ComputerSurge/bind9
3
0
Fork 0
Code Pull Requests 1 Activity

2799. [cleanup] Changed the "secure-to-insecure" option to

Browse Source 
"dnssec-secure-to-insecure", and "dnskey-ksk-only"
			to "dnssec-dnskey-kskonly", for clarity. [RT #20586]
This commit is contained in:
Evan Hunt
2009-12-03 23:18:17 +00:00
parent f70450a70f
commit 8e4f3f1cbc
11 changed files with 44 additions and 39 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
CHANGES
View File

@@ -1,3 +1,7 @@
2799. [cleanup] Changed the "secure-to-insecure" option to
"dnssec-secure-to-insecure", and "dnskey-ksk-only"
to "dnssec-dnskey-kskonly", for clarity. [RT #20586]
2798. [bug] Addressed bugs in managed-keys initialization
and rollover. [RT #20683]

2
NSEC3-NOTES
View File

@@ -129,7 +129,7 @@ NSEC chain will be generated before the NSEC3 chain is removed.
To do this remove all the DNSKEY records. Any NSEC or NSEC3 chains
will be removed as well as associated NSEC3PARAM records. This will
take place after the update requests completes. This requires
secure-to-insecure to be set in named.conf.
dnssec-secure-to-insecure to be set in named.conf.
Periodic re-signing.

4
bin/dnssec/dnssec-signzone.docbook
View File

@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-signzone.docbook,v 1.43 2009/11/03 21:44:46 each Exp $ -->
<!-- $Id: dnssec-signzone.docbook,v 1.44 2009/12/03 23:18:16 each Exp $ -->
<refentry id="man.dnssec-signzone">
<refentryinfo>
<date>June 05, 2009</date>
@@ -559,7 +559,7 @@
<para>
Only sign the DNSKEY RRset with key-signing keys, and omit
signatures from zone-signing keys. (This is similar to the
<command>dnskey-ksk-only yes;</command> zone option in
<command>dnssec-dnskey-kskonly yes;</command> zone option in
<command>named</command>.)
</para>
</listitem>

6
bin/named/config.c
View File

@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: config.c,v 1.104 2009/10/26 23:14:53 each Exp $ */
/* $Id: config.c,v 1.105 2009/12/03 23:18:16 each Exp $ */
/*! \file */
@@ -189,7 +189,7 @@ options {\n\
max-refresh-time 2419200; /* 4 weeks */\n\
min-refresh-time 300;\n\
multi-master no;\n\
secure-to-insecure no;\n\
dnssec-secure-to-insecure no;\n\
sig-validity-interval 30; /* days */\n\
sig-signing-nodes 100;\n\
sig-signing-signatures 10;\n\
@@ -204,7 +204,7 @@ options {\n\
check-srv-cname warn;\n\
zero-no-soa-ttl yes;\n\
update-check-ksk yes;\n\
dnskey-ksk-only no;\n\
dnssec-dnskey-kskonly no;\n\
try-tcp-refresh yes; /* BIND 8 compat */\n\
};\n\
"

14
bin/named/named.conf.docbook
View File

@@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: named.conf.docbook,v 1.43 2009/10/16 02:59:41 each Exp $ -->
<!-- $Id: named.conf.docbook,v 1.44 2009/12/03 23:18:16 each Exp $ -->
<refentry>
<refentryinfo>
<date>Aug 13, 2004</date>
@@ -302,7 +302,7 @@ options {
allow-update { <replaceable>address_match_element</replaceable>; ... };
allow-update-forwarding { <replaceable>address_match_element</replaceable>; ... };
update-check-ksk <replaceable>boolean</replaceable>;
dnskey-ksk-only <replaceable>boolean</replaceable>;
dnssec-dnskey-kskonly <replaceable>boolean</replaceable>;
masterfile-format ( text | raw );
notify <replaceable>notifytype</replaceable>;
@@ -353,7 +353,7 @@ options {
try-tcp-refresh <replaceable>boolean</replaceable>;
zero-no-soa-ttl <replaceable>boolean</replaceable>;
zero-no-soa-ttl-cache <replaceable>boolean</replaceable>;
secure-to-insecure <replaceable>boolean</replaceable>;
dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
deny-answer-addresses {
<replaceable>address_match_list</replaceable>
} <optional> except-from { <replaceable>namelist</replaceable> } </optional>;
@@ -476,7 +476,7 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
allow-update { <replaceable>address_match_element</replaceable>; ... };
allow-update-forwarding { <replaceable>address_match_element</replaceable>; ... };
update-check-ksk <replaceable>boolean</replaceable>;
dnskey-ksk-only <replaceable>boolean</replaceable>;
dnssec-dnskey-kskonly <replaceable>boolean</replaceable>;
masterfile-format ( text | raw );
notify <replaceable>notifytype</replaceable>;
@@ -521,7 +521,7 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
key-directory <replaceable>quoted_string</replaceable>;
zero-no-soa-ttl <replaceable>boolean</replaceable>;
zero-no-soa-ttl-cache <replaceable>boolean</replaceable>;
secure-to-insecure <replaceable>boolean</replaceable>;
dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
allow-v6-synthesis { <replaceable>address_match_element</replaceable>; ... }; // obsolete
fetch-glue <replaceable>boolean</replaceable>; // obsolete
@@ -556,7 +556,7 @@ zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
ixfr-from-differences <replaceable>boolean</replaceable>;
journal <replaceable>quoted_string</replaceable>;
zero-no-soa-ttl <replaceable>boolean</replaceable>;
secure-to-insecure <replaceable>boolean</replaceable>;
dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
allow-query { <replaceable>address_match_element</replaceable>; ... };
allow-query-on { <replaceable>address_match_element</replaceable>; ... };
@@ -572,7 +572,7 @@ zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
<optional>...</optional>
}</replaceable>;
update-check-ksk <replaceable>boolean</replaceable>;
dnskey-ksk-only <replaceable>boolean</replaceable>;
dnssec-dnskey-kskonly <replaceable>boolean</replaceable>;
masterfile-format ( text | raw );
notify <replaceable>notifytype</replaceable>;

7
bin/named/update.c
View File

@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: update.c,v 1.171 2009/11/24 03:42:32 each Exp $ */
/* $Id: update.c,v 1.172 2009/12/03 23:18:16 each Exp $ */
#include <config.h>
@@ -4122,8 +4122,9 @@ update_action(isc_task_t *task, isc_event_t *event) {
&had_dnskey));
if (had_dnskey && !has_dnskey) {
update_log(client, zone, LOGLEVEL_PROTOCOL,
"update rejected: all DNSKEY records "
"removed and 'secure-to-insecure' "
"update rejected: all DNSKEY "
"records removed and "
"'dnssec-secure-to-insecure' "
"not set");
result = DNS_R_REFUSED;
goto failure;

6
bin/named/zoneconf.c
View File

@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: zoneconf.c,v 1.159 2009/10/22 03:43:16 each Exp $ */
/* $Id: zoneconf.c,v 1.160 2009/12/03 23:18:17 each Exp $ */
/*% */
@@ -855,7 +855,7 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
cfg_obj_asboolean(obj));
obj = NULL;
result = ns_config_get(maps, "dnskey-ksk-only", &obj);
result = ns_config_get(maps, "dnssec-dnskey-kskonly", &obj);
INSIST(result == ISC_R_SUCCESS);
dns_zone_setoption(zone, DNS_ZONEOPT_DNSKEYKSKONLY,
cfg_obj_asboolean(obj));
@@ -933,7 +933,7 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
dns_zone_setoption(zone, DNS_ZONEOPT_IGNORESRVCNAME, ignore);
obj = NULL;
result = ns_config_get(maps, "secure-to-insecure", &obj);
result = ns_config_get(maps, "dnssec-secure-to-insecure", &obj);
INSIST(obj != NULL);
dns_zone_setoption(zone, DNS_ZONEOPT_SECURETOINSECURE,
cfg_obj_asboolean(obj));

22
doc/arm/Bv9ARM-book.xml
View File

@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- File: $Id: Bv9ARM-book.xml,v 1.447 2009/11/28 15:57:37 vjs Exp $ -->
<!-- File: $Id: Bv9ARM-book.xml,v 1.448 2009/12/03 23:18:17 each Exp $ -->
<book xmlns:xi="http://www.w3.org/2001/XInclude">
<title>BIND 9 Administrator Reference Manual</title>
@@ -4923,8 +4923,8 @@ badresp:1,adberr:0,findfail:0,valfail:0]
<optional> allow-update { <replaceable>address_match_list</replaceable> }; </optional>
<optional> allow-update-forwarding { <replaceable>address_match_list</replaceable> }; </optional>
<optional> update-check-ksk <replaceable>yes_or_no</replaceable>; </optional>
<optional> dnskey-ksk-only <replaceable>yes_or_no</replaceable>; </optional>
<optional> secure-to-insecure <replaceable>yes_or_no</replaceable> ;</optional>
<optional> dnssec-dnskey-kskonly <replaceable>yes_or_no</replaceable>; </optional>
<optional> dnssec-secure-to-insecure <replaceable>yes_or_no</replaceable> ;</optional>
<optional> try-tcp-refresh <replaceable>yes_or_no</replaceable>; </optional>
<optional> allow-v6-synthesis { <replaceable>address_match_list</replaceable> }; </optional>
<optional> blackhole { <replaceable>address_match_list</replaceable> }; </optional>
@@ -6556,7 +6556,7 @@ options {
</varlistentry>
<varlistentry>
<term><command>dnskey-ksk-only</command></term>
<term><command>dnssec-dnskey-kskonly</command></term>
<listitem>
<para>
When this option and <command>update-check-ksk</command>
@@ -6588,7 +6588,7 @@ options {
</varlistentry>
<varlistentry>
<term><command>secure-to-insecure</command></term>
<term><command>dnssec-secure-to-insecure</command></term>
<listitem>
<para>
Allow a zone to transition from secure to insecure by
@@ -9520,8 +9520,8 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
<optional> allow-transfer { <replaceable>address_match_list</replaceable> }; </optional>
<optional> allow-update-forwarding { <replaceable>address_match_list</replaceable> }; </optional>
<optional> update-check-ksk <replaceable>yes_or_no</replaceable>; </optional>
<optional> dnskey-ksk-only <replaceable>yes_or_no</replaceable>; </optional>
<optional> secure-to-insecure <replaceable>yes_or_no</replaceable> ; </optional>
<optional> dnssec-dnskey-kskonly <replaceable>yes_or_no</replaceable>; </optional>
<optional> dnssec-secure-to-insecure <replaceable>yes_or_no</replaceable> ; </optional>
<optional> try-tcp-refresh <replaceable>yes_or_no</replaceable>; </optional>
<optional> also-notify { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ;
<optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
@@ -10034,11 +10034,11 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
</varlistentry>
<varlistentry>
<term><command>dnskey-ksk-only</command></term>
<term><command>dnssec-dnskey-kskonly</command></term>
<listitem>
<para>
See the description of
<command>dnskey-ksk-only</command> in <xref linkend="boolean_options"/>.
<command>dnssec-dnskey-kskonly</command> in <xref linkend="boolean_options"/>.
</para>
</listitem>
</varlistentry>
@@ -10479,11 +10479,11 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
</varlistentry>
<varlistentry>
<term><command>secure-to-insecure</command></term>
<term><command>dnssec-secure-to-insecure</command></term>
<listitem>
<para>
See the description of
<command>secure-to-insecure</command> in <xref linkend="boolean_options"/>.
<command>dnssec-secure-to-insecure</command> in <xref linkend="boolean_options"/>.
</para>
</listitem>
</varlistentry>

6
lib/bind9/check.c
View File

@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: check.c,v 1.112 2009/10/12 23:48:01 tbox Exp $ */
/* $Id: check.c,v 1.113 2009/12/03 23:18:17 each Exp $ */
/*! \file */
@@ -1101,7 +1101,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
{ "min-retry-time", SLAVEZONE | STUBZONE },
{ "max-refresh-time", SLAVEZONE | STUBZONE },
{ "min-refresh-time", SLAVEZONE | STUBZONE },
{ "secure-to-insecure", MASTERZONE },
{ "dnssec-secure-to-insecure", MASTERZONE },
{ "sig-validity-interval", MASTERZONE },
{ "sig-re-signing-interval", MASTERZONE },
{ "sig-signing-nodes", MASTERZONE },
@@ -1126,7 +1126,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
{ "check-srv-cname", MASTERZONE },
{ "masterfile-format", MASTERZONE | SLAVEZONE | STUBZONE | HINTZONE },
{ "update-check-ksk", MASTERZONE },
{ "dnskey-ksk-only", MASTERZONE },
{ "dnssec-dnskey-kskonly", MASTERZONE },
{ "auto-dnssec", MASTERZONE },
{ "try-tcp-refresh", SLAVEZONE },
};

6
lib/dns/include/dns/zone.h
View File

@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: zone.h,v 1.170 2009/10/12 20:48:12 each Exp $ */
/* $Id: zone.h,v 1.171 2009/12/03 23:18:17 each Exp $ */
#ifndef DNS_ZONE_H
#define DNS_ZONE_H 1
@@ -71,8 +71,8 @@ typedef enum {
#define DNS_ZONEOPT_TRYTCPREFRESH 0x01000000U /*%< try tcp refresh on udp failure */
#define DNS_ZONEOPT_NOTIFYTOSOA 0x02000000U /*%< Notify the SOA MNAME */
#define DNS_ZONEOPT_NSEC3TESTZONE 0x04000000U /*%< nsec3-test-zone */
#define DNS_ZONEOPT_SECURETOINSECURE 0x08000000U /*%< secure-to-insecure */
#define DNS_ZONEOPT_DNSKEYKSKONLY 0x10000000U /*%< dnskey-ksk-only */
#define DNS_ZONEOPT_SECURETOINSECURE 0x08000000U /*%< dnssec-secure-to-insecure */
#define DNS_ZONEOPT_DNSKEYKSKONLY 0x10000000U /*%< dnssec-dnskey-kskonly */
#ifndef NOMINUM_PUBLIC
/*

6
lib/isccfg/namedconf.c
View File

@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: namedconf.c,v 1.111 2009/11/28 15:57:37 vjs Exp $ */
/* $Id: namedconf.c,v 1.112 2009/12/03 23:18:17 each Exp $ */
/*! \file */
@@ -1126,7 +1126,8 @@ zone_clauses[] = {
{ "check-srv-cname", &cfg_type_checkmode, 0 },
{ "check-wildcard", &cfg_type_boolean, 0 },
{ "dialup", &cfg_type_dialuptype, 0 },
{ "dnskey-ksk-only", &cfg_type_boolean, 0 },
{ "dnssec-dnskey-kskonly", &cfg_type_boolean, 0 },
{ "dnssec-secure-to-insecure", &cfg_type_boolean, 0 },
{ "forward", &cfg_type_forwardtype, 0 },
{ "forwarders", &cfg_type_portiplist, 0 },
{ "key-directory", &cfg_type_qstring, 0 },
@@ -1149,7 +1150,6 @@ zone_clauses[] = {
{ "notify-source-v6", &cfg_type_sockaddr6wild, 0 },
{ "notify-to-soa", &cfg_type_boolean, 0 },
{ "nsec3-test-zone", &cfg_type_boolean, CFG_CLAUSEFLAG_TESTONLY },
{ "secure-to-insecure", &cfg_type_boolean, 0 },
{ "sig-signing-nodes", &cfg_type_uint32, 0 },
{ "sig-signing-signatures", &cfg_type_uint32, 0 },
{ "sig-signing-type", &cfg_type_uint32, 0 },