Remove -t option from dnssec-keygen/keyfromlabel

The key type flag (indicating whether a key is valid for
authentication, confidentiality, or both) is essentially
unused. By default, all DNSKEY and KEY records are valid
for both uses. Non-authenticating DNSKEY records are undefined
and meaningless, and validity checks for flags in KEY records
are sporadic at best.

We can simplify the parameters to dnssec-keygen by removing
the -t option completely.
Evan Hunt 2025-03-13 12:20:55 -07:00
parent 079c3aecf5
commit 5b667fed06
4 changed files with 6 additions and 73 deletions


@ -77,9 +77,6 @@ usage(void) {
"OTHER\n");
fprintf(stderr, " (DNSKEY generation defaults to ZONE\n");
fprintf(stderr, " -p protocol: default: 3 [dnssec]\n");
fprintf(stderr, " -t type: "
"AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF "
"(default: AUTHCONF)\n");
fprintf(stderr, " -y: permit keys that might collide\n");
fprintf(stderr, " -v verbose level\n");
fprintf(stderr, " -V: print version information\n");
@ -111,7 +108,7 @@ usage(void) {
int
main(int argc, char **argv) {
char *algname = NULL, *freeit = NULL;
char *nametype = NULL, *type = NULL;
char *nametype = NULL;
const char *directory = NULL;
const char *predecessor = NULL;
dst_key_t *prevkey = NULL;
@ -233,7 +230,7 @@ main(int argc, char **argv) {
}
break;
case 't':
type = isc_commandline_argument;
fatal("The -t option has been deprecated.");
break;
case 'v':
verbose = strtol(isc_commandline_argument, &endp, 0);
@ -416,21 +413,6 @@ main(int argc, char **argv) {
}
}
if (type != NULL && (options & DST_TYPE_KEY) != 0) {
if (strcasecmp(type, "NOAUTH") == 0) {
flags |= DNS_KEYTYPE_NOAUTH;
} else if (strcasecmp(type, "NOCONF") == 0) {
flags |= DNS_KEYTYPE_NOCONF;
} else if (strcasecmp(type, "NOAUTHCONF") == 0) {
flags |= (DNS_KEYTYPE_NOAUTH |
DNS_KEYTYPE_NOCONF);
} else if (strcasecmp(type, "AUTHCONF") == 0) {
/* nothing */
} else {
fatal("invalid type %s", type);
}
}
if (!oldstyle && prepub > 0) {
if (setpub && setact && (activate - prepub) < publish) {
fatal("Activation and publication dates "
@ -470,9 +452,6 @@ main(int argc, char **argv) {
if (nametype != NULL) {
fatal("-S and -n cannot be used together");
}
if (type != NULL) {
fatal("-S and -t cannot be used together");
}
if (setpub || unsetpub) {
fatal("-S and -P cannot be used together");
}
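Review bot: The new `case 't':` handler reports `fatal("The -t option has been deprecated.");` although the tool now refuses to run when the option is given and usage() no longer lists it; "deprecated" normally means still accepted with a warning, so `fatal("The -t option has been removed.");` states the actual behaviour. The same wording is used in the `case 't':` handler of the dnssec-keygen.c section below. Whether the getopt option string still carries `t:` so that the following word is consumed as the option's argument rather than read as the key name is outside these hunks; both handlers still assume it, so it is worth confirming. The enclosing main() starts and ends outside the hunk.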


@ -21,7 +21,7 @@ dnssec-keyfromlabel - DNSSEC key generation tool
Synopsis
~~~~~~~~
:program:`dnssec-keyfromlabel` {**-l** label} [**-3**] [**-a** algorithm] [**-A** date/offset] [**-c** class] [**-D** date/offset] [**-D** sync date/offset] [**-f** flag] [**-G**] [**-I** date/offset] [**-i** interval] [**-k**] [**-K** directory] [**-L** ttl] [**-M** tag_min:tag_max] [**-n** nametype] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-R** date/offset] [**-S** key] [**-t** type] [**-v** level] [**-V**] [**-y**] {name}
:program:`dnssec-keyfromlabel` {**-l** label} [**-3**] [**-a** algorithm] [**-A** date/offset] [**-c** class] [**-D** date/offset] [**-D** sync date/offset] [**-f** flag] [**-G**] [**-I** date/offset] [**-i** interval] [**-k**] [**-K** directory] [**-L** ttl] [**-M** tag_min:tag_max] [**-n** nametype] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-R** date/offset] [**-S** key] [**-v** level] [**-V**] [**-y**] {name}
Description
~~~~~~~~~~~
@ -150,13 +150,6 @@ Options
set to the activation date minus the prepublication interval, which
defaults to 30 days.
.. option:: -t type
This option indicates the type of the key. ``type`` must be one of AUTHCONF,
NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH refers
to the ability to authenticate data, and CONF to the ability to encrypt
data.
.. option:: -v level
This option sets the debugging level.


@ -83,7 +83,6 @@ struct keygen_ctx {
dns_keystore_t *keystore;
char *algname;
char *nametype;
char *type;
int protocol;
int size;
uint16_t tag_min;
@ -182,9 +181,6 @@ usage(void) {
"records with (default: 0)\n");
fprintf(stderr, " -T <rrtype>: DNSKEY | KEY (default: DNSKEY; "
"use KEY for SIG(0))\n");
fprintf(stderr, " -t <type>: "
"AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF "
"(default: AUTHCONF)\n");
fprintf(stderr, " -h: print usage and exit\n");
fprintf(stderr, " -m <memory debugging mode>:\n");
fprintf(stderr, " usage | trace | record\n");
@ -314,24 +310,6 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) {
}
}
if (ctx->type != NULL && (ctx->options & DST_TYPE_KEY) != 0) {
if (strcasecmp(ctx->type, "NOAUTH") == 0) {
flags |= DNS_KEYTYPE_NOAUTH;
} else if (strcasecmp(ctx->type, "NOCONF") == 0) {
flags |= DNS_KEYTYPE_NOCONF;
} else if (strcasecmp(ctx->type, "NOAUTHCONF") == 0) {
flags |= (DNS_KEYTYPE_NOAUTH |
DNS_KEYTYPE_NOCONF);
if (ctx->size < 0) {
ctx->size = 0;
}
} else if (strcasecmp(ctx->type, "AUTHCONF") == 0) {
/* nothing */
} else {
fatal("invalid type %s", ctx->type);
}
}
if (ctx->size < 0) {
switch (ctx->alg) {
case DST_ALG_RSASHA1:
@ -406,9 +384,6 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) {
if (ctx->nametype != NULL) {
fatal("-S and -n cannot be used together");
}
if (ctx->type != NULL) {
fatal("-S and -t cannot be used together");
}
if (ctx->setpub || ctx->unsetpub) {
fatal("-S and -P cannot be used together");
}
@ -566,12 +541,6 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) {
fatal("invalid DNSKEY protocol: %d", ctx->protocol);
}
if ((flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY) {
if (ctx->size > 0) {
fatal("specified null key with non-zero size");
}
}
switch (ctx->alg) {
case DNS_KEYALG_RSASHA1:
case DNS_KEYALG_NSEC3RSASHA1:
@ -997,8 +966,7 @@ main(int argc, char **argv) {
if (strcasecmp(isc_commandline_argument, "KEY") == 0) {
ctx.options |= DST_TYPE_KEY;
} else if (strcasecmp(isc_commandline_argument,
"DNSKE"
"Y") == 0)
"DNSKEY") == 0)
{
/* default behavior */
} else {
@ -1007,7 +975,7 @@ main(int argc, char **argv) {
}
break;
case 't':
ctx.type = isc_commandline_argument;
fatal("The -t option has been deprecated.");
break;
case 'v':
endp = NULL;
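Review bot: Dropping the `(flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY` guard along with the `-t` parsing treats the null-key case as unreachable, but that holds only if no other source of `flags` can set both NOAUTH and NOCONF; the `-f` handling and the predecessor-key path under `-S`, both outside this hunk, are where that should be confirmed. If a predecessor KEY record produced by an earlier release with `-t NOAUTHCONF` can hand its flags to the successor, the removed guard was the only check refusing a non-zero size for a null key. Keeping the three-line guard costs nothing; otherwise a comment near the `DST_TYPE_KEY` handling such as `/* NOKEY is no longer producible from the command line; flags come only from -f or a predecessor key. */` would record the assumption. The enclosing keygen() begins before and ends after this hunk.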


@ -21,7 +21,7 @@ dnssec-keygen: DNSSEC key generation tool
Synopsis
~~~~~~~~
:program:`dnssec-keygen` [**-3**] [**-A** date/offset] [**-a** algorithm] [**-b** keysize] [**-C**] [**-c** class] [**-D** date/offset] [**-d** bits] [**-D** sync date/offset] [**-f** flag] [**-F**] [**-G**] [**-h**] [**-I** date/offset] [**-i** interval] [**-K** directory] [**-k** policy] [**-L** ttl] [**-l** file] [**-M** tag_min:tag_max] [**-n** nametype] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-q**] [**-R** date/offset] [**-S** key] [**-s** strength] [**-T** rrtype] [**-t** type] [**-V**] [**-v** level] {name}
:program:`dnssec-keygen` [**-3**] [**-A** date/offset] [**-a** algorithm] [**-b** keysize] [**-C**] [**-c** class] [**-D** date/offset] [**-d** bits] [**-D** sync date/offset] [**-f** flag] [**-F**] [**-G**] [**-h**] [**-I** date/offset] [**-i** interval] [**-K** directory] [**-k** policy] [**-L** ttl] [**-l** file] [**-M** tag_min:tag_max] [**-n** nametype] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-q**] [**-R** date/offset] [**-S** key] [**-s** strength] [**-T** rrtype] [**-V**] [**-v** level] {name}
Description
~~~~~~~~~~~
@ -210,13 +210,6 @@ Options
DNSSEC algorithm, but it can be overridden to KEY for use with
SIG(0).
.. option:: -t type
This option indicates the type of the key for use with :option:`-T KEY <-T>`. ``type``
must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
is AUTHCONF. AUTH refers to the ability to authenticate data, and
CONF to the ability to encrypt data.
.. option:: -V
This option prints version information.