Commit 8c37d3d3, authored Dec 04, 2019 by Matthijs Mekking
Rename 'dnssec-keys' to 'trust-anchors'
parent e2129fb1
Pipeline #27165 passed with stages in 53 minutes and 57 seconds
Showing 48 changed files with 182 additions and 144 deletions
CHANGES (+3, -0)
README.md (+2, -2)
bin/delv/delv.c (+5, -5)
bin/delv/delv.docbook (+1, -1)
bin/named/config.c (+1, -1)
bin/named/named.conf.docbook (+15, -15)
bin/named/server.c (+14, -13)
bin/rndc/rndc.docbook (+1, -1)
bin/tests/system/checkconf/bad-ds-key-1.conf (+1, -1)
bin/tests/system/checkconf/bad-ds-key-2.conf (+1, -1)
bin/tests/system/checkconf/bad-duplicate-key.conf (+2, -2)
bin/tests/system/checkconf/bad-duplicate-root-key.conf (+1, -1)
bin/tests/system/checkconf/bad-root-mixed-key.conf (+1, -1)
bin/tests/system/checkconf/bad-static-initial-1.conf (+1, -1)
bin/tests/system/checkconf/bad-static-initial-2.conf (+1, -1)
bin/tests/system/checkconf/bad-static-initial-3.conf (+1, -1)
bin/tests/system/checkconf/bad-static-initial-4.conf (+1, -1)
bin/tests/system/checkconf/bad-validation-auto-key.conf (+1, -1)
bin/tests/system/checkconf/check-mixed-keys.conf (+1, -1)
bin/tests/system/checkconf/check-root-ksk-2010.conf (+1, -1)
bin/tests/system/checkconf/check-root-ksk-2017.conf (+1, -1)
bin/tests/system/checkconf/check-root-ksk-both.conf (+1, -1)
bin/tests/system/checkconf/check-root-static-ds.conf (+1, -1)
bin/tests/system/checkconf/check-root-static-key.conf (+1, -1)
bin/tests/system/checkconf/good-dup-managed-key.conf (+1, -1)
bin/tests/system/checkconf/good-initial-ds.conf (+1, -1)
bin/tests/system/checkconf/good-static-ds.conf (+1, -1)
bin/tests/system/checkconf/tests.sh (+1, -1)
bin/tests/system/conf.sh.common (+9, -9)
bin/tests/system/legacy/ns1/trusted.conf (+1, -1)
bin/tests/system/mkeys/README (+1, -1)
bin/tests/system/mkeys/ns3/named.conf.in (+1, -1)
bin/tests/system/rpz/setup.sh (+1, -1)
bind.keys (+1, -1)
bind.keys.h (+2, -2)
doc/arm/Bv9ARM-book.xml (+28, -28)
doc/arm/managed-keys.xml (+2, -2)
doc/arm/notes-9.15.7.xml (+33, -0)
doc/arm/trust-anchors.grammar.xml (+1, -1)
doc/misc/Makefile.in (+1, -1)
doc/misc/dnssec (+1, -1)
lib/bind9/check.c (+24, -24)
lib/dns/zone.c (+3, -3)
lib/irs/dnsconf.c (+1, -1)
lib/irs/include/irs/dnsconf.h (+2, -2)
lib/isccfg/namedconf.c (+4, -4)
util/bindkeys.pl (+1, -1)
util/copyrights (+2, -1)
CHANGES
5332. [func] Renamed "dnssec-keys" configuration statement
to the more descriptive "trust-anchors".
5331. [func] Use compiler-provided mechanisms for thread local
storage, and make the requirement for such mechanisms
explicit in configure. [GL #1444]
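Review bot: the new 5332 entry carries no issue reference, while the neighbouring 5331 entry ends in "[GL #1444]"; if a GitLab issue or merge request tracks the rename, cite it in the same form so the CHANGES entry can be traced back to the discussion that motivated it.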
...
...
README.md
...
...
@@ -131,8 +131,8 @@ include:
for zones, enabling automatic key regeneration and rollover.
*
New new network manager based on libuv.
*
Support for the new GeoIP2 geolocation API
*
Improved DNSSEC trust anchor configuration using
`dnssec-keys`
,
permitting configuration of trust anchors in DS as well as
*
Improved DNSSEC trust anchor configuration using
the
`trust-anchors`
statement,
permitting configuration of trust anchors in DS as well as
DNSKEY format.
*
YAML output for
`dig`
,
`mdig`
, and
`delv`
.
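Review bot: the unchanged context bullet two lines above the edited one reads "New new network manager based on libuv." with a duplicated word; since this hunk already rewrites the feature list, dropping the extra "new" here is cheap.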
...
...
bin/delv/delv.c
...
...
@@ -140,7 +140,7 @@ static dns_fixedname_t afn;
static
dns_name_t
*
anchor_name
=
NULL
;
/* Default bind.keys contents */
static
char
anchortext
[]
=
DNSSEC_KEY
S
;
static
char
anchortext
[]
=
TRUST_ANCHOR
S
;
/*
* Static function prototypes
...
...
@@ -819,7 +819,7 @@ setup_dnsseckeys(dns_client_t *client) {
cfg_parser_t
*
parser
=
NULL
;
const
cfg_obj_t
*
trusted_keys
=
NULL
;
const
cfg_obj_t
*
managed_keys
=
NULL
;
const
cfg_obj_t
*
dnssec_key
s
=
NULL
;
const
cfg_obj_t
*
trust_anchor
s
=
NULL
;
cfg_obj_t
*
bindkeys
=
NULL
;
const
char
*
filename
=
anchorfile
;
...
...
@@ -878,7 +878,7 @@ setup_dnsseckeys(dns_client_t *client) {
INSIST
(
bindkeys
!=
NULL
);
cfg_map_get
(
bindkeys
,
"trusted-keys"
,
&
trusted_keys
);
cfg_map_get
(
bindkeys
,
"managed-keys"
,
&
managed_keys
);
cfg_map_get
(
bindkeys
,
"
dnssec-keys"
,
&
dnssec_key
s
);
cfg_map_get
(
bindkeys
,
"
trust-anchors"
,
&
trust_anchor
s
);
if
(
trusted_keys
!=
NULL
)
{
CHECK
(
load_keys
(
trusted_keys
,
client
));
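Review bot: the lookup at line 878 now asks bindkeys only for "trust-anchors" and no longer for "dnssec-keys", so a trust anchor file still written with the old statement name has its keys skipped here rather than loaded. If the grammar in lib/isccfg/namedconf.c (also touched in this commit) still accepts the old spelling, such a file parses cleanly and delv then validates with only the trusted-keys/managed-keys entries it found, which is a silent downgrade. Either keep a fallback cfg_map_get(bindkeys, "dnssec-keys", &trust_anchors) for a transition release, or confirm the parser rejects the old name so the mismatch surfaces as a parse error instead.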
...
...
@@ -886,8 +886,8 @@ setup_dnsseckeys(dns_client_t *client) {
if
(
managed_keys
!=
NULL
)
{
CHECK
(
load_keys
(
managed_keys
,
client
));
}
if
(
dnssec_key
s
!=
NULL
)
{
CHECK
(
load_keys
(
dnssec_key
s
,
client
));
if
(
trust_anchor
s
!=
NULL
)
{
CHECK
(
load_keys
(
trust_anchor
s
,
client
));
}
result
=
ISC_R_SUCCESS
;
...
...
bin/delv/delv.docbook
...
...
@@ -215,7 +215,7 @@
</para>
<para>
Note: When reading the trust anchor file,
<command>
delv
</command>
treats
<option>
dnssec-key
s
</option>
<command>
delv
</command>
treats
<option>
trust-anchor
s
</option>
<option>
initial-key
</option>
and
<option>
static-key
</option>
entries identically. That is, even if a key is configured
with
<command>
initial-key
</command>
, indicating that it is
...
...
bin/named/config.c
...
...
@@ -296,7 +296,7 @@ view \"_bind\" chaos {\n\
# BEGIN DNSSEC KEYS
\n
"
/* Imported from bind.keys.h: */
DNSSEC_KEY
S
TRUST_ANCHOR
S
"# END MANAGED KEYS
\n
\
\n
\
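Review bot: the built-in configuration wraps the macro between "# BEGIN DNSSEC KEYS" and "# END MANAGED KEYS", so the two markers already disagree with each other and neither reflects the statement name introduced by this commit. Renaming both to "# BEGIN TRUST ANCHORS" / "# END TRUST ANCHORS" alongside the TRUST_ANCHORS macro keeps named_g_config self-consistent and searchable for the current term.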
...
...
bin/named/named.conf.docbook
...
...
@@ -110,15 +110,6 @@ dlz <replaceable>string</replaceable> {
</literallayout>
</refsection>
<refsection><info><title>DNSSEC-KEYS</title></info>
<literallayout class="normal">
dnssec-keys { <replaceable>string</replaceable> ( static-key |
initial-key | static-ds | initial-ds )
<replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable>
<replaceable>quoted_string</replaceable>; ... };
</literallayout>
</refsection>
<refsection><info><title>DYNDB</title></info>
<literallayout class="normal">
dyndb <replaceable>string</replaceable> <replaceable>quoted_string</replaceable> {
...
...
@@ -156,7 +147,7 @@ logging {
</refsection>
<refsection><info><title>MANAGED-KEYS</title></info>
<para>Deprecated - see
DNSSEC-KEY
S.</para>
<para>Deprecated - see
TRUST-ANCHOR
S.</para>
<literallayout class="normal">
managed-keys { <replaceable>string</replaceable> ( static-key
| initial-key | static-ds |
...
...
@@ -527,8 +518,17 @@ statistics-channels {
</literallayout>
</refsection>
<refsection><info><title>TRUST-ANCHORS</title></info>
<literallayout class="normal">
trust-anchors { <replaceable>string</replaceable> ( static-key |
initial-key | static-ds | initial-ds )
<replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable>
<replaceable>quoted_string</replaceable>; ... };
</literallayout>
</refsection>
<refsection><info><title>TRUSTED-KEYS</title></info>
<para>Deprecated - see
DNSSEC-KEY
S.</para>
<para>Deprecated - see
TRUST-ANCHOR
S.</para>
<literallayout class="normal">
trusted-keys { <replaceable>string</replaceable> <replaceable>integer</replaceable>
<replaceable>integer</replaceable> <replaceable>integer</replaceable>
...
...
@@ -607,10 +607,6 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
dnsrps-options { <replaceable>unspecified-text</replaceable> };
dnssec-accept-expired <replaceable>boolean</replaceable>;
dnssec-dnskey-kskonly <replaceable>boolean</replaceable>;
dnssec-keys { <replaceable>string</replaceable> ( static-key |
initial-key | static-ds | initial-ds
) <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable>
<replaceable>quoted_string</replaceable>; ... };
dnssec-loadkeys-interval <replaceable>integer</replaceable>;
dnssec-must-be-secure <replaceable>string</replaceable> <replaceable>boolean</replaceable>;
dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
...
...
@@ -801,6 +797,10 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> | * )
] [ dscp <replaceable>integer</replaceable> ];
trust-anchor-telemetry <replaceable>boolean</replaceable>; // experimental
trust-anchors { <replaceable>string</replaceable> ( static-key |
initial-key | static-ds | initial-ds
) <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable>
<replaceable>quoted_string</replaceable>; ... };
trusted-keys { <replaceable>string</replaceable>
<replaceable>integer</replaceable> <replaceable>integer</replaceable>
<replaceable>integer</replaceable>
...
...
bin/named/server.c
...
...
@@ -1012,7 +1012,7 @@ process_key(const cfg_obj_t *key, dns_keytable_t *secroots,
}
/*
* Add the key to 'secroots'. Keys from a "
dnssec-key
s" or
* Add the key to 'secroots'. Keys from a "
trust-anchor
s" or
* "managed-keys" statement may be either static or initializing
* keys. If it's not initializing, we don't want to treat it as
* managed, so we use 'initializing' twice here, for both the
...
...
@@ -1124,9 +1124,9 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
const cfg_obj_t *view_keys = NULL;
const cfg_obj_t *global_keys = NULL;
const cfg_obj_t *view_managed_keys = NULL;
const cfg_obj_t *view_
dnssec_key
s = NULL;
const cfg_obj_t *view_
trust_anchor
s = NULL;
const cfg_obj_t *global_managed_keys = NULL;
const cfg_obj_t *global_
dnssec_key
s = NULL;
const cfg_obj_t *global_
trust_anchor
s = NULL;
const cfg_obj_t *maps[4];
const cfg_obj_t *voptions = NULL;
const cfg_obj_t *options = NULL;
...
...
@@ -1147,11 +1147,11 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
(void) cfg_map_get(voptions, "trusted-keys",
&view_keys);
/* managed-keys and
dnssec-key
s are synonyms. */
/* managed-keys and
trust-anchor
s are synonyms. */
(void) cfg_map_get(voptions, "managed-keys",
&view_managed_keys);
(void) cfg_map_get(voptions, "
dnssec-key
s",
&view_
dnssec_key
s);
(void) cfg_map_get(voptions, "
trust-anchor
s",
&view_
trust_anchor
s);
maps[i++] = voptions;
}
...
...
@@ -1160,9 +1160,10 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
if (config != NULL) {
(void)cfg_map_get(config, "trusted-keys", &global_keys);
/* managed-keys and
dnssec-key
s are synonyms. */
/* managed-keys and
trust-anchor
s are synonyms. */
(void)cfg_map_get(config, "managed-keys", &global_managed_keys);
(void)cfg_map_get(config, "dnssec-keys", &global_dnssec_keys);
(void)cfg_map_get(config, "trust-anchors",
&global_trust_anchors);
(void)cfg_map_get(config, "options", &options);
if (options != NULL) {
...
...
@@ -1194,7 +1195,7 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
/*
* If bind.keys exists and is populated, it overrides
* the
dnssec-key
s clause hard-coded in named_g_config.
* the
trust-anchor
s clause hard-coded in named_g_config.
*/
if (bindkeys != NULL) {
isc_log_write(named_g_lctx, DNS_LOGCATEGORY_SECURITY,
...
...
@@ -1203,7 +1204,7 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
"from '%s'",
view->name, named_g_server->bindkeysfile);
(void)cfg_map_get(bindkeys, "
dnssec-key
s",
(void)cfg_map_get(bindkeys, "
trust-anchor
s",
&builtin_keys);
if (builtin_keys == NULL) {
...
...
@@ -1223,7 +1224,7 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
"using built-in root key for view %s",
view->name);
(void)cfg_map_get(named_g_config, "
dnssec-key
s",
(void)cfg_map_get(named_g_config, "
trust-anchor
s",
&builtin_keys);
}
...
...
@@ -1243,13 +1244,13 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
if (view->rdclass == dns_rdataclass_in) {
CHECK(load_view_keys(view_keys, view, false, NULL, mctx));
CHECK(load_view_keys(view_
dnssec_key
s, view, true, NULL,
CHECK(load_view_keys(view_
trust_anchor
s, view, true, NULL,
mctx));
CHECK(load_view_keys(view_managed_keys, view, true, NULL,
mctx));
CHECK(load_view_keys(global_keys, view, false, NULL, mctx));
CHECK(load_view_keys(global_
dnssec_key
s, view, true,
CHECK(load_view_keys(global_
trust_anchor
s, view, true,
NULL, mctx));
CHECK(load_view_keys(global_managed_keys, view, true,
NULL, mctx));
...
...
bin/rndc/rndc.docbook
...
...
@@ -773,7 +773,7 @@
<listitem>
<para>
Dump the security roots (i.e., trust anchors
configured via <command>
dnssec-key
s</command> statements, or the
configured via <command>
trust-anchor
s</command> statements, or the
managed-keys or trusted-keys statements (both deprecated), or
via <command>dnssec-validation auto</command>) and negative trust
anchors for the specified views. If no view is specified, all
...
...
bin/tests/system/checkconf/bad-ds-key-1.conf
...
...
@@ -9,7 +9,7 @@
*
information
regarding
copyright
ownership
.
*/
dnssec
-
key
s
{
trust
-
anchor
s
{
example
.
initial
-
ds
60724
5
1
"D74CF845955A0DFE604AF215E948E67D2EA94FF3"
;
example
.
initial
-
key
257
3
5
"AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbody0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQYfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuwE60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn6zqCkwuMmrU="
;
};
bin/tests/system/checkconf/bad-ds-key-2.conf
...
...
@@ -9,7 +9,7 @@
*
information
regarding
copyright
ownership
.
*/
dnssec
-
key
s
{
trust
-
anchor
s
{
example
.
static
-
ds
60724
5
1
"D74CF845955A0DFE604AF215E948E67D2EA94FF3"
;
example
.
static
-
key
257
3
5
"AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbody0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQYfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuwE60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn6zqCkwuMmrU="
;
};
bin/tests/system/checkconf/bad-duplicate-key.conf
...
...
@@ -13,7 +13,7 @@ options {
dnssec
-
validation
yes
;
};
dnssec
-
key
s
{
trust
-
anchor
s
{
example
.
initial
-
key
257
3
8
"
AwEAAawvFp8GlBx8Qt6yaIqXkDe
+
nMkSk2HkTAG7qlVBo
++
AQwZ1j3Xl
25
IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG
tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY
...
...
@@ -23,7 +23,7 @@ dnssec-keys {
NQyrszHhWUU
=
"
;
};
dnssec
-
key
s
{
trust
-
anchor
s
{
example
.
static
-
key
257
3
8
"
AwEAAZtP9
+
RAA
+
W33A97e
+
HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbod
y0NLx7b3vZ1bzMLxLSRAr
/
n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQ
YfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW
/
HQ
+
8
yarfrnGMFhX
...
...
bin/tests/system/checkconf/bad-duplicate-root-key.conf
...
...
@@ -13,7 +13,7 @@ options {
dnssec
-
validation
yes
;
};
dnssec
-
key
s
{
trust
-
anchor
s
{
.
initial
-
key
257
3
8
"
AwEAAawvFp8GlBx8Qt6yaIqXkDe
+
nMkSk2HkTAG7qlVBo
++
AQwZ1j3Xl
25
IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG
tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY
...
...
bin/tests/system/checkconf/bad-root-mixed-key.conf
...
...
@@ -9,7 +9,7 @@
*
information
regarding
copyright
ownership
.
*/
dnssec
-
key
s
{
trust
-
anchor
s
{
# This key (19036) is to be phased out starting in 2017. It will
# remain in the root zone for some time after its successor key
# has been added. It will remain this file until it is removed from
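Review bot: the context comment "It will remain this file until it is removed from" is missing a word ("remain in this file"); the same comment block is repeated in check-mixed-keys.conf, check-root-ksk-2010.conf and check-root-ksk-both.conf further down in this commit, so fix all copies together while these files are being touched.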
...
...
bin/tests/system/checkconf/bad-static-initial-1.conf
...
...
@@ -9,7 +9,7 @@
*
information
regarding
copyright
ownership
.
*/
dnssec
-
key
s
{
trust
-
anchor
s
{
example
.
initial
-
ds
60724
5
1
"D74CF845955A0DFE604AF215E948E67D2EA94FF3"
;
example
.
static
-
ds
60724
5
2
"29E79B9064EE1A11DF3BFF19581DDFED7952C22CC204ACE17B6007EB1437E9E6"
;
};
bin/tests/system/checkconf/bad-static-initial-2.conf
...
...
@@ -9,7 +9,7 @@
*
information
regarding
copyright
ownership
.
*/
dnssec
-
key
s
{
trust
-
anchor
s
{
example
.
initial
-
ds
60724
5
1
"D74CF845955A0DFE604AF215E948E67D2EA94FF3"
;
example
.
static
-
key
257
3
5
"AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbody0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQYfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuwE60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn6zqCkwuMmrU="
;
};
bin/tests/system/checkconf/bad-static-initial-3.conf
...
...
@@ -9,7 +9,7 @@
*
information
regarding
copyright
ownership
.
*/
dnssec
-
key
s
{
trust
-
anchor
s
{
example
.
static
-
ds
60724
5
1
"D74CF845955A0DFE604AF215E948E67D2EA94FF3"
;
example
.
initial
-
key
257
3
5
"AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbody0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQYfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuwE60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn6zqCkwuMmrU="
;
};
bin/tests/system/checkconf/bad-static-initial-4.conf
...
...
@@ -9,7 +9,7 @@
*
information
regarding
copyright
ownership
.
*/
dnssec
-
key
s
{
trust
-
anchor
s
{
example
.
initial
-
key
257
3
5
"AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafGtURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJYkYrFYGLzYAgl/JtMyVVYlBl9pqxQuAPKYPOuO1axaad/wLN3+wTy/hcJfpvJpqzXlDF9bI5RmpoX/7geZ06vpcYJEoT0xkkmPlEl0ZjEDrm/WIaSWG0/CEDpHcOXFz4OEczMVpY+lnuFfKybwF1WHFn2BwVEOS6cMM6ukIjINQyrszHhWUU="
;
example
.
static
-
key
257
3
5
"AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbody0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQYfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuwE60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn6zqCkwuMmrU="
;
};
bin/tests/system/checkconf/bad-validation-auto-key.conf
...
...
@@ -13,7 +13,7 @@ options {
dnssec
-
validation
auto
;
};
dnssec
-
key
s
{
trust
-
anchor
s
{
.
static
-
key
257
3
8
"
AwEAAZtP9
+
RAA
+
W33A97e
+
HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbod
y0NLx7b3vZ1bzMLxLSRAr
/
n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQ
YfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW
/
HQ
+
8
yarfrnGMFhX
...
...
bin/tests/system/checkconf/check-mixed-keys.conf
...
...
@@ -9,7 +9,7 @@
*
information
regarding
copyright
ownership
.
*/
dnssec
-
key
s
{
trust
-
anchor
s
{
# This key (19036) is to be phased out starting in 2017. It will
# remain in the root zone for some time after its successor key
# has been added. It will remain this file until it is removed from
...
...
bin/tests/system/checkconf/check-root-ksk-2010.conf
...
...
@@ -9,7 +9,7 @@
*
information
regarding
copyright
ownership
.
*/
dnssec
-
key
s
{
trust
-
anchor
s
{
# This key (19036) is to be phased out starting in 2017. It will
# remain in the root zone for some time after its successor key
# has been added. It will remain this file until it is removed from
...
...
bin/tests/system/checkconf/check-root-ksk-2017.conf
...
...
@@ -9,7 +9,7 @@
*
information
regarding
copyright
ownership
.
*/
dnssec
-
key
s
{
trust
-
anchor
s
{
# This key (20326) was published in the root zone in 2017.
# Servers which were already using the old key (19036) should
# roll seamlessly to this new one via RFC 5011 rollover. Servers
...
...
bin/tests/system/checkconf/check-root-ksk-both.conf
...
...
@@ -9,7 +9,7 @@
*
information
regarding
copyright
ownership
.
*/
dnssec
-
key
s
{
trust
-
anchor
s
{
# This key (19036) is to be phased out starting in 2017. It will
# remain in the root zone for some time after its successor key
# has been added. It will remain this file until it is removed from
...
...
bin/tests/system/checkconf/check-root-static-ds.conf
...
...
@@ -9,6 +9,6 @@
*
information
regarding
copyright
ownership
.
*/
dnssec
-
key
s
{
trust
-
anchor
s
{
.
static
-
ds
20326
8
2
"E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D"
;
};
bin/tests/system/checkconf/check-root-static-key.conf
...
...
@@ -9,7 +9,7 @@
*
information
regarding
copyright
ownership
.
*/
dnssec
-
key
s
{
trust
-
anchor
s
{
# This key (20326) was published in the root zone in 2017.
# Servers which were already using the old key (19036) should
# roll seamlessly to this new one via RFC 5011 rollover. Servers
...
...
bin/tests/system/checkconf/good-dup-managed-key.conf
...
...
@@ -13,7 +13,7 @@ options {
dnssec
-
validation
yes
;
};
dnssec
-
key
s
{
trust
-
anchor
s
{
example
.
initial
-
key
257
3
8
"
AwEAAawvFp8GlBx8Qt6yaIqXkDe
+
nMkSk2HkTAG7qlVBo
++
AQwZ1j3Xl
25
IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG
tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY
...
...
bin/tests/system/checkconf/good-initial-ds.conf
...
...
@@ -9,6 +9,6 @@
*
information
regarding
copyright
ownership
.
*/
dnssec
-
key
s
{
trust
-
anchor
s
{
example
.
initial
-
ds
60724
5
2
"29E79B9064EE1A11DF3BFF19581DDFED7952C22CC204ACE17B6007EB1437E9E6"
;
};
bin/tests/system/checkconf/good-static-ds.conf
...
...
@@ -9,6 +9,6 @@
*
information
regarding
copyright
ownership
.
*/
dnssec
-
key
s
{
trust
-
anchor
s
{
example
.
static
-
ds
60724
5
2
"29E79B9064EE1A11DF3BFF19581DDFED7952C22CC204ACE17B6007EB1437E9E6"
;
};
bin/tests/system/checkconf/tests.sh
...
...
@@ -458,7 +458,7 @@ if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
status
=
`
expr
$status
+
$ret
`
n
=
`
expr
$n
+ 1
`
echo_i
"check that using
dnssec-key
s and managed-keys generates an error (
$n
)"
echo_i
"check that using
trust-anchor
s and managed-keys generates an error (
$n
)"
ret
=
0
$CHECKCONF
check-mixed-keys.conf
>
checkconf.out
$n
2>/dev/null
&&
ret
=
1
grep
"use of managed-keys is not allowed"
checkconf.out
$n
>
/dev/null
||
ret
=
1
...
...
bin/tests/system/conf.sh.common
...
...
@@ -264,31 +264,31 @@ keyfile_to_dskeys() {
}
# keyfile_to_static_keys: convert key data contained in the keyfile(s)
# provided to a *static-key* "
dnssec-keys" section suitable for including in a
# resolver's configuration file
# provided to a *static-key* "
trust-anchors" section suitable for including in
#
a
resolver's configuration file
keyfile_to_static_keys
()
{
keyfile_to_keys
"
dnssec-key
s"
"static-key"
$*
keyfile_to_keys
"
trust-anchor
s"
"static-key"
$*
}
# keyfile_to_initial_keys: convert key data contained in the keyfile(s)
# provided to an *initial-key* "
dnssec-key
s" section suitable for including
# provided to an *initial-key* "
trust-anchor
s" section suitable for including
# in a resolver's configuration file
keyfile_to_initial_keys
()
{
keyfile_to_keys
"
dnssec-key
s"
"initial-key"
$*
keyfile_to_keys
"
trust-anchor
s"
"initial-key"
$*
}
# keyfile_to_static_ds_keys: convert key data contained in the keyfile(s)
# provided to a *static-ds* "
dnssec-key
s" section suitable for including in a
# provided to a *static-ds* "
trust-anchor
s" section suitable for including in a
# resolver's configuration file
keyfile_to_static_ds
()
{
keyfile_to_dskeys
"
dnssec-key
s"
"static-ds"
$*
keyfile_to_dskeys
"
trust-anchor
s"
"static-ds"
$*
}
# keyfile_to_initial_ds_keys: convert key data contained in the keyfile(s)
# provided to an *initial-ds* "
dnssec-key
s" section suitable for including
# provided to an *initial-ds* "
trust-anchor
s" section suitable for including
# in a resolver's configuration file
keyfile_to_initial_ds
()
{
keyfile_to_dskeys
"
dnssec-key
s"
"initial-ds"
$*
keyfile_to_dskeys
"
trust-anchor
s"
"initial-ds"
$*
}
# keyfile_to_key_id: convert a key file name to a key ID
...
...
bin/tests/system/legacy/ns1/trusted.conf
dnssec
-
key
s
{
trust
-
anchor
s
{
"edns512-notcp."
static
-
key
257
3
10
"AwEAAcEBkn/cuVhdRTWMHt19O7h9F4Hx2t68u1JUZg7swLLvwfljqnNYjsKYk9EzUhIaYOAHtVe7//cYwoVU4BFhY2DGbx1YE1LnKIGxfqpopFxDZC34TTl6jpoTP6kvj+XpeO0HfF2+DcyNgnQcMGgHXyLWeRUJFt1As6o9tmsBiInGIZMTE3/rANhtAGMLNzhRLN7CS/Tc5GhKaL66uebyEYenEOAyDVgsuhr8Q9D5ka6xZmxzXFVswy2KvsSxu9aoxVq4nACjIeTZ4GJy0v83zclV7hA+5jlPDXMFtIpvwux5XALrNkUUPq+Fb5sc5/u141LcvdASnlk58I77HbsnfausvDxdYYxEns7K9e9N85dwyreM/OGTmm8p4hNDngZESAea7MrSCsJpOGn9XLkVe6gZnBgB1cra+ezzTSWn+4QH17lIhFXYNjMV83df2h/gH3Gmthqnr9RgknZga8B/Czc7TeX6iy2gAOshKGyb6w12eJim1L8tS5T138V8d6SigzxZz1raiJNolVhXyA8SbbDpgBrcoEXN/WjwvWI+2ol5gzlqMeNw/F9SMoWdpGIWkkNCNWBbhLWhp6qfhpRLUFwVys54LGOIGSVRd9uJmc2hPdXoP8ephnCIeNJb8Zp6DnpssyN0JaF815dKkOHff9GEjaiRLj0xWvtZSqNFaGoB"
;
};
bin/tests/system/mkeys/README
...
...
@@ -11,7 +11,7 @@ ns2 is a validator that uses managed keys. "-T mkeytimers=2/20/40"
is used so it will attempt do automated updates frequently. "-T tat=1"
is used so it will send TAT queries once per second.
ns3 is a validator with a broken initializing key in
dnssec-key
s.
ns3 is a validator with a broken initializing key in
trust-anchor
s.
ns4 is a validator with a deliberately broken managed-keys.bind and
managed-keys.jnl, causing RFC 5011 initialization to fail.
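Review bot: the unchanged context line "is used so it will attempt do automated updates frequently" is missing "to" ("attempt to do"); worth correcting while this README is being edited.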
...
...
bin/tests/system/mkeys/ns3/named.conf.in
...
...
@@ -41,6 +41,6 @@ zone "." {
};
# purposely broken key for testing
dnssec-key
s {
trust-anchor
s {
"." initial-key 257 3 5 "PURPOSELYBROKEN/xs9iVj7QekClcpzjCf0JrvXW1z07hNMqMm6Q2FtIXMbRgfvTtHF3/ZNvcewT9hpfczC+JACHsQSYYdr7UI8oe4nJfal9+2F3pz4a+HR6CqkgrR6WLWQI1Q==";
};
bin/tests/system/rpz/setup.sh
...
...
@@ -86,7 +86,7 @@ signzone () {
KEYNAME
=
`
$KEYGEN
-q
-a
rsasha256
-K
$1
$2
`
cat
$1
/
$3
$1
/
$KEYNAME
.key
>
$1
/tmp
$SIGNER
-P
-K
$1
-o
$2
-f
$1
/
$4
$1
/tmp
>
/dev/null
sed
-n
-e
's/\(.*\) IN DNSKEY \([0-9]\{1,\} [0-9]\{1,\} [0-9]\{1,\}\) \(.*\)/
dnssec-key
s {"\1" static-key \2 "\3";};/p'
$1
/
$KEYNAME
.key
>>
trusted.conf
sed
-n
-e
's/\(.*\) IN DNSKEY \([0-9]\{1,\} [0-9]\{1,\} [0-9]\{1,\}\) \(.*\)/
trust-anchor
s {"\1" static-key \2 "\3";};/p'
$1
/
$KEYNAME
.key
>>
trusted.conf
DSFILENAME
=
dsset-
${
2
}${
TP
}
rm
$DSFILENAME
$1
/tmp
}
...
...
bind.keys
...
...
@@ -26,7 +26,7 @@
# See https://data.iana.org/root-anchors/root-anchors.xml for current trust
# anchor information for the root zone.
dnssec-key
s {
trust-anchor
s {
# This key (20326) was published in the root zone in 2017.
. initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
...
...
bind.keys.h
#ifndef BIND_KEYS_H
#define BIND_KEYS_H 1
#define
DNSSEC_KEY
S "\
#define
TRUST_ANCHOR
S "\
# The bind.keys file is used to override the built-in DNSSEC trust anchors\n\
# which are included as part of BIND 9. The only trust anchors it contains\n\
# are for the DNS root zone (\".\"). Trust anchors for any other zones MUST\n\
...
...
@@ -29,7 +29,7 @@
# See https://data.iana.org/root-anchors/root-anchors.xml for current trust\n\
# anchor information for the root zone.\n\
\n\
dnssec-key
s {\n\
trust-anchor
s {\n\
# This key (20326) was published in the root zone in 2017.\n\
. initial-key 257 3 8 \"AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3\n\
+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv\n\
...
...
doc/arm/Bv9ARM-book.xml
...
...
@@ -2212,7 +2212,7 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
<userinput>yes</userinput>, DNSSEC validation will only occur
if at least one trust anchor has been explicitly configured
in <filename>named.conf</filename>
using a <command>
dnssec-key
s</command> statement (or the
using a <command>
trust-anchor
s</command> statement (or the
<command>managed-keys</command> and <command>trusted-keys</command>
statements, both deprecated).
</para>
...
...
@@ -2227,7 +2227,7 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
</para>
<para>
The keys specified in <command>
dnssec-key
s</command>
The keys specified in <command>
trust-anchor
s</command>
copies of DNSKEY RRs for zones that are used to form the
first link in the cryptographic chain of trust. Keys configured
with the keyword <command>static-key</command> or
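Review bot: the rewritten line ends at "<command>trust-anchors</command>" and the following context line starts "copies of DNSKEY RRs for zones", so the sentence has no verb as shown; check whether "are" was lost when the line was rewritten and, if so, restore it ("... <command>trust-anchors</command> are copies of DNSKEY RRs ...").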
...
...
@@ -2241,7 +2241,7 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
</para>
<para>
<command>
dnssec-key
s</command> is described in more detail
<command>
trust-anchor
s</command> is described in more detail
later in this document.
</para>
...
...
@@ -2264,7 +2264,7 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
</para>
<programlisting>
dnssec-key
s {
trust-anchor
s {
/* Root Key */
"." initial-key 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwS
JxrGkxJWoZu6I7PzJu/E9gx4UC1zGAHlXKdE4zYIpRh
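Review bot: the ARM example under "/* Root Key */" still shows ". initial-key 257 3 3 "BNY4wr..." while the bind.keys hunk in this same commit carries the real root trust anchor as ". initial-key 257 3 8 "AwEAAaz/..." (key 20326); since the statement is being renamed anyway, consider updating the example to the current key so readers do not copy a stale algorithm-3 entry into their named.conf.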
...
...
@@ -3202,7 +3202,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
</row>
<row rowsep="0">
<entry colname="1">
<para><command>
dnssec-key
s</command></para>
<para><command>
trust-anchor
s</command></para>
</entry>
<entry colname="2">
<para>
...
...
@@ -3223,9 +3223,9 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
</entry>
<entry colname="2">
<para>
is identical to <command>
dnssec-key
s</command>;
is identical to <command>
trust-anchor
s</command>;
this option is deprecated in favor
of <command>
dnssec-key
s</command> with
of <command>
trust-anchor
s</command> with
the <command>initial-key</command> keyword,
and may be removed in a future release.
</para>
...
...
@@ -3239,7 +3239,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
<para>
defines permanent trusted DNSSEC keys;
this option is deprecated in favor
of <command>
dnssec-key
s</command> with
of <command>
trust-anchor
s</command> with
the <command>static-key</command> keyword,
and may be removed in a future release.
</para>
...
...
@@ -4624,7 +4624,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
track managed DNSSEC keys (i.e., those configured using
the <command>initial-key</command> or
<command>initial-ds</command> keywords in a
<command>
dnssec-key
s</command> statement). By default,
<command>
trust-anchor
s</command> statement). By default,