"dnssec-keys" is now a synonym for "managed-keys"

- managed-keys is now deprecated as well as trusted-keys, though
  it continues to work as a synonym for dnssec-keys
- references to managed-keys have been updated throughout the code.
- tests have been updated to use dnssec-keys format
- also the trusted-keys entries have been removed from the generated
  bind.keys.h file and are no longer generated by bindkeys.pl.

bin/delv/delv.c

@@ -133,13 +133,13 @@ static bool use_tcp = false;
 static char *anchorfile = NULL;
 static char *trust_anchor = NULL;
 static char *dlv_anchor = NULL;
-static int trusted_keys = 0;
+static int num_keys = 0;
 
 static dns_fixedname_t afn, dfn;
 static dns_name_t *anchor_name = NULL, *dlv_name = NULL;
 
 /* Default bind.keys contents */
-static char anchortext[] = MANAGED_KEYS;
+static char anchortext[] = DNSSEC_KEYS;
 
 /*
  * Static function prototypes
@@ -642,7 +642,7 @@ key_fromconfig(const cfg_obj_t *key, dns_client_t *client) {
 
 	CHECK(dns_client_addtrustedkey(client, dns_rdataclass_in,
 				       keyname, &rrdatabuf));
-	trusted_keys++;
+	num_keys++;
 
  cleanup:
 	if (result == DST_R_NOCRYPTO)
@@ -693,13 +693,15 @@ static isc_result_t
 setup_dnsseckeys(dns_client_t *client) {
 	isc_result_t result;
 	cfg_parser_t *parser = NULL;
-	const cfg_obj_t *keys = NULL;
+	const cfg_obj_t *trusted_keys = NULL;
 	const cfg_obj_t *managed_keys = NULL;
+	const cfg_obj_t *dnssec_keys = NULL;
 	cfg_obj_t *bindkeys = NULL;
 	const char *filename = anchorfile;
 
-	if (!root_validation && !dlv_validation)
+	if (!root_validation && !dlv_validation) {
 		return (ISC_R_SUCCESS);
+	}
 
 	if (filename == NULL) {
 #ifndef WIN32
@@ -714,27 +716,33 @@ setup_dnsseckeys(dns_client_t *client) {
 
 	if (trust_anchor == NULL) {
 		trust_anchor = isc_mem_strdup(mctx, ".");
-		if (trust_anchor == NULL)
+		if (trust_anchor == NULL) {
 			fatal("out of memory");
+		}
 	}
 
-	if (trust_anchor != NULL)
+	if (trust_anchor != NULL) {
 		CHECK(convert_name(&afn, &anchor_name, trust_anchor));
-	if (dlv_anchor != NULL)
+	}
+	if (dlv_anchor != NULL) {
 		CHECK(convert_name(&dfn, &dlv_name, dlv_anchor));
+	}
 
 	CHECK(cfg_parser_create(mctx, dns_lctx, &parser));
 
 	if (access(filename, R_OK) != 0) {
-		if (anchorfile != NULL)
+		if (anchorfile != NULL) {
 			fatal("Unable to read key file '%s'", anchorfile);
+		}
 	} else {
 		result = cfg_parse_file(parser, filename,
 					&cfg_type_bindkeys, &bindkeys);
-		if (result != ISC_R_SUCCESS)
-			if (anchorfile != NULL)
+		if (result != ISC_R_SUCCESS) {
+			if (anchorfile != NULL) {
 				fatal("Unable to load keys from '%s'",
 				      anchorfile);
+			}
+		}
 	}
 
 	if (bindkeys == NULL) {
@@ -744,25 +752,34 @@ setup_dnsseckeys(dns_client_t *client) {
 		isc_buffer_add(&b, sizeof(anchortext) - 1);
 		result = cfg_parse_buffer(parser, &b, NULL, 0,
 					  &cfg_type_bindkeys, 0, &bindkeys);
-		if (result != ISC_R_SUCCESS)
+		if (result != ISC_R_SUCCESS) {
 			fatal("Unable to parse built-in keys");
+		}
 	}
 
 	INSIST(bindkeys != NULL);
-	cfg_map_get(bindkeys, "trusted-keys", &keys);
+	cfg_map_get(bindkeys, "trusted-keys", &trusted_keys);
 	cfg_map_get(bindkeys, "managed-keys", &managed_keys);
+	cfg_map_get(bindkeys, "dnssec-keys", &dnssec_keys);
 
-	if (keys != NULL)
-		CHECK(load_keys(keys, client));
-	if (managed_keys != NULL)
+	if (trusted_keys != NULL) {
+		CHECK(load_keys(trusted_keys, client));
+	}
+	if (managed_keys != NULL) {
 		CHECK(load_keys(managed_keys, client));
+	}
+	if (dnssec_keys != NULL) {
+		CHECK(load_keys(dnssec_keys, client));
+	}
 	result = ISC_R_SUCCESS;
 
-	if (trusted_keys == 0)
+	if (num_keys == 0) {
 		fatal("No trusted keys were loaded");
+	}
 
-	if (dlv_validation)
+	if (dlv_validation) {
 		dns_client_setdlv(client, dns_rdataclass_in, dlv_anchor);
+	}
 
 
  cleanup:
@@ -772,9 +789,10 @@ setup_dnsseckeys(dns_client_t *client) {
 	if (parser != NULL) {
 		cfg_parser_destroy(&parser);
 	}
-	if (result != ISC_R_SUCCESS)
+	if (result != ISC_R_SUCCESS) {
 		delv_log(ISC_LOG_ERROR, "setup_dnsseckeys: %s",
 			  isc_result_totext(result));
+	}
 	return (result);
 }
 

bin/named/config.c

@@ -290,10 +290,10 @@ view \"_bind\" chaos {\n\
 # \"dnssec-validation auto;\" is set and\n\
 #  sysconfdir/bind.keys doesn't exist).\n\
 #\n\
-# BEGIN MANAGED KEYS\n"
+# BEGIN DNSSEC KEYS\n"
 
 /* Imported from bind.keys.h: */
-MANAGED_KEYS
+DNSSEC_KEYS
 
 "# END MANAGED KEYS\n\
 \n\

bin/named/server.c

@@ -901,7 +901,7 @@ process_key(const cfg_obj_t *key, dns_keytable_t *secroots,
 
 	/*
 	 * Add the key to 'secroots'.  Keys from a "dnssec-keys" or
-	 * "managed-keys" * statement may be either static or initializing
+	 * "managed-keys" statement may be either static or initializing
 	 * keys. If it's not initializing, we don't want to treat it as
 	 * managed, so we use 'initializing' twice here, for both the
 	 * 'managed' and 'initializing' arguments to dns_keytable_add().
@@ -1002,7 +1002,9 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 	const cfg_obj_t *view_keys = NULL;
 	const cfg_obj_t *global_keys = NULL;
 	const cfg_obj_t *view_managed_keys = NULL;
+	const cfg_obj_t *view_dnssec_keys = NULL;
 	const cfg_obj_t *global_managed_keys = NULL;
+	const cfg_obj_t *global_dnssec_keys = NULL;
 	const cfg_obj_t *maps[4];
 	const cfg_obj_t *voptions = NULL;
 	const cfg_obj_t *options = NULL;
@@ -1022,15 +1024,24 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 		if (voptions != NULL) {
 			(void) cfg_map_get(voptions, "trusted-keys",
 					   &view_keys);
+
+			/* managed-keys and dnssec-keys are synonyms. */
 			(void) cfg_map_get(voptions, "managed-keys",
 					   &view_managed_keys);
+			(void) cfg_map_get(voptions, "dnssec-keys",
+					   &view_dnssec_keys);
+
 			maps[i++] = voptions;
 		}
 	}
 
 	if (config != NULL) {
 		(void)cfg_map_get(config, "trusted-keys", &global_keys);
+
+		/* managed-keys and dnssec-keys are synonyms. */
 		(void)cfg_map_get(config, "managed-keys", &global_managed_keys);
+		(void)cfg_map_get(config, "dnssec-keys", &global_dnssec_keys);
+
 		(void)cfg_map_get(config, "options", &options);
 		if (options != NULL) {
 			maps[i++] = options;
@@ -1061,7 +1072,7 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 
 		/*
 		 * If bind.keys exists and is populated, it overrides
-		 * the managed-keys clause hard-coded in named_g_config.
+		 * the dnssec-keys clause hard-coded in named_g_config.
 		 */
 		if (bindkeys != NULL) {
 			isc_log_write(named_g_lctx, DNS_LOGCATEGORY_SECURITY,
@@ -1070,7 +1081,7 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 				      "from '%s'",
 				      view->name, named_g_server->bindkeysfile);
 
-			(void)cfg_map_get(bindkeys, "managed-keys",
+			(void)cfg_map_get(bindkeys, "dnssec-keys",
 					  &builtin_keys);
 
 			if (builtin_keys == NULL) {
@@ -1090,7 +1101,7 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 				      "using built-in root key for view %s",
 				      view->name);
 
-			(void)cfg_map_get(named_g_config, "managed-keys",
+			(void)cfg_map_get(named_g_config, "dnssec-keys",
 					  &builtin_keys);
 		}
 
@@ -1110,11 +1121,14 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 
 	CHECK(load_view_keys(view_keys, view, false, NULL, mctx));
 	CHECK(load_view_keys(view_managed_keys, view, true, NULL, mctx));
+	CHECK(load_view_keys(view_dnssec_keys, view, true, NULL, mctx));
 
 	if (view->rdclass == dns_rdataclass_in) {
 		CHECK(load_view_keys(global_keys, view, false, NULL, mctx));
 		CHECK(load_view_keys(global_managed_keys, view, true,
 				     NULL, mctx));
+		CHECK(load_view_keys(global_dnssec_keys, view, true,
+				     NULL, mctx));
 	}
 
 	/*

bin/tests/system/checkconf/bad-duplicate-root-key.conf

@@ -13,7 +13,7 @@ options {
 	dnssec-validation yes;
 };
 
-managed-keys {
+dnssec-keys {
 	. initial-key 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl
 		25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG
 		tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY

bin/tests/system/checkconf/check-dlv-ksk-key.conf

@@ -9,7 +9,7 @@
  * information regarding copyright ownership.
  */
 
-managed-keys {
+dnssec-keys {
 	dlv.isc.org static-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWE
 		n4MxDCE1+lLy2brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8
 		+jAGl2FZLK8t+1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ

bin/tests/system/checkconf/check-root-ksk-2010.conf

@@ -9,7 +9,7 @@
  * information regarding copyright ownership.
  */
 
-managed-keys {
+dnssec-keys {
 	# This key (19036) is to be phased out starting in 2017. It will
 	# remain in the root zone for some time after its successor key
 	# has been added. It will remain this file until it is removed from

bin/tests/system/checkconf/check-root-ksk-2017.conf

@@ -9,7 +9,7 @@
  * information regarding copyright ownership.
  */
 
-managed-keys {
+dnssec-keys {
 	# This key (20326) was published in the root zone in 2017.
 	# Servers which were already using the old key (19036) should
 	# roll seamlessly to this new one via RFC 5011 rollover. Servers

bin/tests/system/checkconf/check-root-ksk-both.conf

@@ -9,7 +9,7 @@
  * information regarding copyright ownership.
  */
 
-managed-keys {
+dnssec-keys {
 	# This key (19036) is to be phased out starting in 2017. It will
 	# remain in the root zone for some time after its successor key
 	# has been added. It will remain this file until it is removed from

bin/tests/system/checkconf/check-root-mixed-key.conf

@@ -9,7 +9,7 @@
  * information regarding copyright ownership.
  */
 
-managed-keys {
+dnssec-keys {
 	# This key (19036) is to be phased out starting in 2017. It will
 	# remain in the root zone for some time after its successor key
 	# has been added. It will remain this file until it is removed from

bin/tests/system/checkconf/check-root-static-key.conf

@@ -9,7 +9,7 @@
  * information regarding copyright ownership.
  */
 
-managed-keys {
+dnssec-keys {
 	# This key (20326) was published in the root zone in 2017.
 	# Servers which were already using the old key (19036) should
 	# roll seamlessly to this new one via RFC 5011 rollover. Servers

bin/tests/system/checkconf/good-dup-managed-key.conf

@@ -13,7 +13,7 @@ options {
 	dnssec-validation yes;
 };
 
-managed-keys {
+dnssec-keys {
 	example. initial-key 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl
 		25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG
 		tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY

bin/tests/system/checkconf/tests.sh

@@ -427,7 +427,7 @@ echo_i "check that the dlv.isc.org KSK generates a warning ($n)"
 ret=0
 $CHECKCONF check-dlv-ksk-key.conf > checkconf.out$n 2>/dev/null || ret=1
 [ -s checkconf.out$n ] || ret=1
-grep "entry for dlv.isc.org still present" checkconf.out$n > /dev/null || ret=1
+grep "trust anchor for dlv.isc.org is present" checkconf.out$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
 status=`expr $status + $ret`
 

bin/tests/system/conf.sh.common

@@ -216,7 +216,7 @@ keyfile_to_keys_section() {
     for keyname in $*; do
 	awk '!/^; /{
 	    printf "\t\""$1"\" "
-	    printf "'"$key_prefix"'"
+	    printf "'"$key_prefix "'"
 	    printf $4 " " $5 " " $6 " \""
 	    for (i=7; i<=NF; i++) printf $i
 	    printf "\";\n"
@@ -226,17 +226,17 @@ keyfile_to_keys_section() {
 }
 
 # keyfile_to_trusted_keys: convert key data contained in the keyfile(s)
-# provided to a *static* "managed-keys" section suitable for including in a
+# provided to a *static* "dnssec-keys" section suitable for including in a
 # resolver's configuration file
 keyfile_to_trusted_keys() {
-    keyfile_to_keys_section "managed-keys" "static-key" $*
+    keyfile_to_keys_section "dnssec-keys" "static-key" $*
 }
 
 # keyfile_to_managed_keys: convert key data contained in the keyfile(s)
-# provided to a "managed-keys" section suitable for including in a
+# provided to a "dnssec-keys" section suitable for including in a
 # resolver's configuration file
 keyfile_to_managed_keys() {
-    keyfile_to_keys_section "managed-keys" "initial-key" $*
+    keyfile_to_keys_section "dnssec-keys" "initial-key" $*
 }
 
 # nextpart*() - functions for reading files incrementally

bin/tests/system/genzone.sh

@@ -487,7 +487,7 @@ dlv			DLV	30795 1 1 (
 
 ; type 65280-65534 (private use)
 
-; keydata (internal type used for managed-keys)
+; keydata (internal type used for managed keys)
 keydata			TYPE65533	\# 0
 keydata			TYPE65533	\# 6 010203040506 
 keydata			TYPE65533	\# 18 010203040506010203040506010203040506

bin/tests/system/legacy/ns1/trusted.conf

@@ -1,3 +1,3 @@
-managed-keys {
+dnssec-keys {
     "edns512-notcp." static-key 257 3 10 "AwEAAcEBkn/cuVhdRTWMHt19O7h9F4Hx2t68u1JUZg7swLLvwfljqnNYjsKYk9EzUhIaYOAHtVe7//cYwoVU4BFhY2DGbx1YE1LnKIGxfqpopFxDZC34TTl6jpoTP6kvj+XpeO0HfF2+DcyNgnQcMGgHXyLWeRUJFt1As6o9tmsBiInGIZMTE3/rANhtAGMLNzhRLN7CS/Tc5GhKaL66uebyEYenEOAyDVgsuhr8Q9D5ka6xZmxzXFVswy2KvsSxu9aoxVq4nACjIeTZ4GJy0v83zclV7hA+5jlPDXMFtIpvwux5XALrNkUUPq+Fb5sc5/u141LcvdASnlk58I77HbsnfausvDxdYYxEns7K9e9N85dwyreM/OGTmm8p4hNDngZESAea7MrSCsJpOGn9XLkVe6gZnBgB1cra+ezzTSWn+4QH17lIhFXYNjMV83df2h/gH3Gmthqnr9RgknZga8B/Czc7TeX6iy2gAOshKGyb6w12eJim1L8tS5T138V8d6SigzxZz1raiJNolVhXyA8SbbDpgBrcoEXN/WjwvWI+2ol5gzlqMeNw/F9SMoWdpGIWkkNCNWBbhLWhp6qfhpRLUFwVys54LGOIGSVRd9uJmc2hPdXoP8ephnCIeNJb8Zp6DnpssyN0JaF815dKkOHff9GEjaiRLj0xWvtZSqNFaGoB";
 };

bin/tests/system/mkeys/README

@@ -2,17 +2,16 @@ Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 
 See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
 
-This is for testing managed-keys, in particular with problems
-with RFC 5011 Automated Updates of DNSSEC Trust Anchors.
+This is for testing RFC 5011 Automated Updates of DNSSEC Trust Anchors.
 
 ns1 is the root server that offers new KSKs and hosts one record for
 testing. The TTL for the zone's records is 2 seconds.
 
-ns2 is a validator that uses managed-keys.  "-T mkeytimers=2/20/40"
+ns2 is a validator that uses managed keys.  "-T mkeytimers=2/20/40"
 is used so it will attempt do automated updates frequently. "-T tat=1"
 is used so it will send TAT queries once per second.
 
-ns3 is a validator with a broken key in managed-keys.
+ns3 is a validator with a broken initializing key in dnssec-keys.
 
 ns4 is a validator with a deliberately broken managed-keys.bind and
 managed-keys.jnl, causing RFC 5011 initialization to fail.

bin/tests/system/mkeys/ns3/named.conf.in

@@ -41,6 +41,6 @@ zone "." {
 };
 
 # purposely broken key for testing
-managed-keys {
+dnssec-keys {
     "." initial-key 257 3 5 "PURPOSELYBROKEN/xs9iVj7QekClcpzjCf0JrvXW1z07hNMqMm6Q2FtIXMbRgfvTtHF3/ZNvcewT9hpfczC+JACHsQSYYdr7UI8oe4nJfal9+2F3pz4a+HR6CqkgrR6WLWQI1Q==";
 };

bin/tests/system/rpz/setup.sh

@@ -81,7 +81,7 @@ signzone () {
     KEYNAME=`$KEYGEN -q -a rsasha256 -K $1 $2`
     cat $1/$3 $1/$KEYNAME.key > $1/tmp
     $SIGNER -P -K $1 -o $2 -f $1/$4 $1/tmp >/dev/null
-    sed -n -e 's/\(.*\) IN DNSKEY \([0-9]\{1,\} [0-9]\{1,\} [0-9]\{1,\}\) \(.*\)/managed-keys {"\1" static-key \2 "\3";};/p' $1/$KEYNAME.key >>trusted.conf
+    sed -n -e 's/\(.*\) IN DNSKEY \([0-9]\{1,\} [0-9]\{1,\} [0-9]\{1,\}\) \(.*\)/dnssec-keys {"\1" static-key \2 "\3";};/p' $1/$KEYNAME.key >>trusted.conf
     DSFILENAME=dsset-${2}${TP}
     rm $DSFILENAME $1/tmp
 }

bind.keys

@@ -26,7 +26,7 @@
 # See https://data.iana.org/root-anchors/root-anchors.xml for current trust
 # anchor information for the root zone.
 
-managed-keys {
+dnssec-keys {
         # This key (20326) was published in the root zone in 2017.
         . initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
                 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv

bind.keys.h

@@ -1,6 +1,6 @@
 #ifndef BIND_KEYS_H
 #define BIND_KEYS_H 1
-#define TRUSTED_KEYS "\
+#define DNSSEC_KEYS "\
 # The bind.keys file is used to override the built-in DNSSEC trust anchors\n\
 # which are included as part of BIND 9.  The only trust anchors it contains\n\
 # are for the DNS root zone (\".\").  Trust anchors for any other zones MUST\n\
@@ -29,48 +29,7 @@
 # See https://data.iana.org/root-anchors/root-anchors.xml for current trust\n\
 # anchor information for the root zone.\n\
 \n\
-trusted-keys {\n\
-        # This key (20326) was published in the root zone in 2017.\n\
-        . 257 3 8 \"AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3\n\
-                +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv\n\
-                ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF\n\
-                0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e\n\
-                oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd\n\
-                RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN\n\
-                R1AkUTV74bU=\";\n\
-};\n\
-"
-
-#define MANAGED_KEYS "\
-# The bind.keys file is used to override the built-in DNSSEC trust anchors\n\
-# which are included as part of BIND 9.  The only trust anchors it contains\n\
-# are for the DNS root zone (\".\").  Trust anchors for any other zones MUST\n\
-# be configured elsewhere; if they are configured here, they will not be\n\
-# recognized or used by named.\n\
-#\n\
-# To use the built-in root key, set \"dnssec-validation auto;\" in the\n\
-# named.conf options, or else leave \"dnssec-validation\" unset.  If\n\
-# \"dnssec-validation\" is set to \"yes\", then the keys in this file are\n\
-# ignored; keys will need to be explicitly configured in named.conf for\n\
-# validation to work.  \"auto\" is the default setting, unless named is\n\
-# built with \"configure --disable-auto-validation\", in which case the\n\
-# default is \"yes\".\n\
-#\n\
-# This file is NOT expected to be user-configured.\n\
-#\n\
-# Servers being set up for the first time can use the contents of this file\n\
-# as initializing keys; thereafter, the keys in the managed key database\n\
-# will be trusted and maintained automatically.\n\
-#\n\
-# These keys are current as of Mar 2019.  If any key fails to initialize\n\
-# correctly, it may have expired.  In that event you should replace this\n\
-# file with a current version.  The latest version of bind.keys can always\n\
-# be obtained from ISC at https://www.isc.org/bind-keys.\n\
-#\n\
-# See https://data.iana.org/root-anchors/root-anchors.xml for current trust\n\
-# anchor information for the root zone.\n\
-\n\
-managed-keys {\n\
+dnssec-keys {\n\
         # This key (20326) was published in the root zone in 2017.\n\
         . initial-key 257 3 8 \"AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3\n\
                 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv\n\

lib/bind9/check.c

@@ -3514,7 +3514,9 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
 	const cfg_obj_t *opts = NULL;
 	const cfg_obj_t *plugin_list = NULL;
 	bool autovalidation = false;
-	unsigned int tflags, mflags;
+	bool enablednssec, enablevalidation;
+	const char *valstr = "no";
+	unsigned int tflags = 0, dflags = 0, mflags = 0;
 
 	/*
 	 * Get global options block
@@ -3665,7 +3667,7 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
 	isc_symtab_destroy(&symtab);
 
 	/*
-	 * Check trusted-keys and managed-keys.
+	 * Check trusted-keys and dnssec-keys/managed-keys.
 	 */
 	tkeys = NULL;
 	if (voptions != NULL) {
@@ -3675,7 +3677,6 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
 		(void)cfg_map_get(config, "trusted-keys", &tkeys);
 	}
 
-	tflags = 0;
 	for (element = cfg_list_first(tkeys);
 	     element != NULL;
 	     element = cfg_list_next(element))
@@ -3695,27 +3696,88 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
 	}
 
 	if ((tflags & ROOT_KSK_STATIC) != 0) {
-		cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
+		cfg_obj_log(tkeys, logctx, ISC_LOG_WARNING,
 			    "trusted-keys entry for the root zone "
 			    "WILL FAIL after key rollover - use "
-			    "managed-keys with initial-key instead.");
+			    "dnssec-keys with initial-key instead.");
 	}
 
 	if ((tflags & DLV_KSK_KEY) != 0) {
-		cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
-			    "trusted-keys entry for dlv.isc.org is still "
-			    "present: dlv.isc.org has been shut down");
+		cfg_obj_log(tkeys, logctx, ISC_LOG_WARNING,
+			    "trust anchor for dlv.isc.org is present; "
+			    "dlv.isc.org has been shut down");
 	}
 
+	keys = NULL;
+	if (voptions != NULL) {
+		(void)cfg_map_get(voptions, "dnssec-keys", &keys);
+	}
+	if (keys == NULL) {
+		(void)cfg_map_get(config, "dnssec-keys", &keys);
+	}
+
+	for (element = cfg_list_first(keys);
+	     element != NULL;
+	     element = cfg_list_next(element))
+	{
+		const cfg_obj_t *keylist = cfg_listelt_value(element);
+		for (element2 = cfg_list_first(keylist);
+		     element2 != NULL;
+		     element2 = cfg_list_next(element2))
+		{
+			obj = cfg_listelt_value(element2);
+			tresult = check_trusted_key(obj, true, &dflags,
+						    logctx);
+			if (tresult != ISC_R_SUCCESS) {
+				result = tresult;
+			}
+		}
+	}
+
+	if ((dflags & ROOT_KSK_STATIC) != 0) {
+		cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
+			    "static-key entry for the root zone "
+			    "WILL FAIL after key rollover - use "
+			    "dnssec-keys with initial-key instead.");
+	}
+
+	if ((dflags & ROOT_KSK_2010) != 0 && (dflags & ROOT_KSK_2017) == 0) {
+		cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
+			    "initial-key entry for the root zone "
+			    "uses the 2010 key without the updated "
+			    "2017 key");
+	}
+
+	if ((tflags & ROOT_KSK_ANY) != 0 && (dflags & ROOT_KSK_ANY) != 0) {
+		cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
+			    "both trusted-keys and dnssec-keys "
+			    "for the root zone are present");
+	}
+
+	if ((dflags & ROOT_KSK_ANY) == ROOT_KSK_ANY) {
+		cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
+			    "both initial-key and static-key entries for the "
+			    "root zone are present");
+	}
+
+	if ((dflags & DLV_KSK_KEY) != 0) {
+		cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
+			    "trust anchor for dlv.isc.org is present; "
+			    "dlv.isc.org has been shut down");
+	}
+
+	/*
+	 * "managed-keys" is a backward-compatible synonym for
+	 * "dnssec-keys"; perform the same checks.
+	 */
 	mkeys = NULL;
 	if (voptions != NULL) {
 		(void)cfg_map_get(voptions, "managed-keys", &mkeys);
 	}
-	if (keys == NULL) {
+	if (mkeys == NULL) {
 		(void)cfg_map_get(config, "managed-keys", &mkeys);
 	}
 
-	mflags = 0;
 	for (element = cfg_list_first(mkeys);
 	     element != NULL;
 	     element = cfg_list_next(element))
@@ -3735,34 +3797,34 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
 	}
 
 	if ((mflags & ROOT_KSK_STATIC) != 0) {
-		cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
-			    "managed-keys static-key entry for the root zone "
+		cfg_obj_log(mkeys, logctx, ISC_LOG_WARNING,
+			    "static-key entry for the root zone "
 			    "WILL FAIL after key rollover - use "
-			    "managed-keys with initial-key instead.");
+			    "dnssec-keys with initial-key instead.");
 	}
 
 	if ((mflags & ROOT_KSK_2010) != 0 && (mflags & ROOT_KSK_2017) == 0) {
-		cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
-			    "managed-keys initial-key entry for the root zone "
+		cfg_obj_log(mkeys, logctx, ISC_LOG_WARNING,
+			    "initial-key entry for the root zone "
 			    "uses the 2010 key without the updated "
 			    "2017 key");
 	}
 
 	if ((tflags & ROOT_KSK_ANY) != 0 && (mflags & ROOT_KSK_ANY) != 0) {
-		cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
-			    "both trusted-keys and managed-keys for the "
-			    "root zone are present");
+		cfg_obj_log(mkeys, logctx, ISC_LOG_WARNING,
+			    "both trusted-keys and managed-keys "
+			    "for the root zone are present");
 	}
 
 	if ((mflags & ROOT_KSK_ANY) == ROOT_KSK_ANY) {
-		cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
+		cfg_obj_log(mkeys, logctx, ISC_LOG_WARNING,
 			    "both initial-key and static-key entries for the "
 			    "root zone are present");
 	}
 
 	if ((mflags & DLV_KSK_KEY) != 0) {
-		cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
-			    "managed-keys entry for dlv.isc.org still present; "
+		cfg_obj_log(mkeys, logctx, ISC_LOG_WARNING,
+			    "trust anchor for dlv.isc.org is present; "
 			    "dlv.isc.org has been shut down");
 	}
 

lib/irs/dnsconf.c

@@ -164,19 +164,13 @@ configure_key(isc_mem_t *mctx, const cfg_obj_t *key, irs_dnsconf_t *conf,
 }
 
 static isc_result_t
-configure_dnsseckeys(irs_dnsconf_t *conf, cfg_obj_t *cfgobj,
-		     dns_rdataclass_t rdclass)
+configure_keygroup(irs_dnsconf_t *conf, const cfg_obj_t *keys,
+		   dns_rdataclass_t rdclass)
 {
 	isc_result_t result;
-	isc_mem_t *mctx = conf->mctx;
-	const cfg_obj_t *keys = NULL;
 	const cfg_obj_t *key, *keylist;
 	const cfg_listelt_t *element, *element2;
-
-	cfg_map_get(cfgobj, "trusted-keys", &keys);
-	if (keys == NULL) {
-		return (ISC_R_SUCCESS);
-	}
+	isc_mem_t *mctx = conf->mctx;
 
 	for (element = cfg_list_first(keys);
 	     element != NULL;
@@ -195,27 +189,46 @@ configure_dnsseckeys(irs_dnsconf_t *conf, cfg_obj_t *cfgobj,
 		}
 	}
 
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+configure_dnsseckeys(irs_dnsconf_t *conf, cfg_obj_t *cfgobj,
+		     dns_rdataclass_t rdclass)
+{
+	isc_result_t result;
+	const cfg_obj_t *keys = NULL;
+
+	cfg_map_get(cfgobj, "trusted-keys", &keys);
+	if (keys == NULL) {
+		return (ISC_R_SUCCESS);
+	}
+
+	result = configure_keygroup(conf, keys, rdclass);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	keys = NULL;
+	cfg_map_get(cfgobj, "dnssec-keys", &keys);
+	if (keys == NULL) {
+		return (ISC_R_SUCCESS);
+	}
+
+	result = configure_keygroup(conf, keys, rdclass);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
 	keys = NULL;
 	cfg_map_get(cfgobj, "managed-keys", &keys);
 	if (keys == NULL) {
 		return (ISC_R_SUCCESS);
 	}
 
-	for (element = cfg_list_first(keys);
-	     element != NULL;
-	     element = cfg_list_next(element))
-	{
-		keylist = cfg_listelt_value(element);
-		for (element2 = cfg_list_first(keylist);
-		     element2 != NULL;
-		     element2 = cfg_list_next(element2))
-		{
-			key = cfg_listelt_value(element2);
-			result = configure_key(mctx, key, conf, rdclass);
-			if (result != ISC_R_SUCCESS) {
-				return (result);
-			}
-		}
+	result = configure_keygroup(conf, keys, rdclass);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
 	}
 
 	return (ISC_R_SUCCESS);

lib/irs/include/irs/dnsconf.h

@@ -23,11 +23,11 @@
  * Notes:
  * This module is very experimental and the configuration syntax or library
  * interfaces may change in future versions.  Currently, only static
- * key configuration is supported; "trusted-keys" and "managed-keys"
- * statements will be parsed exactly as they are in named.conf, except
- * that all "managed-keys" entries will be treated as if they were
- * configured with "static-key", even if they were actually configured
- * with "initial-key".
+ * key configuration is supported; "trusted-keys" and "dnssec-keys"/
+ * "managed-keys" statements will be parsed exactly as they are in
+ * named.conf, except that "dnssec-keys" and "managed-keys" entries will
+ * be treated as if they were configured with "static-key", even if they
+ * were actually configured with "initial-key".
  */
 
 #include <irs/types.h>

lib/isccfg/namedconf.c

@@ -446,8 +446,8 @@ static cfg_type_t cfg_type_dnsseckey = {
 };
 
 /*%
- * A managed key initialization specifier, as used in the
- * "managed-keys" statement.
+ * A key initialization specifier, as used in the
+ * "dnssec-keys" (or synonymous "managed-keys") statement.
  */
 static const char *init_enums[] = { "static-key", "initial-key", NULL };
 static cfg_type_t cfg_type_keyinit = {
@@ -625,8 +625,8 @@ static cfg_type_t cfg_type_keylist = {
 };
 
 /*% A list of dnssec keys, as in "trusted-keys". Deprecated. */
-static cfg_type_t cfg_type_dnsseckeys = {
-	"dnsseckeys", cfg_parse_bracketed_list, cfg_print_bracketed_list,
+static cfg_type_t cfg_type_trustedkeys = {
+	"trustedkeys", cfg_parse_bracketed_list, cfg_print_bracketed_list,
 	cfg_doc_bracketed_list, &cfg_rep_list, &cfg_type_dnsseckey
 };
 
@@ -636,8 +636,8 @@ static cfg_type_t cfg_type_dnsseckeys = {
  * "initial-key" or "static-key". If "initial-key", then the key is
  * RFC 5011 managed; if "static-key", then the key never changes.
  */
-static cfg_type_t cfg_type_managedkeys = {
-	"managedkeys", cfg_parse_bracketed_list, cfg_print_bracketed_list,
+static cfg_type_t cfg_type_dnsseckeys = {
+	"dnsseckeys", cfg_parse_bracketed_list, cfg_print_bracketed_list,
 	cfg_doc_bracketed_list, &cfg_rep_list, &cfg_type_managedkey
 };
 
@@ -986,10 +986,12 @@ namedconf_or_view_clauses[] = {
 	{ "dlz", &cfg_type_dlz, CFG_CLAUSEFLAG_MULTI },
 	{ "dyndb", &cfg_type_dyndb, CFG_CLAUSEFLAG_MULTI },
 	{ "key", &cfg_type_key, CFG_CLAUSEFLAG_MULTI },
-	{ "managed-keys", &cfg_type_managedkeys, CFG_CLAUSEFLAG_MULTI },
+	{ "dnssec-keys", &cfg_type_dnsseckeys, CFG_CLAUSEFLAG_MULTI },
+	{ "managed-keys", &cfg_type_dnsseckeys,
+	  CFG_CLAUSEFLAG_MULTI|CFG_CLAUSEFLAG_DEPRECATED },
 	{ "plugin", &cfg_type_plugin, CFG_CLAUSEFLAG_MULTI },
 	{ "server", &cfg_type_server, CFG_CLAUSEFLAG_MULTI },
-	{ "trusted-keys", &cfg_type_dnsseckeys,
+	{ "trusted-keys", &cfg_type_trustedkeys,
 	  CFG_CLAUSEFLAG_MULTI|CFG_CLAUSEFLAG_DEPRECATED },
 	{ "zone", &cfg_type_zone, CFG_CLAUSEFLAG_MULTI },
 	{ NULL, NULL, 0 }
@@ -1000,8 +1002,11 @@ namedconf_or_view_clauses[] = {
  */
 static cfg_clausedef_t
 bindkeys_clauses[] = {
-	{ "managed-keys", &cfg_type_managedkeys, CFG_CLAUSEFLAG_MULTI },
-	{ "trusted-keys", &cfg_type_dnsseckeys, CFG_CLAUSEFLAG_MULTI },
+	{ "dnssec-keys", &cfg_type_dnsseckeys, CFG_CLAUSEFLAG_MULTI },
+	{ "managed-keys", &cfg_type_dnsseckeys,
+	  CFG_CLAUSEFLAG_MULTI|CFG_CLAUSEFLAG_DEPRECATED },
+	{ "trusted-keys", &cfg_type_trustedkeys,
+	  CFG_CLAUSEFLAG_MULTI|CFG_CLAUSEFLAG_DEPRECATED },
 	{ NULL, NULL, 0 }
 };
 
@@ -2290,7 +2295,7 @@ LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_namedconf = {
 	&cfg_rep_map, namedconf_clausesets
 };
 
-/*% The bind.keys syntax (trusted-keys/managed-keys only). */
+/*% The bind.keys syntax (dnssec-keys/managed-keys/trusted-keys only). */
 static cfg_clausedef_t *
 bindkeys_clausesets[] = {
 	bindkeys_clauses,

util/bindkeys.pl

@@ -23,15 +23,9 @@ while (<>) {
     $lines .= $_ . "\n";
 }
 
-my $mkey = '#define MANAGED_KEYS "\\' . "\n" . $lines . "\"\n";
-
-$lines =~ s/managed-keys/trusted-keys/;
-$lines =~ s/\s+initial-key//g;
-my $tkey = '#define TRUSTED_KEYS "\\' . "\n" . $lines . "\"\n";
+my $mkey = '#define DNSSEC_KEYS "\\' . "\n" . $lines . "\"\n";
 
 print "#ifndef BIND_KEYS_H\n";
 print "#define BIND_KEYS_H 1\n";
-print $tkey;
-print "\n";
 print $mkey;
 print "#endif /* BIND_KEYS_H */\n";