdata/dst/Ktest.+001+54622.private	X	2018
-./lib/dns/tests/testdata/dst/Ktest.+003+23616.key	X	2018
-./lib/dns/tests/testdata/dst/Ktest.+003+23616.private	X	2018
-./lib/dns/tests/testdata/dst/Ktest.+003+49667.key	X	2018
+./lib/dns/tests/testdata/dst/Ktest.+008+11349.key	X	2018
+./lib/dns/tests/testdata/dst/Ktest.+008+11349.private	X	2018
+./lib/dns/tests/testdata/dst/Ktest.+013+49130.key	X	2018
+./lib/dns/tests/testdata/dst/Ktest.+013+49130.private	X	2018
 ./lib/dns/tests/testdata/dst/test1.data		X	2018
-./lib/dns/tests/testdata/dst/test1.dsasig	X	2018
-./lib/dns/tests/testdata/dst/test1.rsasig	X	2018
+./lib/dns/tests/testdata/dst/test1.ecdsa256sig	X	2018
+./lib/dns/tests/testdata/dst/test1.rsasha256sig	X	2018
 ./lib/dns/tests/testdata/dst/test2.data		X	2018
 ./lib/dns/tests/testdata/dstrandom/random.data	X	2017,2018
 ./lib/dns/tests/testdata/master/master1.data	X	2011,2018
--- a/win32utils/Configure
+++ b/win32utils/Configure
@@ -203,7 +203,6 @@ my @substdefh = ("AES_CC",
                 "HAVE_OPENSSL_ED25519",
                 "HAVE_OPENSSL_ED448",
 		 "HAVE_DH_GET0_KEY",
-		 "HAVE_DSA_GET0_PQG",
 		 "HAVE_ECDSA_SIG_GET0",
 		 "HAVE_RSA_SET0_KEY",
 		 "USE_BACKTRACE",
@@ -1483,7 +1482,7 @@ int main() {
        }
        printf("\n\nFound   OPENSSL_VERSION_NUMBER %#010x\n",
               OPENSSL_VERSION_NUMBER);
-        printf("This version has no built-in support for DH/DSA/ECDSA/RSA functions.\n\n");
+        printf("This version has no built-in support for DH/ECDSA/RSA functions.\n\n");
        return (1);
 }
 EOF
@@ -1495,7 +1494,6 @@ EOF
        `.\\testosslfunc.exe`;
        if ($? == 0) {
            $configdefh{"HAVE_DH_GET0_KEY"} = 1;
-            $configdefh{"HAVE_DSA_GET0_PQG"} = 1;
            $configdefh{"HAVE_ECDSA_SIG_GET0"} = 1;
            $configdefh{"HAVE_RSA_SET0_KEY"} = 1;
        }
				`@@ -1 +0,0 @@`
				`child.example. IN KEY 256 3 3 ALeiYGFXbil6PgHnkm5ZE67ygEVDvGT/gqZmLH7tGboofcPSfyhh1hpw dxZgJ26d/gynWMGVSYzaXfzsxpPoNeYn+qeevQoJOaxXXlfcy8Ik52Rm eW0J9mWlf9hsD7ShIhh1+0kRYGCOCaU25wIe3SLVkN3HgqiCBDYnBY0u nMkqRadiUnoEa3Tcvc9kJx9r9gDstR2A9A5sBhFLI/XQ0gViHHLVpQ4x hz+rTLb/xrBoAb5sQJT3xUjhhdNo9HuL6kwdLdSu//PCl1QnY9NpYPVV SKUo`
				`@@ -1 +0,0 @@`
				`test. IN DNSKEY 257 3 1 AQPQjwSpaVzxIgRCpiUoozUQKGh2oX8NIFKDOvtxK+tn536OZg2cROKTlgGEHXJK9YHfW/6nzQULTVpb63P+SQMmjCCidb8IYyhItixRztVeJQ==`
				`@@ -1 +0,0 @@`
				`test. IN DNSKEY 16641 3 3 ANp1//lqDlEfTavcFI+cyudNfgEz73V/K7fSDvkA0eDYcGg/kSvEjAEO/oLWCERltkuC55ZcM/mSv17WF1d/wR6kww/pLI9eXwkjftAYqs5sNxk+mbEGl6zwve9wq5z7IoTY5/J4l7XLCKftg/wGvrzXQhggIkRvEh3myhxd+ouILcpfvTIthWlTKiH59tSJpmgmiSMTE7nDYaf10iVRWN6DMSprgejiH05/fpmyZAt44tyAh4m1wXS5u4tam1PXDJYJozn7EfQ8e2weIv1yC+t6PHSx`
				`@@ -0,0 +1 @@`
				`8A7D4670BCC3DC8299E62AAE0A2DCB84E5B972BC8CB97422DD61E58B74440645626CC11D421570745B2D84EE38DA64BBF27DEF66F951B88A3647BFE3730EADE5`
				`@@ -0,0 +1 @@`
				`65DE879EDCD21C9B22BDF383424C3F513C15A4F217FF2BEE555D1AE31E24C9FF5BBA1CB32A331C2236FC4FAFBD80F597E7CF6B19DB867FB75DC4AD41F8FA66D13D8B44F6B2A44624A88EAE168A8E3DB5E32946868BFD2BB3D562E85C492A89B1A93279B8B73D4785C09DFCE54485914B2BCDA5C537A842AAA2D3B2E5228E8A11`