From: Evan Hunt
Date: Sat, 15 Mar 2025 05:41:12 +0000 (-0700)
Subject: Remove -p option from dnssec-keygen/keyfromlabel
X-Git-Tag: v9.21.7~25^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=57ee9817ce0b4417848c7ae36a8d6f7b1bc9fa1c;p=thirdparty%2Fbind9.git
Remove -p option from dnssec-keygen/keyfromlabel
The -p (protocol) option for all keys defaults to 3 (DNSSEC). There is currently no practical reason to use any other value; we can simplify things by removing the option.
---
diff --git a/bin/dnssec/dnssec-keyfromlabel.c b/bin/dnssec/dnssec-keyfromlabel.c
index 7b210f18cbe..e358eb98ff9 100644
--- a/bin/dnssec/dnssec-keyfromlabel.c
+++ b/bin/dnssec/dnssec-keyfromlabel.c
@@ -74,7 +74,6 @@ usage(void) {
 fprintf(stderr, " -L ttl: default key TTL\n");
 fprintf(stderr, " -M :: allowed Key ID range\n");
 fprintf(stderr, " (DNSKEY generation defaults to ZONE\n");
- fprintf(stderr, " -p protocol: default: 3 [dnssec]\n");
 fprintf(stderr, " -y: permit keys that might collide\n");
 fprintf(stderr, " -v verbose level\n");
 fprintf(stderr, " -V: print version information\n");
@@ -119,7 +118,6 @@ main(int argc, char **argv) {
 bool oldstyle = false;
 isc_mem_t *mctx = NULL;
 int ch;
- int protocol = -1;
 isc_result_t ret;
 isc_textregion_t r;
 char filename[255];
@@ -220,11 +218,7 @@ main(int argc, char **argv) {
 fatal("The -n option has been deprecated.");
 break;
 case 'p':
- protocol = strtol(isc_commandline_argument, &endp, 10);
- if (*endp != '\0' || protocol < 0 || protocol > 255) {
- fatal("-p must be followed by a number " "[0..255]");
- }
+ fatal("The -p option has been deprecated.");
 break;
 case 't':
 fatal("The -t option has been deprecated.");
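Review bot: The new `case 'p'` arm in the `@@ -220` hunk aborts with "has been deprecated" even for `-p 3`, which was the documented default and the only value the removed code accepted for DNSKEY generation, so invocations that spelled the default explicitly now fail hard while the wording suggests the option still works. Accepting the single legal value as a no-op keeps such scripts running and makes the message accurate: `case 'p': if (strcmp(isc_commandline_argument, "3") != 0) { fatal("The -p option has been removed; the protocol is always 3 (DNSSEC)."); } break;`. The same applies to the `case 'p'` arm in the dnssec-keygen.c `@@ -914` hunk. The usage text no longer lists `-p`, yet the arm is kept, so the getopt string presumably still accepts `p:` (not visible here); if `-p` was the only remaining user of `endp` in dnssec-keyfromlabel.c, that local is now unused — worth checking. `main`'s body continues outside the hunk.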
@@ -541,19 +535,11 @@ main(int argc, char **argv) {
 flags |= DNS_KEYOWNER_ENTITY; /* KEY: name type HOST */
 }
- if (protocol == -1) {
- protocol = DNS_KEYPROTO_DNSSEC;
- } else if ((options & DST_TYPE_KEY) == 0 &&
- protocol != DNS_KEYPROTO_DNSSEC)
- {
- fatal("invalid DNSKEY protocol: %d", protocol);
- }
-
 isc_buffer_init(&buf, filename, sizeof(filename) - 1);
 /* associate the key */
- ret = dst_key_fromlabel(name, alg, flags, protocol, rdclass, label,
- NULL, mctx, &key);
+ ret = dst_key_fromlabel(name, alg, flags, DNS_KEYPROTO_DNSSEC, rdclass,
+ label, NULL, mctx, &key);
 if (ret != ISC_R_SUCCESS) {
 char namestr[DNS_NAME_FORMATSIZE];
diff --git a/bin/dnssec/dnssec-keyfromlabel.rst b/bin/dnssec/dnssec-keyfromlabel.rst
index c956cf13ec2..64d0ec720d0 100644
--- a/bin/dnssec/dnssec-keyfromlabel.rst
+++ b/bin/dnssec/dnssec-keyfromlabel.rst
@@ -127,12 +127,6 @@ Options
 values for ``tag_min`` and ``tag_max`` are [0..65535]. The default allows all key tag values to be accepted.
-.. option:: -p protocol
-
- This option sets the protocol value for the key. The protocol is a number between
- 0 and 255. The default is 3 (DNSSEC). Other possible values for this
- argument are listed in :rfc:`2535` and its successors.
-
 .. option:: -S key
 This option generates a key as an explicit successor to an existing key. The name,
diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c
index ad91fce3126..74d5d4c53dd 100644
--- a/bin/dnssec/dnssec-keygen.c
+++ b/bin/dnssec/dnssec-keygen.c
@@ -82,7 +82,6 @@ struct keygen_ctx {
 const char *directory;
 dns_keystore_t *keystore;
 char *algname;
- int protocol;
 int size;
 uint16_t tag_min;
 uint16_t tag_max;
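Review bot: Hard-coding `DNS_KEYPROTO_DNSSEC` in the `dst_key_fromlabel` call also fixes the protocol field for `-T KEY` keys, which the removed check deliberately exempted from the "must be 3" rule, and nothing at the call site says why the constant is the only acceptable value; a why-comment above the call would help the next reader, e.g. `/* Protocol is always 3 (DNSSEC): any other value makes a DNSKEY invalid for validation (RFC 4034 section 2.1.2). */`. The two `dst_key_generate` calls in the dnssec-keygen.c `keygen()` hunk would benefit from the same comment. The removed `fatal("invalid DNSKEY protocol: %d", ...)` was the only user-facing diagnostic for this field, so a release-note or CHANGES entry for the removed option and the `-T KEY` behaviour change would be expected; none is in this diff, presumably handled separately. `main`'s body continues outside the hunk.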
@@ -172,7 +171,6 @@ usage(void) {
 fprintf(stderr, " -F: FIPS mode\n");
 fprintf(stderr, " -L : default key TTL\n");
 fprintf(stderr, " -M :: allowed Key ID range\n");
- fprintf(stderr, " -p : (default: 3 [dnssec])\n");
 fprintf(stderr, " -s : strength value this key signs DNS " "records with (default: 0)\n");
 fprintf(stderr, " -T : DNSKEY | KEY (default: DNSKEY; "
@@ -511,14 +509,6 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) {
 }
 }
- if (ctx->protocol == -1) {
- ctx->protocol = DNS_KEYPROTO_DNSSEC;
- } else if ((ctx->options & DST_TYPE_KEY) == 0 &&
- ctx->protocol != DNS_KEYPROTO_DNSSEC)
- {
- fatal("invalid DNSKEY protocol: %d", ctx->protocol);
- }
-
 switch (ctx->alg) {
 case DNS_KEYALG_RSASHA1:
 case DNS_KEYALG_NSEC3RSASHA1:
@@ -556,12 +546,12 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) {
 mctx, ctx->alg, ctx->size, flags, &key);
 } else if (!ctx->quiet && show_progress) {
 ret = dst_key_generate(name, ctx->alg, ctx->size, 0,
- flags, ctx->protocol,
+ flags, DNS_KEYPROTO_DNSSEC,
 ctx->rdclass, NULL, mctx, &key, &progress);
 } else {
 ret = dst_key_generate(name, ctx->alg, ctx->size, 0,
- flags, ctx->protocol,
+ flags, DNS_KEYPROTO_DNSSEC,
 ctx->rdclass, NULL, mctx, &key, NULL);
 }
@@ -792,7 +782,6 @@ main(int argc, char **argv) {
 keygen_ctx_t ctx = {
 .options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC,
 .prepub = -1,
- .protocol = -1,
 .size = -1,
 .now = isc_stdtime_now(),
 };
@@ -914,14 +903,7 @@ main(int argc, char **argv) {
 case 'm':
 break;
 case 'p':
- ctx.protocol = strtol(isc_commandline_argument, &endp,
- 10);
- if (*endp != '\0' || ctx.protocol < 0 ||
- ctx.protocol > 255)
- {
- fatal("-p must be followed by a number " "[0..255]");
- }
+ fatal("The -p option has been deprecated.");
 break;
 case 'q':
 ctx.quiet = true;
diff --git a/bin/dnssec/dnssec-keygen.rst b/bin/dnssec/dnssec-keygen.rst
index 5fda5613f67..e5618b2efd8 100644
--- a/bin/dnssec/dnssec-keygen.rst
+++ b/bin/dnssec/dnssec-keygen.rst
@@ -163,13 +163,6 @@ Options
 key tag values to be produced. This option is ignored when ``-k policy`` is specified.
-.. option:: -p protocol
-
- This option sets the protocol value for the generated key, for use with
- :option:`-T KEY <-T>`. The protocol is a number between 0 and 255. The default
- is 3 (DNSSEC). Other possible values for this argument are listed in
- :rfc:`2535` and its successors.
-
 .. option:: -q
 This option sets quiet mode, which suppresses unnecessary output, including progress