Remove -s option from dnssec-keygen

The -s option (previously incorrectly documented as "strength")
actually set the signatory flags for KEY fields, which are unused.
The option is not needed.

diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c
index 74d5d4c53ddf5ebb8775481ab96901e09a9ba937..75819f270b9d833dfc08e5c3421f8f6543f4dafd 100644 (file)
--- a/bin/dnssec/dnssec-keygen.c
+++ b/bin/dnssec/dnssec-keygen.c
@@ -85,7 +85,6 @@ struct keygen_ctx {
        int size;
        uint16_t tag_min;
        uint16_t tag_max;
-       int signatory;
        dns_rdataclass_t rdclass;
        int options;
        int dbits;
@@ -171,8 +170,6 @@ usage(void) {
        fprintf(stderr, "    -F: FIPS mode\n");
        fprintf(stderr, "    -L <ttl>: default key TTL\n");
        fprintf(stderr, "    -M <min>:<max>: allowed Key ID range\n");
-       fprintf(stderr, "    -s <strength>: strength value this key signs DNS "
-                       "records with (default: 0)\n");
        fprintf(stderr, "    -T <rrtype>: DNSKEY | KEY (default: DNSKEY; "
                        "use KEY for SIG(0))\n");
        fprintf(stderr, "    -h: print usage and exit\n");
@@ -498,9 +495,7 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) {
                ctx->directory = ".";
        }
 
-       if ((ctx->options & DST_TYPE_KEY) != 0) { /* KEY */
-               flags |= ctx->signatory;
-       } else if ((flags & DNS_KEYOWNER_ZONE) != 0) { /* DNSKEY */
+       if ((flags & DNS_KEYOWNER_ZONE) != 0) { /* DNSKEY */
                if (ctx->ksk || ctx->wantksk) {
                        flags |= DNS_KEYFLAG_KSK;
                }
@@ -913,14 +908,7 @@ main(int argc, char **argv) {
                              "System random data is always used.\n");
                        break;
                case 's':
-                       ctx.signatory = strtol(isc_commandline_argument, &endp,
-                                              10);
-                       if (*endp != '\0' || ctx.signatory < 0 ||
-                           ctx.signatory > 15)
-                       {
-                               fatal("-s must be followed by a number "
-                                     "[0..15]");
-                       }
+                       fatal("The -s option has been deprecated.");
                        break;
                case 'T':
                        if (strcasecmp(isc_commandline_argument, "KEY") == 0) {

diff --git a/bin/dnssec/dnssec-keygen.rst b/bin/dnssec/dnssec-keygen.rst
index e5618b2efd8988de07a6f9aebc41e0cde15298ff..3f14007f77947f5bc6e699b34092861dc8dcd63f 100644 (file)
--- a/bin/dnssec/dnssec-keygen.rst
+++ b/bin/dnssec/dnssec-keygen.rst
@@ -183,11 +183,6 @@ Options
    set to the activation date minus the prepublication interval,
    which defaults to 30 days.
 
-.. option:: -s strength
-
-   This option specifies the strength value of the key. The strength is a number
-   between 0 and 15, and currently has no defined purpose in DNSSEC.
-
 .. option:: -T rrtype
 
    This option specifies the resource record type to use for the key. ``rrtype``