Remove -d option from dnssec-keygen

The -d (digestbits) option was only applicable to HMAC keys, which
are no longer created by dnssec-keygen. The option can be removed.

diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c
index 75819f270b9d833dfc08e5c3421f8f6543f4dafd..c134a4c8817708121ed272aae98b93c015535362 100644 (file)
--- a/bin/dnssec/dnssec-keygen.c
+++ b/bin/dnssec/dnssec-keygen.c
@@ -87,7 +87,6 @@ struct keygen_ctx {
        uint16_t tag_max;
        dns_rdataclass_t rdclass;
        int options;
-       int dbits;
        dns_ttl_t ttl;
        bool wantzsk;
        bool wantksk;
@@ -563,8 +562,6 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) {
                              algstr, isc_result_totext(ret));
                }
 
-               dst_key_setbits(key, ctx->dbits);
-
                /*
                 * Set key timing metadata (unless using -C)
                 *
@@ -838,10 +835,7 @@ main(int argc, char **argv) {
                        classname = isc_commandline_argument;
                        break;
                case 'd':
-                       ctx.dbits = strtol(isc_commandline_argument, &endp, 10);
-                       if (*endp != '\0' || ctx.dbits < 0) {
-                               fatal("-d requires a non-negative number");
-                       }
+                       fatal("The -d option has been deprecated.");
                        break;
                case 'E':
                        fatal("%s", isc_result_totext(DST_R_NOENGINE));

diff --git a/bin/dnssec/dnssec-keygen.rst b/bin/dnssec/dnssec-keygen.rst
index 3f14007f77947f5bc6e699b34092861dc8dcd63f..ef12dbb134e6143f3da5bccae50cf35239105a57 100644 (file)
--- a/bin/dnssec/dnssec-keygen.rst
+++ b/bin/dnssec/dnssec-keygen.rst
@@ -21,7 +21,7 @@ dnssec-keygen: DNSSEC key generation tool
 Synopsis
 ~~~~~~~~
 
-:program:`dnssec-keygen` [**-3**] [**-A** date/offset] [**-a** algorithm] [**-b** keysize] [**-C**] [**-c** class] [**-D** date/offset] [**-d** bits] [**-D** sync date/offset] [**-f** flag] [**-F**] [**-G**] [**-h**] [**-I** date/offset] [**-i** interval] [**-K** directory] [**-k** policy] [**-L** ttl] [**-l** file] [**-M** tag_min:tag_max] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-q**] [**-R** date/offset] [**-S** key] [**-s** strength] [**-T** rrtype] [**-V**] [**-v** level] {name}
+:program:`dnssec-keygen` [**-3**] [**-A** date/offset] [**-a** algorithm] [**-b** keysize] [**-C**] [**-c** class] [**-D** date/offset] [**-D** sync date/offset] [**-f** flag] [**-F**] [**-G**] [**-h**] [**-I** date/offset] [**-i** interval] [**-K** directory] [**-k** policy] [**-L** ttl] [**-l** file] [**-M** tag_min:tag_max] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-q**] [**-R** date/offset] [**-S** key] [**-s** strength] [**-T** rrtype] [**-V**] [**-v** level] {name}
 
 Description
 ~~~~~~~~~~~
@@ -87,13 +87,6 @@ Options
    This option indicates that the DNS record containing the key should have the
    specified class. If not specified, class IN is used.
 
-.. option:: -d bits
-
-   This option specifies the key size in bits. For the algorithms RSASHA1, NSEC3RSASA1, RSASHA256, and
-   RSASHA512 the key size must be between 1024 and 4096 bits; DH size is between 128
-   and 4096 bits. This option is ignored for algorithms ECDSAP256SHA256,
-   ECDSAP384SHA384, ED25519, and ED448.
-
 .. option:: -f flag
 
    This option sets the specified flag in the flag field of the KEY/DNSKEY record.