Commit 8c37d3d3 authored by Matthijs Mekking's avatar Matthijs Mekking 🏡

Rename 'dnssec-keys' to 'trust-anchors'

parent e2129fb1
5332. [func] Renamed "dnssec-keys" configuration statement
to the more descriptive "trust-anchors".
5331. [func] Use compiler-provided mechanisms for thread local
storage, and make the requirement for such mechanisms
explicit in configure. [GL #1444]
......@@ -131,8 +131,8 @@ include:
for zones, enabling automatic key regeneration and rollover.
* New new network manager based on libuv.
* Support for the new GeoIP2 geolocation API
* Improved DNSSEC trust anchor configuration using `dnssec-keys`,
permitting configuration of trust anchors in DS as well as
* Improved DNSSEC trust anchor configuration using the `trust-anchors`
statement, permitting configuration of trust anchors in DS as well as
DNSKEY format.
* YAML output for `dig`, `mdig`, and `delv`.
......@@ -140,7 +140,7 @@ static dns_fixedname_t afn;
static dns_name_t *anchor_name = NULL;
/* Default bind.keys contents */
static char anchortext[] = DNSSEC_KEYS;
static char anchortext[] = TRUST_ANCHORS;
/*
* Static function prototypes
......@@ -819,7 +819,7 @@ setup_dnsseckeys(dns_client_t *client) {
cfg_parser_t *parser = NULL;
const cfg_obj_t *trusted_keys = NULL;
const cfg_obj_t *managed_keys = NULL;
const cfg_obj_t *dnssec_keys = NULL;
const cfg_obj_t *trust_anchors = NULL;
cfg_obj_t *bindkeys = NULL;
const char *filename = anchorfile;
......@@ -878,7 +878,7 @@ setup_dnsseckeys(dns_client_t *client) {
INSIST(bindkeys != NULL);
cfg_map_get(bindkeys, "trusted-keys", &trusted_keys);
cfg_map_get(bindkeys, "managed-keys", &managed_keys);
cfg_map_get(bindkeys, "dnssec-keys", &dnssec_keys);
cfg_map_get(bindkeys, "trust-anchors", &trust_anchors);
if (trusted_keys != NULL) {
CHECK(load_keys(trusted_keys, client));
......@@ -886,8 +886,8 @@ setup_dnsseckeys(dns_client_t *client) {
if (managed_keys != NULL) {
CHECK(load_keys(managed_keys, client));
}
if (dnssec_keys != NULL) {
CHECK(load_keys(dnssec_keys, client));
if (trust_anchors != NULL) {
CHECK(load_keys(trust_anchors, client));
}
result = ISC_R_SUCCESS;
......@@ -215,7 +215,7 @@
</para>
<para>
Note: When reading the trust anchor file,
<command>delv</command> treats <option>dnssec-keys</option>
<command>delv</command> treats <option>trust-anchors</option>
<option>initial-key</option> and <option>static-key</option>
entries identically. That is, even if a key is configured
with <command>initial-key</command>, indicating that it is
......@@ -296,7 +296,7 @@ view \"_bind\" chaos {\n\
# BEGIN DNSSEC KEYS\n"
/* Imported from bind.keys.h: */
DNSSEC_KEYS
TRUST_ANCHORS
"# END MANAGED KEYS\n\
\n\
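Review bot: The banner comments around the imported TRUST_ANCHORS text still read `# BEGIN DNSSEC KEYS\n` on the line before it and `# END MANAGED KEYS\n` on the line after, so after this rename the two markers match neither each other nor the statement they bracket. Since this literal appears to be the built-in configuration that server.c later describes as the trust-anchors clause hard-coded in named_g_config, an operator dumping it will see a stale name; I would change both lines to `# BEGIN TRUST ANCHORS\n` and `# END TRUST ANCHORS\n` in the same commit, unless something elsewhere still greps for the old END marker (not visible from here). The enclosing string literal starts and ends outside the hunk.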
......@@ -110,15 +110,6 @@ dlz <replaceable>string</replaceable> {
</literallayout>
</refsection>
<refsection><info><title>DNSSEC-KEYS</title></info>
<literallayout class="normal">
dnssec-keys { <replaceable>string</replaceable> ( static-key |
initial-key | static-ds | initial-ds )
<replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable>
<replaceable>quoted_string</replaceable>; ... };
</literallayout>
</refsection>
<refsection><info><title>DYNDB</title></info>
<literallayout class="normal">
dyndb <replaceable>string</replaceable> <replaceable>quoted_string</replaceable> {
......@@ -156,7 +147,7 @@ logging {
</refsection>
<refsection><info><title>MANAGED-KEYS</title></info>
<para>Deprecated - see DNSSEC-KEYS.</para>
<para>Deprecated - see TRUST-ANCHORS.</para>
<literallayout class="normal">
managed-keys { <replaceable>string</replaceable> ( static-key
| initial-key | static-ds |
......@@ -527,8 +518,17 @@ statistics-channels {
</literallayout>
</refsection>
<refsection><info><title>TRUST-ANCHORS</title></info>
<literallayout class="normal">
trust-anchors { <replaceable>string</replaceable> ( static-key |
initial-key | static-ds | initial-ds )
<replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable>
<replaceable>quoted_string</replaceable>; ... };
</literallayout>
</refsection>
<refsection><info><title>TRUSTED-KEYS</title></info>
<para>Deprecated - see DNSSEC-KEYS.</para>
<para>Deprecated - see TRUST-ANCHORS.</para>
<literallayout class="normal">
trusted-keys { <replaceable>string</replaceable> <replaceable>integer</replaceable>
<replaceable>integer</replaceable> <replaceable>integer</replaceable>
......@@ -607,10 +607,6 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
dnsrps-options { <replaceable>unspecified-text</replaceable> };
dnssec-accept-expired <replaceable>boolean</replaceable>;
dnssec-dnskey-kskonly <replaceable>boolean</replaceable>;
dnssec-keys { <replaceable>string</replaceable> ( static-key |
initial-key | static-ds | initial-ds
) <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable>
<replaceable>quoted_string</replaceable>; ... };
dnssec-loadkeys-interval <replaceable>integer</replaceable>;
dnssec-must-be-secure <replaceable>string</replaceable> <replaceable>boolean</replaceable>;
dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
......@@ -801,6 +797,10 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> | * )
] [ dscp <replaceable>integer</replaceable> ];
trust-anchor-telemetry <replaceable>boolean</replaceable>; // experimental
trust-anchors { <replaceable>string</replaceable> ( static-key |
initial-key | static-ds | initial-ds
) <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable>
<replaceable>quoted_string</replaceable>; ... };
trusted-keys { <replaceable>string</replaceable>
<replaceable>integer</replaceable> <replaceable>integer</replaceable>
<replaceable>integer</replaceable>
......@@ -1012,7 +1012,7 @@ process_key(const cfg_obj_t *key, dns_keytable_t *secroots,
}
/*
* Add the key to 'secroots'. Keys from a "dnssec-keys" or
* Add the key to 'secroots'. Keys from a "trust-anchors" or
* "managed-keys" statement may be either static or initializing
* keys. If it's not initializing, we don't want to treat it as
* managed, so we use 'initializing' twice here, for both the
......@@ -1124,9 +1124,9 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
const cfg_obj_t *view_keys = NULL;
const cfg_obj_t *global_keys = NULL;
const cfg_obj_t *view_managed_keys = NULL;
const cfg_obj_t *view_dnssec_keys = NULL;
const cfg_obj_t *view_trust_anchors = NULL;
const cfg_obj_t *global_managed_keys = NULL;
const cfg_obj_t *global_dnssec_keys = NULL;
const cfg_obj_t *global_trust_anchors = NULL;
const cfg_obj_t *maps[4];
const cfg_obj_t *voptions = NULL;
const cfg_obj_t *options = NULL;
......@@ -1147,11 +1147,11 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
(void) cfg_map_get(voptions, "trusted-keys",
&view_keys);
/* managed-keys and dnssec-keys are synonyms. */
/* managed-keys and trust-anchors are synonyms. */
(void) cfg_map_get(voptions, "managed-keys",
&view_managed_keys);
(void) cfg_map_get(voptions, "dnssec-keys",
&view_dnssec_keys);
(void) cfg_map_get(voptions, "trust-anchors",
&view_trust_anchors);
maps[i++] = voptions;
}
......@@ -1160,9 +1160,10 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
if (config != NULL) {
(void)cfg_map_get(config, "trusted-keys", &global_keys);
/* managed-keys and dnssec-keys are synonyms. */
/* managed-keys and trust-anchors are synonyms. */
(void)cfg_map_get(config, "managed-keys", &global_managed_keys);
(void)cfg_map_get(config, "dnssec-keys", &global_dnssec_keys);
(void)cfg_map_get(config, "trust-anchors",
&global_trust_anchors);
(void)cfg_map_get(config, "options", &options);
if (options != NULL) {
......@@ -1194,7 +1195,7 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
/*
* If bind.keys exists and is populated, it overrides
* the dnssec-keys clause hard-coded in named_g_config.
* the trust-anchors clause hard-coded in named_g_config.
*/
if (bindkeys != NULL) {
isc_log_write(named_g_lctx, DNS_LOGCATEGORY_SECURITY,
......@@ -1203,7 +1204,7 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
"from '%s'",
view->name, named_g_server->bindkeysfile);
(void)cfg_map_get(bindkeys, "dnssec-keys",
(void)cfg_map_get(bindkeys, "trust-anchors",
&builtin_keys);
if (builtin_keys == NULL) {
......@@ -1223,7 +1224,7 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
"using built-in root key for view %s",
view->name);
(void)cfg_map_get(named_g_config, "dnssec-keys",
(void)cfg_map_get(named_g_config, "trust-anchors",
&builtin_keys);
}
......@@ -1243,13 +1244,13 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
if (view->rdclass == dns_rdataclass_in) {
CHECK(load_view_keys(view_keys, view, false, NULL, mctx));
CHECK(load_view_keys(view_dnssec_keys, view, true, NULL,
CHECK(load_view_keys(view_trust_anchors, view, true, NULL,
mctx));
CHECK(load_view_keys(view_managed_keys, view, true, NULL,
mctx));
CHECK(load_view_keys(global_keys, view, false, NULL, mctx));
CHECK(load_view_keys(global_dnssec_keys, view, true,
CHECK(load_view_keys(global_trust_anchors, view, true,
NULL, mctx));
CHECK(load_view_keys(global_managed_keys, view, true,
NULL, mctx));
......@@ -773,7 +773,7 @@
<listitem>
<para>
Dump the security roots (i.e., trust anchors
configured via <command>dnssec-keys</command> statements, or the
configured via <command>trust-anchors</command> statements, or the
managed-keys or trusted-keys statements (both deprecated), or
via <command>dnssec-validation auto</command>) and negative trust
anchors for the specified views. If no view is specified, all
......@@ -9,7 +9,7 @@
* information regarding copyright ownership.
*/
dnssec-keys {
trust-anchors {
example. initial-ds 60724 5 1 "D74CF845955A0DFE604AF215E948E67D2EA94FF3";
example. initial-key 257 3 5 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbody0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQYfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuwE60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn6zqCkwuMmrU=";
};
......@@ -9,7 +9,7 @@
* information regarding copyright ownership.
*/
dnssec-keys {
trust-anchors {
example. static-ds 60724 5 1 "D74CF845955A0DFE604AF215E948E67D2EA94FF3";
example. static-key 257 3 5 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbody0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQYfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuwE60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn6zqCkwuMmrU=";
};
......@@ -13,7 +13,7 @@ options {
dnssec-validation yes;
};
dnssec-keys {
trust-anchors {
example. initial-key 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl
25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG
tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY
......@@ -23,7 +23,7 @@ dnssec-keys {
NQyrszHhWUU=";
};
dnssec-keys {
trust-anchors {
example. static-key 257 3 8 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbod
y0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQ
YfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX
......@@ -13,7 +13,7 @@ options {
dnssec-validation yes;
};
dnssec-keys {
trust-anchors {
. initial-key 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl
25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG
tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY
......@@ -9,7 +9,7 @@
* information regarding copyright ownership.
*/
dnssec-keys {
trust-anchors {
# This key (19036) is to be phased out starting in 2017. It will
# remain in the root zone for some time after its successor key
# has been added. It will remain this file until it is removed from
......@@ -9,7 +9,7 @@
* information regarding copyright ownership.
*/
dnssec-keys {
trust-anchors {
example. initial-ds 60724 5 1 "D74CF845955A0DFE604AF215E948E67D2EA94FF3";
example. static-ds 60724 5 2 "29E79B9064EE1A11DF3BFF19581DDFED7952C22CC204ACE17B6007EB1437E9E6";
};
......@@ -9,7 +9,7 @@
* information regarding copyright ownership.
*/
dnssec-keys {
trust-anchors {
example. initial-ds 60724 5 1 "D74CF845955A0DFE604AF215E948E67D2EA94FF3";
example. static-key 257 3 5 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbody0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQYfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuwE60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn6zqCkwuMmrU=";
};
......@@ -9,7 +9,7 @@
* information regarding copyright ownership.
*/
dnssec-keys {
trust-anchors {
example. static-ds 60724 5 1 "D74CF845955A0DFE604AF215E948E67D2EA94FF3";
example. initial-key 257 3 5 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbody0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQYfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuwE60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn6zqCkwuMmrU=";
};
......@@ -9,7 +9,7 @@
* information regarding copyright ownership.
*/
dnssec-keys {
trust-anchors {
example. initial-key 257 3 5 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafGtURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJYkYrFYGLzYAgl/JtMyVVYlBl9pqxQuAPKYPOuO1axaad/wLN3+wTy/hcJfpvJpqzXlDF9bI5RmpoX/7geZ06vpcYJEoT0xkkmPlEl0ZjEDrm/WIaSWG0/CEDpHcOXFz4OEczMVpY+lnuFfKybwF1WHFn2BwVEOS6cMM6ukIjINQyrszHhWUU=";
example. static-key 257 3 5 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbody0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQYfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuwE60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn6zqCkwuMmrU=";
};
......@@ -13,7 +13,7 @@ options {
dnssec-validation auto;
};
dnssec-keys {
trust-anchors {
. static-key 257 3 8 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbod
y0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQ
YfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX
......@@ -9,7 +9,7 @@
* information regarding copyright ownership.
*/
dnssec-keys {
trust-anchors {
# This key (19036) is to be phased out starting in 2017. It will
# remain in the root zone for some time after its successor key
# has been added. It will remain this file until it is removed from
......@@ -9,7 +9,7 @@
* information regarding copyright ownership.
*/
dnssec-keys {
trust-anchors {
# This key (19036) is to be phased out starting in 2017. It will
# remain in the root zone for some time after its successor key
# has been added. It will remain this file until it is removed from
......@@ -9,7 +9,7 @@
* information regarding copyright ownership.
*/
dnssec-keys {
trust-anchors {
# This key (20326) was published in the root zone in 2017.
# Servers which were already using the old key (19036) should
# roll seamlessly to this new one via RFC 5011 rollover. Servers
......@@ -9,7 +9,7 @@
* information regarding copyright ownership.
*/
dnssec-keys {
trust-anchors {
# This key (19036) is to be phased out starting in 2017. It will
# remain in the root zone for some time after its successor key
# has been added. It will remain this file until it is removed from
......@@ -9,6 +9,6 @@
* information regarding copyright ownership.
*/
dnssec-keys {
trust-anchors {
. static-ds 20326 8 2 "E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D";
};
......@@ -9,7 +9,7 @@
* information regarding copyright ownership.
*/
dnssec-keys {
trust-anchors {
# This key (20326) was published in the root zone in 2017.
# Servers which were already using the old key (19036) should
# roll seamlessly to this new one via RFC 5011 rollover. Servers
......@@ -13,7 +13,7 @@ options {
dnssec-validation yes;
};
dnssec-keys {
trust-anchors {
example. initial-key 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl
25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG
tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY
......@@ -9,6 +9,6 @@
* information regarding copyright ownership.
*/
dnssec-keys {
trust-anchors {
example. initial-ds 60724 5 2 "29E79B9064EE1A11DF3BFF19581DDFED7952C22CC204ACE17B6007EB1437E9E6";
};
......@@ -9,6 +9,6 @@
* information regarding copyright ownership.
*/
dnssec-keys {
trust-anchors {
example. static-ds 60724 5 2 "29E79B9064EE1A11DF3BFF19581DDFED7952C22CC204ACE17B6007EB1437E9E6";
};
......@@ -458,7 +458,7 @@ if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "check that using dnssec-keys and managed-keys generates an error ($n)"
echo_i "check that using trust-anchors and managed-keys generates an error ($n)"
ret=0
$CHECKCONF check-mixed-keys.conf > checkconf.out$n 2>/dev/null && ret=1
grep "use of managed-keys is not allowed" checkconf.out$n > /dev/null || ret=1
......@@ -264,31 +264,31 @@ keyfile_to_dskeys() {
}
# keyfile_to_static_keys: convert key data contained in the keyfile(s)
# provided to a *static-key* "dnssec-keys" section suitable for including in a
# resolver's configuration file
# provided to a *static-key* "trust-anchors" section suitable for including in
# a resolver's configuration file
keyfile_to_static_keys() {
keyfile_to_keys "dnssec-keys" "static-key" $*
keyfile_to_keys "trust-anchors" "static-key" $*
}
# keyfile_to_initial_keys: convert key data contained in the keyfile(s)
# provided to an *initial-key* "dnssec-keys" section suitable for including
# provided to an *initial-key* "trust-anchors" section suitable for including
# in a resolver's configuration file
keyfile_to_initial_keys() {
keyfile_to_keys "dnssec-keys" "initial-key" $*
keyfile_to_keys "trust-anchors" "initial-key" $*
}
# keyfile_to_static_ds_keys: convert key data contained in the keyfile(s)
# provided to a *static-ds* "dnssec-keys" section suitable for including in a
# provided to a *static-ds* "trust-anchors" section suitable for including in a
# resolver's configuration file
keyfile_to_static_ds() {
keyfile_to_dskeys "dnssec-keys" "static-ds" $*
keyfile_to_dskeys "trust-anchors" "static-ds" $*
}
# keyfile_to_initial_ds_keys: convert key data contained in the keyfile(s)
# provided to an *initial-ds* "dnssec-keys" section suitable for including
# provided to an *initial-ds* "trust-anchors" section suitable for including
# in a resolver's configuration file
keyfile_to_initial_ds() {
keyfile_to_dskeys "dnssec-keys" "initial-ds" $*
keyfile_to_dskeys "trust-anchors" "initial-ds" $*
}
# keyfile_to_key_id: convert a key file name to a key ID
dnssec-keys {
trust-anchors {
"edns512-notcp." static-key 257 3 10 "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";
};
......@@ -11,7 +11,7 @@ ns2 is a validator that uses managed keys. "-T mkeytimers=2/20/40"
is used so it will attempt do automated updates frequently. "-T tat=1"
is used so it will send TAT queries once per second.
ns3 is a validator with a broken initializing key in dnssec-keys.
ns3 is a validator with a broken initializing key in trust-anchors.
ns4 is a validator with a deliberately broken managed-keys.bind and
managed-keys.jnl, causing RFC 5011 initialization to fail.
......@@ -41,6 +41,6 @@ zone "." {
};
# purposely broken key for testing
dnssec-keys {
trust-anchors {
"." initial-key 257 3 5 "PURPOSELYBROKEN/xs9iVj7QekClcpzjCf0JrvXW1z07hNMqMm6Q2FtIXMbRgfvTtHF3/ZNvcewT9hpfczC+JACHsQSYYdr7UI8oe4nJfal9+2F3pz4a+HR6CqkgrR6WLWQI1Q==";
};
......@@ -86,7 +86,7 @@ signzone () {
KEYNAME=`$KEYGEN -q -a rsasha256 -K $1 $2`
cat $1/$3 $1/$KEYNAME.key > $1/tmp
$SIGNER -P -K $1 -o $2 -f $1/$4 $1/tmp >/dev/null
sed -n -e 's/\(.*\) IN DNSKEY \([0-9]\{1,\} [0-9]\{1,\} [0-9]\{1,\}\) \(.*\)/dnssec-keys {"\1" static-key \2 "\3";};/p' $1/$KEYNAME.key >>trusted.conf
sed -n -e 's/\(.*\) IN DNSKEY \([0-9]\{1,\} [0-9]\{1,\} [0-9]\{1,\}\) \(.*\)/trust-anchors {"\1" static-key \2 "\3";};/p' $1/$KEYNAME.key >>trusted.conf
DSFILENAME=dsset-${2}${TP}
rm $DSFILENAME $1/tmp
}
......@@ -26,7 +26,7 @@
# See https://data.iana.org/root-anchors/root-anchors.xml for current trust
# anchor information for the root zone.
dnssec-keys {
trust-anchors {
# This key (20326) was published in the root zone in 2017.
. initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
#ifndef BIND_KEYS_H
#define BIND_KEYS_H 1
#define DNSSEC_KEYS "\
#define TRUST_ANCHORS "\
# The bind.keys file is used to override the built-in DNSSEC trust anchors\n\
# which are included as part of BIND 9. The only trust anchors it contains\n\
# are for the DNS root zone (\".\"). Trust anchors for any other zones MUST\n\
......@@ -29,7 +29,7 @@
# See https://data.iana.org/root-anchors/root-anchors.xml for current trust\n\
# anchor information for the root zone.\n\
\n\
dnssec-keys {\n\
trust-anchors {\n\
# This key (20326) was published in the root zone in 2017.\n\
. initial-key 257 3 8 \"AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3\n\
+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv\n\
......@@ -2212,7 +2212,7 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
<userinput>yes</userinput>, DNSSEC validation will only occur
if at least one trust anchor has been explicitly configured
in <filename>named.conf</filename>
using a <command>dnssec-keys</command> statement (or the
using a <command>trust-anchors</command> statement (or the
<command>managed-keys</command> and <command>trusted-keys</command>
statements, both deprecated).
</para>
......@@ -2227,7 +2227,7 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
</para>
<para>
The keys specified in <command>dnssec-keys</command>
The keys specified in <command>trust-anchors</command>
copies of DNSKEY RRs for zones that are used to form the
first link in the cryptographic chain of trust. Keys configured
with the keyword <command>static-key</command> or
......@@ -2241,7 +2241,7 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
</para>
<para>
<command>dnssec-keys</command> is described in more detail
<command>trust-anchors</command> is described in more detail
later in this document.
</para>
......@@ -2264,7 +2264,7 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
</para>
<programlisting>
dnssec-keys {
trust-anchors {
/* Root Key */
"." initial-key 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwS
JxrGkxJWoZu6I7PzJu/E9gx4UC1zGAHlXKdE4zYIpRh
......@@ -3202,7 +3202,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
</row>
<row rowsep="0">
<entry colname="1">
<para><command>dnssec-keys</command></para>
<para><command>trust-anchors</command></para>
</entry>
<entry colname="2">
<para>
......@@ -3223,9 +3223,9 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
</entry>
<entry colname="2">
<para>
is identical to <command>dnssec-keys</command>;
is identical to <command>trust-anchors</command>;
this option is deprecated in favor
of <command>dnssec-keys</command> with
of <command>trust-anchors</command> with
the <command>initial-key</command> keyword,
and may be removed in a future release.
</para>
......@@ -3239,7 +3239,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
<para>
defines permanent trusted DNSSEC keys;
this option is deprecated in favor
of <command>dnssec-keys</command> with
of <command>trust-anchors</command> with
the <command>static-key</command> keyword,
and may be removed in a future release.
</para>
......@@ -4624,7 +4624,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
track managed DNSSEC keys (i.e., those configured using
the <command>initial-key</command> or
<command>initial-ds</command> keywords in a
<command>dnssec-keys</command> statement). By default,
<command>trust-anchors</command> statement). By default,
this is the working directory. The directory
<emphasis>must</emphasis> be writable by the effective
user ID of the <command>named</command> process.
......@@ -5062,7 +5062,7 @@ options {
as insecure.
</para>
<para>
Configured trust anchors in <command>dnssec-keys</command>
Configured trust anchors in <command>trust-anchors</command>
(or <command>managed-keys</command> or
<command>trusted-keys</command>, both deprecated)
that match a disabled algorithm will be ignored and treated
......@@ -5100,7 +5100,7 @@ options {
they are secure. If <userinput>no</userinput>, then normal
DNSSEC validation applies allowing for insecure answers to
be accepted. The specified domain must be defined as a
trust anchor, for instance in a <command>dnssec-keys</command>
trust anchor, for instance in a <command>trust-anchors</command>
statement, or <command>dnssec-validation auto</command> must
be active.
</para>
......@@ -6217,7 +6217,7 @@ options {
Causes <command>named</command> to send specially-formed
queries once per day to domains for which trust anchors
have been configured via, e.g.,
<command>dnssec-keys</command> or
<command>trust-anchors</command> or
<command>dnssec-validation auto</command>.
</para>
<para>
......@@ -6432,7 +6432,7 @@ options {
<para>
If set to <userinput>yes</userinput>, DNSSEC validation is
enabled, but a trust anchor must be manually configured
using a <command>dnssec-keys</command> statement (or
using a <command>trust-anchors</command> statement (or
the <command>managed-keys</command> or the
<command>trusted-keys</command> statements, both deprecated).
If there is no configured trust anchor, validation will
......@@ -10848,14 +10848,14 @@ example.com CNAME rpz-tcp-only.
</para>
</section>
<section xml:id="dnssec_keys"><info><title><command>dnssec-keys</command> Statement Grammar</title></info>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="dnssec-keys.grammar.xml"/>
<section xml:id="trust_anchors"><info><title><command>trust-anchors</command> Statement Grammar</title></info>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="trust-anchors.grammar.xml"/>
</section>
<section xml:id="dnssec-keys"><info><title><command>dnssec-keys</command> Statement Definition
<section xml:id="trust-anchors"><info><title><command>trust-anchors</command> Statement Definition
and Usage</title></info>
<para>
The <command>dnssec-keys</command> statement defines DNSSEC
The <command>trust-anchors</command> statement defines DNSSEC
trust anchors. DNSSEC is described in <xref linkend="DNSSEC"/>.
</para>
<para>
......@@ -10874,21 +10874,21 @@ example.com CNAME rpz-tcp-only.
the <command>validate-except</command> option).
</para>
<para>
All keys listed in <command>dnssec-keys</command>, and
All keys listed in <command>trust-anchors</command>, and
their corresponding zones, are deemed to exist regardless
of what parent zones say. Only keys configured as trust anchors
are used to validate the DNSKEY RRset for the corresponding
name. The parent's DS RRset will not be used.
</para>
<para>
<command>dnssec-keys</command> may be set at the top level
<command>trust-anchors</command> may be set at the top level