From db53c847ca8835ce404884b35813fb297e8e664a Mon Sep 17 00:00:00 2001
From: Tom Thorogood
Date: Sat, 24 Oct 2020 22:25:55 +1030
Subject: [PATCH] Remove RSAMD5 support from (*RRSIG).Verify (#1185)
AFAIK, the only way to get an RSAMD5 DNSKEY was to manually construct one. This is ancient, just get rid of it. The only remaining usage of md5 is in tsig.go. Hopefully that might be removable as well.
---
 dnssec.go | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/dnssec.go b/dnssec.go
index b6dd9d410..900f6e059 100644
--- a/dnssec.go
+++ b/dnssec.go
@@ -5,7 +5,6 @@ import (
 "crypto"
 "crypto/ecdsa"
 "crypto/elliptic"
- _ "crypto/md5"
 "crypto/rand"
 "crypto/rsa"
 _ "crypto/sha1"
@@ -437,7 +436,7 @@ func (rr *RRSIG) Verify(k *DNSKEY, rrset []RR) error {
 }
 
 switch rr.Algorithm {
- case RSASHA1, RSASHA1NSEC3SHA1, RSASHA256, RSASHA512, RSAMD5:
+ case RSASHA1, RSASHA1NSEC3SHA1, RSASHA256, RSASHA512:
 // TODO(mg): this can be done quicker, ie. cache the pubkey data somewhere??
 pubkey := k.publicKeyRSA() // Get the key
 if pubkey == nil {
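Review bot: With `RSAMD5` dropped from the `case` list in `(*RRSIG).Verify`, an RSAMD5 signature now takes whatever path the rest of the switch provides, and neither the default arm nor the hash lookup before the switch is visible in this hunk; a test asserting that `Verify` returns an error for an RRSIG whose `Algorithm` is `RSAMD5` would pin the rejection. If a hash table in this file still maps RSAMD5 to `crypto.MD5` (not shown here), it now depends on the `crypto/md5` import in tsig.go for registration, and once that import is removed as the description hopes, a `New()` call on that hash would panic unless guarded by `Available()`. A short comment above the case, such as `// RSAMD5 is deliberately not verified (deprecated by RFC 6725).`, would keep the algorithm from being re-added by mistake. The body of Verify begins and ends outside the hunk.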