From: Evan Hunt Date: Sat, 15 Mar 2025 19:07:42 +0000 (-0700) Subject: Remove -d option from dnssec-keygen X-Git-Tag: v9.21.7~25^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=529bdd10288e4f780e66e6a075b27fe5c203c765;p=thirdparty%2Fbind9.git Remove -d option from dnssec-keygen The -d (digestbits) option was only applicable to HMAC keys, which are no longer created by dnssec-keygen. The option can be removed. --- diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c index 75819f270b9..c134a4c8817 100644 --- a/bin/dnssec/dnssec-keygen.c +++ b/bin/dnssec/dnssec-keygen.c @@ -87,7 +87,6 @@ struct keygen_ctx { uint16_t tag_max; dns_rdataclass_t rdclass; int options; - int dbits; dns_ttl_t ttl; bool wantzsk; bool wantksk; @@ -563,8 +562,6 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) { algstr, isc_result_totext(ret)); } - dst_key_setbits(key, ctx->dbits); - /* * Set key timing metadata (unless using -C) * @@ -838,10 +835,7 @@ main(int argc, char **argv) { classname = isc_commandline_argument; break; case 'd': - ctx.dbits = strtol(isc_commandline_argument, &endp, 10); - if (*endp != '\0' || ctx.dbits < 0) { - fatal("-d requires a non-negative number"); - } + fatal("The -d option has been deprecated."); break; case 'E': fatal("%s", isc_result_totext(DST_R_NOENGINE)); diff --git a/bin/dnssec/dnssec-keygen.rst b/bin/dnssec/dnssec-keygen.rst index 3f14007f779..ef12dbb134e 100644 --- a/bin/dnssec/dnssec-keygen.rst +++ b/bin/dnssec/dnssec-keygen.rst 
@@ -21,7 +21,7 @@ dnssec-keygen: DNSSEC key generation tool Synopsis ~~~~~~~~ -:program:`dnssec-keygen` [**-3**] [**-A** date/offset] [**-a** algorithm] [**-b** keysize] [**-C**] [**-c** class] [**-D** date/offset] [**-d** bits] [**-D** sync date/offset] [**-f** flag] [**-F**] [**-G**] [**-h**] [**-I** date/offset] [**-i** interval] [**-K** directory] [**-k** policy] [**-L** ttl] [**-l** file] [**-M** tag_min:tag_max] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-q**] [**-R** date/offset] [**-S** key] [**-s** strength] [**-T** rrtype] [**-V**] [**-v** level] {name} +:program:`dnssec-keygen` [**-3**] [**-A** date/offset] [**-a** algorithm] [**-b** keysize] [**-C**] [**-c** class] [**-D** date/offset] [**-D** sync date/offset] [**-f** flag] [**-F**] [**-G**] [**-h**] [**-I** date/offset] [**-i** interval] [**-K** directory] [**-k** policy] [**-L** ttl] [**-l** file] [**-M** tag_min:tag_max] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-q**] [**-R** date/offset] [**-S** key] [**-s** strength] [**-T** rrtype] [**-V**] [**-v** level] {name} Description ~~~~~~~~~~~ @@ -87,13 +87,6 @@ Options This option indicates that the DNS record containing the key should have the specified class. If not specified, class IN is used. -.. option:: -d bits - - This option specifies the key size in bits. For the algorithms RSASHA1, NSEC3RSASA1, RSASHA256, and - RSASHA512 the key size must be between 1024 and 4096 bits; DH size is between 128 - and 4096 bits. This option is ignored for algorithms ECDSAP256SHA256, - ECDSAP384SHA384, ED25519, and ED448. - .. option:: -f flag This option sets the specified flag in the flag field of the KEY/DNSKEY record.
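
Review bot: In the main() hunk of bin/dnssec/dnssec-keygen.c, the new case 'd' message says the option "has been deprecated", but the branch calls fatal(), so -d is rejected outright rather than accepted with a warning, and the commit subject itself says "Remove". Wording such as "The -d option has been removed." or "is no longer supported" would tell operators whose scripts still pass -d that the flag must be dropped, not merely phased out. The deleted strtol() call was the user of endp in this branch, so it is also worth confirming that endp is still used by another case and does not become an unused variable.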
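
Review bot: In the Options hunk of bin/dnssec/dnssec-keygen.rst, the -d entry is deleted entirely while the binary still recognises -d and exits with a fatal error, so someone who hits that error finds no mention of the option in the manual. Consider keeping a one-line entry stating that -d is obsolete and now rejected, or adding a release note; the visible diff touches only dnssec-keygen.c and dnssec-keygen.rst. The deleted text also described -d as the key size for RSA and DH keys, while the commit message describes it as digest bits for HMAC keys, so the commit message could mention that the old documentation was inaccurate.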