Remove -p option from dnssec-keygen/keyfromlabel

The -p (protocol) option for all keys defaults to 3 (DNSSEC).
There is currently no practical reason to use any other value;
we can simplify things by removing the option.

diff --git a/bin/dnssec/dnssec-keyfromlabel.c b/bin/dnssec/dnssec-keyfromlabel.c
index 7b210f18cbe0bea97d666199d3e456c900fdddc3..e358eb98ff94a6d8fd1b818811ad3efd95ff9788 100644 (file)
--- a/bin/dnssec/dnssec-keyfromlabel.c
+++ b/bin/dnssec/dnssec-keyfromlabel.c
@@ -74,7 +74,6 @@ usage(void) {
        fprintf(stderr, "    -L ttl: default key TTL\n");
        fprintf(stderr, "    -M <min>:<max>: allowed Key ID range\n");
        fprintf(stderr, "        (DNSKEY generation defaults to ZONE\n");
-       fprintf(stderr, "    -p protocol: default: 3 [dnssec]\n");
        fprintf(stderr, "    -y: permit keys that might collide\n");
        fprintf(stderr, "    -v verbose level\n");
        fprintf(stderr, "    -V: print version information\n");
@@ -119,7 +118,6 @@ main(int argc, char **argv) {
        bool oldstyle = false;
        isc_mem_t *mctx = NULL;
        int ch;
-       int protocol = -1;
        isc_result_t ret;
        isc_textregion_t r;
        char filename[255];
@@ -220,11 +218,7 @@ main(int argc, char **argv) {
                        fatal("The -n option has been deprecated.");
                        break;
                case 'p':
-                       protocol = strtol(isc_commandline_argument, &endp, 10);
-                       if (*endp != '\0' || protocol < 0 || protocol > 255) {
-                               fatal("-p must be followed by a number "
-                                     "[0..255]");
-                       }
+                       fatal("The -p option has been deprecated.");
                        break;
                case 't':
                        fatal("The -t option has been deprecated.");
@@ -541,19 +535,11 @@ main(int argc, char **argv) {
                flags |= DNS_KEYOWNER_ENTITY; /* KEY: name type HOST */
        }
 
-       if (protocol == -1) {
-               protocol = DNS_KEYPROTO_DNSSEC;
-       } else if ((options & DST_TYPE_KEY) == 0 &&
-                  protocol != DNS_KEYPROTO_DNSSEC)
-       {
-               fatal("invalid DNSKEY protocol: %d", protocol);
-       }
-
        isc_buffer_init(&buf, filename, sizeof(filename) - 1);
 
        /* associate the key */
-       ret = dst_key_fromlabel(name, alg, flags, protocol, rdclass, label,
-                               NULL, mctx, &key);
+       ret = dst_key_fromlabel(name, alg, flags, DNS_KEYPROTO_DNSSEC, rdclass,
+                               label, NULL, mctx, &key);
 
        if (ret != ISC_R_SUCCESS) {
                char namestr[DNS_NAME_FORMATSIZE];

diff --git a/bin/dnssec/dnssec-keyfromlabel.rst b/bin/dnssec/dnssec-keyfromlabel.rst
index c956cf13ec208b82aea8b2cffdf8adf268c20145..64d0ec720d03f71887dd6c63ee93eb55f96a7b52 100644 (file)
--- a/bin/dnssec/dnssec-keyfromlabel.rst
+++ b/bin/dnssec/dnssec-keyfromlabel.rst
@@ -127,12 +127,6 @@ Options
    values for ``tag_min`` and ``tag_max`` are [0..65535].  The
    default allows all key tag values to be accepted.
 
-.. option:: -p protocol
-
-   This option sets the protocol value for the key. The protocol is a number between
-   0 and 255. The default is 3 (DNSSEC). Other possible values for this
-   argument are listed in :rfc:`2535` and its successors.
-
 .. option:: -S key
 
    This option generates a key as an explicit successor to an existing key. The name,

diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c
index ad91fce3126358c777f8e668a9eb31231fb4778c..74d5d4c53ddf5ebb8775481ab96901e09a9ba937 100644 (file)
--- a/bin/dnssec/dnssec-keygen.c
+++ b/bin/dnssec/dnssec-keygen.c
@@ -82,7 +82,6 @@ struct keygen_ctx {
        const char *directory;
        dns_keystore_t *keystore;
        char *algname;
-       int protocol;
        int size;
        uint16_t tag_min;
        uint16_t tag_max;
@@ -172,7 +171,6 @@ usage(void) {
        fprintf(stderr, "    -F: FIPS mode\n");
        fprintf(stderr, "    -L <ttl>: default key TTL\n");
        fprintf(stderr, "    -M <min>:<max>: allowed Key ID range\n");
-       fprintf(stderr, "    -p <protocol>: (default: 3 [dnssec])\n");
        fprintf(stderr, "    -s <strength>: strength value this key signs DNS "
                        "records with (default: 0)\n");
        fprintf(stderr, "    -T <rrtype>: DNSKEY | KEY (default: DNSKEY; "
@@ -511,14 +509,6 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) {
                }
        }
 
-       if (ctx->protocol == -1) {
-               ctx->protocol = DNS_KEYPROTO_DNSSEC;
-       } else if ((ctx->options & DST_TYPE_KEY) == 0 &&
-                  ctx->protocol != DNS_KEYPROTO_DNSSEC)
-       {
-               fatal("invalid DNSKEY protocol: %d", ctx->protocol);
-       }
-
        switch (ctx->alg) {
        case DNS_KEYALG_RSASHA1:
        case DNS_KEYALG_NSEC3RSASHA1:
@@ -556,12 +546,12 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) {
                                mctx, ctx->alg, ctx->size, flags, &key);
                } else if (!ctx->quiet && show_progress) {
                        ret = dst_key_generate(name, ctx->alg, ctx->size, 0,
-                                              flags, ctx->protocol,
+                                              flags, DNS_KEYPROTO_DNSSEC,
                                               ctx->rdclass, NULL, mctx, &key,
                                               &progress);
                } else {
                        ret = dst_key_generate(name, ctx->alg, ctx->size, 0,
-                                              flags, ctx->protocol,
+                                              flags, DNS_KEYPROTO_DNSSEC,
                                               ctx->rdclass, NULL, mctx, &key,
                                               NULL);
                }
@@ -792,7 +782,6 @@ main(int argc, char **argv) {
        keygen_ctx_t ctx = {
                .options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC,
                .prepub = -1,
-               .protocol = -1,
                .size = -1,
                .now = isc_stdtime_now(),
        };
@@ -914,14 +903,7 @@ main(int argc, char **argv) {
                case 'm':
                        break;
                case 'p':
-                       ctx.protocol = strtol(isc_commandline_argument, &endp,
-                                             10);
-                       if (*endp != '\0' || ctx.protocol < 0 ||
-                           ctx.protocol > 255)
-                       {
-                               fatal("-p must be followed by a number "
-                                     "[0..255]");
-                       }
+                       fatal("The -p option has been deprecated.");
                        break;
                case 'q':
                        ctx.quiet = true;

diff --git a/bin/dnssec/dnssec-keygen.rst b/bin/dnssec/dnssec-keygen.rst
index 5fda5613f670320a934b4dfad8e89b3319bac2db..e5618b2efd8988de07a6f9aebc41e0cde15298ff 100644 (file)
--- a/bin/dnssec/dnssec-keygen.rst
+++ b/bin/dnssec/dnssec-keygen.rst
@@ -163,13 +163,6 @@ Options
    key tag values to be produced.  This option is ignored when ``-k policy``
    is specified.
 
-.. option:: -p protocol
-
-   This option sets the protocol value for the generated key, for use with
-   :option:`-T KEY <-T>`. The protocol is a number between 0 and 255. The default
-   is 3 (DNSSEC). Other possible values for this argument are listed in
-   :rfc:`2535` and its successors.
-
 .. option:: -q
 
    This option sets quiet mode, which suppresses unnecessary output, including progress