rec: A SHA-384 DS should not trump a SHA-256 one, so only potentially zap SHA-1

[omoerbeek]

Short description

Checklist

I have:

• read the CONTRIBUTING.md document
• compiled this code
• tested this code
• included documentation (including possible behaviour changes)
• documented the code
• added or modified regression test(s)
• added or modified unit test(s)

[vcunat]

So GOST still zaps SHA-1? 🤔

(On a quick glance.) Not that I'd expect it to matter/happen in practice. Still, if that's so, it would be inconsistent with the comment you added.

[Habbie]

We don't support GOST any more (even if some comments near this code still mention it) - but the comments could indeed be better.

[vcunat]

OK, but I was reading (possibly dead) code, not just comments: https://github.com/PowerDNS/pdns/blob/b995eb5/pdns/syncres.cc#L2616

[Habbie]

Indeed, dead code, even if the compiler can't figure that out.

[vcunat]

Could call it "g(h)ost" code.

[vcunat]

Speaking of GOST DS, I'd expect a new one in the IANA registry soon (like 2022?). But that does not imply you implementing it. I expect that like us, any algorithm that you add in future will be considered significantly more secure than SHA1, so it makes sense to write the code like the diff in this PR.

For reference, my reason for looking into this: https://gitlab.nic.cz/knot/knot-resolver/-/merge_requests/1251