+2677. [func] Changes to key metadata behavior:
+ - Keys without "publish" or "active" dates set will
+ no longer be used for smart signing. However,
+ those dates will be set to "now" by default when
+ a key is created; to generate a key but not use
+ it yet, use dnssec-keygen -G.
+ - New "inactive" date (dnssec-keygen/settime -I)
+ sets the time when a key is no longer used for
+ signing but is still published.
+ - The "unpublished" date (-U) is deprecated in
+ favor of "deleted" (-D).
+ [rt20247]
+
2676. [bug] --with-export-installdir should have been
--with-export-includedir. [RT #20252]
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssec-keyfromlabel.c,v 1.13 2009/09/07 23:11:48 fdupont Exp $ */
+/* $Id: dnssec-keyfromlabel.c,v 1.14 2009/09/14 18:45:45 each Exp $ */
/*! \file */
fprintf(stderr, " -P date/[+-]offset: set key publication date\n");
fprintf(stderr, " -A date/[+-]offset: set key activation date\n");
fprintf(stderr, " -R date/[+-]offset: set key revocation date\n");
- fprintf(stderr, " -U date/[+-]offset: set key unpublication date\n");
+ fprintf(stderr, " -I date/[+-]offset: set key inactivation date\n");
fprintf(stderr, " -D date/[+-]offset: set key deletion date\n");
+ fprintf(stderr, " -G: generate key only; do not set -P or -A\n");
fprintf(stderr, " -C: generate a backward-compatible key, omitting"
- " dates\n");
+ " all dates\n");
fprintf(stderr, "Output:\n");
fprintf(stderr, " K<name>+<alg>+<id>.key, "
"K<name>+<alg>+<id>.private\n");
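Review bot: The usage text here replaces the `-U` line with `-I`, but the dnssec-keyfromlabel.docbook hunk later in this commit still titles the retired-date entry `<term>-U <replaceable class="parameter">date/offset</replaceable></term>` while its synopsis now lists -I and drops -U, so that man page documents the new semantics under a letter the program no longer accepts. The matching dnssec-keygen.docbook hunk does change the term to `<term>-I <replaceable class="parameter">date/offset</replaceable></term>`, and the keyfromlabel page should be brought in line with it. The enclosing usage() starts and ends outside the hunk.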
int options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC;
char *label = NULL, *engine = NULL;
isc_stdtime_t publish = 0, activate = 0, revoke = 0;
- isc_stdtime_t unpublish = 0, delete = 0;
+ isc_stdtime_t inactive = 0, delete = 0;
isc_stdtime_t now;
isc_boolean_t setpub = ISC_FALSE, setact = ISC_FALSE;
- isc_boolean_t setrev = ISC_FALSE, setunpub = ISC_FALSE;
+ isc_boolean_t setrev = ISC_FALSE, setinact = ISC_FALSE;
isc_boolean_t setdel = ISC_FALSE;
isc_boolean_t unsetpub = ISC_FALSE, unsetact = ISC_FALSE;
- isc_boolean_t unsetrev = ISC_FALSE, unsetunpub = ISC_FALSE;
+ isc_boolean_t unsetrev = ISC_FALSE, unsetinact = ISC_FALSE;
isc_boolean_t unsetdel = ISC_FALSE;
+ isc_boolean_t genonly = ISC_FALSE;
if (argc == 1)
usage();
isc_stdtime_get(&now);
while ((ch = isc_commandline_parse(argc, argv,
- "a:Cc:f:K:kl:n:p:t:v:FhP:A:R:U:D:")) != -1)
+ "a:Cc:f:K:kl:n:p:t:v:FhGP:A:R:I:D:")) != -1)
{
switch (ch) {
case 'a':
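Review bot: Dropping `U:` from the option string `"a:Cc:f:K:kl:n:p:t:v:FhGP:A:R:I:D:"` removes -U outright, so an existing script passing -U presumably lands in the parser's default branch (outside the hunk) rather than being "deprecated" as the CHANGES entry describes. If a deprecation period is intended, keep `U:` in the string and add `case 'U': fprintf(stderr, "-U is deprecated; use -D\n"); /* fall through */` directly above `case 'D':`, since the old unpublish semantics match the new -D description; otherwise the CHANGES wording should say "removed". The same applies to CMDLINE_FLAGS in dnssec-keygen.c and to the option string in dnssec-settime.c. The enclosing main() starts and ends outside the hunk.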
if (*endp != '\0')
fatal("-v must be followed by a number");
break;
+ case 'G':
+ genonly = ISC_TRUE;
+ break;
case 'P':
if (setpub || unsetpub)
fatal("-P specified more than once");
unsetrev = ISC_TRUE;
}
break;
- case 'U':
- if (setunpub || unsetunpub)
- fatal("-U specified more than once");
+ case 'I':
+ if (setinact || unsetinact)
+ fatal("-I specified more than once");
if (strcasecmp(isc_commandline_argument, "none")) {
- setunpub = ISC_TRUE;
- unpublish = strtotime(isc_commandline_argument,
- now, now);
+ setinact = ISC_TRUE;
+ inactive = strtotime(isc_commandline_argument,
+ now, now);
} else {
- unsetunpub = ISC_TRUE;
+ unsetinact = ISC_TRUE;
}
break;
case 'D':
/*
* Set key timing metadata (unless using -C)
+ *
+ * Publish and activation dates are set to "now" by default, but
+ * can be overridden. Creation date is always set to "now".
*/
if (!oldstyle) {
dst_key_settime(key, DST_TIME_CREATED, now);
+ if (genonly && (setpub || setact))
+ fatal("cannot use -G together with -P or -A options");
+
if (setpub)
dst_key_settime(key, DST_TIME_PUBLISH, publish);
+ else if (!genonly)
+ dst_key_settime(key, DST_TIME_PUBLISH, now);
+
if (setact)
dst_key_settime(key, DST_TIME_ACTIVATE, activate);
+ else if (!genonly)
+ dst_key_settime(key, DST_TIME_ACTIVATE, now);
+
if (setrev)
dst_key_settime(key, DST_TIME_REVOKE, revoke);
- if (setunpub)
- dst_key_settime(key, DST_TIME_UNPUBLISH, unpublish);
+
+ if (setinact)
+ dst_key_settime(key, DST_TIME_INACTIVE, inactive);
+
if (setdel)
dst_key_settime(key, DST_TIME_DELETE, delete);
} else {
- if (setpub || setact || setrev || setunpub ||
+ if (setpub || setact || setrev || setinact ||
setdel || unsetpub || unsetact ||
- unsetrev || unsetunpub || unsetdel)
+ unsetrev || unsetinact || unsetdel || genonly)
fatal("cannot use -C together with "
- "-P, -A, -R, -U, or -D options");
+ "-P, -A, -R, -I, -D, or -G options");
/*
* Compatibility mode: Private-key-format
* should be set to 1.2.
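Review bot: The new settime calls write DST_TIME_INACTIVE and the now-defaulted DST_TIME_ACTIVATE without checking that the dates are ordered, so `-I` earlier than the effective activation date, or `-D` earlier than `-I`, is recorded silently; as far as the get_hints hunk in dnssec.c shows, such a key is published but never used for signing. The -G/-P/-A conflict check sets the precedent for rejecting inconsistent input here, so after the settime calls add `if (setinact && !genonly && inactive < (setact ? activate : now))` followed by `fatal("inactivation date (-I) is before activation date (-A)");`, and a corresponding check that `delete` is not before `inactive` when both are set. The identical block in dnssec-keygen.c (the hunk ending at "should be set to 1.2." in that file) and the settime block in dnssec-settime.c have the same gap. The enclosing main() starts and ends outside the hunk.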
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dnssec-keyfromlabel.docbook,v 1.9 2009/09/07 12:54:59 fdupont Exp $ -->
+<!-- $Id: dnssec-keyfromlabel.docbook,v 1.10 2009/09/14 18:45:45 each Exp $ -->
<refentry id="man.dnssec-keyfromlabel">
<refentryinfo>
<date>February 8, 2008</date>
<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
+ <arg><option>-G</option></arg>
+ <arg><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-k</option></arg>
<arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-n <replaceable class="parameter">nametype</replaceable></option></arg>
<arg><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
<arg><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
- <arg><option>-U <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg choice="req">name</arg>
</cmdsynopsis>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>-G</term>
+ <listitem>
+ <para>
+ Generate a key, but do not publish it or sign with it. This
+ option is incompatible with -P and -A.
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term>-h</term>
<listitem>
<para>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
- not be used to sign it.
+ not be used to sign it. If not set, and if the -G option has
+ not been used, the default is "now".
</para>
</listitem>
</varlistentry>
<para>
Sets the date on which the key is to be activated. After that
date, the key will be included and the zone and used to sign
- it.
+ it. If not set, and if the -G option has not been used, the
+ default is "now".
</para>
</listitem>
</varlistentry>
<term>-U <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
- Sets the date on which the key is to be unpublished. After that
- date, the key will no longer be included in the zone, but it
- may remain in the key repository.
+ Sets the date on which the key is to be retired. After that
+ date, the key will still be included in the zone, but it
+ will not be used to sign it.
</para>
</listitem>
</varlistentry>
<listitem>
<para>
Sets the date on which the key is to be deleted. After that
- date, the key can be removed from the key repository.
- NOTE: Keys are not currently deleted automatically; this field
- is included for informational purposes and for future
- development.
+ date, the key will no longer be included in the zone. (It
+ may remain in the key repository, however.)
</para>
</listitem>
</varlistentry>
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssec-keygen.c,v 1.94 2009/09/07 12:54:59 fdupont Exp $ */
+/* $Id: dnssec-keygen.c,v 1.95 2009/09/14 18:45:45 each Exp $ */
/*! \file */
fprintf(stderr, " usage | trace | record | size | mctx\n");
fprintf(stderr, " -v <level>: set verbosity level (0 - 10)\n");
fprintf(stderr, "Date options:\n");
- fprintf(stderr, " -P date/[+-]offset: set key publication date\n");
- fprintf(stderr, " -A date/[+-]offset: set key activation date\n");
+ fprintf(stderr, " -P date/[+-]offset: set key publication date "
+ "(default: now)\n");
+ fprintf(stderr, " -A date/[+-]offset: set key activation date "
+ "(default: now)\n");
fprintf(stderr, " -R date/[+-]offset: set key revocation date\n");
- fprintf(stderr, " -U date/[+-]offset: set key unpublication date\n");
+ fprintf(stderr, " -I date/[+-]offset: set key inactivation date\n");
fprintf(stderr, " -D date/[+-]offset: set key deletion date\n");
+ fprintf(stderr, " -G: generate key only; do not set -P or -A\n");
fprintf(stderr, " -C: generate a backward-compatible key, omitting "
- "dates\n");
+ "all dates\n");
fprintf(stderr, "Output:\n");
fprintf(stderr, " K<name>+<alg>+<id>.key, "
"K<name>+<alg>+<id>.private\n");
int dbits = 0;
isc_boolean_t use_default = ISC_FALSE, use_nsec3 = ISC_FALSE;
isc_stdtime_t publish = 0, activate = 0, revoke = 0;
- isc_stdtime_t unpublish = 0, delete = 0;
+ isc_stdtime_t inactive = 0, delete = 0;
isc_stdtime_t now;
isc_boolean_t setpub = ISC_FALSE, setact = ISC_FALSE;
- isc_boolean_t setrev = ISC_FALSE, setunpub = ISC_FALSE;
+ isc_boolean_t setrev = ISC_FALSE, setinact = ISC_FALSE;
isc_boolean_t setdel = ISC_FALSE;
isc_boolean_t unsetpub = ISC_FALSE, unsetact = ISC_FALSE;
- isc_boolean_t unsetrev = ISC_FALSE, unsetunpub = ISC_FALSE;
+ isc_boolean_t unsetrev = ISC_FALSE, unsetinact = ISC_FALSE;
isc_boolean_t unsetdel = ISC_FALSE;
+ isc_boolean_t genonly = ISC_FALSE;
if (argc == 1)
usage();
/*
* Process memory debugging argument first.
*/
-#define CMDLINE_FLAGS "3a:b:Cc:d:eFf:g:K:km:n:p:r:s:T:t:v:hP:A:R:U:D:"
+#define CMDLINE_FLAGS "3a:b:Cc:d:eFf:g:K:km:n:p:r:s:T:t:v:hGP:A:R:I:D:"
while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
switch (ch) {
case 'm':
case 'z':
/* already the default */
break;
+ case 'G':
+ genonly = ISC_TRUE;
+ break;
case 'P':
if (setpub || unsetpub)
fatal("-P specified more than once");
unsetrev = ISC_TRUE;
}
break;
- case 'U':
- if (setunpub || unsetunpub)
- fatal("-U specified more than once");
+ case 'I':
+ if (setinact || unsetinact)
+ fatal("-I specified more than once");
if (strcasecmp(isc_commandline_argument, "none")) {
- setunpub = ISC_TRUE;
- unpublish = strtotime(isc_commandline_argument,
- now, now);
+ setinact = ISC_TRUE;
+ inactive = strtotime(isc_commandline_argument,
+ now, now);
} else {
- unsetunpub = ISC_TRUE;
+ unsetinact = ISC_TRUE;
}
break;
case 'D':
/*
* Set key timing metadata (unless using -C)
+ *
+ * Publish and activation dates are set to "now" by default,
+ * but can be overridden. Creation date is always set to
+ * "now".
*/
if (!oldstyle) {
dst_key_settime(key, DST_TIME_CREATED, now);
+ if (genonly && (setpub || setact))
+ fatal("cannot use -G together with "
+ "-P or -A options");
+
if (setpub)
- dst_key_settime(key, DST_TIME_PUBLISH,
- publish);
+ dst_key_settime(key, DST_TIME_PUBLISH, publish);
+ else if (!genonly)
+ dst_key_settime(key, DST_TIME_PUBLISH, now);
+
if (setact)
dst_key_settime(key, DST_TIME_ACTIVATE,
activate);
+ else if (!genonly)
+ dst_key_settime(key, DST_TIME_ACTIVATE, now);
+
if (setrev)
- dst_key_settime(key, DST_TIME_REVOKE,
- revoke);
- if (setunpub)
- dst_key_settime(key, DST_TIME_UNPUBLISH,
- unpublish);
+ dst_key_settime(key, DST_TIME_REVOKE, revoke);
+
+ if (setinact)
+ dst_key_settime(key, DST_TIME_INACTIVE,
+ inactive);
+
if (setdel)
- dst_key_settime(key, DST_TIME_DELETE,
- delete);
+ dst_key_settime(key, DST_TIME_DELETE, delete);
} else {
- if (setpub || setact || setrev || setunpub ||
+ if (setpub || setact || setrev || setinact ||
setdel || unsetpub || unsetact ||
- unsetrev || unsetunpub || unsetdel)
+ unsetrev || unsetinact || unsetdel || genonly)
fatal("cannot use -C together with "
- "-P, -A, -R, -U, or -D options");
+ "-P, -A, -R, -I, -D, or -G options");
/*
* Compatibility mode: Private-key-format
* should be set to 1.2.
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dnssec-keygen.docbook,v 1.27 2009/09/02 06:29:00 each Exp $ -->
+<!-- $Id: dnssec-keygen.docbook,v 1.28 2009/09/14 18:45:45 each Exp $ -->
<refentry id="man.dnssec-keygen">
<refentryinfo>
<date>June 30, 2000</date>
<arg><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-e</option></arg>
<arg><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
+ <arg><option>-G</option></arg>
<arg><option>-g <replaceable class="parameter">generator</replaceable></option></arg>
<arg><option>-h</option></arg>
+ <arg><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-k</option></arg>
<arg><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
<arg><option>-s <replaceable class="parameter">strength</replaceable></option></arg>
<arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
- <arg><option>-U <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg><option>-z</option></arg>
<arg choice="req">name</arg>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>-G</term>
+ <listitem>
+ <para>
+ Generate a key, but do not publish it or sign with it. This
+ option is incompatible with -P and -A.
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term>-g <replaceable class="parameter">generator</replaceable></term>
<listitem>
<para>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
- not be used to sign it.
+ not be used to sign it. If not set, and if the -G option has
+ not been used, the default is "now".
</para>
</listitem>
</varlistentry>
<para>
Sets the date on which the key is to be activated. After that
date, the key will be included and the zone and used to sign
- it.
+ it. If not set, and if the -G option has not been used, the
+ default is "now".
</para>
</listitem>
</varlistentry>
</varlistentry>
<varlistentry>
- <term>-U <replaceable class="parameter">date/offset</replaceable></term>
+ <term>-I <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
- Sets the date on which the key is to be unpublished. After that
- date, the key will no longer be included in the zone, but it
- may remain in the key repository.
+ Sets the date on which the key is to be retired. After that
+ date, the key will still be included in the zone, but it
+ will not be used to sign it.
</para>
</listitem>
</varlistentry>
<listitem>
<para>
Sets the date on which the key is to be deleted. After that
- date, the key can be removed from the key repository.
- NOTE: Keys are not currently deleted automatically; this field
- is included for informational purposes and for future
- development.
+ date, the key will no longer be included in the zone. (It
+ may remain in the key repository, however.)
</para>
</listitem>
</varlistentry>
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssec-settime.c,v 1.11 2009/09/04 16:57:22 each Exp $ */
+/* $Id: dnssec-settime.c,v 1.12 2009/09/14 18:45:45 each Exp $ */
/*! \file */
"activation date\n");
fprintf(stderr, " -R date/[+-]offset/none: set key "
"revocation date\n");
- fprintf(stderr, " -U date/[+-]offset/none: set key "
- "unpublication date\n");
+ fprintf(stderr, " -I date/[+-]offset/none: set key "
+ "inactivation date\n");
fprintf(stderr, " -D date/[+-]offset/none: set key "
"deletion date\n");
fprintf(stderr, "Printing options:\n");
isc_buffer_t buf;
int major, minor;
isc_stdtime_t now;
- isc_stdtime_t pub = 0, act = 0, rev = 0, unpub = 0, del = 0;
+ isc_stdtime_t pub = 0, act = 0, rev = 0, inact = 0, del = 0;
isc_boolean_t setpub = ISC_FALSE, setact = ISC_FALSE;
- isc_boolean_t setrev = ISC_FALSE, setunpub = ISC_FALSE;
+ isc_boolean_t setrev = ISC_FALSE, setinact = ISC_FALSE;
isc_boolean_t setdel = ISC_FALSE;
isc_boolean_t unsetpub = ISC_FALSE, unsetact = ISC_FALSE;
- isc_boolean_t unsetrev = ISC_FALSE, unsetunpub = ISC_FALSE;
+ isc_boolean_t unsetrev = ISC_FALSE, unsetinact = ISC_FALSE;
isc_boolean_t unsetdel = ISC_FALSE;
isc_boolean_t printcreate = ISC_FALSE, printpub = ISC_FALSE;
isc_boolean_t printact = ISC_FALSE, printrev = ISC_FALSE;
- isc_boolean_t printunpub = ISC_FALSE, printdel = ISC_FALSE;
+ isc_boolean_t printinact = ISC_FALSE, printdel = ISC_FALSE;
isc_boolean_t forceupdate = ISC_FALSE;
isc_boolean_t epoch = ISC_FALSE;
isc_boolean_t changed = ISC_FALSE;
isc_stdtime_get(&now);
while ((ch = isc_commandline_parse(argc, argv,
- "fK:uhp:v:P:A:R:U:D:")) != -1) {
+ "fK:uhp:v:P:A:R:I:D:")) != -1) {
switch (ch) {
case 'f':
forceupdate = ISC_TRUE;
printpub = ISC_TRUE;
printact = ISC_TRUE;
printrev = ISC_TRUE;
- printunpub = ISC_TRUE;
+ printinact = ISC_TRUE;
printdel = ISC_TRUE;
break;
}
case 'R':
printrev = ISC_TRUE;
break;
- case 'U':
- printunpub = ISC_TRUE;
+ case 'I':
+ printinact = ISC_TRUE;
break;
case 'D':
printdel = ISC_TRUE;
now, now);
}
break;
- case 'U':
- if (setunpub || unsetunpub)
- fatal("-U specified more than once");
+ case 'I':
+ if (setinact || unsetinact)
+ fatal("-I specified more than once");
changed = ISC_TRUE;
if (!strcasecmp(isc_commandline_argument, "none")) {
- unsetunpub = ISC_TRUE;
+ unsetinact = ISC_TRUE;
} else {
- setunpub = ISC_TRUE;
- unpub = strtotime(isc_commandline_argument,
+ setinact = ISC_TRUE;
+ inact = strtotime(isc_commandline_argument,
now, now);
}
break;
dst_key_unsettime(key, DST_TIME_ACTIVATE);
if (setrev) {
- if ((dst_key_flags(key) & DNS_KEYFLAG_REVOKE) != 0 && rev > now)
+ if ((dst_key_flags(key) & DNS_KEYFLAG_REVOKE) != 0)
fprintf(stderr, "%s: warning: Key %s is already "
"revoked; changing the revocation date "
"will not affect this.\n",
dst_key_unsettime(key, DST_TIME_REVOKE);
}
- if (setunpub)
- dst_key_settime(key, DST_TIME_UNPUBLISH, unpub);
- else if (unsetunpub)
- dst_key_unsettime(key, DST_TIME_UNPUBLISH);
+ if (setinact)
+ dst_key_settime(key, DST_TIME_INACTIVE, inact);
+ else if (unsetinact)
+ dst_key_unsettime(key, DST_TIME_INACTIVE);
if (setdel)
dst_key_settime(key, DST_TIME_DELETE, del);
if (printrev)
printtime(key, DST_TIME_REVOKE, "Revoke", epoch, stdout);
- if (printunpub)
- printtime(key, DST_TIME_UNPUBLISH, "Unpublish", epoch, stdout);
+ if (printinact)
+ printtime(key, DST_TIME_INACTIVE, "Inactive", epoch, stdout);
if (printdel)
printtime(key, DST_TIME_DELETE, "Delete", epoch, stdout);
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dnssec-settime.docbook,v 1.3 2009/09/02 06:29:00 each Exp $ -->
+<!-- $Id: dnssec-settime.docbook,v 1.4 2009/09/14 18:45:45 each Exp $ -->
<refentry id="man.dnssec-settime">
<refentryinfo>
<date>July 15, 2009</date>
<refsynopsisdiv>
<cmdsynopsis>
<command>dnssec-settime</command>
- <arg><option>-fr</option></arg>
+ <arg><option>-f</option></arg>
<arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-A <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
- <arg><option>-U <replaceable class="parameter">date/offset</replaceable></option></arg>
+ <arg><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-h</option></arg>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<para><command>dnssec-settime</command>
reads a DNSSEC private key file and sets the key timing metadata
as specified by the <option>-P</option>, <option>-A</option>,
- <option>-R</option>, <option>-U</option>, and <option>-D</option>
+ <option>-R</option>, <option>-I</option>, and <option>-D</option>
options. The metadata can then be used by
<command>dnssec-signzone</command> or other signing software to
determine when a key is to be published, whether it should be
</varlistentry>
<varlistentry>
- <term>-U <replaceable class="parameter">date/offset</replaceable></term>
+ <term>-I <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
- Sets the date on which the key is to be unpublished. After that
- date, the key will no longer be included in the zone, but it
- may remain in the key repository.
+ Sets the date on which the key is to be retired. After that
+ date, the key will still be included in the zone, but it
+ will not be used to sign it.
</para>
</listitem>
</varlistentry>
<listitem>
<para>
Sets the date on which the key is to be deleted. After that
- date, the key can be removed from the key repository.
- NOTE: Keys are not currently deleted automatically; this field
- is included for informational purposes and for future
- development.
+ date, the key will no longer be included in the zone. (It
+ may remain in the key repository, however.)
</para>
</listitem>
</varlistentry>
*/
/*
- * $Id: dnssec.c,v 1.101 2009/09/10 05:09:31 each Exp $
+ * $Id: dnssec.c,v 1.102 2009/09/14 18:45:45 each Exp $
*/
/*! \file */
static void
get_hints(dns_dnsseckey_t *key) {
isc_result_t result;
- isc_stdtime_t now, publish, active, revoke, unpublish, delete;
+ isc_stdtime_t now, publish, active, revoke, inactive, delete;
isc_boolean_t pubset = ISC_FALSE, actset = ISC_FALSE;
- isc_boolean_t revset = ISC_FALSE, remset = ISC_FALSE;
+ isc_boolean_t revset = ISC_FALSE, inactset = ISC_FALSE;
isc_boolean_t delset = ISC_FALSE;
REQUIRE(key != NULL && key->key != NULL);
if (result == ISC_R_SUCCESS)
revset = ISC_TRUE;
- result = dst_key_gettime(key->key, DST_TIME_UNPUBLISH, &unpublish);
+ result = dst_key_gettime(key->key, DST_TIME_INACTIVE, &inactive);
if (result == ISC_R_SUCCESS)
- remset = ISC_TRUE;
+ inactset = ISC_TRUE;
result = dst_key_gettime(key->key, DST_TIME_DELETE, &delete);
if (result == ISC_R_SUCCESS)
delset = ISC_TRUE;
- /* No metadata set: Publish and sign. */
- if (!pubset && !actset && !revset && !remset && !delset) {
- key->hint_sign = ISC_TRUE;
- key->hint_publish = ISC_TRUE;
- }
-
/* Metadata says publish (but possibly not activate) */
- if (pubset && publish < now)
+ if (pubset && publish <= now)
key->hint_publish = ISC_TRUE;
/* Metadata says activate (so we must also publish) */
- if (actset && active < now) {
+ if (actset && active <= now) {
key->hint_sign = ISC_TRUE;
key->hint_publish = ISC_TRUE;
}
key->prepublish = active - now;
}
+ /*
+ * Key has been marked inactive: we can continue publishing,
+ * but don't sign.
+ */
+ if (key->hint_publish && inactset && inactive <= now) {
+ key->hint_sign = ISC_FALSE;
+ }
+
/*
* Metadata says revoke. If the key is published,
* we *have to* sign with it per RFC5011--even if it was
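Review bot: The new inactive check `if (key->hint_publish && inactset && inactive <= now)` clears hint_sign but runs before the revoke block, whose comment says a published key must be signed with per RFC 5011, so a key that is both past its inactive date and revoked presumably ends up signing again; that is the right outcome for a revoked key, but the new comment only says "don't sign", so extend it to `* but don't sign (unless the key is also revoked; see below).` Also, as far as the visible lines show hint_sign is only ever set to ISC_TRUE together with hint_publish, so the `key->hint_publish &&` guard is redundant unless the caller pre-sets hint_sign; if it is only defensive, a short comment saying so would stop the next reader from looking for a case it covers. The revoke block continues outside the hunk.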
}
/*
- * Metadata says unpublish or delete, so don't publish
- * this key or sign with it.
+ * Metadata says delete, so don't publish this key or sign with it.
*/
- if ((remset && unpublish < now) ||
- (delset && delete < now)) {
+ if (delset && delete <= now) {
key->hint_publish = ISC_FALSE;
key->hint_sign = ISC_FALSE;
key->hint_remove = ISC_TRUE;
/*
* Principal Author: Brian Wellington
- * $Id: dst_api.c,v 1.29 2009/09/03 04:09:58 marka Exp $
+ * $Id: dst_api.c,v 1.30 2009/09/14 18:45:45 each Exp $
*/
/*! \file */
printtime(key, DST_TIME_PUBLISH, "; Publish", fp);
printtime(key, DST_TIME_ACTIVATE, "; Activate", fp);
printtime(key, DST_TIME_REVOKE, "; Revoke", fp);
- printtime(key, DST_TIME_UNPUBLISH, "; Unpublish", fp);
+ printtime(key, DST_TIME_INACTIVE, "; Inactive", fp);
printtime(key, DST_TIME_DELETE, "; Delete", fp);
}
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dst.h,v 1.17 2009/09/02 06:29:01 each Exp $ */
+/* $Id: dst.h,v 1.18 2009/09/14 18:45:45 each Exp $ */
#ifndef DST_DST_H
#define DST_DST_H 1
#define DST_TIME_PUBLISH 1
#define DST_TIME_ACTIVATE 2
#define DST_TIME_REVOKE 3
-#define DST_TIME_UNPUBLISH 4
+#define DST_TIME_INACTIVE 4
#define DST_TIME_DELETE 5
#define DST_MAX_TIMES 5
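Review bot: `DST_TIME_INACTIVE` takes over slot 4 from DST_TIME_UNPUBLISH with different semantics (still published but not signing, versus withdrawn from the zone), so any existing key file whose old "Unpublish" timing line the private-key parser still maps to slot 4 would be read back as an inactive date, and with the get_hints change in dnssec.c that key would stay in the DNSKEY RRset past the date its operator meant as the withdrawal date. Whether the parser (not in this diff) still accepts the old tag cannot be told from here; if it does, mapping it to DST_TIME_DELETE or rejecting it with a message is safer than silent reinterpretation. At minimum annotate the define: `#define DST_TIME_INACTIVE 4 /* was DST_TIME_UNPUBLISH; semantics differ */`.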