mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-31 14:35:26 +00:00

Remove -p option from dnssec-keygen/keyfromlabel

The -p (protocol) option for all keys defaults to 3 (DNSSEC).
There is currently no practical reason to use any other value;
we can simplify things by removing the option.
Evan Hunt
2025-03-14 22:41:12 -07:00
parent 22d688f656
commit 57ee9817ce
4 changed files with 6 additions and 51 deletions


@@ -74,7 +74,6 @@ usage(void) {
fprintf(stderr, " -L ttl: default key TTL\n");
fprintf(stderr, " -M <min>:<max>: allowed Key ID range\n");
fprintf(stderr, " (DNSKEY generation defaults to ZONE\n");
fprintf(stderr, " -p protocol: default: 3 [dnssec]\n");
fprintf(stderr, " -y: permit keys that might collide\n");
fprintf(stderr, " -v verbose level\n");
fprintf(stderr, " -V: print version information\n");
@@ -119,7 +118,6 @@ main(int argc, char **argv) {
bool oldstyle = false;
isc_mem_t *mctx = NULL;
int ch;
int protocol = -1;
isc_result_t ret;
isc_textregion_t r;
char filename[255];
@@ -220,11 +218,7 @@ main(int argc, char **argv) {
fatal("The -n option has been deprecated.");
break;
case 'p':
protocol = strtol(isc_commandline_argument, &endp, 10);
if (*endp != '\0' || protocol < 0 || protocol > 255) {
fatal("-p must be followed by a number "
"[0..255]");
}
fatal("The -p option has been deprecated.");
break;
case 't':
fatal("The -t option has been deprecated.");
@@ -541,19 +535,11 @@ main(int argc, char **argv) {
flags |= DNS_KEYOWNER_ENTITY; /* KEY: name type HOST */
}
if (protocol == -1) {
protocol = DNS_KEYPROTO_DNSSEC;
} else if ((options & DST_TYPE_KEY) == 0 &&
protocol != DNS_KEYPROTO_DNSSEC)
{
fatal("invalid DNSKEY protocol: %d", protocol);
}
isc_buffer_init(&buf, filename, sizeof(filename) - 1);
/* associate the key */
ret = dst_key_fromlabel(name, alg, flags, protocol, rdclass, label,
NULL, mctx, &key);
ret = dst_key_fromlabel(name, alg, flags, DNS_KEYPROTO_DNSSEC, rdclass,
label, NULL, mctx, &key);
if (ret != ISC_R_SUCCESS) {
char namestr[DNS_NAME_FORMATSIZE];
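Review bot: In `case 'p'` the new `fatal("The -p option has been deprecated.")` rejects every use of the option, including `-p 3`, which asks for exactly the value now passed to `dst_key_fromlabel()`; "deprecated" understates that, and the keygen section further down uses the same wording in its own `case 'p'`. Key-management scripts that pass the default explicitly will stop producing keys after an upgrade, and none of the four files in this commit looks like a release note or changelog entry, so operators may need to be told elsewhere. If the wording is not tied to the neighbouring -n/-t messages, something like `fatal("The -p option has been removed; the protocol is always 3 (DNSSEC).");` tells the operator what to change. main() begins and ends outside these hunks, so whether 'p' is still present in the option string cannot be checked from here.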


@@ -127,12 +127,6 @@ Options
values for ``tag_min`` and ``tag_max`` are [0..65535]. The
default allows all key tag values to be accepted.
.. option:: -p protocol
This option sets the protocol value for the key. The protocol is a number between
0 and 255. The default is 3 (DNSSEC). Other possible values for this
argument are listed in :rfc:`2535` and its successors.
.. option:: -S key
This option generates a key as an explicit successor to an existing key. The name,


@@ -82,7 +82,6 @@ struct keygen_ctx {
const char *directory;
dns_keystore_t *keystore;
char *algname;
int protocol;
int size;
uint16_t tag_min;
uint16_t tag_max;
@@ -172,7 +171,6 @@ usage(void) {
fprintf(stderr, " -F: FIPS mode\n");
fprintf(stderr, " -L <ttl>: default key TTL\n");
fprintf(stderr, " -M <min>:<max>: allowed Key ID range\n");
fprintf(stderr, " -p <protocol>: (default: 3 [dnssec])\n");
fprintf(stderr, " -s <strength>: strength value this key signs DNS "
"records with (default: 0)\n");
fprintf(stderr, " -T <rrtype>: DNSKEY | KEY (default: DNSKEY; "
@@ -511,14 +509,6 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) {
}
}
if (ctx->protocol == -1) {
ctx->protocol = DNS_KEYPROTO_DNSSEC;
} else if ((ctx->options & DST_TYPE_KEY) == 0 &&
ctx->protocol != DNS_KEYPROTO_DNSSEC)
{
fatal("invalid DNSKEY protocol: %d", ctx->protocol);
}
switch (ctx->alg) {
case DNS_KEYALG_RSASHA1:
case DNS_KEYALG_NSEC3RSASHA1:
@@ -556,12 +546,12 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) {
mctx, ctx->alg, ctx->size, flags, &key);
} else if (!ctx->quiet && show_progress) {
ret = dst_key_generate(name, ctx->alg, ctx->size, 0,
flags, ctx->protocol,
flags, DNS_KEYPROTO_DNSSEC,
ctx->rdclass, NULL, mctx, &key,
&progress);
} else {
ret = dst_key_generate(name, ctx->alg, ctx->size, 0,
flags, ctx->protocol,
flags, DNS_KEYPROTO_DNSSEC,
ctx->rdclass, NULL, mctx, &key,
NULL);
}
@@ -792,7 +782,6 @@ main(int argc, char **argv) {
keygen_ctx_t ctx = {
.options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC,
.prepub = -1,
.protocol = -1,
.size = -1,
.now = isc_stdtime_now(),
};
@@ -914,14 +903,7 @@ main(int argc, char **argv) {
case 'm':
break;
case 'p':
ctx.protocol = strtol(isc_commandline_argument, &endp,
10);
if (*endp != '\0' || ctx.protocol < 0 ||
ctx.protocol > 255)
{
fatal("-p must be followed by a number "
"[0..255]");
}
fatal("The -p option has been deprecated.");
break;
case 'q':
ctx.quiet = true;
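Review bot: The two `dst_key_generate()` calls in the `@@ -556` hunk now pass `DNS_KEYPROTO_DNSSEC` as a bare constant, and the block removed in the `@@ -511` hunk was the only place in this section that recorded why a DNSKEY cannot carry another protocol value. A short comment above the if/else chain would keep that reasoning, for example `/* Protocol is fixed at 3 (DNSSEC): RFC 4034 requires it for DNSKEY, and the -p override was removed. */`. With `-T KEY` the protocol also becomes 3 unconditionally, which is the case the deleted manual text said -p was for, so that deserves one sentence in the same comment. The `dst_key_fromlabel()` call in the first file section would take the same comment. keygen() starts and ends outside the hunks.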


@@ -163,13 +163,6 @@ Options
key tag values to be produced. This option is ignored when ``-k policy``
is specified.
.. option:: -p protocol
This option sets the protocol value for the generated key, for use with
:option:`-T KEY <-T>`. The protocol is a number between 0 and 255. The default
is 3 (DNSSEC). Other possible values for this argument are listed in
:rfc:`2535` and its successors.
.. option:: -q
This option sets quiet mode, which suppresses unnecessary output, including progress