+5332. [func] Renamed "dnssec-keys" configuration statement
+ to the more descriptive "trust-anchors".
+
5331. [func] Use compiler-provided mechanisms for thread local
storage, and make the requirement for such mechanisms
explicit in configure. [GL #1444]
for zones, enabling automatic key regeneration and rollover.
* New new network manager based on libuv.
* Support for the new GeoIP2 geolocation API
-* Improved DNSSEC trust anchor configuration using `dnssec-keys`,
- permitting configuration of trust anchors in DS as well as
+* Improved DNSSEC trust anchor configuration using the `trust-anchors`
+ statement, permitting configuration of trust anchors in DS as well as
DNSKEY format.
* YAML output for `dig`, `mdig`, and `delv`.
static dns_name_t *anchor_name = NULL;
/* Default bind.keys contents */
-static char anchortext[] = DNSSEC_KEYS;
+static char anchortext[] = TRUST_ANCHORS;
/*
* Static function prototypes
cfg_parser_t *parser = NULL;
const cfg_obj_t *trusted_keys = NULL;
const cfg_obj_t *managed_keys = NULL;
- const cfg_obj_t *dnssec_keys = NULL;
+ const cfg_obj_t *trust_anchors = NULL;
cfg_obj_t *bindkeys = NULL;
const char *filename = anchorfile;
INSIST(bindkeys != NULL);
cfg_map_get(bindkeys, "trusted-keys", &trusted_keys);
cfg_map_get(bindkeys, "managed-keys", &managed_keys);
- cfg_map_get(bindkeys, "dnssec-keys", &dnssec_keys);
+ cfg_map_get(bindkeys, "trust-anchors", &trust_anchors);
if (trusted_keys != NULL) {
CHECK(load_keys(trusted_keys, client));
if (managed_keys != NULL) {
CHECK(load_keys(managed_keys, client));
}
- if (dnssec_keys != NULL) {
- CHECK(load_keys(dnssec_keys, client));
+ if (trust_anchors != NULL) {
+ CHECK(load_keys(trust_anchors, client));
}
result = ISC_R_SUCCESS;
</para>
<para>
Note: When reading the trust anchor file,
- <command>delv</command> treats <option>dnssec-keys</option>
+ <command>delv</command> treats <option>trust-anchors</option>
<option>initial-key</option> and <option>static-key</option>
entries identically. That is, even if a key is configured
with <command>initial-key</command>, indicating that it is
# BEGIN DNSSEC KEYS\n"
/* Imported from bind.keys.h: */
-DNSSEC_KEYS
+TRUST_ANCHORS
"# END MANAGED KEYS\n\
\n\
</literallayout>
</refsection>
- <refsection><info><title>DNSSEC-KEYS</title></info>
- <literallayout class="normal">
-dnssec-keys { <replaceable>string</replaceable> ( static-key |
- initial-key | static-ds | initial-ds )
- <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable>
- <replaceable>quoted_string</replaceable>; ... };
-</literallayout>
- </refsection>
-
<refsection><info><title>DYNDB</title></info>
<literallayout class="normal">
dyndb <replaceable>string</replaceable> <replaceable>quoted_string</replaceable> {
</refsection>
<refsection><info><title>MANAGED-KEYS</title></info>
- <para>Deprecated - see DNSSEC-KEYS.</para>
+ <para>Deprecated - see TRUST-ANCHORS.</para>
<literallayout class="normal">
managed-keys { <replaceable>string</replaceable> ( static-key
| initial-key | static-ds |
</literallayout>
</refsection>
+ <refsection><info><title>TRUST-ANCHORS</title></info>
+ <literallayout class="normal">
+trust-anchors { <replaceable>string</replaceable> ( static-key |
+ initial-key | static-ds | initial-ds )
+ <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable>
+ <replaceable>quoted_string</replaceable>; ... };
+</literallayout>
+ </refsection>
+
<refsection><info><title>TRUSTED-KEYS</title></info>
- <para>Deprecated - see DNSSEC-KEYS.</para>
+ <para>Deprecated - see TRUST-ANCHORS.</para>
<literallayout class="normal">
trusted-keys { <replaceable>string</replaceable> <replaceable>integer</replaceable>
<replaceable>integer</replaceable> <replaceable>integer</replaceable>
dnsrps-options { <replaceable>unspecified-text</replaceable> };
dnssec-accept-expired <replaceable>boolean</replaceable>;
dnssec-dnskey-kskonly <replaceable>boolean</replaceable>;
- dnssec-keys { <replaceable>string</replaceable> ( static-key |
- initial-key | static-ds | initial-ds
- ) <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable>
- <replaceable>quoted_string</replaceable>; ... };
dnssec-loadkeys-interval <replaceable>integer</replaceable>;
dnssec-must-be-secure <replaceable>string</replaceable> <replaceable>boolean</replaceable>;
dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> | * )
] [ dscp <replaceable>integer</replaceable> ];
trust-anchor-telemetry <replaceable>boolean</replaceable>; // experimental
+ trust-anchors { <replaceable>string</replaceable> ( static-key |
+ initial-key | static-ds | initial-ds
+ ) <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable>
+ <replaceable>quoted_string</replaceable>; ... };
trusted-keys { <replaceable>string</replaceable>
<replaceable>integer</replaceable> <replaceable>integer</replaceable>
<replaceable>integer</replaceable>
}
/*
- * Add the key to 'secroots'. Keys from a "dnssec-keys" or
+ * Add the key to 'secroots'. Keys from a "trust-anchors" or
* "managed-keys" statement may be either static or initializing
* keys. If it's not initializing, we don't want to treat it as
* managed, so we use 'initializing' twice here, for both the
const cfg_obj_t *view_keys = NULL;
const cfg_obj_t *global_keys = NULL;
const cfg_obj_t *view_managed_keys = NULL;
- const cfg_obj_t *view_dnssec_keys = NULL;
+ const cfg_obj_t *view_trust_anchors = NULL;
const cfg_obj_t *global_managed_keys = NULL;
- const cfg_obj_t *global_dnssec_keys = NULL;
+ const cfg_obj_t *global_trust_anchors = NULL;
const cfg_obj_t *maps[4];
const cfg_obj_t *voptions = NULL;
const cfg_obj_t *options = NULL;
(void) cfg_map_get(voptions, "trusted-keys",
&view_keys);
- /* managed-keys and dnssec-keys are synonyms. */
+ /* managed-keys and trust-anchors are synonyms. */
(void) cfg_map_get(voptions, "managed-keys",
&view_managed_keys);
- (void) cfg_map_get(voptions, "dnssec-keys",
- &view_dnssec_keys);
+ (void) cfg_map_get(voptions, "trust-anchors",
+ &view_trust_anchors);
maps[i++] = voptions;
}
if (config != NULL) {
(void)cfg_map_get(config, "trusted-keys", &global_keys);
- /* managed-keys and dnssec-keys are synonyms. */
+ /* managed-keys and trust-anchors are synonyms. */
(void)cfg_map_get(config, "managed-keys", &global_managed_keys);
- (void)cfg_map_get(config, "dnssec-keys", &global_dnssec_keys);
+ (void)cfg_map_get(config, "trust-anchors",
+ &global_trust_anchors);
(void)cfg_map_get(config, "options", &options);
if (options != NULL) {
/*
* If bind.keys exists and is populated, it overrides
- * the dnssec-keys clause hard-coded in named_g_config.
+ * the trust-anchors clause hard-coded in named_g_config.
*/
if (bindkeys != NULL) {
isc_log_write(named_g_lctx, DNS_LOGCATEGORY_SECURITY,
"from '%s'",
view->name, named_g_server->bindkeysfile);
- (void)cfg_map_get(bindkeys, "dnssec-keys",
+ (void)cfg_map_get(bindkeys, "trust-anchors",
&builtin_keys);
if (builtin_keys == NULL) {
"using built-in root key for view %s",
view->name);
- (void)cfg_map_get(named_g_config, "dnssec-keys",
+ (void)cfg_map_get(named_g_config, "trust-anchors",
&builtin_keys);
}
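Review bot: The bind.keys override is looked up under the new name only (`cfg_map_get(bindkeys, "trust-anchors", &builtin_keys)`), so a bind.keys that was written against 9.15.1–9.15.6 with a `dnssec-keys { ... }` clause, or an older one using `managed-keys`, would now leave `builtin_keys` NULL and the code falls through to the built-in root key from `named_g_config` with only the "using built-in root key" log line. That silently discards an operator-supplied trust anchor, which is the one thing bind.keys exists to override; delv's loader above reads `trusted-keys`, `managed-keys` and `trust-anchors` from the same file, so if named's bind.keys parser accepts the same clauses (not visible here) the file would parse and then be ignored. Consider also trying the legacy spelling before giving up, e.g. `if (builtin_keys == NULL) { (void)cfg_map_get(bindkeys, "managed-keys", &builtin_keys); }`, and raising the fallback message to a warning that names the file so the mismatch is noticed. The enclosing function starts and ends outside the hunk.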
if (view->rdclass == dns_rdataclass_in) {
CHECK(load_view_keys(view_keys, view, false, NULL, mctx));
- CHECK(load_view_keys(view_dnssec_keys, view, true, NULL,
+ CHECK(load_view_keys(view_trust_anchors, view, true, NULL,
mctx));
CHECK(load_view_keys(view_managed_keys, view, true, NULL,
mctx));
CHECK(load_view_keys(global_keys, view, false, NULL, mctx));
- CHECK(load_view_keys(global_dnssec_keys, view, true,
+ CHECK(load_view_keys(global_trust_anchors, view, true,
NULL, mctx));
CHECK(load_view_keys(global_managed_keys, view, true,
NULL, mctx));
<listitem>
<para>
Dump the security roots (i.e., trust anchors
- configured via <command>dnssec-keys</command> statements, or the
+ configured via <command>trust-anchors</command> statements, or the
managed-keys or trusted-keys statements (both deprecated), or
via <command>dnssec-validation auto</command>) and negative trust
anchors for the specified views. If no view is specified, all
* information regarding copyright ownership.
*/
-dnssec-keys {
+trust-anchors {
example. initial-ds 60724 5 1 "D74CF845955A0DFE604AF215E948E67D2EA94FF3";
example. initial-key 257 3 5 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbody0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQYfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuwE60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn6zqCkwuMmrU=";
};
* information regarding copyright ownership.
*/
-dnssec-keys {
+trust-anchors {
example. static-ds 60724 5 1 "D74CF845955A0DFE604AF215E948E67D2EA94FF3";
example. static-key 257 3 5 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbody0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQYfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuwE60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn6zqCkwuMmrU=";
};
dnssec-validation yes;
};
-dnssec-keys {
+trust-anchors {
example. initial-key 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl
25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG
tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY
NQyrszHhWUU=";
};
-dnssec-keys {
+trust-anchors {
example. static-key 257 3 8 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbod
y0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQ
YfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX
dnssec-validation yes;
};
-dnssec-keys {
+trust-anchors {
. initial-key 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl
25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG
tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY
* information regarding copyright ownership.
*/
-dnssec-keys {
+trust-anchors {
# This key (19036) is to be phased out starting in 2017. It will
# remain in the root zone for some time after its successor key
# has been added. It will remain this file until it is removed from
* information regarding copyright ownership.
*/
-dnssec-keys {
+trust-anchors {
example. initial-ds 60724 5 1 "D74CF845955A0DFE604AF215E948E67D2EA94FF3";
example. static-ds 60724 5 2 "29E79B9064EE1A11DF3BFF19581DDFED7952C22CC204ACE17B6007EB1437E9E6";
};
* information regarding copyright ownership.
*/
-dnssec-keys {
+trust-anchors {
example. initial-ds 60724 5 1 "D74CF845955A0DFE604AF215E948E67D2EA94FF3";
example. static-key 257 3 5 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbody0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQYfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuwE60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn6zqCkwuMmrU=";
};
* information regarding copyright ownership.
*/
-dnssec-keys {
+trust-anchors {
example. static-ds 60724 5 1 "D74CF845955A0DFE604AF215E948E67D2EA94FF3";
example. initial-key 257 3 5 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbody0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQYfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuwE60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn6zqCkwuMmrU=";
};
* information regarding copyright ownership.
*/
-dnssec-keys {
+trust-anchors {
example. initial-key 257 3 5 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafGtURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJYkYrFYGLzYAgl/JtMyVVYlBl9pqxQuAPKYPOuO1axaad/wLN3+wTy/hcJfpvJpqzXlDF9bI5RmpoX/7geZ06vpcYJEoT0xkkmPlEl0ZjEDrm/WIaSWG0/CEDpHcOXFz4OEczMVpY+lnuFfKybwF1WHFn2BwVEOS6cMM6ukIjINQyrszHhWUU=";
example. static-key 257 3 5 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbody0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQYfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuwE60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn6zqCkwuMmrU=";
};
dnssec-validation auto;
};
-dnssec-keys {
+trust-anchors {
. static-key 257 3 8 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbod
y0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQ
YfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX
* information regarding copyright ownership.
*/
-dnssec-keys {
+trust-anchors {
# This key (19036) is to be phased out starting in 2017. It will
# remain in the root zone for some time after its successor key
# has been added. It will remain this file until it is removed from
* information regarding copyright ownership.
*/
-dnssec-keys {
+trust-anchors {
# This key (19036) is to be phased out starting in 2017. It will
# remain in the root zone for some time after its successor key
# has been added. It will remain this file until it is removed from
* information regarding copyright ownership.
*/
-dnssec-keys {
+trust-anchors {
# This key (20326) was published in the root zone in 2017.
# Servers which were already using the old key (19036) should
# roll seamlessly to this new one via RFC 5011 rollover. Servers
* information regarding copyright ownership.
*/
-dnssec-keys {
+trust-anchors {
# This key (19036) is to be phased out starting in 2017. It will
# remain in the root zone for some time after its successor key
# has been added. It will remain this file until it is removed from
* information regarding copyright ownership.
*/
-dnssec-keys {
+trust-anchors {
. static-ds 20326 8 2 "E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D";
};
* information regarding copyright ownership.
*/
-dnssec-keys {
+trust-anchors {
# This key (20326) was published in the root zone in 2017.
# Servers which were already using the old key (19036) should
# roll seamlessly to this new one via RFC 5011 rollover. Servers
dnssec-validation yes;
};
-dnssec-keys {
+trust-anchors {
example. initial-key 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl
25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG
tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY
* information regarding copyright ownership.
*/
-dnssec-keys {
+trust-anchors {
example. initial-ds 60724 5 2 "29E79B9064EE1A11DF3BFF19581DDFED7952C22CC204ACE17B6007EB1437E9E6";
};
* information regarding copyright ownership.
*/
-dnssec-keys {
+trust-anchors {
example. static-ds 60724 5 2 "29E79B9064EE1A11DF3BFF19581DDFED7952C22CC204ACE17B6007EB1437E9E6";
};
status=`expr $status + $ret`
n=`expr $n + 1`
-echo_i "check that using dnssec-keys and managed-keys generates an error ($n)"
+echo_i "check that using trust-anchors and managed-keys generates an error ($n)"
ret=0
$CHECKCONF check-mixed-keys.conf > checkconf.out$n 2>/dev/null && ret=1
grep "use of managed-keys is not allowed" checkconf.out$n > /dev/null || ret=1
}
# keyfile_to_static_keys: convert key data contained in the keyfile(s)
-# provided to a *static-key* "dnssec-keys" section suitable for including in a
-# resolver's configuration file
+# provided to a *static-key* "trust-anchors" section suitable for including in
+# a resolver's configuration file
keyfile_to_static_keys() {
- keyfile_to_keys "dnssec-keys" "static-key" $*
+ keyfile_to_keys "trust-anchors" "static-key" $*
}
# keyfile_to_initial_keys: convert key data contained in the keyfile(s)
-# provided to an *initial-key* "dnssec-keys" section suitable for including
+# provided to an *initial-key* "trust-anchors" section suitable for including
# in a resolver's configuration file
keyfile_to_initial_keys() {
- keyfile_to_keys "dnssec-keys" "initial-key" $*
+ keyfile_to_keys "trust-anchors" "initial-key" $*
}
# keyfile_to_static_ds_keys: convert key data contained in the keyfile(s)
-# provided to a *static-ds* "dnssec-keys" section suitable for including in a
+# provided to a *static-ds* "trust-anchors" section suitable for including in a
# resolver's configuration file
keyfile_to_static_ds() {
- keyfile_to_dskeys "dnssec-keys" "static-ds" $*
+ keyfile_to_dskeys "trust-anchors" "static-ds" $*
}
# keyfile_to_initial_ds_keys: convert key data contained in the keyfile(s)
-# provided to an *initial-ds* "dnssec-keys" section suitable for including
+# provided to an *initial-ds* "trust-anchors" section suitable for including
# in a resolver's configuration file
keyfile_to_initial_ds() {
- keyfile_to_dskeys "dnssec-keys" "initial-ds" $*
+ keyfile_to_dskeys "trust-anchors" "initial-ds" $*
}
# keyfile_to_key_id: convert a key file name to a key ID
-dnssec-keys {
+trust-anchors {
"edns512-notcp." static-key 257 3 10 "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";
};
is used so it will attempt do automated updates frequently. "-T tat=1"
is used so it will send TAT queries once per second.
-ns3 is a validator with a broken initializing key in dnssec-keys.
+ns3 is a validator with a broken initializing key in trust-anchors.
ns4 is a validator with a deliberately broken managed-keys.bind and
managed-keys.jnl, causing RFC 5011 initialization to fail.
};
# purposely broken key for testing
-dnssec-keys {
+trust-anchors {
"." initial-key 257 3 5 "PURPOSELYBROKEN/xs9iVj7QekClcpzjCf0JrvXW1z07hNMqMm6Q2FtIXMbRgfvTtHF3/ZNvcewT9hpfczC+JACHsQSYYdr7UI8oe4nJfal9+2F3pz4a+HR6CqkgrR6WLWQI1Q==";
};
KEYNAME=`$KEYGEN -q -a rsasha256 -K $1 $2`
cat $1/$3 $1/$KEYNAME.key > $1/tmp
$SIGNER -P -K $1 -o $2 -f $1/$4 $1/tmp >/dev/null
- sed -n -e 's/\(.*\) IN DNSKEY \([0-9]\{1,\} [0-9]\{1,\} [0-9]\{1,\}\) \(.*\)/dnssec-keys {"\1" static-key \2 "\3";};/p' $1/$KEYNAME.key >>trusted.conf
+ sed -n -e 's/\(.*\) IN DNSKEY \([0-9]\{1,\} [0-9]\{1,\} [0-9]\{1,\}\) \(.*\)/trust-anchors {"\1" static-key \2 "\3";};/p' $1/$KEYNAME.key >>trusted.conf
DSFILENAME=dsset-${2}${TP}
rm $DSFILENAME $1/tmp
}
# See https://data.iana.org/root-anchors/root-anchors.xml for current trust
# anchor information for the root zone.
-dnssec-keys {
+trust-anchors {
# This key (20326) was published in the root zone in 2017.
. initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
#ifndef BIND_KEYS_H
#define BIND_KEYS_H 1
-#define DNSSEC_KEYS "\
+#define TRUST_ANCHORS "\
# The bind.keys file is used to override the built-in DNSSEC trust anchors\n\
# which are included as part of BIND 9. The only trust anchors it contains\n\
# are for the DNS root zone (\".\"). Trust anchors for any other zones MUST\n\
# See https://data.iana.org/root-anchors/root-anchors.xml for current trust\n\
# anchor information for the root zone.\n\
\n\
-dnssec-keys {\n\
+trust-anchors {\n\
# This key (20326) was published in the root zone in 2017.\n\
. initial-key 257 3 8 \"AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3\n\
+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv\n\
<userinput>yes</userinput>, DNSSEC validation will only occur
if at least one trust anchor has been explicitly configured
in <filename>named.conf</filename>
- using a <command>dnssec-keys</command> statement (or the
+ using a <command>trust-anchors</command> statement (or the
<command>managed-keys</command> and <command>trusted-keys</command>
statements, both deprecated).
</para>
</para>
<para>
- The keys specified in <command>dnssec-keys</command>
+ The keys specified in <command>trust-anchors</command>
copies of DNSKEY RRs for zones that are used to form the
first link in the cryptographic chain of trust. Keys configured
with the keyword <command>static-key</command> or
</para>
<para>
- <command>dnssec-keys</command> is described in more detail
+ <command>trust-anchors</command> is described in more detail
later in this document.
</para>
</para>
<programlisting>
-dnssec-keys {
+trust-anchors {
/* Root Key */
"." initial-key 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwS
JxrGkxJWoZu6I7PzJu/E9gx4UC1zGAHlXKdE4zYIpRh
</row>
<row rowsep="0">
<entry colname="1">
- <para><command>dnssec-keys</command></para>
+ <para><command>trust-anchors</command></para>
</entry>
<entry colname="2">
<para>
</entry>
<entry colname="2">
<para>
- is identical to <command>dnssec-keys</command>;
+ is identical to <command>trust-anchors</command>;
this option is deprecated in favor
- of <command>dnssec-keys</command> with
+ of <command>trust-anchors</command> with
the <command>initial-key</command> keyword,
and may be removed in a future release.
</para>
<para>
defines permanent trusted DNSSEC keys;
this option is deprecated in favor
- of <command>dnssec-keys</command> with
+ of <command>trust-anchors</command> with
the <command>static-key</command> keyword,
and may be removed in a future release.
</para>
track managed DNSSEC keys (i.e., those configured using
the <command>initial-key</command> or
<command>initial-ds</command> keywords in a
- <command>dnssec-keys</command> statement). By default,
+ <command>trust-anchors</command> statement). By default,
this is the working directory. The directory
<emphasis>must</emphasis> be writable by the effective
user ID of the <command>named</command> process.
as insecure.
</para>
<para>
- Configured trust anchors in <command>dnssec-keys</command>
+ Configured trust anchors in <command>trust-anchors</command>
(or <command>managed-keys</command> or
<command>trusted-keys</command>, both deprecated)
that match a disabled algorithm will be ignored and treated
they are secure. If <userinput>no</userinput>, then normal
DNSSEC validation applies allowing for insecure answers to
be accepted. The specified domain must be defined as a
- trust anchor, for instance in a <command>dnssec-keys</command>
+ trust anchor, for instance in a <command>trust-anchors</command>
statement, or <command>dnssec-validation auto</command> must
be active.
</para>
Causes <command>named</command> to send specially-formed
queries once per day to domains for which trust anchors
have been configured via, e.g.,
- <command>dnssec-keys</command> or
+ <command>trust-anchors</command> or
<command>dnssec-validation auto</command>.
</para>
<para>
<para>
If set to <userinput>yes</userinput>, DNSSEC validation is
enabled, but a trust anchor must be manually configured
- using a <command>dnssec-keys</command> statement (or
+ using a <command>trust-anchors</command> statement (or
the <command>managed-keys</command> or the
<command>trusted-keys</command> statements, both deprecated).
If there is no configured trust anchor, validation will
</para>
</section>
- <section xml:id="dnssec_keys"><info><title><command>dnssec-keys</command> Statement Grammar</title></info>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="dnssec-keys.grammar.xml"/>
+ <section xml:id="trust_anchors"><info><title><command>trust-anchors</command> Statement Grammar</title></info>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="trust-anchors.grammar.xml"/>
</section>
- <section xml:id="dnssec-keys"><info><title><command>dnssec-keys</command> Statement Definition
+ <section xml:id="trust-anchors"><info><title><command>trust-anchors</command> Statement Definition
and Usage</title></info>
<para>
- The <command>dnssec-keys</command> statement defines DNSSEC
+ The <command>trust-anchors</command> statement defines DNSSEC
trust anchors. DNSSEC is described in <xref linkend="DNSSEC"/>.
</para>
<para>
the <command>validate-except</command> option).
</para>
<para>
- All keys listed in <command>dnssec-keys</command>, and
+ All keys listed in <command>trust-anchors</command>, and
their corresponding zones, are deemed to exist regardless
of what parent zones say. Only keys configured as trust anchors
are used to validate the DNSKEY RRset for the corresponding
name. The parent's DS RRset will not be used.
</para>
<para>
- <command>dnssec-keys</command> may be set at the top level
+ <command>trust-anchors</command> may be set at the top level
of <filename>named.conf</filename> or within a view. If it is
set in both places, the configurations are additive: keys
defined at the top level are inherited by all views, but keys
defined in a view are only used within that view.
</para>
<para>
- The <command>dnssec-keys</command> statement can contain
+ The <command>trust-anchors</command> statement can contain
multiple trust anchor entries, each consisting of a
domain name, followed by an "anchor type" keyword indicating
the trust anchor's format, followed by the key or digest data.
<command>static-ds</command> would be unable to validate
this zone any longer; it would reply with a SERVFAIL response
code. This would continue until the resolver operator had
- updated the <command>dnssec-keys</command> statement with
+ updated the <command>trust-anchors</command> statement with
the new key.
</para>
<para>
<command>initial-key</command> or <command>initial-ds</command>
configured in <filename>named.conf</filename>, it fetches the
DNSKEY RRset directly from the zone apex, and validates it
- using the trust anchor specified in <command>dnssec-keys</command>.
+ using the trust anchor specified in <command>trust-anchors</command>.
If the DNSKEY RRset is validly signed by a key matching
the trust anchor, then it is used as the basis for a new
managed keys database.
From that point on, whenever <command>named</command> runs, it
sees the <command>initial-key</command> or
<command>initial-ds</command> listed in
- <command>dnssec-keys</command>, checks to
+ <command>trust-anchors</command>, checks to
make sure RFC 5011 key maintenance has already been initialized
for the specified domain, and if so, it simply moves on. The
- key specified in the <command>dnssec-keys</command>
+ key specified in the <command>trust-anchors</command>
statement is not used to validate answers; it is
superseded by the key or keys stored in the managed keys
database.
The next time <command>named</command> runs after an
<command>initial-key</command> or <command>initial-ds</command>
trust anchor has been <emphasis>removed</emphasis> from the
- <command>dnssec-keys</command> statement (or changed to
+ <command>trust-anchors</command> statement (or changed to
a <command>static-key</command> or <command>static-ds</command>),
the corresponding keys will be removed from the managed keys
database, and RFC 5011 key maintenance will no longer be used
<para>
The <command>managed-keys</command> statement has been
- deprecated in favor of <xref linkend="dnssec_keys"/>
+ deprecated in favor of <xref linkend="trust_anchors"/>
with the <command>initial-key</command> keyword.
</para>
</section>
<para>
The <command>trusted-keys</command> statement has been
- deprecated in favor of <xref linkend="dnssec_keys"/>
+ deprecated in favor of <xref linkend="trust_anchors"/>
with the <command>static-key</command> keyword.
</para>
</section>
(KSK) for the zone must be configured as a trust
anchor in <filename>named.conf</filename>: that
is, a key for the zone must be specified in
- <command>dnssec-keys</command>. In the case
+ <command>trust-anchors</command>. In the case
of the root zone, you may also rely on the
built-in root trust anchor, which is enabled
when <xref endterm="dnssec_validation_term"
<!-- TODO: command tag is overloaded for configuration and executables -->
<para>To configure a validating resolver to use RFC 5011 to
maintain a trust anchor, configure the trust anchor using a
- <command>dnssec-keys</command> statement and the
+ <command>trust-anchors</command> statement and the
<command>initial-key</command> or <command>initial-ds</command>
keyword. Information about this can be found in
- <xref linkend="dnssec-keys"/>.</para>
+ <xref linkend="trust-anchors"/>.</para>
</section>
<section><info><title>Authoritative Server</title></info>
--- /dev/null
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<section xml:id="relnotes-9.15.7"><info><title>Notes for BIND 9.15.7</title></info>
+
+ <section xml:id="relnotes-9.15.7-changes"><info><title>Feature Changes</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ The <command>dnssec-keys</command> configuration statement,
+ which was introduced in 9.15.1 and revised in 9.15.6, has now
+ been renamed to the more descriptive
+ <command>trust-anchors</command>.
+ </para>
+ <para>
+ (See the sections on
+ <xref linkend="relnotes-9.15.6" xrefstyle="template:9.15.6"/> and
+ <xref linkend="relnotes-9.15.1" xrefstyle="template:9.15.1"/>
+ for prior discussion of this feature.)
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+
+</section>
<!-- Generated by doc/misc/docbook-options.pl -->
<programlisting>
-<command>dnssec-keys</command> { <replaceable>string</replaceable> ( static-key |
+<command>trust-anchors</command> { <replaceable>string</replaceable> ( static-key |
<command>initial-key</command> | static-ds | initial-ds )
<replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable>
<replaceable>quoted_string</replaceable>; ... };
${PERL} docbook-grammars.pl options.active options > ${top_srcdir}/doc/arm/options.grammar.xml
${PERL} docbook-grammars.pl options.active server > ${top_srcdir}/doc/arm/server.grammar.xml
${PERL} docbook-grammars.pl options.active statistics-channels > ${top_srcdir}/doc/arm/statistics-channels.grammar.xml
- ${PERL} docbook-grammars.pl options.active dnssec-keys > ${top_srcdir}/doc/arm/dnssec-keys.grammar.xml
+ ${PERL} docbook-grammars.pl options.active trust-anchors > ${top_srcdir}/doc/arm/trust-anchors.grammar.xml
${PERL} docbook-grammars.pl options.active managed-keys > ${top_srcdir}/doc/arm/managed-keys.grammar.xml
${PERL} docbook-grammars.pl options.active trusted-keys > ${top_srcdir}/doc/arm/trusted-keys.grammar.xml
When acting as a caching name server, BIND9 is capable of performing
basic DNSSEC validation of positive as well as nonexistence responses.
-This functionality is enabled by including a "dnssec-keys" clause
+This functionality is enabled by including a "trust-anchors" clause
in the configuration file, containing the top-level zone key of the
the DNSSEC tree.
* Check for conflicts between static and initialiizing keys.
*/
static isc_result_t
-check_ta_conflicts(const cfg_obj_t *global_dkeys, const cfg_obj_t *view_dkeys,
+check_ta_conflicts(const cfg_obj_t *global_ta, const cfg_obj_t *view_ta,
const cfg_obj_t *global_tkeys, const cfg_obj_t *view_tkeys,
bool autovalidation, isc_mem_t *mctx, isc_log_t *logctx)
{
/*
* First we record all the static keys (i.e., old-style
- * trusted-keys and dnssec-keys configured with "static-key"),
+ * trusted-keys and trust-anchors configured with "static-key"),
* and all the DS-style trust anchors.
*/
- for (elt = cfg_list_first(global_dkeys);
+ for (elt = cfg_list_first(global_ta);
elt != NULL;
elt = cfg_list_next(elt))
{
}
}
- for (elt = cfg_list_first(view_dkeys);
+ for (elt = cfg_list_first(view_ta);
elt != NULL;
elt = cfg_list_next(elt))
{
/*
* Next, ensure that there's no conflict between the
- * static keys and the dnssec-keys configured with "initial-key",
- * or between DS-style and DNSKEY-style dnssec-keys.
+ * static keys and the trust-anchors configured with "initial-key",
+ * or between DS-style and DNSKEY-style trust-anchors.
*/
- for (elt = cfg_list_first(global_dkeys);
+ for (elt = cfg_list_first(global_ta);
elt != NULL;
elt = cfg_list_next(elt))
{
}
}
- for (elt = cfg_list_first(view_dkeys);
+ for (elt = cfg_list_first(view_ta);
elt != NULL;
elt = cfg_list_next(elt))
{
const cfg_obj_t *zones = NULL;
const cfg_obj_t *view_tkeys = NULL, *global_tkeys = NULL;
const cfg_obj_t *view_mkeys = NULL, *global_mkeys = NULL;
- const cfg_obj_t *view_dkeys = NULL, *global_dkeys = NULL;
+ const cfg_obj_t *view_ta = NULL, *global_ta = NULL;
const cfg_obj_t *check_keys[2] = { NULL, NULL };
const cfg_obj_t *keys = NULL;
#ifndef HAVE_DLOPEN
*/
if (voptions != NULL) {
(void)cfg_map_get(voptions, "trusted-keys", &view_tkeys);
- (void)cfg_map_get(voptions, "dnssec-keys", &view_dkeys);
+ (void)cfg_map_get(voptions, "trust-anchors", &view_ta);
(void)cfg_map_get(voptions, "managed-keys", &view_mkeys);
}
(void)cfg_map_get(config, "trusted-keys", &global_tkeys);
- (void)cfg_map_get(config, "dnssec-keys", &global_dkeys);
+ (void)cfg_map_get(config, "trust-anchors", &global_ta);
(void)cfg_map_get(config, "managed-keys", &global_mkeys);
/*
ISC_LOG_WARNING,
"trusted-keys entry for the root "
"zone WILL FAIL after key "
- "rollover - use dnssec-keys "
+ "rollover - use trust-anchors "
"with initial-key "
"or initial-ds instead.");
}
* Check dnssec/managed-keys. (Only one or the other can be used.)
*/
if ((view_mkeys != NULL || global_mkeys != NULL) &&
- (view_dkeys != NULL || global_dkeys != NULL))
+ (view_ta != NULL || global_ta != NULL))
{
keys = (view_mkeys != NULL) ? view_mkeys : global_mkeys;
cfg_obj_log(keys, logctx, ISC_LOG_ERROR,
"use of managed-keys is not allowed when "
- "dnssec-keys is also in use");
+ "trust-anchors is also in use");
result = ISC_R_FAILURE;
}
- if (view_dkeys == NULL && global_dkeys == NULL) {
- view_dkeys = view_mkeys;
- global_dkeys = global_mkeys;
+ if (view_ta == NULL && global_ta == NULL) {
+ view_ta = view_mkeys;
+ global_ta = global_mkeys;
}
- check_keys[0] = view_dkeys;
- check_keys[1] = global_dkeys;
+ check_keys[0] = view_ta;
+ check_keys[1] = global_ta;
for (i = 0; i < 2; i++) {
if (check_keys[i] != NULL) {
unsigned int flags = 0;
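Review bot: The comment that opens this hunk, `* Check dnssec/managed-keys. (Only one or the other can be used.)`, still uses the old name while every line below it now talks about trust-anchors, so it should be updated to `* Check trust-anchors/managed-keys. (Only one or the other can be used.)`. The renamed variables and the error text in the hunk are consistent with each other; the enclosing function starts and ends outside the hunk.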
ISC_LOG_WARNING,
"static entry for the root "
"zone WILL FAIL after key "
- "rollover - use dnssec-keys "
+ "rollover - use trust-anchors "
"with initial-key "
"or initial-ds instead.");
}
}
if ((tflags & ROOT_KSK_ANY) != 0 && (dflags & ROOT_KSK_ANY) != 0) {
- keys = (view_dkeys != NULL) ? view_dkeys : global_dkeys;
+ keys = (view_ta != NULL) ? view_ta : global_ta;
cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
- "both trusted-keys and dnssec-keys "
+ "both trusted-keys and trust-anchors "
"for the root zone are present");
}
if ((dflags & ROOT_KSK_ANY) == ROOT_KSK_ANY) {
- keys = (view_dkeys != NULL) ? view_dkeys : global_dkeys;
+ keys = (view_ta != NULL) ? view_ta : global_ta;
cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
"both initial and static entries for the "
"root zone are present");
autovalidation = true;
}
- tresult = check_ta_conflicts(global_dkeys, view_dkeys,
+ tresult = check_ta_conflicts(global_ta, view_ta,
global_tkeys, view_tkeys,
autovalidation, mctx, logctx);
if (tresult != ISC_R_SUCCESS) {
* statements with the set of trust anchors found in the managed-keys.bind
* zone. If a domain is no longer named in managed-keys, delete all keys
* from that domain from the key zone. If a domain is configured as an
- * initial-key in dnssec-keys, but there are no references to it in the
+ * initial-key in trust-anchors, but there are no references to it in the
* key zone, load the key zone with the initializing key(s) for that
* domain and schedule a key refresh. If a domain is configured as
- * an initial-ds in dnssec-keys, fetch the DNSKEY RRset, load the key
+ * an initial-ds in trust-anchors, fetch the DNSKEY RRset, load the key
* zone with the matching key, and schedule a key refresh.
*/
static isc_result_t
/*
* Walk the zone DB. If we find any keys whose names are no longer
- * in dnssec-keys, or which have been changed from initial to static,
+ * in trust-anchors, or which have been changed from initial to static,
* (meaning they are permanent and not RFC5011-maintained), delete
* them from the zone. Otherwise call load_secroots(), which
* loads keys into secroots as appropriate.
}
keys = NULL;
- cfg_map_get(cfgobj, "dnssec-keys", &keys);
+ cfg_map_get(cfgobj, "trust-anchors", &keys);
if (keys == NULL) {
return (ISC_R_SUCCESS);
}
* Notes:
* This module is very experimental and the configuration syntax or library
* interfaces may change in future versions. Currently, only static
- * key configuration is supported; "trusted-keys" and "dnssec-keys"/
+ * key configuration is supported; "trusted-keys" and "trust-anchors"/
* "managed-keys" statements will be parsed exactly as they are in
- * named.conf, except that "dnssec-keys" and "managed-keys" entries will
+ * named.conf, except that "trust-anchors" and "managed-keys" entries will
* be treated as if they were configured with "static-key", even if they
* were actually configured with "initial-key".
*/
/*%
* A key initialization specifier, as used in the
- * "dnssec-keys" (or synonymous "managed-keys") statement.
+ * "trust-anchors" (or synonymous "managed-keys") statement.
*/
static const char *anchortype_enums[] = {
"static-key", "initial-key", "static-ds", "initial-ds", NULL
{ "dlz", &cfg_type_dlz, CFG_CLAUSEFLAG_MULTI },
{ "dyndb", &cfg_type_dyndb, CFG_CLAUSEFLAG_MULTI },
{ "key", &cfg_type_key, CFG_CLAUSEFLAG_MULTI },
- { "dnssec-keys", &cfg_type_dnsseckeys, CFG_CLAUSEFLAG_MULTI },
{ "managed-keys", &cfg_type_dnsseckeys,
CFG_CLAUSEFLAG_MULTI|CFG_CLAUSEFLAG_DEPRECATED },
{ "plugin", &cfg_type_plugin, CFG_CLAUSEFLAG_MULTI },
{ "server", &cfg_type_server, CFG_CLAUSEFLAG_MULTI },
+ { "trust-anchors", &cfg_type_dnsseckeys, CFG_CLAUSEFLAG_MULTI },
{ "trusted-keys", &cfg_type_trustedkeys,
CFG_CLAUSEFLAG_MULTI|CFG_CLAUSEFLAG_DEPRECATED },
{ "zone", &cfg_type_zone, CFG_CLAUSEFLAG_MULTI },
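Review bot: The `dnssec-keys` clause is deleted from namedconf_clauses outright, whereas `managed-keys` and `trusted-keys` two lines away are retained with CFG_CLAUSEFLAG_DEPRECATED; any named.conf or bind.keys written against the 9.15 development releases that shipped `dnssec-keys` (the copyright list in this commit shows the statement existed in 2019 documentation) will now fail to parse instead of warning. The same removal without an alias happens in bindkeys_clauses in the next hunk. If that breakage is not intended for these releases, keeping `{ "dnssec-keys", &cfg_type_dnsseckeys, CFG_CLAUSEFLAG_MULTI|CFG_CLAUSEFLAG_DEPRECATED },` in both tables would preserve loading, though the callers in this commit that look the clause up by name would then presumably also need to read the old name, which this diff does not show. If dropping the old name is deliberate, a release note or changelog line saying existing `dnssec-keys` statements must be renamed would help operators, since a trust-anchor file that silently fails to load weakens validation.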
*/
static cfg_clausedef_t
bindkeys_clauses[] = {
- { "dnssec-keys", &cfg_type_dnsseckeys, CFG_CLAUSEFLAG_MULTI },
{ "managed-keys", &cfg_type_dnsseckeys,
CFG_CLAUSEFLAG_MULTI|CFG_CLAUSEFLAG_DEPRECATED },
+ { "trust-anchors", &cfg_type_dnsseckeys, CFG_CLAUSEFLAG_MULTI },
{ "trusted-keys", &cfg_type_trustedkeys,
CFG_CLAUSEFLAG_MULTI|CFG_CLAUSEFLAG_DEPRECATED },
{ NULL, NULL, 0 }
&cfg_rep_map, namedconf_clausesets
};
-/*% The bind.keys syntax (dnssec-keys/managed-keys/trusted-keys only). */
+/*% The bind.keys syntax (trust-anchors/managed-keys/trusted-keys only). */
static cfg_clausedef_t *
bindkeys_clausesets[] = {
bindkeys_clauses,
$lines .= $_ . "\n";
}
-my $mkey = '#define DNSSEC_KEYS "\\' . "\n" . $lines . "\"\n";
+my $mkey = '#define TRUST_ANCHORS "\\' . "\n" . $lines . "\"\n";
print "#ifndef BIND_KEYS_H\n";
print "#define BIND_KEYS_H 1\n";
./doc/arm/controls.grammar.xml SGML 2018,2019
./doc/arm/delegation-only.zoneopt.xml SGML 2018,2019
./doc/arm/dlz.xml SGML 2012,2013,2014,2015,2016,2018,2019
-./doc/arm/dnssec-keys.grammar.xml SGML 2019
./doc/arm/dnssec-policy.grammar.xml SGML 2019
./doc/arm/dnssec.xml SGML 2010,2011,2015,2016,2017,2018,2019
./doc/arm/dyndb.xml SGML 2015,2016,2018,2019
./doc/arm/notes-9.15.4.xml SGML 2019
./doc/arm/notes-9.15.5.xml SGML 2019
./doc/arm/notes-9.15.6.xml SGML 2019
+./doc/arm/notes-9.15.7.xml SGML 2019
./doc/arm/notes-download.xml SGML 2019
./doc/arm/notes-eol.xml SGML 2019
./doc/arm/notes-intro.xml SGML 2019
./doc/arm/static-stub.zoneopt.xml SGML 2018,2019
./doc/arm/statistics-channels.grammar.xml SGML 2018,2019
./doc/arm/stub.zoneopt.xml SGML 2018,2019
+./doc/arm/trust-anchors.grammar.xml SGML 2019
./doc/arm/trusted-keys.grammar.xml SGML 2018,2019
./doc/design/addressdb TXT.BRIEF 2000,2001,2004,2016,2018,2019
./doc/design/cds-child TXT.BRIEF 2015,2016,2018,2019