mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-30 05:57:52 +00:00

Mark some managed-keys instances deprecated

The 'managed-keys' (and 'trusted-keys') options have been deprecated
by 'dnssec-keys'.  Some documentation references to 'managed-keys'
had not yet been marked or noted as such.
Matthijs Mekking 2019-06-28 12:19:13 +02:00 committed by Matthijs Mekking
parent 4c0e9d0bdf
commit a5dc24b25a
7 changed files with 29 additions and 28 deletions

View File

@ -156,7 +156,7 @@ logging {
<refsection><info><title>MANAGED-KEYS</title></info> <refsection><info><title>MANAGED-KEYS</title></info>
<para>See DNSSEC-KEYS.</para> <para>Deprecated - see DNSSEC-KEYS.</para>
<literallayout class="normal"> <literallayout class="normal">
managed-keys { <replaceable>string</replaceable> ( static-key | managed-keys { <replaceable>string</replaceable> ( static-key |
initial-key ) <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable> initial-key ) <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable>
@ -652,7 +652,7 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
lmdb-mapsize <replaceable>sizeval</replaceable>; lmdb-mapsize <replaceable>sizeval</replaceable>;
managed-keys { <replaceable>string</replaceable> ( static-key | managed-keys { <replaceable>string</replaceable> ( static-key |
initial-key ) <replaceable>integer</replaceable> <replaceable>integer</replaceable> initial-key ) <replaceable>integer</replaceable> <replaceable>integer</replaceable>
<replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>; ... }; <replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>; ... };, deprecated
masterfile-format ( map | raw | text ); masterfile-format ( map | raw | text );
masterfile-style ( full | relative ); masterfile-style ( full | relative );
match-clients { <replaceable>address_match_element</replaceable>; ... }; match-clients { <replaceable>address_match_element</replaceable>; ... };
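Review bot: In the view grammar, the new ", deprecated" marker is appended after the closing "};" of the managed-keys line, inside the literallayout, where it can be read as part of the statement syntax. Consider a form that cannot be mistaken for grammar, and make it match the top-level MANAGED-KEYS block, where the deprecation is stated in the <para> and the grammar lines are unchanged.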

View File

@ -772,9 +772,8 @@
<listitem> <listitem>
<para> <para>
Dump the security roots (i.e., trust anchors Dump the security roots (i.e., trust anchors
configured via <command>dnssec-keys</command> statements, configured via <command>dnssec-keys</command> statements, or the
or the synonymous <command>managed-keys</command> or managed-keys or trusted-keys statements (both deprecated), or
the deprecated <command>trusted-keys</command> statements, or
via <command>dnssec-validation auto</command>) and negative trust via <command>dnssec-validation auto</command>) and negative trust
anchors for the specified views. If no view is specified, all anchors for the specified views. If no view is specified, all
views are dumped. Security roots will indicate whether views are dumped. Security roots will indicate whether
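Review bot: The reworded sentence drops the <command> markup from managed-keys and trusted-keys while dnssec-keys and dnssec-validation auto keep it, so the two deprecated statement names will render as plain text here. The other hunks in this commit keep <command>managed-keys</command> and <command>trusted-keys</command>; suggest restoring the tags for consistency.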

View File

@ -2213,8 +2213,8 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
if at least one trust anchor has been explicitly configured if at least one trust anchor has been explicitly configured
in <filename>named.conf</filename> in <filename>named.conf</filename>
using a <command>dnssec-keys</command> statement (or the using a <command>dnssec-keys</command> statement (or the
synonymous <command>managed-keys</command> or the deprecated <command>managed-keys</command> and <command>trusted-keys</command>
<command>trusted-keys</command> statements). statements, both deprecated).
</para> </para>
<para> <para>
When <command>dnssec-validation</command> is set to When <command>dnssec-validation</command> is set to
@ -3209,8 +3209,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
keys are kept up to date using RFC 5011 keys are kept up to date using RFC 5011
trust anchor maintenance, and if used with trust anchor maintenance, and if used with
<command>static-key</command>, keys are permanent. <command>static-key</command>, keys are permanent.
Identical to <command>managed-keys</command>,
but has been added for improved clarity.
</para> </para>
</entry> </entry>
</row> </row>
@ -3220,8 +3218,11 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
</entry> </entry>
<entry colname="2"> <entry colname="2">
<para> <para>
is identical to <command>dnssec-keys</command>, is identical to <command>dnssec-keys</command>;
and is retained for backward compatibility. this option is deprecated in favor
of <command>dnssec-keys</command> with
the <command>initial-key</command> keyword,
and may be removed in a future release.
</para> </para>
</entry> </entry>
</row> </row>
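Review bot: The managed-keys entry now says both that it "is identical to dnssec-keys" and that it is deprecated in favor of dnssec-keys "with the initial-key keyword", but the managed-keys grammar shown earlier in this commit accepts ( static-key | initial-key ). An operator who reads this as "rewrite managed-keys entries as initial-key" could turn a permanent static-key anchor into one maintained by RFC 5011, which changes how that trust anchor behaves. Suggest wording that says existing entries keep their keyword when moved to dnssec-keys; the same phrasing appears in the managed-keys usage section further down.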
@ -5054,10 +5055,11 @@ options {
as insecure. as insecure.
</para> </para>
<para> <para>
Configured trust anchors in <command>trusted-keys</command> Configured trust anchors in <command>dnssec-keys</command>
or <command>managed-keys</command> that match a disabled (or <command>managed-keys</command> or
algorithm will be ignored and treated as if they were not <command>trusted-keys</command>, both deprecated)
configured at all. that match a disabled algorithm will be ignored and treated
as if they were not configured at all.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -6435,8 +6437,8 @@ options {
If set to <userinput>yes</userinput>, DNSSEC validation is If set to <userinput>yes</userinput>, DNSSEC validation is
enabled, but a trust anchor must be manually configured enabled, but a trust anchor must be manually configured
using a <command>dnssec-keys</command> statement (or using a <command>dnssec-keys</command> statement (or
the synonymous <command>managed-keys</command>, or the the <command>managed-keys</command> or the
deprecated <command>trusted-keys</command> statements). <command>trusted-keys</command> statements, both deprecated).
If there is no configured trust anchor, validation will If there is no configured trust anchor, validation will
not take place. not take place.
</para> </para>
@ -11015,9 +11017,9 @@ example.com CNAME rpz-tcp-only.
and Usage</title></info> and Usage</title></info>
<para> <para>
The <command>managed-keys</command> statement is The <command>managed-keys</command> statement has been
identical to the <command>dnssec-keys</command>, and is deprecated in favor of <xref linkend="dnssec_keys"/>
retained for backward compatibility. with the <command>initial-key</command> keyword.
</para> </para>
</section> </section>
@ -11030,7 +11032,7 @@ example.com CNAME rpz-tcp-only.
<para> <para>
The <command>trusted-keys</command> statement has been The <command>trusted-keys</command> statement has been
deprecated in favor of <xref linkend="dnssec_keys"/> deprecated in favor of <xref linkend="dnssec_keys"/>
with the <command>static</command> keyword. with the <command>static-key</command> keyword.
</para> </para>
</section> </section>
@ -11417,9 +11419,8 @@ view "external" {
For validation to succeed, a key-signing key For validation to succeed, a key-signing key
(KSK) for the zone must be configured as a trust (KSK) for the zone must be configured as a trust
anchor in <filename>named.conf</filename>: that anchor in <filename>named.conf</filename>: that
is, a key for the zone must either be specified is, a key for the zone must be specified in
in <command>managed-keys</command> or <command>dnssec-keys</command>. In the case
<command>trusted-keys</command>. In the case
of the root zone, you may also rely on the of the root zone, you may also rely on the
built-in root trust anchor, which is enabled built-in root trust anchor, which is enabled
when <xref endterm="dnssec_validation_term" when <xref endterm="dnssec_validation_term"
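Review bot: "a key for the zone must be specified in dnssec-keys" leaves out managed-keys and trusted-keys entirely, while the other paragraphs touched by this commit still list them as accepted, "both deprecated". As written, a reader with a working trusted-keys anchor could conclude that validation will not succeed for them. Suggest the same parenthetical used in the dnssec-validation paragraphs.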

View File

@ -46,7 +46,7 @@ been implemented but should still be considered experimental.
When acting as a caching name server, BIND9 is capable of performing When acting as a caching name server, BIND9 is capable of performing
basic DNSSEC validation of positive as well as nonexistence responses. basic DNSSEC validation of positive as well as nonexistence responses.
This functionality is enabled by including a "trusted-keys" clause This functionality is enabled by including a "dnssec-keys" clause
in the configuration file, containing the top-level zone key of the in the configuration file, containing the top-level zone key of the
the DNSSEC tree. the DNSSEC tree.
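Review bot: Swapping "trusted-keys" for "dnssec-keys" leaves the rest of the sentence as it was, including the duplicated "the the" in "of the the DNSSEC tree" in the context lines. Since the paragraph is being touched, fix the duplicate, and consider mentioning that each dnssec-keys entry carries a static-key or initial-key keyword, as the other documentation hunks in this commit state, so that a reader updating an old trusted-keys clause knows one is expected.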

View File

@ -148,7 +148,7 @@ END
if ($1 eq "managed-keys") { if ($1 eq "managed-keys") {
print <<END; print <<END;
<para>See DNSSEC-KEYS.</para> <para>Deprecated - see DNSSEC-KEYS.</para>
END END
} }

View File

@ -17,7 +17,7 @@
* *
* \brief * \brief
* The IRS dnsconf module parses an "advanced" configuration file related to * The IRS dnsconf module parses an "advanced" configuration file related to
* the DNS library, such as trusted keys for DNSSEC validation, and creates * the DNS library, such as trust anchors for DNSSEC validation, and creates
* the corresponding configuration objects for the DNS library modules. * the corresponding configuration objects for the DNS library modules.
* *
* Notes: * Notes:

View File

@ -43,7 +43,8 @@ static cfg_type_t cfg_type_trustedkeys = {
*/ */
static cfg_clausedef_t static cfg_clausedef_t
dnsconf_clauses[] = { dnsconf_clauses[] = {
{ "trusted-keys", &cfg_type_trustedkeys, CFG_CLAUSEFLAG_MULTI }, { "trusted-keys", &cfg_type_trustedkeys,
CFG_CLAUSEFLAG_MULTI },
{ NULL, NULL, 0 } { NULL, NULL, 0 }
}; };
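Review bot: The only change to dnsconf_clauses[] is wrapping the "trusted-keys" entry across two lines; the clause name and CFG_CLAUSEFLAG_MULTI are unchanged, so this table still lists only the statement the rest of the commit marks as deprecated. Either drop the whitespace change from a documentation commit, or say in the commit message that dnsconf is intentionally left on "trusted-keys" even though its header comment now speaks of "trust anchors".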