From 8e4f3f1cbceef520ba889270c993de0ac376a2a7 Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Thu, 3 Dec 2009 23:18:17 +0000 Subject: [PATCH] 2799. [cleanup] Changed the "secure-to-insecure" option to "dnssec-secure-to-insecure", and "dnskey-ksk-only" to "dnssec-dnskey-kskonly", for clarity. [RT #20586] --- CHANGES | 4 ++++ NSEC3-NOTES | 2 +- bin/dnssec/dnssec-signzone.docbook | 4 ++-- bin/named/config.c | 6 +++--- bin/named/named.conf.docbook | 14 +++++++------- bin/named/update.c | 7 ++++--- bin/named/zoneconf.c | 6 +++--- doc/arm/Bv9ARM-book.xml | 22 +++++++++++----------- lib/bind9/check.c | 6 +++--- lib/dns/include/dns/zone.h | 6 +++--- lib/isccfg/namedconf.c | 6 +++--- 11 files changed, 44 insertions(+), 39 deletions(-) diff --git a/CHANGES b/CHANGES index d724a51e78..d3549c72ff 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ +2799. [cleanup] Changed the "secure-to-insecure" option to + "dnssec-secure-to-insecure", and "dnskey-ksk-only" + to "dnssec-dnskey-kskonly", for clarity. [RT #20586] + 2798. [bug] Addressed bugs in managed-keys initialization and rollover. [RT #20683] diff --git a/NSEC3-NOTES b/NSEC3-NOTES index 73a8cca4e4..8b23ed42e1 100644 --- a/NSEC3-NOTES +++ b/NSEC3-NOTES @@ -129,7 +129,7 @@ NSEC chain will be generated before the NSEC3 chain is removed. To do this remove all the DNSKEY records. Any NSEC or NSEC3 chains will be removed as well as associated NSEC3PARAM records. This will take place after the update requests completes. This requires -secure-to-insecure to be set in named.conf. +dnssec-secure-to-insecure to be set in named.conf. Periodic re-signing. diff --git a/bin/dnssec/dnssec-signzone.docbook b/bin/dnssec/dnssec-signzone.docbook index 7148c7d831..128ebe9634 100644 --- a/bin/dnssec/dnssec-signzone.docbook +++ b/bin/dnssec/dnssec-signzone.docbook @@ -18,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + June 05, 2009 
@@ -559,7 +559,7 @@ Only sign the DNSKEY RRset with key-signing keys, and omit signatures from zone-signing keys. (This is similar to the - dnskey-ksk-only yes; zone option in + dnssec-dnskey-kskonly yes; zone option in named.) diff --git a/bin/named/config.c b/bin/named/config.c index 4623482998..70b4a2fca3 100644 --- a/bin/named/config.c +++ b/bin/named/config.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: config.c,v 1.104 2009/10/26 23:14:53 each Exp $ */ +/* $Id: config.c,v 1.105 2009/12/03 23:18:16 each Exp $ */ /*! \file */ @@ -189,7 +189,7 @@ options {\n\ max-refresh-time 2419200; /* 4 weeks */\n\ min-refresh-time 300;\n\ multi-master no;\n\ - secure-to-insecure no;\n\ + dnssec-secure-to-insecure no;\n\ sig-validity-interval 30; /* days */\n\ sig-signing-nodes 100;\n\ sig-signing-signatures 10;\n\ @@ -204,7 +204,7 @@ options {\n\ check-srv-cname warn;\n\ zero-no-soa-ttl yes;\n\ update-check-ksk yes;\n\ - dnskey-ksk-only no;\n\ + dnssec-dnskey-kskonly no;\n\ try-tcp-refresh yes; /* BIND 8 compat */\n\ };\n\ " diff --git a/bin/named/named.conf.docbook b/bin/named/named.conf.docbook index c81cab9838..359deebfff 100644 --- a/bin/named/named.conf.docbook +++ b/bin/named/named.conf.docbook @@ -17,7 +17,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + Aug 13, 2004 @@ -302,7 +302,7 @@ options { allow-update { address_match_element; ... }; allow-update-forwarding { address_match_element; ... }; update-check-ksk boolean; - dnskey-ksk-only boolean; + dnssec-dnskey-kskonly boolean; masterfile-format ( text | raw ); notify notifytype; @@ -353,7 +353,7 @@ options { try-tcp-refresh boolean; zero-no-soa-ttl boolean; zero-no-soa-ttl-cache boolean; - secure-to-insecure boolean; + dnssec-secure-to-insecure boolean; deny-answer-addresses { address_match_list } except-from { namelist } ; 
@@ -476,7 +476,7 @@ view string optional_class allow-update { address_match_element; ... }; allow-update-forwarding { address_match_element; ... }; update-check-ksk boolean; - dnskey-ksk-only boolean; + dnssec-dnskey-kskonly boolean; masterfile-format ( text | raw ); notify notifytype; @@ -521,7 +521,7 @@ view string optional_class key-directory quoted_string; zero-no-soa-ttl boolean; zero-no-soa-ttl-cache boolean; - secure-to-insecure boolean; + dnssec-secure-to-insecure boolean; allow-v6-synthesis { address_match_element; ... }; // obsolete fetch-glue boolean; // obsolete @@ -556,7 +556,7 @@ zone string optional_class ixfr-from-differences boolean; journal quoted_string; zero-no-soa-ttl boolean; - secure-to-insecure boolean; + dnssec-secure-to-insecure boolean; allow-query { address_match_element; ... }; allow-query-on { address_match_element; ... }; @@ -572,7 +572,7 @@ zone string optional_class ... }; update-check-ksk boolean; - dnskey-ksk-only boolean; + dnssec-dnskey-kskonly boolean; masterfile-format ( text | raw ); notify notifytype; diff --git a/bin/named/update.c b/bin/named/update.c index 68afe207c4..02fe721e61 100644 --- a/bin/named/update.c +++ b/bin/named/update.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: update.c,v 1.171 2009/11/24 03:42:32 each Exp $ */ +/* $Id: update.c,v 1.172 2009/12/03 23:18:16 each Exp $ */ #include @@ -4122,8 +4122,9 @@ update_action(isc_task_t *task, isc_event_t *event) { &had_dnskey)); if (had_dnskey && !has_dnskey) { update_log(client, zone, LOGLEVEL_PROTOCOL, - "update rejected: all DNSKEY records " - "removed and 'secure-to-insecure' " + "update rejected: all DNSKEY " + "records removed and " + "'dnssec-secure-to-insecure' " "not set"); result = DNS_R_REFUSED; goto failure; diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c index ce615d5cac..fdd4e806ef 100644 --- a/bin/named/zoneconf.c +++ b/bin/named/zoneconf.c 
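Review bot: In bin/named/update.c (hunk at -4122) the refusal branch carries no comment explaining why it exists, although it is the guard visible here against a dynamic update that strips every DNSKEY and takes a signed zone unsigned. I would add above the `if (had_dnskey && !has_dnskey)` test: `/* Refuse an update that removes all DNSKEYs (signed -> unsigned) unless dnssec-secure-to-insecure permits it. */`. The test of the option itself lies outside the hunk, so the wording should be confirmed against the enclosing condition. Because the quoted option name in the log text changes, any log monitoring that matches the old `'secure-to-insecure'` string will stop matching rejected downgrade attempts and needs updating with this commit.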
@@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: zoneconf.c,v 1.159 2009/10/22 03:43:16 each Exp $ */ +/* $Id: zoneconf.c,v 1.160 2009/12/03 23:18:17 each Exp $ */ /*% */ @@ -855,7 +855,7 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, cfg_obj_asboolean(obj)); obj = NULL; - result = ns_config_get(maps, "dnskey-ksk-only", &obj); + result = ns_config_get(maps, "dnssec-dnskey-kskonly", &obj); INSIST(result == ISC_R_SUCCESS); dns_zone_setoption(zone, DNS_ZONEOPT_DNSKEYKSKONLY, cfg_obj_asboolean(obj)); @@ -933,7 +933,7 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, dns_zone_setoption(zone, DNS_ZONEOPT_IGNORESRVCNAME, ignore); obj = NULL; - result = ns_config_get(maps, "secure-to-insecure", &obj); + result = ns_config_get(maps, "dnssec-secure-to-insecure", &obj); INSIST(obj != NULL); dns_zone_setoption(zone, DNS_ZONEOPT_SECURETOINSECURE, cfg_obj_asboolean(obj)); diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index 5fe48af799..ebf757b924 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -18,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + BIND 9 Administrator Reference Manual @@ -4923,8 +4923,8 @@ badresp:1,adberr:0,findfail:0,valfail:0] allow-update { address_match_list }; allow-update-forwarding { address_match_list }; update-check-ksk yes_or_no; - dnskey-ksk-only yes_or_no; - secure-to-insecure yes_or_no ; + dnssec-dnskey-kskonly yes_or_no; + dnssec-secure-to-insecure yes_or_no ; try-tcp-refresh yes_or_no; allow-v6-synthesis { address_match_list }; blackhole { address_match_list }; @@ -6556,7 +6556,7 @@ options { - dnskey-ksk-only + dnssec-dnskey-kskonly When this option and update-check-ksk @@ -6588,7 +6588,7 @@ options { - secure-to-insecure + dnssec-secure-to-insecure Allow a zone to transition from secure to insecure by 
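Review bot: In bin/named/zoneconf.c the two renamed lookups assert differently: the hunk at -855 uses `INSIST(result == ISC_R_SUCCESS);`, while the hunk at -933 stores `result` and then checks only `INSIST(obj != NULL);`. Changing the second to `INSIST(result == ISC_R_SUCCESS && obj != NULL);` would make the pair consistent and stop `result` from being assigned and ignored. Both assertions depend on the built-in defaults string in bin/named/config.c carrying exactly the same key, so a later rename that misses one file would trip the INSIST during zone configuration instead of failing with a configuration error. A single shared constant for each option name would remove that coupling. ns_zone_configure begins and ends outside both hunks.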
@@ -9520,8 +9520,8 @@ zone zone_name class allow-transfer { address_match_list }; allow-update-forwarding { address_match_list }; update-check-ksk yes_or_no; - dnskey-ksk-only yes_or_no; - secure-to-insecure yes_or_no ; + dnssec-dnskey-kskonly yes_or_no; + dnssec-secure-to-insecure yes_or_no ; try-tcp-refresh yes_or_no; also-notify { ip_addr port ip_port ; ip_addr port ip_port ; ... }; @@ -10034,11 +10034,11 @@ zone zone_name class - dnskey-ksk-only + dnssec-dnskey-kskonly See the description of - dnskey-ksk-only in . + dnssec-dnskey-kskonly in . @@ -10479,11 +10479,11 @@ zone zone_name class - secure-to-insecure + dnssec-secure-to-insecure See the description of - secure-to-insecure in . + dnssec-secure-to-insecure in . diff --git a/lib/bind9/check.c b/lib/bind9/check.c index db360e2b5d..89f421298b 100644 --- a/lib/bind9/check.c +++ b/lib/bind9/check.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: check.c,v 1.112 2009/10/12 23:48:01 tbox Exp $ */ +/* $Id: check.c,v 1.113 2009/12/03 23:18:17 each Exp $ */ /*! \file */ @@ -1101,7 +1101,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions, { "min-retry-time", SLAVEZONE | STUBZONE }, { "max-refresh-time", SLAVEZONE | STUBZONE }, { "min-refresh-time", SLAVEZONE | STUBZONE }, - { "secure-to-insecure", MASTERZONE }, + { "dnssec-secure-to-insecure", MASTERZONE }, { "sig-validity-interval", MASTERZONE }, { "sig-re-signing-interval", MASTERZONE }, { "sig-signing-nodes", MASTERZONE }, @@ -1126,7 +1126,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions, { "check-srv-cname", MASTERZONE }, { "masterfile-format", MASTERZONE | SLAVEZONE | STUBZONE | HINTZONE }, { "update-check-ksk", MASTERZONE }, - { "dnskey-ksk-only", MASTERZONE }, + { "dnssec-dnskey-kskonly", MASTERZONE }, { "auto-dnssec", MASTERZONE }, { "try-tcp-refresh", SLAVEZONE }, }; diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h index 9dae4d7e42..0be5b633a8 100644 
--- a/lib/dns/include/dns/zone.h +++ b/lib/dns/include/dns/zone.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: zone.h,v 1.170 2009/10/12 20:48:12 each Exp $ */ +/* $Id: zone.h,v 1.171 2009/12/03 23:18:17 each Exp $ */ #ifndef DNS_ZONE_H #define DNS_ZONE_H 1 @@ -71,8 +71,8 @@ typedef enum { #define DNS_ZONEOPT_TRYTCPREFRESH 0x01000000U /*%< try tcp refresh on udp failure */ #define DNS_ZONEOPT_NOTIFYTOSOA 0x02000000U /*%< Notify the SOA MNAME */ #define DNS_ZONEOPT_NSEC3TESTZONE 0x04000000U /*%< nsec3-test-zone */ -#define DNS_ZONEOPT_SECURETOINSECURE 0x08000000U /*%< secure-to-insecure */ -#define DNS_ZONEOPT_DNSKEYKSKONLY 0x10000000U /*%< dnskey-ksk-only */ +#define DNS_ZONEOPT_SECURETOINSECURE 0x08000000U /*%< dnssec-secure-to-insecure */ +#define DNS_ZONEOPT_DNSKEYKSKONLY 0x10000000U /*%< dnssec-dnskey-kskonly */ #ifndef NOMINUM_PUBLIC /* diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c index 30c02411f1..9bd8ff1eb0 100644 --- a/lib/isccfg/namedconf.c +++ b/lib/isccfg/namedconf.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: namedconf.c,v 1.111 2009/11/28 15:57:37 vjs Exp $ */ +/* $Id: namedconf.c,v 1.112 2009/12/03 23:18:17 each Exp $ */ /*! \file */ @@ -1126,7 +1126,8 @@ zone_clauses[] = { { "check-srv-cname", &cfg_type_checkmode, 0 }, { "check-wildcard", &cfg_type_boolean, 0 }, { "dialup", &cfg_type_dialuptype, 0 }, - { "dnskey-ksk-only", &cfg_type_boolean, 0 }, + { "dnssec-dnskey-kskonly", &cfg_type_boolean, 0 }, + { "dnssec-secure-to-insecure", &cfg_type_boolean, 0 }, { "forward", &cfg_type_forwardtype, 0 }, { "forwarders", &cfg_type_portiplist, 0 }, { "key-directory", &cfg_type_qstring, 0 }, 
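Review bot: In lib/isccfg/namedconf.c (hunk at -1126, with the matching removal in the following hunk at -1149) the old spellings `dnskey-ksk-only` and `secure-to-insecure` leave `zone_clauses[]` with no entry kept for them, so nothing visible in this patch lets a named.conf that still uses them parse. If any deployed configuration already sets these, retaining the old names for a release as ignored entries, e.g. `{ "secure-to-insecure", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },`, would give operators a warning instead of a server that refuses to load its configuration after upgrade. Ignoring the old `secure-to-insecure` setting still fails closed, since the zone simply keeps refusing the DNSKEY-removing update. Whether the old names were ever in a released version is not visible here, so this may be unnecessary.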
@@ -1149,7 +1150,6 @@ zone_clauses[] = {
 { "notify-source-v6", &cfg_type_sockaddr6wild, 0 },
 { "notify-to-soa", &cfg_type_boolean, 0 },
 { "nsec3-test-zone", &cfg_type_boolean, CFG_CLAUSEFLAG_TESTONLY },
- { "secure-to-insecure", &cfg_type_boolean, 0 },
 { "sig-signing-nodes", &cfg_type_uint32, 0 },
 { "sig-signing-signatures", &cfg_type_uint32, 0 },
 { "sig-signing-type", &cfg_type_uint32, 0 },