authorNick Mathewson <nickm@torproject.org>2017-01-21 14:44:00 -0500
committerNick Mathewson <nickm@torproject.org>2017-01-21 14:44:00 -0500
commite52f49aa800019d3f60b640f5bb82ef7cf5f78e5 (patch)
tree70dccb7e70e94e584ebbea38742c0138ff57a812
parent9023d7361d13629e0bc3de081db974a870d306b0 (diff)
parent0dd48bfe5aab9ca213dfbacd3b2ee8710a584405 (diff)
Merge remote-tracking branch 'public/ticket18319'
-rw-r--r--changes/ticket183194
-rw-r--r--doc/tor.1.txt2
-rw-r--r--src/or/config.c2
3 files changed, 6 insertions, 2 deletions
diff --git a/changes/ticket18319 b/changes/ticket18319
new file mode 100644
index 0000000000..41c5b5641f
--- /dev/null
+++ b/changes/ticket18319
@@ -0,0 +1,4 @@
+ o Minor features (directory authority, security):
+ - The default for AuthDirPinKeys is now 1: directory authorities will
+ reject relays where the RSA identity key matches a previously seen
+ value, but the Ed25519 key has changed. Closes ticket 18319.
diff --git a/doc/tor.1.txt b/doc/tor.1.txt
index 46b10773bd..8c8922bc29 100644
--- a/doc/tor.1.txt
+++ b/doc/tor.1.txt
@@ -2277,7 +2277,7 @@ on the public Tor network.
publish a descriptor if any other relay has reserved its <Ed25519,RSA>
identity keypair. In all cases, Tor records every keypair it accepts
in a journal if it is new, or if it differs from the most recently
- accepted pinning for one of the keys it contains. (Default: 0)
+ accepted pinning for one of the keys it contains. (Default: 1)
[[AuthDirSharedRandomness]] **AuthDirSharedRandomness** **0**|**1**::
Authoritative directories only. Switch for the shared random protocol.
diff --git a/src/or/config.c b/src/or/config.c
index f885cbca3b..2c239a5e34 100644
--- a/src/or/config.c
+++ b/src/or/config.c
@@ -212,7 +212,7 @@ static config_var_t option_vars_[] = {
V(AuthDirInvalidCCs, CSV, ""),
V(AuthDirFastGuarantee, MEMUNIT, "100 KB"),
V(AuthDirGuardBWGuarantee, MEMUNIT, "2 MB"),
- V(AuthDirPinKeys, BOOL, "0"),
+ V(AuthDirPinKeys, BOOL, "1"),
V(AuthDirReject, LINELIST, NULL),
V(AuthDirRejectCCs, CSV, ""),
OBSOLETE("AuthDirRejectUnlisted"),
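Review bot: The new `V(AuthDirPinKeys, BOOL, "1")` entry turns key-pinning enforcement on by default for directory authorities, but nothing at the table entry records that this default is a security decision. I would add a one-line comment above it, e.g. `/* On by default: reject a relay whose RSA identity is already pinned to a different Ed25519 key (ticket 18319). */`, so a later cleanup of the table does not flip it back unnoticed. If the tree has a test that checks option defaults (none is visible here), asserting this value there would pin it as well. The `option_vars_` table begins and ends outside the hunk.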