2799. [cleanup] Changed the "secure-to-insecure" option to

			"dnssec-secure-to-insecure", and "dnskey-ksk-only"
			to "dnssec-dnskey-kskonly", for clarity. [RT #20586]

CHANGES

+2799.	[cleanup]	Changed the "secure-to-insecure" option to
+			"dnssec-secure-to-insecure", and "dnskey-ksk-only"
+			to "dnssec-dnskey-kskonly", for clarity. [RT #20586]
+
 2798.	[bug]		Addressed bugs in managed-keys initialization 
 			and rollover. [RT #20683]
 

NSEC3-NOTES

@@ -129,7 +129,7 @@ NSEC chain will be generated before the NSEC3 chain is removed.
 To do this remove all the DNSKEY records.  Any NSEC or NSEC3 chains
 will be removed as well as associated NSEC3PARAM records.  This will
 take place after the update requests completes.  This requires
-secure-to-insecure to be set in named.conf.
+dnssec-secure-to-insecure to be set in named.conf.
 
 		Periodic re-signing.
 

bin/dnssec/dnssec-signzone.docbook

@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: dnssec-signzone.docbook,v 1.43 2009/11/03 21:44:46 each Exp $ -->
+<!-- $Id: dnssec-signzone.docbook,v 1.44 2009/12/03 23:18:16 each Exp $ -->
 <refentry id="man.dnssec-signzone">
   <refentryinfo>
     <date>June 05, 2009</date>
@@ -559,7 +559,7 @@
           <para>
             Only sign the DNSKEY RRset with key-signing keys, and omit
             signatures from zone-signing keys.  (This is similar to the
-            <command>dnskey-ksk-only yes;</command> zone option in
+            <command>dnssec-dnskey-kskonly yes;</command> zone option in
             <command>named</command>.)
           </para>
         </listitem>

bin/named/config.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: config.c,v 1.104 2009/10/26 23:14:53 each Exp $ */
+/* $Id: config.c,v 1.105 2009/12/03 23:18:16 each Exp $ */
 
 /*! \file */
 
@@ -189,7 +189,7 @@ options {\n\
 	max-refresh-time 2419200; /* 4 weeks */\n\
 	min-refresh-time 300;\n\
 	multi-master no;\n\
-	secure-to-insecure no;\n\
+	dnssec-secure-to-insecure no;\n\
 	sig-validity-interval 30; /* days */\n\
 	sig-signing-nodes 100;\n\
 	sig-signing-signatures 10;\n\
@@ -204,7 +204,7 @@ options {\n\
 	check-srv-cname warn;\n\
 	zero-no-soa-ttl yes;\n\
 	update-check-ksk yes;\n\
-	dnskey-ksk-only no;\n\
+	dnssec-dnskey-kskonly no;\n\
 	try-tcp-refresh yes; /* BIND 8 compat */\n\
 };\n\
 "

bin/named/named.conf.docbook

@@ -17,7 +17,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: named.conf.docbook,v 1.43 2009/10/16 02:59:41 each Exp $ -->
+<!-- $Id: named.conf.docbook,v 1.44 2009/12/03 23:18:16 each Exp $ -->
 <refentry>
   <refentryinfo>
     <date>Aug 13, 2004</date>
@@ -302,7 +302,7 @@ options {
 	allow-update { <replaceable>address_match_element</replaceable>; ... };
 	allow-update-forwarding { <replaceable>address_match_element</replaceable>; ... };
 	update-check-ksk <replaceable>boolean</replaceable>;
-	dnskey-ksk-only <replaceable>boolean</replaceable>;
+	dnssec-dnskey-kskonly <replaceable>boolean</replaceable>;
 
 	masterfile-format ( text | raw );
 	notify <replaceable>notifytype</replaceable>;
@@ -353,7 +353,7 @@ options {
 	try-tcp-refresh <replaceable>boolean</replaceable>;
 	zero-no-soa-ttl <replaceable>boolean</replaceable>;
 	zero-no-soa-ttl-cache <replaceable>boolean</replaceable>;
-	secure-to-insecure <replaceable>boolean</replaceable>;
+	dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
 	deny-answer-addresses {
 		<replaceable>address_match_list</replaceable>
 	} <optional> except-from { <replaceable>namelist</replaceable> } </optional>;
@@ -476,7 +476,7 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
 	allow-update { <replaceable>address_match_element</replaceable>; ... };
 	allow-update-forwarding { <replaceable>address_match_element</replaceable>; ... };
 	update-check-ksk <replaceable>boolean</replaceable>;
-	dnskey-ksk-only <replaceable>boolean</replaceable>;
+	dnssec-dnskey-kskonly <replaceable>boolean</replaceable>;
 
 	masterfile-format ( text | raw );
 	notify <replaceable>notifytype</replaceable>;
@@ -521,7 +521,7 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
 	key-directory <replaceable>quoted_string</replaceable>;
 	zero-no-soa-ttl <replaceable>boolean</replaceable>;
 	zero-no-soa-ttl-cache <replaceable>boolean</replaceable>;
-	secure-to-insecure <replaceable>boolean</replaceable>;
+	dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
 
 	allow-v6-synthesis { <replaceable>address_match_element</replaceable>; ... }; // obsolete
 	fetch-glue <replaceable>boolean</replaceable>; // obsolete
@@ -556,7 +556,7 @@ zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
 	ixfr-from-differences <replaceable>boolean</replaceable>;
 	journal <replaceable>quoted_string</replaceable>;
 	zero-no-soa-ttl <replaceable>boolean</replaceable>;
-	secure-to-insecure <replaceable>boolean</replaceable>;
+	dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
 
 	allow-query { <replaceable>address_match_element</replaceable>; ... };
 	allow-query-on { <replaceable>address_match_element</replaceable>; ... };
@@ -572,7 +572,7 @@ zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
 		<optional>...</optional>
 	}</replaceable>;
 	update-check-ksk <replaceable>boolean</replaceable>;
-	dnskey-ksk-only <replaceable>boolean</replaceable>;
+	dnssec-dnskey-kskonly <replaceable>boolean</replaceable>;
 
 	masterfile-format ( text | raw );
 	notify <replaceable>notifytype</replaceable>;

bin/named/update.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: update.c,v 1.171 2009/11/24 03:42:32 each Exp $ */
+/* $Id: update.c,v 1.172 2009/12/03 23:18:16 each Exp $ */
 
 #include <config.h>
 
@@ -4122,8 +4122,9 @@ update_action(isc_task_t *task, isc_event_t *event) {
 					   &had_dnskey));
 			if (had_dnskey && !has_dnskey) {
 				update_log(client, zone, LOGLEVEL_PROTOCOL,
-					   "update rejected: all DNSKEY records "
-					   "removed and 'secure-to-insecure' "
+					   "update rejected: all DNSKEY "
+                                           "records removed and "
+                                           "'dnssec-secure-to-insecure' "
 					   "not set");
 				result = DNS_R_REFUSED;
 				goto failure;

bin/named/zoneconf.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zoneconf.c,v 1.159 2009/10/22 03:43:16 each Exp $ */
+/* $Id: zoneconf.c,v 1.160 2009/12/03 23:18:17 each Exp $ */
 
 /*% */
 
@@ -855,7 +855,7 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 				   cfg_obj_asboolean(obj));
 
 		obj = NULL;
-		result = ns_config_get(maps, "dnskey-ksk-only", &obj);
+		result = ns_config_get(maps, "dnssec-dnskey-kskonly", &obj);
 		INSIST(result == ISC_R_SUCCESS);
 		dns_zone_setoption(zone, DNS_ZONEOPT_DNSKEYKSKONLY,
 				   cfg_obj_asboolean(obj));
@@ -933,7 +933,7 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 		dns_zone_setoption(zone, DNS_ZONEOPT_IGNORESRVCNAME, ignore);
 
 		obj = NULL;
-		result = ns_config_get(maps, "secure-to-insecure", &obj);
+		result = ns_config_get(maps, "dnssec-secure-to-insecure", &obj);
 		INSIST(obj != NULL);
 		dns_zone_setoption(zone, DNS_ZONEOPT_SECURETOINSECURE,
 				   cfg_obj_asboolean(obj));

doc/arm/Bv9ARM-book.xml

@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- File: $Id: Bv9ARM-book.xml,v 1.447 2009/11/28 15:57:37 vjs Exp $ -->
+<!-- File: $Id: Bv9ARM-book.xml,v 1.448 2009/12/03 23:18:17 each Exp $ -->
 <book xmlns:xi="http://www.w3.org/2001/XInclude">
   <title>BIND 9 Administrator Reference Manual</title>
@@ -4923,8 +4923,8 @@ badresp:1,adberr:0,findfail:0,valfail:0]
     <optional> allow-update { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> allow-update-forwarding { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> update-check-ksk <replaceable>yes_or_no</replaceable>; </optional>
-    <optional> dnskey-ksk-only <replaceable>yes_or_no</replaceable>; </optional>
-    <optional> secure-to-insecure <replaceable>yes_or_no</replaceable> ;</optional>
+    <optional> dnssec-dnskey-kskonly <replaceable>yes_or_no</replaceable>; </optional>
+    <optional> dnssec-secure-to-insecure <replaceable>yes_or_no</replaceable> ;</optional>
     <optional> try-tcp-refresh <replaceable>yes_or_no</replaceable>; </optional>
     <optional> allow-v6-synthesis { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> blackhole { <replaceable>address_match_list</replaceable> }; </optional>
@@ -6556,7 +6556,7 @@ options {
 	    </varlistentry>
 	    <varlistentry>
-	      <term><command>dnskey-ksk-only</command></term>
+	      <term><command>dnssec-dnskey-kskonly</command></term>
 	      <listitem>
 	        <para>
                   When this option and <command>update-check-ksk</command>
@@ -6588,7 +6588,7 @@ options {
 	    </varlistentry>
 	    <varlistentry>
-	      <term><command>secure-to-insecure</command></term>
+	      <term><command>dnssec-secure-to-insecure</command></term>
 	      <listitem>
 	        <para>
 		  Allow a zone to transition from secure to insecure by
@@ -9520,8 +9520,8 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
     <optional> allow-transfer { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> allow-update-forwarding { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> update-check-ksk <replaceable>yes_or_no</replaceable>; </optional>
-    <optional> dnskey-ksk-only <replaceable>yes_or_no</replaceable>; </optional>
-    <optional> secure-to-insecure <replaceable>yes_or_no</replaceable> ; </optional>
+    <optional> dnssec-dnskey-kskonly <replaceable>yes_or_no</replaceable>; </optional>
+    <optional> dnssec-secure-to-insecure <replaceable>yes_or_no</replaceable> ; </optional>
     <optional> try-tcp-refresh <replaceable>yes_or_no</replaceable>; </optional>
     <optional> also-notify { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ;
                   <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
@@ -10034,11 +10034,11 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
               </varlistentry>
 	      <varlistentry>
-	        <term><command>dnskey-ksk-only</command></term>
+	        <term><command>dnssec-dnskey-kskonly</command></term>
                 <listitem>
                   <para>
                     See the description of
-                    <command>dnskey-ksk-only</command> in <xref linkend="boolean_options"/>.
+                    <command>dnssec-dnskey-kskonly</command> in <xref linkend="boolean_options"/>.
                   </para>
                 </listitem>
               </varlistentry>
@@ -10479,11 +10479,11 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
 	      </varlistentry>
               <varlistentry>
-                <term><command>secure-to-insecure</command></term>
+                <term><command>dnssec-secure-to-insecure</command></term>
                 <listitem>
                   <para>
                     See the description of
-                    <command>secure-to-insecure</command> in <xref linkend="boolean_options"/>.
+                    <command>dnssec-secure-to-insecure</command> in <xref linkend="boolean_options"/>.
                   </para>
                 </listitem>
               </varlistentry>

lib/bind9/check.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: check.c,v 1.112 2009/10/12 23:48:01 tbox Exp $ */
+/* $Id: check.c,v 1.113 2009/12/03 23:18:17 each Exp $ */
 
 /*! \file */
 
@@ -1101,7 +1101,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 	{ "min-retry-time", SLAVEZONE | STUBZONE },
 	{ "max-refresh-time", SLAVEZONE | STUBZONE },
 	{ "min-refresh-time", SLAVEZONE | STUBZONE },
-	{ "secure-to-insecure", MASTERZONE },
+	{ "dnssec-secure-to-insecure", MASTERZONE },
 	{ "sig-validity-interval", MASTERZONE },
 	{ "sig-re-signing-interval", MASTERZONE },
 	{ "sig-signing-nodes", MASTERZONE },
@@ -1126,7 +1126,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 	{ "check-srv-cname", MASTERZONE },
 	{ "masterfile-format", MASTERZONE | SLAVEZONE | STUBZONE | HINTZONE },
 	{ "update-check-ksk", MASTERZONE },
-	{ "dnskey-ksk-only", MASTERZONE },
+	{ "dnssec-dnskey-kskonly", MASTERZONE },
 	{ "auto-dnssec", MASTERZONE },
 	{ "try-tcp-refresh", SLAVEZONE },
 	};

lib/dns/include/dns/zone.h

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.h,v 1.170 2009/10/12 20:48:12 each Exp $ */
+/* $Id: zone.h,v 1.171 2009/12/03 23:18:17 each Exp $ */
 
 #ifndef DNS_ZONE_H
 #define DNS_ZONE_H 1
@@ -71,8 +71,8 @@ typedef enum {
 #define DNS_ZONEOPT_TRYTCPREFRESH 0x01000000U	/*%< try tcp refresh on udp failure */
 #define DNS_ZONEOPT_NOTIFYTOSOA	  0x02000000U	/*%< Notify the SOA MNAME */
 #define DNS_ZONEOPT_NSEC3TESTZONE 0x04000000U	/*%< nsec3-test-zone */
-#define DNS_ZONEOPT_SECURETOINSECURE 0x08000000U /*%< secure-to-insecure */
-#define DNS_ZONEOPT_DNSKEYKSKONLY 0x10000000U	/*%< dnskey-ksk-only */
+#define DNS_ZONEOPT_SECURETOINSECURE 0x08000000U /*%< dnssec-secure-to-insecure */
+#define DNS_ZONEOPT_DNSKEYKSKONLY 0x10000000U	/*%< dnssec-dnskey-kskonly */
 
 #ifndef NOMINUM_PUBLIC
 /*

lib/isccfg/namedconf.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: namedconf.c,v 1.111 2009/11/28 15:57:37 vjs Exp $ */
+/* $Id: namedconf.c,v 1.112 2009/12/03 23:18:17 each Exp $ */
 
 /*! \file */
 
@@ -1126,7 +1126,8 @@ zone_clauses[] = {
 	{ "check-srv-cname", &cfg_type_checkmode, 0 },
 	{ "check-wildcard", &cfg_type_boolean, 0 },
 	{ "dialup", &cfg_type_dialuptype, 0 },
-	{ "dnskey-ksk-only", &cfg_type_boolean, 0 },
+	{ "dnssec-dnskey-kskonly", &cfg_type_boolean, 0 },
+	{ "dnssec-secure-to-insecure", &cfg_type_boolean, 0 },
 	{ "forward", &cfg_type_forwardtype, 0 },
 	{ "forwarders", &cfg_type_portiplist, 0 },
 	{ "key-directory", &cfg_type_qstring, 0 },
@@ -1149,7 +1150,6 @@ zone_clauses[] = {
 	{ "notify-source-v6", &cfg_type_sockaddr6wild, 0 },
 	{ "notify-to-soa", &cfg_type_boolean, 0 },
 	{ "nsec3-test-zone", &cfg_type_boolean, CFG_CLAUSEFLAG_TESTONLY },
-	{ "secure-to-insecure", &cfg_type_boolean, 0 },
 	{ "sig-signing-nodes", &cfg_type_uint32, 0 },
 	{ "sig-signing-signatures", &cfg_type_uint32, 0 },
 	{ "sig-signing-type", &cfg_type_uint32, 0 },