From: Matthijs Mekking
Date: Wed, 4 Dec 2019 10:06:40 +0000 (+0100)
Subject: Rename 'dnssec-keys' to 'trust-anchors'
X-Git-Tag: v9.15.7~37^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8c37d3d320d9fd752446e148feb19d478aa27a77;p=thirdparty%2Fbind9.git
Rename 'dnssec-keys' to 'trust-anchors'
---
diff --git a/CHANGES b/CHANGES
index 0e1a46cabf4..6a108ae3d19 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+5332. [func] Renamed "dnssec-keys" configuration statement
+ to the more descriptive "trust-anchors".
+
 5331. [func] Use compiler-provided mechanisms for thread local storage, and make the requirement for such mechanisms explicit in configure. [GL #1444]
diff --git a/README.md b/README.md
index 2fb6ca18d1e..3c72e033438 100644
--- a/README.md
+++ b/README.md
@@ -131,8 +131,8 @@ include:
 for zones, enabling automatic key regeneration and rollover.
 * New new network manager based on libuv.
 * Support for the new GeoIP2 geolocation API
-* Improved DNSSEC trust anchor configuration using `dnssec-keys`,
- permitting configuration of trust anchors in DS as well as
+* Improved DNSSEC trust anchor configuration using the `trust-anchors`
+ statement, permitting configuration of trust anchors in DS as well as
 DNSKEY format.
 * YAML output for `dig`, `mdig`, and `delv`.
diff --git a/bin/delv/delv.c b/bin/delv/delv.c
index 153165b1e0b..c8a75cda9c5 100644
--- a/bin/delv/delv.c
+++ b/bin/delv/delv.c
@@ -140,7 +140,7 @@ static dns_fixedname_t afn;
 static dns_name_t *anchor_name = NULL;
 /* Default bind.keys contents */
-static char anchortext[] = DNSSEC_KEYS;
+static char anchortext[] = TRUST_ANCHORS;
 /*
 * Static function prototypes
@@ -819,7 +819,7 @@ setup_dnsseckeys(dns_client_t *client) {
 cfg_parser_t *parser = NULL;
 const cfg_obj_t *trusted_keys = NULL;
 const cfg_obj_t *managed_keys = NULL;
- const cfg_obj_t *dnssec_keys = NULL;
+ const cfg_obj_t *trust_anchors = NULL;
 cfg_obj_t *bindkeys = NULL;
 const char *filename = anchorfile;
@@ -878,7 +878,7 @@ setup_dnsseckeys(dns_client_t *client) {
 INSIST(bindkeys != NULL);
 cfg_map_get(bindkeys, "trusted-keys", &trusted_keys);
 cfg_map_get(bindkeys, "managed-keys", &managed_keys);
- cfg_map_get(bindkeys, "dnssec-keys", &dnssec_keys);
+ cfg_map_get(bindkeys, "trust-anchors", &trust_anchors);
 if (trusted_keys != NULL) {
 CHECK(load_keys(trusted_keys, client));
@@ -886,8 +886,8 @@ setup_dnsseckeys(dns_client_t *client) {
 if (managed_keys != NULL) {
 CHECK(load_keys(managed_keys, client));
 }
- if (dnssec_keys != NULL) {
- CHECK(load_keys(dnssec_keys, client));
+ if (trust_anchors != NULL) {
+ CHECK(load_keys(trust_anchors, client));
 }
 result = ISC_R_SUCCESS;
diff --git a/bin/delv/delv.docbook b/bin/delv/delv.docbook
index 8d009b6780a..ecde9059682 100644
--- a/bin/delv/delv.docbook
+++ b/bin/delv/delv.docbook
@@ -215,7 +215,7 @@ Note: When reading the trust anchor file, - delv treats + delv treats and entries identically. That is, even if a key is configured with initial-key, indicating that it is
diff --git a/bin/named/config.c b/bin/named/config.c
index c16c4b231ce..e124a78970b 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -296,7 +296,7 @@ view \"_bind\" chaos {\n\
 # BEGIN DNSSEC KEYS\n"
 /* Imported from bind.keys.h: */
-DNSSEC_KEYS
+TRUST_ANCHORS
 "# END MANAGED KEYS\n\
 \n\
diff --git a/bin/named/named.conf.docbook b/bin/named/named.conf.docbook
index 8bdfd300752..e07c2b80498 100644
--- a/bin/named/named.conf.docbook
+++ b/bin/named/named.conf.docbook
@@ -110,15 +110,6 @@ dlz string { - DNSSEC-KEYS - -dnssec-keys { string ( static-key | - initial-key | static-ds | initial-ds ) - integer integer integer - quoted_string; ... }; - - - DYNDB dyndb string quoted_string {
@@ -156,7 +147,7 @@ logging { MANAGED-KEYS - Deprecated - see DNSSEC-KEYS. + Deprecated - see TRUST-ANCHORS. managed-keys { string ( static-key | initial-key | static-ds |
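Review bot: In the @@ -878 hunk the only statement name still looked up in the parsed bind.keys is `trust-anchors`, so a user-maintained bind.keys that still carries a `dnssec-keys` block contributes no anchors; whether such a file is rejected by the parser or accepted and silently ignored depends on the grammar change in lib/isccfg, which is not in this chunk. In the accepted-and-ignored case all three lookups leave their pointers NULL, no load_keys() call is made, and the function still reaches `result = ISC_R_SUCCESS;`, so delv would proceed with an empty trust store and validation is likely to fail without pointing at the cause. A guard after the lookups, `if (trusted_keys == NULL && managed_keys == NULL && trust_anchors == NULL) fprintf(stderr, "warning: no trust anchors found\n");`, would make that visible; the same lookup pattern recurs in configure_view_dnsseckeys() in bin/named/server.c. setup_dnsseckeys() begins and ends outside these hunks.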
@@ -527,8 +518,17 @@ statistics-channels { + TRUST-ANCHORS + +trust-anchors { string ( static-key | + initial-key | static-ds | initial-ds ) + integer integer integer + quoted_string; ... }; + + + TRUSTED-KEYS - Deprecated - see DNSSEC-KEYS. + Deprecated - see TRUST-ANCHORS. trusted-keys { string integer integer integer @@ -607,10 +607,6 @@ view string [ class ] { dnsrps-options { unspecified-text }; dnssec-accept-expired boolean; dnssec-dnskey-kskonly boolean; - dnssec-keys { string ( static-key | - initial-key | static-ds | initial-ds - ) integer integer integer - quoted_string; ... }; dnssec-loadkeys-interval integer; dnssec-must-be-secure string boolean; dnssec-secure-to-insecure boolean; @@ -801,6 +797,10 @@ view string [ class ] { transfer-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ] [ dscp integer ]; trust-anchor-telemetry boolean; // experimental + trust-anchors { string ( static-key | + initial-key | static-ds | initial-ds + ) integer integer integer + quoted_string; ... }; trusted-keys { string integer integer integer diff --git a/bin/named/server.c b/bin/named/server.c index 628ed0d28a9..549a6056f19 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -1012,7 +1012,7 @@ process_key(const cfg_obj_t *key, dns_keytable_t *secroots, } /* - * Add the key to 'secroots'. Keys from a "dnssec-keys" or + * Add the key to 'secroots'. Keys from a "trust-anchors" or * "managed-keys" statement may be either static or initializing * keys. If it's not initializing, we don't want to treat it as * managed, so we use 'initializing' twice here, for both the 
@@ -1124,9 +1124,9 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 const cfg_obj_t *view_keys = NULL;
 const cfg_obj_t *global_keys = NULL;
 const cfg_obj_t *view_managed_keys = NULL;
- const cfg_obj_t *view_dnssec_keys = NULL;
+ const cfg_obj_t *view_trust_anchors = NULL;
 const cfg_obj_t *global_managed_keys = NULL;
- const cfg_obj_t *global_dnssec_keys = NULL;
+ const cfg_obj_t *global_trust_anchors = NULL;
 const cfg_obj_t *maps[4];
 const cfg_obj_t *voptions = NULL;
 const cfg_obj_t *options = NULL;
@@ -1147,11 +1147,11 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 (void) cfg_map_get(voptions, "trusted-keys", &view_keys);
- /* managed-keys and dnssec-keys are synonyms. */
+ /* managed-keys and trust-anchors are synonyms. */
 (void) cfg_map_get(voptions, "managed-keys", &view_managed_keys);
- (void) cfg_map_get(voptions, "dnssec-keys",
- &view_dnssec_keys);
+ (void) cfg_map_get(voptions, "trust-anchors",
+ &view_trust_anchors);
 maps[i++] = voptions;
 }
@@ -1160,9 +1160,10 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 if (config != NULL) {
 (void)cfg_map_get(config, "trusted-keys", &global_keys);
- /* managed-keys and dnssec-keys are synonyms. */
+ /* managed-keys and trust-anchors are synonyms. */
 (void)cfg_map_get(config, "managed-keys", &global_managed_keys);
- (void)cfg_map_get(config, "dnssec-keys", &global_dnssec_keys);
+ (void)cfg_map_get(config, "trust-anchors",
+ &global_trust_anchors);
 (void)cfg_map_get(config, "options", &options);
 if (options != NULL) {
@@ -1194,7 +1195,7 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 /*
 * If bind.keys exists and is populated, it overrides
- * the dnssec-keys clause hard-coded in named_g_config.
+ * the trust-anchors clause hard-coded in named_g_config.
 */
 if (bindkeys != NULL) {
 isc_log_write(named_g_lctx, DNS_LOGCATEGORY_SECURITY,
@@ -1203,7 +1204,7 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 "from '%s'", view->name, named_g_server->bindkeysfile);
- (void)cfg_map_get(bindkeys, "dnssec-keys",
+ (void)cfg_map_get(bindkeys, "trust-anchors",
 &builtin_keys);
 if (builtin_keys == NULL) {
@@ -1223,7 +1224,7 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 "using built-in root key for view %s", view->name);
- (void)cfg_map_get(named_g_config, "dnssec-keys",
+ (void)cfg_map_get(named_g_config, "trust-anchors",
 &builtin_keys);
 }
@@ -1243,13 +1244,13 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 if (view->rdclass == dns_rdataclass_in) {
 CHECK(load_view_keys(view_keys, view, false, NULL, mctx));
- CHECK(load_view_keys(view_dnssec_keys, view, true, NULL,
+ CHECK(load_view_keys(view_trust_anchors, view, true, NULL,
 mctx));
 CHECK(load_view_keys(view_managed_keys, view, true, NULL, mctx));
 CHECK(load_view_keys(global_keys, view, false, NULL, mctx));
- CHECK(load_view_keys(global_dnssec_keys, view, true,
+ CHECK(load_view_keys(global_trust_anchors, view, true,
 NULL, mctx));
 CHECK(load_view_keys(global_managed_keys, view, true, NULL, mctx));
diff --git a/bin/rndc/rndc.docbook b/bin/rndc/rndc.docbook
index 83b7eb291ba..c290684969e 100644
--- a/bin/rndc/rndc.docbook
+++ b/bin/rndc/rndc.docbook
@@ -773,7 +773,7 @@ Dump the security roots (i.e., trust anchors - configured via dnssec-keys statements, or the + configured via trust-anchors statements, or the managed-keys or trusted-keys statements (both deprecated), or via dnssec-validation auto) and negative trust anchors for the specified views. If no view is specified, all
diff --git a/bin/tests/system/checkconf/bad-ds-key-1.conf b/bin/tests/system/checkconf/bad-ds-key-1.conf
index ffc9c56a1f6..c222c60abe8 100644
--- a/bin/tests/system/checkconf/bad-ds-key-1.conf
+++ b/bin/tests/system/checkconf/bad-ds-key-1.conf
@@ -9,7 +9,7 @@ * information regarding copyright ownership. */ -dnssec-keys { +trust-anchors { example. initial-ds 60724 5 1 "D74CF845955A0DFE604AF215E948E67D2EA94FF3"; example. initial-key 257 3 5 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbody0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQYfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuwE60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn6zqCkwuMmrU="; }; diff --git a/bin/tests/system/checkconf/bad-ds-key-2.conf b/bin/tests/system/checkconf/bad-ds-key-2.conf index bcaf4e1651f..87adbb9439c 100644 --- a/bin/tests/system/checkconf/bad-ds-key-2.conf +++ b/bin/tests/system/checkconf/bad-ds-key-2.conf @@ -9,7 +9,7 @@ * information regarding copyright ownership. */ -dnssec-keys { +trust-anchors { example. static-ds 60724 5 1 "D74CF845955A0DFE604AF215E948E67D2EA94FF3"; example. static-key 257 3 5 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbody0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQYfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuwE60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn6zqCkwuMmrU="; }; diff --git a/bin/tests/system/checkconf/bad-duplicate-key.conf b/bin/tests/system/checkconf/bad-duplicate-key.conf index 6fd31a7ebca..90e5c6bf0e2 100644 --- a/bin/tests/system/checkconf/bad-duplicate-key.conf +++ b/bin/tests/system/checkconf/bad-duplicate-key.conf @@ -13,7 +13,7 @@ options { dnssec-validation yes; }; -dnssec-keys { +trust-anchors { example. initial-key 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl 25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY 
@@ -23,7 +23,7 @@ dnssec-keys { NQyrszHhWUU="; }; -dnssec-keys { +trust-anchors { example. static-key 257 3 8 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbod y0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQ YfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX diff --git a/bin/tests/system/checkconf/bad-duplicate-root-key.conf b/bin/tests/system/checkconf/bad-duplicate-root-key.conf index 9517db941e3..e7039d623c7 100644 --- a/bin/tests/system/checkconf/bad-duplicate-root-key.conf +++ b/bin/tests/system/checkconf/bad-duplicate-root-key.conf @@ -13,7 +13,7 @@ options { dnssec-validation yes; }; -dnssec-keys { +trust-anchors { . initial-key 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl 25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY diff --git a/bin/tests/system/checkconf/bad-root-mixed-key.conf b/bin/tests/system/checkconf/bad-root-mixed-key.conf index ba3a02a3f0a..16e91bf5bec 100644 --- a/bin/tests/system/checkconf/bad-root-mixed-key.conf +++ b/bin/tests/system/checkconf/bad-root-mixed-key.conf @@ -9,7 +9,7 @@ * information regarding copyright ownership. */ -dnssec-keys { +trust-anchors { # This key (19036) is to be phased out starting in 2017. It will # remain in the root zone for some time after its successor key # has been added. It will remain this file until it is removed from diff --git a/bin/tests/system/checkconf/bad-static-initial-1.conf b/bin/tests/system/checkconf/bad-static-initial-1.conf index 406b12b8a16..a21495774ab 100644 --- a/bin/tests/system/checkconf/bad-static-initial-1.conf +++ b/bin/tests/system/checkconf/bad-static-initial-1.conf @@ -9,7 +9,7 @@ * information regarding copyright ownership. */ -dnssec-keys { +trust-anchors { example. initial-ds 60724 5 1 "D74CF845955A0DFE604AF215E948E67D2EA94FF3"; example. static-ds 60724 5 2 "29E79B9064EE1A11DF3BFF19581DDFED7952C22CC204ACE17B6007EB1437E9E6"; }; 
diff --git a/bin/tests/system/checkconf/bad-static-initial-2.conf b/bin/tests/system/checkconf/bad-static-initial-2.conf index a8805b56a0c..42ae4229259 100644 --- a/bin/tests/system/checkconf/bad-static-initial-2.conf +++ b/bin/tests/system/checkconf/bad-static-initial-2.conf @@ -9,7 +9,7 @@ * information regarding copyright ownership. */ -dnssec-keys { +trust-anchors { example. initial-ds 60724 5 1 "D74CF845955A0DFE604AF215E948E67D2EA94FF3"; example. static-key 257 3 5 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbody0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQYfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuwE60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn6zqCkwuMmrU="; }; diff --git a/bin/tests/system/checkconf/bad-static-initial-3.conf b/bin/tests/system/checkconf/bad-static-initial-3.conf index 53bdc2cf8e6..8e85f8fa42c 100644 --- a/bin/tests/system/checkconf/bad-static-initial-3.conf +++ b/bin/tests/system/checkconf/bad-static-initial-3.conf @@ -9,7 +9,7 @@ * information regarding copyright ownership. */ -dnssec-keys { +trust-anchors { example. static-ds 60724 5 1 "D74CF845955A0DFE604AF215E948E67D2EA94FF3"; example. initial-key 257 3 5 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbody0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQYfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuwE60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn6zqCkwuMmrU="; }; diff --git a/bin/tests/system/checkconf/bad-static-initial-4.conf b/bin/tests/system/checkconf/bad-static-initial-4.conf index bc2996236b5..d2c499cdf31 100644 --- a/bin/tests/system/checkconf/bad-static-initial-4.conf +++ b/bin/tests/system/checkconf/bad-static-initial-4.conf 
@@ -9,7 +9,7 @@ * information regarding copyright ownership. */ -dnssec-keys { +trust-anchors { example. initial-key 257 3 5 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafGtURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJYkYrFYGLzYAgl/JtMyVVYlBl9pqxQuAPKYPOuO1axaad/wLN3+wTy/hcJfpvJpqzXlDF9bI5RmpoX/7geZ06vpcYJEoT0xkkmPlEl0ZjEDrm/WIaSWG0/CEDpHcOXFz4OEczMVpY+lnuFfKybwF1WHFn2BwVEOS6cMM6ukIjINQyrszHhWUU="; example. static-key 257 3 5 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbody0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQYfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuwE60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn6zqCkwuMmrU="; }; diff --git a/bin/tests/system/checkconf/bad-validation-auto-key.conf b/bin/tests/system/checkconf/bad-validation-auto-key.conf index 3b7f94ccdc6..295b3933290 100644 --- a/bin/tests/system/checkconf/bad-validation-auto-key.conf +++ b/bin/tests/system/checkconf/bad-validation-auto-key.conf @@ -13,7 +13,7 @@ options { dnssec-validation auto; }; -dnssec-keys { +trust-anchors { . static-key 257 3 8 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbod y0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQ YfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX diff --git a/bin/tests/system/checkconf/check-mixed-keys.conf b/bin/tests/system/checkconf/check-mixed-keys.conf index 5cd5352b618..acdb67addca 100644 --- a/bin/tests/system/checkconf/check-mixed-keys.conf +++ b/bin/tests/system/checkconf/check-mixed-keys.conf @@ -9,7 +9,7 @@ * information regarding copyright ownership. */ -dnssec-keys { +trust-anchors { # This key (19036) is to be phased out starting in 2017. It will # remain in the root zone for some time after its successor key # has been added. It will remain this file until it is removed from 
diff --git a/bin/tests/system/checkconf/check-root-ksk-2010.conf b/bin/tests/system/checkconf/check-root-ksk-2010.conf index edd2b85804b..d499ca75442 100644 --- a/bin/tests/system/checkconf/check-root-ksk-2010.conf +++ b/bin/tests/system/checkconf/check-root-ksk-2010.conf @@ -9,7 +9,7 @@ * information regarding copyright ownership. */ -dnssec-keys { +trust-anchors { # This key (19036) is to be phased out starting in 2017. It will # remain in the root zone for some time after its successor key # has been added. It will remain this file until it is removed from diff --git a/bin/tests/system/checkconf/check-root-ksk-2017.conf b/bin/tests/system/checkconf/check-root-ksk-2017.conf index af363306468..2cdcc327b71 100644 --- a/bin/tests/system/checkconf/check-root-ksk-2017.conf +++ b/bin/tests/system/checkconf/check-root-ksk-2017.conf @@ -9,7 +9,7 @@ * information regarding copyright ownership. */ -dnssec-keys { +trust-anchors { # This key (20326) was published in the root zone in 2017. # Servers which were already using the old key (19036) should # roll seamlessly to this new one via RFC 5011 rollover. Servers diff --git a/bin/tests/system/checkconf/check-root-ksk-both.conf b/bin/tests/system/checkconf/check-root-ksk-both.conf index 755ef942790..408e832ce15 100644 --- a/bin/tests/system/checkconf/check-root-ksk-both.conf +++ b/bin/tests/system/checkconf/check-root-ksk-both.conf @@ -9,7 +9,7 @@ * information regarding copyright ownership. */ -dnssec-keys { +trust-anchors { # This key (19036) is to be phased out starting in 2017. It will # remain in the root zone for some time after its successor key # has been added. It will remain this file until it is removed from diff --git a/bin/tests/system/checkconf/check-root-static-ds.conf b/bin/tests/system/checkconf/check-root-static-ds.conf index 42af9ba801f..9f4f0552609 100644 --- a/bin/tests/system/checkconf/check-root-static-ds.conf +++ b/bin/tests/system/checkconf/check-root-static-ds.conf 
@@ -9,6 +9,6 @@ * information regarding copyright ownership. */ -dnssec-keys { +trust-anchors { . static-ds 20326 8 2 "E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D"; }; diff --git a/bin/tests/system/checkconf/check-root-static-key.conf b/bin/tests/system/checkconf/check-root-static-key.conf index e416944fe66..4f3bf5bdc72 100644 --- a/bin/tests/system/checkconf/check-root-static-key.conf +++ b/bin/tests/system/checkconf/check-root-static-key.conf @@ -9,7 +9,7 @@ * information regarding copyright ownership. */ -dnssec-keys { +trust-anchors { # This key (20326) was published in the root zone in 2017. # Servers which were already using the old key (19036) should # roll seamlessly to this new one via RFC 5011 rollover. Servers diff --git a/bin/tests/system/checkconf/good-dup-managed-key.conf b/bin/tests/system/checkconf/good-dup-managed-key.conf index 391b83c2bc4..ee738c70fb8 100644 --- a/bin/tests/system/checkconf/good-dup-managed-key.conf +++ b/bin/tests/system/checkconf/good-dup-managed-key.conf @@ -13,7 +13,7 @@ options { dnssec-validation yes; }; -dnssec-keys { +trust-anchors { example. initial-key 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl 25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY diff --git a/bin/tests/system/checkconf/good-initial-ds.conf b/bin/tests/system/checkconf/good-initial-ds.conf index 31939c26dd9..01c25a364c1 100644 --- a/bin/tests/system/checkconf/good-initial-ds.conf +++ b/bin/tests/system/checkconf/good-initial-ds.conf @@ -9,6 +9,6 @@ * information regarding copyright ownership. */ -dnssec-keys { +trust-anchors { example. initial-ds 60724 5 2 "29E79B9064EE1A11DF3BFF19581DDFED7952C22CC204ACE17B6007EB1437E9E6"; }; diff --git a/bin/tests/system/checkconf/good-static-ds.conf b/bin/tests/system/checkconf/good-static-ds.conf index fd5b393bfe5..dcb59d4ed1d 100644 --- a/bin/tests/system/checkconf/good-static-ds.conf 
+++ b/bin/tests/system/checkconf/good-static-ds.conf @@ -9,6 +9,6 @@ * information regarding copyright ownership. */ -dnssec-keys { +trust-anchors { example. static-ds 60724 5 2 "29E79B9064EE1A11DF3BFF19581DDFED7952C22CC204ACE17B6007EB1437E9E6"; }; diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh index a25753e1bf2..1ae5b93601e 100644 --- a/bin/tests/system/checkconf/tests.sh +++ b/bin/tests/system/checkconf/tests.sh @@ -458,7 +458,7 @@ if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi status=`expr $status + $ret` n=`expr $n + 1` -echo_i "check that using dnssec-keys and managed-keys generates an error ($n)" +echo_i "check that using trust-anchors and managed-keys generates an error ($n)" ret=0 $CHECKCONF check-mixed-keys.conf > checkconf.out$n 2>/dev/null && ret=1 grep "use of managed-keys is not allowed" checkconf.out$n > /dev/null || ret=1 diff --git a/bin/tests/system/conf.sh.common b/bin/tests/system/conf.sh.common index 6e4fafe5124..e3975ce9a2a 100644 --- a/bin/tests/system/conf.sh.common +++ b/bin/tests/system/conf.sh.common 
@@ -264,31 +264,31 @@ keyfile_to_dskeys() {
 }
 # keyfile_to_static_keys: convert key data contained in the keyfile(s)
-# provided to a *static-key* "dnssec-keys" section suitable for including in a
-# resolver's configuration file
+# provided to a *static-key* "trust-anchors" section suitable for including in
+# a resolver's configuration file
 keyfile_to_static_keys() {
- keyfile_to_keys "dnssec-keys" "static-key" $*
+ keyfile_to_keys "trust-anchors" "static-key" $*
 }
 # keyfile_to_initial_keys: convert key data contained in the keyfile(s)
-# provided to an *initial-key* "dnssec-keys" section suitable for including
+# provided to an *initial-key* "trust-anchors" section suitable for including
 # in a resolver's configuration file
 keyfile_to_initial_keys() {
- keyfile_to_keys "dnssec-keys" "initial-key" $*
+ keyfile_to_keys "trust-anchors" "initial-key" $*
 }
 # keyfile_to_static_ds_keys: convert key data contained in the keyfile(s)
-# provided to a *static-ds* "dnssec-keys" section suitable for including in a
+# provided to a *static-ds* "trust-anchors" section suitable for including in a
 # resolver's configuration file
 keyfile_to_static_ds() {
- keyfile_to_dskeys "dnssec-keys" "static-ds" $*
+ keyfile_to_dskeys "trust-anchors" "static-ds" $*
 }
 # keyfile_to_initial_ds_keys: convert key data contained in the keyfile(s)
-# provided to an *initial-ds* "dnssec-keys" section suitable for including
+# provided to an *initial-ds* "trust-anchors" section suitable for including
 # in a resolver's configuration file
 keyfile_to_initial_ds() {
- keyfile_to_dskeys "dnssec-keys" "initial-ds" $*
+ keyfile_to_dskeys "trust-anchors" "initial-ds" $*
 }
 # keyfile_to_key_id: convert a key file name to a key ID
diff --git a/bin/tests/system/legacy/ns1/trusted.conf b/bin/tests/system/legacy/ns1/trusted.conf
index e1abe9ad4b2..a51b6715e4d 100644
--- a/bin/tests/system/legacy/ns1/trusted.conf
+++ b/bin/tests/system/legacy/ns1/trusted.conf
@@ -1,3 +1,3 @@ -dnssec-keys { +trust-anchors { "edns512-notcp." static-key 257 3 10 "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"; }; diff --git a/bin/tests/system/mkeys/README b/bin/tests/system/mkeys/README index 7ae3f3c2f5d..6576cb4726b 100644 --- a/bin/tests/system/mkeys/README +++ b/bin/tests/system/mkeys/README @@ -11,7 +11,7 @@ ns2 is a validator that uses managed keys. "-T mkeytimers=2/20/40" is used so it will attempt do automated updates frequently. "-T tat=1" is used so it will send TAT queries once per second. -ns3 is a validator with a broken initializing key in dnssec-keys. +ns3 is a validator with a broken initializing key in trust-anchors. ns4 is a validator with a deliberately broken managed-keys.bind and managed-keys.jnl, causing RFC 5011 initialization to fail. diff --git a/bin/tests/system/mkeys/ns3/named.conf.in b/bin/tests/system/mkeys/ns3/named.conf.in index 914d1eb3de5..615b3d14b06 100644 --- a/bin/tests/system/mkeys/ns3/named.conf.in +++ b/bin/tests/system/mkeys/ns3/named.conf.in @@ -41,6 +41,6 @@ zone "." { }; # purposely broken key for testing -dnssec-keys { +trust-anchors { "." initial-key 257 3 5 "PURPOSELYBROKEN/xs9iVj7QekClcpzjCf0JrvXW1z07hNMqMm6Q2FtIXMbRgfvTtHF3/ZNvcewT9hpfczC+JACHsQSYYdr7UI8oe4nJfal9+2F3pz4a+HR6CqkgrR6WLWQI1Q=="; }; diff --git a/bin/tests/system/rpz/setup.sh b/bin/tests/system/rpz/setup.sh index f0949880a71..0763ed9ace0 100644 --- a/bin/tests/system/rpz/setup.sh +++ b/bin/tests/system/rpz/setup.sh 
@@ -86,7 +86,7 @@ signzone () {
 KEYNAME=`$KEYGEN -q -a rsasha256 -K $1 $2`
 cat $1/$3 $1/$KEYNAME.key > $1/tmp
 $SIGNER -P -K $1 -o $2 -f $1/$4 $1/tmp >/dev/null
- sed -n -e 's/\(.*\) IN DNSKEY \([0-9]\{1,\} [0-9]\{1,\} [0-9]\{1,\}\) \(.*\)/dnssec-keys {"\1" static-key \2 "\3";};/p' $1/$KEYNAME.key >>trusted.conf
+ sed -n -e 's/\(.*\) IN DNSKEY \([0-9]\{1,\} [0-9]\{1,\} [0-9]\{1,\}\) \(.*\)/trust-anchors {"\1" static-key \2 "\3";};/p' $1/$KEYNAME.key >>trusted.conf
 DSFILENAME=dsset-${2}${TP}
 rm $DSFILENAME $1/tmp
 }
diff --git a/bind.keys b/bind.keys
index e04e4c0567a..6d4217f1a6d 100644
--- a/bind.keys
+++ b/bind.keys
@@ -26,7 +26,7 @@
 # See https://data.iana.org/root-anchors/root-anchors.xml for current trust
 # anchor information for the root zone.
-dnssec-keys {
+trust-anchors {
 # This key (20326) was published in the root zone in 2017.
 . initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
diff --git a/bind.keys.h b/bind.keys.h
index 9fd13febe00..8e83c13fd05 100644
--- a/bind.keys.h
+++ b/bind.keys.h
@@ -1,6 +1,6 @@
 #ifndef BIND_KEYS_H
 #define BIND_KEYS_H 1
-#define DNSSEC_KEYS "\
+#define TRUST_ANCHORS "\
 # The bind.keys file is used to override the built-in DNSSEC trust anchors\n\
 # which are included as part of BIND 9. The only trust anchors it contains\n\
 # are for the DNS root zone (\".\"). Trust anchors for any other zones MUST\n\
@@ -29,7 +29,7 @@
 # See https://data.iana.org/root-anchors/root-anchors.xml for current trust\n\
 # anchor information for the root zone.\n\
 \n\
-dnssec-keys {\n\
+trust-anchors {\n\
 # This key (20326) was published in the root zone in 2017.\n\
 . initial-key 257 3 8 \"AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3\n\
 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv\n\
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index cb0de373a3c..f57a1dcd0a1 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -2212,7 +2212,7 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;}; yes, DNSSEC validation will only occur if at least one trust anchor has been explicitly configured in named.conf - using a dnssec-keys statement (or the + using a trust-anchors statement (or the managed-keys and trusted-keys statements, both deprecated). @@ -2227,7 +2227,7 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;}; - The keys specified in dnssec-keys + The keys specified in trust-anchors copies of DNSKEY RRs for zones that are used to form the first link in the cryptographic chain of trust. Keys configured with the keyword static-key or @@ -2241,7 +2241,7 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;}; - dnssec-keys is described in more detail + trust-anchors is described in more detail later in this document. @@ -2264,7 +2264,7 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;}; -dnssec-keys { +trust-anchors { /* Root Key */ "." initial-key 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwS JxrGkxJWoZu6I7PzJu/E9gx4UC1zGAHlXKdE4zYIpRh @@ -3202,7 +3202,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. - dnssec-keys + trust-anchors @@ -3223,9 +3223,9 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. - is identical to dnssec-keys; + is identical to trust-anchors; this option is deprecated in favor - of dnssec-keys with + of trust-anchors with the initial-key keyword, and may be removed in a future release. @@ -3239,7 +3239,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. defines permanent trusted DNSSEC keys; this option is deprecated in favor - of dnssec-keys with + of trust-anchors with the static-key keyword, and may be removed in a future release. 
@@ -4624,7 +4624,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] track managed DNSSEC keys (i.e., those configured using the initial-key or initial-ds keywords in a - dnssec-keys statement). By default, + trust-anchors statement). By default, this is the working directory. The directory must be writable by the effective user ID of the named process. @@ -5062,7 +5062,7 @@ options { as insecure. - Configured trust anchors in dnssec-keys + Configured trust anchors in trust-anchors (or managed-keys or trusted-keys, both deprecated) that match a disabled algorithm will be ignored and treated @@ -5100,7 +5100,7 @@ options { they are secure. If no, then normal DNSSEC validation applies allowing for insecure answers to be accepted. The specified domain must be defined as a - trust anchor, for instance in a dnssec-keys + trust anchor, for instance in a trust-anchors statement, or dnssec-validation auto must be active. @@ -6217,7 +6217,7 @@ options { Causes named to send specially-formed queries once per day to domains for which trust anchors have been configured via, e.g., - dnssec-keys or + trust-anchors or dnssec-validation auto. @@ -6432,7 +6432,7 @@ options { If set to yes, DNSSEC validation is enabled, but a trust anchor must be manually configured - using a dnssec-keys statement (or + using a trust-anchors statement (or the managed-keys or the trusted-keys statements, both deprecated). If there is no configured trust anchor, validation will @@ -10848,14 +10848,14 @@ example.com CNAME rpz-tcp-only. -
<command>dnssec-keys</command> Statement Grammar - +
<command>trust-anchors</command> Statement Grammar +
-
<command>dnssec-keys</command> Statement Definition + <section xml:id="trust-anchors"><info><title><command>trust-anchors</command> Statement Definition and Usage - The dnssec-keys statement defines DNSSEC + The trust-anchors statement defines DNSSEC trust anchors. DNSSEC is described in . @@ -10874,21 +10874,21 @@ example.com CNAME rpz-tcp-only. the validate-except option). - All keys listed in dnssec-keys, and + All keys listed in trust-anchors, and their corresponding zones, are deemed to exist regardless of what parent zones say. Only keys configured as trust anchors are used to validate the DNSKEY RRset for the corresponding name. The parent's DS RRset will not be used. - dnssec-keys may be set at the top level + trust-anchors may be set at the top level of named.conf or within a view. If it is set in both places, the configurations are additive: keys defined at the top level are inherited by all views, but keys defined in a view are only used within that view. - The dnssec-keys statement can contain + The trust-anchors statement can contain multiple trust anchor entries, each consisting of a domain name, followed by an "anchor type" keyword indicating the trust anchor's format, followed by the key or digest data. @@ -10928,7 +10928,7 @@ example.com CNAME rpz-tcp-only. static-ds would be unable to validate this zone any longer; it would reply with a SERVFAIL response code. This would continue until the resolver operator had - updated the dnssec-keys statement with + updated the trust-anchors statement with the new key. @@ -10964,7 +10964,7 @@ example.com CNAME rpz-tcp-only. initial-key or initial-ds configured in named.conf, it fetches the DNSKEY RRset directly from the zone apex, and validates it - using the trust anchor specified in dnssec-keys. + using the trust anchor specified in trust-anchors. If the DNSKEY RRset is validly signed by a key matching the trust anchor, then it is used as the basis for a new managed keys database. 
@@ -10973,10 +10973,10 @@ example.com CNAME rpz-tcp-only. From that point on, whenever named runs, it sees the initial-key or initial-ds listed in - dnssec-keys, checks to + trust-anchors, checks to make sure RFC 5011 key maintenance has already been initialized for the specified domain, and if so, it simply moves on. The - key specified in the dnssec-keys + key specified in the trust-anchors statement is not used to validate answers; it is superseded by the key or keys stored in the managed keys database. @@ -10985,7 +10985,7 @@ example.com CNAME rpz-tcp-only. The next time named runs after an initial-key or initial-ds trust anchor has been removed from the - dnssec-keys statement (or changed to + trust-anchors statement (or changed to a static-key or static-ds), the corresponding keys will be removed from the managed keys database, and RFC 5011 key maintenance will no longer be used @@ -11261,7 +11261,7 @@ example.com CNAME rpz-tcp-only. The managed-keys statement has been - deprecated in favor of + deprecated in favor of with the initial-key keyword.
@@ -11274,7 +11274,7 @@ example.com CNAME rpz-tcp-only. The trusted-keys statement has been - deprecated in favor of + deprecated in favor of with the static-key keyword.
@@ -11663,7 +11663,7 @@ view "external" { (KSK) for the zone must be configured as a trust anchor in named.conf: that is, a key for the zone must be specified in - dnssec-keys. In the case + trust-anchors. In the case of the root zone, you may also rely on the built-in root trust anchor, which is enabled when To configure a validating resolver to use RFC 5011 to maintain a trust anchor, configure the trust anchor using a - dnssec-keys statement and the + trust-anchors statement and the initial-key or initial-ds keyword. Information about this can be found in - . + .
Authoritative Server diff --git a/doc/arm/notes-9.15.7.xml b/doc/arm/notes-9.15.7.xml new file mode 100644 index 00000000000..a6ce57b9d33 --- /dev/null +++ b/doc/arm/notes-9.15.7.xml @@ -0,0 +1,33 @@ + + +
Notes for BIND 9.15.7 + +
Feature Changes + + + + The dnssec-keys configuration statement, + which was introduced in 9.15.1 and revised in 9.15.6, has now + been renamed to the more descriptive + trust-anchors. + + + (See the sections on + and + + for prior discussion of this feature.) + + + +
+ +
diff --git a/doc/arm/dnssec-keys.grammar.xml b/doc/arm/trust-anchors.grammar.xml similarity index 89% rename from doc/arm/dnssec-keys.grammar.xml rename to doc/arm/trust-anchors.grammar.xml index 6c602292b5c..d25fd5dd441 100644 --- a/doc/arm/dnssec-keys.grammar.xml +++ b/doc/arm/trust-anchors.grammar.xml @@ -12,7 +12,7 @@ -dnssec-keys { string ( static-key | +trust-anchors { string ( static-key | initial-key | static-ds | initial-ds ) integer integer integer quoted_string; ... }; diff --git a/doc/misc/Makefile.in b/doc/misc/Makefile.in index d6a0dcf1d92..be4371eda64 100644 --- a/doc/misc/Makefile.in +++ b/doc/misc/Makefile.in @@ -75,6 +75,6 @@ docbook: options ${PERL} docbook-grammars.pl options.active options > ${top_srcdir}/doc/arm/options.grammar.xml ${PERL} docbook-grammars.pl options.active server > ${top_srcdir}/doc/arm/server.grammar.xml ${PERL} docbook-grammars.pl options.active statistics-channels > ${top_srcdir}/doc/arm/statistics-channels.grammar.xml - ${PERL} docbook-grammars.pl options.active dnssec-keys > ${top_srcdir}/doc/arm/dnssec-keys.grammar.xml + ${PERL} docbook-grammars.pl options.active trust-anchors > ${top_srcdir}/doc/arm/trust-anchors.grammar.xml ${PERL} docbook-grammars.pl options.active managed-keys > ${top_srcdir}/doc/arm/managed-keys.grammar.xml ${PERL} docbook-grammars.pl options.active trusted-keys > ${top_srcdir}/doc/arm/trusted-keys.grammar.xml diff --git a/doc/misc/dnssec b/doc/misc/dnssec index 9fe13ebd452..b01122cb0ca 100644 --- a/doc/misc/dnssec +++ b/doc/misc/dnssec @@ -46,7 +46,7 @@ been implemented but should still be considered experimental. When acting as a caching name server, BIND9 is capable of performing basic DNSSEC validation of positive as well as nonexistence responses. -This functionality is enabled by including a "dnssec-keys" clause +This functionality is enabled by including a "trust-anchors" clause in the configuration file, containing the top-level zone key of the the DNSSEC tree. 
diff --git a/lib/bind9/check.c b/lib/bind9/check.c index 0dc28db3257..603ad4caeef 100644 --- a/lib/bind9/check.c +++ b/lib/bind9/check.c @@ -3655,7 +3655,7 @@ check_non_ds_keys(isc_symtab_t *symtab, const cfg_obj_t *keylist, * Check for conflicts between static and initialiizing keys. */ static isc_result_t -check_ta_conflicts(const cfg_obj_t *global_dkeys, const cfg_obj_t *view_dkeys, +check_ta_conflicts(const cfg_obj_t *global_ta, const cfg_obj_t *view_ta, const cfg_obj_t *global_tkeys, const cfg_obj_t *view_tkeys, bool autovalidation, isc_mem_t *mctx, isc_log_t *logctx) { @@ -3676,10 +3676,10 @@ check_ta_conflicts(const cfg_obj_t *global_dkeys, const cfg_obj_t *view_dkeys, /* * First we record all the static keys (i.e., old-style - * trusted-keys and dnssec-keys configured with "static-key"), + * trusted-keys and trust-anchors configured with "static-key"), * and all the DS-style trust anchors. */ - for (elt = cfg_list_first(global_dkeys); + for (elt = cfg_list_first(global_ta); elt != NULL; elt = cfg_list_next(elt)) { @@ -3696,7 +3696,7 @@ check_ta_conflicts(const cfg_obj_t *global_dkeys, const cfg_obj_t *view_dkeys, } } - for (elt = cfg_list_first(view_dkeys); + for (elt = cfg_list_first(view_ta); elt != NULL; elt = cfg_list_next(elt)) { @@ -3739,10 +3739,10 @@ check_ta_conflicts(const cfg_obj_t *global_dkeys, const cfg_obj_t *view_dkeys, /* * Next, ensure that there's no conflict between the - * static keys and the dnssec-keys configured with "initial-key", - * or between DS-style and DNSKEY-style dnssec-keys. + * static keys and the trust-anchors configured with "initial-key", + * or between DS-style and DNSKEY-style trust-anchors. */ - for (elt = cfg_list_first(global_dkeys); + for (elt = cfg_list_first(global_ta); elt != NULL; elt = cfg_list_next(elt)) { 
@@ -3758,7 +3758,7 @@ check_ta_conflicts(const cfg_obj_t *global_dkeys, const cfg_obj_t *view_dkeys, } } - for (elt = cfg_list_first(view_dkeys); + for (elt = cfg_list_first(view_ta); elt != NULL; elt = cfg_list_next(elt)) { @@ -3965,7 +3965,7 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions, const cfg_obj_t *zones = NULL; const cfg_obj_t *view_tkeys = NULL, *global_tkeys = NULL; const cfg_obj_t *view_mkeys = NULL, *global_mkeys = NULL; - const cfg_obj_t *view_dkeys = NULL, *global_dkeys = NULL; + const cfg_obj_t *view_ta = NULL, *global_ta = NULL; const cfg_obj_t *check_keys[2] = { NULL, NULL }; const cfg_obj_t *keys = NULL; #ifndef HAVE_DLOPEN @@ -4137,11 +4137,11 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions, */ if (voptions != NULL) { (void)cfg_map_get(voptions, "trusted-keys", &view_tkeys); - (void)cfg_map_get(voptions, "dnssec-keys", &view_dkeys); + (void)cfg_map_get(voptions, "trust-anchors", &view_ta); (void)cfg_map_get(voptions, "managed-keys", &view_mkeys); } (void)cfg_map_get(config, "trusted-keys", &global_tkeys); - (void)cfg_map_get(config, "dnssec-keys", &global_dkeys); + (void)cfg_map_get(config, "trust-anchors", &global_ta); (void)cfg_map_get(config, "managed-keys", &global_mkeys); /* @@ -4178,7 +4178,7 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions, ISC_LOG_WARNING, "trusted-keys entry for the root " "zone WILL FAIL after key " - "rollover - use dnssec-keys " + "rollover - use trust-anchors " "with initial-key " "or initial-ds instead."); } 
@@ -4191,24 +4191,24 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions, * Check dnssec/managed-keys. (Only one or the other can be used.) */ if ((view_mkeys != NULL || global_mkeys != NULL) && - (view_dkeys != NULL || global_dkeys != NULL)) + (view_ta != NULL || global_ta != NULL)) { keys = (view_mkeys != NULL) ? view_mkeys : global_mkeys; cfg_obj_log(keys, logctx, ISC_LOG_ERROR, "use of managed-keys is not allowed when " - "dnssec-keys is also in use"); + "trust-anchors is also in use"); result = ISC_R_FAILURE; } - if (view_dkeys == NULL && global_dkeys == NULL) { - view_dkeys = view_mkeys; - global_dkeys = global_mkeys; + if (view_ta == NULL && global_ta == NULL) { + view_ta = view_mkeys; + global_ta = global_mkeys; } - check_keys[0] = view_dkeys; - check_keys[1] = global_dkeys; + check_keys[0] = view_ta; + check_keys[1] = global_ta; for (i = 0; i < 2; i++) { if (check_keys[i] != NULL) { unsigned int flags = 0; @@ -4238,7 +4238,7 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions, ISC_LOG_WARNING, "static entry for the root " "zone WILL FAIL after key " - "rollover - use dnssec-keys " + "rollover - use trust-anchors " "with initial-key " "or initial-ds instead."); } @@ -4258,14 +4258,14 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions, } if ((tflags & ROOT_KSK_ANY) != 0 && (dflags & ROOT_KSK_ANY) != 0) { - keys = (view_dkeys != NULL) ? view_dkeys : global_dkeys; + keys = (view_ta != NULL) ? view_ta : global_ta; cfg_obj_log(keys, logctx, ISC_LOG_WARNING, - "both trusted-keys and dnssec-keys " + "both trusted-keys and trust-anchors " "for the root zone are present"); } if ((dflags & ROOT_KSK_ANY) == ROOT_KSK_ANY) { - keys = (view_dkeys != NULL) ? view_dkeys : global_dkeys; + keys = (view_ta != NULL) ? view_ta : global_ta; cfg_obj_log(keys, logctx, ISC_LOG_WARNING, "both initial and static entries for the " "root zone are present"); 
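Review bot: The comment that opens the @@ -4191 hunk still reads `* Check dnssec/managed-keys. (Only one or the other can be used.)` although the log message a few lines below it was updated to "trust-anchors"; it should become `* Check trust-anchors/managed-keys. (Only one or the other can be used.)`. The @@ -4258 hunk on the same line also shows `dflags`, which keeps the old d-prefix while `view_dkeys`/`global_dkeys` became `view_ta`/`global_ta`; its declaration is outside the hunk, so renaming it (for example to `taflags`) would be a follow-up touching the whole function. check_viewconf starts and ends outside these hunks.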
@@ -4282,7 +4282,7 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions, autovalidation = true; } - tresult = check_ta_conflicts(global_dkeys, view_dkeys, + tresult = check_ta_conflicts(global_ta, view_ta, global_tkeys, view_tkeys, autovalidation, mctx, logctx); if (tresult != ISC_R_SUCCESS) { diff --git a/lib/dns/zone.c b/lib/dns/zone.c index acee6d76785..58845ebdc8c 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -4300,10 +4300,10 @@ addifmissing(dns_keytable_t *keytable, dns_keynode_t *keynode, * statements with the set of trust anchors found in the managed-keys.bind * zone. If a domain is no longer named in managed-keys, delete all keys * from that domain from the key zone. If a domain is configured as an - * initial-key in dnssec-keys, but there are no references to it in the + * initial-key in trust-anchors, but there are no references to it in the * key zone, load the key zone with the initializing key(s) for that * domain and schedule a key refresh. If a domain is configured as - * an initial-ds in dnssec-keys, fetch the DNSKEY RRset, load the key + * an initial-ds in trust-anchors, fetch the DNSKEY RRset, load the key * zone with the matching key, and schedule a key refresh. */ static isc_result_t @@ -4335,7 +4335,7 @@ sync_keyzone(dns_zone_t *zone, dns_db_t *db) { /* * Walk the zone DB. If we find any keys whose names are no longer - * in dnssec-keys, or which have been changed from initial to static, + * in trust-anchors, or which have been changed from initial to static, * (meaning they are permanent and not RFC5011-maintained), delete * them from the zone. Otherwise call load_secroots(), which * loads keys into secroots as appropriate. diff --git a/lib/irs/dnsconf.c b/lib/irs/dnsconf.c index 1521c041b8f..1a3e8d19c17 100644 --- a/lib/irs/dnsconf.c +++ b/lib/irs/dnsconf.c 
@@ -198,7 +198,7 @@ configure_dnsseckeys(irs_dnsconf_t *conf, cfg_obj_t *cfgobj, } keys = NULL; - cfg_map_get(cfgobj, "dnssec-keys", &keys); + cfg_map_get(cfgobj, "trust-anchors", &keys); if (keys == NULL) { return (ISC_R_SUCCESS); } diff --git a/lib/irs/include/irs/dnsconf.h b/lib/irs/include/irs/dnsconf.h index 2922f753c16..a7df6c37bbe 100644 --- a/lib/irs/include/irs/dnsconf.h +++ b/lib/irs/include/irs/dnsconf.h @@ -23,9 +23,9 @@ * Notes: * This module is very experimental and the configuration syntax or library * interfaces may change in future versions. Currently, only static - * key configuration is supported; "trusted-keys" and "dnssec-keys"/ + * key configuration is supported; "trusted-keys" and "trust-anchors"/ * "managed-keys" statements will be parsed exactly as they are in - * named.conf, except that "dnssec-keys" and "managed-keys" entries will + * named.conf, except that "trust-anchors" and "managed-keys" entries will * be treated as if they were configured with "static-key", even if they * were actually configured with "initial-key". */ diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c index 8628cfdaa63..81e5a1f487e 100644 --- a/lib/isccfg/namedconf.c +++ b/lib/isccfg/namedconf.c @@ -459,7 +459,7 @@ static cfg_type_t cfg_type_dnsseckey = { /*% * A key initialization specifier, as used in the - * "dnssec-keys" (or synonymous "managed-keys") statement. + * "trust-anchors" (or synonymous "managed-keys") statement. */ static const char *anchortype_enums[] = { "static-key", "initial-key", "static-ds", "initial-ds", NULL 
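Review bot: configure_dnsseckeys now looks up only "trust-anchors" in this hunk, yet the dnsconf.h comment in the next hunk on this line says "managed-keys" entries are parsed as well; the function's body starts and ends outside the hunk, so it is worth confirming that the deprecated spelling is still read on a path not shown here, because a missed alias would leave this library's callers without anchors the operator believes are configured. If it is not, a second `cfg_map_get(cfgobj, "managed-keys", &keys);` lookup (or a loop over both names) is needed.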
@@ -1056,11 +1056,11 @@ namedconf_or_view_clauses[] = { { "dlz", &cfg_type_dlz, CFG_CLAUSEFLAG_MULTI }, { "dyndb", &cfg_type_dyndb, CFG_CLAUSEFLAG_MULTI }, { "key", &cfg_type_key, CFG_CLAUSEFLAG_MULTI }, - { "dnssec-keys", &cfg_type_dnsseckeys, CFG_CLAUSEFLAG_MULTI }, { "managed-keys", &cfg_type_dnsseckeys, CFG_CLAUSEFLAG_MULTI|CFG_CLAUSEFLAG_DEPRECATED }, { "plugin", &cfg_type_plugin, CFG_CLAUSEFLAG_MULTI }, { "server", &cfg_type_server, CFG_CLAUSEFLAG_MULTI }, + { "trust-anchors", &cfg_type_dnsseckeys, CFG_CLAUSEFLAG_MULTI }, { "trusted-keys", &cfg_type_trustedkeys, CFG_CLAUSEFLAG_MULTI|CFG_CLAUSEFLAG_DEPRECATED }, { "zone", &cfg_type_zone, CFG_CLAUSEFLAG_MULTI }, @@ -1072,9 +1072,9 @@ namedconf_or_view_clauses[] = { */ static cfg_clausedef_t bindkeys_clauses[] = { - { "dnssec-keys", &cfg_type_dnsseckeys, CFG_CLAUSEFLAG_MULTI }, { "managed-keys", &cfg_type_dnsseckeys, CFG_CLAUSEFLAG_MULTI|CFG_CLAUSEFLAG_DEPRECATED }, + { "trust-anchors", &cfg_type_dnsseckeys, CFG_CLAUSEFLAG_MULTI }, { "trusted-keys", &cfg_type_trustedkeys, CFG_CLAUSEFLAG_MULTI|CFG_CLAUSEFLAG_DEPRECATED }, { NULL, NULL, 0 } @@ -2389,7 +2389,7 @@ LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_namedconf = { &cfg_rep_map, namedconf_clausesets }; -/*% The bind.keys syntax (dnssec-keys/managed-keys/trusted-keys only). */ +/*% The bind.keys syntax (trust-anchors/managed-keys/trusted-keys only). */ static cfg_clausedef_t * bindkeys_clausesets[] = { bindkeys_clauses, diff --git a/util/bindkeys.pl b/util/bindkeys.pl index 2fd9219ee32..633b2d3d9f7 100755 --- a/util/bindkeys.pl +++ b/util/bindkeys.pl @@ -23,7 +23,7 @@ while (<>) { $lines .= $_ . "\n"; } -my $mkey = '#define DNSSEC_KEYS "\\' . "\n" . $lines . "\"\n"; +my $mkey = '#define TRUST_ANCHORS "\\' . "\n" . $lines . "\"\n"; print "#ifndef BIND_KEYS_H\n"; print "#define BIND_KEYS_H 1\n"; diff --git a/util/copyrights b/util/copyrights index 3e87c024f35..fa513a38d29 100644 --- a/util/copyrights +++ b/util/copyrights 
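Review bot: The `dnssec-keys` entry is deleted outright from namedconf_or_view_clauses, while the older `managed-keys` and `trusted-keys` spellings stay as CFG_CLAUSEFLAG_DEPRECATED aliases; the bindkeys_clauses hunk at @@ -1072 does the same. A named.conf or bind.keys written for 9.15.1-9.15.6 therefore presumably stops parsing at startup rather than being accepted with its anchors ignored, which is the safer failure mode but should be stated in the release note or CHANGES entry if it is intended. If a transition period is wanted instead, add `{ "dnssec-keys", &cfg_type_dnsseckeys, CFG_CLAUSEFLAG_MULTI|CFG_CLAUSEFLAG_DEPRECATED },` to both tables and treat it as a synonym of trust-anchors in the check.c co-use checks.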
@@ -1417,7 +1417,6 @@
 ./doc/arm/controls.grammar.xml SGML 2018,2019
 ./doc/arm/delegation-only.zoneopt.xml SGML 2018,2019
 ./doc/arm/dlz.xml SGML 2012,2013,2014,2015,2016,2018,2019
-./doc/arm/dnssec-keys.grammar.xml SGML 2019
 ./doc/arm/dnssec-policy.grammar.xml SGML 2019
 ./doc/arm/dnssec.xml SGML 2010,2011,2015,2016,2017,2018,2019
 ./doc/arm/dyndb.xml SGML 2015,2016,2018,2019
@@ -1478,6 +1477,7 @@
 ./doc/arm/notes-9.15.4.xml SGML 2019
 ./doc/arm/notes-9.15.5.xml SGML 2019
 ./doc/arm/notes-9.15.6.xml SGML 2019
+./doc/arm/notes-9.15.7.xml SGML 2019
 ./doc/arm/notes-download.xml SGML 2019
 ./doc/arm/notes-eol.xml SGML 2019
 ./doc/arm/notes-intro.xml SGML 2019
@@ -1502,6 +1502,7 @@
 ./doc/arm/static-stub.zoneopt.xml SGML 2018,2019
 ./doc/arm/statistics-channels.grammar.xml SGML 2018,2019
 ./doc/arm/stub.zoneopt.xml SGML 2018,2019
+./doc/arm/trust-anchors.grammar.xml SGML 2019
 ./doc/arm/trusted-keys.grammar.xml SGML 2018,2019
 ./doc/design/addressdb TXT.BRIEF 2000,2001,2004,2016,2018,2019
 ./doc/design/cds-child TXT.BRIEF 2015,2016,2018,2019