Merge branch 'dnssec-keys-rename-to-trust-anchors' into 'master'
Rename 'dnssec-keys' to 'trust-anchors' See merge request isc-projects/bind9!2702
commit
ec80d61ab0
48 changed files with 182 additions and 144 deletions
3
CHANGES
3
CHANGES
|
|
@ -1,3 +1,6 @@
|
|||
5332. [func] Renamed "dnssec-keys" configuration statement
|
||||
to the more descriptive "trust-anchors".
|
||||
|
||||
5331. [func] Use compiler-provided mechanisms for thread local
|
||||
storage, and make the requirement for such mechanisms
|
||||
explicit in configure. [GL #1444]
|
||||
|
|
|
|||
|
|
@ -131,8 +131,8 @@ include:
|
|||
for zones, enabling automatic key regeneration and rollover.
|
||||
* New new network manager based on libuv.
|
||||
* Support for the new GeoIP2 geolocation API
|
||||
* Improved DNSSEC trust anchor configuration using `dnssec-keys`,
|
||||
permitting configuration of trust anchors in DS as well as
|
||||
* Improved DNSSEC trust anchor configuration using the `trust-anchors`
|
||||
statement, permitting configuration of trust anchors in DS as well as
|
||||
DNSKEY format.
|
||||
* YAML output for `dig`, `mdig`, and `delv`.
|
||||
|
||||
|
|
|
|||
|
|
@ -140,7 +140,7 @@ static dns_fixedname_t afn;
|
|||
static dns_name_t *anchor_name = NULL;
|
||||
|
||||
/* Default bind.keys contents */
|
||||
static char anchortext[] = DNSSEC_KEYS;
|
||||
static char anchortext[] = TRUST_ANCHORS;
|
||||
|
||||
/*
|
||||
* Static function prototypes
|
||||
|
|
@ -819,7 +819,7 @@ setup_dnsseckeys(dns_client_t *client) {
|
|||
cfg_parser_t *parser = NULL;
|
||||
const cfg_obj_t *trusted_keys = NULL;
|
||||
const cfg_obj_t *managed_keys = NULL;
|
||||
const cfg_obj_t *dnssec_keys = NULL;
|
||||
const cfg_obj_t *trust_anchors = NULL;
|
||||
cfg_obj_t *bindkeys = NULL;
|
||||
const char *filename = anchorfile;
|
||||
|
||||
|
|
@ -878,7 +878,7 @@ setup_dnsseckeys(dns_client_t *client) {
|
|||
INSIST(bindkeys != NULL);
|
||||
cfg_map_get(bindkeys, "trusted-keys", &trusted_keys);
|
||||
cfg_map_get(bindkeys, "managed-keys", &managed_keys);
|
||||
cfg_map_get(bindkeys, "dnssec-keys", &dnssec_keys);
|
||||
cfg_map_get(bindkeys, "trust-anchors", &trust_anchors);
|
||||
|
||||
if (trusted_keys != NULL) {
|
||||
CHECK(load_keys(trusted_keys, client));
|
||||
|
|
@ -886,8 +886,8 @@ setup_dnsseckeys(dns_client_t *client) {
|
|||
if (managed_keys != NULL) {
|
||||
CHECK(load_keys(managed_keys, client));
|
||||
}
|
||||
if (dnssec_keys != NULL) {
|
||||
CHECK(load_keys(dnssec_keys, client));
|
||||
if (trust_anchors != NULL) {
|
||||
CHECK(load_keys(trust_anchors, client));
|
||||
}
|
||||
result = ISC_R_SUCCESS;
|
||||
|
||||
|
|
|
|||
|
|
@ -215,7 +215,7 @@
|
|||
</para>
|
||||
<para>
|
||||
Note: When reading the trust anchor file,
|
||||
<command>delv</command> treats <option>dnssec-keys</option>
|
||||
<command>delv</command> treats <option>trust-anchors</option>
|
||||
<option>initial-key</option> and <option>static-key</option>
|
||||
entries identically. That is, even if a key is configured
|
||||
with <command>initial-key</command>, indicating that it is
|
||||
|
|
|
|||
|
|
@ -296,7 +296,7 @@ view \"_bind\" chaos {\n\
|
|||
# BEGIN DNSSEC KEYS\n"
|
||||
|
||||
/* Imported from bind.keys.h: */
|
||||
DNSSEC_KEYS
|
||||
TRUST_ANCHORS
|
||||
|
||||
"# END MANAGED KEYS\n\
|
||||
\n\
|
||||
|
|
|
|||
|
|
@ -110,15 +110,6 @@ dlz <replaceable>string</replaceable> {
|
|||
</literallayout>
|
||||
</refsection>
|
||||
|
||||
<refsection><info><title>DNSSEC-KEYS</title></info>
|
||||
<literallayout class="normal">
|
||||
dnssec-keys { <replaceable>string</replaceable> ( static-key |
|
||||
initial-key | static-ds | initial-ds )
|
||||
<replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable>
|
||||
<replaceable>quoted_string</replaceable>; ... };
|
||||
</literallayout>
|
||||
</refsection>
|
||||
|
||||
<refsection><info><title>DYNDB</title></info>
|
||||
<literallayout class="normal">
|
||||
dyndb <replaceable>string</replaceable> <replaceable>quoted_string</replaceable> {
|
||||
|
|
@ -156,7 +147,7 @@ logging {
|
|||
</refsection>
|
||||
|
||||
<refsection><info><title>MANAGED-KEYS</title></info>
|
||||
<para>Deprecated - see DNSSEC-KEYS.</para>
|
||||
<para>Deprecated - see TRUST-ANCHORS.</para>
|
||||
<literallayout class="normal">
|
||||
managed-keys { <replaceable>string</replaceable> ( static-key
|
||||
| initial-key | static-ds |
|
||||
|
|
@ -527,8 +518,17 @@ statistics-channels {
|
|||
</literallayout>
|
||||
</refsection>
|
||||
|
||||
<refsection><info><title>TRUST-ANCHORS</title></info>
|
||||
<literallayout class="normal">
|
||||
trust-anchors { <replaceable>string</replaceable> ( static-key |
|
||||
initial-key | static-ds | initial-ds )
|
||||
<replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable>
|
||||
<replaceable>quoted_string</replaceable>; ... };
|
||||
</literallayout>
|
||||
</refsection>
|
||||
|
||||
<refsection><info><title>TRUSTED-KEYS</title></info>
|
||||
<para>Deprecated - see DNSSEC-KEYS.</para>
|
||||
<para>Deprecated - see TRUST-ANCHORS.</para>
|
||||
<literallayout class="normal">
|
||||
trusted-keys { <replaceable>string</replaceable> <replaceable>integer</replaceable>
|
||||
<replaceable>integer</replaceable> <replaceable>integer</replaceable>
|
||||
|
|
@ -607,10 +607,6 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
|
|||
dnsrps-options { <replaceable>unspecified-text</replaceable> };
|
||||
dnssec-accept-expired <replaceable>boolean</replaceable>;
|
||||
dnssec-dnskey-kskonly <replaceable>boolean</replaceable>;
|
||||
dnssec-keys { <replaceable>string</replaceable> ( static-key |
|
||||
initial-key | static-ds | initial-ds
|
||||
) <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable>
|
||||
<replaceable>quoted_string</replaceable>; ... };
|
||||
dnssec-loadkeys-interval <replaceable>integer</replaceable>;
|
||||
dnssec-must-be-secure <replaceable>string</replaceable> <replaceable>boolean</replaceable>;
|
||||
dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
|
||||
|
|
@ -801,6 +797,10 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
|
|||
transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> | * )
|
||||
] [ dscp <replaceable>integer</replaceable> ];
|
||||
trust-anchor-telemetry <replaceable>boolean</replaceable>; // experimental
|
||||
trust-anchors { <replaceable>string</replaceable> ( static-key |
|
||||
initial-key | static-ds | initial-ds
|
||||
) <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable>
|
||||
<replaceable>quoted_string</replaceable>; ... };
|
||||
trusted-keys { <replaceable>string</replaceable>
|
||||
<replaceable>integer</replaceable> <replaceable>integer</replaceable>
|
||||
<replaceable>integer</replaceable>
|
||||
|
|
|
|||
|
|
@ -1012,7 +1012,7 @@ process_key(const cfg_obj_t *key, dns_keytable_t *secroots,
|
|||
}
|
||||
|
||||
/*
|
||||
* Add the key to 'secroots'. Keys from a "dnssec-keys" or
|
||||
* Add the key to 'secroots'. Keys from a "trust-anchors" or
|
||||
* "managed-keys" statement may be either static or initializing
|
||||
* keys. If it's not initializing, we don't want to treat it as
|
||||
* managed, so we use 'initializing' twice here, for both the
|
||||
|
|
@ -1124,9 +1124,9 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
|
|||
const cfg_obj_t *view_keys = NULL;
|
||||
const cfg_obj_t *global_keys = NULL;
|
||||
const cfg_obj_t *view_managed_keys = NULL;
|
||||
const cfg_obj_t *view_dnssec_keys = NULL;
|
||||
const cfg_obj_t *view_trust_anchors = NULL;
|
||||
const cfg_obj_t *global_managed_keys = NULL;
|
||||
const cfg_obj_t *global_dnssec_keys = NULL;
|
||||
const cfg_obj_t *global_trust_anchors = NULL;
|
||||
const cfg_obj_t *maps[4];
|
||||
const cfg_obj_t *voptions = NULL;
|
||||
const cfg_obj_t *options = NULL;
|
||||
|
|
@ -1147,11 +1147,11 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
|
|||
(void) cfg_map_get(voptions, "trusted-keys",
|
||||
&view_keys);
|
||||
|
||||
/* managed-keys and dnssec-keys are synonyms. */
|
||||
/* managed-keys and trust-anchors are synonyms. */
|
||||
(void) cfg_map_get(voptions, "managed-keys",
|
||||
&view_managed_keys);
|
||||
(void) cfg_map_get(voptions, "dnssec-keys",
|
||||
&view_dnssec_keys);
|
||||
(void) cfg_map_get(voptions, "trust-anchors",
|
||||
&view_trust_anchors);
|
||||
|
||||
maps[i++] = voptions;
|
||||
}
|
||||
|
|
@ -1160,9 +1160,10 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
|
|||
if (config != NULL) {
|
||||
(void)cfg_map_get(config, "trusted-keys", &global_keys);
|
||||
|
||||
/* managed-keys and dnssec-keys are synonyms. */
|
||||
/* managed-keys and trust-anchors are synonyms. */
|
||||
(void)cfg_map_get(config, "managed-keys", &global_managed_keys);
|
||||
(void)cfg_map_get(config, "dnssec-keys", &global_dnssec_keys);
|
||||
(void)cfg_map_get(config, "trust-anchors",
|
||||
&global_trust_anchors);
|
||||
|
||||
(void)cfg_map_get(config, "options", &options);
|
||||
if (options != NULL) {
|
||||
|
|
@ -1194,7 +1195,7 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
|
|||
|
||||
/*
|
||||
* If bind.keys exists and is populated, it overrides
|
||||
* the dnssec-keys clause hard-coded in named_g_config.
|
||||
* the trust-anchors clause hard-coded in named_g_config.
|
||||
*/
|
||||
if (bindkeys != NULL) {
|
||||
isc_log_write(named_g_lctx, DNS_LOGCATEGORY_SECURITY,
|
||||
|
|
@ -1203,7 +1204,7 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
|
|||
"from '%s'",
|
||||
view->name, named_g_server->bindkeysfile);
|
||||
|
||||
(void)cfg_map_get(bindkeys, "dnssec-keys",
|
||||
(void)cfg_map_get(bindkeys, "trust-anchors",
|
||||
&builtin_keys);
|
||||
|
||||
if (builtin_keys == NULL) {
|
||||
|
|
@ -1223,7 +1224,7 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
|
|||
"using built-in root key for view %s",
|
||||
view->name);
|
||||
|
||||
(void)cfg_map_get(named_g_config, "dnssec-keys",
|
||||
(void)cfg_map_get(named_g_config, "trust-anchors",
|
||||
&builtin_keys);
|
||||
}
|
||||
|
||||
|
|
@ -1243,13 +1244,13 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
|
|||
|
||||
if (view->rdclass == dns_rdataclass_in) {
|
||||
CHECK(load_view_keys(view_keys, view, false, NULL, mctx));
|
||||
CHECK(load_view_keys(view_dnssec_keys, view, true, NULL,
|
||||
CHECK(load_view_keys(view_trust_anchors, view, true, NULL,
|
||||
mctx));
|
||||
CHECK(load_view_keys(view_managed_keys, view, true, NULL,
|
||||
mctx));
|
||||
|
||||
CHECK(load_view_keys(global_keys, view, false, NULL, mctx));
|
||||
CHECK(load_view_keys(global_dnssec_keys, view, true,
|
||||
CHECK(load_view_keys(global_trust_anchors, view, true,
|
||||
NULL, mctx));
|
||||
CHECK(load_view_keys(global_managed_keys, view, true,
|
||||
NULL, mctx));
|
||||
|
|
|
|||
|
|
@ -773,7 +773,7 @@
|
|||
<listitem>
|
||||
<para>
|
||||
Dump the security roots (i.e., trust anchors
|
||||
configured via <command>dnssec-keys</command> statements, or the
|
||||
configured via <command>trust-anchors</command> statements, or the
|
||||
managed-keys or trusted-keys statements (both deprecated), or
|
||||
via <command>dnssec-validation auto</command>) and negative trust
|
||||
anchors for the specified views. If no view is specified, all
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@
|
|||
* information regarding copyright ownership.
|
||||
*/
|
||||
|
||||
dnssec-keys {
|
||||
trust-anchors {
|
||||
example. initial-ds 60724 5 1 "D74CF845955A0DFE604AF215E948E67D2EA94FF3";
|
||||
example. initial-key 257 3 5 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbody0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQYfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuwE60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn6zqCkwuMmrU=";
|
||||
};
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@
|
|||
* information regarding copyright ownership.
|
||||
*/
|
||||
|
||||
dnssec-keys {
|
||||
trust-anchors {
|
||||
example. static-ds 60724 5 1 "D74CF845955A0DFE604AF215E948E67D2EA94FF3";
|
||||
example. static-key 257 3 5 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbody0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQYfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuwE60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn6zqCkwuMmrU=";
|
||||
};
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@ options {
|
|||
dnssec-validation yes;
|
||||
};
|
||||
|
||||
dnssec-keys {
|
||||
trust-anchors {
|
||||
example. initial-key 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl
|
||||
25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG
|
||||
tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY
|
||||
|
|
@ -23,7 +23,7 @@ dnssec-keys {
|
|||
NQyrszHhWUU=";
|
||||
};
|
||||
|
||||
dnssec-keys {
|
||||
trust-anchors {
|
||||
example. static-key 257 3 8 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbod
|
||||
y0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQ
|
||||
YfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@ options {
|
|||
dnssec-validation yes;
|
||||
};
|
||||
|
||||
dnssec-keys {
|
||||
trust-anchors {
|
||||
. initial-key 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl
|
||||
25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG
|
||||
tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@
|
|||
* information regarding copyright ownership.
|
||||
*/
|
||||
|
||||
dnssec-keys {
|
||||
trust-anchors {
|
||||
# This key (19036) is to be phased out starting in 2017. It will
|
||||
# remain in the root zone for some time after its successor key
|
||||
# has been added. It will remain this file until it is removed from
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@
|
|||
* information regarding copyright ownership.
|
||||
*/
|
||||
|
||||
dnssec-keys {
|
||||
trust-anchors {
|
||||
example. initial-ds 60724 5 1 "D74CF845955A0DFE604AF215E948E67D2EA94FF3";
|
||||
example. static-ds 60724 5 2 "29E79B9064EE1A11DF3BFF19581DDFED7952C22CC204ACE17B6007EB1437E9E6";
|
||||
};
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@
|
|||
* information regarding copyright ownership.
|
||||
*/
|
||||
|
||||
dnssec-keys {
|
||||
trust-anchors {
|
||||
example. initial-ds 60724 5 1 "D74CF845955A0DFE604AF215E948E67D2EA94FF3";
|
||||
example. static-key 257 3 5 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbody0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQYfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuwE60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn6zqCkwuMmrU=";
|
||||
};
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@
|
|||
* information regarding copyright ownership.
|
||||
*/
|
||||
|
||||
dnssec-keys {
|
||||
trust-anchors {
|
||||
example. static-ds 60724 5 1 "D74CF845955A0DFE604AF215E948E67D2EA94FF3";
|
||||
example. initial-key 257 3 5 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbody0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQYfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuwE60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn6zqCkwuMmrU=";
|
||||
};
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@
|
|||
* information regarding copyright ownership.
|
||||
*/
|
||||
|
||||
dnssec-keys {
|
||||
trust-anchors {
|
||||
example. initial-key 257 3 5 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafGtURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJYkYrFYGLzYAgl/JtMyVVYlBl9pqxQuAPKYPOuO1axaad/wLN3+wTy/hcJfpvJpqzXlDF9bI5RmpoX/7geZ06vpcYJEoT0xkkmPlEl0ZjEDrm/WIaSWG0/CEDpHcOXFz4OEczMVpY+lnuFfKybwF1WHFn2BwVEOS6cMM6ukIjINQyrszHhWUU=";
|
||||
example. static-key 257 3 5 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbody0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQYfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuwE60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn6zqCkwuMmrU=";
|
||||
};
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@ options {
|
|||
dnssec-validation auto;
|
||||
};
|
||||
|
||||
dnssec-keys {
|
||||
trust-anchors {
|
||||
. static-key 257 3 8 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbod
|
||||
y0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQ
|
||||
YfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@
|
|||
* information regarding copyright ownership.
|
||||
*/
|
||||
|
||||
dnssec-keys {
|
||||
trust-anchors {
|
||||
# This key (19036) is to be phased out starting in 2017. It will
|
||||
# remain in the root zone for some time after its successor key
|
||||
# has been added. It will remain this file until it is removed from
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@
|
|||
* information regarding copyright ownership.
|
||||
*/
|
||||
|
||||
dnssec-keys {
|
||||
trust-anchors {
|
||||
# This key (19036) is to be phased out starting in 2017. It will
|
||||
# remain in the root zone for some time after its successor key
|
||||
# has been added. It will remain this file until it is removed from
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@
|
|||
* information regarding copyright ownership.
|
||||
*/
|
||||
|
||||
dnssec-keys {
|
||||
trust-anchors {
|
||||
# This key (20326) was published in the root zone in 2017.
|
||||
# Servers which were already using the old key (19036) should
|
||||
# roll seamlessly to this new one via RFC 5011 rollover. Servers
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@
|
|||
* information regarding copyright ownership.
|
||||
*/
|
||||
|
||||
dnssec-keys {
|
||||
trust-anchors {
|
||||
# This key (19036) is to be phased out starting in 2017. It will
|
||||
# remain in the root zone for some time after its successor key
|
||||
# has been added. It will remain this file until it is removed from
|
||||
|
|
|
|||
|
|
@ -9,6 +9,6 @@
|
|||
* information regarding copyright ownership.
|
||||
*/
|
||||
|
||||
dnssec-keys {
|
||||
trust-anchors {
|
||||
. static-ds 20326 8 2 "E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D";
|
||||
};
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@
|
|||
* information regarding copyright ownership.
|
||||
*/
|
||||
|
||||
dnssec-keys {
|
||||
trust-anchors {
|
||||
# This key (20326) was published in the root zone in 2017.
|
||||
# Servers which were already using the old key (19036) should
|
||||
# roll seamlessly to this new one via RFC 5011 rollover. Servers
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@ options {
|
|||
dnssec-validation yes;
|
||||
};
|
||||
|
||||
dnssec-keys {
|
||||
trust-anchors {
|
||||
example. initial-key 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl
|
||||
25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG
|
||||
tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY
|
||||
|
|
|
|||
|
|
@ -9,6 +9,6 @@
|
|||
* information regarding copyright ownership.
|
||||
*/
|
||||
|
||||
dnssec-keys {
|
||||
trust-anchors {
|
||||
example. initial-ds 60724 5 2 "29E79B9064EE1A11DF3BFF19581DDFED7952C22CC204ACE17B6007EB1437E9E6";
|
||||
};
|
||||
|
|
|
|||
|
|
@ -9,6 +9,6 @@
|
|||
* information regarding copyright ownership.
|
||||
*/
|
||||
|
||||
dnssec-keys {
|
||||
trust-anchors {
|
||||
example. static-ds 60724 5 2 "29E79B9064EE1A11DF3BFF19581DDFED7952C22CC204ACE17B6007EB1437E9E6";
|
||||
};
|
||||
|
|
|
|||
|
|
@ -458,7 +458,7 @@ if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
|
|||
status=`expr $status + $ret`
|
||||
|
||||
n=`expr $n + 1`
|
||||
echo_i "check that using dnssec-keys and managed-keys generates an error ($n)"
|
||||
echo_i "check that using trust-anchors and managed-keys generates an error ($n)"
|
||||
ret=0
|
||||
$CHECKCONF check-mixed-keys.conf > checkconf.out$n 2>/dev/null && ret=1
|
||||
grep "use of managed-keys is not allowed" checkconf.out$n > /dev/null || ret=1
|
||||
|
|
|
|||
|
|
@ -264,31 +264,31 @@ keyfile_to_dskeys() {
|
|||
}
|
||||
|
||||
# keyfile_to_static_keys: convert key data contained in the keyfile(s)
|
||||
# provided to a *static-key* "dnssec-keys" section suitable for including in a
|
||||
# resolver's configuration file
|
||||
# provided to a *static-key* "trust-anchors" section suitable for including in
|
||||
# a resolver's configuration file
|
||||
keyfile_to_static_keys() {
|
||||
keyfile_to_keys "dnssec-keys" "static-key" $*
|
||||
keyfile_to_keys "trust-anchors" "static-key" $*
|
||||
}
|
||||
|
||||
# keyfile_to_initial_keys: convert key data contained in the keyfile(s)
|
||||
# provided to an *initial-key* "dnssec-keys" section suitable for including
|
||||
# provided to an *initial-key* "trust-anchors" section suitable for including
|
||||
# in a resolver's configuration file
|
||||
keyfile_to_initial_keys() {
|
||||
keyfile_to_keys "dnssec-keys" "initial-key" $*
|
||||
keyfile_to_keys "trust-anchors" "initial-key" $*
|
||||
}
|
||||
|
||||
# keyfile_to_static_ds_keys: convert key data contained in the keyfile(s)
|
||||
# provided to a *static-ds* "dnssec-keys" section suitable for including in a
|
||||
# provided to a *static-ds* "trust-anchors" section suitable for including in a
|
||||
# resolver's configuration file
|
||||
keyfile_to_static_ds() {
|
||||
keyfile_to_dskeys "dnssec-keys" "static-ds" $*
|
||||
keyfile_to_dskeys "trust-anchors" "static-ds" $*
|
||||
}
|
||||
|
||||
# keyfile_to_initial_ds_keys: convert key data contained in the keyfile(s)
|
||||
# provided to an *initial-ds* "dnssec-keys" section suitable for including
|
||||
# provided to an *initial-ds* "trust-anchors" section suitable for including
|
||||
# in a resolver's configuration file
|
||||
keyfile_to_initial_ds() {
|
||||
keyfile_to_dskeys "dnssec-keys" "initial-ds" $*
|
||||
keyfile_to_dskeys "trust-anchors" "initial-ds" $*
|
||||
}
|
||||
|
||||
# keyfile_to_key_id: convert a key file name to a key ID
|
||||
|
|
|
|||
|
|
@ -1,3 +1,3 @@
|
|||
dnssec-keys {
|
||||
trust-anchors {
|
||||
"edns512-notcp." static-key 257 3 10 "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";
|
||||
};
|
||||
|
|
|
|||
|
|
@ -11,7 +11,7 @@ ns2 is a validator that uses managed keys. "-T mkeytimers=2/20/40"
|
|||
is used so it will attempt do automated updates frequently. "-T tat=1"
|
||||
is used so it will send TAT queries once per second.
|
||||
|
||||
ns3 is a validator with a broken initializing key in dnssec-keys.
|
||||
ns3 is a validator with a broken initializing key in trust-anchors.
|
||||
|
||||
ns4 is a validator with a deliberately broken managed-keys.bind and
|
||||
managed-keys.jnl, causing RFC 5011 initialization to fail.
|
||||
|
|
|
|||
|
|
@ -41,6 +41,6 @@ zone "." {
|
|||
};
|
||||
|
||||
# purposely broken key for testing
|
||||
dnssec-keys {
|
||||
trust-anchors {
|
||||
"." initial-key 257 3 5 "PURPOSELYBROKEN/xs9iVj7QekClcpzjCf0JrvXW1z07hNMqMm6Q2FtIXMbRgfvTtHF3/ZNvcewT9hpfczC+JACHsQSYYdr7UI8oe4nJfal9+2F3pz4a+HR6CqkgrR6WLWQI1Q==";
|
||||
};
|
||||
|
|
|
|||
|
|
@ -86,7 +86,7 @@ signzone () {
|
|||
KEYNAME=`$KEYGEN -q -a rsasha256 -K $1 $2`
|
||||
cat $1/$3 $1/$KEYNAME.key > $1/tmp
|
||||
$SIGNER -P -K $1 -o $2 -f $1/$4 $1/tmp >/dev/null
|
||||
sed -n -e 's/\(.*\) IN DNSKEY \([0-9]\{1,\} [0-9]\{1,\} [0-9]\{1,\}\) \(.*\)/dnssec-keys {"\1" static-key \2 "\3";};/p' $1/$KEYNAME.key >>trusted.conf
|
||||
sed -n -e 's/\(.*\) IN DNSKEY \([0-9]\{1,\} [0-9]\{1,\} [0-9]\{1,\}\) \(.*\)/trust-anchors {"\1" static-key \2 "\3";};/p' $1/$KEYNAME.key >>trusted.conf
|
||||
DSFILENAME=dsset-${2}${TP}
|
||||
rm $DSFILENAME $1/tmp
|
||||
}
|
||||
|
|
|
|||
|
|
@ -26,7 +26,7 @@
|
|||
# See https://data.iana.org/root-anchors/root-anchors.xml for current trust
|
||||
# anchor information for the root zone.
|
||||
|
||||
dnssec-keys {
|
||||
trust-anchors {
|
||||
# This key (20326) was published in the root zone in 2017.
|
||||
. initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
|
||||
+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
#ifndef BIND_KEYS_H
|
||||
#define BIND_KEYS_H 1
|
||||
#define DNSSEC_KEYS "\
|
||||
#define TRUST_ANCHORS "\
|
||||
# The bind.keys file is used to override the built-in DNSSEC trust anchors\n\
|
||||
# which are included as part of BIND 9. The only trust anchors it contains\n\
|
||||
# are for the DNS root zone (\".\"). Trust anchors for any other zones MUST\n\
|
||||
|
|
@ -29,7 +29,7 @@
|
|||
# See https://data.iana.org/root-anchors/root-anchors.xml for current trust\n\
|
||||
# anchor information for the root zone.\n\
|
||||
\n\
|
||||
dnssec-keys {\n\
|
||||
trust-anchors {\n\
|
||||
# This key (20326) was published in the root zone in 2017.\n\
|
||||
. initial-key 257 3 8 \"AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3\n\
|
||||
+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv\n\
|
||||
|
|
|
|||
|
|
@ -2212,7 +2212,7 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
|
|||
<userinput>yes</userinput>, DNSSEC validation will only occur
|
||||
if at least one trust anchor has been explicitly configured
|
||||
in <filename>named.conf</filename>
|
||||
using a <command>dnssec-keys</command> statement (or the
|
||||
using a <command>trust-anchors</command> statement (or the
|
||||
<command>managed-keys</command> and <command>trusted-keys</command>
|
||||
statements, both deprecated).
|
||||
</para>
|
||||
|
|
@ -2227,7 +2227,7 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
|
|||
</para>
|
||||
|
||||
<para>
|
||||
The keys specified in <command>dnssec-keys</command>
|
||||
The keys specified in <command>trust-anchors</command>
|
||||
copies of DNSKEY RRs for zones that are used to form the
|
||||
first link in the cryptographic chain of trust. Keys configured
|
||||
with the keyword <command>static-key</command> or
|
||||
|
|
@ -2241,7 +2241,7 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
|
|||
</para>
|
||||
|
||||
<para>
|
||||
<command>dnssec-keys</command> is described in more detail
|
||||
<command>trust-anchors</command> is described in more detail
|
||||
later in this document.
|
||||
</para>
|
||||
|
||||
|
|
@ -2264,7 +2264,7 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
|
|||
</para>
|
||||
|
||||
<programlisting>
|
||||
dnssec-keys {
|
||||
trust-anchors {
|
||||
/* Root Key */
|
||||
"." initial-key 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwS
|
||||
JxrGkxJWoZu6I7PzJu/E9gx4UC1zGAHlXKdE4zYIpRh
|
||||
|
|
@ -3202,7 +3202,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
|
|||
</row>
|
||||
<row rowsep="0">
|
||||
<entry colname="1">
|
||||
<para><command>dnssec-keys</command></para>
|
||||
<para><command>trust-anchors</command></para>
|
||||
</entry>
|
||||
<entry colname="2">
|
||||
<para>
|
||||
|
|
@ -3223,9 +3223,9 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
|
|||
</entry>
|
||||
<entry colname="2">
|
||||
<para>
|
||||
is identical to <command>dnssec-keys</command>;
|
||||
is identical to <command>trust-anchors</command>;
|
||||
this option is deprecated in favor
|
||||
of <command>dnssec-keys</command> with
|
||||
of <command>trust-anchors</command> with
|
||||
the <command>initial-key</command> keyword,
|
||||
and may be removed in a future release.
|
||||
</para>
|
||||
|
|
@ -3239,7 +3239,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
|
|||
<para>
|
||||
defines permanent trusted DNSSEC keys;
|
||||
this option is deprecated in favor
|
||||
of <command>dnssec-keys</command> with
|
||||
of <command>trust-anchors</command> with
|
||||
the <command>static-key</command> keyword,
|
||||
and may be removed in a future release.
|
||||
</para>
|
||||
|
|
@ -4624,7 +4624,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
|
|||
track managed DNSSEC keys (i.e., those configured using
|
||||
the <command>initial-key</command> or
|
||||
<command>initial-ds</command> keywords in a
|
||||
<command>dnssec-keys</command> statement). By default,
|
||||
<command>trust-anchors</command> statement). By default,
|
||||
this is the working directory. The directory
|
||||
<emphasis>must</emphasis> be writable by the effective
|
||||
user ID of the <command>named</command> process.
|
||||
|
|
@ -5062,7 +5062,7 @@ options {
|
|||
as insecure.
|
||||
</para>
|
||||
<para>
|
||||
Configured trust anchors in <command>dnssec-keys</command>
|
||||
Configured trust anchors in <command>trust-anchors</command>
|
||||
(or <command>managed-keys</command> or
|
||||
<command>trusted-keys</command>, both deprecated)
|
||||
that match a disabled algorithm will be ignored and treated
|
||||
|
|
@ -5100,7 +5100,7 @@ options {
|
|||
they are secure. If <userinput>no</userinput>, then normal
|
||||
DNSSEC validation applies allowing for insecure answers to
|
||||
be accepted. The specified domain must be defined as a
|
||||
trust anchor, for instance in a <command>dnssec-keys</command>
|
||||
trust anchor, for instance in a <command>trust-anchors</command>
|
||||
statement, or <command>dnssec-validation auto</command> must
|
||||
be active.
|
||||
</para>
|
||||
|
|
@ -6217,7 +6217,7 @@ options {
|
|||
Causes <command>named</command> to send specially-formed
|
||||
queries once per day to domains for which trust anchors
|
||||
have been configured via, e.g.,
|
||||
<command>dnssec-keys</command> or
|
||||
<command>trust-anchors</command> or
|
||||
<command>dnssec-validation auto</command>.
|
||||
</para>
|
||||
<para>
|
||||
|
|
@ -6432,7 +6432,7 @@ options {
|
|||
<para>
|
||||
If set to <userinput>yes</userinput>, DNSSEC validation is
|
||||
enabled, but a trust anchor must be manually configured
|
||||
using a <command>dnssec-keys</command> statement (or
|
||||
using a <command>trust-anchors</command> statement (or
|
||||
the <command>managed-keys</command> or the
|
||||
<command>trusted-keys</command> statements, both deprecated).
|
||||
If there is no configured trust anchor, validation will
|
||||
|
|
@ -10848,14 +10848,14 @@ example.com CNAME rpz-tcp-only.
|
|||
</para>
|
||||
</section>
|
||||
|
||||
<section xml:id="dnssec_keys"><info><title><command>dnssec-keys</command> Statement Grammar</title></info>
|
||||
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="dnssec-keys.grammar.xml"/>
|
||||
<section xml:id="trust_anchors"><info><title><command>trust-anchors</command> Statement Grammar</title></info>
|
||||
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="trust-anchors.grammar.xml"/>
|
||||
</section>
|
||||
<section xml:id="dnssec-keys"><info><title><command>dnssec-keys</command> Statement Definition
|
||||
<section xml:id="trust-anchors"><info><title><command>trust-anchors</command> Statement Definition
|
||||
and Usage</title></info>
|
||||
|
||||
<para>
|
||||
The <command>dnssec-keys</command> statement defines DNSSEC
|
||||
The <command>trust-anchors</command> statement defines DNSSEC
|
||||
trust anchors. DNSSEC is described in <xref linkend="DNSSEC"/>.
|
||||
</para>
|
||||
<para>
|
||||
|
|
@ -10874,21 +10874,21 @@ example.com CNAME rpz-tcp-only.
|
|||
the <command>validate-except</command> option).
|
||||
</para>
|
||||
<para>
|
||||
All keys listed in <command>dnssec-keys</command>, and
|
||||
All keys listed in <command>trust-anchors</command>, and
|
||||
their corresponding zones, are deemed to exist regardless
|
||||
of what parent zones say. Only keys configured as trust anchors
|
||||
are used to validate the DNSKEY RRset for the corresponding
|
||||
name. The parent's DS RRset will not be used.
|
||||
</para>
|
||||
<para>
|
||||
<command>dnssec-keys</command> may be set at the top level
|
||||
<command>trust-anchors</command> may be set at the top level
|
||||
of <filename>named.conf</filename> or within a view. If it is
|
||||
set in both places, the configurations are additive: keys
|
||||
defined at the top level are inherited by all views, but keys
|
||||
defined in a view are only used within that view.
|
||||
</para>
|
||||
<para>
|
||||
The <command>dnssec-keys</command> statement can contain
|
||||
The <command>trust-anchors</command> statement can contain
|
||||
multiple trust anchor entries, each consisting of a
|
||||
domain name, followed by an "anchor type" keyword indicating
|
||||
the trust anchor's format, followed by the key or digest data.
|
||||
|
|
@ -10928,7 +10928,7 @@ example.com CNAME rpz-tcp-only.
|
|||
<command>static-ds</command> would be unable to validate
|
||||
this zone any longer; it would reply with a SERVFAIL response
|
||||
code. This would continue until the resolver operator had
|
||||
updated the <command>dnssec-keys</command> statement with
|
||||
updated the <command>trust-anchors</command> statement with
|
||||
the new key.
|
||||
</para>
|
||||
<para>
|
||||
|
|
@ -10964,7 +10964,7 @@ example.com CNAME rpz-tcp-only.
|
|||
<command>initial-key</command> or <command>initial-ds</command>
|
||||
configured in <filename>named.conf</filename>, it fetches the
|
||||
DNSKEY RRset directly from the zone apex, and validates it
|
||||
using the trust anchor specified in <command>dnssec-keys</command>.
|
||||
using the trust anchor specified in <command>trust-anchors</command>.
|
||||
If the DNSKEY RRset is validly signed by a key matching
|
||||
the trust anchor, then it is used as the basis for a new
|
||||
managed keys database.
|
||||
|
|
@ -10973,10 +10973,10 @@ example.com CNAME rpz-tcp-only.
|
|||
From that point on, whenever <command>named</command> runs, it
|
||||
sees the <command>initial-key</command> or
|
||||
<command>initial-ds</command> listed in
|
||||
<command>dnssec-keys</command>, checks to
|
||||
<command>trust-anchors</command>, checks to
|
||||
make sure RFC 5011 key maintenance has already been initialized
|
||||
for the specified domain, and if so, it simply moves on. The
|
||||
key specified in the <command>dnssec-keys</command>
|
||||
key specified in the <command>trust-anchors</command>
|
||||
statement is not used to validate answers; it is
|
||||
superseded by the key or keys stored in the managed keys
|
||||
database.
|
||||
|
|
@ -10985,7 +10985,7 @@ example.com CNAME rpz-tcp-only.
|
|||
The next time <command>named</command> runs after an
|
||||
<command>initial-key</command> or <command>initial-ds</command>
|
||||
trust anchor has been <emphasis>removed</emphasis> from the
|
||||
<command>dnssec-keys</command> statement (or changed to
|
||||
<command>trust-anchors</command> statement (or changed to
|
||||
a <command>static-key</command> or <command>static-ds</command>),
|
||||
the corresponding keys will be removed from the managed keys
|
||||
database, and RFC 5011 key maintenance will no longer be used
|
||||
|
|
@ -11261,7 +11261,7 @@ example.com CNAME rpz-tcp-only.
|
|||
|
||||
<para>
|
||||
The <command>managed-keys</command> statement has been
|
||||
deprecated in favor of <xref linkend="dnssec_keys"/>
|
||||
deprecated in favor of <xref linkend="trust_anchors"/>
|
||||
with the <command>initial-key</command> keyword.
|
||||
</para>
|
||||
</section>
|
||||
|
|
@ -11274,7 +11274,7 @@ example.com CNAME rpz-tcp-only.
|
|||
|
||||
<para>
|
||||
The <command>trusted-keys</command> statement has been
|
||||
deprecated in favor of <xref linkend="dnssec_keys"/>
|
||||
deprecated in favor of <xref linkend="trust_anchors"/>
|
||||
with the <command>static-key</command> keyword.
|
||||
</para>
|
||||
</section>
|
||||
|
|
@ -11663,7 +11663,7 @@ view "external" {
|
|||
(KSK) for the zone must be configured as a trust
|
||||
anchor in <filename>named.conf</filename>: that
|
||||
is, a key for the zone must be specified in
|
||||
<command>dnssec-keys</command>. In the case
|
||||
<command>trust-anchors</command>. In the case
|
||||
of the root zone, you may also rely on the
|
||||
built-in root trust anchor, which is enabled
|
||||
when <xref endterm="dnssec_validation_term"
|
||||
|
|
|
|||
|
|
@ -24,10 +24,10 @@
|
|||
<!-- TODO: command tag is overloaded for configuration and executables -->
|
||||
<para>To configure a validating resolver to use RFC 5011 to
|
||||
maintain a trust anchor, configure the trust anchor using a
|
||||
<command>dnssec-keys</command> statement and the
|
||||
<command>trust-anchors</command> statement and the
|
||||
<command>initial-key</command> or <command>initial-ds</command>
|
||||
keyword. Information about this can be found in
|
||||
<xref linkend="dnssec-keys"/>.</para>
|
||||
<xref linkend="trust-anchors"/>.</para>
|
||||
</section>
|
||||
<section><info><title>Authoritative Server</title></info>
|
||||
|
||||
|
|
|
|||
33
doc/arm/notes-9.15.7.xml
Normal file
33
doc/arm/notes-9.15.7.xml
Normal file
|
|
@ -0,0 +1,33 @@
|
|||
<!--
|
||||
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
||||
-
|
||||
- This Source Code Form is subject to the terms of the Mozilla Public
|
||||
- License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
-
|
||||
- See the COPYRIGHT file distributed with this work for additional
|
||||
- information regarding copyright ownership.
|
||||
-->
|
||||
|
||||
<section xml:id="relnotes-9.15.7"><info><title>Notes for BIND 9.15.7</title></info>
|
||||
|
||||
<section xml:id="relnotes-9.15.7-changes"><info><title>Feature Changes</title></info>
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>
|
||||
The <command>dnssec-keys</command> configuration statement,
|
||||
which was introduced in 9.15.1 and revised in 9.15.6, has now
|
||||
been renamed to the more descriptive
|
||||
<command>trust-anchors</command>.
|
||||
</para>
|
||||
<para>
|
||||
(See the sections on
|
||||
<xref linkend="relnotes-9.15.6" xrefstyle="template:9.15.6"/> and
|
||||
<xref linkend="relnotes-9.15.1" xrefstyle="template:9.15.1"/>
|
||||
for prior discussion of this feature.)
|
||||
</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</section>
|
||||
|
||||
</section>
|
||||
|
|
@ -12,7 +12,7 @@
|
|||
<!-- Generated by doc/misc/docbook-options.pl -->
|
||||
|
||||
<programlisting>
|
||||
<command>dnssec-keys</command> { <replaceable>string</replaceable> ( static-key |
|
||||
<command>trust-anchors</command> { <replaceable>string</replaceable> ( static-key |
|
||||
<command>initial-key</command> | static-ds | initial-ds )
|
||||
<replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable>
|
||||
<replaceable>quoted_string</replaceable>; ... };
|
||||
|
|
@ -75,6 +75,6 @@ docbook: options
|
|||
${PERL} docbook-grammars.pl options.active options > ${top_srcdir}/doc/arm/options.grammar.xml
|
||||
${PERL} docbook-grammars.pl options.active server > ${top_srcdir}/doc/arm/server.grammar.xml
|
||||
${PERL} docbook-grammars.pl options.active statistics-channels > ${top_srcdir}/doc/arm/statistics-channels.grammar.xml
|
||||
${PERL} docbook-grammars.pl options.active dnssec-keys > ${top_srcdir}/doc/arm/dnssec-keys.grammar.xml
|
||||
${PERL} docbook-grammars.pl options.active trust-anchors > ${top_srcdir}/doc/arm/trust-anchors.grammar.xml
|
||||
${PERL} docbook-grammars.pl options.active managed-keys > ${top_srcdir}/doc/arm/managed-keys.grammar.xml
|
||||
${PERL} docbook-grammars.pl options.active trusted-keys > ${top_srcdir}/doc/arm/trusted-keys.grammar.xml
|
||||
|
|
|
|||
|
|
@ -46,7 +46,7 @@ been implemented but should still be considered experimental.
|
|||
|
||||
When acting as a caching name server, BIND9 is capable of performing
|
||||
basic DNSSEC validation of positive as well as nonexistence responses.
|
||||
This functionality is enabled by including a "dnssec-keys" clause
|
||||
This functionality is enabled by including a "trust-anchors" clause
|
||||
in the configuration file, containing the top-level zone key of the
|
||||
the DNSSEC tree.
|
||||
|
||||
|
|
|
|||
|
|
@ -3655,7 +3655,7 @@ check_non_ds_keys(isc_symtab_t *symtab, const cfg_obj_t *keylist,
|
|||
* Check for conflicts between static and initialiizing keys.
|
||||
*/
|
||||
static isc_result_t
|
||||
check_ta_conflicts(const cfg_obj_t *global_dkeys, const cfg_obj_t *view_dkeys,
|
||||
check_ta_conflicts(const cfg_obj_t *global_ta, const cfg_obj_t *view_ta,
|
||||
const cfg_obj_t *global_tkeys, const cfg_obj_t *view_tkeys,
|
||||
bool autovalidation, isc_mem_t *mctx, isc_log_t *logctx)
|
||||
{
|
||||
|
|
@ -3676,10 +3676,10 @@ check_ta_conflicts(const cfg_obj_t *global_dkeys, const cfg_obj_t *view_dkeys,
|
|||
|
||||
/*
|
||||
* First we record all the static keys (i.e., old-style
|
||||
* trusted-keys and dnssec-keys configured with "static-key"),
|
||||
* trusted-keys and trust-anchors configured with "static-key"),
|
||||
* and all the DS-style trust anchors.
|
||||
*/
|
||||
for (elt = cfg_list_first(global_dkeys);
|
||||
for (elt = cfg_list_first(global_ta);
|
||||
elt != NULL;
|
||||
elt = cfg_list_next(elt))
|
||||
{
|
||||
|
|
@ -3696,7 +3696,7 @@ check_ta_conflicts(const cfg_obj_t *global_dkeys, const cfg_obj_t *view_dkeys,
|
|||
}
|
||||
}
|
||||
|
||||
for (elt = cfg_list_first(view_dkeys);
|
||||
for (elt = cfg_list_first(view_ta);
|
||||
elt != NULL;
|
||||
elt = cfg_list_next(elt))
|
||||
{
|
||||
|
|
@ -3739,10 +3739,10 @@ check_ta_conflicts(const cfg_obj_t *global_dkeys, const cfg_obj_t *view_dkeys,
|
|||
|
||||
/*
|
||||
* Next, ensure that there's no conflict between the
|
||||
* static keys and the dnssec-keys configured with "initial-key",
|
||||
* or between DS-style and DNSKEY-style dnssec-keys.
|
||||
* static keys and the trust-anchors configured with "initial-key",
|
||||
* or between DS-style and DNSKEY-style trust-anchors.
|
||||
*/
|
||||
for (elt = cfg_list_first(global_dkeys);
|
||||
for (elt = cfg_list_first(global_ta);
|
||||
elt != NULL;
|
||||
elt = cfg_list_next(elt))
|
||||
{
|
||||
|
|
@ -3758,7 +3758,7 @@ check_ta_conflicts(const cfg_obj_t *global_dkeys, const cfg_obj_t *view_dkeys,
|
|||
}
|
||||
}
|
||||
|
||||
for (elt = cfg_list_first(view_dkeys);
|
||||
for (elt = cfg_list_first(view_ta);
|
||||
elt != NULL;
|
||||
elt = cfg_list_next(elt))
|
||||
{
|
||||
|
|
@ -3965,7 +3965,7 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
|
|||
const cfg_obj_t *zones = NULL;
|
||||
const cfg_obj_t *view_tkeys = NULL, *global_tkeys = NULL;
|
||||
const cfg_obj_t *view_mkeys = NULL, *global_mkeys = NULL;
|
||||
const cfg_obj_t *view_dkeys = NULL, *global_dkeys = NULL;
|
||||
const cfg_obj_t *view_ta = NULL, *global_ta = NULL;
|
||||
const cfg_obj_t *check_keys[2] = { NULL, NULL };
|
||||
const cfg_obj_t *keys = NULL;
|
||||
#ifndef HAVE_DLOPEN
|
||||
|
|
@ -4137,11 +4137,11 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
|
|||
*/
|
||||
if (voptions != NULL) {
|
||||
(void)cfg_map_get(voptions, "trusted-keys", &view_tkeys);
|
||||
(void)cfg_map_get(voptions, "dnssec-keys", &view_dkeys);
|
||||
(void)cfg_map_get(voptions, "trust-anchors", &view_ta);
|
||||
(void)cfg_map_get(voptions, "managed-keys", &view_mkeys);
|
||||
}
|
||||
(void)cfg_map_get(config, "trusted-keys", &global_tkeys);
|
||||
(void)cfg_map_get(config, "dnssec-keys", &global_dkeys);
|
||||
(void)cfg_map_get(config, "trust-anchors", &global_ta);
|
||||
(void)cfg_map_get(config, "managed-keys", &global_mkeys);
|
||||
|
||||
/*
|
||||
|
|
@ -4178,7 +4178,7 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
|
|||
ISC_LOG_WARNING,
|
||||
"trusted-keys entry for the root "
|
||||
"zone WILL FAIL after key "
|
||||
"rollover - use dnssec-keys "
|
||||
"rollover - use trust-anchors "
|
||||
"with initial-key "
|
||||
"or initial-ds instead.");
|
||||
}
|
||||
|
|
@ -4191,24 +4191,24 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
|
|||
* Check dnssec/managed-keys. (Only one or the other can be used.)
|
||||
*/
|
||||
if ((view_mkeys != NULL || global_mkeys != NULL) &&
|
||||
(view_dkeys != NULL || global_dkeys != NULL))
|
||||
(view_ta != NULL || global_ta != NULL))
|
||||
{
|
||||
keys = (view_mkeys != NULL) ? view_mkeys : global_mkeys;
|
||||
|
||||
cfg_obj_log(keys, logctx, ISC_LOG_ERROR,
|
||||
"use of managed-keys is not allowed when "
|
||||
"dnssec-keys is also in use");
|
||||
"trust-anchors is also in use");
|
||||
result = ISC_R_FAILURE;
|
||||
|
||||
}
|
||||
|
||||
if (view_dkeys == NULL && global_dkeys == NULL) {
|
||||
view_dkeys = view_mkeys;
|
||||
global_dkeys = global_mkeys;
|
||||
if (view_ta == NULL && global_ta == NULL) {
|
||||
view_ta = view_mkeys;
|
||||
global_ta = global_mkeys;
|
||||
}
|
||||
|
||||
check_keys[0] = view_dkeys;
|
||||
check_keys[1] = global_dkeys;
|
||||
check_keys[0] = view_ta;
|
||||
check_keys[1] = global_ta;
|
||||
for (i = 0; i < 2; i++) {
|
||||
if (check_keys[i] != NULL) {
|
||||
unsigned int flags = 0;
|
||||
|
|
@ -4238,7 +4238,7 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
|
|||
ISC_LOG_WARNING,
|
||||
"static entry for the root "
|
||||
"zone WILL FAIL after key "
|
||||
"rollover - use dnssec-keys "
|
||||
"rollover - use trust-anchors "
|
||||
"with initial-key "
|
||||
"or initial-ds instead.");
|
||||
}
|
||||
|
|
@ -4258,14 +4258,14 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
|
|||
}
|
||||
|
||||
if ((tflags & ROOT_KSK_ANY) != 0 && (dflags & ROOT_KSK_ANY) != 0) {
|
||||
keys = (view_dkeys != NULL) ? view_dkeys : global_dkeys;
|
||||
keys = (view_ta != NULL) ? view_ta : global_ta;
|
||||
cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
|
||||
"both trusted-keys and dnssec-keys "
|
||||
"both trusted-keys and trust-anchors "
|
||||
"for the root zone are present");
|
||||
}
|
||||
|
||||
if ((dflags & ROOT_KSK_ANY) == ROOT_KSK_ANY) {
|
||||
keys = (view_dkeys != NULL) ? view_dkeys : global_dkeys;
|
||||
keys = (view_ta != NULL) ? view_ta : global_ta;
|
||||
cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
|
||||
"both initial and static entries for the "
|
||||
"root zone are present");
|
||||
|
|
@ -4282,7 +4282,7 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
|
|||
autovalidation = true;
|
||||
}
|
||||
|
||||
tresult = check_ta_conflicts(global_dkeys, view_dkeys,
|
||||
tresult = check_ta_conflicts(global_ta, view_ta,
|
||||
global_tkeys, view_tkeys,
|
||||
autovalidation, mctx, logctx);
|
||||
if (tresult != ISC_R_SUCCESS) {
|
||||
|
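Review bot: The comment heading the exclusivity check in check_viewconf, `* Check dnssec/managed-keys. (Only one or the other can be used.)`, still uses the old statement name while the error string three lines below it was renamed to `trust-anchors`; suggest `* Check trust-anchors/managed-keys. (Only one or the other can be used.)` so the comment and the message agree. The header comment of check_ta_conflicts in the first hunk also carries the pre-existing typo `initialiizing`, which this rename pass could fix while it is touching that function's signature. Both check_ta_conflicts and check_viewconf begin outside the visible hunks, so only the renamed lines were reviewed here.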
|
|
|||
|
|
@ -4300,10 +4300,10 @@ addifmissing(dns_keytable_t *keytable, dns_keynode_t *keynode,
|
|||
* statements with the set of trust anchors found in the managed-keys.bind
|
||||
* zone. If a domain is no longer named in managed-keys, delete all keys
|
||||
* from that domain from the key zone. If a domain is configured as an
|
||||
* initial-key in dnssec-keys, but there are no references to it in the
|
||||
* initial-key in trust-anchors, but there are no references to it in the
|
||||
* key zone, load the key zone with the initializing key(s) for that
|
||||
* domain and schedule a key refresh. If a domain is configured as
|
||||
* an initial-ds in dnssec-keys, fetch the DNSKEY RRset, load the key
|
||||
* an initial-ds in trust-anchors, fetch the DNSKEY RRset, load the key
|
||||
* zone with the matching key, and schedule a key refresh.
|
||||
*/
|
||||
static isc_result_t
|
||||
|
|
@ -4335,7 +4335,7 @@ sync_keyzone(dns_zone_t *zone, dns_db_t *db) {
|
|||
|
||||
/*
|
||||
* Walk the zone DB. If we find any keys whose names are no longer
|
||||
* in dnssec-keys, or which have been changed from initial to static,
|
||||
* in trust-anchors, or which have been changed from initial to static,
|
||||
* (meaning they are permanent and not RFC5011-maintained), delete
|
||||
* them from the zone. Otherwise call load_secroots(), which
|
||||
* loads keys into secroots as appropriate.
|
||||
|
|
|
|||
|
|
@ -198,7 +198,7 @@ configure_dnsseckeys(irs_dnsconf_t *conf, cfg_obj_t *cfgobj,
|
|||
}
|
||||
|
||||
keys = NULL;
|
||||
cfg_map_get(cfgobj, "dnssec-keys", &keys);
|
||||
cfg_map_get(cfgobj, "trust-anchors", &keys);
|
||||
if (keys == NULL) {
|
||||
return (ISC_R_SUCCESS);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -23,9 +23,9 @@
|
|||
* Notes:
|
||||
* This module is very experimental and the configuration syntax or library
|
||||
* interfaces may change in future versions. Currently, only static
|
||||
* key configuration is supported; "trusted-keys" and "dnssec-keys"/
|
||||
* key configuration is supported; "trusted-keys" and "trust-anchors"/
|
||||
* "managed-keys" statements will be parsed exactly as they are in
|
||||
* named.conf, except that "dnssec-keys" and "managed-keys" entries will
|
||||
* named.conf, except that "trust-anchors" and "managed-keys" entries will
|
||||
* be treated as if they were configured with "static-key", even if they
|
||||
* were actually configured with "initial-key".
|
||||
*/
|
||||
|
|
|
|||
|
|
@ -459,7 +459,7 @@ static cfg_type_t cfg_type_dnsseckey = {
|
|||
|
||||
/*%
|
||||
* A key initialization specifier, as used in the
|
||||
* "dnssec-keys" (or synonymous "managed-keys") statement.
|
||||
* "trust-anchors" (or synonymous "managed-keys") statement.
|
||||
*/
|
||||
static const char *anchortype_enums[] = {
|
||||
"static-key", "initial-key", "static-ds", "initial-ds", NULL
|
||||
|
|
@ -1056,11 +1056,11 @@ namedconf_or_view_clauses[] = {
|
|||
{ "dlz", &cfg_type_dlz, CFG_CLAUSEFLAG_MULTI },
|
||||
{ "dyndb", &cfg_type_dyndb, CFG_CLAUSEFLAG_MULTI },
|
||||
{ "key", &cfg_type_key, CFG_CLAUSEFLAG_MULTI },
|
||||
{ "dnssec-keys", &cfg_type_dnsseckeys, CFG_CLAUSEFLAG_MULTI },
|
||||
{ "managed-keys", &cfg_type_dnsseckeys,
|
||||
CFG_CLAUSEFLAG_MULTI|CFG_CLAUSEFLAG_DEPRECATED },
|
||||
{ "plugin", &cfg_type_plugin, CFG_CLAUSEFLAG_MULTI },
|
||||
{ "server", &cfg_type_server, CFG_CLAUSEFLAG_MULTI },
|
||||
{ "trust-anchors", &cfg_type_dnsseckeys, CFG_CLAUSEFLAG_MULTI },
|
||||
{ "trusted-keys", &cfg_type_trustedkeys,
|
||||
CFG_CLAUSEFLAG_MULTI|CFG_CLAUSEFLAG_DEPRECATED },
|
||||
{ "zone", &cfg_type_zone, CFG_CLAUSEFLAG_MULTI },
|
||||
|
|
@ -1072,9 +1072,9 @@ namedconf_or_view_clauses[] = {
|
|||
*/
|
||||
static cfg_clausedef_t
|
||||
bindkeys_clauses[] = {
|
||||
{ "dnssec-keys", &cfg_type_dnsseckeys, CFG_CLAUSEFLAG_MULTI },
|
||||
{ "managed-keys", &cfg_type_dnsseckeys,
|
||||
CFG_CLAUSEFLAG_MULTI|CFG_CLAUSEFLAG_DEPRECATED },
|
||||
{ "trust-anchors", &cfg_type_dnsseckeys, CFG_CLAUSEFLAG_MULTI },
|
||||
{ "trusted-keys", &cfg_type_trustedkeys,
|
||||
CFG_CLAUSEFLAG_MULTI|CFG_CLAUSEFLAG_DEPRECATED },
|
||||
{ NULL, NULL, 0 }
|
||||
|
|
@ -2389,7 +2389,7 @@ LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_namedconf = {
|
|||
&cfg_rep_map, namedconf_clausesets
|
||||
};
|
||||
|
||||
/*% The bind.keys syntax (dnssec-keys/managed-keys/trusted-keys only). */
|
||||
/*% The bind.keys syntax (trust-anchors/managed-keys/trusted-keys only). */
|
||||
static cfg_clausedef_t *
|
||||
bindkeys_clausesets[] = {
|
||||
bindkeys_clauses,
|
||||
|
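Review bot: The `dnssec-keys` rows are removed from namedconf_or_view_clauses and bindkeys_clauses outright rather than kept as deprecated aliases, unlike `managed-keys` and `trusted-keys`, which retain their rows with CFG_CLAUSEFLAG_DEPRECATED; a named.conf or bind.keys written against 9.15.1–9.15.6 will presumably now be rejected as an unknown clause instead of loading with a deprecation warning. For a validator that is fail-closed (the configuration is refused, presumably before any resolution happens), which is the safe direction, but it is a hard break for anyone tracking the development branch with an existing `dnssec-keys` block. If the break is intentional, a one-line comment above bindkeys_clauses saying that `dnssec-keys` was dropped without an alias would document the decision; otherwise adding `{ "dnssec-keys", &cfg_type_dnsseckeys, CFG_CLAUSEFLAG_MULTI|CFG_CLAUSEFLAG_DEPRECATED },` to both tables would keep older files parsing. The cfg_type_dnsseckeys and cfg_type_dnsseckey identifiers keep their old names, which is acceptable, but the comment above anchortype_enums could note that the type name no longer matches the statement name.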
|
|
|||
|
|
@ -23,7 +23,7 @@ while (<>) {
|
|||
$lines .= $_ . "\n";
|
||||
}
|
||||
|
||||
my $mkey = '#define DNSSEC_KEYS "\\' . "\n" . $lines . "\"\n";
|
||||
my $mkey = '#define TRUST_ANCHORS "\\' . "\n" . $lines . "\"\n";
|
||||
|
||||
print "#ifndef BIND_KEYS_H\n";
|
||||
print "#define BIND_KEYS_H 1\n";
|
||||
|
|
|
|||
|
|
@ -1417,7 +1417,6 @@
|
|||
./doc/arm/controls.grammar.xml SGML 2018,2019
|
||||
./doc/arm/delegation-only.zoneopt.xml SGML 2018,2019
|
||||
./doc/arm/dlz.xml SGML 2012,2013,2014,2015,2016,2018,2019
|
||||
./doc/arm/dnssec-keys.grammar.xml SGML 2019
|
||||
./doc/arm/dnssec-policy.grammar.xml SGML 2019
|
||||
./doc/arm/dnssec.xml SGML 2010,2011,2015,2016,2017,2018,2019
|
||||
./doc/arm/dyndb.xml SGML 2015,2016,2018,2019
|
||||
|
|
@ -1478,6 +1477,7 @@
|
|||
./doc/arm/notes-9.15.4.xml SGML 2019
|
||||
./doc/arm/notes-9.15.5.xml SGML 2019
|
||||
./doc/arm/notes-9.15.6.xml SGML 2019
|
||||
./doc/arm/notes-9.15.7.xml SGML 2019
|
||||
./doc/arm/notes-download.xml SGML 2019
|
||||
./doc/arm/notes-eol.xml SGML 2019
|
||||
./doc/arm/notes-intro.xml SGML 2019
|
||||
|
|
@ -1502,6 +1502,7 @@
|
|||
./doc/arm/static-stub.zoneopt.xml SGML 2018,2019
|
||||
./doc/arm/statistics-channels.grammar.xml SGML 2018,2019
|
||||
./doc/arm/stub.zoneopt.xml SGML 2018,2019
|
||||
./doc/arm/trust-anchors.grammar.xml SGML 2019
|
||||
./doc/arm/trusted-keys.grammar.xml SGML 2018,2019
|
||||
./doc/design/addressdb TXT.BRIEF 2000,2001,2004,2016,2018,2019
|
||||
./doc/design/cds-child TXT.BRIEF 2015,2016,2018,2019
|
||||
|
|
|
|||