Commit a5dc24b2, authored and committed by Matthijs Mekking

Mark some managed-keys instances deprecated

The 'managed-keys' (and 'trusted-keys') options have been deprecated
by 'dnssec-keys'.  Some documentation references to 'managed-keys'
had not yet been marked or noted as such.
parent 4c0e9d0b
Pipeline #16647 passed with stages
in 17 minutes and 33 seconds
......@@ -156,7 +156,7 @@ logging {
<refsection><info><title>MANAGED-KEYS</title></info>
<para>See DNSSEC-KEYS.</para>
<para>Deprecated - see DNSSEC-KEYS.</para>
<literallayout class="normal">
managed-keys { <replaceable>string</replaceable> ( static-key |
initial-key ) <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable>
......@@ -652,7 +652,7 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
lmdb-mapsize <replaceable>sizeval</replaceable>;
managed-keys { <replaceable>string</replaceable> ( static-key |
initial-key ) <replaceable>integer</replaceable> <replaceable>integer</replaceable>
<replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>; ... };
<replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>; ... };, deprecated
masterfile-format ( map | raw | text );
masterfile-style ( full | relative );
match-clients { <replaceable>address_match_element</replaceable>; ... };
......
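Review bot: the added line ending in "};, deprecated" puts the deprecation marker inside the view grammar listing, directly after the statement terminator, where it reads as part of the syntax a user would type. The MANAGED-KEYS refsection earlier in this file marks deprecation in a separate sentence ("Deprecated - see DNSSEC-KEYS."), so I would either follow that pattern here or set the marker off as a comment so that it cannot be mistaken for configuration text.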
......@@ -772,9 +772,8 @@
<listitem>
<para>
Dump the security roots (i.e., trust anchors
configured via <command>dnssec-keys</command> statements,
or the synonymous <command>managed-keys</command> or
the deprecated <command>trusted-keys</command> statements, or
configured via <command>dnssec-keys</command> statements, or the
managed-keys or trusted-keys statements (both deprecated), or
via <command>dnssec-validation auto</command>) and negative trust
anchors for the specified views. If no view is specified, all
views are dumped. Security roots will indicate whether
......
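Review bot: the replacement line "managed-keys or trusted-keys statements (both deprecated), or" drops the <command> markup that the removed lines had around both statement names, while dnssec-keys on the line above and dnssec-validation auto on the line below keep it. Please wrap managed-keys and trusted-keys in <command> so the three statement names render consistently in this list item.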
......@@ -2213,8 +2213,8 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
if at least one trust anchor has been explicitly configured
in <filename>named.conf</filename>
using a <command>dnssec-keys</command> statement (or the
synonymous <command>managed-keys</command> or the deprecated
<command>trusted-keys</command> statements).
<command>managed-keys</command> and <command>trusted-keys</command>
statements, both deprecated).
</para>
<para>
When <command>dnssec-validation</command> is set to
......@@ -3209,8 +3209,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
keys are kept up to date using RFC 5011
trust anchor maintenance, and if used with
<command>static-key</command>, keys are permanent.
Identical to <command>managed-keys</command>,
but has been added for improved clarity.
</para>
</entry>
</row>
......@@ -3220,8 +3218,11 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
</entry>
<entry colname="2">
<para>
is identical to <command>dnssec-keys</command>,
and is retained for backward compatibility.
is identical to <command>dnssec-keys</command>;
this option is deprecated in favor
of <command>dnssec-keys</command> with
the <command>initial-key</command> keyword,
and may be removed in a future release.
</para>
</entry>
</row>
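Review bot: the new wording in this table entry says managed-keys is deprecated in favor of dnssec-keys "with the initial-key keyword", but the grammar shown earlier in this patch has managed-keys accepting ( static-key | initial-key ). An operator who has static-key entries inside managed-keys and follows this sentence literally would switch those anchors to RFC 5011 maintenance. Since the entry already says the statement is identical to dnssec-keys, I would say that existing entries move to dnssec-keys with their keyword unchanged.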
......@@ -5054,10 +5055,11 @@ options {
as insecure.
</para>
<para>
Configured trust anchors in <command>trusted-keys</command>
or <command>managed-keys</command> that match a disabled
algorithm will be ignored and treated as if they were not
configured at all.
Configured trust anchors in <command>dnssec-keys</command>
(or <command>managed-keys</command> or
<command>trusted-keys</command>, both deprecated)
that match a disabled algorithm will be ignored and treated
as if they were not configured at all.
</para>
</listitem>
</varlistentry>
......@@ -6435,8 +6437,8 @@ options {
If set to <userinput>yes</userinput>, DNSSEC validation is
enabled, but a trust anchor must be manually configured
using a <command>dnssec-keys</command> statement (or
the synonymous <command>managed-keys</command>, or the
deprecated <command>trusted-keys</command> statements).
the <command>managed-keys</command> or the
<command>trusted-keys</command> statements, both deprecated).
If there is no configured trust anchor, validation will
not take place.
</para>
......@@ -11015,9 +11017,9 @@ example.com CNAME rpz-tcp-only.
and Usage</title></info>
 
<para>
The <command>managed-keys</command> statement is
identical to the <command>dnssec-keys</command>, and is
retained for backward compatibility.
The <command>managed-keys</command> statement has been
deprecated in favor of <xref linkend="dnssec_keys"/>
with the <command>initial-key</command> keyword.
</para>
</section>
 
......@@ -11030,7 +11032,7 @@ example.com CNAME rpz-tcp-only.
<para>
The <command>trusted-keys</command> statement has been
deprecated in favor of <xref linkend="dnssec_keys"/>
with the <command>static</command> keyword.
with the <command>static-key</command> keyword.
</para>
</section>
 
......@@ -11417,9 +11419,8 @@ view "external" {
For validation to succeed, a key-signing key
(KSK) for the zone must be configured as a trust
anchor in <filename>named.conf</filename>: that
is, a key for the zone must either be specified
in <command>managed-keys</command> or
<command>trusted-keys</command>. In the case
is, a key for the zone must be specified in
<command>dnssec-keys</command>. In the case
of the root zone, you may also rely on the
built-in root trust anchor, which is enabled
when <xref endterm="dnssec_validation_term"
......
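Review bot: the rewritten sentence now says a key for the zone "must be specified in dnssec-keys", with no mention of the deprecated statements, whereas the other hunks in this file keep a parenthetical such as "(or managed-keys or trusted-keys, both deprecated)". Read on its own, this paragraph suggests that trust anchors still configured through the older statements do not satisfy validation. I would add the same parenthetical here so the validation requirements read the same way throughout the manual.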
......@@ -46,7 +46,7 @@ been implemented but should still be considered experimental.
When acting as a caching name server, BIND9 is capable of performing
basic DNSSEC validation of positive as well as nonexistence responses.
This functionality is enabled by including a "trusted-keys" clause
This functionality is enabled by including a "dnssec-keys" clause
in the configuration file, containing the top-level zone key of the
the DNSSEC tree.
......
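Review bot: the unchanged context right after the edited line still reads "the top-level zone key of the" followed by "the DNSSEC tree", a doubled "the" across the line break. Since this sentence is being touched anyway, please fix that in the same change. It may also be worth checking whether "top-level zone key" is still the term to use next to dnssec-keys, given that the rest of the patch speaks of trust anchors.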
......@@ -148,7 +148,7 @@ END
if ($1 eq "managed-keys") {
print <<END;
<para>See DNSSEC-KEYS.</para>
<para>Deprecated - see DNSSEC-KEYS.</para>
END
}
......
......@@ -17,7 +17,7 @@
*
* \brief
* The IRS dnsconf module parses an "advanced" configuration file related to
* the DNS library, such as trusted keys for DNSSEC validation, and creates
* the DNS library, such as trust anchors for DNSSEC validation, and creates
* the corresponding configuration objects for the DNS library modules.
*
* Notes:
......
......@@ -43,7 +43,8 @@ static cfg_type_t cfg_type_trustedkeys = {
*/
static cfg_clausedef_t
dnsconf_clauses[] = {
{ "trusted-keys", &cfg_type_trustedkeys, CFG_CLAUSEFLAG_MULTI },
{ "trusted-keys", &cfg_type_trustedkeys,
CFG_CLAUSEFLAG_MULTI },
{ NULL, NULL, 0 }
};
......
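Review bot: the change to dnsconf_clauses[] only re-wraps the "trusted-keys" entry onto two lines, so after this commit the dnsconf parser still accepts trusted-keys as its only clause while the documentation hunks describe that statement as deprecated. If the re-wrap is a line-length cleanup, it would sit better in a separate style commit. Otherwise, a short comment above the table saying that dnsconf deliberately keeps the trusted-keys name would stop readers from assuming dnssec-keys works here too.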