358. [cleanup] Rename the intermediate files used by the dnssec

programs.

358. [cleanup] Rename the intermediate files used by the dnssec
programs.
529a6b52 · Brian Wellington · 862a026a · 529a6b52 · 529a6b52 · 529a6b52
Commit 529a6b52 authored Jul 31, 2000 by Brian Wellington
--- a/CHANGES
+++ b/CHANGES
+ 358.	[cleanup]	Rename the intermediate files used by the dnssec
+			programs.
+
 357.	[bug]		The zone file parser crashed when seeing a quoted
 			$INCLUDE.


--- a/bin/dnssec/dnssec-makekeyset.8
+++ b/bin/dnssec/dnssec-makekeyset.8
@@ -13,7 +13,7 @@
 .\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
 .\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\" 
-.\" $Id: dnssec-makekeyset.8,v 1.5 2000/07/27 09:42:33 tale Exp $
+.\" $Id: dnssec-makekeyset.8,v 1.6 2000/07/31 15:28:19 bwelling Exp $
 .\" 
 .Dd Jun 30, 2000
 .Dt DNSSEC-MAKEKEYSET 8
@@ -147,14 +147,14 @@ to print a short summary of its options and arguments.
 If
 .Nm dnssec-makekeyset
 is successful, it creates a file name of the form
-.Ar nnnn.keyset .
+.Ar keyset-nnnn. .
 This file contains the KEY and SIG records for domain
 .Dv nnnn ,
 the domain name part from the key file identifier produced when
 .Nm dnssec-keygen
 created the domain's public and private keys.
 The
-.Ar .keyset
+.Ar keyset
 file can then be transferred to the DNS administrator of the parent
 zone for them to sign the contents with
 .Xr dnssec-signkey 8 .
@@ -174,7 +174,7 @@ the command line when running
 .Pp
 .Nm dnssec-makekeyset
 will create a file called
-.Pa example.com.keyset
+.Pa keyset-example.com.
 containing a SIG and KEY record for
 .Dv example.com.
 These records will have a TTL of 86400 seconds (1 day).
@@ -184,7 +184,7 @@ The SIG record becomes valid at noon UTC on July 1st 2000 and expires
 The DNS administrator for
 .Dv example.com
 could then send
-.Pa example.com.keyset
+.Pa keyset-example.com.
 to the DNS administrator for
 .Dv .com
 so that they could sign the resource records in the file.

--- a/bin/dnssec/dnssec-makekeyset.c
+++ b/bin/dnssec/dnssec-makekeyset.c
@@ -17,7 +17,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: dnssec-makekeyset.c,v 1.29 2000/07/30 20:53:49 bwelling Exp $ */
+/* $Id: dnssec-makekeyset.c,v 1.30 2000/07/31 15:28:12 bwelling Exp $ */

 #include <config.h>

@@ -103,6 +103,8 @@ usage(void) {
 	fprintf(stderr, "\t\tSIG end time  - "
 			     "absolute|from start|from now (now + 30 days)\n");
 	fprintf(stderr, "\t-t ttl\n");
+	fprintf(stderr, "\t-p\n");
+	fprintf(stderr, "\t\tuse pseudorandom data (faster but less secure)\n");
 	fprintf(stderr, "\t-r randomdev:\n");
 	fprintf(stderr, "\t\ta file containing random data\n");
 	fprintf(stderr, "\t-v level:\n");
@@ -138,6 +140,8 @@ main(int argc, char *argv[]) {
 	isc_log_t *log = NULL;
 	keynode_t *keynode;
 	dns_name_t *savedname = NULL;
+	unsigned int eflags;
+	isc_boolean_t pseudorandom = ISC_FALSE;

 	result = isc_mem_create(0, 0, &mctx);
 	if (result != ISC_R_SUCCESS)
@@ -146,7 +150,7 @@ main(int argc, char *argv[]) {

 	dns_result_register();

-	while ((ch = isc_commandline_parse(argc, argv, "s:e:t:r:v:h")) != -1)
+	while ((ch = isc_commandline_parse(argc, argv, "s:e:t:r:v:ph")) != -1)
 	{
 		switch (ch) {
 		case 's':
@@ -184,6 +188,10 @@ main(int argc, char *argv[]) {
 				fatal("verbose level must be numeric");
 			break;

+		case 'p':
+			pseudorandom = ISC_TRUE;
+			break;
+
 		case 'h':
 		default:
 			usage();
@@ -200,8 +208,10 @@ main(int argc, char *argv[]) {
 	setup_entropy(mctx, randomfile, &ectx);
 	if (randomfile != NULL)
 		isc_mem_free(mctx, randomfile);
-	result = dst_lib_init(mctx, ectx,
-			      ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
+	eflags = ISC_ENTROPY_BLOCKING;
+	if (!pseudorandom)
+		eflags |= ISC_ENTROPY_GOODONLY;
+	result = dst_lib_init(mctx, ectx, eflags);
 	if (result != ISC_R_SUCCESS)
 		fatal("could not initialize dst");

@@ -266,12 +276,12 @@ main(int argc, char *argv[]) {
 		}
 		if (output == NULL) {
 			output = isc_mem_allocate(mctx,
-						  strlen(namestr) +
-						  strlen("keyset") + 1);
+						  strlen("keyset-") +
+						  strlen(namestr) + 1);
 			if (output == NULL)
 				fatal("out of memory");
-			strcpy(output, namestr);
-			strcat(output, "keyset");
+			strcpy(output, "keyset-");
+			strcat(output, namestr);
 		}
 		if (domain == NULL) {
 			dns_fixedname_init(&fdomain);

--- a/bin/dnssec/dnssec-signkey.8
+++ b/bin/dnssec/dnssec-signkey.8
@@ -13,7 +13,7 @@
 .\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
 .\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\" 
-.\" $Id: dnssec-signkey.8,v 1.6 2000/07/27 09:42:34 tale Exp $
+.\" $Id: dnssec-signkey.8,v 1.7 2000/07/31 15:28:20 bwelling Exp $
 .\" 
 .Dd Jun 30, 2000
 .Dt DNSSEC-SIGNKEY 8
@@ -34,7 +34,7 @@
 .Nm dnssec-signkey
 is used to sign a key set for a child zone.
 Typically this would be provided by a 
-.Ar .keyset
+.Ar keyset
 file generated by
 .Xr dnssec-makekeyset 8 .
 This provides a mechanism for a DNSSEC-aware zone to sign the keys of
@@ -43,7 +43,7 @@ The child zone's key set gets signed with the zone keys for its parent
 zone.
 .Ar keyset
 will be the pathname of the child zone's
-.Ar .keyset
+.Ar keyset
 file.
 Each
 .Ar keyfile
@@ -102,7 +102,7 @@ The default level is zero.
 When
 .Nm dnssec-signkey
 completes successfully, it generates a file called
-.Ar nnnn.signedkey
+.Ar signedkey-nnnn.
 containing the signed keys for child zone
 .Ar nnnn .
 The keys from the
@@ -125,13 +125,13 @@ The DNS administrator for a DNSSEC-aware
 zone would use the following command to make
 .Nm dnssec-signkey
 sign the
-.Ar .keyset
+.Ar keyset
 file for
 .Dv example.com
 created in the example shown in the man page for
 .Xr dnssec-makekeyset 8 :
 .Pp
-.Dl # dnssec-signkey example.com.keyset Kcom.+003+51944
+.Dl # dnssec-signkey keyset-example.com. Kcom.+003+51944
 .Pp
 where
 .Dv Kcom.+003+51944
@@ -143,7 +143,7 @@ zone.
 .Pp
 .Nm dnssec-signkey
 will produce a file called
-.Dv example.com.signedkey
+.Dv signedkey-example.com.
 which has the keys for
 .Dv example.com
 signed by the

--- a/bin/dnssec/dnssec-signkey.c
+++ b/bin/dnssec/dnssec-signkey.c
@@ -17,7 +17,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: dnssec-signkey.c,v 1.28 2000/06/22 21:49:03 tale Exp $ */
+/* $Id: dnssec-signkey.c,v 1.29 2000/07/31 15:28:13 bwelling Exp $ */

 #include <config.h>

@@ -212,14 +212,14 @@ main(int argc, char *argv[]) {

 	setup_logging(verbose, mctx, &log);

-	if (strlen(argv[0]) < 8 ||
-	    strcmp(argv[0] + strlen(argv[0]) - 7, ".keyset") != 0)
-		fatal("keyset file must end in .keyset");
+	if (strlen(argv[0]) < 8 || strncmp(argv[0], "keyset-", 7) != 0)
+		fatal("keyset file '%s' must start with keyset-", argv[0]);

 	dns_fixedname_init(&fdomain);
 	domain = dns_fixedname_name(&fdomain);
-	isc_buffer_init(&b, argv[0], strlen(argv[0]) - 7);
-	isc_buffer_add(&b, strlen(argv[0]) - 7);
+	isc_buffer_init(&b, argv[0] + strlen("keyset-"),
+			strlen(argv[0]) - strlen("keyset-"));
+	isc_buffer_add(&b, strlen(argv[0]) - strlen("keyset-"));
 	result = dns_name_fromtext(domain, &b, dns_rootname, ISC_FALSE, NULL);
 	if (result != ISC_R_SUCCESS)
 		fatal("'%s' does not contain a valid domain name", argv[0]);
@@ -230,11 +230,11 @@ main(int argc, char *argv[]) {
 	tdomain[r.length] = 0;

 	output = isc_mem_allocate(mctx,
-				  strlen(tdomain) + strlen("signedkey") + 1);
+				  strlen("signedkey-") + strlen(tdomain) + 1);
 	if (output == NULL)
 		fatal("out of memory");
-	strcpy(output, tdomain);
-	strcat(output, "signedkey");
+	strcpy(output, "signedkey-");
+	strcat(output, tdomain);

 	db = NULL;
 	result = dns_db_create(mctx, "rbt", domain, dns_dbtype_zone,

--- a/bin/dnssec/dnssec-signzone.8
+++ b/bin/dnssec/dnssec-signzone.8
@@ -13,7 +13,7 @@
 .\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
 .\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\" 
-.\" $Id: dnssec-signzone.8,v 1.8 2000/07/27 09:42:35 tale Exp $
+.\" $Id: dnssec-signzone.8,v 1.9 2000/07/31 15:28:21 bwelling Exp $
 .\" 
 .Dd Jun 30, 2000
 .Dt DNSSEC-SIGNZONE 8
@@ -40,7 +40,7 @@
 .Nm dnssec-signzone
 is used to sign a zone.
 Any
-.Ar .signedkey
+.Ar signedkey
 files for the zone to be signed should be present in the current
 directory, along with the keys that will be used to sign the zone.
 If no
@@ -57,7 +57,7 @@ Each
 argument would be an identification string for a key created with
 .Xr dnssec-keygen 8 .
 If the zone to be signed has any secure subzones, the
-.Ar .signedkey
+.Ar signedkey
 files for those subzones need to be available in the
 current working directory used by
 .Nm dnssec-signzone .
@@ -222,18 +222,14 @@ The zone file for this zone is
 which is the same as the origin, so there is no need to use the
 .Fl o
 option to set the origin.
-This zone file contains the keyset for
-.Dv example.com
-that was created by
-.Xr dnssec-makekeyset 8 .
 The zone's keys were either appended to the zone file or
 incorporated using a 
 .Dv $INCLUDE 
 statement.
 If there was a
-.Ar .signedkey
+.Ar signedkey
 file from the parent zone - i.e. 
-.Dv example.com.signedkey 
+.Dv signedkey-example.com.
 - it should be present in the current directory.
 This allows the parent zone's signature to be included in the signed
 version of the
@@ -258,5 +254,4 @@ so that it can be loaded by the name server.
 .Sh SEE ALSO
 .Xr RFC2535,
 .Xr dnssec-keygen 8 ,
-.Xr dnssec-makekeyset 8 ,
 .Xr dnssec-signkey 8 .
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -17,7 +17,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: dnssec-signzone.c,v 1.81 2000/06/22 21:49:04 tale Exp $ */
+/* $Id: dnssec-signzone.c,v 1.82 2000/07/31 15:28:14 bwelling Exp $ */

 #include <config.h>

@@ -512,18 +512,19 @@ importparentsig(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
 {
 	unsigned char filename[256];
 	isc_buffer_t b;
-	isc_region_t r;
 	dns_db_t *newdb = NULL;
 	dns_dbnode_t *newnode = NULL;
 	dns_rdataset_t newset, sigset;
 	dns_rdata_t rdata, newrdata;
 	isc_result_t result;

-	isc_buffer_init(&b, filename, sizeof(filename) - 10);
+	isc_buffer_init(&b, filename, sizeof(filename));
+	isc_buffer_putstr(&b, "signedkey-");
 	result = dns_name_totext(name, ISC_FALSE, &b);
 	check_result(result, "dns_name_totext()");
-	isc_buffer_usedregion(&b, &r);
-	strcpy((char *)r.base + r.length, "signedkey");
+	if (isc_buffer_availablelength(&b) == 0)
+		fatal("name '%s' is too long", nametostr(name));
+	isc_buffer_putmem(&b, "", 1);
 	result = dns_db_create(mctx, "rbt", name, dns_dbtype_zone,
 			       dns_db_class(db), 0, NULL, &newdb);
 	check_result(result, "dns_db_create()");
@@ -588,7 +589,6 @@ static isc_boolean_t
 haschildkey(dns_db_t *db, dns_name_t *name) {
 	unsigned char filename[256];
 	isc_buffer_t b;
-	isc_region_t r;
 	dns_db_t *newdb = NULL;
 	dns_dbnode_t *newnode = NULL;
 	dns_rdataset_t set, sigset;
@@ -601,11 +601,13 @@ haschildkey(dns_db_t *db, dns_name_t *name) {
 	dns_rdataset_init(&set);
 	dns_rdataset_init(&sigset);

-	isc_buffer_init(&b, filename, sizeof(filename) - 10);
+	isc_buffer_init(&b, filename, sizeof(filename));
+	isc_buffer_putstr(&b, "signedkey-");
 	result = dns_name_totext(name, ISC_FALSE, &b);
 	check_result(result, "dns_name_totext()");
-	isc_buffer_usedregion(&b, &r);
-	strcpy((char *)r.base + r.length, "signedkey");
+	if (isc_buffer_availablelength(&b) == 0)
+		fatal("name '%s' is too long", nametostr(name));
+	isc_buffer_putmem(&b, "", 1);
 	result = dns_db_create(mctx, "rbt", name, dns_dbtype_zone,
 			      dns_db_class(db), 0, NULL, &newdb);
 	check_result(result, "dns_db_create()");
@@ -839,6 +841,10 @@ signname(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
 				signset(db, version, node, name, &keyset);
 alreadyhavenullkey:
 				dns_rdataset_disassociate(&keyset);
+			} else if (isdelegation) {
+				vbprintf(2, "child key for %s found\n",
+					 nametostr(name));
+
 			}
 #endif
 		}

--- a/bin/tests/system/dnssec/clean.sh
+++ b/bin/tests/system/dnssec/clean.sh
@@ -15,9 +15,9 @@
 # NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
 # WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

-# $Id: clean.sh,v 1.6 2000/07/27 09:39:19 tale Exp $
+# $Id: clean.sh,v 1.7 2000/07/31 15:28:15 bwelling Exp $

-rm -f */K* */.keyset */*.keyset */*.signedkey */*.signed */trusted.conf
+rm -f */K* */keyset-* */signedkey-* */*.signed */trusted.conf
 rm -f ns1/root.db ns2/example.db ns3/secure.example.db
 rm -f ns3/unsecure.example.db ns3/bogus.example.db
 rm -f dig.out.* 

--- a/bin/tests/system/dnssec/ns1/sign.sh
+++ b/bin/tests/system/dnssec/ns1/sign.sh
@@ -15,7 +15,7 @@
 # NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
 # WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

-# $Id: sign.sh,v 1.8 2000/07/27 09:39:24 tale Exp $
+# $Id: sign.sh,v 1.9 2000/07/31 15:28:16 bwelling Exp $

 SYSTEMTESTTOP=../..
 . $SYSTEMTESTTOP/conf.sh
@@ -30,11 +30,11 @@ keyname=`$KEYGEN -a RSA -b 768 -n zone -r $RANDFILE $zone`

 (cd ../ns2 && sh sign.sh )

-cp ../ns2/example.keyset .
+cp ../ns2/keyset-example. .

-$KEYSIGNER -r $RANDFILE example.keyset $keyname
+$KEYSIGNER -r $RANDFILE keyset-example. $keyname

-cat example.signedkey >> ../ns2/example.db.signed
+cat signedkey-example. >> ../ns2/example.db.signed

 $KEYSETTOOL -r $RANDFILE -t 3600 $keyname


--- a/bin/tests/system/dnssec/ns2/sign.sh
+++ b/bin/tests/system/dnssec/ns2/sign.sh
@@ -15,7 +15,7 @@
 # NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
 # WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

-# $Id: sign.sh,v 1.11 2000/07/27 09:39:31 tale Exp $
+# $Id: sign.sh,v 1.12 2000/07/31 15:28:18 bwelling Exp $

 SYSTEMTESTTOP=../..
 . $SYSTEMTESTTOP/conf.sh
@@ -33,21 +33,21 @@ keyname=`$KEYGEN -r $RANDFILE -a RSA -b 768 -n zone $zone`

 ( cd ../ns3 && sh sign.sh )

-cp ../ns3/secure.example.keyset .
+cp ../ns3/keyset-secure.example. .

-$KEYSIGNER -r $RANDFILE secure.example.keyset $keyname
+$KEYSIGNER -r $RANDFILE keyset-secure.example. $keyname

 # This will leave two copies of the child's zone key in the signed db file;
 # that shouldn't cause any problems.
-cat secure.example.signedkey >>../ns3/secure.example.db.signed
+cat signedkey-secure.example. >>../ns3/secure.example.db.signed

-cp ../ns3/bogus.example.keyset .
+cp ../ns3/keyset-bogus.example. .

-$KEYSIGNER -r $RANDFILE bogus.example.keyset $keyname
+$KEYSIGNER -r $RANDFILE keyset-bogus.example. $keyname

 # This will leave two copies of the child's zone key in the signed db file;
 # that shouldn't cause any problems.
-cat bogus.example.signedkey >>../ns3/bogus.example.db.signed
+cat signedkey-bogus.example. >>../ns3/bogus.example.db.signed

 $KEYSETTOOL -r $RANDFILE -t 3600 $keyname


--- a/doc/man/dnssec/dnssec-makekeyset.8
+++ b/doc/man/dnssec/dnssec-makekeyset.8
@@ -13,7 +13,7 @@
 .\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
 .\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\" 
-.\" $Id: dnssec-makekeyset.8,v 1.5 2000/07/27 09:42:33 tale Exp $
+.\" $Id: dnssec-makekeyset.8,v 1.6 2000/07/31 15:28:19 bwelling Exp $
 .\" 
 .Dd Jun 30, 2000
 .Dt DNSSEC-MAKEKEYSET 8
@@ -147,14 +147,14 @@ to print a short summary of its options and arguments.
 If
 .Nm dnssec-makekeyset
 is successful, it creates a file name of the form
-.Ar nnnn.keyset .
+.Ar keyset-nnnn. .
 This file contains the KEY and SIG records for domain
 .Dv nnnn ,
 the domain name part from the key file identifier produced when
 .Nm dnssec-keygen
 created the domain's public and private keys.
 The
-.Ar .keyset
+.Ar keyset
 file can then be transferred to the DNS administrator of the parent
 zone for them to sign the contents with
 .Xr dnssec-signkey 8 .
@@ -174,7 +174,7 @@ the command line when running
 .Pp
 .Nm dnssec-makekeyset
 will create a file called
-.Pa example.com.keyset
+.Pa keyset-example.com.
 containing a SIG and KEY record for
 .Dv example.com.
 These records will have a TTL of 86400 seconds (1 day).
@@ -184,7 +184,7 @@ The SIG record becomes valid at noon UTC on July 1st 2000 and expires
 The DNS administrator for
 .Dv example.com
 could then send
-.Pa example.com.keyset
+.Pa keyset-example.com.
 to the DNS administrator for
 .Dv .com
 so that they could sign the resource records in the file.

--- a/doc/man/dnssec/dnssec-signkey.8
+++ b/doc/man/dnssec/dnssec-signkey.8
@@ -13,7 +13,7 @@
 .\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
 .\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\" 
-.\" $Id: dnssec-signkey.8,v 1.6 2000/07/27 09:42:34 tale Exp $
+.\" $Id: dnssec-signkey.8,v 1.7 2000/07/31 15:28:20 bwelling Exp $
 .\" 
 .Dd Jun 30, 2000
 .Dt DNSSEC-SIGNKEY 8
@@ -34,7 +34,7 @@
 .Nm dnssec-signkey
 is used to sign a key set for a child zone.
 Typically this would be provided by a 
-.Ar .keyset
+.Ar keyset
 file generated by
 .Xr dnssec-makekeyset 8 .
 This provides a mechanism for a DNSSEC-aware zone to sign the keys of
@@ -43,7 +43,7 @@ The child zone's key set gets signed with the zone keys for its parent
 zone.
 .Ar keyset
 will be the pathname of the child zone's
-.Ar .keyset
+.Ar keyset
 file.
 Each
 .Ar keyfile
@@ -102,7 +102,7 @@ The default level is zero.
 When
 .Nm dnssec-signkey
 completes successfully, it generates a file called
-.Ar nnnn.signedkey
+.Ar signedkey-nnnn.
 containing the signed keys for child zone
 .Ar nnnn .
 The keys from the
@@ -125,13 +125,13 @@ The DNS administrator for a DNSSEC-aware
 zone would use the following command to make
 .Nm dnssec-signkey
 sign the
-.Ar .keyset
+.Ar keyset
 file for
 .Dv example.com
 created in the example shown in the man page for
 .Xr dnssec-makekeyset 8 :
 .Pp
-.Dl # dnssec-signkey example.com.keyset Kcom.+003+51944
+.Dl # dnssec-signkey keyset-example.com. Kcom.+003+51944
 .Pp
 where
 .Dv Kcom.+003+51944
@@ -143,7 +143,7 @@ zone.
 .Pp
 .Nm dnssec-signkey
 will produce a file called
-.Dv example.com.signedkey
+.Dv signedkey-example.com.
 which has the keys for
 .Dv example.com
 signed by the

--- a/doc/man/dnssec/dnssec-signzone.8
+++ b/doc/man/dnssec/dnssec-signzone.8
@@ -13,7 +13,7 @@
 .\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
 .\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\" 
-.\" $Id: dnssec-signzone.8,v 1.8 2000/07/27 09:42:35 tale Exp $
+.\" $Id: dnssec-signzone.8,v 1.9 2000/07/31 15:28:21 bwelling Exp $
 .\" 
 .Dd Jun 30, 2000
 .Dt DNSSEC-SIGNZONE 8
@@ -40,7 +40,7 @@
 .Nm dnssec-signzone
 is used to sign a zone.
 Any
-.Ar .signedkey
+.Ar signedkey
 files for the zone to be signed should be present in the current
 directory, along with the keys that will be used to sign the zone.
 If no
@@ -57,7 +57,7 @@ Each
 argument would be an identification string for a key created with
 .Xr dnssec-keygen 8 .
 If the zone to be signed has any secure subzones, the
-.Ar .signedkey
+.Ar signedkey
 files for those subzones need to be available in the
 current working directory used by
 .Nm dnssec-signzone .
@@ -222,18 +222,14 @@ The zone file for this zone is
 which is the same as the origin, so there is no need to use the
 .Fl o
 option to set the origin.
-This zone file contains the keyset for
-.Dv example.com
-that was created by
-.Xr dnssec-makekeyset 8 .
 The zone's keys were either appended to the zone file or
 incorporated using a 
 .Dv $INCLUDE 
 statement.
 If there was a
-.Ar .signedkey
+.Ar signedkey
 file from the parent zone - i.e. 
-.Dv example.com.signedkey 
+.Dv signedkey-example.com.
 - it should be present in the current directory.
 This allows the parent zone's signature to be included in the signed
 version of the
@@ -258,5 +254,4 @@ so that it can be loaded by the name server.
 .Sh SEE ALSO
 .Xr RFC2535,
 .Xr dnssec-keygen 8 ,
-.Xr dnssec-makekeyset 8 ,
 .Xr dnssec-signkey 8 .