From b6ca20929279fd00efb00da26d942d0fbde16856 Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Fri, 6 Dec 2024 16:30:04 +0100 Subject: [PATCH] Remove trusted-keys and managed-keys options These options have been deprecated in 9.19 in favor of the trust-anchors option. They are now removed to clean up the configuration and the code. --- bin/delv/delv.c | 13 +- bin/named/server.c | 30 +--- bin/rndc/rndc.rst | 5 +- .../checkconf/bad-duplicate-root-key.conf | 16 +- .../system/checkconf/bad-no-trusted-key.conf | 16 -- .../system/checkconf/check-mixed-keys.conf | 2 +- .../checkconf/check-root-trusted-key.conf | 29 --- bin/tests/system/checkconf/deprecated.conf | 13 +- ...d-key.conf => good-dup-trust-anchors.conf} | 0 .../checkconf/good-dup-trusted-key.conf | 33 ---- .../checkconf/good-empty-trusted-keys.conf | 18 -- .../checkconf/good-nonempty-trusted-keys.conf | 26 --- bin/tests/system/checkconf/tests.sh | 24 --- bin/tests/system/conf.sh | 7 - bin/tests/system/dnssec/ns1/sign.sh | 2 +- doc/arm/reference.rst | 44 +---- doc/design/unsupported-algorithms-in-bind9 | 16 +- doc/dnssec-guide/validation.rst | 2 +- doc/misc/options | 6 - lib/dns/include/dns/keytable.h | 2 +- lib/dns/zone.c | 20 +-- lib/isccfg/check.c | 165 +++--------------- lib/isccfg/namedconf.c | 39 +---- 23 files changed, 76 insertions(+), 452 deletions(-) delete mode 100644 bin/tests/system/checkconf/bad-no-trusted-key.conf delete mode 100644 bin/tests/system/checkconf/check-root-trusted-key.conf rename bin/tests/system/checkconf/{good-dup-managed-key.conf => good-dup-trust-anchors.conf} (100%) delete mode 100644 bin/tests/system/checkconf/good-dup-trusted-key.conf delete mode 100644 bin/tests/system/checkconf/good-empty-trusted-keys.conf delete mode 100644 bin/tests/system/checkconf/good-nonempty-trusted-keys.conf diff --git a/bin/delv/delv.c b/bin/delv/delv.c index 3c74195812..ab01b12033 100644 --- a/bin/delv/delv.c +++ b/bin/delv/delv.c 
@@ -668,7 +668,7 @@ key_fromconfig(const cfg_obj_t *key, dns_client_t *client, dns_view_t *toview) { if (cfg_obj_isvoid(obj)) { /* * "anchortype" is not defined, this must be a static-key - * configured with trusted-keys. + * configured with trust-anchors. */ anchortype = STATIC_KEY; } else { @@ -834,8 +834,6 @@ static isc_result_t setup_dnsseckeys(dns_client_t *client, dns_view_t *toview) { isc_result_t result; cfg_parser_t *parser = NULL; - const cfg_obj_t *trusted_keys = NULL; - const cfg_obj_t *managed_keys = NULL; const cfg_obj_t *trust_anchors = NULL; cfg_obj_t *bindkeys = NULL; @@ -877,16 +875,7 @@ setup_dnsseckeys(dns_client_t *client, dns_view_t *toview) { } INSIST(bindkeys != NULL); - cfg_map_get(bindkeys, "trusted-keys", &trusted_keys); - cfg_map_get(bindkeys, "managed-keys", &managed_keys); cfg_map_get(bindkeys, "trust-anchors", &trust_anchors); - - if (trusted_keys != NULL) { - CHECK(load_keys(trusted_keys, client, toview)); - } - if (managed_keys != NULL) { - CHECK(load_keys(managed_keys, client, toview)); - } if (trust_anchors != NULL) { CHECK(load_keys(trust_anchors, client, toview)); } diff --git a/bin/named/server.c b/bin/named/server.c index 6e3775a478..2c231feb3b 100644 --- a/bin/named/server.c +++ b/bin/named/server.c 
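Review bot: After this hunk an anchor file that still contains a `trusted-keys` or `managed-keys` block (an older `bind.keys`, or a file passed with `-a`) will presumably be rejected by the parser as an unknown statement instead of loading with a deprecation warning, and the code never reaches `cfg_map_get(bindkeys, "trust-anchors", &trust_anchors)`; nothing in the hunk tells the operator why. The parse-failure path is above the hunk, so if it only prints the generic parser error it is worth adding a hint there such as `"trusted-keys/managed-keys are no longer supported; use trust-anchors"`. A file with no `trust-anchors` block at all still proceeds silently with no anchors loaded, as it already did when all three statements were absent, and a warning at that point would catch half-converted files. setup_dnsseckeys continues past the hunk.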
@@ -995,11 +995,11 @@ process_key(const cfg_obj_t *key, dns_keytable_t *secroots, } /* - * Add the key to 'secroots'. Keys from a "trust-anchors" or - * "managed-keys" statement may be either static or initializing - * keys. If it's not initializing, we don't want to treat it as - * managed, so we use 'initializing' twice here, for both the - * 'managed' and 'initializing' arguments to dns_keytable_add(). + * Add the key to 'secroots'. Keys from a "trust-anchors" statement + * may be either static or initializing keys. If it's not initializing, + * we don't want to treat it as managed, so we use 'initializing' + * twice here, for both the 'managed' and 'initializing' arguments to + * dns_keytable_add(). */ result = dns_keytable_add(secroots, initializing, initializing, keyname, &ds, sfd_add, view); @@ -1082,11 +1082,7 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig, const cfg_obj_t *config, const cfg_obj_t *bindkeys, bool auto_root) { isc_result_t result = ISC_R_SUCCESS; - const cfg_obj_t *view_keys = NULL; - const cfg_obj_t *global_keys = NULL; - const cfg_obj_t *view_managed_keys = NULL; const cfg_obj_t *view_trust_anchors = NULL; - const cfg_obj_t *global_managed_keys = NULL; const cfg_obj_t *global_trust_anchors = NULL; const cfg_obj_t *maps[4]; const cfg_obj_t *voptions = NULL; 
@@ -1105,26 +1101,15 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig, if (vconfig != NULL) { voptions = cfg_tuple_get(vconfig, "options"); if (voptions != NULL) { - (void)cfg_map_get(voptions, "trusted-keys", &view_keys); - - /* managed-keys and trust-anchors are synonyms. */ - (void)cfg_map_get(voptions, "managed-keys", - &view_managed_keys); (void)cfg_map_get(voptions, "trust-anchors", &view_trust_anchors); - maps[i++] = voptions; } } if (config != NULL) { - (void)cfg_map_get(config, "trusted-keys", &global_keys); - - /* managed-keys and trust-anchors are synonyms. */ - (void)cfg_map_get(config, "managed-keys", &global_managed_keys); (void)cfg_map_get(config, "trust-anchors", &global_trust_anchors); - (void)cfg_map_get(config, "options", &options); if (options != NULL) { maps[i++] = options; @@ -1189,13 +1174,8 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig, } if (view->rdclass == dns_rdataclass_in) { - CHECK(load_view_keys(view_keys, view, false, NULL)); CHECK(load_view_keys(view_trust_anchors, view, true, NULL)); - CHECK(load_view_keys(view_managed_keys, view, true, NULL)); - - CHECK(load_view_keys(global_keys, view, false, NULL)); CHECK(load_view_keys(global_trust_anchors, view, true, NULL)); - CHECK(load_view_keys(global_managed_keys, view, true, NULL)); } /* diff --git a/bin/rndc/rndc.rst b/bin/rndc/rndc.rst index 0559ed7339..11c35c2d03 100644 --- a/bin/rndc/rndc.rst +++ b/bin/rndc/rndc.rst 
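Review bot: Every surviving `load_view_keys(..., view, true, NULL)` call in the last hunk now passes `true` for the managed argument, and the only `false` callers were the `view_keys`/`global_keys` lines this hunk deletes, so the flag no longer carries any information from configure_view_dnsseckeys. If load_view_keys has no other caller (its body is outside the hunk), the parameter and its `managed == false` branch are dead and should be removed in the same commit, leaving the static-versus-initial distinction to the `anchortype` handling in process_key. Until then a reader has to trace two separate flags to learn how a `static-key` anchor ends up unmanaged. configure_view_dnsseckeys starts and ends outside these hunks.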
@@ -491,9 +491,8 @@ Currently supported commands are: .. option:: secroots [-] [view ...] This command dumps the security roots (i.e., trust anchors configured via - ``trust-anchors``, or the ``managed-keys`` or ``trusted-keys`` statements - [both deprecated], or ``dnssec-validation auto``) and negative trust anchors - for the specified views. If no view is specified, all views are + ``trust-anchors`` statement, or ``dnssec-validation auto``) and negative + trust anchors for the specified views. If no view is specified, all views are dumped. Security roots indicate whether they are configured as trusted keys, managed keys, or initializing managed keys (managed keys that have not yet been updated by a successful key refresh query). diff --git a/bin/tests/system/checkconf/bad-duplicate-root-key.conf b/bin/tests/system/checkconf/bad-duplicate-root-key.conf index 1cbc7d4fb8..ca6bf533bf 100644 --- a/bin/tests/system/checkconf/bad-duplicate-root-key.conf +++ b/bin/tests/system/checkconf/bad-duplicate-root-key.conf @@ -25,12 +25,12 @@ trust-anchors { NQyrszHhWUU="; }; -trusted-keys { - . 257 3 8 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbod - y0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQ - YfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX - 2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuw - E60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/ - Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn - 6zqCkwuMmrU="; +trust-anchors { + . static-key 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl + 25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG + tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY + kYrFYGLzYAgl/JtMyVVYlBl9pqxQuAPKYPOuO1axaad/wLN3+wTy/hcJ + fpvJpqzXlDF9bI5RmpoX/7geZ06vpcYJEoT0xkkmPlEl0ZjEDrm/WIaS + WG0/CEDpHcOXFz4OEczMVpY+lnuFfKybwF1WHFn2BwVEOS6cMM6ukIjI + NQyrszHhWUU="; }; 
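Review bot: The replacement second `trust-anchors` block in bad-duplicate-root-key.conf carries the same key material as the first block (both end in `NQyrszHhWUU=`), whereas the deleted `trusted-keys` block held a different key (`AwEAAZtP…`), so the fixture now exercises a root anchor listed twice with identical material rather than two distinct keys for `.`. The first block's anchor type is above the hunk, so which conflict rule the checker is expected to trigger is only inferred; a one-line comment at the top of the file, e.g. `# expected error: static-key and initial anchor configured for the same name`, would make the fixture reviewable without reading check.c. If distinct-key coverage for the root name is still wanted, a second fixture using the old `AwEAAZtP…` key as a `static-key` would restore it.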
diff --git a/bin/tests/system/checkconf/bad-no-trusted-key.conf b/bin/tests/system/checkconf/bad-no-trusted-key.conf deleted file mode 100644 index 42cfe1fd79..0000000000 --- a/bin/tests/system/checkconf/bad-no-trusted-key.conf +++ /dev/null @@ -1,16 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * SPDX-License-Identifier: MPL-2.0 - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -options { - dnssec-validation yes; -}; diff --git a/bin/tests/system/checkconf/check-mixed-keys.conf b/bin/tests/system/checkconf/check-mixed-keys.conf index 1dd018dc03..7b90123837 100644 --- a/bin/tests/system/checkconf/check-mixed-keys.conf +++ b/bin/tests/system/checkconf/check-mixed-keys.conf @@ -25,7 +25,7 @@ trust-anchors { QxA+Uk1ihz0="; }; -managed-keys { +trust-anchors { # This key (20326) was published in the root zone in 2017. # Servers which were already using the old key (19036) should # roll seamlessly to this new one via RFC 5011 rollover. Servers diff --git a/bin/tests/system/checkconf/check-root-trusted-key.conf b/bin/tests/system/checkconf/check-root-trusted-key.conf deleted file mode 100644 index 65261a8677..0000000000 --- a/bin/tests/system/checkconf/check-root-trusted-key.conf +++ /dev/null 
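Review bot: check-mixed-keys.conf is rewritten to two `trust-anchors` blocks, but the only test that referenced it (`check that using trust-anchors and managed-keys generates an error`) is deleted from tests.sh in this same commit, so the fixture appears orphaned unless a script picks it up by glob; it should either be deleted like check-root-trusted-key.conf or renamed to a `good-*`/`bad-*` name that the generic loops exercise. The hunk does not show the anchor type of the new entry, so a reader cannot tell whether the `initial-key`-flavoured comment about RFC 5011 rollover and the managed key database still matches it. Separately, the deletion of bad-no-trusted-key.conf drops a fixture for `dnssec-validation yes;` with no anchors, which the ARM hunk in this commit still documents as a configuration error; keeping it as `bad-no-trust-anchors.conf` would preserve that coverage.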
@@ -1,29 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * SPDX-License-Identifier: MPL-2.0 - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -trusted-keys { - # This key (20326) was published in the root zone in 2017. - # Servers which were already using the old key (19036) should - # roll seamlessly to this new one via RFC 5011 rollover. Servers - # being set up for the first time can use the contents of this - # file as initializing keys; thereafter, the keys in the - # managed key database will be trusted and maintained - # automatically. - . 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 - +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv - ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF - 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e - oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd - RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN - R1AkUTV74bU="; -}; diff --git a/bin/tests/system/checkconf/deprecated.conf b/bin/tests/system/checkconf/deprecated.conf index eebf0d8bb8..2498b05a24 100644 --- a/bin/tests/system/checkconf/deprecated.conf +++ b/bin/tests/system/checkconf/deprecated.conf 
@@ -18,18 +18,7 @@ options { sortlist { }; }; -trusted-keys { - fake.trusted. 257 3 8 - "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF - FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX - bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD - X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz - W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS - Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq - QxA+Uk1ihz0="; -}; - -managed-keys { +trust-anchors { fake.managed. initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv diff --git a/bin/tests/system/checkconf/good-dup-managed-key.conf b/bin/tests/system/checkconf/good-dup-trust-anchors.conf similarity index 100% rename from bin/tests/system/checkconf/good-dup-managed-key.conf rename to bin/tests/system/checkconf/good-dup-trust-anchors.conf diff --git a/bin/tests/system/checkconf/good-dup-trusted-key.conf b/bin/tests/system/checkconf/good-dup-trusted-key.conf deleted file mode 100644 index 46089c46d3..0000000000 --- a/bin/tests/system/checkconf/good-dup-trusted-key.conf +++ /dev/null 
@@ -1,33 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * SPDX-License-Identifier: MPL-2.0 - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -options { - dnssec-validation yes; -}; - -trusted-keys { - example. 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl - 25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG - tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY - kYrFYGLzYAgl/JtMyVVYlBl9pqxQuAPKYPOuO1axaad/wLN3+wTy/hcJ - fpvJpqzXlDF9bI5RmpoX/7geZ06vpcYJEoT0xkkmPlEl0ZjEDrm/WIaS - WG0/CEDpHcOXFz4OEczMVpY+lnuFfKybwF1WHFn2BwVEOS6cMM6ukIjI - NQyrszHhWUU="; - example. 257 3 8 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbod - y0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQ - YfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX - 2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuw - E60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/ - Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn - 6zqCkwuMmrU="; -}; diff --git a/bin/tests/system/checkconf/good-empty-trusted-keys.conf b/bin/tests/system/checkconf/good-empty-trusted-keys.conf deleted file mode 100644 index b153d4512f..0000000000 --- a/bin/tests/system/checkconf/good-empty-trusted-keys.conf +++ /dev/null 
@@ -1,18 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * SPDX-License-Identifier: MPL-2.0 - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -options { - dnssec-validation yes; -}; - -trusted-keys {}; diff --git a/bin/tests/system/checkconf/good-nonempty-trusted-keys.conf b/bin/tests/system/checkconf/good-nonempty-trusted-keys.conf deleted file mode 100644 index 43c9b499e0..0000000000 --- a/bin/tests/system/checkconf/good-nonempty-trusted-keys.conf +++ /dev/null @@ -1,26 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * SPDX-License-Identifier: MPL-2.0 - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -options { - dnssec-validation yes; -}; - -trusted-keys { - example. 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl - 25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG - tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY - kYrFYGLzYAgl/JtMyVVYlBl9pqxQuAPKYPOuO1axaad/wLN3+wTy/hcJ - fpvJpqzXlDF9bI5RmpoX/7geZ06vpcYJEoT0xkkmPlEl0ZjEDrm/WIaS - WG0/CEDpHcOXFz4OEczMVpY+lnuFfKybwF1WHFn2BwVEOS6cMM6ukIjI - NQyrszHhWUU="; -}; diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh index a7a533e0d7..a4b35ba4ce 100644 --- a/bin/tests/system/checkconf/tests.sh +++ b/bin/tests/system/checkconf/tests.sh 
@@ -183,8 +183,6 @@ n=$((n + 1)) echo_i "checking named-checkconf deprecate warnings ($n)" ret=0 $CHECKCONF deprecated.conf >checkconf.out$n.1 2>&1 || ret=1 -grep "option 'managed-keys' is deprecated" /dev/null || ret=1 -grep "option 'trusted-keys' is deprecated" /dev/null || ret=1 grep "option 'max-zone-ttl' is deprecated" /dev/null || ret=1 grep "option 'sortlist' is deprecated" /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi @@ -593,28 +591,6 @@ if [ $ret -ne 0 ]; then fi status=$((status + ret)) -n=$((n + 1)) -echo_i "check that a trusted-keys entry for root generates a warning ($n)" -ret=0 -$CHECKCONF check-root-trusted-key.conf >checkconf.out$n 2>/dev/null || ret=1 -grep "trusted-keys entry for the root zone WILL FAIL" checkconf.out$n >/dev/null || ret=1 -if [ $ret -ne 0 ]; then - echo_i "failed" - ret=1 -fi -status=$((status + ret)) - -n=$((n + 1)) -echo_i "check that using trust-anchors and managed-keys generates an error ($n)" -ret=0 -$CHECKCONF check-mixed-keys.conf >checkconf.out$n 2>/dev/null && ret=1 -grep "use of managed-keys is not allowed" checkconf.out$n >/dev/null || ret=1 -if [ $ret -ne 0 ]; then - echo_i "failed" - ret=1 -fi -status=$((status + ret)) - n=$((n + 1)) echo_i "checking named-checkconf kasp errors ($n)" ret=0 diff --git a/bin/tests/system/conf.sh b/bin/tests/system/conf.sh index 40ca8210de..6f1092749b 100644 --- a/bin/tests/system/conf.sh +++ b/bin/tests/system/conf.sh @@ -164,13 +164,6 @@ keyfile_to_dskeys() { echo "};" } -# keyfile_to_trusted_keys: convert key data contained in the keyfile(s) -# provided to a "trust-keys" section suitable for including in a -# resolver's configuration file -keyfile_to_trusted_keys() { - keyfile_to_keys "trusted-keys" "" $* -} - # keyfile_to_static_keys: convert key data contained in the keyfile(s) # provided to a *static-key* "trust-anchors" section suitable for including in # a resolver's configuration file 
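Review bot: The removed `trusted-keys entry for the root zone WILL FAIL` test is not replaced by an equivalent check for `trust-anchors { . static-key ... }`, although a static root anchor that breaks at the next KSK rollover is exactly the same hazard in the surviving syntax; a replacement that runs `$CHECKCONF` on a `static-key` root fixture and greps for whatever warning the trust-anchors path emits would keep that behaviour pinned. The deprecation test now only greps for `max-zone-ttl` and `sortlist`, which is correct since the two options are gone, but deprecated.conf still carries a `trust-anchors` block that contributes nothing to that test. In conf.sh, `keyfile_to_trusted_keys` is deleted while the diffstat shows only dnssec/ns1/sign.sh updated; any other system-test sign.sh that still calls it would fail at runtime, which is worth a grep before merge.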
diff --git a/bin/tests/system/dnssec/ns1/sign.sh b/bin/tests/system/dnssec/ns1/sign.sh index 286b27883d..0247b9d8b4 100644 --- a/bin/tests/system/dnssec/ns1/sign.sh +++ b/bin/tests/system/dnssec/ns1/sign.sh @@ -50,7 +50,7 @@ cp trusted.conf ../ns6/trusted.conf cp trusted.conf ../ns7/trusted.conf cp trusted.conf ../ns9/trusted.conf -keyfile_to_trusted_keys "$ksk" >trusted.keys +keyfile_to_static_keys "$ksk" >trusted.keys # ...or with an initializing key. keyfile_to_initial_ds "$ksk" >managed.conf diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index 1eede45b6d..51a261c068 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst @@ -440,12 +440,6 @@ The following blocks are supported: :any:`trust-anchors` Defines DNSSEC trust anchors: if used with the ``initial-key`` or ``initial-ds`` keyword, trust anchors are kept up-to-date using :rfc:`5011` trust anchor maintenance; if used with ``static-key`` or ``static-ds``, keys are permanent. - :any:`managed-keys` - Is identical to :any:`trust-anchors`; this option is deprecated in favor of :any:`trust-anchors` with the ``initial-key`` keyword, and may be removed in a future release. - - :any:`trusted-keys` - Defines permanent trusted DNSSEC keys; this option is deprecated in favor of :any:`trust-anchors` with the ``static-key`` keyword, and may be removed in a future release. - :any:`view` Defines a view. @@ -1664,9 +1658,8 @@ default is used. If all supported algorithms are disabled, the zones covered by the :any:`disable-algorithms` setting are treated as insecure. - Configured trust anchors in :any:`trust-anchors` (or :any:`managed-keys` or - :any:`trusted-keys`) that match a disabled algorithm are ignored and treated - as if they were not configured. + Configured trust anchors in :any:`trust-anchors` that match a disabled + algorithm are ignored and treated as if they were not configured. .. namedconf:statement:: disable-ds-digests :tags: dnssec, zone 
@@ -2550,13 +2543,11 @@ Boolean Options anchor for the DNS root zone is used. This trust anchor is provided as part of BIND and is kept up-to-date using :ref:`rfc5011.support` key management. Adding an explicit static key using the :any:`trust-anchors` - statement, with a ``static-key`` anchor type (or using the deprecated - :any:`trusted-keys` statement) for the root zone, is not supported with the - ``auto`` setting and is treated as a configuration error. + statement, with a ``static-key`` anchor type for the root zone, is not + supported with the ``auto`` setting and is treated as a configuration error. If set to ``yes``, DNSSEC validation is enabled, but a trust anchor must be - manually configured using a :any:`trust-anchors` statement (or the - :any:`managed-keys` or :any:`trusted-keys` statements, both deprecated). If + manually configured using a :any:`trust-anchors` statement. If :any:`trust-anchors` is not configured, it is a configuration error. If :any:`trust-anchors` does not include a valid root key, then validation does not take place for names which are not covered by any of the configured trust @@ -6111,8 +6102,6 @@ Trust anchors configured with the anchor types are immutable, while keys configured with ``initial-key`` or ``initial-ds`` can be kept up-to-date automatically, without intervention from the resolver operator. -(``static-key`` keys are identical to keys configured using the -deprecated :any:`trusted-keys` statement.) Suppose, for example, that a zone's key-signing key was compromised, and the zone owner had to revoke and replace the key. A resolver which had 
@@ -6612,29 +6601,6 @@ The following options apply to DS queries sent to :any:`parental-agents`: This option acts like :any:`parental-source`, but applies to parental DS queries sent to IPv6 addresses. -:any:`managed-keys` Block Grammar -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.. namedconf:statement:: managed-keys - :tags: deprecated - -:any:`managed-keys` Block Definition and Usage -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -The :any:`managed-keys` statement has been -deprecated in favor of :any:`trust-anchors` -with the ``initial-key`` keyword. - -:any:`trusted-keys` Block Grammar -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.. namedconf:statement:: trusted-keys - :tags: deprecated - -:any:`trusted-keys` Block Definition and Usage -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -The :any:`trusted-keys` statement has been deprecated in favor of -:any:`trust-anchors` with the ``static-key`` keyword. - :any:`view` Block Grammar ~~~~~~~~~~~~~~~~~~~~~~~~~~ .. namedconf:statement:: view diff --git a/doc/design/unsupported-algorithms-in-bind9 b/doc/design/unsupported-algorithms-in-bind9 index 35c107db52..8870aa6d26 100644 --- a/doc/design/unsupported-algorithms-in-bind9 +++ b/doc/design/unsupported-algorithms-in-bind9 @@ -79,14 +79,8 @@ treated as unsupported. ### Trust anchors -In BIND 9, trust anchors can be configured using two clauses: - - * `trusted-keys`, which contains hardcoded (static) trust anchors, - * `managed-keys`, which will be kept up to date automatically, following the - zone's key rollovers (according to the algorithm specified in RFC 5011). - -When put into the above clauses, keys using unsupported algorithms will be -ignored: +In BIND 9, trust anchors can be configured using `trust-anchors`. When put into +such clause, keys using unsupported algorithms will be ignored: trusted.conf:3: skipping trusted key for 't.example.': algorithm is unsupported managed.conf:3: skipping managed key for 'm.example.': algorithm is unsupported 
@@ -118,8 +112,8 @@ treated as secure and thus attempts to resolve names in the domains pointed to by the records in that DLV zone will yield SERVFAIL responses. Consider the following example: - trusted-keys { - "dlv.example." 257 3 1 ...; + trust-anchors { + "dlv.example." static-key 257 3 1 ...; }; options { @@ -141,7 +135,7 @@ ignored altogether and do not cause an associated trust point to be defined. A zone for which BIND 9 has a trust anchor configured may decide to do an algorithm rollover to an unsupported algorithm. If configured with -`managed-keys`, BIND 9 will ignore the newly introduced DNSKEY if it does +`trust-anchors`, BIND 9 will ignore the newly introduced DNSKEY if it does not support the algorithm. That means that the moment the predecessor DNSKEY gets revoked, BIND 9 will no longer have any trust anchors for the given zone and it will treat the trust point as if it does not exist, meaning that diff --git a/doc/dnssec-guide/validation.rst b/doc/dnssec-guide/validation.rst index 9ad528d85b..3bcd065edc 100644 --- a/doc/dnssec-guide/validation.rst +++ b/doc/dnssec-guide/validation.rst @@ -379,7 +379,7 @@ take a closer look at what DNSSEC validation actually does, and some other optio }; This “auto” line enables automatic DNSSEC trust anchor configuration -using the :any:`managed-keys` feature. In this case, no manual key +using the :any:`trust-anchors` feature. In this case, no manual key configuration is needed. There are three possible choices for the :any:`dnssec-validation` option: diff --git a/doc/misc/options b/doc/misc/options index 14b428f61a..39dda6d191 100644 --- a/doc/misc/options +++ b/doc/misc/options @@ -64,8 +64,6 @@ logging { }; // may occur multiple times }; -managed-keys { ( static-key | initial-key | static-ds | initial-ds ) ; ... }; // may occur multiple times, deprecated - options { allow-new-zones ; allow-notify { ; ... }; 
@@ -374,8 +372,6 @@ tls { trust-anchors { ( static-key | initial-key | static-ds | initial-ds ) ; ... }; // may occur multiple times -trusted-keys { ; ... }; // may occur multiple times, deprecated - view [ ] { allow-new-zones ; allow-notify { ; ... }; @@ -457,7 +453,6 @@ view [ ] { key-directory ; lame-ttl ; lmdb-mapsize ; // optional (only available if configured) - managed-keys { ( static-key | initial-key | static-ds | initial-ds ) ; ... }; // may occur multiple times, deprecated masterfile-format ( raw | text ); masterfile-style ( full | relative ); match-clients { ; ... }; @@ -591,7 +586,6 @@ view [ ] { transfer-source-v6 ( | * ); trust-anchor-telemetry ; trust-anchors { ( static-key | initial-key | static-ds | initial-ds ) ; ... }; // may occur multiple times - trusted-keys { ; ... }; // may occur multiple times, deprecated try-tcp-refresh ; update-check-ksk ; // obsolete v6-bias ; diff --git a/lib/dns/include/dns/keytable.h b/lib/dns/include/dns/keytable.h index b407cf2552..dc0b398622 100644 --- a/lib/dns/include/dns/keytable.h +++ b/lib/dns/include/dns/keytable.h @@ -72,7 +72,7 @@ dns_keytable_add(dns_keytable_t *keytable, bool managed, bool initial, * * The value of keynode->managed is set to 'managed', and the * value of keynode->initial is set to 'initial'. (Note: 'initial' - * should only be used when adding managed-keys from configuration. + * should only be used when adding trust-anchors from configuration. * This indicates the key is in "initializing" state, and has not yet * been confirmed with a key refresh query. Once a key refresh query * has validated, we update the keynode with initial == false.) diff --git a/lib/dns/zone.c b/lib/dns/zone.c index ba5bd8f731..3e08b77da1 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c 
@@ -141,14 +141,14 @@ /*% * KASP flags */ -#define KASP_LOCK(k) \ - if ((k) != NULL) { \ - LOCK((&((k)->lock))); \ +#define KASP_LOCK(k) \ + if ((k) != NULL) { \ + LOCK(&((k)->lock)); \ } -#define KASP_UNLOCK(k) \ - if ((k) != NULL) { \ - UNLOCK((&((k)->lock))); \ +#define KASP_UNLOCK(k) \ + if ((k) != NULL) { \ + UNLOCK(&((k)->lock)); \ } /* @@ -216,7 +216,7 @@ typedef struct dns_include dns_include_t; } while (0) #endif /* ifdef DNS_ZONE_CHECKLOCK */ -#define ZONEDB_INITLOCK(l) isc_rwlock_init((l)) +#define ZONEDB_INITLOCK(l) isc_rwlock_init(l) #define ZONEDB_DESTROYLOCK(l) isc_rwlock_destroy(l) #define ZONEDB_LOCK(l, t) RWLOCK((l), (t)) #define ZONEDB_UNLOCK(l, t) RWUNLOCK((l), (t)) @@ -4492,9 +4492,9 @@ addifmissing(dns_keytable_t *keytable, dns_keynode_t *keynode, } /* - * Synchronize the set of initializing keys found in managed-keys {} + * Synchronize the set of initializing keys found in trust-anchors {} * statements with the set of trust anchors found in the managed-keys.bind - * zone. If a domain is no longer named in managed-keys, delete all keys + * zone. If a domain is no longer named in trust-anchors, delete all keys * from that domain from the key zone. If a domain is configured as an * initial-key in trust-anchors, but there are no references to it in the * key zone, load the key zone with the initializing key(s) for that @@ -10828,7 +10828,7 @@ done: failure: if (result != ISC_R_SUCCESS) { dnssec_log(zone, ISC_LOG_ERROR, - "error during managed-keys processing (%s): " + "error during trust anchor processing (%s): " "DNSSEC validation may be at risk", isc_result_totext(result)); } diff --git a/lib/isccfg/check.c b/lib/isccfg/check.c index a796f43a92..d0887be3b8 100644 --- a/lib/isccfg/check.c +++ b/lib/isccfg/check.c 
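Review bot: The KASP_LOCK/KASP_UNLOCK and ZONEDB_INITLOCK macro edits in the first two hunks are unrelated to removing trusted-keys/managed-keys and make the commit harder to bisect; they belong in a separate formatting-only commit. They also drop the extra parentheses around the macro argument (`isc_rwlock_init((l))` becomes `isc_rwlock_init(l)`), which is harmless for the identifiers currently passed but goes against the usual parenthesise-every-argument rule, so if the change is intentional a short note in the commit message would help. The comment rewrites and the `error during trust anchor processing` log message are the only parts that belong to this change. The functions touched by the later hunks start and end outside them.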
@@ -4463,7 +4463,8 @@ check_servers(const cfg_obj_t *config, const cfg_obj_t *voptions, #define ROOT_KSK_2017 0x08 static isc_result_t -check_trust_anchor(const cfg_obj_t *key, bool managed, unsigned int *flagsp) { +check_trust_anchor(const cfg_obj_t *key, unsigned int *flagsp) { + bool managed = true; const char *str = NULL, *namestr = NULL; dns_fixedname_t fkeyname; dns_name_t *keyname = NULL; @@ -4479,7 +4480,6 @@ check_trust_anchor(const cfg_obj_t *key, bool managed, unsigned int *flagsp) { STATIC_DNSKEY, INIT_DS, STATIC_DS, - TRUSTED } anchortype; /* 
@@ -4575,41 +4575,33 @@ check_trust_anchor(const cfg_obj_t *key, bool managed, unsigned int *flagsp) { result = ISC_R_FAILURE; } - if (managed) { - atstr = cfg_obj_asstring(cfg_tuple_get(key, "anchortype")); - - if (strcasecmp(atstr, "static-key") == 0) { - managed = false; - anchortype = STATIC_DNSKEY; - } else if (strcasecmp(atstr, "static-ds") == 0) { - managed = false; - anchortype = STATIC_DS; - } else if (strcasecmp(atstr, "initial-key") == 0) { - anchortype = INIT_DNSKEY; - } else if (strcasecmp(atstr, "initial-ds") == 0) { - anchortype = INIT_DS; - } else { - cfg_obj_log(key, ISC_LOG_ERROR, - "key '%s': " - "invalid initialization method '%s'", - namestr, atstr); - result = ISC_R_FAILURE; - - /* - * We can't interpret the trust anchor, so - * we skip all other checks. - */ - goto cleanup; - } + atstr = cfg_obj_asstring(cfg_tuple_get(key, "anchortype")); + if (strcasecmp(atstr, "static-key") == 0) { + managed = false; + anchortype = STATIC_DNSKEY; + } else if (strcasecmp(atstr, "static-ds") == 0) { + managed = false; + anchortype = STATIC_DS; + } else if (strcasecmp(atstr, "initial-key") == 0) { + anchortype = INIT_DNSKEY; + } else if (strcasecmp(atstr, "initial-ds") == 0) { + anchortype = INIT_DS; } else { - atstr = "trusted-key"; - anchortype = TRUSTED; + cfg_obj_log(key, ISC_LOG_ERROR, + "key '%s': " + "invalid initialization method '%s'", + namestr, atstr); + result = ISC_R_FAILURE; + /* + * We can't interpret the trust anchor, so + * we skip all other checks. + */ + goto cleanup; } switch (anchortype) { case INIT_DNSKEY: case STATIC_DNSKEY: - case TRUSTED: if (rdata1 > 0xffff) { cfg_obj_log(key, ISC_LOG_ERROR, "flags too big: %u", rdata1); 
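Review bot: `managed` is now a local initialised to `true` and flipped to `false` in the `static-key`/`static-ds` arms, which duplicates what `anchortype` already encodes (the INIT_* values are the managed ones), and two variables for one fact invites drift if another anchor type is ever added. Deriving it once after the chain, `managed = (anchortype == INIT_DNSKEY || anchortype == INIT_DS);`, keeps a single source of truth and lets the error arm `goto cleanup` without touching `managed`. The error text `invalid initialization method` predates the static-* keywords; `invalid anchor type` would match the grammar the message is reporting on. check_trust_anchor continues past the hunk, where `managed` is presumably consumed.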
@@ -4916,7 +4908,6 @@ record_ds_keys(isc_symtab_t *symtab, isc_mem_t *mctx, */ static isc_result_t check_ta_conflicts(const cfg_obj_t *global_ta, const cfg_obj_t *view_ta, - const cfg_obj_t *global_tkeys, const cfg_obj_t *view_tkeys, bool autovalidation, isc_mem_t *mctx) { isc_result_t result, tresult; const cfg_listelt_t *elt = NULL; @@ -4934,9 +4925,8 @@ check_ta_conflicts(const cfg_obj_t *global_ta, const cfg_obj_t *view_ta, } /* - * First we record all the static keys (i.e., old-style - * trusted-keys and trust-anchors configured with "static-key"), - * and all the DS-style trust anchors. + * First we record all the static keys (trust-anchors configured with + * "static-key"), and all the DS-style trust anchors. */ for (elt = cfg_list_first(global_ta); elt != NULL; elt = cfg_list_next(elt)) @@ -4970,28 +4960,6 @@ check_ta_conflicts(const cfg_obj_t *global_ta, const cfg_obj_t *view_ta, } } - for (elt = cfg_list_first(global_tkeys); elt != NULL; - elt = cfg_list_next(elt)) - { - keylist = cfg_listelt_value(elt); - tresult = record_static_keys(statictab, mctx, keylist, - autovalidation); - if (result == ISC_R_SUCCESS) { - result = tresult; - } - } - - for (elt = cfg_list_first(view_tkeys); elt != NULL; - elt = cfg_list_next(elt)) - { - keylist = cfg_listelt_value(elt); - tresult = record_static_keys(statictab, mctx, keylist, - autovalidation); - if (result == ISC_R_SUCCESS) { - result = tresult; - } - } - /* * Next, ensure that there's no conflict between the * static keys and the trust-anchors configured with "initial-key". 
@@ -5320,8 +5288,6 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
isc_symtab_t *files, isc_symtab_t *keydirs, unsigned int flags,
isc_symtab_t *inview, isc_mem_t *mctx) {
const cfg_obj_t *zones = NULL;
- const cfg_obj_t *view_tkeys = NULL, *global_tkeys = NULL;
- const cfg_obj_t *view_mkeys = NULL, *global_mkeys = NULL;
const cfg_obj_t *view_ta = NULL, *global_ta = NULL;
const cfg_obj_t *check_keys[2] = { NULL, NULL };
const cfg_obj_t *keys = NULL;
@@ -5335,7 +5301,7 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
const cfg_obj_t *opts = NULL;
const cfg_obj_t *plugin_list = NULL;
bool autovalidation = false;
- unsigned int tflags = 0, dflags = 0;
+ unsigned int dflags = 0;
int i;
bool check_plugins = (flags & BIND_CHECK_PLUGINS) != 0;
bool check_algorithms = (flags & BIND_CHECK_ALGORITHMS) != 0;
@@ -5513,72 +5479,9 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
* Load all DNSSEC keys.
*/
if (voptions != NULL) {
- (void)cfg_map_get(voptions, "trusted-keys", &view_tkeys);
(void)cfg_map_get(voptions, "trust-anchors", &view_ta);
- (void)cfg_map_get(voptions, "managed-keys", &view_mkeys);
}
- (void)cfg_map_get(config, "trusted-keys", &global_tkeys);
(void)cfg_map_get(config, "trust-anchors", &global_ta);
- (void)cfg_map_get(config, "managed-keys", &global_mkeys);
-
- /*
- * Check trusted-keys.
- */
- check_keys[0] = view_tkeys;
- check_keys[1] = global_tkeys;
- for (i = 0; i < 2; i++) {
- if (check_keys[i] != NULL) {
- unsigned int taflags = 0;
-
- for (element = cfg_list_first(check_keys[i]);
- element != NULL; element = cfg_list_next(element))
- {
- const cfg_obj_t *keylist =
- cfg_listelt_value(element);
- for (element2 = cfg_list_first(keylist);
- element2 != NULL;
- element2 = cfg_list_next(element2))
- {
- obj = cfg_listelt_value(element2);
- tresult = check_trust_anchor(obj, false,
- &taflags);
- if (tresult != ISC_R_SUCCESS) {
- result = tresult;
- }
- }
- }
-
- if ((taflags & ROOT_KSK_STATIC) != 0) {
- cfg_obj_log(check_keys[i], ISC_LOG_WARNING,
- "trusted-keys entry for the root "
- "zone WILL FAIL after key "
- "rollover - use trust-anchors "
- "with initial-key "
- "or initial-ds instead.");
- }
-
- tflags |= taflags;
- }
- }
-
- /*
- * Check dnssec/managed-keys. (Only one or the other can be used.)
- */
- if ((view_mkeys != NULL || global_mkeys != NULL) &&
- (view_ta != NULL || global_ta != NULL))
- {
- keys = (view_mkeys != NULL) ? view_mkeys : global_mkeys;
-
- cfg_obj_log(keys, ISC_LOG_ERROR,
- "use of managed-keys is not allowed when "
- "trust-anchors is also in use");
- result = ISC_R_FAILURE;
- }
-
- if (view_ta == NULL && global_ta == NULL) {
- view_ta = view_mkeys;
- global_ta = global_mkeys;
- }
check_keys[0] = view_ta;
check_keys[1] = global_ta;
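Review bot: Deleting the trusted-keys block also deletes the only `ROOT_KSK_STATIC` warning in view ("... WILL FAIL after key rollover ..."), yet a root-zone `static-key` or `static-ds` entry in trust-anchors has exactly the same failure mode: validation breaks at the next root KSK rollover unless the operator updates the anchor by hand. Whether the trust-anchors loop that follows this hunk tests `ROOT_KSK_STATIC` in the flags returned by check_trust_anchor is outside the hunk; if it does not, the warning should be re-homed there with trust-anchors wording, e.g. `"static trust anchor for the root zone WILL FAIL after key rollover - use initial-key or initial-ds instead."`, since silently losing a warning while removing a synonym is easy to miss. check_viewconf continues outside the hunk.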
@@ -5596,7 +5499,7 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
element2 = cfg_list_next(element2))
{
obj = cfg_listelt_value(element2);
- tresult = check_trust_anchor(obj, true,
+ tresult = check_trust_anchor(obj,
&taflags);
if (tresult != ISC_R_SUCCESS) {
result = tresult;
@@ -5626,13 +5529,6 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
}
}
- if ((tflags & ROOT_KSK_ANY) != 0 && (dflags & ROOT_KSK_ANY) != 0) {
- keys = (view_ta != NULL) ? view_ta : global_ta;
- cfg_obj_log(keys, ISC_LOG_WARNING,
- "both trusted-keys and trust-anchors "
- "for the root zone are present");
- }
-
if ((dflags & ROOT_KSK_ANY) == ROOT_KSK_ANY) {
keys = (view_ta != NULL) ? view_ta : global_ta;
cfg_obj_log(keys, ISC_LOG_WARNING,
@@ -5651,9 +5547,7 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
if (!cfg_obj_isboolean(obj)) {
autovalidation = true;
} else if (cfg_obj_asboolean(obj)) {
- if (global_ta == NULL && view_ta == NULL &&
- global_tkeys == NULL && view_tkeys == NULL)
- {
+ if (global_ta == NULL && view_ta == NULL) {
cfg_obj_log(obj, ISC_LOG_ERROR,
"the 'dnssec-validation yes' "
"option requires configured "
@@ -5664,8 +5558,7 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
}
}
- tresult = check_ta_conflicts(global_ta, view_ta, global_tkeys,
- view_tkeys, autovalidation, mctx);
+ tresult = check_ta_conflicts(global_ta, view_ta, autovalidation, mctx);
if (tresult != ISC_R_SUCCESS) {
result = tresult;
}
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index 24091d02de..967b29a75d 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
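Review bot: In the first hunk the call no longer needs wrapping: `tresult = check_trust_anchor(obj, &taflags);` fits on one line, and the break left after `obj,` is an artifact of the removed argument that clang-format would rejoin. The simplified `if (global_ta == NULL && view_ta == NULL) {` and the shortened `check_ta_conflicts` call are consistent with the new signature shown earlier in the diff. check_viewconf's body continues outside these hunks.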
@@ -515,22 +515,6 @@ static cfg_type_t cfg_type_maxduration = { doc_maxduration, &cfg_rep_duration, maxduration_enums };
-/*%
- * A dnssec key, as used in the "trusted-keys" statement.
- */
-static cfg_tuplefielddef_t dnsseckey_fields[] = {
- { "name", &cfg_type_astring, 0 },
- { "anchortype", &cfg_type_void, 0 },
- { "rdata1", &cfg_type_uint32, 0 },
- { "rdata2", &cfg_type_uint32, 0 },
- { "rdata3", &cfg_type_uint32, 0 },
- { "data", &cfg_type_qstring, 0 },
- { NULL, NULL, 0 }
-};
-static cfg_type_t cfg_type_dnsseckey = { "dnsseckey", cfg_parse_tuple,
- cfg_print_tuple, cfg_doc_tuple,
- &cfg_rep_tuple, dnsseckey_fields };
-
/*%
* Optional enums.
*
@@ -550,8 +534,7 @@ doc_optional_enum(cfg_printer_t *pctx, const cfg_type_t *type) {
}
/*%
- * A key initialization specifier, as used in the
- * "trust-anchors" (or synonymous "managed-keys") statement.
+ * A key initialization specifier, as used in the "trust-anchors" statement.
*/
static const char *anchortype_enums[] = { "static-key", "initial-key",
"static-ds", "initial-ds", NULL };
@@ -900,14 +883,6 @@ static cfg_type_t cfg_type_keylist = { "keylist", &cfg_rep_list, &cfg_type_astring };
-/*% A list of dnssec keys, as in "trusted-keys". Deprecated. */
-static cfg_type_t cfg_type_trustedkeys = { "trustedkeys",
- cfg_parse_bracketed_list,
- cfg_print_bracketed_list,
- cfg_doc_bracketed_list,
- &cfg_rep_list,
- &cfg_type_dnsseckey };
-
/*%
* A list of managed trust anchors. Each entry contains a name, a keyword
* ("static-key", initial-key", "static-ds" or "initial-ds"), and the
@@ -1191,12 +1166,11 @@ static cfg_clausedef_t namedconf_or_view_clauses[] = {
{ "dyndb", &cfg_type_dyndb, CFG_CLAUSEFLAG_MULTI },
{ "key", &cfg_type_key, CFG_CLAUSEFLAG_MULTI },
{ "managed-keys", &cfg_type_dnsseckeys,
- CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_DEPRECATED },
+ CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_ANCIENT },
{ "plugin", &cfg_type_plugin, CFG_CLAUSEFLAG_MULTI },
{ "server", &cfg_type_server, CFG_CLAUSEFLAG_MULTI },
{ "trust-anchors", &cfg_type_dnsseckeys, CFG_CLAUSEFLAG_MULTI },
- { "trusted-keys", &cfg_type_trustedkeys,
- CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_DEPRECATED },
+ { "trusted-keys", NULL, CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_ANCIENT },
{ "zone", &cfg_type_zone, CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_NODOC },
{ NULL, NULL, 0 }
};
@@ -1206,10 +1180,9 @@ static cfg_clausedef_t namedconf_or_view_clauses[] = {
*/
static cfg_clausedef_t bindkeys_clauses[] = {
{ "managed-keys", &cfg_type_dnsseckeys,
- CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_DEPRECATED },
+ CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_ANCIENT },
{ "trust-anchors", &cfg_type_dnsseckeys, CFG_CLAUSEFLAG_MULTI },
- { "trusted-keys", &cfg_type_trustedkeys,
- CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_DEPRECATED },
+ { "trusted-keys", NULL, CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_ANCIENT },
{ NULL, NULL, 0 }
};
@@ -2465,7 +2438,7 @@ cfg_type_t cfg_type_namedconf = { "namedconf", cfg_parse_mapbody, cfg_print_mapbody, cfg_doc_mapbody, &cfg_rep_map, namedconf_clausesets };
-/*% The bind.keys syntax (trust-anchors/managed-keys/trusted-keys only). */
+/*% The bind.keys syntax (trust-anchors). */
static cfg_clausedef_t *bindkeys_clausesets[] = { bindkeys_clauses, NULL };
cfg_type_t cfg_type_bindkeys = { "bindkeys", cfg_parse_mapbody, cfg_print_mapbody, cfg_doc_mapbody,
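Review bot: The `managed-keys` entry in the first hunk keeps `&cfg_type_dnsseckeys` while `trusted-keys` in the same table is switched to a `NULL` type, which is inconsistent for two clauses that now both carry `CFG_CLAUSEFLAG_ANCIENT`; unless the parser still consults the type for ancient clauses (not visible here), `{ "managed-keys", NULL, CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_ANCIENT },` would make the tables uniform and stop suggesting the clause is still parsed as a trust-anchor list. The same applies to `bindkeys_clauses` in the second hunk. Whether `CFG_CLAUSEFLAG_MULTI` still means anything on an ancient clause is also worth a look, since a removed option cannot legitimately appear even once.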