Commit 8c37d3d3 authored by Matthijs Mekking's avatar Matthijs Mekking 🏡

Rename 'dnssec-keys' to 'trust-anchors'

parent e2129fb1
Pipeline #27165 passed with stages
in 53 minutes and 57 seconds
5332. [func] Renamed "dnssec-keys" configuration statement
to the more descriptive "trust-anchors".
5331. [func] Use compiler-provided mechanisms for thread local
storage, and make the requirement for such mechanisms
explicit in configure. [GL #1444]
......
......@@ -131,8 +131,8 @@ include:
for zones, enabling automatic key regeneration and rollover.
* New new network manager based on libuv.
* Support for the new GeoIP2 geolocation API
* Improved DNSSEC trust anchor configuration using `dnssec-keys`,
permitting configuration of trust anchors in DS as well as
* Improved DNSSEC trust anchor configuration using the `trust-anchors`
statement, permitting configuration of trust anchors in DS as well as
DNSKEY format.
* YAML output for `dig`, `mdig`, and `delv`.
......
......@@ -140,7 +140,7 @@ static dns_fixedname_t afn;
static dns_name_t *anchor_name = NULL;
/* Default bind.keys contents */
static char anchortext[] = DNSSEC_KEYS;
static char anchortext[] = TRUST_ANCHORS;
/*
* Static function prototypes
......@@ -819,7 +819,7 @@ setup_dnsseckeys(dns_client_t *client) {
cfg_parser_t *parser = NULL;
const cfg_obj_t *trusted_keys = NULL;
const cfg_obj_t *managed_keys = NULL;
const cfg_obj_t *dnssec_keys = NULL;
const cfg_obj_t *trust_anchors = NULL;
cfg_obj_t *bindkeys = NULL;
const char *filename = anchorfile;
......@@ -878,7 +878,7 @@ setup_dnsseckeys(dns_client_t *client) {
INSIST(bindkeys != NULL);
cfg_map_get(bindkeys, "trusted-keys", &trusted_keys);
cfg_map_get(bindkeys, "managed-keys", &managed_keys);
cfg_map_get(bindkeys, "dnssec-keys", &dnssec_keys);
cfg_map_get(bindkeys, "trust-anchors", &trust_anchors);
if (trusted_keys != NULL) {
CHECK(load_keys(trusted_keys, client));
......@@ -886,8 +886,8 @@ setup_dnsseckeys(dns_client_t *client) {
if (managed_keys != NULL) {
CHECK(load_keys(managed_keys, client));
}
if (dnssec_keys != NULL) {
CHECK(load_keys(dnssec_keys, client));
if (trust_anchors != NULL) {
CHECK(load_keys(trust_anchors, client));
}
result = ISC_R_SUCCESS;
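Review bot: The lookup `cfg_map_get(bindkeys, "trust-anchors", &trust_anchors)` drops the old name outright, so an anchor file that still carries a `dnssec-keys` clause contributes no keys, and the visible path still reaches `result = ISC_R_SUCCESS`. Whether the parser rejects the old statement first, or a later check catches an empty anchor set, is outside these hunks; setup_dnsseckeys itself starts and ends outside them. Because this decides which DNSSEC trust anchors delv validates against, I would make the miss loud, for example `if (trusted_keys == NULL && managed_keys == NULL && trust_anchors == NULL)` followed by a logged error ahead of the loads, or keep `dnssec-keys` as a deprecated alias for a release. The same concern applies to the `cfg_map_get(bindkeys, "trust-anchors", &builtin_keys)` lookup in configure_view_dnsseckeys, where an on-disk bind.keys overrides the built-in anchors.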
......
......@@ -215,7 +215,7 @@
</para>
<para>
Note: When reading the trust anchor file,
<command>delv</command> treats <option>dnssec-keys</option>
<command>delv</command> treats <option>trust-anchors</option>
<option>initial-key</option> and <option>static-key</option>
entries identically. That is, even if a key is configured
with <command>initial-key</command>, indicating that it is
......
......@@ -296,7 +296,7 @@ view \"_bind\" chaos {\n\
# BEGIN DNSSEC KEYS\n"
/* Imported from bind.keys.h: */
DNSSEC_KEYS
TRUST_ANCHORS
"# END MANAGED KEYS\n\
\n\
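Review bot: The marker comments around the imported anchors are mismatched (`# BEGIN DNSSEC KEYS` opens, `# END MANAGED KEYS` closes), and with the macro renamed to TRUST_ANCHORS neither one matches the statement name any more. If nothing depends on the exact marker text, which cannot be confirmed from this hunk, I would change the two lines to `# BEGIN TRUST ANCHORS\n"` and `"# END TRUST ANCHORS\n\` so a reader of the built-in configuration sees one consistent name. The string literal starts and ends outside the hunk.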
......
......@@ -110,15 +110,6 @@ dlz <replaceable>string</replaceable> {
</literallayout>
</refsection>
<refsection><info><title>DNSSEC-KEYS</title></info>
<literallayout class="normal">
dnssec-keys { <replaceable>string</replaceable> ( static-key |
initial-key | static-ds | initial-ds )
<replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable>
<replaceable>quoted_string</replaceable>; ... };
</literallayout>
</refsection>
<refsection><info><title>DYNDB</title></info>
<literallayout class="normal">
dyndb <replaceable>string</replaceable> <replaceable>quoted_string</replaceable> {
......@@ -156,7 +147,7 @@ logging {
</refsection>
<refsection><info><title>MANAGED-KEYS</title></info>
<para>Deprecated - see DNSSEC-KEYS.</para>
<para>Deprecated - see TRUST-ANCHORS.</para>
<literallayout class="normal">
managed-keys { <replaceable>string</replaceable> ( static-key
| initial-key | static-ds |
......@@ -527,8 +518,17 @@ statistics-channels {
</literallayout>
</refsection>
<refsection><info><title>TRUST-ANCHORS</title></info>
<literallayout class="normal">
trust-anchors { <replaceable>string</replaceable> ( static-key |
initial-key | static-ds | initial-ds )
<replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable>
<replaceable>quoted_string</replaceable>; ... };
</literallayout>
</refsection>
<refsection><info><title>TRUSTED-KEYS</title></info>
<para>Deprecated - see DNSSEC-KEYS.</para>
<para>Deprecated - see TRUST-ANCHORS.</para>
<literallayout class="normal">
trusted-keys { <replaceable>string</replaceable> <replaceable>integer</replaceable>
<replaceable>integer</replaceable> <replaceable>integer</replaceable>
......@@ -607,10 +607,6 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
dnsrps-options { <replaceable>unspecified-text</replaceable> };
dnssec-accept-expired <replaceable>boolean</replaceable>;
dnssec-dnskey-kskonly <replaceable>boolean</replaceable>;
dnssec-keys { <replaceable>string</replaceable> ( static-key |
initial-key | static-ds | initial-ds
) <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable>
<replaceable>quoted_string</replaceable>; ... };
dnssec-loadkeys-interval <replaceable>integer</replaceable>;
dnssec-must-be-secure <replaceable>string</replaceable> <replaceable>boolean</replaceable>;
dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
......@@ -801,6 +797,10 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> | * )
] [ dscp <replaceable>integer</replaceable> ];
trust-anchor-telemetry <replaceable>boolean</replaceable>; // experimental
trust-anchors { <replaceable>string</replaceable> ( static-key |
initial-key | static-ds | initial-ds
) <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable>
<replaceable>quoted_string</replaceable>; ... };
trusted-keys { <replaceable>string</replaceable>
<replaceable>integer</replaceable> <replaceable>integer</replaceable>
<replaceable>integer</replaceable>
......
......@@ -1012,7 +1012,7 @@ process_key(const cfg_obj_t *key, dns_keytable_t *secroots,
}
/*
* Add the key to 'secroots'. Keys from a "dnssec-keys" or
* Add the key to 'secroots'. Keys from a "trust-anchors" or
* "managed-keys" statement may be either static or initializing
* keys. If it's not initializing, we don't want to treat it as
* managed, so we use 'initializing' twice here, for both the
......@@ -1124,9 +1124,9 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
const cfg_obj_t *view_keys = NULL;
const cfg_obj_t *global_keys = NULL;
const cfg_obj_t *view_managed_keys = NULL;
const cfg_obj_t *view_dnssec_keys = NULL;
const cfg_obj_t *view_trust_anchors = NULL;
const cfg_obj_t *global_managed_keys = NULL;
const cfg_obj_t *global_dnssec_keys = NULL;
const cfg_obj_t *global_trust_anchors = NULL;
const cfg_obj_t *maps[4];
const cfg_obj_t *voptions = NULL;
const cfg_obj_t *options = NULL;
......@@ -1147,11 +1147,11 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
(void) cfg_map_get(voptions, "trusted-keys",
&view_keys);
/* managed-keys and dnssec-keys are synonyms. */
/* managed-keys and trust-anchors are synonyms. */
(void) cfg_map_get(voptions, "managed-keys",
&view_managed_keys);
(void) cfg_map_get(voptions, "dnssec-keys",
&view_dnssec_keys);
(void) cfg_map_get(voptions, "trust-anchors",
&view_trust_anchors);
maps[i++] = voptions;
}
......@@ -1160,9 +1160,10 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
if (config != NULL) {
(void)cfg_map_get(config, "trusted-keys", &global_keys);
/* managed-keys and dnssec-keys are synonyms. */
/* managed-keys and trust-anchors are synonyms. */
(void)cfg_map_get(config, "managed-keys", &global_managed_keys);
(void)cfg_map_get(config, "dnssec-keys", &global_dnssec_keys);
(void)cfg_map_get(config, "trust-anchors",
&global_trust_anchors);
(void)cfg_map_get(config, "options", &options);
if (options != NULL) {
......@@ -1194,7 +1195,7 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
/*
* If bind.keys exists and is populated, it overrides
* the dnssec-keys clause hard-coded in named_g_config.
* the trust-anchors clause hard-coded in named_g_config.
*/
if (bindkeys != NULL) {
isc_log_write(named_g_lctx, DNS_LOGCATEGORY_SECURITY,
......@@ -1203,7 +1204,7 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
"from '%s'",
view->name, named_g_server->bindkeysfile);
(void)cfg_map_get(bindkeys, "dnssec-keys",
(void)cfg_map_get(bindkeys, "trust-anchors",
&builtin_keys);
if (builtin_keys == NULL) {
......@@ -1223,7 +1224,7 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
"using built-in root key for view %s",
view->name);
(void)cfg_map_get(named_g_config, "dnssec-keys",
(void)cfg_map_get(named_g_config, "trust-anchors",
&builtin_keys);
}
......@@ -1243,13 +1244,13 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
if (view->rdclass == dns_rdataclass_in) {
CHECK(load_view_keys(view_keys, view, false, NULL, mctx));
CHECK(load_view_keys(view_dnssec_keys, view, true, NULL,
CHECK(load_view_keys(view_trust_anchors, view, true, NULL,
mctx));
CHECK(load_view_keys(view_managed_keys, view, true, NULL,
mctx));
CHECK(load_view_keys(global_keys, view, false, NULL, mctx));
CHECK(load_view_keys(global_dnssec_keys, view, true,
CHECK(load_view_keys(global_trust_anchors, view, true,
NULL, mctx));
CHECK(load_view_keys(global_managed_keys, view, true,
NULL, mctx));
......
......@@ -773,7 +773,7 @@
<listitem>
<para>
Dump the security roots (i.e., trust anchors
configured via <command>dnssec-keys</command> statements, or the
configured via <command>trust-anchors</command> statements, or the
managed-keys or trusted-keys statements (both deprecated), or
via <command>dnssec-validation auto</command>) and negative trust
anchors for the specified views. If no view is specified, all
......
......@@ -9,7 +9,7 @@
* information regarding copyright ownership.
*/
dnssec-keys {
trust-anchors {
example. initial-ds 60724 5 1 "D74CF845955A0DFE604AF215E948E67D2EA94FF3";
example. initial-key 257 3 5 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbody0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQYfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuwE60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn6zqCkwuMmrU=";
};
......@@ -9,7 +9,7 @@
* information regarding copyright ownership.
*/
dnssec-keys {
trust-anchors {
example. static-ds 60724 5 1 "D74CF845955A0DFE604AF215E948E67D2EA94FF3";
example. static-key 257 3 5 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbody0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQYfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuwE60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn6zqCkwuMmrU=";
};
......@@ -13,7 +13,7 @@ options {
dnssec-validation yes;
};
dnssec-keys {
trust-anchors {
example. initial-key 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl
25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG
tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY
......@@ -23,7 +23,7 @@ dnssec-keys {
NQyrszHhWUU=";
};
dnssec-keys {
trust-anchors {
example. static-key 257 3 8 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbod
y0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQ
YfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX
......
......@@ -13,7 +13,7 @@ options {
dnssec-validation yes;
};
dnssec-keys {
trust-anchors {
. initial-key 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl
25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG
tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY
......
......@@ -9,7 +9,7 @@
* information regarding copyright ownership.
*/
dnssec-keys {
trust-anchors {
# This key (19036) is to be phased out starting in 2017. It will
# remain in the root zone for some time after its successor key
# has been added. It will remain this file until it is removed from
......
......@@ -9,7 +9,7 @@
* information regarding copyright ownership.
*/
dnssec-keys {
trust-anchors {
example. initial-ds 60724 5 1 "D74CF845955A0DFE604AF215E948E67D2EA94FF3";
example. static-ds 60724 5 2 "29E79B9064EE1A11DF3BFF19581DDFED7952C22CC204ACE17B6007EB1437E9E6";
};
......@@ -9,7 +9,7 @@
* information regarding copyright ownership.
*/
dnssec-keys {
trust-anchors {
example. initial-ds 60724 5 1 "D74CF845955A0DFE604AF215E948E67D2EA94FF3";
example. static-key 257 3 5 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbody0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQYfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuwE60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn6zqCkwuMmrU=";
};
......@@ -9,7 +9,7 @@
* information regarding copyright ownership.
*/
dnssec-keys {
trust-anchors {
example. static-ds 60724 5 1 "D74CF845955A0DFE604AF215E948E67D2EA94FF3";
example. initial-key 257 3 5 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbody0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQYfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuwE60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn6zqCkwuMmrU=";
};
......@@ -9,7 +9,7 @@
* information regarding copyright ownership.
*/
dnssec-keys {
trust-anchors {
example. initial-key 257 3 5 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafGtURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJYkYrFYGLzYAgl/JtMyVVYlBl9pqxQuAPKYPOuO1axaad/wLN3+wTy/hcJfpvJpqzXlDF9bI5RmpoX/7geZ06vpcYJEoT0xkkmPlEl0ZjEDrm/WIaSWG0/CEDpHcOXFz4OEczMVpY+lnuFfKybwF1WHFn2BwVEOS6cMM6ukIjINQyrszHhWUU=";
example. static-key 257 3 5 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbody0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQYfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuwE60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn6zqCkwuMmrU=";
};
......@@ -13,7 +13,7 @@ options {
dnssec-validation auto;
};
dnssec-keys {
trust-anchors {
. static-key 257 3 8 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbod
y0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQ
YfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX
......
......@@ -9,7 +9,7 @@
* information regarding copyright ownership.
*/
dnssec-keys {
trust-anchors {
# This key (19036) is to be phased out starting in 2017. It will
# remain in the root zone for some time after its successor key
# has been added. It will remain this file until it is removed from
......
......@@ -9,7 +9,7 @@
* information regarding copyright ownership.
*/
dnssec-keys {
trust-anchors {
# This key (19036) is to be phased out starting in 2017. It will
# remain in the root zone for some time after its successor key
# has been added. It will remain this file until it is removed from
......