Merge branch 'each-remove-bindkeys' into 'main'

remove /etc/bind.keys

Closes #3850

See merge request isc-projects/bind9!7484

CHANGES

@@ -1,3 +1,8 @@
+6088.	[cleanup]	/etc/bind.keys is no longer needed and has been
+			removed from the distribution. named and delv can
+			still load keys from a file for testing purposes,
+			but they no longer do so by default. [GL #3850]
+
 6087.	[cleanup]	Remove support for the `DNS_NAME_DOWNCASE` option to
 			the various dns_*_fromwire() functions. It has long
 			been unused and is unsupported since change 6022.

Makefile.am

@@ -12,11 +12,10 @@ CLEANFILES = bind.keys.h
 bind.keys.h: bind.keys Makefile
 	${PERL} ${top_srcdir}/util/bindkeys.pl ${top_srcdir}/bind.keys > $@
 
-dist_sysconf_DATA = bind.keys
-
 .PHONY: doc
 
 EXTRA_DIST =			\
+	bind.keys		\
 	util/bindkeys.pl	\
 	contrib			\
 	CHANGES			\

Makefile.docs

@@ -14,7 +14,6 @@ LF = \n
 RNDC_CONF = .. |rndc_conf| replace:: ``$(sysconfdir)/rndc.conf``
 RNDC_KEY = .. |rndc_key| replace:: ``$(sysconfdir)/rndc.key``
 NAMED_CONF = .. |named_conf| replace:: ``$(sysconfdir)/named.conf``
-BIND_KEYS = .. |bind_keys| replace:: ``$(sysconfdir)/bind.keys``
 NAMED_PID = .. |named_pid| replace:: ``$(runstatedir)/named.pid``
 SESSION_KEY = .. |session_key| replace:: ``$(runstatedir)/session.key``
 

bin/check/named-checkconf.rst

@@ -32,10 +32,11 @@ errors. If no file is specified,
 |named_conf| is read by default.
 
 Note: files that :iscman:`named` reads in separate parser contexts, such as
-``rndc.key`` and ``bind.keys``, are not automatically read by
-:program:`named-checkconf`. Configuration errors in these files may cause
-:iscman:`named` to fail to run, even if :program:`named-checkconf` was successful.
-However, :program:`named-checkconf` can be run on these files explicitly.
+``rndc.conf`` or ``rndc.key``, are not automatically read by
+:program:`named-checkconf`.  Configuration errors in these files may cause
+:iscman:`named` to fail to run, even if :program:`named-checkconf` was
+successful.  However, :program:`named-checkconf` can be run on these files
+explicitly.
 
 Options
 ~~~~~~~

bin/delv/delv.c

@@ -125,7 +125,7 @@ static dns_name_t *anchor_name = NULL;
 static dns_master_style_t *style = NULL;
 static dns_fixedname_t qfn;
 
-/* Default bind.keys contents */
+/* Default trust anchors */
 static char anchortext[] = TRUST_ANCHORS;
 
 /*
@@ -812,16 +812,11 @@ setup_dnsseckeys(dns_client_t *client) {
 	const cfg_obj_t *managed_keys = NULL;
 	const cfg_obj_t *trust_anchors = NULL;
 	cfg_obj_t *bindkeys = NULL;
-	const char *filename = anchorfile;
 
 	if (!root_validation) {
 		return (ISC_R_SUCCESS);
 	}
 
-	if (filename == NULL) {
-		filename = SYSCONFDIR "/bind.keys";
-	}
-
 	if (trust_anchor == NULL) {
 		trust_anchor = isc_mem_strdup(mctx, ".");
 	}
@@ -832,22 +827,17 @@ setup_dnsseckeys(dns_client_t *client) {
 
 	CHECK(cfg_parser_create(mctx, dns_lctx, &parser));
 
-	if (access(filename, R_OK) != 0) {
-		if (anchorfile != NULL) {
+	if (anchorfile != NULL) {
+		if (access(anchorfile, R_OK) != 0) {
 			fatal("Unable to read key file '%s'", anchorfile);
 		}
-	} else {
-		result = cfg_parse_file(parser, filename, &cfg_type_bindkeys,
+
+		result = cfg_parse_file(parser, anchorfile, &cfg_type_bindkeys,
 					&bindkeys);
 		if (result != ISC_R_SUCCESS) {
-			if (anchorfile != NULL) {
-				fatal("Unable to load keys from '%s'",
-				      anchorfile);
-			}
+			fatal("Unable to load keys from '%s'", anchorfile);
 		}
-	}
-
-	if (bindkeys == NULL) {
+	} else {
 		isc_buffer_t b;
 
 		isc_buffer_init(&b, anchortext, sizeof(anchortext) - 1);

bin/delv/delv.rst

@@ -102,20 +102,21 @@ Options
 
 .. option:: -a anchor-file
 
-   This option specifies a file from which to read DNSSEC trust anchors. The default
-   is |bind_keys|, which is included with BIND 9 and contains one
-   or more trust anchors for the root zone (".").
+   This option specifies a file from which to read an alternate
+   DNSSEC root zone trust anchor.
 
-   Keys that do not match the root zone name are ignored. An alternate
-   key name can be specified using the :option:`+root` option.
+   By default, keys that do not match the root zone name (`.`) are
+   ignored. If an alternate key name is desired, it can be
+   specified using the :option:`+root` option.
 
-   Note: When reading the trust anchor file, :program:`delv` treats ``trust-anchors``,
-   ``initial-key``, and ``static-key`` identically. That is, for a managed key,
-   it is the *initial* key that is trusted; :rfc:`5011` key management is not
-   supported. :program:`delv` does not consult the managed-keys database maintained by
-   :iscman:`named`, which means that if either of the keys in |bind_keys| is
-   revoked and rolled over, |bind_keys| must be updated to
-   use DNSSEC validation in :program:`delv`.
+   Note: When reading trust anchors, :program:`delv` treats
+   ``trust-anchors``, ``initial-key``, and ``static-key`` identically. That
+   is, for a managed key, it is the *initial* key that is trusted;
+   :rfc:`5011` key management is not supported. :program:`delv` does not
+   consult the managed-keys database maintained by :iscman:`named`. This
+   means that if the default key built in to :program:`delv` is revoked,
+   :program:`delv` must be updated to a newer version in order to continue
+   validating.
 
 .. option:: -b address
 
@@ -354,8 +355,6 @@ assign values to options like the timeout interval. They have the form
 Files
 ~~~~~
 
-|bind_keys|
-
 ``/etc/resolv.conf``
 
 See Also

bin/named/config.c

@@ -49,7 +49,6 @@ static char defaultconf[] = "\
 options {\n\
 	answer-cookie true;\n\
 	automatic-interface-scan yes;\n\
-	bindkeys-file \"" NAMED_SYSCONFDIR "/bind.keys\";\n\
 #	blackhole {none;};\n\
 	cookie-algorithm siphash24;\n\
 #	directory <none>\n\

bin/named/include/named/globals.h

@@ -97,7 +97,7 @@ EXTERN unsigned int named_g_debuglevel	     INIT(0);
 EXTERN cfg_obj_t *named_g_config	   INIT(NULL);
 EXTERN const cfg_obj_t *named_g_defaults   INIT(NULL);
 EXTERN const char *named_g_conffile	   INIT(NAMED_SYSCONFDIR "/named.conf");
-EXTERN const char *named_g_defaultbindkeys INIT(NAMED_SYSCONFDIR "/bind.keys");
+EXTERN const char *named_g_defaultbindkeys INIT(NULL);
 EXTERN const char *named_g_keyfile	   INIT(NAMED_SYSCONFDIR "/rndc.key");
 
 EXTERN dns_tsigkey_t *named_g_sessionkey    INIT(NULL);

bin/named/main.c

@@ -667,7 +667,6 @@ printversion(bool verbose) {
 	printf("default paths:\n");
 	printf("  named configuration:  %s\n", named_g_conffile);
 	printf("  rndc configuration:   %s\n", rndcconf);
-	printf("  DNSSEC root key:      %s\n", named_g_defaultbindkeys);
 	printf("  nsupdate session key: %s\n", named_g_defaultsessionkeyfile);
 	printf("  named PID file:       %s\n", named_g_defaultpidfile);
 	printf("  named lock file:      %s\n", named_g_defaultlockfile);

bin/named/server.c

@@ -8510,45 +8510,45 @@ load_configuration(const char *filename, named_server_t *server,
 #endif
 
 	/*
-	 * If bind.keys exists, load it.  If "dnssec-validation auto"
-	 * is turned on, the root key found there will be used as a
-	 * default trust anchor.
+	 * If "dnssec-validation auto" is turned on, the root key
+	 * will be used as a default trust anchor. The root key
+	 * is built in, but if bindkeys-file is set, then it will
+	 * be overridden with the key in that file.
 	 */
 	obj = NULL;
-	result = named_config_get(maps, "bindkeys-file", &obj);
-	INSIST(result == ISC_R_SUCCESS);
-	setstring(server, &server->bindkeysfile, cfg_obj_asstring(obj));
-	INSIST(server->bindkeysfile != NULL);
-
-	if (access(server->bindkeysfile, R_OK) == 0) {
-		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
-			      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
-			      "reading built-in trust anchors "
-			      "from file '%s'",
-			      server->bindkeysfile);
-
-		result = cfg_parser_create(named_g_mctx, named_g_lctx,
-					   &bindkeys_parser);
-		if (result != ISC_R_SUCCESS) {
-			goto cleanup_config;
-		}
-
-		result = cfg_parse_file(bindkeys_parser, server->bindkeysfile,
-					&cfg_type_bindkeys, &bindkeys);
-		if (result != ISC_R_SUCCESS) {
+	(void)named_config_get(maps, "bindkeys-file", &obj);
+	if (obj != NULL) {
+		setstring(server, &server->bindkeysfile, cfg_obj_asstring(obj));
+		INSIST(server->bindkeysfile != NULL);
+		if (access(server->bindkeysfile, R_OK) != 0) {
 			isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
 				      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
-				      "unable to parse '%s' error '%s'; using "
-				      "built-in keys instead",
-				      server->bindkeysfile,
-				      isc_result_totext(result));
+				      "unable to open '%s'; using built-in "
+				      "keys instead",
+				      server->bindkeysfile);
+		} else {
+			result = cfg_parser_create(named_g_mctx, named_g_lctx,
+						   &bindkeys_parser);
+			if (result != ISC_R_SUCCESS) {
+				goto cleanup_config;
+			}
+
+			result = cfg_parse_file(bindkeys_parser,
+						server->bindkeysfile,
+						&cfg_type_bindkeys, &bindkeys);
+			if (result != ISC_R_SUCCESS) {
+				isc_log_write(
+					named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+					NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
+					"unable to parse '%s' "
+					"error '%s'; using "
+					"built-in keys instead",
+					server->bindkeysfile,
+					isc_result_totext(result));
+			}
 		}
 	} else {
-		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
-			      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
-			      "unable to open '%s'; using built-in keys "
-			      "instead",
-			      server->bindkeysfile);
+		setstring(server, &server->bindkeysfile, NULL);
 	}
 
 	/*
@@ -10270,7 +10270,6 @@ named_server_create(isc_mem_t *mctx, named_server_t **serverp) {
 	*server = (named_server_t){
 		.mctx = mctx,
 		.statsfile = isc_mem_strdup(mctx, "named.stats"),
-		.bindkeysfile = isc_mem_strdup(mctx, named_g_defaultbindkeys),
 		.dumpfile = isc_mem_strdup(mctx, "named_dump.db"),
 		.secrootsfile = isc_mem_strdup(mctx, "named.secroots"),
 		.recfile = isc_mem_strdup(mctx, "named.recursing"),
@@ -10382,11 +10381,14 @@ named_server_destroy(named_server_t **serverp) {
 	}
 
 	isc_mem_free(server->mctx, server->statsfile);
-	isc_mem_free(server->mctx, server->bindkeysfile);
 	isc_mem_free(server->mctx, server->dumpfile);
 	isc_mem_free(server->mctx, server->secrootsfile);
 	isc_mem_free(server->mctx, server->recfile);
 
+	if (server->bindkeysfile != NULL) {
+		isc_mem_free(server->mctx, server->bindkeysfile);
+	}
+
 	if (server->version != NULL) {
 		isc_mem_free(server->mctx, server->version);
 	}

doc/arm/conf.py

@@ -184,7 +184,6 @@ rst_epilog = """
 .. |rndc_conf| replace:: ``/etc/rndc.conf``
 .. |rndc_key| replace:: ``/etc/rndc.key``
 .. |named_conf| replace:: ``/etc/named.conf``
-.. |bind_keys| replace:: ``/etc/bind.keys``
 .. |named_pid| replace:: ``/run/named.pid``
 .. |session_key| replace:: ``/run/session.key``
 """

doc/arm/reference.rst

@@ -1323,7 +1323,7 @@ default is used.
    found when performing a dynamic update of secure zones, if different
    than the current working directory. (Note that this option has no
    effect on the paths for files containing non-DNSSEC keys such as
-   ``bind.keys``, ``rndc.key``, or ``session.key``.)
+   ``rndc.key``, or ``session.key``.)
 
 .. namedconf:statement:: lmdb-mapsize
    :tags: server
@@ -1515,7 +1515,7 @@ default is used.
 
    This is the pathname of a file to override the built-in trusted keys provided
    by :iscman:`named`. See the discussion of :any:`dnssec-validation` for
-   details. If not specified, the default is |bind_keys|.
+   details. This is intended for server testing.
 
 .. namedconf:statement:: secroots-file
    :tags: dnssec
@@ -2609,32 +2609,19 @@ Boolean Options
    :any:`managed-keys` or :any:`trusted-keys` statements, both deprecated). If
    there is no configured trust anchor, validation does not take place.
 
-   If set to ``no``, DNSSEC validation is disabled.
+   If set to ``no``, DNSSEC validation is disabled. (Note: the resolver
+   will still set the DO bit in outgoing queries indicating that it can
+   accept DNSSEC responses, even if :any:`dnssec-validation` is disabled.)
 
    The default is ``auto``, unless BIND is built with
    ``configure --disable-auto-validation``, in which case the default is
    ``yes``.
 
-   The default root trust anchor is stored in the file ``bind.keys``.
-   :iscman:`named` loads that key at startup if :any:`dnssec-validation` is
-   set to ``auto``. A copy of the file is installed along with BIND 9,
-   and is current as of the release date. If the root key expires, a new
-   copy of ``bind.keys`` can be downloaded from
-   https://www.isc.org/bind-keys.
-
-   (To prevent problems if ``bind.keys`` is not found, the current trust
-   anchor is also compiled in :iscman:`named`. Relying on this is not
-   recommended, however, as it requires :iscman:`named` to be recompiled with
-   a new key when the root key expires.)
-
-   .. note:: :iscman:`named` loads *only* the root key from ``bind.keys``. The file
-         cannot be used to store keys for other zones. The root key in
-         ``bind.keys`` is ignored if ``dnssec-validation auto`` is not in
-         use.
-
-         Whenever the resolver sends out queries to an EDNS-compliant
-         server, it always sets the DO bit indicating it can support DNSSEC
-         responses, even if :any:`dnssec-validation` is off.
+   The default root trust anchor is compiled into :iscman:`named` 
+   and is current as of the release date. If the root key changes, a
+   running BIND server will detect this and roll smoothly to the new
+   key, but newly-installed servers will be unable to start validation,
+   so BIND must be upgraded to a newer version.
 
 .. namedconf:statement:: validate-except
    :tags: dnssec
@@ -6164,10 +6151,11 @@ simply moves on. The key specified in the :any:`trust-anchors` statement is
 not used to validate answers; it is superseded by the key or keys stored
 in the managed-keys database.
 
-The next time :iscman:`named` runs after an ``initial-key`` or ``initial-ds`` has been *removed*
-from the :any:`trust-anchors` statement (or changed to a ``static-key`` or ``static-ds``), the
-corresponding zone is removed from the managed-keys database, and
-:rfc:`5011` key maintenance is no longer used for that domain.
+The next time :iscman:`named` runs after an ``initial-key`` or
+``initial-ds`` has been *removed* from the :any:`trust-anchors` statement
+(or changed to a ``static-key`` or ``static-ds``), the corresponding zone
+is removed from the managed-keys database, and :rfc:`5011` key maintenance
+is no longer used for that domain.
 
 In the current implementation, the managed-keys database is stored as a
 master-format zone file.
@@ -6189,12 +6177,12 @@ others, the working directory should be always be writable by
 :iscman:`named`.)
 
 If the :any:`dnssec-validation` option is set to ``auto``, :iscman:`named`
-automatically initializes an ``initial-key`` for the root zone. The key
-that is used to initialize the key-maintenance process is stored in
-``bind.keys``; the location of this file can be overridden with the
-:any:`bindkeys-file` option. As a fallback in the event no ``bind.keys``
-can be found, the initializing key is also compiled directly into
-:iscman:`named`.
+automatically sets up an ``initial-key`` for the root zone. This
+initializing key is built in to :iscman:`named`, and is current as of the
+release date.  When the root zone key changes, a running server will detect
+the change and roll to the new key, but newly-installed servers being run
+for the first time will need to be from a recent enough version of BIND to
+have been built with the current key.
 
 :any:`dnssec-policy` Block Grammar
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

doc/dnssec-guide/troubleshooting.rst

@@ -422,7 +422,6 @@ reload`` with the key files missing from the key directory:
 
    named[32516]: received control channel command 'reload'
    named[32516]: loading configuration from '/etc/bind/named.conf'
-   named[32516]: reading built-in trusted keys from file '/etc/bind/bind.keys'
    named[32516]: using default UDP/IPv4 port range: [1024, 65535]
    named[32516]: using default UDP/IPv6 port range: [1024, 65535]
    named[32516]: sizing zone task pool based on 6 zones

doc/dnssec-guide/validation.rst

@@ -562,12 +562,6 @@ validated and the authenticated data (``ad``) bit is set, and the response
 is sent to the client; if it does not verify, a SERVFAIL is returned to
 the client.
 
-.. [#]
-   BIND technically includes two copies of the root key: one is in
-   ``bind.keys.h`` and is built into the executable, and one is in
-   ``bind.keys`` as a :any:`trust-anchors` statement. The two copies of the
-   key are identical.
-
 .. _trust_anchors_description:
 
 Trust Anchors
@@ -650,9 +644,8 @@ anchor) configured. How did it get here, and how do we maintain it?
 If you followed the recommendation in
 :ref:`easy_start_guide_for_recursive_servers`, by setting
 :any:`dnssec-validation` to *auto*, there is nothing left to do.
-BIND already includes a copy of the root key (in the file
-``bind.keys``), and automatically updates it when the root key
-changes. [#]_ It looks something like this:
+BIND already includes a copy of the root key, and automatically updates it
+when the root key changes. [#]_ It looks something like this:
 
 ::
 
@@ -677,10 +670,8 @@ to *yes* rather than *auto*:
        dnssec-validation yes;
    };
 
-Then, download the root key manually from a trustworthy source, such as
-`<https://www.isc.org/bind-keys>`__. Finally, take the root key you
-manually downloaded and put it into a :any:`trust-anchors` statement as
-shown below:
+Then, download the root key manually from a trustworthy source,
+and put it into a :any:`trust-anchors` statement as shown below:
 
 ::
 
@@ -695,16 +686,15 @@ shown below:
                    R1AkUTV74bU=";
    };
 
-While this :any:`trust-anchors` statement and the one in the ``bind.keys``
-file appear similar, the definition of the key in ``bind.keys`` has the
-``initial-key`` modifier, whereas in the statement in the configuration
-file, that is replaced by ``static-key``. There is an important
-difference between the two: a key defined with ``static-key`` is always
-trusted until it is deleted from the configuration file. With the
-``initial-key`` modified, keys are only trusted once: for as long as it
-takes to load the managed key database and start the key maintenance
-process. Thereafter, BIND uses the managed keys database
-(``managed-keys.bind.jnl``) as the source of key information.
+While this :any:`trust-anchors` statement looks similar to the built-in
+version above, the built-in key has the ``initial-key`` modifier, whereas
+in the statement in the configuration file, that is replaced by
+``static-key``. There is an important difference between the two: a key
+defined with ``static-key`` is always trusted until it is deleted from the
+configuration file. With the ``initial-key`` modifier, keys are only
+trusted once: for as long as it takes to load the managed key database and
+start the key maintenance process. Thereafter, BIND uses the managed keys
+database (``managed-keys.bind.jnl``) as the source of key information.
 
 .. warning::
 

doc/man/conf.py

@@ -201,7 +201,6 @@ rst_epilog = """
 .. |rndc_conf| replace:: ``@sysconfdir@/rndc.conf``
 .. |rndc_key| replace:: ``@sysconfdir@/rndc.key``
 .. |named_conf| replace:: ``@sysconfdir@/named.conf``
-.. |bind_keys| replace:: ``@sysconfdir@/bind.keys``
 .. |named_pid| replace:: ``@runstatedir@/named.pid``
 .. |session_key| replace:: ``@runstatedir@/session.key``
 """

doc/man/delv.1in

@@ -116,20 +116,21 @@ supplied, \fBdelv\fP performs a lookup for an A record.
 .INDENT 0.0
 .TP
 .B \-a anchor\-file
-This option specifies a file from which to read DNSSEC trust anchors. The default
-is \fB@sysconfdir@/bind.keys\fP, which is included with BIND 9 and contains one
-or more trust anchors for the root zone (".").
+This option specifies a file from which to read an alternate
+DNSSEC root zone trust anchor.
 .sp
-Keys that do not match the root zone name are ignored. An alternate
-key name can be specified using the \fI\%+root\fP option.
+By default, keys that do not match the root zone name (\fI\&.\fP) are
+ignored. If an alternate key name is desired, it can be
+specified using the \fI\%+root\fP option.
 .sp
-Note: When reading the trust anchor file, \fBdelv\fP treats \fBtrust\-anchors\fP,
-\fBinitial\-key\fP, and \fBstatic\-key\fP identically. That is, for a managed key,
-it is the \fIinitial\fP key that is trusted; \fI\%RFC 5011\fP key management is not
-supported. \fBdelv\fP does not consult the managed\-keys database maintained by
-\fI\%named\fP, which means that if either of the keys in \fB@sysconfdir@/bind.keys\fP is
-revoked and rolled over, \fB@sysconfdir@/bind.keys\fP must be updated to
-use DNSSEC validation in \fBdelv\fP\&.
+Note: When reading trust anchors, \fBdelv\fP treats
+\fBtrust\-anchors\fP, \fBinitial\-key\fP, and \fBstatic\-key\fP identically. That
+is, for a managed key, it is the \fIinitial\fP key that is trusted;
+\fI\%RFC 5011\fP key management is not supported. \fBdelv\fP does not
+consult the managed\-keys database maintained by \fI\%named\fP\&. This
+means that if the default key built in to \fBdelv\fP is revoked,
+\fBdelv\fP must be updated to a newer version in order to continue
+validating.
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -397,8 +398,6 @@ This option prints response data in YAML format.
 .UNINDENT
 .SH FILES
 .sp
-\fB@sysconfdir@/bind.keys\fP
-.sp
 \fB/etc/resolv.conf\fP
 .SH SEE ALSO
 .sp

doc/man/named-checkconf.1in

@@ -41,10 +41,11 @@ errors. If no file is specified,
 \fB@sysconfdir@/named.conf\fP is read by default.
 .sp
 Note: files that \fI\%named\fP reads in separate parser contexts, such as
-\fBrndc.key\fP and \fBbind.keys\fP, are not automatically read by
-\fBnamed\-checkconf\fP\&. Configuration errors in these files may cause
-\fI\%named\fP to fail to run, even if \fBnamed\-checkconf\fP was successful.
-However, \fBnamed\-checkconf\fP can be run on these files explicitly.
+\fBrndc.conf\fP or \fBrndc.key\fP, are not automatically read by
+\fBnamed\-checkconf\fP\&.  Configuration errors in these files may cause
+\fI\%named\fP to fail to run, even if \fBnamed\-checkconf\fP was
+successful.  However, \fBnamed\-checkconf\fP can be run on these files
+explicitly.
 .SH OPTIONS
 .INDENT 0.0
 .TP

doc/man/named.conf.5in

@@ -134,7 +134,7 @@ options {
 	automatic\-interface\-scan <boolean>;
 	avoid\-v4\-udp\-ports { <portrange>; ... }; // deprecated
 	avoid\-v6\-udp\-ports { <portrange>; ... }; // deprecated
-	bindkeys\-file <quoted_string>;
+	bindkeys\-file <quoted_string>; // test only
 	blackhole { <address_match_element>; ... };
 	catalog\-zones { zone <string> [ default\-primaries [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source\-v6 ( <ipv6_address> | * ) ] { ( <remote\-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... } ] [ zone\-directory <quoted_string> ] [ in\-memory <boolean> ] [ min\-update\-interval <duration> ]; ... };
 	check\-dup\-records ( fail | warn | ignore );

doc/misc/options

@@ -77,7 +77,7 @@ options {
 	automatic-interface-scan <boolean>;
 	avoid-v4-udp-ports { <portrange>; ... }; // deprecated
 	avoid-v6-udp-ports { <portrange>; ... }; // deprecated
-	bindkeys-file <quoted_string>;
+	bindkeys-file <quoted_string>; // test only
 	blackhole { <address_match_element>; ... };
 	catalog-zones { zone <string> [ default-primaries [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... } ] [ zone-directory <quoted_string> ] [ in-memory <boolean> ] [ min-update-interval <duration> ]; ... };
 	check-dup-records ( fail | warn | ignore );

lib/isccfg/namedconf.c

@@ -1212,7 +1212,7 @@ static cfg_clausedef_t options_clauses[] = {
 	  CFG_CLAUSEFLAG_DEPRECATED },
 	{ "avoid-v6-udp-ports", &cfg_type_bracketed_portlist,
 	  CFG_CLAUSEFLAG_DEPRECATED },
-	{ "bindkeys-file", &cfg_type_qstring, 0 },
+	{ "bindkeys-file", &cfg_type_qstring, CFG_CLAUSEFLAG_TESTONLY },
 	{ "blackhole", &cfg_type_bracketed_aml, 0 },
 	{ "cookie-algorithm", &cfg_type_cookiealg, 0 },
 	{ "cookie-secret", &cfg_type_sstring, CFG_CLAUSEFLAG_MULTI },

util/check-make-install.in

@@ -47,7 +47,7 @@ if [ ! -f "${named_man_page_path}" ]; then
 fi
 
 if [ -n "${DESTDIR}" ]; then
-	for expected_subdir in bin etc include lib sbin share; do
+	for expected_subdir in bin include lib sbin share; do
 		echo "${install_dir}/${expected_subdir}" >> "${abs_builddir}/expected_dirs"
 	done
 	find "${install_dir}" -maxdepth 1 -mindepth 1 -type d | sort > "${abs_builddir}/existing_dirs"