Rename 'dnssec-keys' to 'trust-anchors'

CHANGES

+5332.	[func]		Renamed "dnssec-keys" configuration statement
+			to the more descriptive "trust-anchors".
+
 5331.	[func]		Use compiler-provided mechanisms for thread local
 			storage, and make the requirement for such mechanisms
 			explicit in configure. [GL #1444]

README.md

@@ -131,8 +131,8 @@ include:
   for zones, enabling automatic key regeneration and rollover.
 * New new network manager based on libuv.
 * Support for the new GeoIP2 geolocation API
-* Improved DNSSEC trust anchor configuration using `dnssec-keys`,
-  permitting configuration of trust anchors in DS as well as
+* Improved DNSSEC trust anchor configuration using the `trust-anchors`
+  statement, permitting configuration of trust anchors in DS as well as
   DNSKEY format.
 * YAML output for `dig`, `mdig`, and `delv`.
 

bin/delv/delv.c

@@ -140,7 +140,7 @@ static dns_fixedname_t afn;
 static dns_name_t *anchor_name = NULL;
 
 /* Default bind.keys contents */
-static char anchortext[] = DNSSEC_KEYS;
+static char anchortext[] = TRUST_ANCHORS;
 
 /*
  * Static function prototypes
@@ -819,7 +819,7 @@ setup_dnsseckeys(dns_client_t *client) {
 	cfg_parser_t *parser = NULL;
 	const cfg_obj_t *trusted_keys = NULL;
 	const cfg_obj_t *managed_keys = NULL;
-	const cfg_obj_t *dnssec_keys = NULL;
+	const cfg_obj_t *trust_anchors = NULL;
 	cfg_obj_t *bindkeys = NULL;
 	const char *filename = anchorfile;
 
@@ -878,7 +878,7 @@ setup_dnsseckeys(dns_client_t *client) {
 	INSIST(bindkeys != NULL);
 	cfg_map_get(bindkeys, "trusted-keys", &trusted_keys);
 	cfg_map_get(bindkeys, "managed-keys", &managed_keys);
-	cfg_map_get(bindkeys, "dnssec-keys", &dnssec_keys);
+	cfg_map_get(bindkeys, "trust-anchors", &trust_anchors);
 
 	if (trusted_keys != NULL) {
 		CHECK(load_keys(trusted_keys, client));
@@ -886,8 +886,8 @@ setup_dnsseckeys(dns_client_t *client) {
 	if (managed_keys != NULL) {
 		CHECK(load_keys(managed_keys, client));
 	}
-	if (dnssec_keys != NULL) {
-		CHECK(load_keys(dnssec_keys, client));
+	if (trust_anchors != NULL) {
+		CHECK(load_keys(trust_anchors, client));
 	}
 	result = ISC_R_SUCCESS;
 

bin/delv/delv.docbook

@@ -215,7 +215,7 @@
 	  </para>
 	  <para>
 	    Note: When reading the trust anchor file,
-	    <command>delv</command> treats <option>dnssec-keys</option>
+	    <command>delv</command> treats <option>trust-anchors</option>
 	    <option>initial-key</option> and <option>static-key</option>
 	    entries identically.  That is, even if a key is configured
 	    with <command>initial-key</command>, indicating that it is

bin/named/config.c

@@ -296,7 +296,7 @@ view \"_bind\" chaos {\n\
 # BEGIN DNSSEC KEYS\n"
 
 /* Imported from bind.keys.h: */
-DNSSEC_KEYS
+TRUST_ANCHORS
 
 "# END MANAGED KEYS\n\
 \n\

bin/named/named.conf.docbook

@@ -110,15 +110,6 @@ dlz <replaceable>string</replaceable> {
 </literallayout>
   </refsection>
 
-  <refsection><info><title>DNSSEC-KEYS</title></info>
-    <literallayout class="normal">
-dnssec-keys { <replaceable>string</replaceable> ( static-key |
-    initial-key | static-ds | initial-ds )
-    <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable>
-    <replaceable>quoted_string</replaceable>; ... };
-</literallayout>
-  </refsection>
-
   <refsection><info><title>DYNDB</title></info>
     <literallayout class="normal">
 dyndb <replaceable>string</replaceable> <replaceable>quoted_string</replaceable> {
@@ -156,7 +147,7 @@ logging {
   </refsection>
 
   <refsection><info><title>MANAGED-KEYS</title></info>
-  <para>Deprecated - see DNSSEC-KEYS.</para>
+  <para>Deprecated - see TRUST-ANCHORS.</para>
     <literallayout class="normal">
 managed-keys { <replaceable>string</replaceable> ( static-key
     | initial-key | static-ds |
@@ -527,8 +518,17 @@ statistics-channels {
 </literallayout>
   </refsection>
 
+  <refsection><info><title>TRUST-ANCHORS</title></info>
+    <literallayout class="normal">
+trust-anchors { <replaceable>string</replaceable> ( static-key |
+    initial-key | static-ds | initial-ds )
+    <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable>
+    <replaceable>quoted_string</replaceable>; ... };
+</literallayout>
+  </refsection>
+
   <refsection><info><title>TRUSTED-KEYS</title></info>
-  <para>Deprecated - see DNSSEC-KEYS.</para>
+  <para>Deprecated - see TRUST-ANCHORS.</para>
     <literallayout class="normal">
 trusted-keys { <replaceable>string</replaceable> <replaceable>integer</replaceable>
     <replaceable>integer</replaceable> <replaceable>integer</replaceable>
@@ -607,10 +607,6 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
 	dnsrps-options { <replaceable>unspecified-text</replaceable> };
 	dnssec-accept-expired <replaceable>boolean</replaceable>;
 	dnssec-dnskey-kskonly <replaceable>boolean</replaceable>;
-	dnssec-keys { <replaceable>string</replaceable> ( static-key |
-	    initial-key | static-ds | initial-ds
-	    ) <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable>
-	    <replaceable>quoted_string</replaceable>; ... };
 	dnssec-loadkeys-interval <replaceable>integer</replaceable>;
 	dnssec-must-be-secure <replaceable>string</replaceable> <replaceable>boolean</replaceable>;
 	dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
@@ -801,6 +797,10 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
 	transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> | * )
 	    ] [ dscp <replaceable>integer</replaceable> ];
 	trust-anchor-telemetry <replaceable>boolean</replaceable>; // experimental
+	trust-anchors { <replaceable>string</replaceable> ( static-key |
+	    initial-key | static-ds | initial-ds
+	    ) <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable>
+	    <replaceable>quoted_string</replaceable>; ... };
 	trusted-keys { <replaceable>string</replaceable>
 	    <replaceable>integer</replaceable> <replaceable>integer</replaceable>
 	    <replaceable>integer</replaceable>

bin/named/server.c

@@ -1012,7 +1012,7 @@ process_key(const cfg_obj_t *key, dns_keytable_t *secroots,
 	}
 
 	/*
-	 * Add the key to 'secroots'.  Keys from a "dnssec-keys" or
+	 * Add the key to 'secroots'.  Keys from a "trust-anchors" or
 	 * "managed-keys" statement may be either static or initializing
 	 * keys. If it's not initializing, we don't want to treat it as
 	 * managed, so we use 'initializing' twice here, for both the
@@ -1124,9 +1124,9 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 	const cfg_obj_t *view_keys = NULL;
 	const cfg_obj_t *global_keys = NULL;
 	const cfg_obj_t *view_managed_keys = NULL;
-	const cfg_obj_t *view_dnssec_keys = NULL;
+	const cfg_obj_t *view_trust_anchors = NULL;
 	const cfg_obj_t *global_managed_keys = NULL;
-	const cfg_obj_t *global_dnssec_keys = NULL;
+	const cfg_obj_t *global_trust_anchors = NULL;
 	const cfg_obj_t *maps[4];
 	const cfg_obj_t *voptions = NULL;
 	const cfg_obj_t *options = NULL;
@@ -1147,11 +1147,11 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 			(void) cfg_map_get(voptions, "trusted-keys",
 					   &view_keys);
 
-			/* managed-keys and dnssec-keys are synonyms. */
+			/* managed-keys and trust-anchors are synonyms. */
 			(void) cfg_map_get(voptions, "managed-keys",
 					   &view_managed_keys);
-			(void) cfg_map_get(voptions, "dnssec-keys",
-					   &view_dnssec_keys);
+			(void) cfg_map_get(voptions, "trust-anchors",
+					   &view_trust_anchors);
 
 			maps[i++] = voptions;
 		}
@@ -1160,9 +1160,10 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 	if (config != NULL) {
 		(void)cfg_map_get(config, "trusted-keys", &global_keys);
 
-		/* managed-keys and dnssec-keys are synonyms. */
+		/* managed-keys and trust-anchors are synonyms. */
 		(void)cfg_map_get(config, "managed-keys", &global_managed_keys);
-		(void)cfg_map_get(config, "dnssec-keys", &global_dnssec_keys);
+		(void)cfg_map_get(config, "trust-anchors",
+				  &global_trust_anchors);
 
 		(void)cfg_map_get(config, "options", &options);
 		if (options != NULL) {
@@ -1194,7 +1195,7 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 
 		/*
 		 * If bind.keys exists and is populated, it overrides
-		 * the dnssec-keys clause hard-coded in named_g_config.
+		 * the trust-anchors clause hard-coded in named_g_config.
 		 */
 		if (bindkeys != NULL) {
 			isc_log_write(named_g_lctx, DNS_LOGCATEGORY_SECURITY,
@@ -1203,7 +1204,7 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 				      "from '%s'",
 				      view->name, named_g_server->bindkeysfile);
 
-			(void)cfg_map_get(bindkeys, "dnssec-keys",
+			(void)cfg_map_get(bindkeys, "trust-anchors",
 					  &builtin_keys);
 
 			if (builtin_keys == NULL) {
@@ -1223,7 +1224,7 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 				      "using built-in root key for view %s",
 				      view->name);
 
-			(void)cfg_map_get(named_g_config, "dnssec-keys",
+			(void)cfg_map_get(named_g_config, "trust-anchors",
 					  &builtin_keys);
 		}
 
@@ -1243,13 +1244,13 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 
 	if (view->rdclass == dns_rdataclass_in) {
 		CHECK(load_view_keys(view_keys, view, false, NULL, mctx));
-		CHECK(load_view_keys(view_dnssec_keys, view, true, NULL,
+		CHECK(load_view_keys(view_trust_anchors, view, true, NULL,
 				     mctx));
 		CHECK(load_view_keys(view_managed_keys, view, true, NULL,
 				     mctx));
 
 		CHECK(load_view_keys(global_keys, view, false, NULL, mctx));
-		CHECK(load_view_keys(global_dnssec_keys, view, true,
+		CHECK(load_view_keys(global_trust_anchors, view, true,
 				     NULL, mctx));
 		CHECK(load_view_keys(global_managed_keys, view, true,
 				     NULL, mctx));

bin/rndc/rndc.docbook

@@ -773,7 +773,7 @@
 	<listitem>
 	  <para>
 	    Dump the security roots (i.e., trust anchors
-	    configured via <command>dnssec-keys</command> statements, or the
+	    configured via <command>trust-anchors</command> statements, or the
 	    managed-keys or trusted-keys statements (both deprecated), or
 	    via <command>dnssec-validation auto</command>) and negative trust
 	    anchors for the specified views.  If no view is specified, all

bin/tests/system/checkconf/bad-ds-key-1.conf

@@ -9,7 +9,7 @@
  * information regarding copyright ownership.
  */
 
-dnssec-keys {
+trust-anchors {
 	example. initial-ds 60724 5 1 "D74CF845955A0DFE604AF215E948E67D2EA94FF3";
         example. initial-key 257 3 5 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbody0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQYfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuwE60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn6zqCkwuMmrU=";
 };

bin/tests/system/checkconf/bad-ds-key-2.conf

@@ -9,7 +9,7 @@
  * information regarding copyright ownership.
  */
 
-dnssec-keys {
+trust-anchors {
 	example. static-ds 60724 5 1 "D74CF845955A0DFE604AF215E948E67D2EA94FF3";
         example. static-key 257 3 5 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbody0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQYfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuwE60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn6zqCkwuMmrU=";
 };

bin/tests/system/checkconf/bad-duplicate-key.conf

@@ -13,7 +13,7 @@ options {
 	dnssec-validation yes;
 };
 
-dnssec-keys {
+trust-anchors {
 	example. initial-key 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl
 		25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG
 		tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY
@@ -23,7 +23,7 @@ dnssec-keys {
 		NQyrszHhWUU=";
 };
 
-dnssec-keys {
+trust-anchors {
 	example. static-key 257 3 8 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbod
 		y0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQ
 		YfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX

bin/tests/system/checkconf/bad-duplicate-root-key.conf

@@ -13,7 +13,7 @@ options {
 	dnssec-validation yes;
 };
 
-dnssec-keys {
+trust-anchors {
 	. initial-key 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl
 		25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG
 		tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY

bin/tests/system/checkconf/bad-root-mixed-key.conf

@@ -9,7 +9,7 @@
  * information regarding copyright ownership.
  */
 
-dnssec-keys {
+trust-anchors {
 	# This key (19036) is to be phased out starting in 2017. It will
 	# remain in the root zone for some time after its successor key
 	# has been added. It will remain this file until it is removed from

bin/tests/system/checkconf/bad-static-initial-1.conf

@@ -9,7 +9,7 @@
  * information regarding copyright ownership.
  */
 
-dnssec-keys {
+trust-anchors {
 	example. initial-ds 60724 5 1 "D74CF845955A0DFE604AF215E948E67D2EA94FF3";
 	example. static-ds 60724 5 2 "29E79B9064EE1A11DF3BFF19581DDFED7952C22CC204ACE17B6007EB1437E9E6";
 };

bin/tests/system/checkconf/bad-static-initial-2.conf

@@ -9,7 +9,7 @@
  * information regarding copyright ownership.
  */
 
-dnssec-keys {
+trust-anchors {
 	example. initial-ds 60724 5 1 "D74CF845955A0DFE604AF215E948E67D2EA94FF3";
         example. static-key 257 3 5 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbody0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQYfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuwE60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn6zqCkwuMmrU=";
 };

bin/tests/system/checkconf/bad-static-initial-3.conf

@@ -9,7 +9,7 @@
  * information regarding copyright ownership.
  */
 
-dnssec-keys {
+trust-anchors {
 	example. static-ds 60724 5 1 "D74CF845955A0DFE604AF215E948E67D2EA94FF3";
         example. initial-key 257 3 5 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbody0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQYfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuwE60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn6zqCkwuMmrU=";
 };

bin/tests/system/checkconf/bad-static-initial-4.conf

@@ -9,7 +9,7 @@
  * information regarding copyright ownership.
  */
 
-dnssec-keys {
+trust-anchors {
         example. initial-key 257 3 5 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafGtURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJYkYrFYGLzYAgl/JtMyVVYlBl9pqxQuAPKYPOuO1axaad/wLN3+wTy/hcJfpvJpqzXlDF9bI5RmpoX/7geZ06vpcYJEoT0xkkmPlEl0ZjEDrm/WIaSWG0/CEDpHcOXFz4OEczMVpY+lnuFfKybwF1WHFn2BwVEOS6cMM6ukIjINQyrszHhWUU=";
         example. static-key 257 3 5 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbody0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQYfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuwE60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn6zqCkwuMmrU=";
 };

bin/tests/system/checkconf/bad-validation-auto-key.conf

@@ -13,7 +13,7 @@ options {
 	dnssec-validation auto;
 };
 
-dnssec-keys {
+trust-anchors {
 	. static-key 257 3 8 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbod
 		y0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQ
 		YfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX

bin/tests/system/checkconf/check-mixed-keys.conf

@@ -9,7 +9,7 @@
  * information regarding copyright ownership.
  */
 
-dnssec-keys {
+trust-anchors {
 	# This key (19036) is to be phased out starting in 2017. It will
 	# remain in the root zone for some time after its successor key
 	# has been added. It will remain this file until it is removed from

bin/tests/system/checkconf/check-root-ksk-2010.conf

@@ -9,7 +9,7 @@
  * information regarding copyright ownership.
  */
 
-dnssec-keys {
+trust-anchors {
 	# This key (19036) is to be phased out starting in 2017. It will
 	# remain in the root zone for some time after its successor key
 	# has been added. It will remain this file until it is removed from

bin/tests/system/checkconf/check-root-ksk-2017.conf

@@ -9,7 +9,7 @@
  * information regarding copyright ownership.
  */
 
-dnssec-keys {
+trust-anchors {
 	# This key (20326) was published in the root zone in 2017.
 	# Servers which were already using the old key (19036) should
 	# roll seamlessly to this new one via RFC 5011 rollover. Servers

bin/tests/system/checkconf/check-root-ksk-both.conf

@@ -9,7 +9,7 @@
  * information regarding copyright ownership.
  */
 
-dnssec-keys {
+trust-anchors {
 	# This key (19036) is to be phased out starting in 2017. It will
 	# remain in the root zone for some time after its successor key
 	# has been added. It will remain this file until it is removed from

bin/tests/system/checkconf/check-root-static-ds.conf

@@ -9,6 +9,6 @@
  * information regarding copyright ownership.
  */
 
-dnssec-keys {
+trust-anchors {
         . static-ds 20326 8 2 "E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D";
 };

bin/tests/system/checkconf/check-root-static-key.conf

@@ -9,7 +9,7 @@
  * information regarding copyright ownership.
  */
 
-dnssec-keys {
+trust-anchors {
 	# This key (20326) was published in the root zone in 2017.
 	# Servers which were already using the old key (19036) should
 	# roll seamlessly to this new one via RFC 5011 rollover. Servers

bin/tests/system/checkconf/good-dup-managed-key.conf

@@ -13,7 +13,7 @@ options {
 	dnssec-validation yes;
 };
 
-dnssec-keys {
+trust-anchors {
 	example. initial-key 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl
 		25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG
 		tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY

bin/tests/system/checkconf/good-initial-ds.conf

@@ -9,6 +9,6 @@
  * information regarding copyright ownership.
  */
 
-dnssec-keys {
+trust-anchors {
 	example. initial-ds 60724 5 2 "29E79B9064EE1A11DF3BFF19581DDFED7952C22CC204ACE17B6007EB1437E9E6";
 };

bin/tests/system/checkconf/good-static-ds.conf

@@ -9,6 +9,6 @@
  * information regarding copyright ownership.
  */
 
-dnssec-keys {
+trust-anchors {
 	example. static-ds 60724 5 2 "29E79B9064EE1A11DF3BFF19581DDFED7952C22CC204ACE17B6007EB1437E9E6";
 };

bin/tests/system/checkconf/tests.sh

@@ -458,7 +458,7 @@ if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
 status=`expr $status + $ret`
 
 n=`expr $n + 1`
-echo_i "check that using dnssec-keys and managed-keys generates an error ($n)"
+echo_i "check that using trust-anchors and managed-keys generates an error ($n)"
 ret=0
 $CHECKCONF check-mixed-keys.conf > checkconf.out$n 2>/dev/null && ret=1
 grep "use of managed-keys is not allowed" checkconf.out$n > /dev/null || ret=1

bin/tests/system/conf.sh.common

@@ -264,31 +264,31 @@ keyfile_to_dskeys() {
 }
 
 # keyfile_to_static_keys: convert key data contained in the keyfile(s)
-# provided to a *static-key* "dnssec-keys" section suitable for including in a
-# resolver's configuration file
+# provided to a *static-key* "trust-anchors" section suitable for including in
+# a resolver's configuration file
 keyfile_to_static_keys() {
-    keyfile_to_keys "dnssec-keys" "static-key" $*
+    keyfile_to_keys "trust-anchors" "static-key" $*
 }
 
 # keyfile_to_initial_keys: convert key data contained in the keyfile(s)
-# provided to an *initial-key* "dnssec-keys" section suitable for including
+# provided to an *initial-key* "trust-anchors" section suitable for including
 # in a resolver's configuration file
 keyfile_to_initial_keys() {
-    keyfile_to_keys "dnssec-keys" "initial-key" $*
+    keyfile_to_keys "trust-anchors" "initial-key" $*
 }
 
 # keyfile_to_static_ds_keys: convert key data contained in the keyfile(s)
-# provided to a *static-ds* "dnssec-keys" section suitable for including in a
+# provided to a *static-ds* "trust-anchors" section suitable for including in a
 # resolver's configuration file
 keyfile_to_static_ds() {
-    keyfile_to_dskeys "dnssec-keys" "static-ds" $*
+    keyfile_to_dskeys "trust-anchors" "static-ds" $*
 }
 
 # keyfile_to_initial_ds_keys: convert key data contained in the keyfile(s)
-# provided to an *initial-ds* "dnssec-keys" section suitable for including
+# provided to an *initial-ds* "trust-anchors" section suitable for including
 # in a resolver's configuration file
 keyfile_to_initial_ds() {
-    keyfile_to_dskeys "dnssec-keys" "initial-ds" $*
+    keyfile_to_dskeys "trust-anchors" "initial-ds" $*
 }
 
 # keyfile_to_key_id: convert a key file name to a key ID

bin/tests/system/legacy/ns1/trusted.conf

-dnssec-keys {
+trust-anchors {
     "edns512-notcp." static-key 257 3 10 "AwEAAcEBkn/cuVhdRTWMHt19O7h9F4Hx2t68u1JUZg7swLLvwfljqnNYjsKYk9EzUhIaYOAHtVe7//cYwoVU4BFhY2DGbx1YE1LnKIGxfqpopFxDZC34TTl6jpoTP6kvj+XpeO0HfF2+DcyNgnQcMGgHXyLWeRUJFt1As6o9tmsBiInGIZMTE3/rANhtAGMLNzhRLN7CS/Tc5GhKaL66uebyEYenEOAyDVgsuhr8Q9D5ka6xZmxzXFVswy2KvsSxu9aoxVq4nACjIeTZ4GJy0v83zclV7hA+5jlPDXMFtIpvwux5XALrNkUUPq+Fb5sc5/u141LcvdASnlk58I77HbsnfausvDxdYYxEns7K9e9N85dwyreM/OGTmm8p4hNDngZESAea7MrSCsJpOGn9XLkVe6gZnBgB1cra+ezzTSWn+4QH17lIhFXYNjMV83df2h/gH3Gmthqnr9RgknZga8B/Czc7TeX6iy2gAOshKGyb6w12eJim1L8tS5T138V8d6SigzxZz1raiJNolVhXyA8SbbDpgBrcoEXN/WjwvWI+2ol5gzlqMeNw/F9SMoWdpGIWkkNCNWBbhLWhp6qfhpRLUFwVys54LGOIGSVRd9uJmc2hPdXoP8ephnCIeNJb8Zp6DnpssyN0JaF815dKkOHff9GEjaiRLj0xWvtZSqNFaGoB";
 };

bin/tests/system/mkeys/README

@@ -11,7 +11,7 @@ ns2 is a validator that uses managed keys.  "-T mkeytimers=2/20/40"
 is used so it will attempt do automated updates frequently. "-T tat=1"
 is used so it will send TAT queries once per second.
 
-ns3 is a validator with a broken initializing key in dnssec-keys.
+ns3 is a validator with a broken initializing key in trust-anchors.
 
 ns4 is a validator with a deliberately broken managed-keys.bind and
 managed-keys.jnl, causing RFC 5011 initialization to fail.

bin/tests/system/mkeys/ns3/named.conf.in

@@ -41,6 +41,6 @@ zone "." {
 };
 
 # purposely broken key for testing
-dnssec-keys {
+trust-anchors {
     "." initial-key 257 3 5 "PURPOSELYBROKEN/xs9iVj7QekClcpzjCf0JrvXW1z07hNMqMm6Q2FtIXMbRgfvTtHF3/ZNvcewT9hpfczC+JACHsQSYYdr7UI8oe4nJfal9+2F3pz4a+HR6CqkgrR6WLWQI1Q==";
 };

bin/tests/system/rpz/setup.sh

@@ -86,7 +86,7 @@ signzone () {
     KEYNAME=`$KEYGEN -q -a rsasha256 -K $1 $2`
     cat $1/$3 $1/$KEYNAME.key > $1/tmp
     $SIGNER -P -K $1 -o $2 -f $1/$4 $1/tmp >/dev/null
-    sed -n -e 's/\(.*\) IN DNSKEY \([0-9]\{1,\} [0-9]\{1,\} [0-9]\{1,\}\) \(.*\)/dnssec-keys {"\1" static-key \2 "\3";};/p' $1/$KEYNAME.key >>trusted.conf
+    sed -n -e 's/\(.*\) IN DNSKEY \([0-9]\{1,\} [0-9]\{1,\} [0-9]\{1,\}\) \(.*\)/trust-anchors {"\1" static-key \2 "\3";};/p' $1/$KEYNAME.key >>trusted.conf
     DSFILENAME=dsset-${2}${TP}
     rm $DSFILENAME $1/tmp
 }

bind.keys

@@ -26,7 +26,7 @@
 # See https://data.iana.org/root-anchors/root-anchors.xml for current trust
 # anchor information for the root zone.
 
-dnssec-keys {
+trust-anchors {
         # This key (20326) was published in the root zone in 2017.
         . initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
                 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv

bind.keys.h

 #ifndef BIND_KEYS_H
 #define BIND_KEYS_H 1
-#define DNSSEC_KEYS "\
+#define TRUST_ANCHORS "\
 # The bind.keys file is used to override the built-in DNSSEC trust anchors\n\
 # which are included as part of BIND 9.  The only trust anchors it contains\n\
 # are for the DNS root zone (\".\").  Trust anchors for any other zones MUST\n\
@@ -29,7 +29,7 @@
 # See https://data.iana.org/root-anchors/root-anchors.xml for current trust\n\
 # anchor information for the root zone.\n\
 \n\
-dnssec-keys {\n\
+trust-anchors {\n\
         # This key (20326) was published in the root zone in 2017.\n\
         . initial-key 257 3 8 \"AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3\n\
                 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv\n\

doc/arm/Bv9ARM-book.xml

@@ -2212,7 +2212,7 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
 	  <userinput>yes</userinput>, DNSSEC validation will only occur
 	  if at least one trust anchor has been explicitly configured
 	  in <filename>named.conf</filename>
-	  using a <command>dnssec-keys</command> statement (or the
+	  using a <command>trust-anchors</command> statement (or the
 	  <command>managed-keys</command> and <command>trusted-keys</command>
 	  statements, both deprecated).
 	</para>
@@ -2227,7 +2227,7 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
 	</para>
 
 	<para>
-	  The keys specified in <command>dnssec-keys</command>
+	  The keys specified in <command>trust-anchors</command>
 	  copies of DNSKEY RRs for zones that are used to form the
 	  first link in the cryptographic chain of trust.  Keys configured
 	  with the keyword <command>static-key</command> or
@@ -2241,7 +2241,7 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
 	</para>
 
 	<para>
-	  <command>dnssec-keys</command> is described in more detail
+	  <command>trust-anchors</command> is described in more detail
 	  later in this document.
 	</para>
 
@@ -2264,7 +2264,7 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
 	</para>
 
 <programlisting>
-dnssec-keys {
+trust-anchors {
 	/* Root Key */
 	"." initial-key 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwS
 				 JxrGkxJWoZu6I7PzJu/E9gx4UC1zGAHlXKdE4zYIpRh
@@ -3202,7 +3202,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 	    </row>
 	    <row rowsep="0">
 	      <entry colname="1">
-		<para><command>dnssec-keys</command></para>
+		<para><command>trust-anchors</command></para>
 	      </entry>
 	      <entry colname="2">
 		<para>
@@ -3223,9 +3223,9 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 	      </entry>
 	      <entry colname="2">
 		<para>
-		  is identical to <command>dnssec-keys</command>;
+		  is identical to <command>trust-anchors</command>;
 		  this option is deprecated in favor
-		  of <command>dnssec-keys</command> with
+		  of <command>trust-anchors</command> with
 		  the <command>initial-key</command> keyword,
 		  and may be removed in a future release.
 		</para>
@@ -3239,7 +3239,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 		<para>
 		  defines permanent trusted DNSSEC keys;
 		  this option is deprecated in favor
-		  of <command>dnssec-keys</command> with
+		  of <command>trust-anchors</command> with
 		  the <command>static-key</command> keyword,
 		  and may be removed in a future release.
 		</para>
@@ -4624,7 +4624,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 		track managed DNSSEC keys (i.e., those configured using
 		the <command>initial-key</command> or
 		<command>initial-ds</command> keywords in a
-		<command>dnssec-keys</command> statement).  By default,
+		<command>trust-anchors</command> statement).  By default,
 		this is the working directory.  The directory
 		<emphasis>must</emphasis> be writable by the effective
 		user ID of the <command>named</command> process.
@@ -5062,7 +5062,7 @@ options {
 		as insecure.
 	      </para>
 	      <para>
-		Configured trust anchors in <command>dnssec-keys</command>
+		Configured trust anchors in <command>trust-anchors</command>
 		(or <command>managed-keys</command> or
 		<command>trusted-keys</command>, both deprecated)
 		that match a disabled algorithm will be ignored and treated
@@ -5100,7 +5100,7 @@ options {
 		they are secure.  If <userinput>no</userinput>, then normal
 		DNSSEC validation applies allowing for insecure answers to
 		be accepted.  The specified domain must be defined as a
-		trust anchor, for instance in a <command>dnssec-keys</command>
+		trust anchor, for instance in a <command>trust-anchors</command>
 		statement, or <command>dnssec-validation auto</command> must
 		be active.
 	      </para>
@@ -6217,7 +6217,7 @@ options {
 		  Causes <command>named</command> to send specially-formed
 		  queries once per day to domains for which trust anchors
 		  have been configured via, e.g.,
-		  <command>dnssec-keys</command> or
+		  <command>trust-anchors</command> or
 		  <command>dnssec-validation auto</command>.
 		</para>
 		<para>
@@ -6432,7 +6432,7 @@ options {
 		<para>
 		  If set to <userinput>yes</userinput>, DNSSEC validation is
 		  enabled, but a trust anchor must be manually configured
-		  using a <command>dnssec-keys</command> statement (or
+		  using a <command>trust-anchors</command> statement (or
 		  the <command>managed-keys</command> or the
 		  <command>trusted-keys</command> statements, both deprecated).
 		  If there is no configured trust anchor, validation will
@@ -10848,14 +10848,14 @@ example.com                 CNAME   rpz-tcp-only.
 	  </para>
 	</section>
 
-	<section xml:id="dnssec_keys"><info><title><command>dnssec-keys</command> Statement Grammar</title></info>
-	<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="dnssec-keys.grammar.xml"/>
+	<section xml:id="trust_anchors"><info><title><command>trust-anchors</command> Statement Grammar</title></info>
+	<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="trust-anchors.grammar.xml"/>
 	</section>
-	<section xml:id="dnssec-keys"><info><title><command>dnssec-keys</command> Statement Definition
+	<section xml:id="trust-anchors"><info><title><command>trust-anchors</command> Statement Definition
 	    and Usage</title></info>
 
 	  <para>
-	    The <command>dnssec-keys</command> statement defines DNSSEC
+	    The <command>trust-anchors</command> statement defines DNSSEC
 	    trust anchors.  DNSSEC is described in <xref linkend="DNSSEC"/>.
 	  </para>
 	  <para>
@@ -10874,21 +10874,21 @@ example.com                 CNAME   rpz-tcp-only.
 	    the <command>validate-except</command> option).
 	  </para>
 	  <para>
-	    All keys listed in <command>dnssec-keys</command>, and
+	    All keys listed in <command>trust-anchors</command>, and
 	    their corresponding zones, are deemed to exist regardless
 	    of what parent zones say.  Only keys configured as trust anchors
 	    are used to validate the DNSKEY RRset for the corresponding
 	    name. The parent's DS RRset will not be used.
 	  </para>
 	  <para>
-	    <command>dnssec-keys</command> may be set at the top level
+	    <command>trust-anchors</command> may be set at the top level