diff --git a/CHANGES b/CHANGES index ce4c4a5b29..b2a0608cb1 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,10 @@ +1659. [cleanup] Cleanup some messages that were referring to KEY vs + DNSKEY, NXT vs NSEC and SIG vs RRSIG. + +1658. [func] Update dnssec-keygen to default to KEY for HMAC-MD5 + and DH. Tighten which options apply to KEY and + DNSKEY records. + 1657. [doc] ARM: document query log output. 1656. [doc] Update DNSSEC description in ARM to cover DS, NSEC diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c index bc097a9dd2..15cb2a99c5 100644 --- a/bin/dnssec/dnssec-keygen.c +++ b/bin/dnssec/dnssec-keygen.c @@ -16,7 +16,7 @@ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssec-keygen.c,v 1.66 2004/03/10 02:19:51 marka Exp $ */ +/* $Id: dnssec-keygen.c,v 1.67 2004/06/11 01:12:39 marka Exp $ */ #include @@ -68,7 +68,7 @@ usage(void) { fprintf(stderr, " DH:\t\t[128..4096]\n"); fprintf(stderr, " DSA:\t\t[512..1024] and divisible by 64\n"); fprintf(stderr, " HMAC-MD5:\t[1..512]\n"); - fprintf(stderr, " -n nametype: ZONE | HOST | ENTITY | USER\n"); + fprintf(stderr, " -n nametype: ZONE | HOST | ENTITY | USER | OTHER\n"); fprintf(stderr, " name: owner of the key\n"); fprintf(stderr, "Other options:\n"); fprintf(stderr, " -c (default: IN)\n"); @@ -101,7 +101,7 @@ main(int argc, char **argv) { dst_key_t *key = NULL, *oldkey; dns_fixedname_t fname; dns_name_t *name; - isc_uint16_t flags = 0; + isc_uint16_t flags = 0, ksk = 0; dns_secalg_t alg; isc_boolean_t conflict = ISC_FALSE, null_key = ISC_FALSE; isc_mem_t *mctx = NULL; @@ -143,7 +143,7 @@ main(int argc, char **argv) { break; case 'f': if (strcasecmp(isc_commandline_argument, "KSK") == 0) - flags |= DNS_KEYFLAG_KSK; + ksk = DNS_KEYFLAG_KSK; else fatal("unknown flag '%s'", isc_commandline_argument); 
@@ -211,17 +211,20 @@ main(int argc, char **argv) {
 if (algname == NULL)
 fatal("no algorithm was specified");
- if (strcasecmp(algname, "HMAC-MD5") == 0)
+ if (strcasecmp(algname, "HMAC-MD5") == 0) {
+ options |= DST_TYPE_KEY;
 alg = DST_ALG_HMACMD5;
- else {
+ } else {
 r.base = algname;
 r.length = strlen(algname);
 ret = dns_secalg_fromtext(&alg, &r);
 if (ret != ISC_R_SUCCESS)
 fatal("unknown algorithm %s", algname);
+ if (alg == DST_ALG_DH)
+ options |= DST_TYPE_KEY;
 }
- if (type != NULL) {
+ if (type != NULL && (options & DST_TYPE_KEY) != 0) {
 if (strcasecmp(type, "NOAUTH") == 0)
 flags |= DNS_KEYTYPE_NOAUTH;
 else if (strcasecmp(type, "NOCONF") == 0)
@@ -271,20 +274,29 @@ main(int argc, char **argv) {
 fatal("no nametype specified");
 if (strcasecmp(nametype, "zone") == 0)
 flags |= DNS_KEYOWNER_ZONE;
- else if (strcasecmp(nametype, "host") == 0 ||
- strcasecmp(nametype, "entity") == 0)
- flags |= DNS_KEYOWNER_ENTITY;
- else if (strcasecmp(nametype, "user") == 0)
- flags |= DNS_KEYOWNER_USER;
- else
- fatal("invalid nametype %s", nametype);
+ else if ((options & DST_TYPE_KEY) != 0) { /* KEY */
+ if (strcasecmp(nametype, "host") == 0 ||
+ strcasecmp(nametype, "entity") == 0)
+ flags |= DNS_KEYOWNER_ENTITY;
+ else if (strcasecmp(nametype, "user") == 0)
+ flags |= DNS_KEYOWNER_USER;
+ else
+ fatal("invalid KEY nametype %s", nametype);
+ } else if (strcasecmp(nametype, "other") != 0) /* DNSKEY */
+ fatal("invalid DNSKEY nametype %s", nametype);
 rdclass = strtoclass(classname);
- flags |= signatory;
+ if ((options & DST_TYPE_KEY) != 0) /* KEY */
+ flags |= signatory;
+ else if ((flags & DNS_KEYOWNER_ZONE) != 0) /* DNSKEY */
+ flags |= ksk;
 if (protocol == -1)
 protocol = DNS_KEYPROTO_DNSSEC;
+ else if ((options & DST_TYPE_KEY) == 0 &&
+ protocol != DNS_KEYPROTO_DNSSEC)
+ fatal("invalid DNSKEY protocol: %d", protocol);
 if ((flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY) {
 if (size > 0)
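Review bot: In the new `if (type != NULL && (options & DST_TYPE_KEY) != 0)` condition a `-t` value supplied for a DNSKEY is silently ignored, and in the `@@ -271` hunk the `-f KSK` value held in `ksk` is silently discarded for KEY records and for non-ZONE DNSKEY owners, while the same hunk makes a non-DNSSEC `-p` on a DNSKEY a fatal error. Treating the three the same way would be clearer for the user: `if (type != NULL && (options & DST_TYPE_KEY) == 0) fatal("-t is only valid for KEY records");` before the type block, and a matching check when `ksk != 0` but `(options & DST_TYPE_KEY) != 0` or the owner is not ZONE. I am assuming `-k` is what sets DST_TYPE_KEY in `options` outside these hunks. main() begins and ends outside both hunks.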
diff --git a/bin/dnssec/dnssec-keygen.docbook b/bin/dnssec/dnssec-keygen.docbook index 1c85567119..bad297cb32 100644 --- a/bin/dnssec/dnssec-keygen.docbook +++ b/bin/dnssec/dnssec-keygen.docbook @@ -16,7 +16,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -45,6 +45,7 @@ + @@ -58,7 +59,7 @@ DESCRIPTION dnssec-keygen generates keys for DNSSEC - (Secure DNS), as defined in RFC 2535. It can also generate + (Secure DNS), as defined in RFC 2535 and RFC <TBA\>. It can also generate keys for use with TSIG (Transaction Signatures), as defined in RFC 2845. @@ -73,13 +74,16 @@ Selects the cryptographic algorithm. The value of - must be one of RSAMD5 or RSA, + must be one of RSAMD5 (RSA) or RSASHA1, DSA, DH (Diffie Hellman), or HMAC-MD5. These values are case insensitive. - Note that for DNSSEC, DSA is a mandatory to implement algorithm, - and RSA is recommended. For TSIG, HMAC-MD5 is mandatory. + Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, + and DSA is recommended. For TSIG, HMAC-MD5 is mandatory. + + + Note 2: HMAC-MD5 and DH automatically set the -k flag. @@ -89,7 +93,7 @@ Specifies the number of bits in the key. The choice of key - size depends on the algorithm used. RSA keys must be between + size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be between 512 and 2048 bits. Diffie Hellman keys must be between 128 and 4096 bits. DSA keys must be between 512 and 1024 bits and an exact multiple of 64. HMAC-MD5 keys must be @@ -104,8 +108,8 @@ Specifies the owner type of the key. The value of must either be ZONE (for a DNSSEC - zone key), HOST or ENTITY (for a key associated with a host), - or USER (for a key associated with a user). These values are + zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), + USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). These values are case insensitive. 
@@ -125,7 +129,7 @@ -e - If generating an RSA key, use a large exponent. + If generating an RSAMD5/RSASHA1 key, use a large exponent. @@ -134,8 +138,8 @@ -f flag - Set the specified flag in the flag field of the key record. - The only recognized flag is KSK (Key Signing Key). + Set the specified flag in the flag field of the KEY/DNSKEY record. + The only recognized flag is KSK (Key Signing Key) DNSKEY. @@ -162,6 +166,15 @@ + + -k + + + Generate KEY records rather than DNSKEY records. + + + + -p protocol @@ -302,14 +315,6 @@ SEE ALSO - - dnssec-makekeyset - 8 - , - - dnssec-signkey - 8 - , dnssec-signzone 8 diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c index 4abbf56847..9c3940650d 100644 --- a/bin/dnssec/dnssec-signzone.c +++ b/bin/dnssec/dnssec-signzone.c @@ -16,7 +16,7 @@ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssec-signzone.c,v 1.178 2004/04/15 01:58:22 marka Exp $ */ +/* $Id: dnssec-signzone.c,v 1.179 2004/06/11 01:12:40 marka Exp $ */ #include @@ -222,7 +222,7 @@ signwithkey(dns_name_t *name, dns_rdataset_t *rdataset, dns_rdata_t *rdata, if (result != ISC_R_SUCCESS) { char keystr[KEY_FORMATSIZE]; key_format(key, keystr, sizeof(keystr)); - fatal("key '%s' failed to sign data: %s", + fatal("dnskey '%s' failed to sign data: %s", keystr, isc_result_totext(result)); } INCSTAT(nsigned); 
@@ -252,30 +252,32 @@ iszonekey(signer_key_t *key) {
 }
 /*
- * Finds the key that generated a SIG, if possible. First look at the keys
+ * Finds the key that generated a RRSIG, if possible. First look at the keys
 * that we've loaded already, and then see if there's a key on disk.
 */
 static signer_key_t *
-keythatsigned(dns_rdata_rrsig_t *sig) {
+keythatsigned(dns_rdata_rrsig_t *rrsig) {
 isc_result_t result;
 dst_key_t *pubkey = NULL, *privkey = NULL;
 signer_key_t *key;
 key = ISC_LIST_HEAD(keylist);
 while (key != NULL) {
- if (sig->keyid == dst_key_id(key->key) &&
- sig->algorithm == dst_key_alg(key->key) &&
- dns_name_equal(&sig->signer, dst_key_name(key->key)))
+ if (rrsig->keyid == dst_key_id(key->key) &&
+ rrsig->algorithm == dst_key_alg(key->key) &&
+ dns_name_equal(&rrsig->signer, dst_key_name(key->key)))
 return key;
 key = ISC_LIST_NEXT(key, link);
 }
- result = dst_key_fromfile(&sig->signer, sig->keyid, sig->algorithm,
- DST_TYPE_PUBLIC, NULL, mctx, &pubkey);
+ result = dst_key_fromfile(&rrsig->signer, rrsig->keyid,
+ rrsig->algorithm, DST_TYPE_PUBLIC,
+ NULL, mctx, &pubkey);
 if (result != ISC_R_SUCCESS)
 return (NULL);
- result = dst_key_fromfile(&sig->signer, sig->keyid, sig->algorithm,
+ result = dst_key_fromfile(&rrsig->signer, rrsig->keyid,
+ rrsig->algorithm,
 DST_TYPE_PUBLIC | DST_TYPE_PRIVATE,
 NULL, mctx, &privkey);
 if (result == ISC_R_SUCCESS) {
@@ -288,8 +290,8 @@ keythatsigned(dns_rdata_rrsig_t *sig) {
 }
 /*
- * Check to see if we expect to find a key at this name. If we see a SIG
- * and can't find the signing key that we expect to find, we drop the sig.
+ * Check to see if we expect to find a key at this name. If we see a RRSIG
+ * and can't find the signing key that we expect to find, we drop the rrsig.
 * I'm not sure if this is completely correct, but it seems to work.
 */
 static isc_boolean_t
@@ -313,17 +315,17 @@ expecttofindkey(dns_name_t *name) {
 return (ISC_FALSE);
 }
 dns_name_format(name, namestr, sizeof(namestr));
- fatal("failure looking for '%s KEY' in database: %s",
+ fatal("failure looking for '%s DNSKEY' in database: %s",
 namestr, isc_result_totext(result));
 return (ISC_FALSE); /* removes a warning */
 }
 static inline isc_boolean_t
 setverifies(dns_name_t *name, dns_rdataset_t *set, signer_key_t *key,
- dns_rdata_t *sig)
+ dns_rdata_t *rrsig)
 {
 isc_result_t result;
- result = dns_dnssec_verify(name, set, key->key, ISC_FALSE, mctx, sig);
+ result = dns_dnssec_verify(name, set, key->key, ISC_FALSE, mctx, rrsig);
 if (result == ISC_R_SUCCESS) {
 INCSTAT(nverified);
 return (ISC_TRUE);
@@ -334,7 +336,7 @@ setverifies(dns_name_t *name, dns_rdataset_t *set, signer_key_t *key,
 }
 /*
- * Signs a set. Goes through contortions to decide if each SIG should
+ * Signs a set. Goes through contortions to decide if each RRSIG should
 * be dropped or retained, and then determines if any new SIGs need to
 * be generated.
 */
@@ -344,7 +346,7 @@ signset(dns_diff_t *diff, dns_dbnode_t *node, dns_name_t *name,
 {
 dns_rdataset_t sigset;
 dns_rdata_t sigrdata = DNS_RDATA_INIT;
- dns_rdata_rrsig_t sig;
+ dns_rdata_rrsig_t rrsig;
 signer_key_t *key;
 isc_result_t result;
 isc_boolean_t nosigs = ISC_FALSE;
@@ -370,7 +372,7 @@ signset(dns_diff_t *diff, dns_dbnode_t *node, dns_name_t *name,
 nosigs = ISC_TRUE;
 }
 if (result != ISC_R_SUCCESS)
- fatal("failed while looking for '%s SIG %s': %s",
+ fatal("failed while looking for '%s RRSIG %s': %s",
 namestr, typestr, isc_result_totext(result));
 vbprintf(1, "%s/%s:\n", namestr, typestr);
@@ -397,44 +399,44 @@ signset(dns_diff_t *diff, dns_dbnode_t *node, dns_name_t *name,
 dns_rdataset_current(&sigset, &sigrdata);
- result = dns_rdata_tostruct(&sigrdata, &sig, NULL);
+ result = dns_rdata_tostruct(&sigrdata, &rrsig, NULL);
 check_result(result, "dns_rdata_tostruct");
- future = isc_serial_lt(now, sig.timesigned);
+ future = isc_serial_lt(now, rrsig.timesigned);
- key = keythatsigned(&sig);
- sig_format(&sig, sigstr, sizeof(sigstr));
+ key = keythatsigned(&rrsig);
+ sig_format(&rrsig, sigstr, sizeof(sigstr));
 if (key != NULL && issigningkey(key))
- expired = isc_serial_gt(now + cycle, sig.timeexpire);
+ expired = isc_serial_gt(now + cycle, rrsig.timeexpire);
 else
- expired = isc_serial_gt(now, sig.timeexpire);
+ expired = isc_serial_gt(now, rrsig.timeexpire);
- if (isc_serial_gt(sig.timesigned, sig.timeexpire)) {
- /* sig is dropped and not replaced */
- vbprintf(2, "\tsig by %s dropped - "
+ if (isc_serial_gt(rrsig.timesigned, rrsig.timeexpire)) {
+ /* rrsig is dropped and not replaced */
+ vbprintf(2, "\trrsig by %s dropped - "
 "invalid validity period\n",
 sigstr);
 } else if (key == NULL && !future &&
- expecttofindkey(&sig.signer))
+ expecttofindkey(&rrsig.signer))
 {
- /* sig is dropped and not replaced */
- vbprintf(2, "\tsig by %s dropped - "
- "private key not found\n",
+ /* rrsig is dropped and not replaced */
+ vbprintf(2, "\trrsig by %s dropped - "
+ "private dnskey not found\n",
 sigstr);
 } else if (key == NULL || future) {
- vbprintf(2, "\tsig by %s %s - key not found\n",
+ vbprintf(2, "\trrsig by %s %s - dnskey not found\n",
 expired ?
 "retained" : "dropped", sigstr);
 if (!expired)
 keep = ISC_TRUE;
 } else if (issigningkey(key)) {
 if (!expired && setverifies(name, set, key, &sigrdata)) {
- vbprintf(2, "\tsig by %s retained\n", sigstr);
+ vbprintf(2, "\trrsig by %s retained\n", sigstr);
 keep = ISC_TRUE;
 wassignedby[key->position] = ISC_TRUE;
 nowsignedby[key->position] = ISC_TRUE;
 } else {
- vbprintf(2, "\tsig by %s dropped - %s\n",
+ vbprintf(2, "\trrsig by %s dropped - %s\n",
 sigstr,
 expired ? "expired" :
 "failed to verify");
@@ -444,22 +446,22 @@ signset(dns_diff_t *diff, dns_dbnode_t *node, dns_name_t *name,
 } else if (iszonekey(key)) {
 if (!expired && setverifies(name, set, key, &sigrdata)) {
- vbprintf(2, "\tsig by %s retained\n", sigstr);
+ vbprintf(2, "\trrsig by %s retained\n", sigstr);
 keep = ISC_TRUE;
 wassignedby[key->position] = ISC_TRUE;
 nowsignedby[key->position] = ISC_TRUE;
 } else {
- vbprintf(2, "\tsig by %s dropped - %s\n",
+ vbprintf(2, "\trrsig by %s dropped - %s\n",
 sigstr,
 expired ? "expired" :
 "failed to verify");
 wassignedby[key->position] = ISC_TRUE;
 }
 } else if (!expired) {
- vbprintf(2, "\tsig by %s retained\n", sigstr);
+ vbprintf(2, "\trrsig by %s retained\n", sigstr);
 keep = ISC_TRUE;
 } else {
- vbprintf(2, "\tsig by %s expired\n", sigstr);
+ vbprintf(2, "\trrsig by %s expired\n", sigstr);
 }
 if (keep) {
@@ -482,7 +484,7 @@ signset(dns_diff_t *diff, dns_dbnode_t *node, dns_name_t *name,
 char keystr[KEY_FORMATSIZE];
 key_format(key->key, keystr, sizeof(keystr));
- vbprintf(1, "\tresigning with key %s\n", keystr);
+ vbprintf(1, "\tresigning with dnskey %s\n", keystr);
 isc_buffer_init(&b, array, sizeof(array));
 signwithkey(name, set, &trdata, key->key, &b);
 nowsignedby[key->position] = ISC_TRUE;
@@ -495,7 +497,7 @@ signset(dns_diff_t *diff, dns_dbnode_t *node, dns_name_t *name,
 }
 dns_rdata_reset(&sigrdata);
- dns_rdata_freestruct(&sig);
+ dns_rdata_freestruct(&rrsig);
 result = dns_rdataset_next(&sigset);
 }
 if (result == ISC_R_NOMORE)
@@ -526,7 +528,7 @@ signset(dns_diff_t *diff, dns_dbnode_t *node, dns_name_t *name,
 continue;
 key_format(key->key, keystr, sizeof(keystr));
- vbprintf(1, "\tsigning with key %s\n", keystr);
+ vbprintf(1, "\tsigning with dnskey %s\n", keystr);
 dns_rdata_init(&trdata);
 isc_buffer_init(&b, array, sizeof(array));
 signwithkey(name, set, &trdata, key->key, &b);
@@ -607,7 +609,7 @@ loadds(dns_name_t *name, isc_uint32_t ttl, dns_rdataset_t *dsset) {
 return (result);
 }
- vbprintf(2, "found KEY records\n");
+ vbprintf(2, "found DNSKEY records\n");
 result = dns_db_newversion(db, &ver);
 check_result(result, "dns_db_newversion");
@@ -753,7 +755,7 @@ delegation(dns_name_t *name, dns_dbnode_t *node, isc_uint32_t *ttlp) {
 /*
 * Signs all records at a name. This mostly just signs each set individually,
- * but also adds the SIG bit to any NSECs generated earlier, deals with
+ * but also adds the RRSIG bit to any NSECs generated earlier, deals with
 * parent/child KEY signatures, and handles other exceptional cases.
 */
 static void
@@ -815,9 +817,9 @@ signname(dns_dbnode_t *node, dns_name_t *name) {
 dns_rdataset_disassociate(&sigdsset);
 } else if (dns_rdataset_isassociated(&sigdsset)) {
 result = dns_db_deleterdataset(gdb, node,
- gversion,
- dns_rdatatype_rrsig,
- dns_rdatatype_ds);
+ gversion,
+ dns_rdatatype_rrsig,
+ dns_rdatatype_ds);
 check_result(result, "dns_db_deleterdataset");
 dns_rdataset_disassociate(&sigdsset);
 }
@@ -858,7 +860,7 @@ signname(dns_dbnode_t *node, dns_name_t *name) {
 while (result == ISC_R_SUCCESS) {
 dns_rdatasetiter_current(rdsiter, &rdataset);
- /* If this is a SIG set, skip it. */
+ /* If this is a RRSIG set, skip it. */
 if (rdataset.type == dns_rdatatype_rrsig)
 goto skip;
@@ -871,18 +873,11 @@ signname(dns_dbnode_t *node, dns_name_t *name) {
 if (rdataset.type != dns_rdatatype_nsec &&
 rdataset.type != dns_rdatatype_ds)
 goto skip;
-#if 0
- /*
- * The current draft allows DS not at a zone cut.
- * This is a bad idea. Update once the RFC is published.
- * XXXMPA.
- */
 } else if (rdataset.type == dns_rdatatype_ds) {
 char namebuf[DNS_NAME_FORMATSIZE];
 dns_name_format(name, namebuf, sizeof(namebuf));
 fatal("'%s': found DS RRset without NS RRset\n",
 namebuf);
-#endif
 }
 signset(&diff, node, name, &rdataset);
@@ -979,7 +974,7 @@ soattl(void) {
 }
 /*
- * Delete any SIG records at a node.
+ * Delete any RRSIG records at a node.
 */
 static void
 cleannode(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node) {
@@ -1411,8 +1406,8 @@ warnifallksk(dns_db_t *db) {
 dns_db_detachnode(db, &node);
 dns_db_closeversion(db, ¤tversion, ISC_FALSE);
 if (!have_non_ksk && !ignoreksk)
- fprintf(stderr,
- "%s: warning: No non-KSK key found. Supply non-KSK key or use '-z'.\n",
+ fprintf(stderr, "%s: warning: No non-KSK dnskey found. "
+ "Supply non-KSK dnskey or use '-z'.\n",
 program);
 }
@@ -1568,9 +1563,9 @@ usage(void) {
 fprintf(stderr, "\t-g:\t");
 fprintf(stderr, "generate DS records from keyset files\n");
 fprintf(stderr, "\t-s YYYYMMDDHHMMSS|+offset:\n");
- fprintf(stderr, "\t\tSIG start time - absolute|offset (now - 1 hour)\n");
+ fprintf(stderr, "\t\tRRSIG start time - absolute|offset (now - 1 hour)\n");
 fprintf(stderr, "\t-e YYYYMMDDHHMMSS|+offset|\"now\"+offset]:\n");
- fprintf(stderr, "\t\tSIG end time - absolute|from start|from now "
+ fprintf(stderr, "\t\tRRSIG end time - absolute|from start|from now "
 "(now + 30 days)\n");
 fprintf(stderr, "\t-i interval:\n");
 fprintf(stderr, "\t\tcycle interval - resign "
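Review bot: Removing the `#if 0`/`#endif` turns the `fatal("'%s': found DS RRset without NS RRset\n", namebuf)` branch from dead code into a hard failure of dnssec-signzone, and neither CHANGES entry in this diff records it (1658 is keygen-only, 1659 is message cleanup); a CHANGES line naming the new error would help operators who hit it. The now-live string also ends in `\n`, unlike every other fatal() call in this diff (e.g. `fatal("failure looking for '%s DNSKEY' in database: %s", ...)`), so if fatal() appends its own newline this will print a stray blank line; `fatal("'%s': found DS RRset without NS RRset", namebuf);` would match the rest. signname() begins and ends outside the hunk.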
@@ -1592,6 +1587,8 @@ usage(void) { fprintf(stderr, "\t-n ncpus (number of cpus present)\n"); fprintf(stderr, "\t-k key_signing_key\n"); fprintf(stderr, "\t-l lookasidezone\n"); + fprintf(stderr, "\t-z:\t"); + fprintf(stderr, "ignore KSK flag in DNSKEYs"); fprintf(stderr, "\n"); @@ -1850,7 +1847,7 @@ main(int argc, char *argv[]) { DST_TYPE_PRIVATE, mctx, &newkey); if (result != ISC_R_SUCCESS) - fatal("cannot load key %s: %s", argv[i], + fatal("cannot load dnskey %s: %s", argv[i], isc_result_totext(result)); key = ISC_LIST_HEAD(keylist); @@ -1863,7 +1860,7 @@ main(int argc, char *argv[]) { { if (!dst_key_isprivate(dkey)) fatal("cannot sign zone with " - "non-private key %s", + "non-private dnskey %s", argv[i]); break; } @@ -1887,7 +1884,7 @@ main(int argc, char *argv[]) { DST_TYPE_PRIVATE, mctx, &newkey); if (result != ISC_R_SUCCESS) - fatal("cannot load key %s: %s", dskeyfile[i], + fatal("cannot load dnskey %s: %s", dskeyfile[i], isc_result_totext(result)); key = ISC_LIST_HEAD(keylist); @@ -1909,7 +1906,7 @@ main(int argc, char *argv[]) { key = ISC_LIST_NEXT(key, link); } if (key == NULL) { - /* Override key flags. */ + /* Override dnskey flags. */ key = newkeystruct(newkey, ISC_TRUE); key->isksk = ISC_TRUE; key->isdsk = ISC_FALSE; diff --git a/bin/dnssec/dnssec-signzone.docbook b/bin/dnssec/dnssec-signzone.docbook index cf3722eaf0..d1af63080a 100644 --- a/bin/dnssec/dnssec-signzone.docbook +++ b/bin/dnssec/dnssec-signzone.docbook @@ -16,7 +16,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + 
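Review bot: The new `-z` usage line `fprintf(stderr, "ignore KSK flag in DNSKEYs");` has no trailing newline, unlike the `-g` line written with the same two-call pattern earlier in this diff (`fprintf(stderr, "generate DS records from keyset files\n");`), so it runs into the following `fprintf(stderr, "\n")` and consumes the blank line that call used to emit after `-l lookasidezone`. Use `fprintf(stderr, "ignore KSK flag in DNSKEYs\n");`. usage() begins and ends outside the hunk.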
@@ -63,14 +63,12 @@ DESCRIPTION - dnssec-signzone signs a zone. It generates NSEC - and RRSIG records and produces a signed version of the zone. If there - is a signedkey file from the zone's parent, - the parent's signatures will be incorporated into the generated - signed zone file. The security status of delegations from the - signed zone (that is, whether the child zones are secure or not) is - determined by the presence or absence of a - signedkey file for each child zone. + dnssec-signzone signs a zone. It generates + NSEC and RRSIG records and produces a signed version of the + zone. The security status of delegations from the signed zone + (that is, whether the child zones are secure or not) is + determined by the presence or absence of a + keyset file for each child zone. @@ -120,7 +118,7 @@ -d directory - Look for signedkey files in + Look for keyset files in as the directory @@ -317,8 +315,8 @@ The following command signs the example.com zone with the DSA key generated in the dnssec-keygen man page. The zone's keys must be in the zone. If there are - signedkey files associated with this zone - or any child zones, they must be in the current directory. + keyset files associated with child zones, + they must be in the current directory. example.com, the following command would be issued: diff --git a/lib/dns/validator.c b/lib/dns/validator.c index 078f9dbd35..59d365c194 100644 --- a/lib/dns/validator.c +++ b/lib/dns/validator.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: validator.c,v 1.122 2004/05/14 04:45:57 marka Exp $ */ +/* $Id: validator.c,v 1.123 2004/06/11 01:12:38 marka Exp $ */ #include @@ -1593,7 +1593,7 @@ dlv_validatezonekey(dns_validator_t *val) { } if (result != ISC_R_SUCCESS) { validator_log(val, ISC_LOG_DEBUG(3), - "no KEY matching DLV"); + "no DNSKEY matching DLV"); continue; } 
@@ -1628,7 +1628,8 @@ dlv_validatezonekey(dns_validator_t *val) {
 dns_rdataset_disassociate(&trdataset);
 if (result == ISC_R_SUCCESS)
 break;
- validator_log(val, ISC_LOG_DEBUG(3), "no SIG matching DLV key");
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "no RRSIG matching DLV key");
 }
 if (result == ISC_R_SUCCESS) {
 val->event->rdataset->trust = dns_trust_secure;
@@ -1877,7 +1878,7 @@ validatezonekey(dns_validator_t *val) {
 }
 if (result != ISC_R_SUCCESS) {
 validator_log(val, ISC_LOG_DEBUG(3),
- "no KEY matching DS");
+ "no DNSKEY matching DS");
 continue;
 }
@@ -1912,7 +1913,8 @@ validatezonekey(dns_validator_t *val) {
 dns_rdataset_disassociate(&trdataset);
 if (result == ISC_R_SUCCESS)
 break;
- validator_log(val, ISC_LOG_DEBUG(3), "no SIG matching DS key");
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "no RRSIG matching DS key");
 }
 if (result == ISC_R_SUCCESS) {
 event->rdataset->trust = dns_trust_secure;
@@ -2092,8 +2094,8 @@ nsecvalidate(dns_validator_t *val, isc_boolean_t resume) {
 * would lead to a query for the zone key, which
 * would return a negative answer, which would contain
 * an SOA and an NSEC signed by the missing key, which
- * would trigger another query for the KEY (since the
- * first one is still in progress), and go into an
+ * would trigger another query for the DNSKEY (since
+ * the first one is still in progress), and go into an
 * infinite loop. Avoid that.
 */
 if (val->event->type == dns_rdatatype_dnskey &&