if (cfg_obj_isvoid(obj)) {
/*
* "anchortype" is not defined, this must be a static-key
- * configured with trusted-keys.
+ * configured with trust-anchors.
*/
anchortype = STATIC_KEY;
} else {
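Review bot: The `cfg_obj_isvoid(obj)` branch this comment describes looks unreachable after this commit: the only tuple definition whose `anchortype` field was `cfg_type_void` (`dnsseckey_fields`, removed further down in this diff together with `cfg_type_trustedkeys`) is gone, and `trust-anchors` entries always carry one of the `anchortype_enums` strings, so the rewritten wording "configured with trust-anchors" describes a case that no longer occurs. Rather than keeping a fallback that would silently treat a key with no anchor type as a static trust anchor, either drop the branch or make it `INSIST(!cfg_obj_isvoid(obj));` so an unexpected tuple shape fails loudly. If the branch is kept on purpose, the comment should say why, e.g. `/* No anchor type: only possible for legacy tuple types, which no longer exist; treat as static-key. */`. The enclosing function starts and ends outside the hunk.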
setup_dnsseckeys(dns_client_t *client, dns_view_t *toview) {
isc_result_t result;
cfg_parser_t *parser = NULL;
- const cfg_obj_t *trusted_keys = NULL;
- const cfg_obj_t *managed_keys = NULL;
const cfg_obj_t *trust_anchors = NULL;
cfg_obj_t *bindkeys = NULL;
}
INSIST(bindkeys != NULL);
- cfg_map_get(bindkeys, "trusted-keys", &trusted_keys);
- cfg_map_get(bindkeys, "managed-keys", &managed_keys);
cfg_map_get(bindkeys, "trust-anchors", &trust_anchors);
-
- if (trusted_keys != NULL) {
- CHECK(load_keys(trusted_keys, client, toview));
- }
- if (managed_keys != NULL) {
- CHECK(load_keys(managed_keys, client, toview));
- }
if (trust_anchors != NULL) {
CHECK(load_keys(trust_anchors, client, toview));
}
}
/*
- * Add the key to 'secroots'. Keys from a "trust-anchors" or
- * "managed-keys" statement may be either static or initializing
- * keys. If it's not initializing, we don't want to treat it as
- * managed, so we use 'initializing' twice here, for both the
- * 'managed' and 'initializing' arguments to dns_keytable_add().
+ * Add the key to 'secroots'. Keys from a "trust-anchors" statement
+ * may be either static or initializing keys. If it's not initializing,
+ * we don't want to treat it as managed, so we use 'initializing'
+ * twice here, for both the 'managed' and 'initializing' arguments to
+ * dns_keytable_add().
*/
result = dns_keytable_add(secroots, initializing, initializing, keyname,
&ds, sfd_add, view);
const cfg_obj_t *config, const cfg_obj_t *bindkeys,
bool auto_root) {
isc_result_t result = ISC_R_SUCCESS;
- const cfg_obj_t *view_keys = NULL;
- const cfg_obj_t *global_keys = NULL;
- const cfg_obj_t *view_managed_keys = NULL;
const cfg_obj_t *view_trust_anchors = NULL;
- const cfg_obj_t *global_managed_keys = NULL;
const cfg_obj_t *global_trust_anchors = NULL;
const cfg_obj_t *maps[4];
const cfg_obj_t *voptions = NULL;
if (vconfig != NULL) {
voptions = cfg_tuple_get(vconfig, "options");
if (voptions != NULL) {
- (void)cfg_map_get(voptions, "trusted-keys", &view_keys);
-
- /* managed-keys and trust-anchors are synonyms. */
- (void)cfg_map_get(voptions, "managed-keys",
- &view_managed_keys);
(void)cfg_map_get(voptions, "trust-anchors",
&view_trust_anchors);
-
maps[i++] = voptions;
}
}
if (config != NULL) {
- (void)cfg_map_get(config, "trusted-keys", &global_keys);
-
- /* managed-keys and trust-anchors are synonyms. */
- (void)cfg_map_get(config, "managed-keys", &global_managed_keys);
(void)cfg_map_get(config, "trust-anchors",
&global_trust_anchors);
-
(void)cfg_map_get(config, "options", &options);
if (options != NULL) {
maps[i++] = options;
}
if (view->rdclass == dns_rdataclass_in) {
- CHECK(load_view_keys(view_keys, view, false, NULL));
CHECK(load_view_keys(view_trust_anchors, view, true, NULL));
- CHECK(load_view_keys(view_managed_keys, view, true, NULL));
-
- CHECK(load_view_keys(global_keys, view, false, NULL));
CHECK(load_view_keys(global_trust_anchors, view, true, NULL));
- CHECK(load_view_keys(global_managed_keys, view, true, NULL));
}
/*
.. option:: secroots [-] [view ...]
This command dumps the security roots (i.e., trust anchors configured via
- ``trust-anchors``, or the ``managed-keys`` or ``trusted-keys`` statements
- [both deprecated], or ``dnssec-validation auto``) and negative trust anchors
- for the specified views. If no view is specified, all views are
+ ``trust-anchors`` statement, or ``dnssec-validation auto``) and negative
+ trust anchors for the specified views. If no view is specified, all views are
dumped. Security roots indicate whether they are configured as trusted
keys, managed keys, or initializing managed keys (managed keys that have not
yet been updated by a successful key refresh query).
NQyrszHhWUU=";
};
-trusted-keys {
- . 257 3 8 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbod
- y0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQ
- YfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX
- 2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuw
- E60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/
- Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn
- 6zqCkwuMmrU=";
+trust-anchors {
+ . static-key 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl
+ 25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG
+ tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY
+ kYrFYGLzYAgl/JtMyVVYlBl9pqxQuAPKYPOuO1axaad/wLN3+wTy/hcJ
+ fpvJpqzXlDF9bI5RmpoX/7geZ06vpcYJEoT0xkkmPlEl0ZjEDrm/WIaS
+ WG0/CEDpHcOXFz4OEczMVpY+lnuFfKybwF1WHFn2BwVEOS6cMM6ukIjI
+ NQyrszHhWUU=";
};
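Review bot: The replacement `static-key` entry reuses the key material of the anchor immediately above it (the context at the top of the hunk ends with the same `NQyrszHhWUU=` data), whereas the removed `trusted-keys` block held a different key (`AwEAAZtP9+…`). If this fixture is meant to present two distinct anchors for the root, the second one has been lost and the file now carries a duplicate; if a duplicate is the intended test input, a one-line `# intentionally the same key as above` comment would keep the next reader from "fixing" it. The file name and the test that consumes it are not visible in this chunk, so this is inferred from the key data alone.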
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-options {
- dnssec-validation yes;
-};
QxA+Uk1ihz0=";
};
-managed-keys {
+trust-anchors {
# This key (20326) was published in the root zone in 2017.
# Servers which were already using the old key (19036) should
# roll seamlessly to this new one via RFC 5011 rollover. Servers
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-trusted-keys {
- # This key (20326) was published in the root zone in 2017.
- # Servers which were already using the old key (19036) should
- # roll seamlessly to this new one via RFC 5011 rollover. Servers
- # being set up for the first time can use the contents of this
- # file as initializing keys; thereafter, the keys in the
- # managed key database will be trusted and maintained
- # automatically.
- . 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
- +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
- ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
- 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
- oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
- RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
- R1AkUTV74bU=";
-};
sortlist { };
};
-trusted-keys {
- fake.trusted. 257 3 8
- "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
- FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
- bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
- X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
- W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
- Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
- QxA+Uk1ihz0=";
-};
-
-managed-keys {
+trust-anchors {
fake.managed. initial-key 257 3 8
"AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-options {
- dnssec-validation yes;
-};
-
-trusted-keys {
- example. 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl
- 25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG
- tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY
- kYrFYGLzYAgl/JtMyVVYlBl9pqxQuAPKYPOuO1axaad/wLN3+wTy/hcJ
- fpvJpqzXlDF9bI5RmpoX/7geZ06vpcYJEoT0xkkmPlEl0ZjEDrm/WIaS
- WG0/CEDpHcOXFz4OEczMVpY+lnuFfKybwF1WHFn2BwVEOS6cMM6ukIjI
- NQyrszHhWUU=";
- example. 257 3 8 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbod
- y0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQ
- YfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX
- 2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuw
- E60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/
- Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn
- 6zqCkwuMmrU=";
-};
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-options {
- dnssec-validation yes;
-};
-
-trusted-keys {};
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-options {
- dnssec-validation yes;
-};
-
-trusted-keys {
- example. 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl
- 25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG
- tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY
- kYrFYGLzYAgl/JtMyVVYlBl9pqxQuAPKYPOuO1axaad/wLN3+wTy/hcJ
- fpvJpqzXlDF9bI5RmpoX/7geZ06vpcYJEoT0xkkmPlEl0ZjEDrm/WIaS
- WG0/CEDpHcOXFz4OEczMVpY+lnuFfKybwF1WHFn2BwVEOS6cMM6ukIjI
- NQyrszHhWUU=";
-};
echo_i "checking named-checkconf deprecate warnings ($n)"
ret=0
$CHECKCONF deprecated.conf >checkconf.out$n.1 2>&1 || ret=1
-grep "option 'managed-keys' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1
-grep "option 'trusted-keys' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1
grep "option 'max-zone-ttl' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1
grep "option 'sortlist' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
fi
status=$((status + ret))
-n=$((n + 1))
-echo_i "check that a trusted-keys entry for root generates a warning ($n)"
-ret=0
-$CHECKCONF check-root-trusted-key.conf >checkconf.out$n 2>/dev/null || ret=1
-grep "trusted-keys entry for the root zone WILL FAIL" checkconf.out$n >/dev/null || ret=1
-if [ $ret -ne 0 ]; then
- echo_i "failed"
- ret=1
-fi
-status=$((status + ret))
-
-n=$((n + 1))
-echo_i "check that using trust-anchors and managed-keys generates an error ($n)"
-ret=0
-$CHECKCONF check-mixed-keys.conf >checkconf.out$n 2>/dev/null && ret=1
-grep "use of managed-keys is not allowed" checkconf.out$n >/dev/null || ret=1
-if [ $ret -ne 0 ]; then
- echo_i "failed"
- ret=1
-fi
-status=$((status + ret))
-
n=$((n + 1))
echo_i "checking named-checkconf kasp errors ($n)"
ret=0
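Review bot: The surviving `$CHECKCONF deprecated.conf` check still expects a zero exit, but with `managed-keys` and `trusted-keys` now flagged `CFG_CLAUSEFLAG_ANCIENT` elsewhere in this diff, a `deprecated.conf` that still contains either clause would presumably fail to parse and set `ret=1` before the `max-zone-ttl`/`sortlist` greps mean anything. The fixture itself is not in this chunk, so confirm it was stripped of both clauses. The removed root-static-key and mixed-keys checks also leave no test that a `static-key` root anchor inside `trust-anchors` still produces a warning; if that warning still exists in the checker, a replacement check against a `trust-anchors` fixture using `static-key` for the root would keep that regression covered.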
echo "};"
}
-# keyfile_to_trusted_keys: convert key data contained in the keyfile(s)
-# provided to a "trust-keys" section suitable for including in a
-# resolver's configuration file
-keyfile_to_trusted_keys() {
- keyfile_to_keys "trusted-keys" "" $*
-}
-
# keyfile_to_static_keys: convert key data contained in the keyfile(s)
# provided to a *static-key* "trust-anchors" section suitable for including in
# a resolver's configuration file
cp trusted.conf ../ns7/trusted.conf
cp trusted.conf ../ns9/trusted.conf
-keyfile_to_trusted_keys "$ksk" >trusted.keys
+keyfile_to_static_keys "$ksk" >trusted.keys
# ...or with an initializing key.
keyfile_to_initial_ds "$ksk" >managed.conf
:any:`trust-anchors`
Defines DNSSEC trust anchors: if used with the ``initial-key`` or ``initial-ds`` keyword, trust anchors are kept up-to-date using :rfc:`5011` trust anchor maintenance; if used with ``static-key`` or ``static-ds``, keys are permanent.
- :any:`managed-keys`
- Is identical to :any:`trust-anchors`; this option is deprecated in favor of :any:`trust-anchors` with the ``initial-key`` keyword, and may be removed in a future release.
-
- :any:`trusted-keys`
- Defines permanent trusted DNSSEC keys; this option is deprecated in favor of :any:`trust-anchors` with the ``static-key`` keyword, and may be removed in a future release.
-
:any:`view`
Defines a view.
If all supported algorithms are disabled, the zones covered by the
:any:`disable-algorithms` setting are treated as insecure.
- Configured trust anchors in :any:`trust-anchors` (or :any:`managed-keys` or
- :any:`trusted-keys`) that match a disabled algorithm are ignored and treated
- as if they were not configured.
+ Configured trust anchors in :any:`trust-anchors` that match a disabled
+ algorithm are ignored and treated as if they were not configured.
.. namedconf:statement:: disable-ds-digests
:tags: dnssec, zone
anchor for the DNS root zone is used. This trust anchor is provided
as part of BIND and is kept up-to-date using :ref:`rfc5011.support` key
management. Adding an explicit static key using the :any:`trust-anchors`
- statement, with a ``static-key`` anchor type (or using the deprecated
- :any:`trusted-keys` statement) for the root zone, is not supported with the
- ``auto`` setting and is treated as a configuration error.
+ statement, with a ``static-key`` anchor type for the root zone, is not
+ supported with the ``auto`` setting and is treated as a configuration error.
If set to ``yes``, DNSSEC validation is enabled, but a trust anchor must be
- manually configured using a :any:`trust-anchors` statement (or the
- :any:`managed-keys` or :any:`trusted-keys` statements, both deprecated). If
+ manually configured using a :any:`trust-anchors` statement. If
:any:`trust-anchors` is not configured, it is a configuration error. If
:any:`trust-anchors` does not include a valid root key, then validation does
not take place for names which are not covered by any of the configured trust
anchor types are immutable, while keys configured with
``initial-key`` or ``initial-ds``
can be kept up-to-date automatically, without intervention from the resolver operator.
-(``static-key`` keys are identical to keys configured using the
-deprecated :any:`trusted-keys` statement.)
Suppose, for example, that a zone's key-signing key was compromised, and
the zone owner had to revoke and replace the key. A resolver which had
This option acts like :any:`parental-source`, but applies to parental DS
queries sent to IPv6 addresses.
-:any:`managed-keys` Block Grammar
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.. namedconf:statement:: managed-keys
- :tags: deprecated
-
-:any:`managed-keys` Block Definition and Usage
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-The :any:`managed-keys` statement has been
-deprecated in favor of :any:`trust-anchors`
-with the ``initial-key`` keyword.
-
-:any:`trusted-keys` Block Grammar
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.. namedconf:statement:: trusted-keys
- :tags: deprecated
-
-:any:`trusted-keys` Block Definition and Usage
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-The :any:`trusted-keys` statement has been deprecated in favor of
-:any:`trust-anchors` with the ``static-key`` keyword.
-
:any:`view` Block Grammar
~~~~~~~~~~~~~~~~~~~~~~~~~~
.. namedconf:statement:: view
### Trust anchors
-In BIND 9, trust anchors can be configured using two clauses:
-
- * `trusted-keys`, which contains hardcoded (static) trust anchors,
- * `managed-keys`, which will be kept up to date automatically, following the
- zone's key rollovers (according to the algorithm specified in RFC 5011).
-
-When put into the above clauses, keys using unsupported algorithms will be
-ignored:
+In BIND 9, trust anchors can be configured using `trust-anchors`. When put into
+such clause, keys using unsupported algorithms will be ignored:
trusted.conf:3: skipping trusted key for 't.example.': algorithm is unsupported
managed.conf:3: skipping managed key for 'm.example.': algorithm is unsupported
by the records in that DLV zone will yield SERVFAIL responses. Consider the
following example:
- trusted-keys {
- "dlv.example." 257 3 1 ...;
+ trust-anchors {
+ "dlv.example." static-key 257 3 1 ...;
};
options {
A zone for which BIND 9 has a trust anchor configured may decide to do an
algorithm rollover to an unsupported algorithm. If configured with
-`managed-keys`, BIND 9 will ignore the newly introduced DNSKEY if it does
+`trust-anchors`, BIND 9 will ignore the newly introduced DNSKEY if it does
not support the algorithm. That means that the moment the predecessor DNSKEY
gets revoked, BIND 9 will no longer have any trust anchors for the given zone
and it will treat the trust point as if it does not exist, meaning that
};
This “auto” line enables automatic DNSSEC trust anchor configuration
-using the :any:`managed-keys` feature. In this case, no manual key
+using the :any:`trust-anchors` feature. In this case, no manual key
configuration is needed. There are three possible choices for the
:any:`dnssec-validation` option:
}; // may occur multiple times
};
-managed-keys { <string> ( static-key | initial-key | static-ds | initial-ds ) <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times, deprecated
-
options {
allow-new-zones <boolean>;
allow-notify { <address_match_element>; ... };
trust-anchors { <string> ( static-key | initial-key | static-ds | initial-ds ) <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times
-trusted-keys { <string> <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times, deprecated
-
view <string> [ <class> ] {
allow-new-zones <boolean>;
allow-notify { <address_match_element>; ... };
key-directory <quoted_string>;
lame-ttl <duration>;
lmdb-mapsize <sizeval>; // optional (only available if configured)
- managed-keys { <string> ( static-key | initial-key | static-ds | initial-ds ) <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times, deprecated
masterfile-format ( raw | text );
masterfile-style ( full | relative );
match-clients { <address_match_element>; ... };
transfer-source-v6 ( <ipv6_address> | * );
trust-anchor-telemetry <boolean>;
trust-anchors { <string> ( static-key | initial-key | static-ds | initial-ds ) <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times
- trusted-keys { <string> <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times, deprecated
try-tcp-refresh <boolean>;
update-check-ksk <boolean>; // obsolete
v6-bias <integer>;
*
* The value of keynode->managed is set to 'managed', and the
* value of keynode->initial is set to 'initial'. (Note: 'initial'
- * should only be used when adding managed-keys from configuration.
+ * should only be used when adding trust-anchors from configuration.
* This indicates the key is in "initializing" state, and has not yet
* been confirmed with a key refresh query. Once a key refresh query
* has validated, we update the keynode with initial == false.)
/*%
* KASP flags
*/
-#define KASP_LOCK(k) \
- if ((k) != NULL) { \
- LOCK((&((k)->lock))); \
+#define KASP_LOCK(k) \
+ if ((k) != NULL) { \
+ LOCK(&((k)->lock)); \
}
-#define KASP_UNLOCK(k) \
- if ((k) != NULL) { \
- UNLOCK((&((k)->lock))); \
+#define KASP_UNLOCK(k) \
+ if ((k) != NULL) { \
+ UNLOCK(&((k)->lock)); \
}
/*
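Review bot: `KASP_LOCK` and `KASP_UNLOCK` still expand to a bare `if` block, so a call site such as `if (cond) KASP_LOCK(k); else …` would attach the `else` to the macro's internal `if`; since these lines are being reworked anyway, wrapping the body in `do { … } while (0)` would remove that hazard and match the `} while (0)` form the zone-lock macros a few hunks below already use. The parenthesis cleanup itself is fine, as `&((k)->lock)` still parenthesizes `k`.

```c
#define KASP_LOCK(k)                        \
	do {                                \
		if ((k) != NULL) {          \
			LOCK(&((k)->lock)); \
		}                           \
	} while (0)

#define KASP_UNLOCK(k)                        \
	do {                                  \
		if ((k) != NULL) {            \
			UNLOCK(&((k)->lock)); \
		}                             \
	} while (0)
```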
} while (0)
#endif /* ifdef DNS_ZONE_CHECKLOCK */
-#define ZONEDB_INITLOCK(l) isc_rwlock_init((l))
+#define ZONEDB_INITLOCK(l) isc_rwlock_init(l)
#define ZONEDB_DESTROYLOCK(l) isc_rwlock_destroy(l)
#define ZONEDB_LOCK(l, t) RWLOCK((l), (t))
#define ZONEDB_UNLOCK(l, t) RWUNLOCK((l), (t))
}
/*
- * Synchronize the set of initializing keys found in managed-keys {}
+ * Synchronize the set of initializing keys found in trust-anchors {}
* statements with the set of trust anchors found in the managed-keys.bind
- * zone. If a domain is no longer named in managed-keys, delete all keys
+ * zone. If a domain is no longer named in trust-anchors, delete all keys
* from that domain from the key zone. If a domain is configured as an
* initial-key in trust-anchors, but there are no references to it in the
* key zone, load the key zone with the initializing key(s) for that
failure:
if (result != ISC_R_SUCCESS) {
dnssec_log(zone, ISC_LOG_ERROR,
- "error during managed-keys processing (%s): "
+ "error during trust anchor processing (%s): "
"DNSSEC validation may be at risk",
isc_result_totext(result));
}
#define ROOT_KSK_2017 0x08
static isc_result_t
-check_trust_anchor(const cfg_obj_t *key, bool managed, unsigned int *flagsp) {
+check_trust_anchor(const cfg_obj_t *key, unsigned int *flagsp) {
+ bool managed = true;
const char *str = NULL, *namestr = NULL;
dns_fixedname_t fkeyname;
dns_name_t *keyname = NULL;
STATIC_DNSKEY,
INIT_DS,
STATIC_DS,
- TRUSTED
} anchortype;
/*
result = ISC_R_FAILURE;
}
- if (managed) {
- atstr = cfg_obj_asstring(cfg_tuple_get(key, "anchortype"));
-
- if (strcasecmp(atstr, "static-key") == 0) {
- managed = false;
- anchortype = STATIC_DNSKEY;
- } else if (strcasecmp(atstr, "static-ds") == 0) {
- managed = false;
- anchortype = STATIC_DS;
- } else if (strcasecmp(atstr, "initial-key") == 0) {
- anchortype = INIT_DNSKEY;
- } else if (strcasecmp(atstr, "initial-ds") == 0) {
- anchortype = INIT_DS;
- } else {
- cfg_obj_log(key, ISC_LOG_ERROR,
- "key '%s': "
- "invalid initialization method '%s'",
- namestr, atstr);
- result = ISC_R_FAILURE;
-
- /*
- * We can't interpret the trust anchor, so
- * we skip all other checks.
- */
- goto cleanup;
- }
+ atstr = cfg_obj_asstring(cfg_tuple_get(key, "anchortype"));
+ if (strcasecmp(atstr, "static-key") == 0) {
+ managed = false;
+ anchortype = STATIC_DNSKEY;
+ } else if (strcasecmp(atstr, "static-ds") == 0) {
+ managed = false;
+ anchortype = STATIC_DS;
+ } else if (strcasecmp(atstr, "initial-key") == 0) {
+ anchortype = INIT_DNSKEY;
+ } else if (strcasecmp(atstr, "initial-ds") == 0) {
+ anchortype = INIT_DS;
} else {
- atstr = "trusted-key";
- anchortype = TRUSTED;
+ cfg_obj_log(key, ISC_LOG_ERROR,
+ "key '%s': "
+ "invalid initialization method '%s'",
+ namestr, atstr);
+ result = ISC_R_FAILURE;
+ /*
+ * We can't interpret the trust anchor, so
+ * we skip all other checks.
+ */
+ goto cleanup;
}
switch (anchortype) {
case INIT_DNSKEY:
case STATIC_DNSKEY:
- case TRUSTED:
if (rdata1 > 0xffff) {
cfg_obj_log(key, ISC_LOG_ERROR, "flags too big: %u",
rdata1);
*/
static isc_result_t
check_ta_conflicts(const cfg_obj_t *global_ta, const cfg_obj_t *view_ta,
- const cfg_obj_t *global_tkeys, const cfg_obj_t *view_tkeys,
bool autovalidation, isc_mem_t *mctx) {
isc_result_t result, tresult;
const cfg_listelt_t *elt = NULL;
}
/*
- * First we record all the static keys (i.e., old-style
- * trusted-keys and trust-anchors configured with "static-key"),
- * and all the DS-style trust anchors.
+ * First we record all the static keys (trust-anchors configured with
+ * "static-key"), and all the DS-style trust anchors.
*/
for (elt = cfg_list_first(global_ta); elt != NULL;
elt = cfg_list_next(elt))
}
}
- for (elt = cfg_list_first(global_tkeys); elt != NULL;
- elt = cfg_list_next(elt))
- {
- keylist = cfg_listelt_value(elt);
- tresult = record_static_keys(statictab, mctx, keylist,
- autovalidation);
- if (result == ISC_R_SUCCESS) {
- result = tresult;
- }
- }
-
- for (elt = cfg_list_first(view_tkeys); elt != NULL;
- elt = cfg_list_next(elt))
- {
- keylist = cfg_listelt_value(elt);
- tresult = record_static_keys(statictab, mctx, keylist,
- autovalidation);
- if (result == ISC_R_SUCCESS) {
- result = tresult;
- }
- }
-
/*
* Next, ensure that there's no conflict between the
* static keys and the trust-anchors configured with "initial-key".
isc_symtab_t *files, isc_symtab_t *keydirs, unsigned int flags,
isc_symtab_t *inview, isc_mem_t *mctx) {
const cfg_obj_t *zones = NULL;
- const cfg_obj_t *view_tkeys = NULL, *global_tkeys = NULL;
- const cfg_obj_t *view_mkeys = NULL, *global_mkeys = NULL;
const cfg_obj_t *view_ta = NULL, *global_ta = NULL;
const cfg_obj_t *check_keys[2] = { NULL, NULL };
const cfg_obj_t *keys = NULL;
const cfg_obj_t *opts = NULL;
const cfg_obj_t *plugin_list = NULL;
bool autovalidation = false;
- unsigned int tflags = 0, dflags = 0;
+ unsigned int dflags = 0;
int i;
bool check_plugins = (flags & BIND_CHECK_PLUGINS) != 0;
bool check_algorithms = (flags & BIND_CHECK_ALGORITHMS) != 0;
* Load all DNSSEC keys.
*/
if (voptions != NULL) {
- (void)cfg_map_get(voptions, "trusted-keys", &view_tkeys);
(void)cfg_map_get(voptions, "trust-anchors", &view_ta);
- (void)cfg_map_get(voptions, "managed-keys", &view_mkeys);
}
- (void)cfg_map_get(config, "trusted-keys", &global_tkeys);
(void)cfg_map_get(config, "trust-anchors", &global_ta);
- (void)cfg_map_get(config, "managed-keys", &global_mkeys);
-
- /*
- * Check trusted-keys.
- */
- check_keys[0] = view_tkeys;
- check_keys[1] = global_tkeys;
- for (i = 0; i < 2; i++) {
- if (check_keys[i] != NULL) {
- unsigned int taflags = 0;
-
- for (element = cfg_list_first(check_keys[i]);
- element != NULL; element = cfg_list_next(element))
- {
- const cfg_obj_t *keylist =
- cfg_listelt_value(element);
- for (element2 = cfg_list_first(keylist);
- element2 != NULL;
- element2 = cfg_list_next(element2))
- {
- obj = cfg_listelt_value(element2);
- tresult = check_trust_anchor(obj, false,
- &taflags);
- if (tresult != ISC_R_SUCCESS) {
- result = tresult;
- }
- }
- }
-
- if ((taflags & ROOT_KSK_STATIC) != 0) {
- cfg_obj_log(check_keys[i], ISC_LOG_WARNING,
- "trusted-keys entry for the root "
- "zone WILL FAIL after key "
- "rollover - use trust-anchors "
- "with initial-key "
- "or initial-ds instead.");
- }
-
- tflags |= taflags;
- }
- }
-
- /*
- * Check dnssec/managed-keys. (Only one or the other can be used.)
- */
- if ((view_mkeys != NULL || global_mkeys != NULL) &&
- (view_ta != NULL || global_ta != NULL))
- {
- keys = (view_mkeys != NULL) ? view_mkeys : global_mkeys;
-
- cfg_obj_log(keys, ISC_LOG_ERROR,
- "use of managed-keys is not allowed when "
- "trust-anchors is also in use");
- result = ISC_R_FAILURE;
- }
-
- if (view_ta == NULL && global_ta == NULL) {
- view_ta = view_mkeys;
- global_ta = global_mkeys;
- }
check_keys[0] = view_ta;
check_keys[1] = global_ta;
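Review bot: The removed loop carried the only `ROOT_KSK_STATIC` warning visible in this diff (`"trusted-keys entry for the root zone WILL FAIL after key rollover - use trust-anchors with initial-key or initial-ds instead."`), and the shell test that grepped for it is removed as well. A `static-key` root anchor in `trust-anchors` still reaches `check_trust_anchor` with `managed = false` (the static-key branch in that function's hunk), so presumably the same flag is set and the case now depends entirely on the trust-anchors loop that continues past the end of this hunk; please confirm that loop emits an equivalent warning, since a static root key accepted without comment today becomes a validation outage at the next root KSK rollover. The enclosing function starts and ends outside the hunk.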
element2 = cfg_list_next(element2))
{
obj = cfg_listelt_value(element2);
- tresult = check_trust_anchor(obj, true,
+ tresult = check_trust_anchor(obj,
&taflags);
if (tresult != ISC_R_SUCCESS) {
result = tresult;
}
}
- if ((tflags & ROOT_KSK_ANY) != 0 && (dflags & ROOT_KSK_ANY) != 0) {
- keys = (view_ta != NULL) ? view_ta : global_ta;
- cfg_obj_log(keys, ISC_LOG_WARNING,
- "both trusted-keys and trust-anchors "
- "for the root zone are present");
- }
-
if ((dflags & ROOT_KSK_ANY) == ROOT_KSK_ANY) {
keys = (view_ta != NULL) ? view_ta : global_ta;
cfg_obj_log(keys, ISC_LOG_WARNING,
if (!cfg_obj_isboolean(obj)) {
autovalidation = true;
} else if (cfg_obj_asboolean(obj)) {
- if (global_ta == NULL && view_ta == NULL &&
- global_tkeys == NULL && view_tkeys == NULL)
- {
+ if (global_ta == NULL && view_ta == NULL) {
cfg_obj_log(obj, ISC_LOG_ERROR,
"the 'dnssec-validation yes' "
"option requires configured "
}
}
- tresult = check_ta_conflicts(global_ta, view_ta, global_tkeys,
- view_tkeys, autovalidation, mctx);
+ tresult = check_ta_conflicts(global_ta, view_ta, autovalidation, mctx);
if (tresult != ISC_R_SUCCESS) {
result = tresult;
}
doc_maxduration, &cfg_rep_duration, maxduration_enums
};
-/*%
- * A dnssec key, as used in the "trusted-keys" statement.
- */
-static cfg_tuplefielddef_t dnsseckey_fields[] = {
- { "name", &cfg_type_astring, 0 },
- { "anchortype", &cfg_type_void, 0 },
- { "rdata1", &cfg_type_uint32, 0 },
- { "rdata2", &cfg_type_uint32, 0 },
- { "rdata3", &cfg_type_uint32, 0 },
- { "data", &cfg_type_qstring, 0 },
- { NULL, NULL, 0 }
-};
-static cfg_type_t cfg_type_dnsseckey = { "dnsseckey", cfg_parse_tuple,
- cfg_print_tuple, cfg_doc_tuple,
- &cfg_rep_tuple, dnsseckey_fields };
-
/*%
* Optional enums.
*
}
/*%
- * A key initialization specifier, as used in the
- * "trust-anchors" (or synonymous "managed-keys") statement.
+ * A key initialization specifier, as used in the "trust-anchors" statement.
*/
static const char *anchortype_enums[] = { "static-key", "initial-key",
"static-ds", "initial-ds", NULL };
&cfg_rep_list,
&cfg_type_astring };
-/*% A list of dnssec keys, as in "trusted-keys". Deprecated. */
-static cfg_type_t cfg_type_trustedkeys = { "trustedkeys",
- cfg_parse_bracketed_list,
- cfg_print_bracketed_list,
- cfg_doc_bracketed_list,
- &cfg_rep_list,
- &cfg_type_dnsseckey };
-
/*%
* A list of managed trust anchors. Each entry contains a name, a keyword
* ("static-key", initial-key", "static-ds" or "initial-ds"), and the
{ "dyndb", &cfg_type_dyndb, CFG_CLAUSEFLAG_MULTI },
{ "key", &cfg_type_key, CFG_CLAUSEFLAG_MULTI },
{ "managed-keys", &cfg_type_dnsseckeys,
- CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_DEPRECATED },
+ CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_ANCIENT },
{ "plugin", &cfg_type_plugin, CFG_CLAUSEFLAG_MULTI },
{ "server", &cfg_type_server, CFG_CLAUSEFLAG_MULTI },
{ "trust-anchors", &cfg_type_dnsseckeys, CFG_CLAUSEFLAG_MULTI },
- { "trusted-keys", &cfg_type_trustedkeys,
- CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_DEPRECATED },
+ { "trusted-keys", NULL, CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_ANCIENT },
{ "zone", &cfg_type_zone, CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_NODOC },
{ NULL, NULL, 0 }
};
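Review bot: The two retired clauses are declared inconsistently: `trusted-keys` gets a `NULL` type while `managed-keys` keeps `&cfg_type_dnsseckeys`, both with `CFG_CLAUSEFLAG_ANCIENT`, and `bindkeys_clauses` in the next hunk repeats the same pattern. If an ANCIENT clause is rejected before its body is parsed, the type is dead weight and `{ "managed-keys", NULL, CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_ANCIENT },` would match its sibling; if the parser does consult the type for an ANCIENT clause, the `NULL` on `trusted-keys` is the entry to look at. Either way a short comment on the pair, e.g. `/* Retired clauses: kept only so the parser can report them by name. */`, would make the intent explicit. Note also that, if ANCIENT means the clause is now an error rather than the deprecation warning the shell test used to grep for, any named.conf or bind.keys still carrying either clause stops loading, which is worth a release-note line.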
*/
static cfg_clausedef_t bindkeys_clauses[] = {
{ "managed-keys", &cfg_type_dnsseckeys,
- CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_DEPRECATED },
+ CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_ANCIENT },
{ "trust-anchors", &cfg_type_dnsseckeys, CFG_CLAUSEFLAG_MULTI },
- { "trusted-keys", &cfg_type_trustedkeys,
- CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_DEPRECATED },
+ { "trusted-keys", NULL, CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_ANCIENT },
{ NULL, NULL, 0 }
};
cfg_print_mapbody, cfg_doc_mapbody,
&cfg_rep_map, namedconf_clausesets };
-/*% The bind.keys syntax (trust-anchors/managed-keys/trusted-keys only). */
+/*% The bind.keys syntax (trust-anchors). */
static cfg_clausedef_t *bindkeys_clausesets[] = { bindkeys_clauses, NULL };
cfg_type_t cfg_type_bindkeys = { "bindkeys", cfg_parse_mapbody,
cfg_print_mapbody, cfg_doc_mapbody,