Commit 8c37d3d3 authored by Matthijs Mekking's avatar Matthijs Mekking 🏡

Rename 'dnssec-keys' to 'trust-anchors'

parent e2129fb1
5332. [func] Renamed "dnssec-keys" configuration statement
to the more descriptive "trust-anchors".
5331. [func] Use compiler-provided mechanisms for thread local
storage, and make the requirement for such mechanisms
explicit in configure. [GL #1444]
......@@ -131,8 +131,8 @@ include:
for zones, enabling automatic key regeneration and rollover.
* New new network manager based on libuv.
* Support for the new GeoIP2 geolocation API
* Improved DNSSEC trust anchor configuration using `dnssec-keys`,
permitting configuration of trust anchors in DS as well as
* Improved DNSSEC trust anchor configuration using the `trust-anchors`
statement, permitting configuration of trust anchors in DS as well as
DNSKEY format.
* YAML output for `dig`, `mdig`, and `delv`.
......@@ -140,7 +140,7 @@ static dns_fixedname_t afn;
static dns_name_t *anchor_name = NULL;
/* Default bind.keys contents */
static char anchortext[] = DNSSEC_KEYS;
static char anchortext[] = TRUST_ANCHORS;
/*
* Static function prototypes
......@@ -819,7 +819,7 @@ setup_dnsseckeys(dns_client_t *client) {
cfg_parser_t *parser = NULL;
const cfg_obj_t *trusted_keys = NULL;
const cfg_obj_t *managed_keys = NULL;
const cfg_obj_t *dnssec_keys = NULL;
const cfg_obj_t *trust_anchors = NULL;
cfg_obj_t *bindkeys = NULL;
const char *filename = anchorfile;
......@@ -878,7 +878,7 @@ setup_dnsseckeys(dns_client_t *client) {
INSIST(bindkeys != NULL);
cfg_map_get(bindkeys, "trusted-keys", &trusted_keys);
cfg_map_get(bindkeys, "managed-keys", &managed_keys);
cfg_map_get(bindkeys, "dnssec-keys", &dnssec_keys);
cfg_map_get(bindkeys, "trust-anchors", &trust_anchors);
if (trusted_keys != NULL) {
CHECK(load_keys(trusted_keys, client));
......@@ -886,8 +886,8 @@ setup_dnsseckeys(dns_client_t *client) {
if (managed_keys != NULL) {
CHECK(load_keys(managed_keys, client));
}
if (dnssec_keys != NULL) {
CHECK(load_keys(dnssec_keys, client));
if (trust_anchors != NULL) {
CHECK(load_keys(trust_anchors, client));
}
result = ISC_R_SUCCESS;
......@@ -215,7 +215,7 @@
</para>
<para>
Note: When reading the trust anchor file,
<command>delv</command> treats <option>dnssec-keys</option>
<command>delv</command> treats <option>trust-anchors</option>
<option>initial-key</option> and <option>static-key</option>
entries identically. That is, even if a key is configured
with <command>initial-key</command>, indicating that it is
......@@ -296,7 +296,7 @@ view \"_bind\" chaos {\n\
# BEGIN DNSSEC KEYS\n"
/* Imported from bind.keys.h: */
DNSSEC_KEYS
TRUST_ANCHORS
"# END MANAGED KEYS\n\
\n\
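Review bot: The marker comments that bracket the replaced macro still read `# BEGIN DNSSEC KEYS\n"` and `"# END MANAGED KEYS\n\`, so the built-in configuration text now opens a block under one label, closes it under a different one, and neither matches the `trust-anchors` statement that TRUST_ANCHORS expands to. Unless something outside this page searches for those exact marker strings, both lines should follow the rename: `# BEGIN TRUST ANCHORS\n"` and `"# END TRUST ANCHORS\n\`. The string literal these lines belong to starts and ends outside the hunk.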
......@@ -110,15 +110,6 @@ dlz <replaceable>string</replaceable> {
</literallayout>
</refsection>
<refsection><info><title>DNSSEC-KEYS</title></info>
<literallayout class="normal">
dnssec-keys { <replaceable>string</replaceable> ( static-key |
initial-key | static-ds | initial-ds )
<replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable>
<replaceable>quoted_string</replaceable>; ... };
</literallayout>
</refsection>
<refsection><info><title>DYNDB</title></info>
<literallayout class="normal">
dyndb <replaceable>string</replaceable> <replaceable>quoted_string</replaceable> {
......@@ -156,7 +147,7 @@ logging {
</refsection>
<refsection><info><title>MANAGED-KEYS</title></info>
<para>Deprecated - see DNSSEC-KEYS.</para>
<para>Deprecated - see TRUST-ANCHORS.</para>
<literallayout class="normal">
managed-keys { <replaceable>string</replaceable> ( static-key
| initial-key | static-ds |
......@@ -527,8 +518,17 @@ statistics-channels {
</literallayout>
</refsection>
<refsection><info><title>TRUST-ANCHORS</title></info>
<literallayout class="normal">
trust-anchors { <replaceable>string</replaceable> ( static-key |
initial-key | static-ds | initial-ds )
<replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable>
<replaceable>quoted_string</replaceable>; ... };
</literallayout>
</refsection>
<refsection><info><title>TRUSTED-KEYS</title></info>
<para>Deprecated - see DNSSEC-KEYS.</para>
<para>Deprecated - see TRUST-ANCHORS.</para>
<literallayout class="normal">
trusted-keys { <replaceable>string</replaceable> <replaceable>integer</replaceable>
<replaceable>integer</replaceable> <replaceable>integer</replaceable>
......@@ -607,10 +607,6 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
dnsrps-options { <replaceable>unspecified-text</replaceable> };
dnssec-accept-expired <replaceable>boolean</replaceable>;
dnssec-dnskey-kskonly <replaceable>boolean</replaceable>;
dnssec-keys { <replaceable>string</replaceable> ( static-key |
initial-key | static-ds | initial-ds
) <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable>
<replaceable>quoted_string</replaceable>; ... };
dnssec-loadkeys-interval <replaceable>integer</replaceable>;
dnssec-must-be-secure <replaceable>string</replaceable> <replaceable>boolean</replaceable>;
dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
......@@ -801,6 +797,10 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> | * )
] [ dscp <replaceable>integer</replaceable> ];
trust-anchor-telemetry <replaceable>boolean</replaceable>; // experimental
trust-anchors { <replaceable>string</replaceable> ( static-key |
initial-key | static-ds | initial-ds
) <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable>
<replaceable>quoted_string</replaceable>; ... };
trusted-keys { <replaceable>string</replaceable>
<replaceable>integer</replaceable> <replaceable>integer</replaceable>
<replaceable>integer</replaceable>
......@@ -1012,7 +1012,7 @@ process_key(const cfg_obj_t *key, dns_keytable_t *secroots,
}
/*
* Add the key to 'secroots'. Keys from a "dnssec-keys" or
* Add the key to 'secroots'. Keys from a "trust-anchors" or
* "managed-keys" statement may be either static or initializing
* keys. If it's not initializing, we don't want to treat it as
* managed, so we use 'initializing' twice here, for both the
......@@ -1124,9 +1124,9 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
const cfg_obj_t *view_keys = NULL;
const cfg_obj_t *global_keys = NULL;
const cfg_obj_t *view_managed_keys = NULL;
const cfg_obj_t *view_dnssec_keys = NULL;
const cfg_obj_t *view_trust_anchors = NULL;
const cfg_obj_t *global_managed_keys = NULL;
const cfg_obj_t *global_dnssec_keys = NULL;
const cfg_obj_t *global_trust_anchors = NULL;
const cfg_obj_t *maps[4];
const cfg_obj_t *voptions = NULL;
const cfg_obj_t *options = NULL;
......@@ -1147,11 +1147,11 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
(void) cfg_map_get(voptions, "trusted-keys",
&view_keys);
/* managed-keys and dnssec-keys are synonyms. */
/* managed-keys and trust-anchors are synonyms. */
(void) cfg_map_get(voptions, "managed-keys",
&view_managed_keys);
(void) cfg_map_get(voptions, "dnssec-keys",
&view_dnssec_keys);
(void) cfg_map_get(voptions, "trust-anchors",
&view_trust_anchors);
maps[i++] = voptions;
}
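Review bot: The rewritten comment `/* managed-keys and trust-anchors are synonyms. */` (also at the second occurrence in the next hunk) overstates the relationship: elsewhere in this commit the reference documentation marks managed-keys as deprecated in favour of trust-anchors, and the checkconf test expects a configuration that uses both statements to be rejected, so they are not interchangeable. A wording that matches the code below, which loads both, would be `/* managed-keys is the deprecated predecessor of trust-anchors; both are loaded. */`. configure_view_dnsseckeys begins and ends outside this hunk, so I cannot see whether the mixing check lives here or in the parser.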
......@@ -1160,9 +1160,10 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
if (config != NULL) {
(void)cfg_map_get(config, "trusted-keys", &global_keys);
/* managed-keys and dnssec-keys are synonyms. */
/* managed-keys and trust-anchors are synonyms. */
(void)cfg_map_get(config, "managed-keys", &global_managed_keys);
(void)cfg_map_get(config, "dnssec-keys", &global_dnssec_keys);
(void)cfg_map_get(config, "trust-anchors",
&global_trust_anchors);
(void)cfg_map_get(config, "options", &options);
if (options != NULL) {
......@@ -1194,7 +1195,7 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
/*
* If bind.keys exists and is populated, it overrides
* the dnssec-keys clause hard-coded in named_g_config.
* the trust-anchors clause hard-coded in named_g_config.
*/
if (bindkeys != NULL) {
isc_log_write(named_g_lctx, DNS_LOGCATEGORY_SECURITY,
......@@ -1203,7 +1204,7 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
"from '%s'",
view->name, named_g_server->bindkeysfile);
(void)cfg_map_get(bindkeys, "dnssec-keys",
(void)cfg_map_get(bindkeys, "trust-anchors",
&builtin_keys);
if (builtin_keys == NULL) {
......@@ -1223,7 +1224,7 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
"using built-in root key for view %s",
view->name);
(void)cfg_map_get(named_g_config, "dnssec-keys",
(void)cfg_map_get(named_g_config, "trust-anchors",
&builtin_keys);
}
......@@ -1243,13 +1244,13 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
if (view->rdclass == dns_rdataclass_in) {
CHECK(load_view_keys(view_keys, view, false, NULL, mctx));
CHECK(load_view_keys(view_dnssec_keys, view, true, NULL,
CHECK(load_view_keys(view_trust_anchors, view, true, NULL,
mctx));
CHECK(load_view_keys(view_managed_keys, view, true, NULL,
mctx));
CHECK(load_view_keys(global_keys, view, false, NULL, mctx));
CHECK(load_view_keys(global_dnssec_keys, view, true,
CHECK(load_view_keys(global_trust_anchors, view, true,
NULL, mctx));
CHECK(load_view_keys(global_managed_keys, view, true,
NULL, mctx));
......@@ -773,7 +773,7 @@
<listitem>
<para>
Dump the security roots (i.e., trust anchors
configured via <command>dnssec-keys</command> statements, or the
configured via <command>trust-anchors</command> statements, or the
managed-keys or trusted-keys statements (both deprecated), or
via <command>dnssec-validation auto</command>) and negative trust
anchors for the specified views. If no view is specified, all
......@@ -9,7 +9,7 @@
* information regarding copyright ownership.
*/
dnssec-keys {
trust-anchors {
example. initial-ds 60724 5 1 "D74CF845955A0DFE604AF215E948E67D2EA94FF3";
example. initial-key 257 3 5 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbody0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQYfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuwE60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn6zqCkwuMmrU=";
};
......@@ -9,7 +9,7 @@
* information regarding copyright ownership.
*/
dnssec-keys {
trust-anchors {
example. static-ds 60724 5 1 "D74CF845955A0DFE604AF215E948E67D2EA94FF3";
example. static-key 257 3 5 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbody0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQYfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuwE60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn6zqCkwuMmrU=";
};
......@@ -13,7 +13,7 @@ options {
dnssec-validation yes;
};
dnssec-keys {
trust-anchors {
example. initial-key 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl
25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG
tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY
......@@ -23,7 +23,7 @@ dnssec-keys {
NQyrszHhWUU=";
};
dnssec-keys {
trust-anchors {
example. static-key 257 3 8 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbod
y0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQ
YfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX
......@@ -13,7 +13,7 @@ options {
dnssec-validation yes;
};
dnssec-keys {
trust-anchors {
. initial-key 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl
25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG
tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY
......@@ -9,7 +9,7 @@
* information regarding copyright ownership.
*/
dnssec-keys {
trust-anchors {
# This key (19036) is to be phased out starting in 2017. It will
# remain in the root zone for some time after its successor key
# has been added. It will remain this file until it is removed from
......@@ -9,7 +9,7 @@
* information regarding copyright ownership.
*/
dnssec-keys {
trust-anchors {
example. initial-ds 60724 5 1 "D74CF845955A0DFE604AF215E948E67D2EA94FF3";
example. static-ds 60724 5 2 "29E79B9064EE1A11DF3BFF19581DDFED7952C22CC204ACE17B6007EB1437E9E6";
};
......@@ -9,7 +9,7 @@
* information regarding copyright ownership.
*/
dnssec-keys {
trust-anchors {
example. initial-ds 60724 5 1 "D74CF845955A0DFE604AF215E948E67D2EA94FF3";
example. static-key 257 3 5 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbody0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQYfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuwE60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn6zqCkwuMmrU=";
};
......@@ -9,7 +9,7 @@
* information regarding copyright ownership.
*/
dnssec-keys {
trust-anchors {
example. static-ds 60724 5 1 "D74CF845955A0DFE604AF215E948E67D2EA94FF3";
example. initial-key 257 3 5 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbody0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQYfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuwE60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn6zqCkwuMmrU=";
};
......@@ -9,7 +9,7 @@
* information regarding copyright ownership.
*/
dnssec-keys {
trust-anchors {
example. initial-key 257 3 5 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafGtURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJYkYrFYGLzYAgl/JtMyVVYlBl9pqxQuAPKYPOuO1axaad/wLN3+wTy/hcJfpvJpqzXlDF9bI5RmpoX/7geZ06vpcYJEoT0xkkmPlEl0ZjEDrm/WIaSWG0/CEDpHcOXFz4OEczMVpY+lnuFfKybwF1WHFn2BwVEOS6cMM6ukIjINQyrszHhWUU=";
example. static-key 257 3 5 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbody0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQYfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuwE60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn6zqCkwuMmrU=";
};
......@@ -13,7 +13,7 @@ options {
dnssec-validation auto;
};
dnssec-keys {
trust-anchors {
. static-key 257 3 8 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbod
y0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQ
YfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX
......@@ -9,7 +9,7 @@
* information regarding copyright ownership.
*/
dnssec-keys {
trust-anchors {
# This key (19036) is to be phased out starting in 2017. It will
# remain in the root zone for some time after its successor key
# has been added. It will remain this file until it is removed from
......@@ -9,7 +9,7 @@
* information regarding copyright ownership.
*/
dnssec-keys {
trust-anchors {
# This key (19036) is to be phased out starting in 2017. It will
# remain in the root zone for some time after its successor key
# has been added. It will remain this file until it is removed from
......@@ -9,7 +9,7 @@
* information regarding copyright ownership.
*/
dnssec-keys {
trust-anchors {
# This key (20326) was published in the root zone in 2017.
# Servers which were already using the old key (19036) should
# roll seamlessly to this new one via RFC 5011 rollover. Servers
......@@ -9,7 +9,7 @@
* information regarding copyright ownership.
*/
dnssec-keys {
trust-anchors {
# This key (19036) is to be phased out starting in 2017. It will
# remain in the root zone for some time after its successor key
# has been added. It will remain this file until it is removed from
......@@ -9,6 +9,6 @@
* information regarding copyright ownership.
*/
dnssec-keys {
trust-anchors {
. static-ds 20326 8 2 "E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D";
};
......@@ -9,7 +9,7 @@
* information regarding copyright ownership.
*/
dnssec-keys {
trust-anchors {
# This key (20326) was published in the root zone in 2017.
# Servers which were already using the old key (19036) should
# roll seamlessly to this new one via RFC 5011 rollover. Servers
......@@ -13,7 +13,7 @@ options {
dnssec-validation yes;
};
dnssec-keys {
trust-anchors {
example. initial-key 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl
25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG
tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY
......@@ -9,6 +9,6 @@
* information regarding copyright ownership.
*/
dnssec-keys {
trust-anchors {
example. initial-ds 60724 5 2 "29E79B9064EE1A11DF3BFF19581DDFED7952C22CC204ACE17B6007EB1437E9E6";
};
......@@ -9,6 +9,6 @@
* information regarding copyright ownership.
*/
dnssec-keys {
trust-anchors {
example. static-ds 60724 5 2 "29E79B9064EE1A11DF3BFF19581DDFED7952C22CC204ACE17B6007EB1437E9E6";
};
......@@ -458,7 +458,7 @@ if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "check that using dnssec-keys and managed-keys generates an error ($n)"
echo_i "check that using trust-anchors and managed-keys generates an error ($n)"
ret=0
$CHECKCONF check-mixed-keys.conf > checkconf.out$n 2>/dev/null && ret=1
grep "use of managed-keys is not allowed" checkconf.out$n > /dev/null || ret=1
......@@ -264,31 +264,31 @@ keyfile_to_dskeys() {
}
# keyfile_to_static_keys: convert key data contained in the keyfile(s)
# provided to a *static-key* "dnssec-keys" section suitable for including in a
# resolver's configuration file
# provided to a *static-key* "trust-anchors" section suitable for including in
# a resolver's configuration file
keyfile_to_static_keys() {
keyfile_to_keys "dnssec-keys" "static-key" $*
keyfile_to_keys "trust-anchors" "static-key" $*
}
# keyfile_to_initial_keys: convert key data contained in the keyfile(s)
# provided to an *initial-key* "dnssec-keys" section suitable for including
# provided to an *initial-key* "trust-anchors" section suitable for including
# in a resolver's configuration file
keyfile_to_initial_keys() {
keyfile_to_keys "dnssec-keys" "initial-key" $*
keyfile_to_keys "trust-anchors" "initial-key" $*
}
# keyfile_to_static_ds_keys: convert key data contained in the keyfile(s)
# provided to a *static-ds* "dnssec-keys" section suitable for including in a
# provided to a *static-ds* "trust-anchors" section suitable for including in a
# resolver's configuration file
keyfile_to_static_ds() {
keyfile_to_dskeys "dnssec-keys" "static-ds" $*
keyfile_to_dskeys "trust-anchors" "static-ds" $*
}
# keyfile_to_initial_ds_keys: convert key data contained in the keyfile(s)
# provided to an *initial-ds* "dnssec-keys" section suitable for including
# provided to an *initial-ds* "trust-anchors" section suitable for including
# in a resolver's configuration file
keyfile_to_initial_ds() {
keyfile_to_dskeys "dnssec-keys" "initial-ds" $*
keyfile_to_dskeys "trust-anchors" "initial-ds" $*
}
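Review bot: The four rewritten wrapper lines still forward their arguments with an unquoted `$*`, which re-splits and glob-expands every key file path before keyfile_to_keys/keyfile_to_dskeys see it; a path containing whitespace or a glob character would be passed as different words than the caller gave. Since the lines are being touched anyway, `keyfile_to_keys "trust-anchors" "static-key" "$@"` and `keyfile_to_dskeys "trust-anchors" "static-ds" "$@"` (and the same substitution in the initial-key and initial-ds wrappers) preserve the caller's argument boundaries. The `$*` is carried over from the old lines rather than introduced here, and whether the called helpers themselves quote their arguments is outside the hunk.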
# keyfile_to_key_id: convert a key file name to a key ID
dnssec-keys {
trust-anchors {
"edns512-notcp." static-key 257 3 10 "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";
};
......@@ -11,7 +11,7 @@ ns2 is a validator that uses managed keys. "-T mkeytimers=2/20/40"
is used so it will attempt do automated updates frequently. "-T tat=1"
is used so it will send TAT queries once per second.
ns3 is a validator with a broken initializing key in dnssec-keys.
ns3 is a validator with a broken initializing key in trust-anchors.
ns4 is a validator with a deliberately broken managed-keys.bind and
managed-keys.jnl, causing RFC 5011 initialization to fail.
......@@ -41,6 +41,6 @@ zone "." {
};
# purposely broken key for testing
dnssec-keys {
trust-anchors {
"." initial-key 257 3 5 "PURPOSELYBROKEN/xs9iVj7QekClcpzjCf0JrvXW1z07hNMqMm6Q2FtIXMbRgfvTtHF3/ZNvcewT9hpfczC+JACHsQSYYdr7UI8oe4nJfal9+2F3pz4a+HR6CqkgrR6WLWQI1Q==";
};
......@@ -86,7 +86,7 @@ signzone () {
KEYNAME=`$KEYGEN -q -a rsasha256 -K $1 $2`
cat $1/$3 $1/$KEYNAME.key > $1/tmp
$SIGNER -P -K $1 -o $2 -f $1/$4 $1/tmp >/dev/null
sed -n -e 's/\(.*\) IN DNSKEY \([0-9]\{1,\} [0-9]\{1,\} [0-9]\{1,\}\) \(.*\)/dnssec-keys {"\1" static-key \2 "\3";};/p' $1/$KEYNAME.key >>trusted.conf
sed -n -e 's/\(.*\) IN DNSKEY \([0-9]\{1,\} [0-9]\{1,\} [0-9]\{1,\}\) \(.*\)/trust-anchors {"\1" static-key \2 "\3";};/p' $1/$KEYNAME.key >>trusted.conf
DSFILENAME=dsset-${2}${TP}
rm $DSFILENAME $1/tmp
}
......@@ -26,7 +26,7 @@
# See https://data.iana.org/root-anchors/root-anchors.xml for current trust
# anchor information for the root zone.
dnssec-keys {
trust-anchors {
# This key (20326) was published in the root zone in 2017.
. initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
#ifndef BIND_KEYS_H
#define BIND_KEYS_H 1
#define DNSSEC_KEYS "\
#define TRUST_ANCHORS "\
# The bind.keys file is used to override the built-in DNSSEC trust anchors\n\
# which are included as part of BIND 9. The only trust anchors it contains\n\
# are for the DNS root zone (\".\"). Trust anchors for any other zones MUST\n\
......@@ -29,7 +29,7 @@
# See https://data.iana.org/root-anchors/root-anchors.xml for current trust\n\
# anchor information for the root zone.\n\
\n\
dnssec-keys {\n\
trust-anchors {\n\
# This key (20326) was published in the root zone in 2017.\n\
. initial-key 257 3 8 \"AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3\n\
+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv\n\
......@@ -2212,7 +2212,7 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
<userinput>yes</userinput>, DNSSEC validation will only occur
if at least one trust anchor has been explicitly configured
in <filename>named.conf</filename>
using a <command>dnssec-keys</command> statement (or the
using a <command>trust-anchors</command> statement (or the
<command>managed-keys</command> and <command>trusted-keys</command>
statements, both deprecated).
</para>
......@@ -2227,7 +2227,7 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
</para>
<para>
The keys specified in <command>dnssec-keys</command>
The keys specified in <command>trust-anchors</command>
copies of DNSKEY RRs for zones that are used to form the
first link in the cryptographic chain of trust. Keys configured
with the keyword <command>static-key</command> or
......@@ -2241,7 +2241,7 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
</para>
<para>
<command>dnssec-keys</command> is described in more detail
<command>trust-anchors</command> is described in more detail
later in this document.
</para>
......@@ -2264,7 +2264,7 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
</para>
<programlisting>
dnssec-keys {
trust-anchors {
/* Root Key */
"." initial-key 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwS
JxrGkxJWoZu6I7PzJu/E9gx4UC1zGAHlXKdE4zYIpRh
......@@ -3202,7 +3202,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
</row>
<row rowsep="0">
<entry colname="1">
<para><command>dnssec-keys</command></para>
<para><command>trust-anchors</command></para>
</entry>
<entry colname="2">
<para>
......@@ -3223,9 +3223,9 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
</entry>
<entry colname="2">
<para>
is identical to <command>dnssec-keys</command>;
is identical to <command>trust-anchors</command>;
this option is deprecated in favor
of <command>dnssec-keys</command> with
of <command>trust-anchors</command> with
the <command>initial-key</command> keyword,
and may be removed in a future release.
</para>
......@@ -3239,7 +3239,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
<para>
defines permanent trusted DNSSEC keys;
this option is deprecated in favor
of <command>dnssec-keys</command> with
of <command>trust-anchors</command> with
the <command>static-key</command> keyword,
and may be removed in a future release.
</para>
......@@ -4624,7 +4624,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
track managed DNSSEC keys (i.e., those configured using
the <command>initial-key</command> or
<command>initial-ds</command> keywords in a
<command>dnssec-keys</command> statement). By default,
<command>trust-anchors</command> statement). By default,