Mark some managed-keys instances deprecated
authorMatthijs Mekking <matthijs@isc.org>
Fri, 28 Jun 2019 10:19:13 +0000 (12:19 +0200)
committerMatthijs Mekking <matthijs.isc.org>
Mon, 1 Jul 2019 08:31:33 +0000 (10:31 +0200)
The 'managed-keys' (and 'trusted-keys') options have been deprecated
in favor of 'dnssec-keys'.  Some documentation references to
'managed-keys' had not yet been marked or noted as deprecated.

bin/named/named.conf.docbook
bin/rndc/rndc.docbook
doc/arm/Bv9ARM-book.xml
doc/misc/dnssec
doc/misc/docbook-options.pl
lib/irs/include/irs/dnsconf.h
lib/isccfg/dnsconf.c

index f86e418b744bea2d0349ea52ca78542d58da2a01..672bc78b4e893b9f65801258c40d6e75063e2250 100644 (file)
@@ -156,7 +156,7 @@ logging {
 
 
   <refsection><info><title>MANAGED-KEYS</title></info>
-  <para>See DNSSEC-KEYS.</para>
+  <para>Deprecated - see DNSSEC-KEYS.</para>
     <literallayout class="normal">
 managed-keys { <replaceable>string</replaceable> ( static-key |
     initial-key ) <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable>
@@ -652,7 +652,7 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
        lmdb-mapsize <replaceable>sizeval</replaceable>;
        managed-keys { <replaceable>string</replaceable> ( static-key |
            initial-key ) <replaceable>integer</replaceable> <replaceable>integer</replaceable>
-           <replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>; ... };
+           <replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>; ... };, deprecated
        masterfile-format ( map | raw | text );
        masterfile-style ( full | relative );
        match-clients { <replaceable>address_match_element</replaceable>; ... };
index 4ee0b7a80dfd8db2c1e38b7f3af100c6853a0870..acc14ac2cda751b32833a56f148d20e4e333c40e 100644 (file)
        <listitem>
          <para>
            Dump the security roots (i.e., trust anchors
-           configured via <command>dnssec-keys</command> statements,
-           or the synonymous <command>managed-keys</command> or
-           the deprecated <command>trusted-keys</command> statements, or
+           configured via <command>dnssec-keys</command> statements, or the
+           managed-keys or trusted-keys statements (both deprecated), or
            via <command>dnssec-validation auto</command>) and negative trust
            anchors for the specified views.  If no view is specified, all
            views are dumped.  Security roots will indicate whether
index e300267c0c6f2ba0101f40ee291c920ecc5a5e16..cd75915bd0d5ff8a6df4f406999f3c319456352e 100644 (file)
@@ -2213,8 +2213,8 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
          if at least one trust anchor has been explicitly configured
          in <filename>named.conf</filename>
          using a <command>dnssec-keys</command> statement (or the
-         synonymous <command>managed-keys</command> or the deprecated
-         <command>trusted-keys</command> statements).
+         <command>managed-keys</command> and <command>trusted-keys</command>
+         statements, both deprecated).
        </para>
        <para>
          When <command>dnssec-validation</command> is set to
@@ -3209,8 +3209,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
                  keys are kept up to date using RFC 5011
                  trust anchor maintenance, and if used with
                  <command>static-key</command>, keys are permanent.
-                 Identical to <command>managed-keys</command>,
-                 but has been added for improved clarity.
                </para>
              </entry>
            </row>
@@ -3220,8 +3218,11 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
              </entry>
              <entry colname="2">
                <para>
-                 is identical to <command>dnssec-keys</command>,
-                 and is retained for backward compatibility.
+                 is identical to <command>dnssec-keys</command>;
+                 this option is deprecated in favor
+                 of <command>dnssec-keys</command> with
+                 the <command>initial-key</command> keyword,
+                 and may be removed in a future release.
                </para>
              </entry>
            </row>
@@ -5054,10 +5055,11 @@ options {
                as insecure.
              </para>
              <para>
-               Configured trust anchors in <command>trusted-keys</command>
-               or <command>managed-keys</command> that match a disabled
-               algorithm will be ignored and treated as if they were not
-               configured at all.
+               Configured trust anchors in <command>dnssec-keys</command>
+               (or <command>managed-keys</command> or
+               <command>trusted-keys</command>, both deprecated)
+               that match a disabled algorithm will be ignored and treated
+               as if they were not configured at all.
              </para>
            </listitem>
          </varlistentry>
@@ -6435,8 +6437,8 @@ options {
                  If set to <userinput>yes</userinput>, DNSSEC validation is
                  enabled, but a trust anchor must be manually configured
                  using a <command>dnssec-keys</command> statement (or
-                 the synonymous <command>managed-keys</command>, or the
-                 deprecated <command>trusted-keys</command> statements).
+                 the <command>managed-keys</command> or the
+                 <command>trusted-keys</command> statements, both deprecated).
                  If there is no configured trust anchor, validation will
                  not take place.
                </para>
@@ -11015,9 +11017,9 @@ example.com                 CNAME   rpz-tcp-only.
            and Usage</title></info>
 
          <para>
-           The <command>managed-keys</command> statement is
-           identical to the <command>dnssec-keys</command>, and is
-           retained for backward compatibility.
+           The <command>managed-keys</command> statement has been
+           deprecated in favor of <xref linkend="dnssec_keys"/>
+           with the <command>initial-key</command> keyword.
          </para>
        </section>
 
@@ -11030,7 +11032,7 @@ example.com                 CNAME   rpz-tcp-only.
          <para>
            The <command>trusted-keys</command> statement has been
            deprecated in favor of <xref linkend="dnssec_keys"/>
-           with the <command>static</command> keyword.
+           with the <command>static-key</command> keyword.
          </para>
        </section>
 
@@ -11417,9 +11419,8 @@ view "external" {
                        For validation to succeed, a key-signing key
                        (KSK) for the zone must be configured as a trust
                        anchor in <filename>named.conf</filename>: that
-                       is, a key for the zone must either be specified
-                       in <command>managed-keys</command> or
-                       <command>trusted-keys</command>.  In the case
+                       is, a key for the zone must be specified in
+                       <command>dnssec-keys</command>.  In the case
                        of the root zone, you may also rely on the
                        built-in root trust anchor, which is enabled
                        when <xref endterm="dnssec_validation_term"
index 84db388f8b1ad601ad6033a199661f7509118b50..9fe13ebd452f5ee63afb75e3459c93472c17b5f0 100644 (file)
@@ -46,7 +46,7 @@ been implemented but should still be considered experimental.
 
 When acting as a caching name server, BIND9 is capable of performing
 basic DNSSEC validation of positive as well as nonexistence responses.
-This functionality is enabled by including a "trusted-keys" clause
+This functionality is enabled by including a "dnssec-keys" clause
 in the configuration file, containing the top-level zone key of the
 the DNSSEC tree.
 
index fdb9c39c14488e21006e9442323f79e283ad1732..e67213136d8668e18c638a276362fbbc69d3f1f4 100644 (file)
@@ -148,7 +148,7 @@ END
 
                 if ($1 eq "managed-keys") {
                         print <<END;
-  <para>See DNSSEC-KEYS.</para>
+  <para>Deprecated - see DNSSEC-KEYS.</para>
 END
                 }
 
index 7e6f78d9368ee90c4e6d4625b70e59932f6dee7c..2922f753c1606ffd3885ffe0c5742339cdc6471e 100644 (file)
@@ -17,7 +17,7 @@
  *
  * \brief
  * The IRS dnsconf module parses an "advanced" configuration file related to
- * the DNS library, such as trusted keys for DNSSEC validation, and creates
+ * the DNS library, such as trust anchors for DNSSEC validation, and creates
  * the corresponding configuration objects for the DNS library modules.
  *
  * Notes:
index bbc9c6fdb456859a85cddd6d5bdd12695239aa5d..03025fec890f5504e0fa5cd3ff369033e33cfbec 100644 (file)
@@ -43,7 +43,8 @@ static cfg_type_t cfg_type_trustedkeys = {
  */
 static cfg_clausedef_t
 dnsconf_clauses[] = {
-       { "trusted-keys", &cfg_type_trustedkeys, CFG_CLAUSEFLAG_MULTI },
+       { "trusted-keys", &cfg_type_trustedkeys,
+         CFG_CLAUSEFLAG_MULTI },
        { NULL, NULL, 0 }
 };