Rename 'dnssec-keys' to 'trust-anchors'

8c37d3d3 · Matthijs Mekking · e2129fb1 · 8c37d3d3 · 8c37d3d3 · 8c37d3d3
Commit 8c37d3d3 authored Dec 04, 2019 by Matthijs Mekking 🏡
--- a/CHANGES
+++ b/CHANGES
+5332.	[func]		Renamed "dnssec-keys" configuration statement
+			to the more descriptive "trust-anchors".
+
 5331.	[func]		Use compiler-provided mechanisms for thread local
 			storage, and make the requirement for such mechanisms
 			explicit in configure. [GL #1444]

--- a/README.md
+++ b/README.md
@@ -131,8 +131,8 @@ include:
  for zones, enabling automatic key regeneration and rollover.
 * New new network manager based on libuv.
 * Support for the new GeoIP2 geolocation API
-* Improved DNSSEC trust anchor configuration using `dnssec-keys`,
-  permitting configuration of trust anchors in DS as well as
+* Improved DNSSEC trust anchor configuration using the `trust-anchors`
+  statement, permitting configuration of trust anchors in DS as well as
  DNSKEY format.
 * YAML output for `dig`, `mdig`, and `delv`.


--- a/bin/delv/delv.c
+++ b/bin/delv/delv.c
@@ -140,7 +140,7 @@ static dns_fixedname_t afn;
 static dns_name_t *anchor_name = NULL;

 /* Default bind.keys contents */
-static char anchortext[] = DNSSEC_KEYS;
+static char anchortext[] = TRUST_ANCHORS;

 /*
 * Static function prototypes
@@ -819,7 +819,7 @@ setup_dnsseckeys(dns_client_t *client) {
 	cfg_parser_t *parser = NULL;
 	const cfg_obj_t *trusted_keys = NULL;
 	const cfg_obj_t *managed_keys = NULL;
-	const cfg_obj_t *dnssec_keys = NULL;
+	const cfg_obj_t *trust_anchors = NULL;
 	cfg_obj_t *bindkeys = NULL;
 	const char *filename = anchorfile;

@@ -878,7 +878,7 @@ setup_dnsseckeys(dns_client_t *client) {
 	INSIST(bindkeys != NULL);
 	cfg_map_get(bindkeys, "trusted-keys", &trusted_keys);
 	cfg_map_get(bindkeys, "managed-keys", &managed_keys);
-	cfg_map_get(bindkeys, "dnssec-keys", &dnssec_keys);
+	cfg_map_get(bindkeys, "trust-anchors", &trust_anchors);

 	if (trusted_keys != NULL) {
 		CHECK(load_keys(trusted_keys, client));
@@ -886,8 +886,8 @@ setup_dnsseckeys(dns_client_t *client) {
 	if (managed_keys != NULL) {
 		CHECK(load_keys(managed_keys, client));
 	}
-	if (dnssec_keys != NULL) {
-		CHECK(load_keys(dnssec_keys, client));
+	if (trust_anchors != NULL) {
+		CHECK(load_keys(trust_anchors, client));
 	}
 	result = ISC_R_SUCCESS;


--- a/bin/delv/delv.docbook
+++ b/bin/delv/delv.docbook
@@ -215,7 +215,7 @@
 	  </para>
 	  <para>
 	    Note: When reading the trust anchor file,
-	    <command>delv</command> treats <option>dnssec-keys</option>
+	    <command>delv</command> treats <option>trust-anchors</option>
 	    <option>initial-key</option> and <option>static-key</option>
 	    entries identically.  That is, even if a key is configured
 	    with <command>initial-key</command>, indicating that it is

--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -296,7 +296,7 @@ view \"_bind\" chaos {\n\
 # BEGIN DNSSEC KEYS\n"

 /* Imported from bind.keys.h: */
-DNSSEC_KEYS
+TRUST_ANCHORS

 "# END MANAGED KEYS\n\
 \n\

--- a/bin/named/named.conf.docbook
+++ b/bin/named/named.conf.docbook
@@ -110,15 +110,6 @@ dlz <replaceable>string</replaceable> {
 </literallayout>
  </refsection>

-  <refsection><info><title>DNSSEC-KEYS</title></info>
-    <literallayout class="normal">
-dnssec-keys { <replaceable>string</replaceable> ( static-key |
-    initial-key | static-ds | initial-ds )
-    <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable>
-    <replaceable>quoted_string</replaceable>; ... };
-</literallayout>
-  </refsection>
-
  <refsection><info><title>DYNDB</title></info>
    <literallayout class="normal">
 dyndb <replaceable>string</replaceable> <replaceable>quoted_string</replaceable> {
@@ -156,7 +147,7 @@ logging {
  </refsection>

  <refsection><info><title>MANAGED-KEYS</title></info>
-  <para>Deprecated - see DNSSEC-KEYS.</para>
+  <para>Deprecated - see TRUST-ANCHORS.</para>
    <literallayout class="normal">
 managed-keys { <replaceable>string</replaceable> ( static-key
    | initial-key | static-ds |
@@ -527,8 +518,17 @@ statistics-channels {
 </literallayout>
  </refsection>

+  <refsection><info><title>TRUST-ANCHORS</title></info>
+    <literallayout class="normal">
+trust-anchors { <replaceable>string</replaceable> ( static-key |
+    initial-key | static-ds | initial-ds )
+    <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable>
+    <replaceable>quoted_string</replaceable>; ... };
+</literallayout>
+  </refsection>
+
  <refsection><info><title>TRUSTED-KEYS</title></info>
-  <para>Deprecated - see DNSSEC-KEYS.</para>
+  <para>Deprecated - see TRUST-ANCHORS.</para>
    <literallayout class="normal">
 trusted-keys { <replaceable>string</replaceable> <replaceable>integer</replaceable>
    <replaceable>integer</replaceable> <replaceable>integer</replaceable>
@@ -607,10 +607,6 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
 	dnsrps-options { <replaceable>unspecified-text</replaceable> };
 	dnssec-accept-expired <replaceable>boolean</replaceable>;
 	dnssec-dnskey-kskonly <replaceable>boolean</replaceable>;
-	dnssec-keys { <replaceable>string</replaceable> ( static-key |
-	    initial-key | static-ds | initial-ds
-	    ) <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable>
-	    <replaceable>quoted_string</replaceable>; ... };
 	dnssec-loadkeys-interval <replaceable>integer</replaceable>;
 	dnssec-must-be-secure <replaceable>string</replaceable> <replaceable>boolean</replaceable>;
 	dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
@@ -801,6 +797,10 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
 	transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> | * )
 	    ] [ dscp <replaceable>integer</replaceable> ];
 	trust-anchor-telemetry <replaceable>boolean</replaceable>; // experimental
+	trust-anchors { <replaceable>string</replaceable> ( static-key |
+	    initial-key | static-ds | initial-ds
+	    ) <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable>
+	    <replaceable>quoted_string</replaceable>; ... };
 	trusted-keys { <replaceable>string</replaceable>
 	    <replaceable>integer</replaceable> <replaceable>integer</replaceable>
 	    <replaceable>integer</replaceable>

--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -1012,7 +1012,7 @@ process_key(const cfg_obj_t *key, dns_keytable_t *secroots,
 	}

 	/*
-	 * Add the key to 'secroots'.  Keys from a "dnssec-keys" or
+	 * Add the key to 'secroots'.  Keys from a "trust-anchors" or
 	 * "managed-keys" statement may be either static or initializing
 	 * keys. If it's not initializing, we don't want to treat it as
 	 * managed, so we use 'initializing' twice here, for both the
@@ -1124,9 +1124,9 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 	const cfg_obj_t *view_keys = NULL;
 	const cfg_obj_t *global_keys = NULL;
 	const cfg_obj_t *view_managed_keys = NULL;
-	const cfg_obj_t *view_dnssec_keys = NULL;
+	const cfg_obj_t *view_trust_anchors = NULL;
 	const cfg_obj_t *global_managed_keys = NULL;
-	const cfg_obj_t *global_dnssec_keys = NULL;
+	const cfg_obj_t *global_trust_anchors = NULL;
 	const cfg_obj_t *maps[4];
 	const cfg_obj_t *voptions = NULL;
 	const cfg_obj_t *options = NULL;
@@ -1147,11 +1147,11 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 			(void) cfg_map_get(voptions, "trusted-keys",
 					   &view_keys);

-			/* managed-keys and dnssec-keys are synonyms. */
+			/* managed-keys and trust-anchors are synonyms. */
 			(void) cfg_map_get(voptions, "managed-keys",
 					   &view_managed_keys);
-			(void) cfg_map_get(voptions, "dnssec-keys",
-					   &view_dnssec_keys);
+			(void) cfg_map_get(voptions, "trust-anchors",
+					   &view_trust_anchors);

 			maps[i++] = voptions;
 		}
@@ -1160,9 +1160,10 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 	if (config != NULL) {
 		(void)cfg_map_get(config, "trusted-keys", &global_keys);

-		/* managed-keys and dnssec-keys are synonyms. */
+		/* managed-keys and trust-anchors are synonyms. */
 		(void)cfg_map_get(config, "managed-keys", &global_managed_keys);
-		(void)cfg_map_get(config, "dnssec-keys", &global_dnssec_keys);
+		(void)cfg_map_get(config, "trust-anchors",
+				  &global_trust_anchors);

 		(void)cfg_map_get(config, "options", &options);
 		if (options != NULL) {
@@ -1194,7 +1195,7 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,

 		/*
 		 * If bind.keys exists and is populated, it overrides
-		 * the dnssec-keys clause hard-coded in named_g_config.
+		 * the trust-anchors clause hard-coded in named_g_config.
 		 */
 		if (bindkeys != NULL) {
 			isc_log_write(named_g_lctx, DNS_LOGCATEGORY_SECURITY,
@@ -1203,7 +1204,7 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 				      "from '%s'",
 				      view->name, named_g_server->bindkeysfile);

-			(void)cfg_map_get(bindkeys, "dnssec-keys",
+			(void)cfg_map_get(bindkeys, "trust-anchors",
 					  &builtin_keys);

 			if (builtin_keys == NULL) {
@@ -1223,7 +1224,7 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 				      "using built-in root key for view %s",
 				      view->name);

-			(void)cfg_map_get(named_g_config, "dnssec-keys",
+			(void)cfg_map_get(named_g_config, "trust-anchors",
 					  &builtin_keys);
 		}

@@ -1243,13 +1244,13 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,

 	if (view->rdclass == dns_rdataclass_in) {
 		CHECK(load_view_keys(view_keys, view, false, NULL, mctx));
-		CHECK(load_view_keys(view_dnssec_keys, view, true, NULL,
+		CHECK(load_view_keys(view_trust_anchors, view, true, NULL,
 				     mctx));
 		CHECK(load_view_keys(view_managed_keys, view, true, NULL,
 				     mctx));

 		CHECK(load_view_keys(global_keys, view, false, NULL, mctx));
-		CHECK(load_view_keys(global_dnssec_keys, view, true,
+		CHECK(load_view_keys(global_trust_anchors, view, true,
 				     NULL, mctx));
 		CHECK(load_view_keys(global_managed_keys, view, true,
 				     NULL, mctx));

--- a/bin/rndc/rndc.docbook
+++ b/bin/rndc/rndc.docbook
@@ -773,7 +773,7 @@
 	<listitem>
 	  <para>
 	    Dump the security roots (i.e., trust anchors
-	    configured via <command>dnssec-keys</command> statements, or the
+	    configured via <command>trust-anchors</command> statements, or the
 	    managed-keys or trusted-keys statements (both deprecated), or
 	    via <command>dnssec-validation auto</command>) and negative trust
 	    anchors for the specified views.  If no view is specified, all

--- a/bin/tests/system/checkconf/bad-ds-key-1.conf
+++ b/bin/tests/system/checkconf/bad-ds-key-1.conf
@@ -9,7 +9,7 @@
 * information regarding copyright ownership.
 */

-dnssec-keys {
+trust-anchors {
 	example. initial-ds 60724 5 1 "D74CF845955A0DFE604AF215E948E67D2EA94FF3";
        example. initial-key 257 3 5 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbody0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQYfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuwE60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn6zqCkwuMmrU=";
 };
--- a/bin/tests/system/checkconf/bad-ds-key-2.conf
+++ b/bin/tests/system/checkconf/bad-ds-key-2.conf
@@ -9,7 +9,7 @@
 * information regarding copyright ownership.
 */

-dnssec-keys {
+trust-anchors {
 	example. static-ds 60724 5 1 "D74CF845955A0DFE604AF215E948E67D2EA94FF3";
        example. static-key 257 3 5 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbody0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQYfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuwE60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn6zqCkwuMmrU=";
 };
--- a/bin/tests/system/checkconf/bad-duplicate-key.conf
+++ b/bin/tests/system/checkconf/bad-duplicate-key.conf
@@ -13,7 +13,7 @@ options {
 	dnssec-validation yes;
 };

-dnssec-keys {
+trust-anchors {
 	example. initial-key 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl
 		25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG
 		tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY
@@ -23,7 +23,7 @@ dnssec-keys {
 		NQyrszHhWUU=";
 };

-dnssec-keys {
+trust-anchors {
 	example. static-key 257 3 8 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbod
 		y0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQ
 		YfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX

--- a/bin/tests/system/checkconf/bad-duplicate-root-key.conf
+++ b/bin/tests/system/checkconf/bad-duplicate-root-key.conf
@@ -13,7 +13,7 @@ options {
 	dnssec-validation yes;
 };

-dnssec-keys {
+trust-anchors {
 	. initial-key 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl
 		25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG
 		tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY

--- a/bin/tests/system/checkconf/bad-root-mixed-key.conf
+++ b/bin/tests/system/checkconf/bad-root-mixed-key.conf
@@ -9,7 +9,7 @@
 * information regarding copyright ownership.
 */

-dnssec-keys {
+trust-anchors {
 	# This key (19036) is to be phased out starting in 2017. It will
 	# remain in the root zone for some time after its successor key
 	# has been added. It will remain this file until it is removed from

--- a/bin/tests/system/checkconf/bad-static-initial-1.conf
+++ b/bin/tests/system/checkconf/bad-static-initial-1.conf
@@ -9,7 +9,7 @@
 * information regarding copyright ownership.
 */

-dnssec-keys {
+trust-anchors {
 	example. initial-ds 60724 5 1 "D74CF845955A0DFE604AF215E948E67D2EA94FF3";
 	example. static-ds 60724 5 2 "29E79B9064EE1A11DF3BFF19581DDFED7952C22CC204ACE17B6007EB1437E9E6";
 };
--- a/bin/tests/system/checkconf/bad-static-initial-2.conf
+++ b/bin/tests/system/checkconf/bad-static-initial-2.conf
@@ -9,7 +9,7 @@
 * information regarding copyright ownership.
 */

-dnssec-keys {
+trust-anchors {
 	example. initial-ds 60724 5 1 "D74CF845955A0DFE604AF215E948E67D2EA94FF3";
        example. static-key 257 3 5 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbody0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQYfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuwE60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn6zqCkwuMmrU=";
 };
--- a/bin/tests/system/checkconf/bad-static-initial-3.conf
+++ b/bin/tests/system/checkconf/bad-static-initial-3.conf
@@ -9,7 +9,7 @@
 * information regarding copyright ownership.
 */

-dnssec-keys {
+trust-anchors {
 	example. static-ds 60724 5 1 "D74CF845955A0DFE604AF215E948E67D2EA94FF3";
        example. initial-key 257 3 5 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbody0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQYfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuwE60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn6zqCkwuMmrU=";
 };
--- a/bin/tests/system/checkconf/bad-static-initial-4.conf
+++ b/bin/tests/system/checkconf/bad-static-initial-4.conf
@@ -9,7 +9,7 @@
 * information regarding copyright ownership.
 */

-dnssec-keys {
+trust-anchors {
        example. initial-key 257 3 5 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafGtURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJYkYrFYGLzYAgl/JtMyVVYlBl9pqxQuAPKYPOuO1axaad/wLN3+wTy/hcJfpvJpqzXlDF9bI5RmpoX/7geZ06vpcYJEoT0xkkmPlEl0ZjEDrm/WIaSWG0/CEDpHcOXFz4OEczMVpY+lnuFfKybwF1WHFn2BwVEOS6cMM6ukIjINQyrszHhWUU=";
        example. static-key 257 3 5 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbody0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQYfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuwE60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn6zqCkwuMmrU=";
 };
--- a/bin/tests/system/checkconf/bad-validation-auto-key.conf
+++ b/bin/tests/system/checkconf/bad-validation-auto-key.conf
@@ -13,7 +13,7 @@ options {
 	dnssec-validation auto;
 };

-dnssec-keys {
+trust-anchors {
 	. static-key 257 3 8 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbod
 		y0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQ
 		YfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX

--- a/bin/tests/system/checkconf/check-mixed-keys.conf
+++ b/bin/tests/system/checkconf/check-mixed-keys.conf
@@ -9,7 +9,7 @@
 * information regarding copyright ownership.
 */

-dnssec-keys {
+trust-anchors {
 	# This key (19036) is to be phased out starting in 2017. It will
 	# remain in the root zone for some time after its successor key
 	# has been added. It will remain this file until it is removed from

--- a/bin/tests/system/checkconf/check-root-ksk-2010.conf
+++ b/bin/tests/system/checkconf/check-root-ksk-2010.conf
@@ -9,7 +9,7 @@
 * information regarding copyright ownership.
 */

-dnssec-keys {
+trust-anchors {
 	# This key (19036) is to be phased out starting in 2017. It will
 	# remain in the root zone for some time after its successor key
 	# has been added. It will remain this file until it is removed from