2677. [func] Changes to key metadata behavior:

- Keys without "publish" or "active" dates set will
			  no longer be used for smart signing.  However,
			  those dates will be set to "now" by default when
			  a key is created; to generate a key but not use
			  it yet, use dnssec-keygen -G.
			- New "inactive" date (dnssec-keygen/settime -I)
			  sets the time when a key is no longer used for
			  signing but is still published.
			- The "unpublished" date (-U) is deprecated in
			  favor of "deleted" (-D).
			[rt20247]

CHANGES

@@ -1,3 +1,16 @@
+2677.	[func]		Changes to key metadata behavior:
+			- Keys without "publish" or "active" dates set will
+			  no longer be used for smart signing.  However,
+			  those dates will be set to "now" by default when
+			  a key is created; to generate a key but not use
+			  it yet, use dnssec-keygen -G.
+			- New "inactive" date (dnssec-keygen/settime -I)
+			  sets the time when a key is no longer used for
+			  signing but is still published.
+			- The "unpublished" date (-U) is deprecated in
+			  favor of "deleted" (-D).
+			[rt20247]
+
 2676.	[bug]		--with-export-installdir should have been
 			--with-export-includedir. [RT #20252]
 

bin/dnssec/dnssec-keyfromlabel.c

@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-keyfromlabel.c,v 1.13 2009/09/07 23:11:48 fdupont Exp $ */
+/* $Id: dnssec-keyfromlabel.c,v 1.14 2009/09/14 18:45:45 each Exp $ */
 
 /*! \file */
 
@@ -78,10 +78,11 @@ usage(void) {
 	fprintf(stderr, "    -P date/[+-]offset: set key publication date\n");
 	fprintf(stderr, "    -A date/[+-]offset: set key activation date\n");
 	fprintf(stderr, "    -R date/[+-]offset: set key revocation date\n");
-	fprintf(stderr, "    -U date/[+-]offset: set key unpublication date\n");
+	fprintf(stderr, "    -I date/[+-]offset: set key inactivation date\n");
 	fprintf(stderr, "    -D date/[+-]offset: set key deletion date\n");
+	fprintf(stderr, "    -G: generate key only; do not set -P or -A\n");
 	fprintf(stderr, "    -C: generate a backward-compatible key, omitting"
-			" dates\n");
+			" all dates\n");
 	fprintf(stderr, "Output:\n");
 	fprintf(stderr, "     K<name>+<alg>+<id>.key, "
 			"K<name>+<alg>+<id>.private\n");
@@ -114,14 +115,15 @@ main(int argc, char **argv) {
 	int		options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC;
 	char		*label = NULL, *engine = NULL;
 	isc_stdtime_t	publish = 0, activate = 0, revoke = 0;
-	isc_stdtime_t	unpublish = 0, delete = 0;
+	isc_stdtime_t	inactive = 0, delete = 0;
 	isc_stdtime_t	now;
 	isc_boolean_t	setpub = ISC_FALSE, setact = ISC_FALSE;
-	isc_boolean_t	setrev = ISC_FALSE, setunpub = ISC_FALSE;
+	isc_boolean_t	setrev = ISC_FALSE, setinact = ISC_FALSE;
 	isc_boolean_t	setdel = ISC_FALSE;
 	isc_boolean_t	unsetpub = ISC_FALSE, unsetact = ISC_FALSE;
-	isc_boolean_t	unsetrev = ISC_FALSE, unsetunpub = ISC_FALSE;
+	isc_boolean_t	unsetrev = ISC_FALSE, unsetinact = ISC_FALSE;
 	isc_boolean_t	unsetdel = ISC_FALSE;
+	isc_boolean_t	genonly = ISC_FALSE;
 
 	if (argc == 1)
 		usage();
@@ -135,7 +137,7 @@ main(int argc, char **argv) {
 	isc_stdtime_get(&now);
 
 	while ((ch = isc_commandline_parse(argc, argv,
-				"a:Cc:f:K:kl:n:p:t:v:FhP:A:R:U:D:")) != -1)
+				"a:Cc:f:K:kl:n:p:t:v:FhGP:A:R:I:D:")) != -1)
 	{
 	    switch (ch) {
 		case 'a':
@@ -182,6 +184,9 @@ main(int argc, char **argv) {
 			if (*endp != '\0')
 				fatal("-v must be followed by a number");
 			break;
+		case 'G':
+			genonly = ISC_TRUE;
+			break;
 		case 'P':
 			if (setpub || unsetpub)
 				fatal("-P specified more than once");
@@ -218,16 +223,16 @@ main(int argc, char **argv) {
 				unsetrev = ISC_TRUE;
 			}
 			break;
-		case 'U':
+		case 'I':
-			if (setunpub || unsetunpub)
+			if (setinact || unsetinact)
-				fatal("-U specified more than once");
+				fatal("-I specified more than once");
 
 			if (strcasecmp(isc_commandline_argument, "none")) {
-				setunpub = ISC_TRUE;
+				setinact = ISC_TRUE;
-				unpublish = strtotime(isc_commandline_argument,
+				inactive = strtotime(isc_commandline_argument,
 						     now, now);
 			} else {
-				unsetunpub = ISC_TRUE;
+				unsetinact = ISC_TRUE;
 			}
 			break;
 		case 'D':
@@ -381,26 +386,40 @@ main(int argc, char **argv) {
 
 	/*
 	 * Set key timing metadata (unless using -C)
+	 *
+	 * Publish and activation dates are set to "now" by default, but
+	 * can be overridden.  Creation date is always set to "now".
 	 */
 	if (!oldstyle) {
 		dst_key_settime(key, DST_TIME_CREATED, now);
 
+		if (genonly && (setpub || setact))
+			fatal("cannot use -G together with -P or -A options");
+
 		if (setpub)
 			dst_key_settime(key, DST_TIME_PUBLISH, publish);
+		else if (!genonly)
+			dst_key_settime(key, DST_TIME_PUBLISH, now);
+
 		if (setact)
 			dst_key_settime(key, DST_TIME_ACTIVATE, activate);
+		else if (!genonly)
+			dst_key_settime(key, DST_TIME_ACTIVATE, now);
+
 		if (setrev)
 			dst_key_settime(key, DST_TIME_REVOKE, revoke);
-		if (setunpub)
+
-			dst_key_settime(key, DST_TIME_UNPUBLISH, unpublish);
+		if (setinact)
+			dst_key_settime(key, DST_TIME_INACTIVE, inactive);
+
 		if (setdel)
 			dst_key_settime(key, DST_TIME_DELETE, delete);
 	} else {
-		if (setpub || setact || setrev || setunpub ||
+		if (setpub || setact || setrev || setinact ||
 		    setdel || unsetpub || unsetact ||
-		    unsetrev || unsetunpub || unsetdel)
+		    unsetrev || unsetinact || unsetdel || genonly)
 			fatal("cannot use -C together with "
-			      "-P, -A, -R, -U, or -D options");
+			      "-P, -A, -R, -I, -D, or -G options");
 		/*
 		 * Compatibility mode: Private-key-format
 		 * should be set to 1.2.

bin/dnssec/dnssec-keyfromlabel.docbook

@@ -17,7 +17,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: dnssec-keyfromlabel.docbook,v 1.9 2009/09/07 12:54:59 fdupont Exp $ -->
+<!-- $Id: dnssec-keyfromlabel.docbook,v 1.10 2009/09/14 18:45:45 each Exp $ -->
 <refentry id="man.dnssec-keyfromlabel">
   <refentryinfo>
     <date>February 8, 2008</date>
@@ -51,6 +51,8 @@
       <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
       <arg><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
       <arg><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
+      <arg><option>-G</option></arg>
+      <arg><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
       <arg><option>-k</option></arg>
       <arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
       <arg><option>-n <replaceable class="parameter">nametype</replaceable></option></arg>
@@ -58,7 +60,6 @@
       <arg><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
       <arg><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
       <arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
-      <arg><option>-U <replaceable class="parameter">date/offset</replaceable></option></arg>
       <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
       <arg choice="req">name</arg>
     </cmdsynopsis>
@@ -160,6 +161,16 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term>-G</term>
+        <listitem>
+          <para>
+            Generate a key, but do not publish it or sign with it.  This
+            option is incompatible with -P and -A.
+          </para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term>-h</term>
         <listitem>
@@ -245,7 +256,8 @@
           <para>
             Sets the date on which a key is to be published to the zone.
             After that date, the key will be included in the zone but will
-            not be used to sign it.
+            not be used to sign it.  If not set, and if the -G option has
+            not been used, the default is "now".
           </para>
         </listitem>
       </varlistentry>
@@ -256,7 +268,8 @@
           <para>
             Sets the date on which the key is to be activated.  After that
             date, the key will be included and the zone and used to sign
-            it.
+            it.  If not set, and if the -G option has not been used, the
+            default is "now".
           </para>
         </listitem>
       </varlistentry>
@@ -276,9 +289,9 @@
         <term>-U <replaceable class="parameter">date/offset</replaceable></term>
         <listitem>
           <para>
-            Sets the date on which the key is to be unpublished.  After that
+            Sets the date on which the key is to be retired.  After that
-            date, the key will no longer be included in the zone, but it
+            date, the key will still be included in the zone, but it
-            may remain in the key repository.
+            will not be used to sign it.
           </para>
         </listitem>
       </varlistentry>
@@ -288,10 +301,8 @@
         <listitem>
           <para>
             Sets the date on which the key is to be deleted.  After that
-            date, the key can be removed from the key repository.
+            date, the key will no longer be included in the zone.  (It
-            NOTE: Keys are not currently deleted automatically; this field
+            may remain in the key repository, however.)
-            is included for informational purposes and for future
-            development.
           </para>
         </listitem>
       </varlistentry>

bin/dnssec/dnssec-keygen.c

@@ -29,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-keygen.c,v 1.94 2009/09/07 12:54:59 fdupont Exp $ */
+/* $Id: dnssec-keygen.c,v 1.95 2009/09/14 18:45:45 each Exp $ */
 
 /*! \file */
 
@@ -131,13 +131,16 @@ usage(void) {
 	fprintf(stderr, "	usage | trace | record | size | mctx\n");
 	fprintf(stderr, "    -v <level>: set verbosity level (0 - 10)\n");
 	fprintf(stderr, "Date options:\n");
-	fprintf(stderr, "    -P date/[+-]offset: set key publication date\n");
+	fprintf(stderr, "    -P date/[+-]offset: set key publication date "
-	fprintf(stderr, "    -A date/[+-]offset: set key activation date\n");
+						"(default: now)\n");
+	fprintf(stderr, "    -A date/[+-]offset: set key activation date "
+						"(default: now)\n");
 	fprintf(stderr, "    -R date/[+-]offset: set key revocation date\n");
-	fprintf(stderr, "    -U date/[+-]offset: set key unpublication date\n");
+	fprintf(stderr, "    -I date/[+-]offset: set key inactivation date\n");
 	fprintf(stderr, "    -D date/[+-]offset: set key deletion date\n");
+	fprintf(stderr, "    -G: generate key only; do not set -P or -A\n");
 	fprintf(stderr, "    -C: generate a backward-compatible key, omitting "
-			"dates\n");
+			"all dates\n");
 	fprintf(stderr, "Output:\n");
 	fprintf(stderr, "     K<name>+<alg>+<id>.key, "
 			"K<name>+<alg>+<id>.private\n");
@@ -172,14 +175,15 @@ main(int argc, char **argv) {
 	int		dbits = 0;
 	isc_boolean_t	use_default = ISC_FALSE, use_nsec3 = ISC_FALSE;
 	isc_stdtime_t	publish = 0, activate = 0, revoke = 0;
-	isc_stdtime_t	unpublish = 0, delete = 0;
+	isc_stdtime_t	inactive = 0, delete = 0;
 	isc_stdtime_t	now;
 	isc_boolean_t	setpub = ISC_FALSE, setact = ISC_FALSE;
-	isc_boolean_t	setrev = ISC_FALSE, setunpub = ISC_FALSE;
+	isc_boolean_t	setrev = ISC_FALSE, setinact = ISC_FALSE;
 	isc_boolean_t	setdel = ISC_FALSE;
 	isc_boolean_t	unsetpub = ISC_FALSE, unsetact = ISC_FALSE;
-	isc_boolean_t	unsetrev = ISC_FALSE, unsetunpub = ISC_FALSE;
+	isc_boolean_t	unsetrev = ISC_FALSE, unsetinact = ISC_FALSE;
 	isc_boolean_t	unsetdel = ISC_FALSE;
+	isc_boolean_t	genonly = ISC_FALSE;
 
 	if (argc == 1)
 		usage();
@@ -191,7 +195,7 @@ main(int argc, char **argv) {
 	/*
 	 * Process memory debugging argument first.
 	 */
-#define CMDLINE_FLAGS "3a:b:Cc:d:eFf:g:K:km:n:p:r:s:T:t:v:hP:A:R:U:D:"
+#define CMDLINE_FLAGS "3a:b:Cc:d:eFf:g:K:km:n:p:r:s:T:t:v:hGP:A:R:I:D:"
 	while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
 		switch (ch) {
 		case 'm':
@@ -310,6 +314,9 @@ main(int argc, char **argv) {
 		case 'z':
 			/* already the default */
 			break;
+		case 'G':
+			genonly = ISC_TRUE;
+			break;
 		case 'P':
 			if (setpub || unsetpub)
 				fatal("-P specified more than once");
@@ -346,16 +353,16 @@ main(int argc, char **argv) {
 				unsetrev = ISC_TRUE;
 			}
 			break;
-		case 'U':
+		case 'I':
-			if (setunpub || unsetunpub)
+			if (setinact || unsetinact)
-				fatal("-U specified more than once");
+				fatal("-I specified more than once");
 
 			if (strcasecmp(isc_commandline_argument, "none")) {
-				setunpub = ISC_TRUE;
+				setinact = ISC_TRUE;
-				unpublish = strtotime(isc_commandline_argument,
+				inactive = strtotime(isc_commandline_argument,
 						     now, now);
 			} else {
-				unsetunpub = ISC_TRUE;
+				unsetinact = ISC_TRUE;
 			}
 			break;
 		case 'D':
@@ -665,31 +672,44 @@ main(int argc, char **argv) {
 
 		/*
 		 * Set key timing metadata (unless using -C)
+		 *
+		 * Publish and activation dates are set to "now" by default,
+		 * but can be overridden.  Creation date is always set to
+		 * "now".
 		 */
 		if (!oldstyle) {
 			dst_key_settime(key, DST_TIME_CREATED, now);
 
+			if (genonly && (setpub || setact))
+				fatal("cannot use -G together with "
+				      "-P or -A options");
+
 			if (setpub)
-				dst_key_settime(key, DST_TIME_PUBLISH,
+				dst_key_settime(key, DST_TIME_PUBLISH, publish);
-						publish);
+			else if (!genonly)
+				dst_key_settime(key, DST_TIME_PUBLISH, now);
+
 			if (setact)
 				dst_key_settime(key, DST_TIME_ACTIVATE,
 						activate);
+			else if (!genonly)
+				dst_key_settime(key, DST_TIME_ACTIVATE, now);
+
 			if (setrev)
-				dst_key_settime(key, DST_TIME_REVOKE,
+				dst_key_settime(key, DST_TIME_REVOKE, revoke);
-						revoke);
+
-			if (setunpub)
+			if (setinact)
-				dst_key_settime(key, DST_TIME_UNPUBLISH,
+				dst_key_settime(key, DST_TIME_INACTIVE,
-						unpublish);
+						inactive);
+
 			if (setdel)
-				dst_key_settime(key, DST_TIME_DELETE,
+				dst_key_settime(key, DST_TIME_DELETE, delete);
-						delete);
 		} else {
-			if (setpub || setact || setrev || setunpub ||
+			if (setpub || setact || setrev || setinact ||
 			    setdel || unsetpub || unsetact ||
-			    unsetrev || unsetunpub || unsetdel)
+			    unsetrev || unsetinact || unsetdel || genonly)
 				fatal("cannot use -C together with "
-				      "-P, -A, -R, -U, or -D options");
+				      "-P, -A, -R, -I, -D, or -G options");
 			/*
 			 * Compatibility mode: Private-key-format
 			 * should be set to 1.2.

bin/dnssec/dnssec-keygen.docbook

@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: dnssec-keygen.docbook,v 1.27 2009/09/02 06:29:00 each Exp $ -->
+<!-- $Id: dnssec-keygen.docbook,v 1.28 2009/09/14 18:45:45 each Exp $ -->
 <refentry id="man.dnssec-keygen">
   <refentryinfo>
     <date>June 30, 2000</date>
@@ -66,8 +66,10 @@
       <arg><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
       <arg><option>-e</option></arg>
       <arg><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
+      <arg><option>-G</option></arg>
       <arg><option>-g <replaceable class="parameter">generator</replaceable></option></arg>
       <arg><option>-h</option></arg>
+      <arg><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
       <arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
       <arg><option>-k</option></arg>
       <arg><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
@@ -76,7 +78,6 @@
       <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
       <arg><option>-s <replaceable class="parameter">strength</replaceable></option></arg>
       <arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
-      <arg><option>-U <replaceable class="parameter">date/offset</replaceable></option></arg>
       <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
       <arg><option>-z</option></arg>
       <arg choice="req">name</arg>
@@ -224,6 +225,16 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term>-G</term>
+        <listitem>
+          <para>
+            Generate a key, but do not publish it or sign with it.  This
+            option is incompatible with -P and -A.
+          </para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term>-g <replaceable class="parameter">generator</replaceable></term>
         <listitem>
@@ -365,7 +376,8 @@
           <para>
             Sets the date on which a key is to be published to the zone.
             After that date, the key will be included in the zone but will
-            not be used to sign it.
+            not be used to sign it.  If not set, and if the -G option has
+            not been used, the default is "now".
           </para>
         </listitem>
       </varlistentry>
@@ -376,7 +388,8 @@
           <para>
             Sets the date on which the key is to be activated.  After that
             date, the key will be included and the zone and used to sign
-            it.
+            it.  If not set, and if the -G option has not been used, the
+            default is "now".
           </para>
         </listitem>
       </varlistentry>
@@ -393,12 +406,12 @@
       </varlistentry>
 
       <varlistentry>
-        <term>-U <replaceable class="parameter">date/offset</replaceable></term>
+        <term>-I <replaceable class="parameter">date/offset</replaceable></term>
         <listitem>
           <para>
-            Sets the date on which the key is to be unpublished.  After that
+            Sets the date on which the key is to be retired.  After that
-            date, the key will no longer be included in the zone, but it
+            date, the key will still be included in the zone, but it
-            may remain in the key repository.
+            will not be used to sign it.
           </para>
         </listitem>
       </varlistentry>
@@ -408,10 +421,8 @@
         <listitem>
           <para>
             Sets the date on which the key is to be deleted.  After that
-            date, the key can be removed from the key repository.
+            date, the key will no longer be included in the zone.  (It
-            NOTE: Keys are not currently deleted automatically; this field
+            may remain in the key repository, however.)
-            is included for informational purposes and for future
-            development.
           </para>
         </listitem>
       </varlistentry>

bin/dnssec/dnssec-settime.c

@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-settime.c,v 1.11 2009/09/04 16:57:22 each Exp $ */
+/* $Id: dnssec-settime.c,v 1.12 2009/09/14 18:45:45 each Exp $ */
 
 /*! \file */
 
@@ -66,8 +66,8 @@ usage(void) {
 						     "activation date\n");
 	fprintf(stderr, "    -R date/[+-]offset/none: set key "
 						     "revocation date\n");
-	fprintf(stderr, "    -U date/[+-]offset/none: set key "
+	fprintf(stderr, "    -I date/[+-]offset/none: set key "
-						     "unpublication date\n");
+						     "inactivation date\n");
 	fprintf(stderr, "    -D date/[+-]offset/none: set key "
 						     "deletion date\n");
 	fprintf(stderr, "Printing options:\n");
@@ -119,16 +119,16 @@ main(int argc, char **argv) {
 	isc_buffer_t buf;
 	int major, minor;
 	isc_stdtime_t	now;
-	isc_stdtime_t	pub = 0, act = 0, rev = 0, unpub = 0, del = 0;
+	isc_stdtime_t	pub = 0, act = 0, rev = 0, inact = 0, del = 0;
 	isc_boolean_t	setpub = ISC_FALSE, setact = ISC_FALSE;
-	isc_boolean_t	setrev = ISC_FALSE, setunpub = ISC_FALSE;
+	isc_boolean_t	setrev = ISC_FALSE, setinact = ISC_FALSE;
 	isc_boolean_t	setdel = ISC_FALSE;
 	isc_boolean_t	unsetpub = ISC_FALSE, unsetact = ISC_FALSE;
-	isc_boolean_t	unsetrev = ISC_FALSE, unsetunpub = ISC_FALSE;
+	isc_boolean_t	unsetrev = ISC_FALSE, unsetinact = ISC_FALSE;
 	isc_boolean_t	unsetdel = ISC_FALSE;
 	isc_boolean_t	printcreate = ISC_FALSE, printpub = ISC_FALSE;
 	isc_boolean_t	printact = ISC_FALSE,  printrev = ISC_FALSE;
-	isc_boolean_t	printunpub = ISC_FALSE, printdel = ISC_FALSE;
+	isc_boolean_t	printinact = ISC_FALSE, printdel = ISC_FALSE;
 	isc_boolean_t	forceupdate = ISC_FALSE;
 	isc_boolean_t   epoch = ISC_FALSE;
 	isc_boolean_t   changed = ISC_FALSE;
@@ -147,7 +147,7 @@ main(int argc, char **argv) {
 	isc_stdtime_get(&now);
 
 	while ((ch = isc_commandline_parse(argc, argv,
-					   "fK:uhp:v:P:A:R:U:D:")) != -1) {
+					   "fK:uhp:v:P:A:R:I:D:")) != -1) {
 		switch (ch) {
 		case 'f':
 			forceupdate = ISC_TRUE;
@@ -159,7 +159,7 @@ main(int argc, char **argv) {
 				printpub = ISC_TRUE;
 				printact = ISC_TRUE;
 				printrev = ISC_TRUE;
-				printunpub = ISC_TRUE;
+				printinact = ISC_TRUE;
 				printdel = ISC_TRUE;
 				break;
 			}
@@ -178,8 +178,8 @@ main(int argc, char **argv) {
 				case 'R':
 					printrev = ISC_TRUE;
 					break;
-				case 'U':
+				case 'I':
-					printunpub = ISC_TRUE;
+					printinact = ISC_TRUE;
 					break;
 				case 'D':
 					printdel = ISC_TRUE;
@@ -251,16 +251,16 @@ main(int argc, char **argv) {
 						now, now);
 			}
 			break;
-		case 'U':
+		case 'I':
-			if (setunpub || unsetunpub)
+			if (setinact || unsetinact)
-				fatal("-U specified more than once");
+				fatal("-I specified more than once");
 
 			changed = ISC_TRUE;
 			if (!strcasecmp(isc_commandline_argument, "none")) {
-				unsetunpub = ISC_TRUE;
+				unsetinact = ISC_TRUE;
 			} else {
-				setunpub = ISC_TRUE;
+				setinact = ISC_TRUE;
-				unpub = strtotime(isc_commandline_argument,
+				inact = strtotime(isc_commandline_argument,
 						now, now);
 			}
 			break;
@@ -360,7 +360,7 @@ main(int argc, char **argv) {
 		dst_key_unsettime(key, DST_TIME_ACTIVATE);
 
 	if (setrev) {
-		if ((dst_key_flags(key) & DNS_KEYFLAG_REVOKE) != 0 && rev > now)
+		if ((dst_key_flags(key) & DNS_KEYFLAG_REVOKE) != 0)
 			fprintf(stderr, "%s: warning: Key %s is already "
 					"revoked; changing the revocation date "
 					"will not affect this.\n",
@@ -375,10 +375,10 @@ main(int argc, char **argv) {
 		dst_key_unsettime(key, DST_TIME_REVOKE);
 	}
 
-	if (setunpub)
+	if (setinact)
-		dst_key_settime(key, DST_TIME_UNPUBLISH, unpub);
+		dst_key_settime(key, DST_TIME_INACTIVE, inact);
-	else if (unsetunpub)
+	else if (unsetinact)
-		dst_key_unsettime(key, DST_TIME_UNPUBLISH);
+		dst_key_unsettime(key, DST_TIME_INACTIVE);
 
 	if (setdel)
 		dst_key_settime(key, DST_TIME_DELETE, del);
@@ -400,8 +400,8 @@ main(int argc, char **argv) {
 	if (printrev)
 		printtime(key, DST_TIME_REVOKE, "Revoke", epoch, stdout);
 
-	if (printunpub)
+	if (printinact)
-		printtime(key, DST_TIME_UNPUBLISH, "Unpublish", epoch, stdout);
+		printtime(key, DST_TIME_INACTIVE, "Inactive", epoch, stdout);
 
 	if (printdel)
 		printtime(key, DST_TIME_DELETE, "Delete", epoch, stdout);

bin/dnssec/dnssec-settime.docbook

@@ -17,7 +17,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: dnssec-settime.docbook,v 1.3 2009/09/02 06:29:00 each Exp $ -->
+<!-- $Id: dnssec-settime.docbook,v 1.4 2009/09/14 18:45:45 each Exp $ -->
 <refentry id="man.dnssec-settime">
   <refentryinfo>
     <date>July 15, 2009</date>
@@ -44,12 +44,12 @@
   <refsynopsisdiv>
     <cmdsynopsis>
       <command>dnssec-settime</command>
-      <arg><option>-fr</option></arg>
+      <arg><option>-f</option></arg>
       <arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
       <arg><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
       <arg><option>-A <replaceable class="parameter">date/offset</replaceable></option></arg>
       <arg><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
-      <arg><option>-U <replaceable class="parameter">date/offset</replaceable></option></arg>
+      <arg><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
       <arg><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
       <arg><option>-h</option></arg>
       <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
@@ -62,7 +62,7 @@
     <para><command>dnssec-settime</command>
       reads a DNSSEC private key file and sets the key timing metadata
       as specified by the <option>-P</option>, <option>-A</option>,
-      <option>-R</option>, <option>-U</option>, and <option>-D</option>
+      <option>-R</option>, <option>-I</option>, and <option>-D</option>
       options.  The metadata can then be used by
       <command>dnssec-signzone</command> or other signing software to
       determine when a key is to be published, whether it should be
@@ -178,12 +178,12 @@
       </varlistentry>
 
       <varlistentry>
-        <term>-U <replaceable class="parameter">date/offset</replaceable></term>
+        <term>-I <replaceable class="parameter">date/offset</replaceable></term>
         <listitem>
           <para>
-            Sets the date on which the key is to be unpublished.  After that
+            Sets the date on which the key is to be retired.  After that
-            date, the key will no longer be included in the zone, but it
+            date, the key will still be included in the zone, but it
-            may remain in the key repository.
+            will not be used to sign it.
           </para>
         </listitem>
       </varlistentry>
@@ -193,10 +193,8 @@
         <listitem>
           <para>
             Sets the date on which the key is to be deleted.  After that
-            date, the key can be removed from the key repository.
+            date, the key will no longer be included in the zone.  (It
-            NOTE: Keys are not currently deleted automatically; this field
+            may remain in the key repository, however.)
-            is included for informational purposes and for future
-            development.
           </para>
         </listitem>
       </varlistentry>

lib/dns/dnssec.c

@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: dnssec.c,v 1.101 2009/09/10 05:09:31 each Exp $
+ * $Id: dnssec.c,v 1.102 2009/09/14 18:45:45 each Exp $
  */
 
 /*! \file */
@@ -1004,9 +1004,9 @@ dns_dnsseckey_destroy(isc_mem_t *mctx, dns_dnsseckey_t **dkp) {
 static void
 get_hints(dns_dnsseckey_t *key) {
 	isc_result_t result;
-	isc_stdtime_t now, publish, active, revoke, unpublish, delete;
+	isc_stdtime_t now, publish, active, revoke, inactive, delete;
 	isc_boolean_t pubset = ISC_FALSE, actset = ISC_FALSE;
-	isc_boolean_t revset = ISC_FALSE, remset = ISC_FALSE;
+	isc_boolean_t revset = ISC_FALSE, inactset = ISC_FALSE;
 	isc_boolean_t delset = ISC_FALSE;
 
 	REQUIRE(key != NULL && key->key != NULL);
@@ -1025,26 +1025,20 @@ get_hints(dns_dnsseckey_t *key) {
 	if (result == ISC_R_SUCCESS)
 		revset = ISC_TRUE;
 
-	result = dst_key_gettime(key->key, DST_TIME_UNPUBLISH, &unpublish);
+	result = dst_key_gettime(key->key, DST_TIME_INACTIVE, &inactive);
 	if (result == ISC_R_SUCCESS)
-		remset = ISC_TRUE;
+		inactset = ISC_TRUE;
 
 	result = dst_key_gettime(key->key, DST_TIME_DELETE, &delete);
 	if (result == ISC_R_SUCCESS)
 		delset = ISC_TRUE;
 
-	/* No metadata set: Publish and sign.  */
-	if (!pubset && !actset && !revset && !remset && !delset) {
-		key->hint_sign = ISC_TRUE;
-		key->hint_publish = ISC_TRUE;
-	}
-
 	/* Metadata says publish (but possibly not activate) */
-	if (pubset && publish < now)
+	if (pubset && publish <= now)
 		key->hint_publish = ISC_TRUE;
 
 	/* Metadata says activate (so we must also publish) */
-	if (actset && active < now) {
+	if (actset && active <= now) {
 		key->hint_sign = ISC_TRUE;
 		key->hint_publish = ISC_TRUE;
 	}
@@ -1064,6 +1058,14 @@ get_hints(dns_dnsseckey_t *key) {
 		key->prepublish = active - now;
 	}
 
+	/*
+	 * Key has been marked inactive: we can continue publishing,
+	 * but don't sign.
+	 */
+	if (key->hint_publish && inactset && inactive <= now) {
+		key->hint_sign = ISC_FALSE;
+	}
+
 	/*
 	 * Metadata says revoke.  If the key is published,
 	 * we *have to* sign with it per RFC5011--even if it was
@@ -1082,11 +1084,9 @@ get_hints(dns_dnsseckey_t *key) {
 	}
 
 	/*
-	 * Metadata says unpublish or delete, so don't publish
+	 * Metadata says delete, so don't publish this key or sign with it.
-	 * this key or sign with it.
 	 */
-	if ((remset && unpublish < now) ||
+	if (delset && delete <= now) {
-	    (delset && delete < now)) {
 		key->hint_publish = ISC_FALSE;
 		key->hint_sign = ISC_FALSE;
 		key->hint_remove = ISC_TRUE;

lib/dns/dst_api.c

@@ -31,7 +31,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: dst_api.c,v 1.29 2009/09/03 04:09:58 marka Exp $
+ * $Id: dst_api.c,v 1.30 2009/09/14 18:45:45 each Exp $
  */
 
 /*! \file */
@@ -1274,7 +1274,7 @@ write_public_key(const dst_key_t *key, int type, const char *directory) {
 		printtime(key, DST_TIME_PUBLISH, "; Publish", fp);
 		printtime(key, DST_TIME_ACTIVATE, "; Activate", fp);
 		printtime(key, DST_TIME_REVOKE, "; Revoke", fp);
-		printtime(key, DST_TIME_UNPUBLISH, "; Unpublish", fp);
+		printtime(key, DST_TIME_INACTIVE, "; Inactive", fp);
 		printtime(key, DST_TIME_DELETE, "; Delete", fp);
 	}
 

lib/dns/include/dst/dst.h

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dst.h,v 1.17 2009/09/02 06:29:01 each Exp $ */
+/* $Id: dst.h,v 1.18 2009/09/14 18:45:45 each Exp $ */
 
 #ifndef DST_DST_H
 #define DST_DST_H 1
@@ -84,7 +84,7 @@ typedef struct dst_context 	dst_context_t;
 #define DST_TIME_PUBLISH	1
 #define DST_TIME_ACTIVATE	2
 #define DST_TIME_REVOKE 	3
-#define DST_TIME_UNPUBLISH	4
+#define DST_TIME_INACTIVE	4
 #define DST_TIME_DELETE 	5
 #define DST_MAX_TIMES		5