The `dnssec-keygen` utility (and `dnssec-keyfromlabel`, which was derived from it) had several options dating to the time when keys in DNS were still experimental and not fully specified, and when `dnssec-keygen` had the additional function of generating TSIG keys, which are now generated by `tsig-keygen`. These options are no longer necessary in the modern DNSSEC environment, and have been removed.
The removed options are:
- `-t` (key type), which formerly set flags to disable confidentiality or authentication support in a key; these are no longer used.
- `-n` (name type), which is now always set to "ZONE" for DNSKEY and "HOST" for KEY.
- `-p` (protocol), which is now always set to 3 (DNSSEC); no other value has ever been defined.
- `-s` (signatory field), which was never fully defined.
- `-d` (digest bits), which is meaningful only for TSIG keys.
Merge branch 'each-remove-keygen-options' into 'main'
See merge request isc-projects/bind9!10262
projects / thirdparty / bind9.git / commitdiff
