1659. [cleanup] Cleanup some messages that were referring to KEY vs

DNSKEY, NXT vs NSEC and SIG vs RRSIG. 1658. [func] Update dnssec-keygen to default to KEY for HMAC-MD5 and DH. Tighten which options apply to KEY and DNSKEY records.
2025-09-01 06:55:30 +00:00 · 2004-06-11 01:12:40 +00:00
parent 3386e92795
commit cc3aafe737
6 changed files with 137 additions and 116 deletions
--- a/7
+++ b/7
@@ -1,3 +1,10 @@
 1659.	[cleanup]	Cleanup some messages that were referring to KEY vs
 			DNSKEY, NXT vs NSEC and SIG vs RRSIG.
 1658.	[func]		Update dnssec-keygen to default to KEY for HMAC-MD5
 			and DH.  Tighten which options apply to KEY and
 			DNSKEY records.
 1657.	[doc]		ARM: document query log output.
 1656.	[doc]		Update DNSSEC description in ARM to cover DS, NSEC
--- a/bin/dnssec/dnssec-keygen.c
+++ b/bin/dnssec/dnssec-keygen.c
@@ -16,7 +16,7 @@
 * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: dnssec-keygen.c,v 1.66 2004/03/10 02:19:51 marka Exp $ */
+/* $Id: dnssec-keygen.c,v 1.67 2004/06/11 01:12:39 marka Exp $ */
 #include <config.h>
@@ -68,7 +68,7 @@ usage(void) {
 	fprintf(stderr, "        DH:\t\t[128..4096]\n");
 	fprintf(stderr, "        DSA:\t\t[512..1024] and divisible by 64\n");
 	fprintf(stderr, "        HMAC-MD5:\t[1..512]\n");
-	fprintf(stderr, "    -n nametype: ZONE | HOST | ENTITY | USER\n");
+	fprintf(stderr, "    -n nametype: ZONE | HOST | ENTITY | USER | OTHER\n");
 	fprintf(stderr, "    name: owner of the key\n");
 	fprintf(stderr, "Other options:\n");
 	fprintf(stderr, "    -c <class> (default: IN)\n");
@@ -101,7 +101,7 @@ main(int argc, char **argv) {
 	dst_key_t	*key = NULL, *oldkey;
 	dns_fixedname_t	fname;
 	dns_name_t	*name;
-	isc_uint16_t	flags = 0;
+	isc_uint16_t	flags = 0, ksk = 0;
 	dns_secalg_t	alg;
 	isc_boolean_t	conflict = ISC_FALSE, null_key = ISC_FALSE;
 	isc_mem_t	*mctx = NULL;
@@ -143,7 +143,7 @@ main(int argc, char **argv) {
 			break;
 		case 'f':
 			if (strcasecmp(isc_commandline_argument, "KSK") == 0)
-				flags |= DNS_KEYFLAG_KSK;
+				ksk = DNS_KEYFLAG_KSK;
 			else
 				fatal("unknown flag '%s'",
 				      isc_commandline_argument);
@@ -211,17 +211,20 @@ main(int argc, char **argv) {
 	if (algname == NULL)
 		fatal("no algorithm was specified");
-	if (strcasecmp(algname, "HMAC-MD5") == 0)
+	if (strcasecmp(algname, "HMAC-MD5") == 0) {
 		options |= DST_TYPE_KEY;
 		alg = DST_ALG_HMACMD5;
-	else {
+	} else {
 		r.base = algname;
 		r.length = strlen(algname);
 		ret = dns_secalg_fromtext(&alg, &r);
 		if (ret != ISC_R_SUCCESS)
 			fatal("unknown algorithm %s", algname);
 		if (alg == DST_ALG_DH)
 			options |= DST_TYPE_KEY;
 	}
-	if (type != NULL) {
+	if (type != NULL && (options & DST_TYPE_KEY) != 0) {
 		if (strcasecmp(type, "NOAUTH") == 0)
 			flags |= DNS_KEYTYPE_NOAUTH;
 		else if (strcasecmp(type, "NOCONF") == 0)
@@ -271,20 +274,29 @@ main(int argc, char **argv) {
 		fatal("no nametype specified");
 	if (strcasecmp(nametype, "zone") == 0)
 		flags |= DNS_KEYOWNER_ZONE;
-	else if (strcasecmp(nametype, "host") == 0 ||
+	else if ((options & DST_TYPE_KEY) != 0)	{ /* KEY */
-		 strcasecmp(nametype, "entity") == 0)
+		if (strcasecmp(nametype, "host") == 0 ||
-		flags |= DNS_KEYOWNER_ENTITY;
+			 strcasecmp(nametype, "entity") == 0)
-	else if (strcasecmp(nametype, "user") == 0)
+			flags |= DNS_KEYOWNER_ENTITY;
-		flags |= DNS_KEYOWNER_USER;
+		else if (strcasecmp(nametype, "user") == 0)
-	else
+			flags |= DNS_KEYOWNER_USER;
-		fatal("invalid nametype %s", nametype);
+		else
 			fatal("invalid KEY nametype %s", nametype);
 	} else if (strcasecmp(nametype, "other") != 0) /* DNSKEY */
 		fatal("invalid DNSKEY nametype %s", nametype);
 	rdclass = strtoclass(classname);
-	flags |= signatory;
+	if ((options & DST_TYPE_KEY) != 0)  /* KEY */
 		flags |= signatory;
 	else if ((flags & DNS_KEYOWNER_ZONE) != 0) /* DNSKEY */
 		flags |= ksk;
 	if (protocol == -1)
 		protocol = DNS_KEYPROTO_DNSSEC;
 	else if ((options & DST_TYPE_KEY) == 0 &&
 		 protocol != DNS_KEYPROTO_DNSSEC)
 		fatal("invalid DNSKEY protocol: %d", protocol);
 	if ((flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY) {
 		if (size > 0)
--- a/bin/dnssec/dnssec-keygen.docbook
+++ b/bin/dnssec/dnssec-keygen.docbook
@@ -16,7 +16,7 @@
 - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: dnssec-keygen.docbook,v 1.8 2004/06/03 02:22:31 marka Exp $ -->
+<!-- $Id: dnssec-keygen.docbook,v 1.9 2004/06/11 01:12:40 marka Exp $ -->
 <refentry>
  <refentryinfo>
@@ -45,6 +45,7 @@
      <arg><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
      <arg><option>-g <replaceable class="parameter">generator</replaceable></option></arg>
      <arg><option>-h</option></arg>
      <arg><option>-k</option></arg>
      <arg><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
      <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
      <arg><option>-s <replaceable class="parameter">strength</replaceable></option></arg>
@@ -58,7 +59,7 @@
    <title>DESCRIPTION</title>
    <para>
        <command>dnssec-keygen</command> generates keys for DNSSEC
-	(Secure DNS), as defined in RFC 2535.  It can also generate
+	(Secure DNS), as defined in RFC 2535 and RFC &lt;TBA\&gt;.  It can also generate
 	keys for use with TSIG (Transaction Signatures), as
 	defined in RFC 2845.
    </para>
@@ -73,13 +74,16 @@
 	<listitem>
 	  <para>
 	      Selects the cryptographic algorithm.  The value of
-	      <option>algorithm</option> must be one of RSAMD5 or RSA,
+	      <option>algorithm</option> must be one of RSAMD5 (RSA) or RSASHA1,
 	      DSA, DH (Diffie Hellman), or HMAC-MD5.  These values
 	      are case insensitive.
 	  </para>
 	  <para>
-	      Note that for DNSSEC, DSA is a mandatory to implement algorithm,
+	      Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm,
-	      and RSA is recommended.  For TSIG, HMAC-MD5 is mandatory.
+	      and DSA is recommended.  For TSIG, HMAC-MD5 is mandatory.
 	  </para>
 	  <para>
 	      Note 2: HMAC-MD5 and DH automatically set the -k flag.
 	  </para>
 	</listitem>
      </varlistentry>
@@ -89,7 +93,7 @@
 	<listitem>
 	  <para>
 	       Specifies the number of bits in the key.  The choice of key
-	       size depends on the algorithm used.  RSA keys must be between
+	       size depends on the algorithm used.  RSAMD5 / RSASHA1 keys must be between
 	       512 and 2048 bits.  Diffie Hellman keys must be between
 	       128 and 4096 bits.  DSA keys must be between 512 and 1024
 	       bits and an exact multiple of 64.  HMAC-MD5 keys must be
@@ -104,8 +108,8 @@
 	  <para>
 	       Specifies the owner type of the key.  The value of
 	       <option>nametype</option> must either be ZONE (for a DNSSEC
-	       zone key), HOST or ENTITY (for a key associated with a host),
+	       zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)),
-	       or USER (for a key associated with a user).  These values are
+	       USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).  These values are
 	       case insensitive.
 	  </para>
 	</listitem>
@@ -125,7 +129,7 @@
        <term>-e</term>
 	<listitem>
 	  <para>
-	       If generating an RSA key, use a large exponent.
+	       If generating an RSAMD5/RSASHA1 key, use a large exponent.
 	  </para>
 	</listitem>
      </varlistentry>
@@ -134,8 +138,8 @@
        <term>-f <replaceable class="parameter">flag</replaceable></term>
 	<listitem>
 	  <para>
-		Set the specified flag in the flag field of the key record.
+		Set the specified flag in the flag field of the KEY/DNSKEY record.
-		The only recognized flag is KSK (Key Signing Key).
+		The only recognized flag is KSK (Key Signing Key) DNSKEY.
 	  </para>
 	</listitem>
      </varlistentry>
@@ -162,6 +166,15 @@
 	</listitem>
      </varlistentry>
      <varlistentry>
        <term>-k</term>
 	<listitem>
 	  <para>
 	       Generate KEY records rather than DNSKEY records.
 	  </para>
 	</listitem>
      </varlistentry>
      <varlistentry>
        <term>-p <replaceable class="parameter">protocol</replaceable></term>
 	<listitem>
@@ -302,14 +315,6 @@
  <refsect1>
    <title>SEE ALSO</title>
    <para>
      <citerefentry>
        <refentrytitle>dnssec-makekeyset</refentrytitle>
 	<manvolnum>8</manvolnum>
      </citerefentry>,
      <citerefentry>
        <refentrytitle>dnssec-signkey</refentrytitle>
 	<manvolnum>8</manvolnum>
      </citerefentry>,
      <citerefentry>
        <refentrytitle>dnssec-signzone</refentrytitle>
 	<manvolnum>8</manvolnum>
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -16,7 +16,7 @@
 * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: dnssec-signzone.c,v 1.178 2004/04/15 01:58:22 marka Exp $ */
+/* $Id: dnssec-signzone.c,v 1.179 2004/06/11 01:12:40 marka Exp $ */
 #include <config.h>
@@ -222,7 +222,7 @@ signwithkey(dns_name_t *name, dns_rdataset_t *rdataset, dns_rdata_t *rdata,
 	if (result != ISC_R_SUCCESS) {
 		char keystr[KEY_FORMATSIZE];
 		key_format(key, keystr, sizeof(keystr));
-		fatal("key '%s' failed to sign data: %s",
+		fatal("dnskey '%s' failed to sign data: %s",
 		      keystr, isc_result_totext(result));
 	}
 	INCSTAT(nsigned);
@@ -252,30 +252,32 @@ iszonekey(signer_key_t *key) {
 }
 /*
- * Finds the key that generated a SIG, if possible.  First look at the keys
+ * Finds the key that generated a RRSIG, if possible.  First look at the keys
 * that we've loaded already, and then see if there's a key on disk.
 */
 static signer_key_t *
-keythatsigned(dns_rdata_rrsig_t *sig) {
+keythatsigned(dns_rdata_rrsig_t *rrsig) {
 	isc_result_t result;
 	dst_key_t *pubkey = NULL, *privkey = NULL;
 	signer_key_t *key;
 	key = ISC_LIST_HEAD(keylist);
 	while (key != NULL) {
-		if (sig->keyid == dst_key_id(key->key) &&
+		if (rrsig->keyid == dst_key_id(key->key) &&
-		    sig->algorithm == dst_key_alg(key->key) &&
+		    rrsig->algorithm == dst_key_alg(key->key) &&
-		    dns_name_equal(&sig->signer, dst_key_name(key->key)))
+		    dns_name_equal(&rrsig->signer, dst_key_name(key->key)))
 			return key;
 		key = ISC_LIST_NEXT(key, link);
 	}
-	result = dst_key_fromfile(&sig->signer, sig->keyid, sig->algorithm,
+	result = dst_key_fromfile(&rrsig->signer, rrsig->keyid,
-				  DST_TYPE_PUBLIC, NULL, mctx, &pubkey);
+				  rrsig->algorithm, DST_TYPE_PUBLIC,
 				  NULL, mctx, &pubkey);
 	if (result != ISC_R_SUCCESS)
 		return (NULL);
-	result = dst_key_fromfile(&sig->signer, sig->keyid, sig->algorithm,
+	result = dst_key_fromfile(&rrsig->signer, rrsig->keyid,
 				  rrsig->algorithm,
 				  DST_TYPE_PUBLIC | DST_TYPE_PRIVATE,
 				  NULL, mctx, &privkey);
 	if (result == ISC_R_SUCCESS) {
@@ -288,8 +290,8 @@ keythatsigned(dns_rdata_rrsig_t *sig) {
 }
 /*
- * Check to see if we expect to find a key at this name.  If we see a SIG
+ * Check to see if we expect to find a key at this name.  If we see a RRSIG
- * and can't find the signing key that we expect to find, we drop the sig.
+ * and can't find the signing key that we expect to find, we drop the rrsig.
 * I'm not sure if this is completely correct, but it seems to work.
 */
 static isc_boolean_t
@@ -313,17 +315,17 @@ expecttofindkey(dns_name_t *name) {
 		return (ISC_FALSE);
 	}
 	dns_name_format(name, namestr, sizeof(namestr));
-	fatal("failure looking for '%s KEY' in database: %s",
+	fatal("failure looking for '%s DNSKEY' in database: %s",
 	      namestr, isc_result_totext(result));
 	return (ISC_FALSE); /* removes a warning */
 }
 static inline isc_boolean_t
 setverifies(dns_name_t *name, dns_rdataset_t *set, signer_key_t *key,
-	    dns_rdata_t *sig)
+	    dns_rdata_t *rrsig)
 {
 	isc_result_t result;
-	result = dns_dnssec_verify(name, set, key->key, ISC_FALSE, mctx, sig);
+	result = dns_dnssec_verify(name, set, key->key, ISC_FALSE, mctx, rrsig);
 	if (result == ISC_R_SUCCESS) {
 		INCSTAT(nverified);
 		return (ISC_TRUE);
@@ -334,7 +336,7 @@ setverifies(dns_name_t *name, dns_rdataset_t *set, signer_key_t *key,
 }
 /*
- * Signs a set.  Goes through contortions to decide if each SIG should
+ * Signs a set.  Goes through contortions to decide if each RRSIG should
 * be dropped or retained, and then determines if any new SIGs need to
 * be generated.
 */
@@ -344,7 +346,7 @@ signset(dns_diff_t *diff, dns_dbnode_t *node, dns_name_t *name,
 {
 	dns_rdataset_t sigset;
 	dns_rdata_t sigrdata = DNS_RDATA_INIT;
-	dns_rdata_rrsig_t sig;
+	dns_rdata_rrsig_t rrsig;
 	signer_key_t *key;
 	isc_result_t result;
 	isc_boolean_t nosigs = ISC_FALSE;
@@ -370,7 +372,7 @@ signset(dns_diff_t *diff, dns_dbnode_t *node, dns_name_t *name,
 		nosigs = ISC_TRUE;
 	}
 	if (result != ISC_R_SUCCESS)
-		fatal("failed while looking for '%s SIG %s': %s",
+		fatal("failed while looking for '%s RRSIG %s': %s",
 		      namestr, typestr, isc_result_totext(result));
 	vbprintf(1, "%s/%s:\n", namestr, typestr);
@@ -397,44 +399,44 @@ signset(dns_diff_t *diff, dns_dbnode_t *node, dns_name_t *name,
 		dns_rdataset_current(&sigset, &sigrdata);
-		result = dns_rdata_tostruct(&sigrdata, &sig, NULL);
+		result = dns_rdata_tostruct(&sigrdata, &rrsig, NULL);
 		check_result(result, "dns_rdata_tostruct");
-		future = isc_serial_lt(now, sig.timesigned);
+		future = isc_serial_lt(now, rrsig.timesigned);
-		key = keythatsigned(&sig);
+		key = keythatsigned(&rrsig);
-		sig_format(&sig, sigstr, sizeof(sigstr));
+		sig_format(&rrsig, sigstr, sizeof(sigstr));
 		if (key != NULL && issigningkey(key))
-			expired = isc_serial_gt(now + cycle, sig.timeexpire);
+			expired = isc_serial_gt(now + cycle, rrsig.timeexpire);
 		else
-			expired = isc_serial_gt(now, sig.timeexpire);
+			expired = isc_serial_gt(now, rrsig.timeexpire);
-		if (isc_serial_gt(sig.timesigned, sig.timeexpire)) {
+		if (isc_serial_gt(rrsig.timesigned, rrsig.timeexpire)) {
-			/* sig is dropped and not replaced */
+			/* rrsig is dropped and not replaced */
-			vbprintf(2, "\tsig by %s dropped - "
+			vbprintf(2, "\trrsig by %s dropped - "
 				 "invalid validity period\n",
 				 sigstr);
 		} else if (key == NULL && !future &&
-			 expecttofindkey(&sig.signer))
+			 expecttofindkey(&rrsig.signer))
 		{
-			/* sig is dropped and not replaced */
+			/* rrsig is dropped and not replaced */
-			vbprintf(2, "\tsig by %s dropped - "
+			vbprintf(2, "\trrsig by %s dropped - "
-				 "private key not found\n",
+				 "private dnskey not found\n",
 				 sigstr);
 		} else if (key == NULL || future) {
-			vbprintf(2, "\tsig by %s %s - key not found\n",
+			vbprintf(2, "\trrsig by %s %s - dnskey not found\n",
 				 expired ? "retained" : "dropped", sigstr);
 			if (!expired)
 				keep = ISC_TRUE;
 		} else if (issigningkey(key)) {
 			if (!expired && setverifies(name, set, key, &sigrdata))
 			{
-				vbprintf(2, "\tsig by %s retained\n", sigstr);
+				vbprintf(2, "\trrsig by %s retained\n", sigstr);
 				keep = ISC_TRUE;
 				wassignedby[key->position] = ISC_TRUE;
 				nowsignedby[key->position] = ISC_TRUE;
 			} else {
-				vbprintf(2, "\tsig by %s dropped - %s\n",
+				vbprintf(2, "\trrsig by %s dropped - %s\n",
 					 sigstr,
 					 expired ? "expired" :
 						   "failed to verify");
@@ -444,22 +446,22 @@ signset(dns_diff_t *diff, dns_dbnode_t *node, dns_name_t *name,
 		} else if (iszonekey(key)) {
 			if (!expired && setverifies(name, set, key, &sigrdata))
 			{
-				vbprintf(2, "\tsig by %s retained\n", sigstr);
+				vbprintf(2, "\trrsig by %s retained\n", sigstr);
 				keep = ISC_TRUE;
 				wassignedby[key->position] = ISC_TRUE;
 				nowsignedby[key->position] = ISC_TRUE;
 			} else {
-				vbprintf(2, "\tsig by %s dropped - %s\n",
+				vbprintf(2, "\trrsig by %s dropped - %s\n",
 					 sigstr,
 					 expired ? "expired" :
 						   "failed to verify");
 				wassignedby[key->position] = ISC_TRUE;
 			}
 		} else if (!expired) {
-			vbprintf(2, "\tsig by %s retained\n", sigstr);
+			vbprintf(2, "\trrsig by %s retained\n", sigstr);
 			keep = ISC_TRUE;
 		} else {
-			vbprintf(2, "\tsig by %s expired\n", sigstr);
+			vbprintf(2, "\trrsig by %s expired\n", sigstr);
 		}
 		if (keep) {
@@ -482,7 +484,7 @@ signset(dns_diff_t *diff, dns_dbnode_t *node, dns_name_t *name,
 			char keystr[KEY_FORMATSIZE];
 			key_format(key->key, keystr, sizeof(keystr));
-			vbprintf(1, "\tresigning with key %s\n", keystr);
+			vbprintf(1, "\tresigning with dnskey %s\n", keystr);
 			isc_buffer_init(&b, array, sizeof(array));
 			signwithkey(name, set, &trdata, key->key, &b);
 			nowsignedby[key->position] = ISC_TRUE;
@@ -495,7 +497,7 @@ signset(dns_diff_t *diff, dns_dbnode_t *node, dns_name_t *name,
 		}
 		dns_rdata_reset(&sigrdata);
-		dns_rdata_freestruct(&sig);
+		dns_rdata_freestruct(&rrsig);
 		result = dns_rdataset_next(&sigset);
 	}
 	if (result == ISC_R_NOMORE)
@@ -526,7 +528,7 @@ signset(dns_diff_t *diff, dns_dbnode_t *node, dns_name_t *name,
 			continue;
 		key_format(key->key, keystr, sizeof(keystr));
-		vbprintf(1, "\tsigning with key %s\n", keystr);
+		vbprintf(1, "\tsigning with dnskey %s\n", keystr);
 		dns_rdata_init(&trdata);
 		isc_buffer_init(&b, array, sizeof(array));
 		signwithkey(name, set, &trdata, key->key, &b);
@@ -607,7 +609,7 @@ loadds(dns_name_t *name, isc_uint32_t ttl, dns_rdataset_t *dsset) {
 		return (result);
 	}
-	vbprintf(2, "found KEY records\n");
+	vbprintf(2, "found DNSKEY records\n");
 	result = dns_db_newversion(db, &ver);
 	check_result(result, "dns_db_newversion");
@@ -753,7 +755,7 @@ delegation(dns_name_t *name, dns_dbnode_t *node, isc_uint32_t *ttlp) {
 /*
 * Signs all records at a name.  This mostly just signs each set individually,
- * but also adds the SIG bit to any NSECs generated earlier, deals with
+ * but also adds the RRSIG bit to any NSECs generated earlier, deals with
 * parent/child KEY signatures, and handles other exceptional cases.
 */
 static void
@@ -815,9 +817,9 @@ signname(dns_dbnode_t *node, dns_name_t *name) {
 					dns_rdataset_disassociate(&sigdsset);
 			} else if (dns_rdataset_isassociated(&sigdsset)) {
 				result = dns_db_deleterdataset(gdb, node,
-							       gversion,
+							    gversion,
-							       dns_rdatatype_rrsig,
+							    dns_rdatatype_rrsig,
-							       dns_rdatatype_ds);
+							    dns_rdatatype_ds);
 				check_result(result, "dns_db_deleterdataset");
 				dns_rdataset_disassociate(&sigdsset);
 			}
@@ -858,7 +860,7 @@ signname(dns_dbnode_t *node, dns_name_t *name) {
 	while (result == ISC_R_SUCCESS) {
 		dns_rdatasetiter_current(rdsiter, &rdataset);
-		/* If this is a SIG set, skip it. */
+		/* If this is a RRSIG set, skip it. */
 		if (rdataset.type == dns_rdatatype_rrsig)
 			goto skip;
@@ -871,18 +873,11 @@ signname(dns_dbnode_t *node, dns_name_t *name) {
 			if (rdataset.type != dns_rdatatype_nsec &&
 			    rdataset.type != dns_rdatatype_ds)
 				goto skip;
 #if 0
 		/*
 	 	 * The current draft allows DS not at a zone cut.
 		 * This is a bad idea.  Update once the RFC is published.
 		 * XXXMPA.
 		 */
 		} else if (rdataset.type == dns_rdatatype_ds) {
 			char namebuf[DNS_NAME_FORMATSIZE];
 			dns_name_format(name, namebuf, sizeof(namebuf));
 			fatal("'%s': found DS RRset without NS RRset\n",
 			      namebuf);
 #endif
 		}
 		signset(&diff, node, name, &rdataset);
@@ -979,7 +974,7 @@ soattl(void) {
 }
 /*
- * Delete any SIG records at a node.
+ * Delete any RRSIG records at a node.
 */
 static void
 cleannode(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node) {
@@ -1411,8 +1406,8 @@ warnifallksk(dns_db_t *db) {
 	dns_db_detachnode(db, &node);
 	dns_db_closeversion(db, &currentversion, ISC_FALSE);
 	if (!have_non_ksk && !ignoreksk)
-		fprintf(stderr,
+		fprintf(stderr, "%s: warning: No non-KSK dnskey found. "
-	 "%s: warning: No non-KSK key found. Supply non-KSK key or use '-z'.\n",
+			"Supply non-KSK dnskey or use '-z'.\n",
 			program);
 }
@@ -1568,9 +1563,9 @@ usage(void) {
 	fprintf(stderr, "\t-g:\t");
 	fprintf(stderr, "generate DS records from keyset files\n");
 	fprintf(stderr, "\t-s YYYYMMDDHHMMSS|+offset:\n");
-	fprintf(stderr, "\t\tSIG start time - absolute|offset (now - 1 hour)\n");
+	fprintf(stderr, "\t\tRRSIG start time - absolute|offset (now - 1 hour)\n");
 	fprintf(stderr, "\t-e YYYYMMDDHHMMSS|+offset|\"now\"+offset]:\n");
-	fprintf(stderr, "\t\tSIG end time  - absolute|from start|from now "
+	fprintf(stderr, "\t\tRRSIG end time  - absolute|from start|from now "
 				"(now + 30 days)\n");
 	fprintf(stderr, "\t-i interval:\n");
 	fprintf(stderr, "\t\tcycle interval - resign "
@@ -1592,6 +1587,8 @@ usage(void) {
 	fprintf(stderr, "\t-n ncpus (number of cpus present)\n");
 	fprintf(stderr, "\t-k key_signing_key\n");
 	fprintf(stderr, "\t-l lookasidezone\n");
 	fprintf(stderr, "\t-z:\t");
 	fprintf(stderr, "ignore KSK flag in DNSKEYs");
 	fprintf(stderr, "\n");
@@ -1850,7 +1847,7 @@ main(int argc, char *argv[]) {
 						       DST_TYPE_PRIVATE,
 						       mctx, &newkey);
 			if (result != ISC_R_SUCCESS)
-				fatal("cannot load key %s: %s", argv[i], 
+				fatal("cannot load dnskey %s: %s", argv[i], 
 				      isc_result_totext(result)); 
 			key = ISC_LIST_HEAD(keylist);
@@ -1863,7 +1860,7 @@ main(int argc, char *argv[]) {
 				{
 					if (!dst_key_isprivate(dkey))
 						fatal("cannot sign zone with "
-						      "non-private key %s",
+						      "non-private dnskey %s",
 						      argv[i]);
 					break;
 				}
@@ -1887,7 +1884,7 @@ main(int argc, char *argv[]) {
 					       DST_TYPE_PRIVATE,
 					       mctx, &newkey);
 		if (result != ISC_R_SUCCESS)
-			fatal("cannot load key %s: %s", dskeyfile[i],
+			fatal("cannot load dnskey %s: %s", dskeyfile[i],
 			      isc_result_totext(result)); 
 		key = ISC_LIST_HEAD(keylist);
@@ -1909,7 +1906,7 @@ main(int argc, char *argv[]) {
 			key = ISC_LIST_NEXT(key, link);
 		}
 		if (key == NULL) {
-			/* Override key flags. */
+			/* Override dnskey flags. */
 			key = newkeystruct(newkey, ISC_TRUE);
 			key->isksk = ISC_TRUE;
 			key->isdsk = ISC_FALSE;
--- a/bin/dnssec/dnssec-signzone.docbook
+++ b/bin/dnssec/dnssec-signzone.docbook
@@ -16,7 +16,7 @@
 - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: dnssec-signzone.docbook,v 1.11 2004/06/03 02:22:32 marka Exp $ -->
+<!-- $Id: dnssec-signzone.docbook,v 1.12 2004/06/11 01:12:40 marka Exp $ -->
 <refentry>
  <refentryinfo>
@@ -63,14 +63,12 @@
  <refsect1>
    <title>DESCRIPTION</title>
    <para>
-        <command>dnssec-signzone</command> signs a zone.  It generates NSEC
+        <command>dnssec-signzone</command> signs a zone.  It generates
-	and RRSIG records and produces a signed version of the zone.  If there
+	NSEC and RRSIG records and produces a signed version of the
-	is a <filename>signedkey</filename> file from the zone's parent,
+	zone. The security status of delegations from the signed zone
-	the parent's signatures will be incorporated into the generated
+	(that is, whether the child zones are secure or not) is
-	signed zone file.  The security status of delegations from the
+	determined by the presence or absence of a
-        signed zone (that is, whether the child zones are secure or not) is
+	<filename>keyset</filename> file for each child zone.
        determined by the presence or absence of a
 	<filename>signedkey</filename> file for each child zone.
    </para>
  </refsect1>
@@ -120,7 +118,7 @@
        <term>-d <replaceable class="parameter">directory</replaceable></term>
 	<listitem>
 	  <para>
-	       Look for <filename>signedkey</filename> files in
+	       Look for <filename>keyset</filename> files in
 	       <option>directory</option> as the directory 
 	  </para>
 	</listitem>
@@ -317,8 +315,8 @@
        The following command signs the <userinput>example.com</userinput>
 	zone with the DSA key generated in the <command>dnssec-keygen</command>
 	man page.  The zone's keys must be in the zone.  If there are
-	<filename>signedkey</filename> files associated with this zone
+	<filename>keyset</filename> files associated with child zones,
-	or any child zones, they must be in the current directory.
+	they must be in the current directory.
 	<userinput>example.com</userinput>, the following command would be
 	issued:
    </para>
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: validator.c,v 1.122 2004/05/14 04:45:57 marka Exp $ */
+/* $Id: validator.c,v 1.123 2004/06/11 01:12:38 marka Exp $ */
 #include <config.h>
@@ -1593,7 +1593,7 @@ dlv_validatezonekey(dns_validator_t *val) {
 		}
 		if (result != ISC_R_SUCCESS) {
 			validator_log(val, ISC_LOG_DEBUG(3),
-				      "no KEY matching DLV");
+				      "no DNSKEY matching DLV");
 			continue;
 		}
@@ -1628,7 +1628,8 @@ dlv_validatezonekey(dns_validator_t *val) {
 		dns_rdataset_disassociate(&trdataset);
 		if (result == ISC_R_SUCCESS)
 			break;
-		validator_log(val, ISC_LOG_DEBUG(3), "no SIG matching DLV key");
+		validator_log(val, ISC_LOG_DEBUG(3),
 			      "no RRSIG matching DLV key");
 	}
 	if (result == ISC_R_SUCCESS) {
 		val->event->rdataset->trust = dns_trust_secure;
@@ -1877,7 +1878,7 @@ validatezonekey(dns_validator_t *val) {
 		}
 		if (result != ISC_R_SUCCESS) {
 			validator_log(val, ISC_LOG_DEBUG(3),
-				      "no KEY matching DS");
+				      "no DNSKEY matching DS");
 			continue;
 		}
@@ -1912,7 +1913,8 @@ validatezonekey(dns_validator_t *val) {
 		dns_rdataset_disassociate(&trdataset);
 		if (result == ISC_R_SUCCESS)
 			break;
-		validator_log(val, ISC_LOG_DEBUG(3), "no SIG matching DS key");
+		validator_log(val, ISC_LOG_DEBUG(3),
 			      "no RRSIG matching DS key");
 	}
 	if (result == ISC_R_SUCCESS) {
 		event->rdataset->trust = dns_trust_secure;
@@ -2092,8 +2094,8 @@ nsecvalidate(dns_validator_t *val, isc_boolean_t resume) {
 			 * would lead to a query for the zone key, which
 			 * would return a negative answer, which would contain
 			 * an SOA and an NSEC signed by the missing key, which
-			 * would trigger another query for the KEY (since the
+			 * would trigger another query for the DNSKEY (since
-			 * first one is still in progress), and go into an
+			 * the first one is still in progress), and go into an
 			 * infinite loop.  Avoid that.
 			 */
 			if (val->event->type == dns_rdatatype_dnskey &&