diff --git a/CHANGES b/CHANGES index 0c599bcc88..58c6cb730b 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,8 @@ +6088. [cleanup] /etc/bind.keys is no longer needed and has been + removed from the distribution. named and delv can + still load keys from a file for testing purposes, + but they no longer do so by default. [GL #3850] + 6087. [cleanup] Remove support for the `DNS_NAME_DOWNCASE` option to the various dns_*_fromwire() functions. It has long been unused and is unsupported since change 6022. diff --git a/Makefile.am b/Makefile.am index 2f09561659..89e50d0f56 100644 --- a/Makefile.am +++ b/Makefile.am @@ -12,11 +12,10 @@ CLEANFILES = bind.keys.h bind.keys.h: bind.keys Makefile ${PERL} ${top_srcdir}/util/bindkeys.pl ${top_srcdir}/bind.keys > $@ -dist_sysconf_DATA = bind.keys - .PHONY: doc EXTRA_DIST = \ + bind.keys \ util/bindkeys.pl \ contrib \ CHANGES \ diff --git a/Makefile.docs b/Makefile.docs index 13692895cd..674f51d2fc 100644 --- a/Makefile.docs +++ b/Makefile.docs @@ -14,7 +14,6 @@ LF = \n RNDC_CONF = .. |rndc_conf| replace:: ``$(sysconfdir)/rndc.conf`` RNDC_KEY = .. |rndc_key| replace:: ``$(sysconfdir)/rndc.key`` NAMED_CONF = .. |named_conf| replace:: ``$(sysconfdir)/named.conf`` -BIND_KEYS = .. |bind_keys| replace:: ``$(sysconfdir)/bind.keys`` NAMED_PID = .. |named_pid| replace:: ``$(runstatedir)/named.pid`` SESSION_KEY = .. |session_key| replace:: ``$(runstatedir)/session.key`` diff --git a/bin/check/named-checkconf.rst b/bin/check/named-checkconf.rst index b3065a512a..a15a4c64ea 100644 --- a/bin/check/named-checkconf.rst +++ b/bin/check/named-checkconf.rst 
@@ -32,10 +32,11 @@ errors. If no file is specified, |named_conf| is read by default. Note: files that :iscman:`named` reads in separate parser contexts, such as -``rndc.key`` and ``bind.keys``, are not automatically read by -:program:`named-checkconf`. Configuration errors in these files may cause -:iscman:`named` to fail to run, even if :program:`named-checkconf` was successful. -However, :program:`named-checkconf` can be run on these files explicitly. +``rndc.conf`` or ``rndc.key``, are not automatically read by +:program:`named-checkconf`. Configuration errors in these files may cause +:iscman:`named` to fail to run, even if :program:`named-checkconf` was +successful. However, :program:`named-checkconf` can be run on these files +explicitly. Options ~~~~~~~ diff --git a/bin/delv/delv.c b/bin/delv/delv.c index 13c85b240a..4f7ff13c83 100644 --- a/bin/delv/delv.c +++ b/bin/delv/delv.c @@ -125,7 +125,7 @@ static dns_name_t *anchor_name = NULL; static dns_master_style_t *style = NULL; static dns_fixedname_t qfn; -/* Default bind.keys contents */ +/* Default trust anchors */ static char anchortext[] = TRUST_ANCHORS; /* @@ -812,16 +812,11 @@ setup_dnsseckeys(dns_client_t *client) { const cfg_obj_t *managed_keys = NULL; const cfg_obj_t *trust_anchors = NULL; cfg_obj_t *bindkeys = NULL; - const char *filename = anchorfile; if (!root_validation) { return (ISC_R_SUCCESS); } - if (filename == NULL) { - filename = SYSCONFDIR "/bind.keys"; - } - if (trust_anchor == NULL) { trust_anchor = isc_mem_strdup(mctx, "."); } 
@@ -832,22 +827,17 @@ setup_dnsseckeys(dns_client_t *client) { CHECK(cfg_parser_create(mctx, dns_lctx, &parser)); - if (access(filename, R_OK) != 0) { - if (anchorfile != NULL) { + if (anchorfile != NULL) { + if (access(anchorfile, R_OK) != 0) { fatal("Unable to read key file '%s'", anchorfile); } - } else { - result = cfg_parse_file(parser, filename, &cfg_type_bindkeys, + + result = cfg_parse_file(parser, anchorfile, &cfg_type_bindkeys, &bindkeys); if (result != ISC_R_SUCCESS) { - if (anchorfile != NULL) { - fatal("Unable to load keys from '%s'", - anchorfile); - } + fatal("Unable to load keys from '%s'", anchorfile); } - } - - if (bindkeys == NULL) { + } else { isc_buffer_t b; isc_buffer_init(&b, anchortext, sizeof(anchortext) - 1); diff --git a/bin/delv/delv.rst b/bin/delv/delv.rst index bf6cce1e8f..827e3377ba 100644 --- a/bin/delv/delv.rst +++ b/bin/delv/delv.rst 
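Review bot: The `access(anchorfile, R_OK)` pre-check ahead of `cfg_parse_file()` is now redundant: with the default-file fallback gone, an unreadable file is a fatal error either way, and checking then opening separately is a check-then-use pattern whose answer can be stale by the time the parser opens the file. Dropping the access() call and folding the two messages into one, e.g. `fatal("Unable to load keys from '%s': %s", anchorfile, isc_result_totext(result));`, gives the operator the parser's result text for both the unreadable and the malformed case. The same check-then-parse shape appears in the server.c load_configuration hunk (`access(server->bindkeysfile, R_OK)` before `cfg_parse_file()`), where the failure is only logged. setup_dnsseckeys begins before this hunk and its else branch continues past it.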
@@ -102,20 +102,21 @@ Options .. option:: -a anchor-file - This option specifies a file from which to read DNSSEC trust anchors. The default - is |bind_keys|, which is included with BIND 9 and contains one - or more trust anchors for the root zone ("."). + This option specifies a file from which to read an alternate + DNSSEC root zone trust anchor. - Keys that do not match the root zone name are ignored. An alternate - key name can be specified using the :option:`+root` option. + By default, keys that do not match the root zone name (`.`) are + ignored. If an alternate key name is desired, it can be + specified using the :option:`+root` option. - Note: When reading the trust anchor file, :program:`delv` treats ``trust-anchors``, - ``initial-key``, and ``static-key`` identically. That is, for a managed key, - it is the *initial* key that is trusted; :rfc:`5011` key management is not - supported. :program:`delv` does not consult the managed-keys database maintained by - :iscman:`named`, which means that if either of the keys in |bind_keys| is - revoked and rolled over, |bind_keys| must be updated to - use DNSSEC validation in :program:`delv`. + Note: When reading trust anchors, :program:`delv` treats + ``trust-anchors``, ``initial-key``, and ``static-key`` identically. That + is, for a managed key, it is the *initial* key that is trusted; + :rfc:`5011` key management is not supported. :program:`delv` does not + consult the managed-keys database maintained by :iscman:`named`. This + means that if the default key built in to :program:`delv` is revoked, + :program:`delv` must be updated to a newer version in order to continue + validating. .. option:: -b address @@ -354,8 +355,6 @@ assign values to options like the timeout interval. They have the form Files ~~~~~ -|bind_keys| - ``/etc/resolv.conf`` See Also diff --git a/bin/named/config.c b/bin/named/config.c index 5051f3c1ac..378582d2ed 100644 --- a/bin/named/config.c +++ b/bin/named/config.c 
@@ -49,7 +49,6 @@ static char defaultconf[] = "\
 options {\n\
 answer-cookie true;\n\
 automatic-interface-scan yes;\n\
- bindkeys-file \"" NAMED_SYSCONFDIR "/bind.keys\";\n\
 # blackhole {none;};\n\
 cookie-algorithm siphash24;\n\
 # directory \n\
diff --git a/bin/named/include/named/globals.h b/bin/named/include/named/globals.h
index 1af0568e4d..ddcd81179a 100644
--- a/bin/named/include/named/globals.h
+++ b/bin/named/include/named/globals.h
@@ -97,7 +97,7 @@ EXTERN unsigned int named_g_debuglevel INIT(0);
 EXTERN cfg_obj_t *named_g_config INIT(NULL);
 EXTERN const cfg_obj_t *named_g_defaults INIT(NULL);
 EXTERN const char *named_g_conffile INIT(NAMED_SYSCONFDIR "/named.conf");
-EXTERN const char *named_g_defaultbindkeys INIT(NAMED_SYSCONFDIR "/bind.keys");
+EXTERN const char *named_g_defaultbindkeys INIT(NULL);
 EXTERN const char *named_g_keyfile INIT(NAMED_SYSCONFDIR "/rndc.key");
 
 EXTERN dns_tsigkey_t *named_g_sessionkey INIT(NULL);
diff --git a/bin/named/main.c b/bin/named/main.c
index 353932e79d..ab8d6d82a7 100644
--- a/bin/named/main.c
+++ b/bin/named/main.c
@@ -667,7 +667,6 @@ printversion(bool verbose) {
 printf("default paths:\n");
 printf(" named configuration: %s\n", named_g_conffile);
 printf(" rndc configuration: %s\n", rndcconf);
- printf(" DNSSEC root key: %s\n", named_g_defaultbindkeys);
 printf(" nsupdate session key: %s\n", named_g_defaultsessionkeyfile);
 printf(" named PID file: %s\n", named_g_defaultpidfile);
 printf(" named lock file: %s\n", named_g_defaultlockfile);
diff --git a/bin/named/server.c b/bin/named/server.c
index 12d05faaac..f2f27d4832 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
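Review bot: `named_g_defaultbindkeys` is kept declared but re-initialized to `INIT(NULL)`, while this diff removes both uses visible here (the `printf` in main.c printversion and the `.bindkeysfile` initializer in server.c named_server_create). If no other reference remains, the declaration should be dropped rather than left as a NULL `const char *` that a future `%s` caller would pass to printf; if it must stay for compatibility, a comment on the line such as `/* no default file: bindkeys-file is a test-only override of the built-in root key */` should record why it is NULL. The same consideration applies to the `bindkeys-file` line removed from `defaultconf` in config.c, which is what makes `named_config_get()` fail for an unset option.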
@@ -8510,45 +8510,45 @@ load_configuration(const char *filename, named_server_t *server, #endif /* - * If bind.keys exists, load it. If "dnssec-validation auto" - * is turned on, the root key found there will be used as a - * default trust anchor. + * If "dnssec-validation auto" is turned on, the root key + * will be used as a default trust anchor. The root key + * is built in, but if bindkeys-file is set, then it will + * be overridden with the key in that file. */ obj = NULL; - result = named_config_get(maps, "bindkeys-file", &obj); - INSIST(result == ISC_R_SUCCESS); - setstring(server, &server->bindkeysfile, cfg_obj_asstring(obj)); - INSIST(server->bindkeysfile != NULL); - - if (access(server->bindkeysfile, R_OK) == 0) { - isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, - NAMED_LOGMODULE_SERVER, ISC_LOG_INFO, - "reading built-in trust anchors " - "from file '%s'", - server->bindkeysfile); - - result = cfg_parser_create(named_g_mctx, named_g_lctx, - &bindkeys_parser); - if (result != ISC_R_SUCCESS) { - goto cleanup_config; - } - - result = cfg_parse_file(bindkeys_parser, server->bindkeysfile, - &cfg_type_bindkeys, &bindkeys); - if (result != ISC_R_SUCCESS) { + (void)named_config_get(maps, "bindkeys-file", &obj); + if (obj != NULL) { + setstring(server, &server->bindkeysfile, cfg_obj_asstring(obj)); + INSIST(server->bindkeysfile != NULL); + if (access(server->bindkeysfile, R_OK) != 0) { isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER, ISC_LOG_INFO, - "unable to parse '%s' error '%s'; using " - "built-in keys instead", - server->bindkeysfile, - isc_result_totext(result)); + "unable to open '%s'; using built-in " + "keys instead", + server->bindkeysfile); + } else { + result = cfg_parser_create(named_g_mctx, named_g_lctx, + &bindkeys_parser); + if (result != ISC_R_SUCCESS) { + goto cleanup_config; + } + + result = cfg_parse_file(bindkeys_parser, + server->bindkeysfile, + &cfg_type_bindkeys, &bindkeys); + if (result != 
ISC_R_SUCCESS) { + isc_log_write( + named_g_lctx, NAMED_LOGCATEGORY_GENERAL, + NAMED_LOGMODULE_SERVER, ISC_LOG_INFO, + "unable to parse '%s' " + "error '%s'; using " + "built-in keys instead", + server->bindkeysfile, + isc_result_totext(result)); + } } } else { - isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, - NAMED_LOGMODULE_SERVER, ISC_LOG_INFO, - "unable to open '%s'; using built-in keys " - "instead", - server->bindkeysfile); + setstring(server, &server->bindkeysfile, NULL); } /* @@ -10270,7 +10270,6 @@ named_server_create(isc_mem_t *mctx, named_server_t **serverp) { *server = (named_server_t){ .mctx = mctx, .statsfile = isc_mem_strdup(mctx, "named.stats"), - .bindkeysfile = isc_mem_strdup(mctx, named_g_defaultbindkeys), .dumpfile = isc_mem_strdup(mctx, "named_dump.db"), .secrootsfile = isc_mem_strdup(mctx, "named.secroots"), .recfile = isc_mem_strdup(mctx, "named.recursing"), @@ -10382,11 +10381,14 @@ named_server_destroy(named_server_t **serverp) { } isc_mem_free(server->mctx, server->statsfile); - isc_mem_free(server->mctx, server->bindkeysfile); isc_mem_free(server->mctx, server->dumpfile); isc_mem_free(server->mctx, server->secrootsfile); isc_mem_free(server->mctx, server->recfile); + if (server->bindkeysfile != NULL) { + isc_mem_free(server->mctx, server->bindkeysfile); + } + if (server->version != NULL) { isc_mem_free(server->mctx, server->version); } diff --git a/doc/arm/conf.py b/doc/arm/conf.py index 6224f0fbb3..be3b0cc901 100644 --- a/doc/arm/conf.py +++ b/doc/arm/conf.py @@ -184,7 +184,6 @@ rst_epilog = """ .. |rndc_conf| replace:: ``/etc/rndc.conf`` .. |rndc_key| replace:: ``/etc/rndc.key`` .. |named_conf| replace:: ``/etc/named.conf`` -.. |bind_keys| replace:: ``/etc/bind.keys`` .. |named_pid| replace:: ``/run/named.pid`` .. |session_key| replace:: ``/run/session.key`` """ diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index 304f188453..db1a6fcaa7 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst 
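Review bot: Both fallback paths in the new `if (obj != NULL)` branch log at `ISC_LOG_INFO` when an explicitly configured bindkeys-file cannot be opened or parsed, and the server then continues validating with the built-in root key. Before this change the file was a default that might legitimately be absent, so INFO fit; now the option is only present because an operator set it (and namedconf.c marks it test-only), so running with a different trust anchor than the one configured should be raised to `NAMED_LOGMODULE_SERVER, ISC_LOG_WARNING,` in both `isc_log_write()` calls so it is not lost in routine startup output. The `access(server->bindkeysfile, R_OK)` check ahead of `cfg_parse_file()` also duplicates the parse failure path (the parser presumably reports an unopenable file through its result code too), so the two messages could collapse into the single "unable to parse '%s' error '%s'" message. load_configuration begins before this hunk and continues after it.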
@@ -1323,7 +1323,7 @@ default is used. found when performing a dynamic update of secure zones, if different than the current working directory. (Note that this option has no effect on the paths for files containing non-DNSSEC keys such as - ``bind.keys``, ``rndc.key``, or ``session.key``.) + ``rndc.key``, or ``session.key``.) .. namedconf:statement:: lmdb-mapsize :tags: server @@ -1515,7 +1515,7 @@ default is used. This is the pathname of a file to override the built-in trusted keys provided by :iscman:`named`. See the discussion of :any:`dnssec-validation` for - details. If not specified, the default is |bind_keys|. + details. This is intended for server testing. .. namedconf:statement:: secroots-file :tags: dnssec 
@@ -2609,32 +2609,19 @@ Boolean Options :any:`managed-keys` or :any:`trusted-keys` statements, both deprecated). If there is no configured trust anchor, validation does not take place. - If set to ``no``, DNSSEC validation is disabled. + If set to ``no``, DNSSEC validation is disabled. (Note: the resolver + will still set the DO bit in outgoing queries indicating that it can + accept DNSSEC responses, even if :any:`dnssec-validation` is disabled.) The default is ``auto``, unless BIND is built with ``configure --disable-auto-validation``, in which case the default is ``yes``. - The default root trust anchor is stored in the file ``bind.keys``. - :iscman:`named` loads that key at startup if :any:`dnssec-validation` is - set to ``auto``. A copy of the file is installed along with BIND 9, - and is current as of the release date. If the root key expires, a new - copy of ``bind.keys`` can be downloaded from - https://www.isc.org/bind-keys. - - (To prevent problems if ``bind.keys`` is not found, the current trust - anchor is also compiled in :iscman:`named`. Relying on this is not - recommended, however, as it requires :iscman:`named` to be recompiled with - a new key when the root key expires.) - - .. note:: :iscman:`named` loads *only* the root key from ``bind.keys``. The file - cannot be used to store keys for other zones. The root key in - ``bind.keys`` is ignored if ``dnssec-validation auto`` is not in - use. - - Whenever the resolver sends out queries to an EDNS-compliant - server, it always sets the DO bit indicating it can support DNSSEC - responses, even if :any:`dnssec-validation` is off. + The default root trust anchor is compiled into :iscman:`named` + and is current as of the release date. If the root key changes, a + running BIND server will detect this and roll smoothly to the new + key, but newly-installed servers will be unable to start validation, + so BIND must be upgraded to a newer version. .. namedconf:statement:: validate-except :tags: dnssec 
@@ -6164,10 +6151,11 @@ simply moves on. The key specified in the :any:`trust-anchors` statement is not used to validate answers; it is superseded by the key or keys stored in the managed-keys database. -The next time :iscman:`named` runs after an ``initial-key`` or ``initial-ds`` has been *removed* -from the :any:`trust-anchors` statement (or changed to a ``static-key`` or ``static-ds``), the -corresponding zone is removed from the managed-keys database, and -:rfc:`5011` key maintenance is no longer used for that domain. +The next time :iscman:`named` runs after an ``initial-key`` or +``initial-ds`` has been *removed* from the :any:`trust-anchors` statement +(or changed to a ``static-key`` or ``static-ds``), the corresponding zone +is removed from the managed-keys database, and :rfc:`5011` key maintenance +is no longer used for that domain. In the current implementation, the managed-keys database is stored as a master-format zone file. @@ -6189,12 +6177,12 @@ others, the working directory should be always be writable by :iscman:`named`.) If the :any:`dnssec-validation` option is set to ``auto``, :iscman:`named` -automatically initializes an ``initial-key`` for the root zone. The key -that is used to initialize the key-maintenance process is stored in -``bind.keys``; the location of this file can be overridden with the -:any:`bindkeys-file` option. As a fallback in the event no ``bind.keys`` -can be found, the initializing key is also compiled directly into -:iscman:`named`. +automatically sets up an ``initial-key`` for the root zone. This +initializing key is built in to :iscman:`named`, and is current as of the +release date. When the root zone key changes, a running server will detect +the change and roll to the new key, but newly-installed servers being run +for the first time will need to be from a recent enough version of BIND to +have been built with the current key. :any:`dnssec-policy` Block Grammar ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
diff --git a/doc/dnssec-guide/troubleshooting.rst b/doc/dnssec-guide/troubleshooting.rst index b785f28b80..551800294d 100644 --- a/doc/dnssec-guide/troubleshooting.rst +++ b/doc/dnssec-guide/troubleshooting.rst @@ -422,7 +422,6 @@ reload`` with the key files missing from the key directory: named[32516]: received control channel command 'reload' named[32516]: loading configuration from '/etc/bind/named.conf' - named[32516]: reading built-in trusted keys from file '/etc/bind/bind.keys' named[32516]: using default UDP/IPv4 port range: [1024, 65535] named[32516]: using default UDP/IPv6 port range: [1024, 65535] named[32516]: sizing zone task pool based on 6 zones diff --git a/doc/dnssec-guide/validation.rst b/doc/dnssec-guide/validation.rst index 0600d7707c..19b4762225 100644 --- a/doc/dnssec-guide/validation.rst +++ b/doc/dnssec-guide/validation.rst @@ -562,12 +562,6 @@ validated and the authenticated data (``ad``) bit is set, and the response is sent to the client; if it does not verify, a SERVFAIL is returned to the client. -.. [#] - BIND technically includes two copies of the root key: one is in - ``bind.keys.h`` and is built into the executable, and one is in - ``bind.keys`` as a :any:`trust-anchors` statement. The two copies of the - key are identical. - .. _trust_anchors_description: Trust Anchors @@ -650,9 +644,8 @@ anchor) configured. How did it get here, and how do we maintain it? If you followed the recommendation in :ref:`easy_start_guide_for_recursive_servers`, by setting :any:`dnssec-validation` to *auto*, there is nothing left to do. -BIND already includes a copy of the root key (in the file -``bind.keys``), and automatically updates it when the root key -changes. [#]_ It looks something like this: +BIND already includes a copy of the root key, and automatically updates it +when the root key changes. [#]_ It looks something like this: :: 
@@ -677,10 +670,8 @@ to *yes* rather than *auto*: dnssec-validation yes; }; -Then, download the root key manually from a trustworthy source, such as -``__. Finally, take the root key you -manually downloaded and put it into a :any:`trust-anchors` statement as -shown below: +Then, download the root key manually from a trustworthy source, +and put it into a :any:`trust-anchors` statement as shown below: :: @@ -695,16 +686,15 @@ shown below: R1AkUTV74bU="; }; -While this :any:`trust-anchors` statement and the one in the ``bind.keys`` -file appear similar, the definition of the key in ``bind.keys`` has the -``initial-key`` modifier, whereas in the statement in the configuration -file, that is replaced by ``static-key``. There is an important -difference between the two: a key defined with ``static-key`` is always -trusted until it is deleted from the configuration file. With the -``initial-key`` modified, keys are only trusted once: for as long as it -takes to load the managed key database and start the key maintenance -process. Thereafter, BIND uses the managed keys database -(``managed-keys.bind.jnl``) as the source of key information. +While this :any:`trust-anchors` statement looks similar to the built-in +version above, the built-in key has the ``initial-key`` modifier, whereas +in the statement in the configuration file, that is replaced by +``static-key``. There is an important difference between the two: a key +defined with ``static-key`` is always trusted until it is deleted from the +configuration file. With the ``initial-key`` modifier, keys are only +trusted once: for as long as it takes to load the managed key database and +start the key maintenance process. Thereafter, BIND uses the managed keys +database (``managed-keys.bind.jnl``) as the source of key information. .. warning:: diff --git a/doc/man/conf.py b/doc/man/conf.py index 0f4ba58948..bad518c1a5 100644 --- a/doc/man/conf.py +++ b/doc/man/conf.py 
@@ -201,7 +201,6 @@ rst_epilog = """ .. |rndc_conf| replace:: ``@sysconfdir@/rndc.conf`` .. |rndc_key| replace:: ``@sysconfdir@/rndc.key`` .. |named_conf| replace:: ``@sysconfdir@/named.conf`` -.. |bind_keys| replace:: ``@sysconfdir@/bind.keys`` .. |named_pid| replace:: ``@runstatedir@/named.pid`` .. |session_key| replace:: ``@runstatedir@/session.key`` """ diff --git a/doc/man/delv.1in b/doc/man/delv.1in index 91da0966a4..2c49ba1c35 100644 --- a/doc/man/delv.1in +++ b/doc/man/delv.1in 
@@ -116,20 +116,21 @@ supplied, \fBdelv\fP performs a lookup for an A record. .INDENT 0.0 .TP .B \-a anchor\-file -This option specifies a file from which to read DNSSEC trust anchors. The default -is \fB@sysconfdir@/bind.keys\fP, which is included with BIND 9 and contains one -or more trust anchors for the root zone ("."). +This option specifies a file from which to read an alternate +DNSSEC root zone trust anchor. .sp -Keys that do not match the root zone name are ignored. An alternate -key name can be specified using the \fI\%+root\fP option. +By default, keys that do not match the root zone name (\fI\&.\fP) are +ignored. If an alternate key name is desired, it can be +specified using the \fI\%+root\fP option. .sp -Note: When reading the trust anchor file, \fBdelv\fP treats \fBtrust\-anchors\fP, -\fBinitial\-key\fP, and \fBstatic\-key\fP identically. That is, for a managed key, -it is the \fIinitial\fP key that is trusted; \fI\%RFC 5011\fP key management is not -supported. \fBdelv\fP does not consult the managed\-keys database maintained by -\fI\%named\fP, which means that if either of the keys in \fB@sysconfdir@/bind.keys\fP is -revoked and rolled over, \fB@sysconfdir@/bind.keys\fP must be updated to -use DNSSEC validation in \fBdelv\fP\&. +Note: When reading trust anchors, \fBdelv\fP treats +\fBtrust\-anchors\fP, \fBinitial\-key\fP, and \fBstatic\-key\fP identically. That +is, for a managed key, it is the \fIinitial\fP key that is trusted; +\fI\%RFC 5011\fP key management is not supported. \fBdelv\fP does not +consult the managed\-keys database maintained by \fI\%named\fP\&. This +means that if the default key built in to \fBdelv\fP is revoked, +\fBdelv\fP must be updated to a newer version in order to continue +validating. .UNINDENT .INDENT 0.0 .TP @@ -397,8 +398,6 @@ This option prints response data in YAML format. .UNINDENT .SH FILES .sp -\fB@sysconfdir@/bind.keys\fP -.sp \fB/etc/resolv.conf\fP .SH SEE ALSO .sp 
diff --git a/doc/man/named-checkconf.1in b/doc/man/named-checkconf.1in index 4fe625756c..8dc6f95eb2 100644 --- a/doc/man/named-checkconf.1in +++ b/doc/man/named-checkconf.1in @@ -41,10 +41,11 @@ errors. If no file is specified, \fB@sysconfdir@/named.conf\fP is read by default. .sp Note: files that \fI\%named\fP reads in separate parser contexts, such as -\fBrndc.key\fP and \fBbind.keys\fP, are not automatically read by -\fBnamed\-checkconf\fP\&. Configuration errors in these files may cause -\fI\%named\fP to fail to run, even if \fBnamed\-checkconf\fP was successful. -However, \fBnamed\-checkconf\fP can be run on these files explicitly. +\fBrndc.conf\fP or \fBrndc.key\fP, are not automatically read by +\fBnamed\-checkconf\fP\&. Configuration errors in these files may cause +\fI\%named\fP to fail to run, even if \fBnamed\-checkconf\fP was +successful. However, \fBnamed\-checkconf\fP can be run on these files +explicitly. .SH OPTIONS .INDENT 0.0 .TP diff --git a/doc/man/named.conf.5in b/doc/man/named.conf.5in index 2ed67975ae..7451b53bfb 100644 --- a/doc/man/named.conf.5in +++ b/doc/man/named.conf.5in @@ -134,7 +134,7 @@ options { automatic\-interface\-scan ; avoid\-v4\-udp\-ports { ; ... }; // deprecated avoid\-v6\-udp\-ports { ; ... }; // deprecated - bindkeys\-file ; + bindkeys\-file ; // test only blackhole { ; ... }; catalog\-zones { zone [ default\-primaries [ port ] [ source ( | * ) ] [ source\-v6 ( | * ) ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... } ] [ zone\-directory ] [ in\-memory ] [ min\-update\-interval ]; ... }; check\-dup\-records ( fail | warn | ignore ); diff --git a/doc/misc/options b/doc/misc/options index 355b596189..2d373bcf13 100644 --- a/doc/misc/options +++ b/doc/misc/options 
@@ -77,7 +77,7 @@ options {
 automatic-interface-scan ;
 avoid-v4-udp-ports { ; ... }; // deprecated
 avoid-v6-udp-ports { ; ... }; // deprecated
- bindkeys-file ;
+ bindkeys-file ; // test only
 blackhole { ; ... };
 catalog-zones { zone [ default-primaries [ port ] [ source ( | * ) ] [ source-v6 ( | * ) ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... } ] [ zone-directory ] [ in-memory ] [ min-update-interval ]; ... };
 check-dup-records ( fail | warn | ignore );
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index 96183ec065..35e2310371 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -1212,7 +1212,7 @@ static cfg_clausedef_t options_clauses[] = {
 CFG_CLAUSEFLAG_DEPRECATED },
 { "avoid-v6-udp-ports", &cfg_type_bracketed_portlist,
 CFG_CLAUSEFLAG_DEPRECATED },
- { "bindkeys-file", &cfg_type_qstring, 0 },
+ { "bindkeys-file", &cfg_type_qstring, CFG_CLAUSEFLAG_TESTONLY },
 { "blackhole", &cfg_type_bracketed_aml, 0 },
 { "cookie-algorithm", &cfg_type_cookiealg, 0 },
 { "cookie-secret", &cfg_type_sstring, CFG_CLAUSEFLAG_MULTI },
diff --git a/util/check-make-install.in b/util/check-make-install.in
index a39118521f..2905d2f68d 100644
--- a/util/check-make-install.in
+++ b/util/check-make-install.in
@@ -47,7 +47,7 @@ if [ ! -f "${named_man_page_path}" ]; then
 fi
 
 if [ -n "${DESTDIR}" ]; then
- for expected_subdir in bin etc include lib sbin share; do
+ for expected_subdir in bin include lib sbin share; do
 echo "${install_dir}/${expected_subdir}" >> "${abs_builddir}/expected_dirs"
 done
 find "${install_dir}" -maxdepth 1 -mindepth 1 -type d | sort > "${abs_builddir}/existing_dirs"