Rename 'dnssec-keys' to 'trust-anchors'

CHANGES

+5332.	[func]		Renamed "dnssec-keys" configuration statement
+			to the more descriptive "trust-anchors".
+
 5331.	[func]		Use compiler-provided mechanisms for thread local
 			storage, and make the requirement for such mechanisms
 			explicit in configure. [GL #1444]

README.md

@@ -131,8 +131,8 @@ include:
   for zones, enabling automatic key regeneration and rollover.
 * New new network manager based on libuv.
 * Support for the new GeoIP2 geolocation API
-* Improved DNSSEC trust anchor configuration using `dnssec-keys`,
-  permitting configuration of trust anchors in DS as well as
+* Improved DNSSEC trust anchor configuration using the `trust-anchors`
+  statement, permitting configuration of trust anchors in DS as well as
   DNSKEY format.
 * YAML output for `dig`, `mdig`, and `delv`.
 

bin/delv/delv.c

@@ -140,7 +140,7 @@ static dns_fixedname_t afn;
 static dns_name_t *anchor_name = NULL;
 
 /* Default bind.keys contents */
-static char anchortext[] = DNSSEC_KEYS;
+static char anchortext[] = TRUST_ANCHORS;
 
 /*
  * Static function prototypes
@@ -819,7 +819,7 @@ setup_dnsseckeys(dns_client_t *client) {
 	cfg_parser_t *parser = NULL;
 	const cfg_obj_t *trusted_keys = NULL;
 	const cfg_obj_t *managed_keys = NULL;
-	const cfg_obj_t *dnssec_keys = NULL;
+	const cfg_obj_t *trust_anchors = NULL;
 	cfg_obj_t *bindkeys = NULL;
 	const char *filename = anchorfile;
 
@@ -878,7 +878,7 @@ setup_dnsseckeys(dns_client_t *client) {
 	INSIST(bindkeys != NULL);
 	cfg_map_get(bindkeys, "trusted-keys", &trusted_keys);
 	cfg_map_get(bindkeys, "managed-keys", &managed_keys);
-	cfg_map_get(bindkeys, "dnssec-keys", &dnssec_keys);
+	cfg_map_get(bindkeys, "trust-anchors", &trust_anchors);
 
 	if (trusted_keys != NULL) {
 		CHECK(load_keys(trusted_keys, client));
@@ -886,8 +886,8 @@ setup_dnsseckeys(dns_client_t *client) {
 	if (managed_keys != NULL) {
 		CHECK(load_keys(managed_keys, client));
 	}
-	if (dnssec_keys != NULL) {
-		CHECK(load_keys(dnssec_keys, client));
+	if (trust_anchors != NULL) {
+		CHECK(load_keys(trust_anchors, client));
 	}
 	result = ISC_R_SUCCESS;
 

bin/delv/delv.docbook

@@ -215,7 +215,7 @@
 	  </para>
 	  <para>
 	    Note: When reading the trust anchor file,
-	    <command>delv</command> treats <option>dnssec-keys</option>
+	    <command>delv</command> treats <option>trust-anchors</option>
 	    <option>initial-key</option> and <option>static-key</option>
 	    entries identically.  That is, even if a key is configured
 	    with <command>initial-key</command>, indicating that it is

bin/named/config.c

@@ -296,7 +296,7 @@ view \"_bind\" chaos {\n\
 # BEGIN DNSSEC KEYS\n"
 
 /* Imported from bind.keys.h: */
-DNSSEC_KEYS
+TRUST_ANCHORS
 
 "# END MANAGED KEYS\n\
 \n\

bin/named/named.conf.docbook

@@ -110,15 +110,6 @@ dlz <replaceable>string</replaceable> {
 </literallayout>
   </refsection>
 
-  <refsection><info><title>DNSSEC-KEYS</title></info>
-    <literallayout class="normal">
-dnssec-keys { <replaceable>string</replaceable> ( static-key |
-    initial-key | static-ds | initial-ds )
-    <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable>
-    <replaceable>quoted_string</replaceable>; ... };
-</literallayout>
-  </refsection>
-
   <refsection><info><title>DYNDB</title></info>
     <literallayout class="normal">
 dyndb <replaceable>string</replaceable> <replaceable>quoted_string</replaceable> {
@@ -156,7 +147,7 @@ logging {
   </refsection>
 
   <refsection><info><title>MANAGED-KEYS</title></info>
-  <para>Deprecated - see DNSSEC-KEYS.</para>
+  <para>Deprecated - see TRUST-ANCHORS.</para>
     <literallayout class="normal">
 managed-keys { <replaceable>string</replaceable> ( static-key
     | initial-key | static-ds |
@@ -527,8 +518,17 @@ statistics-channels {
 </literallayout>
   </refsection>
 
+  <refsection><info><title>TRUST-ANCHORS</title></info>
+    <literallayout class="normal">
+trust-anchors { <replaceable>string</replaceable> ( static-key |
+    initial-key | static-ds | initial-ds )
+    <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable>
+    <replaceable>quoted_string</replaceable>; ... };
+</literallayout>
+  </refsection>
+
   <refsection><info><title>TRUSTED-KEYS</title></info>
-  <para>Deprecated - see DNSSEC-KEYS.</para>
+  <para>Deprecated - see TRUST-ANCHORS.</para>
     <literallayout class="normal">
 trusted-keys { <replaceable>string</replaceable> <replaceable>integer</replaceable>
     <replaceable>integer</replaceable> <replaceable>integer</replaceable>
@@ -607,10 +607,6 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
 	dnsrps-options { <replaceable>unspecified-text</replaceable> };
 	dnssec-accept-expired <replaceable>boolean</replaceable>;
 	dnssec-dnskey-kskonly <replaceable>boolean</replaceable>;
-	dnssec-keys { <replaceable>string</replaceable> ( static-key |
-	    initial-key | static-ds | initial-ds
-	    ) <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable>
-	    <replaceable>quoted_string</replaceable>; ... };
 	dnssec-loadkeys-interval <replaceable>integer</replaceable>;
 	dnssec-must-be-secure <replaceable>string</replaceable> <replaceable>boolean</replaceable>;
 	dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
@@ -801,6 +797,10 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
 	transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> | * )
 	    ] [ dscp <replaceable>integer</replaceable> ];
 	trust-anchor-telemetry <replaceable>boolean</replaceable>; // experimental
+	trust-anchors { <replaceable>string</replaceable> ( static-key |
+	    initial-key | static-ds | initial-ds
+	    ) <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable>
+	    <replaceable>quoted_string</replaceable>; ... };
 	trusted-keys { <replaceable>string</replaceable>
 	    <replaceable>integer</replaceable> <replaceable>integer</replaceable>
 	    <replaceable>integer</replaceable>

bin/named/server.c

@@ -1012,7 +1012,7 @@ process_key(const cfg_obj_t *key, dns_keytable_t *secroots,
 	}
 
 	/*
-	 * Add the key to 'secroots'.  Keys from a "dnssec-keys" or
+	 * Add the key to 'secroots'.  Keys from a "trust-anchors" or
 	 * "managed-keys" statement may be either static or initializing
 	 * keys. If it's not initializing, we don't want to treat it as
 	 * managed, so we use 'initializing' twice here, for both the
@@ -1124,9 +1124,9 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 	const cfg_obj_t *view_keys = NULL;
 	const cfg_obj_t *global_keys = NULL;
 	const cfg_obj_t *view_managed_keys = NULL;
-	const cfg_obj_t *view_dnssec_keys = NULL;
+	const cfg_obj_t *view_trust_anchors = NULL;
 	const cfg_obj_t *global_managed_keys = NULL;
-	const cfg_obj_t *global_dnssec_keys = NULL;
+	const cfg_obj_t *global_trust_anchors = NULL;
 	const cfg_obj_t *maps[4];
 	const cfg_obj_t *voptions = NULL;
 	const cfg_obj_t *options = NULL;
@@ -1147,11 +1147,11 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 			(void) cfg_map_get(voptions, "trusted-keys",
 					   &view_keys);
 
-			/* managed-keys and dnssec-keys are synonyms. */
+			/* managed-keys and trust-anchors are synonyms. */
 			(void) cfg_map_get(voptions, "managed-keys",
 					   &view_managed_keys);
-			(void) cfg_map_get(voptions, "dnssec-keys",
-					   &view_dnssec_keys);
+			(void) cfg_map_get(voptions, "trust-anchors",
+					   &view_trust_anchors);
 
 			maps[i++] = voptions;
 		}
@@ -1160,9 +1160,10 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 	if (config != NULL) {
 		(void)cfg_map_get(config, "trusted-keys", &global_keys);
 
-		/* managed-keys and dnssec-keys are synonyms. */
+		/* managed-keys and trust-anchors are synonyms. */
 		(void)cfg_map_get(config, "managed-keys", &global_managed_keys);
-		(void)cfg_map_get(config, "dnssec-keys", &global_dnssec_keys);
+		(void)cfg_map_get(config, "trust-anchors",
+				  &global_trust_anchors);
 
 		(void)cfg_map_get(config, "options", &options);
 		if (options != NULL) {
@@ -1194,7 +1195,7 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 
 		/*
 		 * If bind.keys exists and is populated, it overrides
-		 * the dnssec-keys clause hard-coded in named_g_config.
+		 * the trust-anchors clause hard-coded in named_g_config.
 		 */
 		if (bindkeys != NULL) {
 			isc_log_write(named_g_lctx, DNS_LOGCATEGORY_SECURITY,
@@ -1203,7 +1204,7 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 				      "from '%s'",
 				      view->name, named_g_server->bindkeysfile);
 
-			(void)cfg_map_get(bindkeys, "dnssec-keys",
+			(void)cfg_map_get(bindkeys, "trust-anchors",
 					  &builtin_keys);
 
 			if (builtin_keys == NULL) {
@@ -1223,7 +1224,7 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 				      "using built-in root key for view %s",
 				      view->name);
 
-			(void)cfg_map_get(named_g_config, "dnssec-keys",
+			(void)cfg_map_get(named_g_config, "trust-anchors",
 					  &builtin_keys);
 		}
 
@@ -1243,13 +1244,13 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 
 	if (view->rdclass == dns_rdataclass_in) {
 		CHECK(load_view_keys(view_keys, view, false, NULL, mctx));
-		CHECK(load_view_keys(view_dnssec_keys, view, true, NULL,
+		CHECK(load_view_keys(view_trust_anchors, view, true, NULL,
 				     mctx));
 		CHECK(load_view_keys(view_managed_keys, view, true, NULL,
 				     mctx));
 
 		CHECK(load_view_keys(global_keys, view, false, NULL, mctx));
-		CHECK(load_view_keys(global_dnssec_keys, view, true,
+		CHECK(load_view_keys(global_trust_anchors, view, true,
 				     NULL, mctx));
 		CHECK(load_view_keys(global_managed_keys, view, true,
 				     NULL, mctx));

bin/rndc/rndc.docbook

@@ -773,7 +773,7 @@
 	<listitem>
 	  <para>
 	    Dump the security roots (i.e., trust anchors
-	    configured via <command>dnssec-keys</command> statements, or the
+	    configured via <command>trust-anchors</command> statements, or the
 	    managed-keys or trusted-keys statements (both deprecated), or
 	    via <command>dnssec-validation auto</command>) and negative trust
 	    anchors for the specified views.  If no view is specified, all

bin/tests/system/checkconf/bad-ds-key-1.conf

@@ -9,7 +9,7 @@
  * information regarding copyright ownership.
  */
 
-dnssec-keys {
+trust-anchors {
 	example. initial-ds 60724 5 1 "D74CF845955A0DFE604AF215E948E67D2EA94FF3";
         example. initial-key 257 3 5 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbody0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQYfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuwE60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn6zqCkwuMmrU=";
 };

bin/tests/system/checkconf/bad-ds-key-2.conf

@@ -9,7 +9,7 @@
  * information regarding copyright ownership.
  */
 
-dnssec-keys {
+trust-anchors {
 	example. static-ds 60724 5 1 "D74CF845955A0DFE604AF215E948E67D2EA94FF3";
         example. static-key 257 3 5 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbody0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQYfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuwE60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn6zqCkwuMmrU=";
 };

bin/tests/system/checkconf/bad-duplicate-key.conf

@@ -13,7 +13,7 @@ options {
 	dnssec-validation yes;
 };
 
-dnssec-keys {
+trust-anchors {
 	example. initial-key 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl
 		25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG
 		tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY
@@ -23,7 +23,7 @@ dnssec-keys {
 		NQyrszHhWUU=";
 };
 
-dnssec-keys {
+trust-anchors {
 	example. static-key 257 3 8 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbod
 		y0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQ
 		YfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX

bin/tests/system/checkconf/bad-duplicate-root-key.conf

@@ -13,7 +13,7 @@ options {
 	dnssec-validation yes;
 };
 
-dnssec-keys {
+trust-anchors {
 	. initial-key 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl
 		25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG
 		tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY

bin/tests/system/checkconf/bad-root-mixed-key.conf

@@ -9,7 +9,7 @@
  * information regarding copyright ownership.
  */
 
-dnssec-keys {
+trust-anchors {
 	# This key (19036) is to be phased out starting in 2017. It will
 	# remain in the root zone for some time after its successor key
 	# has been added. It will remain this file until it is removed from

bin/tests/system/checkconf/bad-static-initial-1.conf

@@ -9,7 +9,7 @@
  * information regarding copyright ownership.
  */
 
-dnssec-keys {
+trust-anchors {
 	example. initial-ds 60724 5 1 "D74CF845955A0DFE604AF215E948E67D2EA94FF3";
 	example. static-ds 60724 5 2 "29E79B9064EE1A11DF3BFF19581DDFED7952C22CC204ACE17B6007EB1437E9E6";
 };

bin/tests/system/checkconf/bad-static-initial-2.conf

@@ -9,7 +9,7 @@
  * information regarding copyright ownership.
  */
 
-dnssec-keys {
+trust-anchors {
 	example. initial-ds 60724 5 1 "D74CF845955A0DFE604AF215E948E67D2EA94FF3";
         example. static-key 257 3 5 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbody0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQYfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuwE60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn6zqCkwuMmrU=";
 };

bin/tests/system/checkconf/bad-static-initial-3.conf

@@ -9,7 +9,7 @@
  * information regarding copyright ownership.
  */
 
-dnssec-keys {
+trust-anchors {
 	example. static-ds 60724 5 1 "D74CF845955A0DFE604AF215E948E67D2EA94FF3";
         example. initial-key 257 3 5 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbody0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQYfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuwE60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn6zqCkwuMmrU=";
 };

bin/tests/system/checkconf/bad-static-initial-4.conf

@@ -9,7 +9,7 @@
  * information regarding copyright ownership.
  */
 
-dnssec-keys {
+trust-anchors {
         example. initial-key 257 3 5 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafGtURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJYkYrFYGLzYAgl/JtMyVVYlBl9pqxQuAPKYPOuO1axaad/wLN3+wTy/hcJfpvJpqzXlDF9bI5RmpoX/7geZ06vpcYJEoT0xkkmPlEl0ZjEDrm/WIaSWG0/CEDpHcOXFz4OEczMVpY+lnuFfKybwF1WHFn2BwVEOS6cMM6ukIjINQyrszHhWUU=";
         example. static-key 257 3 5 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbody0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQYfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuwE60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn6zqCkwuMmrU=";
 };

bin/tests/system/checkconf/bad-validation-auto-key.conf

@@ -13,7 +13,7 @@ options {
 	dnssec-validation auto;
 };
 
-dnssec-keys {
+trust-anchors {
 	. static-key 257 3 8 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbod
 		y0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQ
 		YfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX

bin/tests/system/checkconf/check-mixed-keys.conf

@@ -9,7 +9,7 @@
  * information regarding copyright ownership.
  */
 
-dnssec-keys {
+trust-anchors {
 	# This key (19036) is to be phased out starting in 2017. It will
 	# remain in the root zone for some time after its successor key
 	# has been added. It will remain this file until it is removed from

bin/tests/system/checkconf/check-root-ksk-2010.conf

@@ -9,7 +9,7 @@
  * information regarding copyright ownership.
  */
 
-dnssec-keys {
+trust-anchors {
 	# This key (19036) is to be phased out starting in 2017. It will
 	# remain in the root zone for some time after its successor key
 	# has been added. It will remain this file until it is removed from

bin/tests/system/checkconf/check-root-ksk-2017.conf

@@ -9,7 +9,7 @@
  * information regarding copyright ownership.
  */
 
-dnssec-keys {
+trust-anchors {
 	# This key (20326) was published in the root zone in 2017.
 	# Servers which were already using the old key (19036) should
 	# roll seamlessly to this new one via RFC 5011 rollover. Servers

bin/tests/system/checkconf/check-root-ksk-both.conf

@@ -9,7 +9,7 @@
  * information regarding copyright ownership.
  */
 
-dnssec-keys {
+trust-anchors {
 	# This key (19036) is to be phased out starting in 2017. It will
 	# remain in the root zone for some time after its successor key
 	# has been added. It will remain this file until it is removed from

bin/tests/system/checkconf/check-root-static-ds.conf

@@ -9,6 +9,6 @@
  * information regarding copyright ownership.
  */
 
-dnssec-keys {
+trust-anchors {
         . static-ds 20326 8 2 "E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D";
 };

bin/tests/system/checkconf/check-root-static-key.conf

@@ -9,7 +9,7 @@
  * information regarding copyright ownership.
  */
 
-dnssec-keys {
+trust-anchors {
 	# This key (20326) was published in the root zone in 2017.
 	# Servers which were already using the old key (19036) should
 	# roll seamlessly to this new one via RFC 5011 rollover. Servers

bin/tests/system/checkconf/good-dup-managed-key.conf

@@ -13,7 +13,7 @@ options {
 	dnssec-validation yes;
 };
 
-dnssec-keys {
+trust-anchors {
 	example. initial-key 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl
 		25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG
 		tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY

bin/tests/system/checkconf/good-initial-ds.conf

@@ -9,6 +9,6 @@
  * information regarding copyright ownership.
  */
 
-dnssec-keys {
+trust-anchors {
 	example. initial-ds 60724 5 2 "29E79B9064EE1A11DF3BFF19581DDFED7952C22CC204ACE17B6007EB1437E9E6";
 };

bin/tests/system/checkconf/good-static-ds.conf

@@ -9,6 +9,6 @@
  * information regarding copyright ownership.
  */
 
-dnssec-keys {
+trust-anchors {
 	example. static-ds 60724 5 2 "29E79B9064EE1A11DF3BFF19581DDFED7952C22CC204ACE17B6007EB1437E9E6";
 };

bin/tests/system/checkconf/tests.sh

@@ -458,7 +458,7 @@ if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
 status=`expr $status + $ret`
 
 n=`expr $n + 1`
-echo_i "check that using dnssec-keys and managed-keys generates an error ($n)"
+echo_i "check that using trust-anchors and managed-keys generates an error ($n)"
 ret=0
 $CHECKCONF check-mixed-keys.conf > checkconf.out$n 2>/dev/null && ret=1
 grep "use of managed-keys is not allowed" checkconf.out$n > /dev/null || ret=1

bin/tests/system/conf.sh.common

@@ -264,31 +264,31 @@ keyfile_to_dskeys() {
 }
 
 # keyfile_to_static_keys: convert key data contained in the keyfile(s)
-# provided to a *static-key* "dnssec-keys" section suitable for including in a
-# resolver's configuration file
+# provided to a *static-key* "trust-anchors" section suitable for including in
+# a resolver's configuration file
 keyfile_to_static_keys() {
-    keyfile_to_keys "dnssec-keys" "static-key" $*
+    keyfile_to_keys "trust-anchors" "static-key" $*
 }
 
 # keyfile_to_initial_keys: convert key data contained in the keyfile(s)
-# provided to an *initial-key* "dnssec-keys" section suitable for including
+# provided to an *initial-key* "trust-anchors" section suitable for including
 # in a resolver's configuration file
 keyfile_to_initial_keys() {
-    keyfile_to_keys "dnssec-keys" "initial-key" $*
+    keyfile_to_keys "trust-anchors" "initial-key" $*
 }
 
 # keyfile_to_static_ds_keys: convert key data contained in the keyfile(s)
-# provided to a *static-ds* "dnssec-keys" section suitable for including in a
+# provided to a *static-ds* "trust-anchors" section suitable for including in a
 # resolver's configuration file
 keyfile_to_static_ds() {
-    keyfile_to_dskeys "dnssec-keys" "static-ds" $*
+    keyfile_to_dskeys "trust-anchors" "static-ds" $*
 }
 
 # keyfile_to_initial_ds_keys: convert key data contained in the keyfile(s)
-# provided to an *initial-ds* "dnssec-keys" section suitable for including
+# provided to an *initial-ds* "trust-anchors" section suitable for including
 # in a resolver's configuration file
 keyfile_to_initial_ds() {
-    keyfile_to_dskeys "dnssec-keys" "initial-ds" $*
+    keyfile_to_dskeys "trust-anchors" "initial-ds" $*
 }
 
 # keyfile_to_key_id: convert a key file name to a key ID

bin/tests/system/legacy/ns1/trusted.conf

-dnssec-keys {
+trust-anchors {
     "edns512-notcp." static-key 257 3 10 "AwEAAcEBkn/cuVhdRTWMHt19O7h9F4Hx2t68u1JUZg7swLLvwfljqnNYjsKYk9EzUhIaYOAHtVe7//cYwoVU4BFhY2DGbx1YE1LnKIGxfqpopFxDZC34TTl6jpoTP6kvj+XpeO0HfF2+DcyNgnQcMGgHXyLWeRUJFt1As6o9tmsBiInGIZMTE3/rANhtAGMLNzhRLN7CS/Tc5GhKaL66uebyEYenEOAyDVgsuhr8Q9D5ka6xZmxzXFVswy2KvsSxu9aoxVq4nACjIeTZ4GJy0v83zclV7hA+5jlPDXMFtIpvwux5XALrNkUUPq+Fb5sc5/u141LcvdASnlk58I77HbsnfausvDxdYYxEns7K9e9N85dwyreM/OGTmm8p4hNDngZESAea7MrSCsJpOGn9XLkVe6gZnBgB1cra+ezzTSWn+4QH17lIhFXYNjMV83df2h/gH3Gmthqnr9RgknZga8B/Czc7TeX6iy2gAOshKGyb6w12eJim1L8tS5T138V8d6SigzxZz1raiJNolVhXyA8SbbDpgBrcoEXN/WjwvWI+2ol5gzlqMeNw/F9SMoWdpGIWkkNCNWBbhLWhp6qfhpRLUFwVys54LGOIGSVRd9uJmc2hPdXoP8ephnCIeNJb8Zp6DnpssyN0JaF815dKkOHff9GEjaiRLj0xWvtZSqNFaGoB";
 };

bin/tests/system/mkeys/README

@@ -11,7 +11,7 @@ ns2 is a validator that uses managed keys.  "-T mkeytimers=2/20/40"
 is used so it will attempt do automated updates frequently. "-T tat=1"
 is used so it will send TAT queries once per second.
 
-ns3 is a validator with a broken initializing key in dnssec-keys.
+ns3 is a validator with a broken initializing key in trust-anchors.
 
 ns4 is a validator with a deliberately broken managed-keys.bind and
 managed-keys.jnl, causing RFC 5011 initialization to fail.

bin/tests/system/mkeys/ns3/named.conf.in

@@ -41,6 +41,6 @@ zone "." {
 };
 
 # purposely broken key for testing
-dnssec-keys {
+trust-anchors {
     "." initial-key 257 3 5 "PURPOSELYBROKEN/xs9iVj7QekClcpzjCf0JrvXW1z07hNMqMm6Q2FtIXMbRgfvTtHF3/ZNvcewT9hpfczC+JACHsQSYYdr7UI8oe4nJfal9+2F3pz4a+HR6CqkgrR6WLWQI1Q==";
 };

bin/tests/system/rpz/setup.sh

@@ -86,7 +86,7 @@ signzone () {
     KEYNAME=`$KEYGEN -q -a rsasha256 -K $1 $2`
     cat $1/$3 $1/$KEYNAME.key > $1/tmp
     $SIGNER -P -K $1 -o $2 -f $1/$4 $1/tmp >/dev/null
-    sed -n -e 's/\(.*\) IN DNSKEY \([0-9]\{1,\} [0-9]\{1,\} [0-9]\{1,\}\) \(.*\)/dnssec-keys {"\1" static-key \2 "\3";};/p' $1/$KEYNAME.key >>trusted.conf
+    sed -n -e 's/\(.*\) IN DNSKEY \([0-9]\{1,\} [0-9]\{1,\} [0-9]\{1,\}\) \(.*\)/trust-anchors {"\1" static-key \2 "\3";};/p' $1/$KEYNAME.key >>trusted.conf
     DSFILENAME=dsset-${2}${TP}
     rm $DSFILENAME $1/tmp
 }

bind.keys

@@ -26,7 +26,7 @@
 # See https://data.iana.org/root-anchors/root-anchors.xml for current trust
 # anchor information for the root zone.
 
-dnssec-keys {
+trust-anchors {
         # This key (20326) was published in the root zone in 2017.
         . initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
                 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv

bind.keys.h

 #ifndef BIND_KEYS_H
 #define BIND_KEYS_H 1
-#define DNSSEC_KEYS "\
+#define TRUST_ANCHORS "\
 # The bind.keys file is used to override the built-in DNSSEC trust anchors\n\
 # which are included as part of BIND 9.  The only trust anchors it contains\n\
 # are for the DNS root zone (\".\").  Trust anchors for any other zones MUST\n\
@@ -29,7 +29,7 @@
 # See https://data.iana.org/root-anchors/root-anchors.xml for current trust\n\
 # anchor information for the root zone.\n\
 \n\
-dnssec-keys {\n\
+trust-anchors {\n\
         # This key (20326) was published in the root zone in 2017.\n\
         . initial-key 257 3 8 \"AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3\n\
                 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv\n\

doc/arm/Bv9ARM-book.xml

@@ -2212,7 +2212,7 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
 	  <userinput>yes</userinput>, DNSSEC validation will only occur
 	  if at least one trust anchor has been explicitly configured
 	  in <filename>named.conf</filename>
-	  using a <command>dnssec-keys</command> statement (or the
+	  using a <command>trust-anchors</command> statement (or the
 	  <command>managed-keys</command> and <command>trusted-keys</command>
 	  statements, both deprecated).
 	</para>
@@ -2227,7 +2227,7 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
 	</para>
 
 	<para>
-	  The keys specified in <command>dnssec-keys</command>
+	  The keys specified in <command>trust-anchors</command>
 	  copies of DNSKEY RRs for zones that are used to form the
 	  first link in the cryptographic chain of trust.  Keys configured
 	  with the keyword <command>static-key</command> or
@@ -2241,7 +2241,7 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
 	</para>
 
 	<para>
-	  <command>dnssec-keys</command> is described in more detail
+	  <command>trust-anchors</command> is described in more detail
 	  later in this document.
 	</para>
 
@@ -2264,7 +2264,7 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
 	</para>
 
 <programlisting>
-dnssec-keys {
+trust-anchors {
 	/* Root Key */
 	"." initial-key 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwS
 				 JxrGkxJWoZu6I7PzJu/E9gx4UC1zGAHlXKdE4zYIpRh
@@ -3202,7 +3202,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 	    </row>
 	    <row rowsep="0">
 	      <entry colname="1">
-		<para><command>dnssec-keys</command></para>
+		<para><command>trust-anchors</command></para>
 	      </entry>
 	      <entry colname="2">
 		<para>
@@ -3223,9 +3223,9 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 	      </entry>
 	      <entry colname="2">
 		<para>
-		  is identical to <command>dnssec-keys</command>;
+		  is identical to <command>trust-anchors</command>;
 		  this option is deprecated in favor
-		  of <command>dnssec-keys</command> with
+		  of <command>trust-anchors</command> with
 		  the <command>initial-key</command> keyword,
 		  and may be removed in a future release.
 		</para>
@@ -3239,7 +3239,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 		<para>
 		  defines permanent trusted DNSSEC keys;
 		  this option is deprecated in favor
-		  of <command>dnssec-keys</command> with
+		  of <command>trust-anchors</command> with
 		  the <command>static-key</command> keyword,
 		  and may be removed in a future release.
 		</para>
@@ -4624,7 +4624,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 		track managed DNSSEC keys (i.e., those configured using
 		the <command>initial-key</command> or
 		<command>initial-ds</command> keywords in a
-		<command>dnssec-keys</command> statement).  By default,
+		<command>trust-anchors</command> statement).  By default,