From: Evan Hunt
Date: Thu, 13 Mar 2025 19:20:55 +0000 (-0700)
Subject: Remove -t option from dnssec-keygen/keyfromlabel
X-Git-Tag: v9.21.7~25^2~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5b667fed0625e36c862560d17407c099f4f9ab83;p=thirdparty%2Fbind9.git

Remove -t option from dnssec-keygen/keyfromlabel

The key type flag (indicating whether a key is valid for authentication, confidentiality, or both) is essentially unused. By default, all DNSKEY and KEY records are valid for both uses. Non-authenticating DNSKEY records are undefined and meaningless, and validity checks for flags in KEY records are sporadic at best. We can simplify the parameters to dnssec-keygen by removing the -t option completely.
---
diff --git a/bin/dnssec/dnssec-keyfromlabel.c b/bin/dnssec/dnssec-keyfromlabel.c
index d0a5fe1c195..a3fa8078c22 100644
--- a/bin/dnssec/dnssec-keyfromlabel.c
+++ b/bin/dnssec/dnssec-keyfromlabel.c
@@ -77,9 +77,6 @@ usage(void) {
 "OTHER\n");
 fprintf(stderr, " (DNSKEY generation defaults to ZONE\n");
 fprintf(stderr, " -p protocol: default: 3 [dnssec]\n");
- fprintf(stderr, " -t type: "
- "AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF "
- "(default: AUTHCONF)\n");
 fprintf(stderr, " -y: permit keys that might collide\n");
 fprintf(stderr, " -v verbose level\n");
 fprintf(stderr, " -V: print version information\n");
@@ -111,7 +108,7 @@ usage(void) {
 int
 main(int argc, char **argv) {
 char *algname = NULL, *freeit = NULL;
- char *nametype = NULL, *type = NULL;
+ char *nametype = NULL;
 const char *directory = NULL;
 const char *predecessor = NULL;
 dst_key_t *prevkey = NULL;
@@ -233,7 +230,7 @@ main(int argc, char **argv) {
 }
 break;
 case 't':
- type = isc_commandline_argument;
+ fatal("The -t option has been deprecated.");
 break;
 case 'v':
 verbose = strtol(isc_commandline_argument, &endp, 0);
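Review bot: The added `fatal("The -t option has been deprecated.")` in the `case 't':` hunk reports the option as deprecated, but the commit removes it outright (the usage text and manual no longer list it), so an operator reading the message may expect it to still work in some form; a more accurate message is `fatal("The -t option has been removed; key type flags are no longer settable.");`. The identical message is added in dnssec-keygen.c's `case 't':` hunk (@@ -1007) and should be changed the same way. Previously `-t AUTHCONF` (the documented default) was accepted and had no effect, so existing scripts that pass it now abort instead of generating a key; if that hard failure is intended it is worth stating in the description, otherwise accepting AUTHCONF with a warning would preserve compatibility. The `break;` after `fatal()` is unreachable if fatal() is declared noreturn (its declaration is outside this hunk), and main() continues past the end of the hunk.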
@@ -416,21 +413,6 @@ main(int argc, char **argv) {
 }
 }
- if (type != NULL && (options & DST_TYPE_KEY) != 0) {
- if (strcasecmp(type, "NOAUTH") == 0) {
- flags |= DNS_KEYTYPE_NOAUTH;
- } else if (strcasecmp(type, "NOCONF") == 0) {
- flags |= DNS_KEYTYPE_NOCONF;
- } else if (strcasecmp(type, "NOAUTHCONF") == 0) {
- flags |= (DNS_KEYTYPE_NOAUTH |
- DNS_KEYTYPE_NOCONF);
- } else if (strcasecmp(type, "AUTHCONF") == 0) {
- /* nothing */
- } else {
- fatal("invalid type %s", type);
- }
- }
-
 if (!oldstyle && prepub > 0) {
 if (setpub && setact && (activate - prepub) < publish) {
 fatal("Activation and publication dates "
@@ -470,9 +452,6 @@ main(int argc, char **argv) {
 if (nametype != NULL) {
 fatal("-S and -n cannot be used together");
 }
- if (type != NULL) {
- fatal("-S and -t cannot be used together");
- }
 if (setpub || unsetpub) {
 fatal("-S and -P cannot be used together");
 }
diff --git a/bin/dnssec/dnssec-keyfromlabel.rst b/bin/dnssec/dnssec-keyfromlabel.rst
index 2805bc612e0..dbeb5f03664 100644
--- a/bin/dnssec/dnssec-keyfromlabel.rst
+++ b/bin/dnssec/dnssec-keyfromlabel.rst
@@ -21,7 +21,7 @@ dnssec-keyfromlabel - DNSSEC key generation tool
 Synopsis
 ~~~~~~~~
-:program:`dnssec-keyfromlabel` {**-l** label} [**-3**] [**-a** algorithm] [**-A** date/offset] [**-c** class] [**-D** date/offset] [**-D** sync date/offset] [**-f** flag] [**-G**] [**-I** date/offset] [**-i** interval] [**-k**] [**-K** directory] [**-L** ttl] [**-M** tag_min:tag_max] [**-n** nametype] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-R** date/offset] [**-S** key] [**-t** type] [**-v** level] [**-V**] [**-y**] {name}
+:program:`dnssec-keyfromlabel` {**-l** label} [**-3**] [**-a** algorithm] [**-A** date/offset] [**-c** class] [**-D** date/offset] [**-D** sync date/offset] [**-f** flag] [**-G**] [**-I** date/offset] [**-i** interval] [**-k**] [**-K** directory] [**-L** ttl] [**-M** tag_min:tag_max] [**-n** nametype] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-R** date/offset] [**-S** key] [**-v** level] [**-V**] [**-y**] {name}
 Description
 ~~~~~~~~~~~
@@ -150,13 +150,6 @@ Options
 set to the activation date minus the prepublication interval, which
 defaults to 30 days.
-.. option:: -t type
-
- This option indicates the type of the key. ``type`` must be one of AUTHCONF,
- NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH refers
- to the ability to authenticate data, and CONF to the ability to encrypt
- data.
-
 .. option:: -v level
 This option sets the debugging level.
diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c
index 973e9c13747..5515c65d382 100644
--- a/bin/dnssec/dnssec-keygen.c
+++ b/bin/dnssec/dnssec-keygen.c
@@ -83,7 +83,6 @@ struct keygen_ctx {
 dns_keystore_t *keystore;
 char *algname;
 char *nametype;
- char *type;
 int protocol;
 int size;
 uint16_t tag_min;
@@ -182,9 +181,6 @@ usage(void) {
 "records with (default: 0)\n");
 fprintf(stderr, " -T : DNSKEY | KEY (default: DNSKEY; "
 "use KEY for SIG(0))\n");
- fprintf(stderr, " -t : "
- "AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF "
- "(default: AUTHCONF)\n");
 fprintf(stderr, " -h: print usage and exit\n");
 fprintf(stderr, " -m :\n");
 fprintf(stderr, " usage | trace | record\n");
@@ -314,24 +310,6 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) {
 }
 }
- if (ctx->type != NULL && (ctx->options & DST_TYPE_KEY) != 0) {
- if (strcasecmp(ctx->type, "NOAUTH") == 0) {
- flags |= DNS_KEYTYPE_NOAUTH;
- } else if (strcasecmp(ctx->type, "NOCONF") == 0) {
- flags |= DNS_KEYTYPE_NOCONF;
- } else if (strcasecmp(ctx->type, "NOAUTHCONF") == 0) {
- flags |= (DNS_KEYTYPE_NOAUTH |
- DNS_KEYTYPE_NOCONF);
- if (ctx->size < 0) {
- ctx->size = 0;
- }
- } else if (strcasecmp(ctx->type, "AUTHCONF") == 0) {
- /* nothing */
- } else {
- fatal("invalid type %s", ctx->type);
- }
- }
-
 if (ctx->size < 0) {
 switch (ctx->alg) {
 case DST_ALG_RSASHA1:
@@ -406,9 +384,6 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) {
 if (ctx->nametype != NULL) {
 fatal("-S and -n cannot be used together");
 }
- if (ctx->type != NULL) {
- fatal("-S and -t cannot be used together");
- }
 if (ctx->setpub || ctx->unsetpub) {
 fatal("-S and -P cannot be used together");
 }
@@ -566,12 +541,6 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) {
 fatal("invalid DNSKEY protocol: %d", ctx->protocol);
 }
- if ((flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY) {
- if (ctx->size > 0) {
- fatal("specified null key with non-zero size");
- }
- }
-
 switch (ctx->alg) {
 case DNS_KEYALG_RSASHA1:
 case DNS_KEYALG_NSEC3RSASHA1:
@@ -997,8 +966,7 @@ main(int argc, char **argv) {
 if (strcasecmp(isc_commandline_argument, "KEY") == 0) {
 ctx.options |= DST_TYPE_KEY;
 } else if (strcasecmp(isc_commandline_argument,
- "DNSKE"
- "Y") == 0)
+ "DNSKEY") == 0)
 {
 /* default behavior */
 } else {
@@ -1007,7 +975,7 @@ main(int argc, char **argv) {
 }
 break;
 case 't':
- ctx.type = isc_commandline_argument;
+ fatal("The -t option has been deprecated.");
 break;
 case 'v':
 endp = NULL;
diff --git a/bin/dnssec/dnssec-keygen.rst b/bin/dnssec/dnssec-keygen.rst
index ff73377ecb0..097ac2a2d3c 100644
--- a/bin/dnssec/dnssec-keygen.rst
+++ b/bin/dnssec/dnssec-keygen.rst
@@ -21,7 +21,7 @@ dnssec-keygen: DNSSEC key generation tool
 Synopsis
 ~~~~~~~~
-:program:`dnssec-keygen` [**-3**] [**-A** date/offset] [**-a** algorithm] [**-b** keysize] [**-C**] [**-c** class] [**-D** date/offset] [**-d** bits] [**-D** sync date/offset] [**-f** flag] [**-F**] [**-G**] [**-h**] [**-I** date/offset] [**-i** interval] [**-K** directory] [**-k** policy] [**-L** ttl] [**-l** file] [**-M** tag_min:tag_max] [**-n** nametype] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-q**] [**-R** date/offset] [**-S** key] [**-s** strength] [**-T** rrtype] [**-t** type] [**-V**] [**-v** level] {name}
+:program:`dnssec-keygen` [**-3**] [**-A** date/offset] [**-a** algorithm] [**-b** keysize] [**-C**] [**-c** class] [**-D** date/offset] [**-d** bits] [**-D** sync date/offset] [**-f** flag] [**-F**] [**-G**] [**-h**] [**-I** date/offset] [**-i** interval] [**-K** directory] [**-k** policy] [**-L** ttl] [**-l** file] [**-M** tag_min:tag_max] [**-n** nametype] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-q**] [**-R** date/offset] [**-S** key] [**-s** strength] [**-T** rrtype] [**-V**] [**-v** level] {name}
 Description
 ~~~~~~~~~~~
@@ -210,13 +210,6 @@ Options
 DNSSEC algorithm, but it can be overridden to KEY for use with SIG(0).
-.. option:: -t type
-
- This option indicates the type of the key for use with :option:`-T KEY <-T>`. ``type``
- must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
- is AUTHCONF. AUTH refers to the ability to authenticate data, and
- CONF to the ability to encrypt data.
-
 .. option:: -V
 This option prints version information.