Follow-up from "Remove TKEY Mode 2 (Diffie-Hellman)"
The following discussion from !7626 (merged) should be addressed:
- @each started a discussion: (+5 comments)

  > I was wondering if, with DH gone, we could also deprecate some options to `dnssec-keygen` and `-keyfromlabel`, such as `-n` and `-t` and `-T`.
  >
  > It looks like `-T` (which lets you choose `DNSKEY` vs `KEY` as the rdata type) is still used for SIG(0), so there are `KEY` records that aren't `DH`, so this option can't go away.
  >
  > Since we still need to be able to set the type to `KEY`, we also still need to be able to set the `KEY` rdata flags field, so `-t` also needs to stay. We don't make any real use of it, none of our tests currently set it, but it seems wrong to make it impossible to set. (Its purpose is to set the flags that indicate whether a key can be used for confidentiality or authentication or both or neither, the default being both.)
  >
  > `-n` is used for `ZONE` keys or `ENTITY` (aka `HOST`) keys. The function of that is to prevent certain keys from being found when searching for signing keys for a zone. I wonder if we could just use the rrtype to do that (`DNSKEY` is always zone, `KEY` is always entity)? In any case it's also used for `USER` keys which are never used anywhere in BIND and could definitely go away.
  >
  > (This should spin off to a separate issue, I'm just writing about it here because I was thinking about it while reviewing this MR.)