Commit 821f041d authored by Evan Hunt's avatar Evan Hunt

"dnssec-keys" is now a synonym for "managed-keys"

- managed-keys is now deprecated as well as trusted-keys, though
  it continues to work as a synonym for dnssec-keys
- references to managed-keys have been updated throughout the code.
- tests have been updated to use dnssec-keys format
- also the trusted-keys entries have been removed from the generated
  bind.keys.h file and are no longer generated by bindkeys.pl.
parent fec03258
......@@ -133,13 +133,13 @@ static bool use_tcp = false;
static char *anchorfile = NULL;
static char *trust_anchor = NULL;
static char *dlv_anchor = NULL;
static int trusted_keys = 0;
static int num_keys = 0;
static dns_fixedname_t afn, dfn;
static dns_name_t *anchor_name = NULL, *dlv_name = NULL;
/* Default bind.keys contents */
static char anchortext[] = MANAGED_KEYS;
static char anchortext[] = DNSSEC_KEYS;
/*
* Static function prototypes
......@@ -642,7 +642,7 @@ key_fromconfig(const cfg_obj_t *key, dns_client_t *client) {
CHECK(dns_client_addtrustedkey(client, dns_rdataclass_in,
keyname, &rrdatabuf));
trusted_keys++;
num_keys++;
cleanup:
if (result == DST_R_NOCRYPTO)
......@@ -693,13 +693,15 @@ static isc_result_t
setup_dnsseckeys(dns_client_t *client) {
isc_result_t result;
cfg_parser_t *parser = NULL;
const cfg_obj_t *keys = NULL;
const cfg_obj_t *trusted_keys = NULL;
const cfg_obj_t *managed_keys = NULL;
const cfg_obj_t *dnssec_keys = NULL;
cfg_obj_t *bindkeys = NULL;
const char *filename = anchorfile;
if (!root_validation && !dlv_validation)
if (!root_validation && !dlv_validation) {
return (ISC_R_SUCCESS);
}
if (filename == NULL) {
#ifndef WIN32
......@@ -714,27 +716,33 @@ setup_dnsseckeys(dns_client_t *client) {
if (trust_anchor == NULL) {
trust_anchor = isc_mem_strdup(mctx, ".");
if (trust_anchor == NULL)
if (trust_anchor == NULL) {
fatal("out of memory");
}
}
if (trust_anchor != NULL)
if (trust_anchor != NULL) {
CHECK(convert_name(&afn, &anchor_name, trust_anchor));
if (dlv_anchor != NULL)
}
if (dlv_anchor != NULL) {
CHECK(convert_name(&dfn, &dlv_name, dlv_anchor));
}
CHECK(cfg_parser_create(mctx, dns_lctx, &parser));
if (access(filename, R_OK) != 0) {
if (anchorfile != NULL)
if (anchorfile != NULL) {
fatal("Unable to read key file '%s'", anchorfile);
}
} else {
result = cfg_parse_file(parser, filename,
&cfg_type_bindkeys, &bindkeys);
if (result != ISC_R_SUCCESS)
if (anchorfile != NULL)
if (result != ISC_R_SUCCESS) {
if (anchorfile != NULL) {
fatal("Unable to load keys from '%s'",
anchorfile);
}
}
}
if (bindkeys == NULL) {
......@@ -744,25 +752,34 @@ setup_dnsseckeys(dns_client_t *client) {
isc_buffer_add(&b, sizeof(anchortext) - 1);
result = cfg_parse_buffer(parser, &b, NULL, 0,
&cfg_type_bindkeys, 0, &bindkeys);
if (result != ISC_R_SUCCESS)
if (result != ISC_R_SUCCESS) {
fatal("Unable to parse built-in keys");
}
}
INSIST(bindkeys != NULL);
cfg_map_get(bindkeys, "trusted-keys", &keys);
cfg_map_get(bindkeys, "trusted-keys", &trusted_keys);
cfg_map_get(bindkeys, "managed-keys", &managed_keys);
cfg_map_get(bindkeys, "dnssec-keys", &dnssec_keys);
if (keys != NULL)
CHECK(load_keys(keys, client));
if (managed_keys != NULL)
if (trusted_keys != NULL) {
CHECK(load_keys(trusted_keys, client));
}
if (managed_keys != NULL) {
CHECK(load_keys(managed_keys, client));
}
if (dnssec_keys != NULL) {
CHECK(load_keys(dnssec_keys, client));
}
result = ISC_R_SUCCESS;
if (trusted_keys == 0)
if (num_keys == 0) {
fatal("No trusted keys were loaded");
}
if (dlv_validation)
if (dlv_validation) {
dns_client_setdlv(client, dns_rdataclass_in, dlv_anchor);
}
cleanup:
......@@ -772,9 +789,10 @@ setup_dnsseckeys(dns_client_t *client) {
if (parser != NULL) {
cfg_parser_destroy(&parser);
}
if (result != ISC_R_SUCCESS)
if (result != ISC_R_SUCCESS) {
delv_log(ISC_LOG_ERROR, "setup_dnsseckeys: %s",
isc_result_totext(result));
}
return (result);
}
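Review bot: The three `cfg_map_get` lookups in `setup_dnsseckeys` pull `trusted-keys`, `managed-keys` and `dnssec-keys` out of the same parsed bind.keys object without saying that the last two are synonyms, while the equivalent lookups in `configure_view_dnsseckeys` carry `/* managed-keys and dnssec-keys are synonyms. */`; add the same comment above the `"managed-keys"` lookup here so the two call sites read alike. A file that lists the same key under both statement names is passed to `load_keys` twice, and whether `dns_client_addtrustedkey` tolerates the duplicate cannot be seen from these hunks, so a one-line comment stating the expected outcome would help the next reader. Renaming the static counter to `num_keys` also removes the shadowing by the new local `trusted_keys` pointer, which is the reason the `if (num_keys == 0)` check still works.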
......@@ -290,10 +290,10 @@ view \"_bind\" chaos {\n\
# \"dnssec-validation auto;\" is set and\n\
# sysconfdir/bind.keys doesn't exist).\n\
#\n\
# BEGIN MANAGED KEYS\n"
# BEGIN DNSSEC KEYS\n"
/* Imported from bind.keys.h: */
MANAGED_KEYS
DNSSEC_KEYS
"# END MANAGED KEYS\n\
\n\
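Review bot: The closing marker on the line after the `DNSSEC_KEYS` include still reads `"# END MANAGED KEYS\n\` while the opening marker two lines earlier was changed to `# BEGIN DNSSEC KEYS\n"`, so the built-in configuration text now has mismatched delimiters; change it to `"# END DNSSEC KEYS\n\`. Nothing in this diff is visible that parses these markers, but anything that locates the built-in key section by them would break on the inconsistency.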
......@@ -901,7 +901,7 @@ process_key(const cfg_obj_t *key, dns_keytable_t *secroots,
/*
* Add the key to 'secroots'. Keys from a "dnssec-keys" or
* "managed-keys" * statement may be either static or initializing
* "managed-keys" statement may be either static or initializing
* keys. If it's not initializing, we don't want to treat it as
* managed, so we use 'initializing' twice here, for both the
* 'managed' and 'initializing' arguments to dns_keytable_add().
......@@ -1002,7 +1002,9 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
const cfg_obj_t *view_keys = NULL;
const cfg_obj_t *global_keys = NULL;
const cfg_obj_t *view_managed_keys = NULL;
const cfg_obj_t *view_dnssec_keys = NULL;
const cfg_obj_t *global_managed_keys = NULL;
const cfg_obj_t *global_dnssec_keys = NULL;
const cfg_obj_t *maps[4];
const cfg_obj_t *voptions = NULL;
const cfg_obj_t *options = NULL;
......@@ -1022,15 +1024,24 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
if (voptions != NULL) {
(void) cfg_map_get(voptions, "trusted-keys",
&view_keys);
/* managed-keys and dnssec-keys are synonyms. */
(void) cfg_map_get(voptions, "managed-keys",
&view_managed_keys);
(void) cfg_map_get(voptions, "dnssec-keys",
&view_dnssec_keys);
maps[i++] = voptions;
}
}
if (config != NULL) {
(void)cfg_map_get(config, "trusted-keys", &global_keys);
/* managed-keys and dnssec-keys are synonyms. */
(void)cfg_map_get(config, "managed-keys", &global_managed_keys);
(void)cfg_map_get(config, "dnssec-keys", &global_dnssec_keys);
(void)cfg_map_get(config, "options", &options);
if (options != NULL) {
maps[i++] = options;
......@@ -1061,7 +1072,7 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
/*
* If bind.keys exists and is populated, it overrides
* the managed-keys clause hard-coded in named_g_config.
* the dnssec-keys clause hard-coded in named_g_config.
*/
if (bindkeys != NULL) {
isc_log_write(named_g_lctx, DNS_LOGCATEGORY_SECURITY,
......@@ -1070,7 +1081,7 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
"from '%s'",
view->name, named_g_server->bindkeysfile);
(void)cfg_map_get(bindkeys, "managed-keys",
(void)cfg_map_get(bindkeys, "dnssec-keys",
&builtin_keys);
if (builtin_keys == NULL) {
......@@ -1090,7 +1101,7 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
"using built-in root key for view %s",
view->name);
(void)cfg_map_get(named_g_config, "managed-keys",
(void)cfg_map_get(named_g_config, "dnssec-keys",
&builtin_keys);
}
......@@ -1110,11 +1121,14 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
CHECK(load_view_keys(view_keys, view, false, NULL, mctx));
CHECK(load_view_keys(view_managed_keys, view, true, NULL, mctx));
CHECK(load_view_keys(view_dnssec_keys, view, true, NULL, mctx));
if (view->rdclass == dns_rdataclass_in) {
CHECK(load_view_keys(global_keys, view, false, NULL, mctx));
CHECK(load_view_keys(global_managed_keys, view, true,
NULL, mctx));
CHECK(load_view_keys(global_dnssec_keys, view, true,
NULL, mctx));
}
/*
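Review bot: In the `bindkeys != NULL` branch only `"dnssec-keys"` is looked up in the parsed bind.keys file, whereas the view and global lookups earlier in the same function accept both `"managed-keys"` and `"dnssec-keys"`. A bind.keys file installed from an earlier release starts with `managed-keys {` (the removed `MANAGED_KEYS` text in bind.keys.h shows that format), so after this change `builtin_keys` comes back NULL for such a file and named presumably takes the `builtin_keys == NULL` branch (its body lies outside the hunk) instead of honouring the operator's anchors. Fall back to the synonym: keep `(void)cfg_map_get(bindkeys, "dnssec-keys", &builtin_keys);` and add `if (builtin_keys == NULL) { (void)cfg_map_get(bindkeys, "managed-keys", &builtin_keys); }`. `configure_view_dnsseckeys` starts and ends outside these hunks.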
......@@ -13,7 +13,7 @@ options {
dnssec-validation yes;
};
managed-keys {
dnssec-keys {
. initial-key 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl
25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG
tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY
......@@ -9,7 +9,7 @@
* information regarding copyright ownership.
*/
managed-keys {
dnssec-keys {
dlv.isc.org static-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWE
n4MxDCE1+lLy2brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8
+jAGl2FZLK8t+1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ
......@@ -9,7 +9,7 @@
* information regarding copyright ownership.
*/
managed-keys {
dnssec-keys {
# This key (19036) is to be phased out starting in 2017. It will
# remain in the root zone for some time after its successor key
# has been added. It will remain this file until it is removed from
......@@ -9,7 +9,7 @@
* information regarding copyright ownership.
*/
managed-keys {
dnssec-keys {
# This key (20326) was published in the root zone in 2017.
# Servers which were already using the old key (19036) should
# roll seamlessly to this new one via RFC 5011 rollover. Servers
......@@ -9,7 +9,7 @@
* information regarding copyright ownership.
*/
managed-keys {
dnssec-keys {
# This key (19036) is to be phased out starting in 2017. It will
# remain in the root zone for some time after its successor key
# has been added. It will remain this file until it is removed from
......@@ -9,7 +9,7 @@
* information regarding copyright ownership.
*/
managed-keys {
dnssec-keys {
# This key (19036) is to be phased out starting in 2017. It will
# remain in the root zone for some time after its successor key
# has been added. It will remain this file until it is removed from
......@@ -9,7 +9,7 @@
* information regarding copyright ownership.
*/
managed-keys {
dnssec-keys {
# This key (20326) was published in the root zone in 2017.
# Servers which were already using the old key (19036) should
# roll seamlessly to this new one via RFC 5011 rollover. Servers
......@@ -13,7 +13,7 @@ options {
dnssec-validation yes;
};
managed-keys {
dnssec-keys {
example. initial-key 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl
25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG
tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY
......@@ -427,7 +427,7 @@ echo_i "check that the dlv.isc.org KSK generates a warning ($n)"
ret=0
$CHECKCONF check-dlv-ksk-key.conf > checkconf.out$n 2>/dev/null || ret=1
[ -s checkconf.out$n ] || ret=1
grep "entry for dlv.isc.org still present" checkconf.out$n > /dev/null || ret=1
grep "trust anchor for dlv.isc.org is present" checkconf.out$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
status=`expr $status + $ret`
......@@ -216,7 +216,7 @@ keyfile_to_keys_section() {
for keyname in $*; do
awk '!/^; /{
printf "\t\""$1"\" "
printf "'"$key_prefix"'"
printf "'"$key_prefix "'"
printf $4 " " $5 " " $6 " \""
for (i=7; i<=NF; i++) printf $i
printf "\";\n"
......@@ -226,17 +226,17 @@ keyfile_to_keys_section() {
}
# keyfile_to_trusted_keys: convert key data contained in the keyfile(s)
# provided to a *static* "managed-keys" section suitable for including in a
# provided to a *static* "dnssec-keys" section suitable for including in a
# resolver's configuration file
keyfile_to_trusted_keys() {
keyfile_to_keys_section "managed-keys" "static-key" $*
keyfile_to_keys_section "dnssec-keys" "static-key" $*
}
# keyfile_to_managed_keys: convert key data contained in the keyfile(s)
# provided to a "managed-keys" section suitable for including in a
# provided to a "dnssec-keys" section suitable for including in a
# resolver's configuration file
keyfile_to_managed_keys() {
keyfile_to_keys_section "managed-keys" "initial-key" $*
keyfile_to_keys_section "dnssec-keys" "initial-key" $*
}
# nextpart*() - functions for reading files incrementally
......@@ -487,7 +487,7 @@ dlv DLV 30795 1 1 (
; type 65280-65534 (private use)
; keydata (internal type used for managed-keys)
; keydata (internal type used for managed keys)
keydata TYPE65533 \# 0
keydata TYPE65533 \# 6 010203040506
keydata TYPE65533 \# 18 010203040506010203040506010203040506
managed-keys {
dnssec-keys {
"edns512-notcp." static-key 257 3 10 "AwEAAcEBkn/cuVhdRTWMHt19O7h9F4Hx2t68u1JUZg7swLLvwfljqnNYjsKYk9EzUhIaYOAHtVe7//cYwoVU4BFhY2DGbx1YE1LnKIGxfqpopFxDZC34TTl6jpoTP6kvj+XpeO0HfF2+DcyNgnQcMGgHXyLWeRUJFt1As6o9tmsBiInGIZMTE3/rANhtAGMLNzhRLN7CS/Tc5GhKaL66uebyEYenEOAyDVgsuhr8Q9D5ka6xZmxzXFVswy2KvsSxu9aoxVq4nACjIeTZ4GJy0v83zclV7hA+5jlPDXMFtIpvwux5XALrNkUUPq+Fb5sc5/u141LcvdASnlk58I77HbsnfausvDxdYYxEns7K9e9N85dwyreM/OGTmm8p4hNDngZESAea7MrSCsJpOGn9XLkVe6gZnBgB1cra+ezzTSWn+4QH17lIhFXYNjMV83df2h/gH3Gmthqnr9RgknZga8B/Czc7TeX6iy2gAOshKGyb6w12eJim1L8tS5T138V8d6SigzxZz1raiJNolVhXyA8SbbDpgBrcoEXN/WjwvWI+2ol5gzlqMeNw/F9SMoWdpGIWkkNCNWBbhLWhp6qfhpRLUFwVys54LGOIGSVRd9uJmc2hPdXoP8ephnCIeNJb8Zp6DnpssyN0JaF815dKkOHff9GEjaiRLj0xWvtZSqNFaGoB";
};
......@@ -2,17 +2,16 @@ Copyright (C) Internet Systems Consortium, Inc. ("ISC")
See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
This is for testing managed-keys, in particular with problems
with RFC 5011 Automated Updates of DNSSEC Trust Anchors.
This is for testing RFC 5011 Automated Updates of DNSSEC Trust Anchors.
ns1 is the root server that offers new KSKs and hosts one record for
testing. The TTL for the zone's records is 2 seconds.
ns2 is a validator that uses managed-keys. "-T mkeytimers=2/20/40"
ns2 is a validator that uses managed keys. "-T mkeytimers=2/20/40"
is used so it will attempt do automated updates frequently. "-T tat=1"
is used so it will send TAT queries once per second.
ns3 is a validator with a broken key in managed-keys.
ns3 is a validator with a broken initializing key in dnssec-keys.
ns4 is a validator with a deliberately broken managed-keys.bind and
managed-keys.jnl, causing RFC 5011 initialization to fail.
......@@ -41,6 +41,6 @@ zone "." {
};
# purposely broken key for testing
managed-keys {
dnssec-keys {
"." initial-key 257 3 5 "PURPOSELYBROKEN/xs9iVj7QekClcpzjCf0JrvXW1z07hNMqMm6Q2FtIXMbRgfvTtHF3/ZNvcewT9hpfczC+JACHsQSYYdr7UI8oe4nJfal9+2F3pz4a+HR6CqkgrR6WLWQI1Q==";
};
......@@ -81,7 +81,7 @@ signzone () {
KEYNAME=`$KEYGEN -q -a rsasha256 -K $1 $2`
cat $1/$3 $1/$KEYNAME.key > $1/tmp
$SIGNER -P -K $1 -o $2 -f $1/$4 $1/tmp >/dev/null
sed -n -e 's/\(.*\) IN DNSKEY \([0-9]\{1,\} [0-9]\{1,\} [0-9]\{1,\}\) \(.*\)/managed-keys {"\1" static-key \2 "\3";};/p' $1/$KEYNAME.key >>trusted.conf
sed -n -e 's/\(.*\) IN DNSKEY \([0-9]\{1,\} [0-9]\{1,\} [0-9]\{1,\}\) \(.*\)/dnssec-keys {"\1" static-key \2 "\3";};/p' $1/$KEYNAME.key >>trusted.conf
DSFILENAME=dsset-${2}${TP}
rm $DSFILENAME $1/tmp
}
......@@ -26,7 +26,7 @@
# See https://data.iana.org/root-anchors/root-anchors.xml for current trust
# anchor information for the root zone.
managed-keys {
dnssec-keys {
# This key (20326) was published in the root zone in 2017.
. initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
#ifndef BIND_KEYS_H
#define BIND_KEYS_H 1
#define TRUSTED_KEYS "\
#define DNSSEC_KEYS "\
# The bind.keys file is used to override the built-in DNSSEC trust anchors\n\
# which are included as part of BIND 9. The only trust anchors it contains\n\
# are for the DNS root zone (\".\"). Trust anchors for any other zones MUST\n\
......@@ -29,48 +29,7 @@
# See https://data.iana.org/root-anchors/root-anchors.xml for current trust\n\
# anchor information for the root zone.\n\
\n\
trusted-keys {\n\
# This key (20326) was published in the root zone in 2017.\n\
. 257 3 8 \"AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3\n\
+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv\n\
ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF\n\
0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e\n\
oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd\n\
RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN\n\
R1AkUTV74bU=\";\n\
};\n\
"
#define MANAGED_KEYS "\
# The bind.keys file is used to override the built-in DNSSEC trust anchors\n\
# which are included as part of BIND 9. The only trust anchors it contains\n\
# are for the DNS root zone (\".\"). Trust anchors for any other zones MUST\n\
# be configured elsewhere; if they are configured here, they will not be\n\
# recognized or used by named.\n\
#\n\
# To use the built-in root key, set \"dnssec-validation auto;\" in the\n\
# named.conf options, or else leave \"dnssec-validation\" unset. If\n\
# \"dnssec-validation\" is set to \"yes\", then the keys in this file are\n\
# ignored; keys will need to be explicitly configured in named.conf for\n\
# validation to work. \"auto\" is the default setting, unless named is\n\
# built with \"configure --disable-auto-validation\", in which case the\n\
# default is \"yes\".\n\
#\n\
# This file is NOT expected to be user-configured.\n\
#\n\
# Servers being set up for the first time can use the contents of this file\n\
# as initializing keys; thereafter, the keys in the managed key database\n\
# will be trusted and maintained automatically.\n\
#\n\
# These keys are current as of Mar 2019. If any key fails to initialize\n\
# correctly, it may have expired. In that event you should replace this\n\
# file with a current version. The latest version of bind.keys can always\n\
# be obtained from ISC at https://www.isc.org/bind-keys.\n\
#\n\
# See https://data.iana.org/root-anchors/root-anchors.xml for current trust\n\
# anchor information for the root zone.\n\
\n\
managed-keys {\n\
dnssec-keys {\n\
# This key (20326) was published in the root zone in 2017.\n\
. initial-key 257 3 8 \"AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3\n\
+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv\n\
......@@ -3514,7 +3514,9 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
const cfg_obj_t *opts = NULL;
const cfg_obj_t *plugin_list = NULL;
bool autovalidation = false;
unsigned int tflags, mflags;
bool enablednssec, enablevalidation;
const char *valstr = "no";
unsigned int tflags = 0, dflags = 0, mflags = 0;
/*
* Get global options block
......@@ -3665,7 +3667,7 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
isc_symtab_destroy(&symtab);
/*
* Check trusted-keys and managed-keys.
* Check trusted-keys and dnssec-keys/managed-keys.
*/
tkeys = NULL;
if (voptions != NULL) {
......@@ -3675,7 +3677,6 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
(void)cfg_map_get(config, "trusted-keys", &tkeys);
}
tflags = 0;
for (element = cfg_list_first(tkeys);
element != NULL;
element = cfg_list_next(element))
......@@ -3695,27 +3696,88 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
}
if ((tflags & ROOT_KSK_STATIC) != 0) {
cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
cfg_obj_log(tkeys, logctx, ISC_LOG_WARNING,
"trusted-keys entry for the root zone "
"WILL FAIL after key rollover - use "
"managed-keys with initial-key instead.");
"dnssec-keys with initial-key instead.");
}
if ((tflags & DLV_KSK_KEY) != 0) {
cfg_obj_log(tkeys, logctx, ISC_LOG_WARNING,
"trust anchor for dlv.isc.org is present; "
"dlv.isc.org has been shut down");
}
keys = NULL;
if (voptions != NULL) {
(void)cfg_map_get(voptions, "dnssec-keys", &keys);
}
if (keys == NULL) {
(void)cfg_map_get(config, "dnssec-keys", &keys);
}
for (element = cfg_list_first(keys);
element != NULL;
element = cfg_list_next(element))
{
const cfg_obj_t *keylist = cfg_listelt_value(element);
for (element2 = cfg_list_first(keylist);
element2 != NULL;
element2 = cfg_list_next(element2))
{
obj = cfg_listelt_value(element2);
tresult = check_trusted_key(obj, true, &dflags,
logctx);
if (tresult != ISC_R_SUCCESS) {
result = tresult;
}
}
}
if ((dflags & ROOT_KSK_STATIC) != 0) {
cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
"trusted-keys entry for dlv.isc.org is still "
"present: dlv.isc.org has been shut down");
"static-key entry for the root zone "
"WILL FAIL after key rollover - use "
"dnssec-keys with initial-key instead.");
}
if ((dflags & ROOT_KSK_2010) != 0 && (dflags & ROOT_KSK_2017) == 0) {
cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
"initial-key entry for the root zone "
"uses the 2010 key without the updated "
"2017 key");
}
if ((tflags & ROOT_KSK_ANY) != 0 && (dflags & ROOT_KSK_ANY) != 0) {
cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
"both trusted-keys and dnssec-keys "
"for the root zone are present");
}
if ((dflags & ROOT_KSK_ANY) == ROOT_KSK_ANY) {
cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
"both initial-key and static-key entries for the "
"root zone are present");
}
if ((dflags & DLV_KSK_KEY) != 0) {
cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
"trust anchor for dlv.isc.org is present; "
"dlv.isc.org has been shut down");
}
/*
* "managed-keys" is a backward-compatible synonym for
* "dnssec-keys"; perform the same checks.
*/
mkeys = NULL;
if (voptions != NULL) {
(void)cfg_map_get(voptions, "managed-keys", &mkeys);
}
if (keys == NULL) {
if (mkeys == NULL) {
(void)cfg_map_get(config, "managed-keys", &mkeys);
}
mflags = 0;
for (element = cfg_list_first(mkeys);
element != NULL;
element = cfg_list_next(element))
......@@ -3735,34 +3797,34 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
}
if ((mflags & ROOT_KSK_STATIC) != 0) {
cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
"managed-keys static-key entry for the root zone "
cfg_obj_log(mkeys, logctx, ISC_LOG_WARNING,
"static-key entry for the root zone "
"WILL FAIL after key rollover - use "
"managed-keys with initial-key instead.");
"dnssec-keys with initial-key instead.");
}
if ((mflags & ROOT_KSK_2010) != 0 && (mflags & ROOT_KSK_2017) == 0) {
cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
"managed-keys initial-key entry for the root zone "
cfg_obj_log(mkeys, logctx, ISC_LOG_WARNING,
"initial-key entry for the root zone "
"uses the 2010 key without the updated "
"2017 key");
}
if ((tflags & ROOT_KSK_ANY) != 0 && (mflags & ROOT_KSK_ANY) != 0) {
cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
"both trusted-keys and managed-keys for the "
"root zone are present");
cfg_obj_log(mkeys, logctx, ISC_LOG_WARNING,
"both trusted-keys and managed-keys "
"for the root zone are present");
}
if ((mflags & ROOT_KSK_ANY) == ROOT_KSK_ANY) {
cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
cfg_obj_log(mkeys, logctx, ISC_LOG_WARNING,
"both initial-key and static-key entries for the "
"root zone are present");
}
if ((mflags & DLV_KSK_KEY) != 0) {
cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
"managed-keys entry for dlv.isc.org still present; "
cfg_obj_log(mkeys, logctx, ISC_LOG_WARNING,
"trust anchor for dlv.isc.org is present; "
"dlv.isc.org has been shut down");
}
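Review bot: The new `dnssec-keys` block and the existing `managed-keys` block in `check_viewconf` each cross-check their flags against `tflags`, but `dflags` and `mflags` are never compared with each other. Because the two statements are synonyms, a configuration with a root `static-key` under `managed-keys` and a root `initial-key` under `dnssec-keys` passes every warning here, although the same two entries in one statement would trigger the "both initial-key and static-key entries" warning; a combined check after the `managed-keys` warnings closes that gap. The two blocks are also near-verbatim copies differing only in the statement name and the flag variable, so a helper taking the statement name and a flag pointer would keep the warning texts in step. `check_viewconf` starts and ends outside these hunks.
```c
	/* … unchanged: managed-keys warnings on mflags … */
	if ((dflags & ROOT_KSK_ANY) != 0 && (mflags & ROOT_KSK_ANY) != 0) {
		cfg_obj_log(mkeys, logctx, ISC_LOG_WARNING,
			    "both dnssec-keys and managed-keys "
			    "for the root zone are present");
	}
```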
......@@ -164,19 +164,13 @@ configure_key(isc_mem_t *mctx, const cfg_obj_t *key, irs_dnsconf_t *conf,
}
static isc_result_t
configure_dnsseckeys(irs_dnsconf_t *conf, cfg_obj_t *cfgobj,
dns_rdataclass_t rdclass)
configure_keygroup(irs_dnsconf_t *conf, const cfg_obj_t *keys,
dns_rdataclass_t rdclass)
{
isc_result_t result;