2799. [cleanup] Changed the "secure-to-insecure" option to
authorEvan Hunt <each@isc.org>
Thu, 3 Dec 2009 23:18:17 +0000 (23:18 +0000)
committerEvan Hunt <each@isc.org>
Thu, 3 Dec 2009 23:18:17 +0000 (23:18 +0000)
"dnssec-secure-to-insecure", and "dnskey-ksk-only"
to "dnssec-dnskey-kskonly", for clarity. [RT #20586]

CHANGES
NSEC3-NOTES
bin/dnssec/dnssec-signzone.docbook
bin/named/config.c
bin/named/named.conf.docbook
bin/named/update.c
bin/named/zoneconf.c
doc/arm/Bv9ARM-book.xml
lib/bind9/check.c
lib/dns/include/dns/zone.h
lib/isccfg/namedconf.c

diff --git a/CHANGES b/CHANGES
index d724a51e78e5f98aeecd0705764638cbb033c07d..d3549c72ff5b487656446d8c6f5e9bf917e40f00 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+2799.  [cleanup]       Changed the "secure-to-insecure" option to
+                       "dnssec-secure-to-insecure", and "dnskey-ksk-only"
+                       to "dnssec-dnskey-kskonly", for clarity. [RT #20586]
+
 2798.  [bug]           Addressed bugs in managed-keys initialization 
                        and rollover. [RT #20683]
 
index 73a8cca4e46e27a10e5306719d2b17c3894df1ea..8b23ed42e152089f687b6b062709e4c159acd418 100644 (file)
@@ -129,7 +129,7 @@ NSEC chain will be generated before the NSEC3 chain is removed.
 To do this remove all the DNSKEY records.  Any NSEC or NSEC3 chains
 will be removed as well as associated NSEC3PARAM records.  This will
 take place after the update requests completes.  This requires
-secure-to-insecure to be set in named.conf.
+dnssec-secure-to-insecure to be set in named.conf.
 
                Periodic re-signing.
 
index 7148c7d83123146a717b2e858dbf4ae55ca84d04..128ebe96341bf8f5ff6e1c8c37ceb2a2fa829e86 100644 (file)
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: dnssec-signzone.docbook,v 1.43 2009/11/03 21:44:46 each Exp $ -->
+<!-- $Id: dnssec-signzone.docbook,v 1.44 2009/12/03 23:18:16 each Exp $ -->
 <refentry id="man.dnssec-signzone">
   <refentryinfo>
     <date>June 05, 2009</date>
           <para>
             Only sign the DNSKEY RRset with key-signing keys, and omit
             signatures from zone-signing keys.  (This is similar to the
-            <command>dnskey-ksk-only yes;</command> zone option in
+            <command>dnssec-dnskey-kskonly yes;</command> zone option in
             <command>named</command>.)
           </para>
         </listitem>
index 4623482998c1e4402052c0d6c973974ba67dcc63..70b4a2fca3daeb25b1338e70904ff5c1d004cdd7 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: config.c,v 1.104 2009/10/26 23:14:53 each Exp $ */
+/* $Id: config.c,v 1.105 2009/12/03 23:18:16 each Exp $ */
 
 /*! \file */
 
@@ -189,7 +189,7 @@ options {\n\
        max-refresh-time 2419200; /* 4 weeks */\n\
        min-refresh-time 300;\n\
        multi-master no;\n\
-       secure-to-insecure no;\n\
+       dnssec-secure-to-insecure no;\n\
        sig-validity-interval 30; /* days */\n\
        sig-signing-nodes 100;\n\
        sig-signing-signatures 10;\n\
@@ -204,7 +204,7 @@ options {\n\
        check-srv-cname warn;\n\
        zero-no-soa-ttl yes;\n\
        update-check-ksk yes;\n\
-       dnskey-ksk-only no;\n\
+       dnssec-dnskey-kskonly no;\n\
        try-tcp-refresh yes; /* BIND 8 compat */\n\
 };\n\
 "
index c81cab983875a723161b8c4bfd08537231b71859..359deebfff4e47a9dc0d64c1df5062cdfd58623d 100644 (file)
@@ -17,7 +17,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: named.conf.docbook,v 1.43 2009/10/16 02:59:41 each Exp $ -->
+<!-- $Id: named.conf.docbook,v 1.44 2009/12/03 23:18:16 each Exp $ -->
 <refentry>
   <refentryinfo>
     <date>Aug 13, 2004</date>
@@ -302,7 +302,7 @@ options {
        allow-update { <replaceable>address_match_element</replaceable>; ... };
        allow-update-forwarding { <replaceable>address_match_element</replaceable>; ... };
        update-check-ksk <replaceable>boolean</replaceable>;
-       dnskey-ksk-only <replaceable>boolean</replaceable>;
+       dnssec-dnskey-kskonly <replaceable>boolean</replaceable>;
 
        masterfile-format ( text | raw );
        notify <replaceable>notifytype</replaceable>;
@@ -353,7 +353,7 @@ options {
        try-tcp-refresh <replaceable>boolean</replaceable>;
        zero-no-soa-ttl <replaceable>boolean</replaceable>;
        zero-no-soa-ttl-cache <replaceable>boolean</replaceable>;
-       secure-to-insecure <replaceable>boolean</replaceable>;
+       dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
        deny-answer-addresses {
                <replaceable>address_match_list</replaceable>
        } <optional> except-from { <replaceable>namelist</replaceable> } </optional>;
@@ -476,7 +476,7 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
        allow-update { <replaceable>address_match_element</replaceable>; ... };
        allow-update-forwarding { <replaceable>address_match_element</replaceable>; ... };
        update-check-ksk <replaceable>boolean</replaceable>;
-       dnskey-ksk-only <replaceable>boolean</replaceable>;
+       dnssec-dnskey-kskonly <replaceable>boolean</replaceable>;
 
        masterfile-format ( text | raw );
        notify <replaceable>notifytype</replaceable>;
@@ -521,7 +521,7 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
        key-directory <replaceable>quoted_string</replaceable>;
        zero-no-soa-ttl <replaceable>boolean</replaceable>;
        zero-no-soa-ttl-cache <replaceable>boolean</replaceable>;
-       secure-to-insecure <replaceable>boolean</replaceable>;
+       dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
 
        allow-v6-synthesis { <replaceable>address_match_element</replaceable>; ... }; // obsolete
        fetch-glue <replaceable>boolean</replaceable>; // obsolete
@@ -556,7 +556,7 @@ zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
        ixfr-from-differences <replaceable>boolean</replaceable>;
        journal <replaceable>quoted_string</replaceable>;
        zero-no-soa-ttl <replaceable>boolean</replaceable>;
-       secure-to-insecure <replaceable>boolean</replaceable>;
+       dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
 
        allow-query { <replaceable>address_match_element</replaceable>; ... };
        allow-query-on { <replaceable>address_match_element</replaceable>; ... };
@@ -572,7 +572,7 @@ zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
                <optional>...</optional>
        }</replaceable>;
        update-check-ksk <replaceable>boolean</replaceable>;
-       dnskey-ksk-only <replaceable>boolean</replaceable>;
+       dnssec-dnskey-kskonly <replaceable>boolean</replaceable>;
 
        masterfile-format ( text | raw );
        notify <replaceable>notifytype</replaceable>;
index 68afe207c4799eee55d10d7102c7bb2b7970d42a..02fe721e61a5f94436cda22f6ce20888cf3b3de8 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: update.c,v 1.171 2009/11/24 03:42:32 each Exp $ */
+/* $Id: update.c,v 1.172 2009/12/03 23:18:16 each Exp $ */
 
 #include <config.h>
 
@@ -4122,8 +4122,9 @@ update_action(isc_task_t *task, isc_event_t *event) {
                                           &had_dnskey));
                        if (had_dnskey && !has_dnskey) {
                                update_log(client, zone, LOGLEVEL_PROTOCOL,
-                                          "update rejected: all DNSKEY records "
-                                          "removed and 'secure-to-insecure' "
+                                          "update rejected: all DNSKEY "
+                                           "records removed and "
+                                           "'dnssec-secure-to-insecure' "
                                           "not set");
                                result = DNS_R_REFUSED;
                                goto failure;
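Review bot: The two re-split fragments `"records removed and "` and `"'dnssec-secure-to-insecure' "` sit one column deeper than the first and last fragments of the same argument as rendered here, so the string literal no longer lines up; aligning them with `"update rejected: all DNSKEY "` keeps the call readable. The concatenated text is unchanged apart from the option name, so log matching that keys on the exact quoted token `'secure-to-insecure'` would need updating to keep noticing refused attempts to remove every DNSKEY from a signed zone. update_action starts and ends outside this hunk.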
index ce615d5cac5c636c34f7de2302f448e934b76520..fdd4e806ef00f7e65effdcf732137ecf4bd5dbc3 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zoneconf.c,v 1.159 2009/10/22 03:43:16 each Exp $ */
+/* $Id: zoneconf.c,v 1.160 2009/12/03 23:18:17 each Exp $ */
 
 /*% */
 
@@ -855,7 +855,7 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
                                   cfg_obj_asboolean(obj));
 
                obj = NULL;
-               result = ns_config_get(maps, "dnskey-ksk-only", &obj);
+               result = ns_config_get(maps, "dnssec-dnskey-kskonly", &obj);
                INSIST(result == ISC_R_SUCCESS);
                dns_zone_setoption(zone, DNS_ZONEOPT_DNSKEYKSKONLY,
                                   cfg_obj_asboolean(obj));
@@ -933,7 +933,7 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
                dns_zone_setoption(zone, DNS_ZONEOPT_IGNORESRVCNAME, ignore);
 
                obj = NULL;
-               result = ns_config_get(maps, "secure-to-insecure", &obj);
+               result = ns_config_get(maps, "dnssec-secure-to-insecure", &obj);
                INSIST(obj != NULL);
                dns_zone_setoption(zone, DNS_ZONEOPT_SECURETOINSECURE,
                                   cfg_obj_asboolean(obj));
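Review bot: The "dnssec-secure-to-insecure" lookup assigns `result` but then asserts only `INSIST(obj != NULL);`, whereas the "dnssec-dnskey-kskonly" lookup in the previous hunk asserts `INSIST(result == ISC_R_SUCCESS);`. Using one form for both, for example `INSIST(result == ISC_R_SUCCESS && obj != NULL);`, would stop the return value from being silently dropped before `cfg_obj_asboolean(obj)` sets DNS_ZONEOPT_SECURETOINSECURE. Both assertions appear to depend on the built-in defaults string in bin/named/config.c carrying the same key spelling, so a short comment such as `/* must match the default in config.c */` would help the next rename. ns_zone_configure starts and ends outside these hunks.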
index 5fe48af79905dfef25238207458793cbebb10731..ebf757b924471bf0dcf72e95b9e9e15339ad52d2 100644 (file)
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- File: $Id: Bv9ARM-book.xml,v 1.447 2009/11/28 15:57:37 vjs Exp $ -->
+<!-- File: $Id: Bv9ARM-book.xml,v 1.448 2009/12/03 23:18:17 each Exp $ -->
 <book xmlns:xi="http://www.w3.org/2001/XInclude">
   <title>BIND 9 Administrator Reference Manual</title>
 
@@ -4923,8 +4923,8 @@ badresp:1,adberr:0,findfail:0,valfail:0]
     <optional> allow-update { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> allow-update-forwarding { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> update-check-ksk <replaceable>yes_or_no</replaceable>; </optional>
-    <optional> dnskey-ksk-only <replaceable>yes_or_no</replaceable>; </optional>
-    <optional> secure-to-insecure <replaceable>yes_or_no</replaceable> ;</optional>
+    <optional> dnssec-dnskey-kskonly <replaceable>yes_or_no</replaceable>; </optional>
+    <optional> dnssec-secure-to-insecure <replaceable>yes_or_no</replaceable> ;</optional>
     <optional> try-tcp-refresh <replaceable>yes_or_no</replaceable>; </optional>
     <optional> allow-v6-synthesis { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> blackhole { <replaceable>address_match_list</replaceable> }; </optional>
@@ -6556,7 +6556,7 @@ options {
            </varlistentry>
 
            <varlistentry>
-             <term><command>dnskey-ksk-only</command></term>
+             <term><command>dnssec-dnskey-kskonly</command></term>
              <listitem>
                <para>
                   When this option and <command>update-check-ksk</command>
@@ -6588,7 +6588,7 @@ options {
            </varlistentry>
 
            <varlistentry>
-             <term><command>secure-to-insecure</command></term>
+             <term><command>dnssec-secure-to-insecure</command></term>
              <listitem>
                <para>
                  Allow a zone to transition from secure to insecure by
@@ -9520,8 +9520,8 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
     <optional> allow-transfer { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> allow-update-forwarding { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> update-check-ksk <replaceable>yes_or_no</replaceable>; </optional>
-    <optional> dnskey-ksk-only <replaceable>yes_or_no</replaceable>; </optional>
-    <optional> secure-to-insecure <replaceable>yes_or_no</replaceable> ; </optional>
+    <optional> dnssec-dnskey-kskonly <replaceable>yes_or_no</replaceable>; </optional>
+    <optional> dnssec-secure-to-insecure <replaceable>yes_or_no</replaceable> ; </optional>
     <optional> try-tcp-refresh <replaceable>yes_or_no</replaceable>; </optional>
     <optional> also-notify { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ;
                   <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
@@ -10034,11 +10034,11 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
               </varlistentry>
 
              <varlistentry>
-               <term><command>dnskey-ksk-only</command></term>
+               <term><command>dnssec-dnskey-kskonly</command></term>
                 <listitem>
                   <para>
                     See the description of
-                    <command>dnskey-ksk-only</command> in <xref linkend="boolean_options"/>.
+                    <command>dnssec-dnskey-kskonly</command> in <xref linkend="boolean_options"/>.
                   </para>
                 </listitem>
               </varlistentry>
@@ -10479,11 +10479,11 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
              </varlistentry>
 
               <varlistentry>
-                <term><command>secure-to-insecure</command></term>
+                <term><command>dnssec-secure-to-insecure</command></term>
                 <listitem>
                   <para>
                     See the description of
-                    <command>secure-to-insecure</command> in <xref linkend="boolean_options"/>.
+                    <command>dnssec-secure-to-insecure</command> in <xref linkend="boolean_options"/>.
                   </para>
                 </listitem>
               </varlistentry>
index db360e2b5db69ae1f304ceee9dbb38e0d49c174e..89f421298b49f465db7dddaa71b1d74750870713 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: check.c,v 1.112 2009/10/12 23:48:01 tbox Exp $ */
+/* $Id: check.c,v 1.113 2009/12/03 23:18:17 each Exp $ */
 
 /*! \file */
 
@@ -1101,7 +1101,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
        { "min-retry-time", SLAVEZONE | STUBZONE },
        { "max-refresh-time", SLAVEZONE | STUBZONE },
        { "min-refresh-time", SLAVEZONE | STUBZONE },
-       { "secure-to-insecure", MASTERZONE },
+       { "dnssec-secure-to-insecure", MASTERZONE },
        { "sig-validity-interval", MASTERZONE },
        { "sig-re-signing-interval", MASTERZONE },
        { "sig-signing-nodes", MASTERZONE },
@@ -1126,7 +1126,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
        { "check-srv-cname", MASTERZONE },
        { "masterfile-format", MASTERZONE | SLAVEZONE | STUBZONE | HINTZONE },
        { "update-check-ksk", MASTERZONE },
-       { "dnskey-ksk-only", MASTERZONE },
+       { "dnssec-dnskey-kskonly", MASTERZONE },
        { "auto-dnssec", MASTERZONE },
        { "try-tcp-refresh", SLAVEZONE },
        };
index 9dae4d7e427e2f2cf93ea97dd3ecc2e3d3794c2d..0be5b633a88687ff3b892962279d2bef7778804b 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.h,v 1.170 2009/10/12 20:48:12 each Exp $ */
+/* $Id: zone.h,v 1.171 2009/12/03 23:18:17 each Exp $ */
 
 #ifndef DNS_ZONE_H
 #define DNS_ZONE_H 1
@@ -71,8 +71,8 @@ typedef enum {
 #define DNS_ZONEOPT_TRYTCPREFRESH 0x01000000U  /*%< try tcp refresh on udp failure */
 #define DNS_ZONEOPT_NOTIFYTOSOA          0x02000000U   /*%< Notify the SOA MNAME */
 #define DNS_ZONEOPT_NSEC3TESTZONE 0x04000000U  /*%< nsec3-test-zone */
-#define DNS_ZONEOPT_SECURETOINSECURE 0x08000000U /*%< secure-to-insecure */
-#define DNS_ZONEOPT_DNSKEYKSKONLY 0x10000000U  /*%< dnskey-ksk-only */
+#define DNS_ZONEOPT_SECURETOINSECURE 0x08000000U /*%< dnssec-secure-to-insecure */
+#define DNS_ZONEOPT_DNSKEYKSKONLY 0x10000000U  /*%< dnssec-dnskey-kskonly */
 
 #ifndef NOMINUM_PUBLIC
 /*
index 30c02411f1743845ca25ed86442721a1e2d61a07..9bd8ff1eb0b1be378fd30f0e91539ff03038e93f 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: namedconf.c,v 1.111 2009/11/28 15:57:37 vjs Exp $ */
+/* $Id: namedconf.c,v 1.112 2009/12/03 23:18:17 each Exp $ */
 
 /*! \file */
 
@@ -1126,7 +1126,8 @@ zone_clauses[] = {
        { "check-srv-cname", &cfg_type_checkmode, 0 },
        { "check-wildcard", &cfg_type_boolean, 0 },
        { "dialup", &cfg_type_dialuptype, 0 },
-       { "dnskey-ksk-only", &cfg_type_boolean, 0 },
+       { "dnssec-dnskey-kskonly", &cfg_type_boolean, 0 },
+       { "dnssec-secure-to-insecure", &cfg_type_boolean, 0 },
        { "forward", &cfg_type_forwardtype, 0 },
        { "forwarders", &cfg_type_portiplist, 0 },
        { "key-directory", &cfg_type_qstring, 0 },
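Review bot: The old spellings "secure-to-insecure" and "dnskey-ksk-only" are dropped from zone_clauses[] with no compatibility entry, so a named.conf that still uses them no longer matches any clause visible here; how the parser treats that is outside the hunk, but it is presumably rejected as an unknown option and the configuration fails to load. If either name has reached deployed configurations, consider keeping them as flagged entries, e.g. `{ "secure-to-insecure", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },` and `{ "dnskey-ksk-only", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },`. An ignored old option would then fall back to the built-in `no`, which leaves removal of all DNSKEY records by update refused rather than permitted. The zone_clauses[] initializer starts and ends outside the hunk.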
@@ -1149,7 +1150,6 @@ zone_clauses[] = {
        { "notify-source-v6", &cfg_type_sockaddr6wild, 0 },
        { "notify-to-soa", &cfg_type_boolean, 0 },
        { "nsec3-test-zone", &cfg_type_boolean, CFG_CLAUSEFLAG_TESTONLY },
-       { "secure-to-insecure", &cfg_type_boolean, 0 },
        { "sig-signing-nodes", &cfg_type_uint32, 0 },
        { "sig-signing-signatures", &cfg_type_uint32, 0 },
        { "sig-signing-type", &cfg_type_uint32, 0 },