Remove trusted-keys and managed-keys options

These options have been deprecated in 9.19 in favor of the trust-anchors
option. They are now removed to clean up the configuration and the code.

bin/delv/delv.c

@@ -668,7 +668,7 @@ key_fromconfig(const cfg_obj_t *key, dns_client_t *client, dns_view_t *toview) {
 	if (cfg_obj_isvoid(obj)) {
 		/*
 		 * "anchortype" is not defined, this must be a static-key
-		 * configured with trusted-keys.
+		 * configured with trust-anchors.
 		 */
 		anchortype = STATIC_KEY;
 	} else {
@@ -834,8 +834,6 @@ static isc_result_t
 setup_dnsseckeys(dns_client_t *client, dns_view_t *toview) {
 	isc_result_t result;
 	cfg_parser_t *parser = NULL;
-	const cfg_obj_t *trusted_keys = NULL;
-	const cfg_obj_t *managed_keys = NULL;
 	const cfg_obj_t *trust_anchors = NULL;
 	cfg_obj_t *bindkeys = NULL;
 
@@ -877,16 +875,7 @@ setup_dnsseckeys(dns_client_t *client, dns_view_t *toview) {
 	}
 
 	INSIST(bindkeys != NULL);
-	cfg_map_get(bindkeys, "trusted-keys", &trusted_keys);
-	cfg_map_get(bindkeys, "managed-keys", &managed_keys);
 	cfg_map_get(bindkeys, "trust-anchors", &trust_anchors);
-
-	if (trusted_keys != NULL) {
-		CHECK(load_keys(trusted_keys, client, toview));
-	}
-	if (managed_keys != NULL) {
-		CHECK(load_keys(managed_keys, client, toview));
-	}
 	if (trust_anchors != NULL) {
 		CHECK(load_keys(trust_anchors, client, toview));
 	}

bin/named/server.c

@@ -995,11 +995,11 @@ process_key(const cfg_obj_t *key, dns_keytable_t *secroots,
 	}
 
 	/*
-	 * Add the key to 'secroots'.  Keys from a "trust-anchors" or
-	 * "managed-keys" statement may be either static or initializing
-	 * keys. If it's not initializing, we don't want to treat it as
-	 * managed, so we use 'initializing' twice here, for both the
-	 * 'managed' and 'initializing' arguments to dns_keytable_add().
+	 * Add the key to 'secroots'.  Keys from a "trust-anchors" statement
+	 * may be either static or initializing keys. If it's not initializing,
+	 * we don't want to treat it as managed, so we use 'initializing'
+	 * twice here, for both the 'managed' and 'initializing' arguments to
+	 * dns_keytable_add().
 	 */
 	result = dns_keytable_add(secroots, initializing, initializing, keyname,
 				  &ds, sfd_add, view);
@@ -1082,11 +1082,7 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 			  const cfg_obj_t *config, const cfg_obj_t *bindkeys,
 			  bool auto_root) {
 	isc_result_t result = ISC_R_SUCCESS;
-	const cfg_obj_t *view_keys = NULL;
-	const cfg_obj_t *global_keys = NULL;
-	const cfg_obj_t *view_managed_keys = NULL;
 	const cfg_obj_t *view_trust_anchors = NULL;
-	const cfg_obj_t *global_managed_keys = NULL;
 	const cfg_obj_t *global_trust_anchors = NULL;
 	const cfg_obj_t *maps[4];
 	const cfg_obj_t *voptions = NULL;
@@ -1105,26 +1101,15 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 	if (vconfig != NULL) {
 		voptions = cfg_tuple_get(vconfig, "options");
 		if (voptions != NULL) {
-			(void)cfg_map_get(voptions, "trusted-keys", &view_keys);
-
-			/* managed-keys and trust-anchors are synonyms. */
-			(void)cfg_map_get(voptions, "managed-keys",
-					  &view_managed_keys);
 			(void)cfg_map_get(voptions, "trust-anchors",
 					  &view_trust_anchors);
-
 			maps[i++] = voptions;
 		}
 	}
 
 	if (config != NULL) {
-		(void)cfg_map_get(config, "trusted-keys", &global_keys);
-
-		/* managed-keys and trust-anchors are synonyms. */
-		(void)cfg_map_get(config, "managed-keys", &global_managed_keys);
 		(void)cfg_map_get(config, "trust-anchors",
 				  &global_trust_anchors);
-
 		(void)cfg_map_get(config, "options", &options);
 		if (options != NULL) {
 			maps[i++] = options;
@@ -1189,13 +1174,8 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 	}
 
 	if (view->rdclass == dns_rdataclass_in) {
-		CHECK(load_view_keys(view_keys, view, false, NULL));
 		CHECK(load_view_keys(view_trust_anchors, view, true, NULL));
-		CHECK(load_view_keys(view_managed_keys, view, true, NULL));
-
-		CHECK(load_view_keys(global_keys, view, false, NULL));
 		CHECK(load_view_keys(global_trust_anchors, view, true, NULL));
-		CHECK(load_view_keys(global_managed_keys, view, true, NULL));
 	}
 
 	/*

bin/rndc/rndc.rst

@@ -491,9 +491,8 @@ Currently supported commands are:
 .. option:: secroots [-] [view ...]
 
    This command dumps the security roots (i.e., trust anchors configured via
-   ``trust-anchors``, or the ``managed-keys`` or ``trusted-keys`` statements
-   [both deprecated], or ``dnssec-validation auto``) and negative trust anchors
-   for the specified views. If no view is specified, all views are
+   ``trust-anchors`` statement, or ``dnssec-validation auto``) and negative
+   trust anchors for the specified views. If no view is specified, all views are
    dumped. Security roots indicate whether they are configured as trusted
    keys, managed keys, or initializing managed keys (managed keys that have not
    yet been updated by a successful key refresh query).

bin/tests/system/checkconf/bad-duplicate-root-key.conf

@@ -25,12 +25,12 @@ trust-anchors {
 		NQyrszHhWUU=";
 };
 
-trusted-keys {
-	. 257 3 8 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbod
-		y0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQ
-		YfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX
-		2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuw
-		E60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/
-		Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn
-		6zqCkwuMmrU=";
+trust-anchors {
+	. static-key 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl
+		25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG
+		tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY
+		kYrFYGLzYAgl/JtMyVVYlBl9pqxQuAPKYPOuO1axaad/wLN3+wTy/hcJ
+		fpvJpqzXlDF9bI5RmpoX/7geZ06vpcYJEoT0xkkmPlEl0ZjEDrm/WIaS
+		WG0/CEDpHcOXFz4OEczMVpY+lnuFfKybwF1WHFn2BwVEOS6cMM6ukIjI
+		NQyrszHhWUU=";
 };

bin/tests/system/checkconf/bad-no-trusted-key.conf

@@ -1,16 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0.  If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-options {
-	dnssec-validation yes;
-};

bin/tests/system/checkconf/check-mixed-keys.conf

@@ -25,7 +25,7 @@ trust-anchors {
 		QxA+Uk1ihz0=";
 };
 
-managed-keys {
+trust-anchors {
 	# This key (20326) was published in the root zone in 2017.
 	# Servers which were already using the old key (19036) should
 	# roll seamlessly to this new one via RFC 5011 rollover. Servers

bin/tests/system/checkconf/check-root-trusted-key.conf

@@ -1,29 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0.  If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-trusted-keys {
-	# This key (20326) was published in the root zone in 2017.
-	# Servers which were already using the old key (19036) should
-	# roll seamlessly to this new one via RFC 5011 rollover. Servers
-	# being set up for the first time can use the contents of this
-	# file as initializing keys; thereafter, the keys in the
-	# managed key database will be trusted and maintained
-	# automatically.
-	. 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
-		+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
-		ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
-		0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
-		oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
-		RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
-		R1AkUTV74bU=";
-};

bin/tests/system/checkconf/deprecated.conf

@@ -18,18 +18,7 @@ options {
 	sortlist { };
 };
 
-trusted-keys {
-	fake.trusted. 257 3 8
-		"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
-		FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
-		bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
-		X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
-		W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
-		Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
-		QxA+Uk1ihz0=";
-};
-
-managed-keys {
+trust-anchors {
 	fake.managed. initial-key 257 3 8
 		"AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
 		+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv

bin/tests/system/checkconf/good-dup-trusted-key.conf

@@ -1,33 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0.  If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-options {
-	dnssec-validation yes;
-};
-
-trusted-keys {
-	example. 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl
-		25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG
-		tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY
-		kYrFYGLzYAgl/JtMyVVYlBl9pqxQuAPKYPOuO1axaad/wLN3+wTy/hcJ
-		fpvJpqzXlDF9bI5RmpoX/7geZ06vpcYJEoT0xkkmPlEl0ZjEDrm/WIaS
-		WG0/CEDpHcOXFz4OEczMVpY+lnuFfKybwF1WHFn2BwVEOS6cMM6ukIjI
-		NQyrszHhWUU=";
-	example. 257 3 8 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbod
-		y0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQ
-		YfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX
-		2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuw
-		E60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/
-		Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn
-		6zqCkwuMmrU=";
-};

bin/tests/system/checkconf/good-empty-trusted-keys.conf

@@ -1,18 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0.  If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-options {
-	dnssec-validation yes;
-};
-
-trusted-keys {};

bin/tests/system/checkconf/good-nonempty-trusted-keys.conf

@@ -1,26 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0.  If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-options {
-	dnssec-validation yes;
-};
-
-trusted-keys {
-	example. 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl
-		25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG
-		tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY
-		kYrFYGLzYAgl/JtMyVVYlBl9pqxQuAPKYPOuO1axaad/wLN3+wTy/hcJ
-		fpvJpqzXlDF9bI5RmpoX/7geZ06vpcYJEoT0xkkmPlEl0ZjEDrm/WIaS
-		WG0/CEDpHcOXFz4OEczMVpY+lnuFfKybwF1WHFn2BwVEOS6cMM6ukIjI
-		NQyrszHhWUU=";
-};

bin/tests/system/checkconf/tests.sh

@@ -183,8 +183,6 @@ n=$((n + 1))
 echo_i "checking named-checkconf deprecate warnings ($n)"
 ret=0
 $CHECKCONF deprecated.conf >checkconf.out$n.1 2>&1 || ret=1
-grep "option 'managed-keys' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1
-grep "option 'trusted-keys' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1
 grep "option 'max-zone-ttl' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1
 grep "option 'sortlist' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
@@ -593,28 +591,6 @@ if [ $ret -ne 0 ]; then
 fi
 status=$((status + ret))
 
-n=$((n + 1))
-echo_i "check that a trusted-keys entry for root generates a warning ($n)"
-ret=0
-$CHECKCONF check-root-trusted-key.conf >checkconf.out$n 2>/dev/null || ret=1
-grep "trusted-keys entry for the root zone WILL FAIL" checkconf.out$n >/dev/null || ret=1
-if [ $ret -ne 0 ]; then
-  echo_i "failed"
-  ret=1
-fi
-status=$((status + ret))
-
-n=$((n + 1))
-echo_i "check that using trust-anchors and managed-keys generates an error ($n)"
-ret=0
-$CHECKCONF check-mixed-keys.conf >checkconf.out$n 2>/dev/null && ret=1
-grep "use of managed-keys is not allowed" checkconf.out$n >/dev/null || ret=1
-if [ $ret -ne 0 ]; then
-  echo_i "failed"
-  ret=1
-fi
-status=$((status + ret))
-
 n=$((n + 1))
 echo_i "checking named-checkconf kasp errors ($n)"
 ret=0

bin/tests/system/conf.sh

@@ -164,13 +164,6 @@ keyfile_to_dskeys() {
   echo "};"
 }
 
-# keyfile_to_trusted_keys: convert key data contained in the keyfile(s)
-# provided to a "trust-keys" section suitable for including in a
-# resolver's configuration file
-keyfile_to_trusted_keys() {
-  keyfile_to_keys "trusted-keys" "" $*
-}
-
 # keyfile_to_static_keys: convert key data contained in the keyfile(s)
 # provided to a *static-key* "trust-anchors" section suitable for including in
 # a resolver's configuration file

bin/tests/system/dnssec/ns1/sign.sh

@@ -50,7 +50,7 @@ cp trusted.conf ../ns6/trusted.conf
 cp trusted.conf ../ns7/trusted.conf
 cp trusted.conf ../ns9/trusted.conf
 
-keyfile_to_trusted_keys "$ksk" >trusted.keys
+keyfile_to_static_keys "$ksk" >trusted.keys
 
 # ...or with an initializing key.
 keyfile_to_initial_ds "$ksk" >managed.conf

doc/arm/reference.rst

@@ -440,12 +440,6 @@ The following blocks are supported:
     :any:`trust-anchors`
         Defines DNSSEC trust anchors: if used with the ``initial-key`` or ``initial-ds`` keyword, trust anchors are kept up-to-date using :rfc:`5011` trust anchor maintenance; if used with ``static-key`` or ``static-ds``, keys are permanent.
 
-    :any:`managed-keys`
-        Is identical to :any:`trust-anchors`; this option is deprecated in favor of :any:`trust-anchors` with the ``initial-key`` keyword, and may be removed in a future release.
-
-    :any:`trusted-keys`
-        Defines permanent trusted DNSSEC keys; this option is deprecated in favor of :any:`trust-anchors` with the ``static-key`` keyword, and may be removed in a future release.
-
     :any:`view`
         Defines a view.
 
@@ -1664,9 +1658,8 @@ default is used.
    If all supported algorithms are disabled, the zones covered by the
    :any:`disable-algorithms` setting are treated as insecure.
 
-   Configured trust anchors in :any:`trust-anchors` (or :any:`managed-keys` or
-   :any:`trusted-keys`) that match a disabled algorithm are ignored and treated
-   as if they were not configured.
+   Configured trust anchors in :any:`trust-anchors` that match a disabled
+   algorithm are ignored and treated as if they were not configured.
 
 .. namedconf:statement:: disable-ds-digests
    :tags: dnssec, zone
@@ -2550,13 +2543,11 @@ Boolean Options
    anchor for the DNS root zone is used. This trust anchor is provided
    as part of BIND and is kept up-to-date using :ref:`rfc5011.support` key
    management. Adding an explicit static key using the :any:`trust-anchors`
-   statement, with a ``static-key`` anchor type (or using the deprecated
-   :any:`trusted-keys` statement) for the root zone, is not supported with the
-   ``auto`` setting and is treated as a configuration error.
+   statement, with a ``static-key`` anchor type for the root zone, is not
+   supported with the ``auto`` setting and is treated as a configuration error.
 
    If set to ``yes``, DNSSEC validation is enabled, but a trust anchor must be
-   manually configured using a :any:`trust-anchors` statement (or the
-   :any:`managed-keys` or :any:`trusted-keys` statements, both deprecated). If
+   manually configured using a :any:`trust-anchors` statement. If
    :any:`trust-anchors` is not configured, it is a configuration error. If
    :any:`trust-anchors` does not include a valid root key, then validation does
    not take place for names which are not covered by any of the configured trust
@@ -6111,8 +6102,6 @@ Trust anchors configured with the
 anchor types are immutable, while keys configured with
 ``initial-key`` or ``initial-ds``
 can be kept up-to-date automatically, without intervention from the resolver operator.
-(``static-key`` keys are identical to keys configured using the
-deprecated :any:`trusted-keys` statement.)
 
 Suppose, for example, that a zone's key-signing key was compromised, and
 the zone owner had to revoke and replace the key. A resolver which had
@@ -6612,29 +6601,6 @@ The following options apply to DS queries sent to :any:`parental-agents`:
    This option acts like :any:`parental-source`, but applies to parental DS
    queries sent to IPv6 addresses.
 
-:any:`managed-keys` Block Grammar
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.. namedconf:statement:: managed-keys
-   :tags: deprecated
-
-:any:`managed-keys` Block Definition and Usage
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-The :any:`managed-keys` statement has been
-deprecated in favor of :any:`trust-anchors`
-with the ``initial-key`` keyword.
-
-:any:`trusted-keys` Block Grammar
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.. namedconf:statement:: trusted-keys
-   :tags: deprecated
-
-:any:`trusted-keys` Block Definition and Usage
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-The :any:`trusted-keys` statement has been deprecated in favor of
-:any:`trust-anchors` with the ``static-key`` keyword.
-
 :any:`view` Block Grammar
 ~~~~~~~~~~~~~~~~~~~~~~~~~~
 .. namedconf:statement:: view

doc/design/unsupported-algorithms-in-bind9

@@ -79,14 +79,8 @@ treated as unsupported.
 
 ### Trust anchors
 
-In BIND 9, trust anchors can be configured using two clauses:
-
-  * `trusted-keys`, which contains hardcoded (static) trust anchors,
-  * `managed-keys`, which will be kept up to date automatically, following the
-     zone's key rollovers (according to the algorithm specified in RFC 5011).
-
-When put into the above clauses, keys using unsupported algorithms will be
-ignored:
+In BIND 9, trust anchors can be configured using `trust-anchors`. When put into
+such clause, keys using unsupported algorithms will be ignored:
 
     trusted.conf:3: skipping trusted key for 't.example.': algorithm is unsupported
     managed.conf:3: skipping managed key for 'm.example.': algorithm is unsupported
@@ -118,8 +112,8 @@ treated as secure and thus attempts to resolve names in the domains pointed to
 by the records in that DLV zone will yield SERVFAIL responses.  Consider the
 following example:
 
-    trusted-keys {
-        "dlv.example." 257 3 1 ...;
+    trust-anchors {
+        "dlv.example." static-key 257 3 1 ...;
     };
 
     options {
@@ -141,7 +135,7 @@ ignored altogether and do not cause an associated trust point to be defined.
 
 A zone for which BIND 9 has a trust anchor configured may decide to do an
 algorithm rollover to an unsupported algorithm.  If configured with
-`managed-keys`, BIND 9 will ignore the newly introduced DNSKEY if it does
+`trust-anchors`, BIND 9 will ignore the newly introduced DNSKEY if it does
 not support the algorithm.  That means that the moment the predecessor DNSKEY
 gets revoked, BIND 9 will no longer have any trust anchors for the given zone
 and it will treat the trust point as if it does not exist, meaning that

doc/dnssec-guide/validation.rst

@@ -379,7 +379,7 @@ take a closer look at what DNSSEC validation actually does, and some other optio
    };
 
 This “auto” line enables automatic DNSSEC trust anchor configuration
-using the :any:`managed-keys` feature. In this case, no manual key
+using the :any:`trust-anchors` feature. In this case, no manual key
 configuration is needed. There are three possible choices for the
 :any:`dnssec-validation` option:
 

doc/misc/options

@@ -64,8 +64,6 @@ logging {
 	}; // may occur multiple times
 };
 
-managed-keys { <string> ( static-key | initial-key | static-ds | initial-ds ) <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times, deprecated
-
 options {
 	allow-new-zones <boolean>;
 	allow-notify { <address_match_element>; ... };
@@ -374,8 +372,6 @@ tls <string> {
 
 trust-anchors { <string> ( static-key | initial-key | static-ds | initial-ds ) <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times
 
-trusted-keys { <string> <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times, deprecated
-
 view <string> [ <class> ] {
 	allow-new-zones <boolean>;
 	allow-notify { <address_match_element>; ... };
@@ -457,7 +453,6 @@ view <string> [ <class> ] {
 	key-directory <quoted_string>;
 	lame-ttl <duration>;
 	lmdb-mapsize <sizeval>; // optional (only available if configured)
-	managed-keys { <string> ( static-key | initial-key | static-ds | initial-ds ) <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times, deprecated
 	masterfile-format ( raw | text );
 	masterfile-style ( full | relative );
 	match-clients { <address_match_element>; ... };
@@ -591,7 +586,6 @@ view <string> [ <class> ] {
 	transfer-source-v6 ( <ipv6_address> | * );
 	trust-anchor-telemetry <boolean>;
 	trust-anchors { <string> ( static-key | initial-key | static-ds | initial-ds ) <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times
-	trusted-keys { <string> <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times, deprecated
 	try-tcp-refresh <boolean>;
 	update-check-ksk <boolean>; // obsolete
 	v6-bias <integer>;

lib/dns/include/dns/keytable.h

@@ -72,7 +72,7 @@ dns_keytable_add(dns_keytable_t *keytable, bool managed, bool initial,
  *
  * The value of keynode->managed is set to 'managed', and the
  * value of keynode->initial is set to 'initial'. (Note: 'initial'
- * should only be used when adding managed-keys from configuration.
+ * should only be used when adding trust-anchors from configuration.
  * This indicates the key is in "initializing" state, and has not yet
  * been confirmed with a key refresh query.  Once a key refresh query
  * has validated, we update the keynode with initial == false.)

lib/dns/zone.c

@@ -143,12 +143,12 @@
  */
 #define KASP_LOCK(k)                \
 	if ((k) != NULL) {          \
-		LOCK((&((k)->lock))); \
+		LOCK(&((k)->lock)); \
 	}
 
 #define KASP_UNLOCK(k)                \
 	if ((k) != NULL) {            \
-		UNLOCK((&((k)->lock))); \
+		UNLOCK(&((k)->lock)); \
 	}
 
 /*
@@ -216,7 +216,7 @@ typedef struct dns_include dns_include_t;
 	} while (0)
 #endif /* ifdef DNS_ZONE_CHECKLOCK */
 
-#define ZONEDB_INITLOCK(l)    isc_rwlock_init((l))
+#define ZONEDB_INITLOCK(l)    isc_rwlock_init(l)
 #define ZONEDB_DESTROYLOCK(l) isc_rwlock_destroy(l)
 #define ZONEDB_LOCK(l, t)     RWLOCK((l), (t))
 #define ZONEDB_UNLOCK(l, t)   RWUNLOCK((l), (t))
@@ -4492,9 +4492,9 @@ addifmissing(dns_keytable_t *keytable, dns_keynode_t *keynode,
 }
 
 /*
- * Synchronize the set of initializing keys found in managed-keys {}
+ * Synchronize the set of initializing keys found in trust-anchors {}
  * statements with the set of trust anchors found in the managed-keys.bind
- * zone.  If a domain is no longer named in managed-keys, delete all keys
+ * zone.  If a domain is no longer named in trust-anchors, delete all keys
  * from that domain from the key zone.	If a domain is configured as an
  * initial-key in trust-anchors, but there are no references to it in the
  * key zone, load the key zone with the initializing key(s) for that
@@ -10828,7 +10828,7 @@ done:
 failure:
 	if (result != ISC_R_SUCCESS) {
 		dnssec_log(zone, ISC_LOG_ERROR,
-			   "error during managed-keys processing (%s): "
+			   "error during trust anchor processing (%s): "
 			   "DNSSEC validation may be at risk",
 			   isc_result_totext(result));
 	}

lib/isccfg/check.c

@@ -4463,7 +4463,8 @@ check_servers(const cfg_obj_t *config, const cfg_obj_t *voptions,
 #define ROOT_KSK_2017	 0x08
 
 static isc_result_t
-check_trust_anchor(const cfg_obj_t *key, bool managed, unsigned int *flagsp) {
+check_trust_anchor(const cfg_obj_t *key, unsigned int *flagsp) {
+	bool managed = true;
 	const char *str = NULL, *namestr = NULL;
 	dns_fixedname_t fkeyname;
 	dns_name_t *keyname = NULL;
@@ -4479,7 +4480,6 @@ check_trust_anchor(const cfg_obj_t *key, bool managed, unsigned int *flagsp) {
 		STATIC_DNSKEY,
 		INIT_DS,
 		STATIC_DS,
-		TRUSTED
 	} anchortype;
 
 	/*
@@ -4575,9 +4575,7 @@ check_trust_anchor(const cfg_obj_t *key, bool managed, unsigned int *flagsp) {
 		result = ISC_R_FAILURE;
 	}
 
-	if (managed) {
 	atstr = cfg_obj_asstring(cfg_tuple_get(key, "anchortype"));
-
 	if (strcasecmp(atstr, "static-key") == 0) {
 		managed = false;
 		anchortype = STATIC_DNSKEY;
@@ -4594,22 +4592,16 @@ check_trust_anchor(const cfg_obj_t *key, bool managed, unsigned int *flagsp) {
 			    "invalid initialization method '%s'",
 			    namestr, atstr);
 		result = ISC_R_FAILURE;
-
 		/*
 		 * We can't interpret the trust anchor, so
 		 * we skip all other checks.
 		 */
 		goto cleanup;
 	}
-	} else {
-		atstr = "trusted-key";
-		anchortype = TRUSTED;
-	}
 
 	switch (anchortype) {
 	case INIT_DNSKEY:
 	case STATIC_DNSKEY:
-	case TRUSTED:
 		if (rdata1 > 0xffff) {
 			cfg_obj_log(key, ISC_LOG_ERROR, "flags too big: %u",
 				    rdata1);
@@ -4916,7 +4908,6 @@ record_ds_keys(isc_symtab_t *symtab, isc_mem_t *mctx,
  */
 static isc_result_t
 check_ta_conflicts(const cfg_obj_t *global_ta, const cfg_obj_t *view_ta,
-		   const cfg_obj_t *global_tkeys, const cfg_obj_t *view_tkeys,
 		   bool autovalidation, isc_mem_t *mctx) {
 	isc_result_t result, tresult;
 	const cfg_listelt_t *elt = NULL;
@@ -4934,9 +4925,8 @@ check_ta_conflicts(const cfg_obj_t *global_ta, const cfg_obj_t *view_ta,
 	}
 
 	/*
-	 * First we record all the static keys (i.e., old-style
-	 * trusted-keys and trust-anchors configured with "static-key"),
-	 * and all the DS-style trust anchors.
+	 * First we record all the static keys (trust-anchors configured with
+	 * "static-key"), and all the DS-style trust anchors.
 	 */
 	for (elt = cfg_list_first(global_ta); elt != NULL;
 	     elt = cfg_list_next(elt))
@@ -4970,28 +4960,6 @@ check_ta_conflicts(const cfg_obj_t *global_ta, const cfg_obj_t *view_ta,
 		}
 	}
 
-	for (elt = cfg_list_first(global_tkeys); elt != NULL;
-	     elt = cfg_list_next(elt))
-	{
-		keylist = cfg_listelt_value(elt);
-		tresult = record_static_keys(statictab, mctx, keylist,
-					     autovalidation);
-		if (result == ISC_R_SUCCESS) {
-			result = tresult;
-		}
-	}
-
-	for (elt = cfg_list_first(view_tkeys); elt != NULL;
-	     elt = cfg_list_next(elt))
-	{
-		keylist = cfg_listelt_value(elt);
-		tresult = record_static_keys(statictab, mctx, keylist,
-					     autovalidation);
-		if (result == ISC_R_SUCCESS) {
-			result = tresult;
-		}
-	}
-
 	/*
 	 * Next, ensure that there's no conflict between the
 	 * static keys and the trust-anchors configured with "initial-key".
@@ -5320,8 +5288,6 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
 	       isc_symtab_t *files, isc_symtab_t *keydirs, unsigned int flags,
 	       isc_symtab_t *inview, isc_mem_t *mctx) {
 	const cfg_obj_t *zones = NULL;
-	const cfg_obj_t *view_tkeys = NULL, *global_tkeys = NULL;
-	const cfg_obj_t *view_mkeys = NULL, *global_mkeys = NULL;
 	const cfg_obj_t *view_ta = NULL, *global_ta = NULL;
 	const cfg_obj_t *check_keys[2] = { NULL, NULL };
 	const cfg_obj_t *keys = NULL;
@@ -5335,7 +5301,7 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
 	const cfg_obj_t *opts = NULL;
 	const cfg_obj_t *plugin_list = NULL;
 	bool autovalidation = false;
-	unsigned int tflags = 0, dflags = 0;
+	unsigned int dflags = 0;
 	int i;
 	bool check_plugins = (flags & BIND_CHECK_PLUGINS) != 0;
 	bool check_algorithms = (flags & BIND_CHECK_ALGORITHMS) != 0;
@@ -5513,72 +5479,9 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
 	 * Load all DNSSEC keys.
 	 */
 	if (voptions != NULL) {
-		(void)cfg_map_get(voptions, "trusted-keys", &view_tkeys);
 		(void)cfg_map_get(voptions, "trust-anchors", &view_ta);
-		(void)cfg_map_get(voptions, "managed-keys", &view_mkeys);
 	}
-	(void)cfg_map_get(config, "trusted-keys", &global_tkeys);
 	(void)cfg_map_get(config, "trust-anchors", &global_ta);
-	(void)cfg_map_get(config, "managed-keys", &global_mkeys);
-
-	/*
-	 * Check trusted-keys.
-	 */
-	check_keys[0] = view_tkeys;
-	check_keys[1] = global_tkeys;
-	for (i = 0; i < 2; i++) {
-		if (check_keys[i] != NULL) {
-			unsigned int taflags = 0;
-
-			for (element = cfg_list_first(check_keys[i]);
-			     element != NULL; element = cfg_list_next(element))
-			{
-				const cfg_obj_t *keylist =
-					cfg_listelt_value(element);
-				for (element2 = cfg_list_first(keylist);
-				     element2 != NULL;
-				     element2 = cfg_list_next(element2))
-				{
-					obj = cfg_listelt_value(element2);
-					tresult = check_trust_anchor(obj, false,
-								     &taflags);
-					if (tresult != ISC_R_SUCCESS) {
-						result = tresult;
-					}
-				}
-			}
-
-			if ((taflags & ROOT_KSK_STATIC) != 0) {
-				cfg_obj_log(check_keys[i], ISC_LOG_WARNING,
-					    "trusted-keys entry for the root "
-					    "zone WILL FAIL after key "
-					    "rollover - use trust-anchors "
-					    "with initial-key "
-					    "or initial-ds instead.");
-			}
-
-			tflags |= taflags;
-		}
-	}
-
-	/*
-	 * Check dnssec/managed-keys. (Only one or the other can be used.)
-	 */
-	if ((view_mkeys != NULL || global_mkeys != NULL) &&
-	    (view_ta != NULL || global_ta != NULL))
-	{
-		keys = (view_mkeys != NULL) ? view_mkeys : global_mkeys;
-
-		cfg_obj_log(keys, ISC_LOG_ERROR,
-			    "use of managed-keys is not allowed when "
-			    "trust-anchors is also in use");
-		result = ISC_R_FAILURE;
-	}
-
-	if (view_ta == NULL && global_ta == NULL) {
-		view_ta = view_mkeys;
-		global_ta = global_mkeys;
-	}
 
 	check_keys[0] = view_ta;
 	check_keys[1] = global_ta;
@@ -5596,7 +5499,7 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
 				     element2 = cfg_list_next(element2))
 				{
 					obj = cfg_listelt_value(element2);
-					tresult = check_trust_anchor(obj, true,
+					tresult = check_trust_anchor(obj,
 								     &taflags);
 					if (tresult != ISC_R_SUCCESS) {
 						result = tresult;
@@ -5626,13 +5529,6 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
 		}
 	}
 
-	if ((tflags & ROOT_KSK_ANY) != 0 && (dflags & ROOT_KSK_ANY) != 0) {
-		keys = (view_ta != NULL) ? view_ta : global_ta;
-		cfg_obj_log(keys, ISC_LOG_WARNING,
-			    "both trusted-keys and trust-anchors "
-			    "for the root zone are present");
-	}
-
 	if ((dflags & ROOT_KSK_ANY) == ROOT_KSK_ANY) {
 		keys = (view_ta != NULL) ? view_ta : global_ta;
 		cfg_obj_log(keys, ISC_LOG_WARNING,
@@ -5651,9 +5547,7 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
 		if (!cfg_obj_isboolean(obj)) {
 			autovalidation = true;
 		} else if (cfg_obj_asboolean(obj)) {
-			if (global_ta == NULL && view_ta == NULL &&
-			    global_tkeys == NULL && view_tkeys == NULL)
-			{
+			if (global_ta == NULL && view_ta == NULL) {
 				cfg_obj_log(obj, ISC_LOG_ERROR,
 					    "the 'dnssec-validation yes' "
 					    "option requires configured "
@@ -5664,8 +5558,7 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
 		}
 	}
 
-	tresult = check_ta_conflicts(global_ta, view_ta, global_tkeys,
-				     view_tkeys, autovalidation, mctx);
+	tresult = check_ta_conflicts(global_ta, view_ta, autovalidation, mctx);
 	if (tresult != ISC_R_SUCCESS) {
 		result = tresult;
 	}

lib/isccfg/namedconf.c

@@ -515,22 +515,6 @@ static cfg_type_t cfg_type_maxduration = {
 	doc_maxduration,	  &cfg_rep_duration, maxduration_enums
 };
 
-/*%
- * A dnssec key, as used in the "trusted-keys" statement.
- */
-static cfg_tuplefielddef_t dnsseckey_fields[] = {
-	{ "name", &cfg_type_astring, 0 },
-	{ "anchortype", &cfg_type_void, 0 },
-	{ "rdata1", &cfg_type_uint32, 0 },
-	{ "rdata2", &cfg_type_uint32, 0 },
-	{ "rdata3", &cfg_type_uint32, 0 },
-	{ "data", &cfg_type_qstring, 0 },
-	{ NULL, NULL, 0 }
-};
-static cfg_type_t cfg_type_dnsseckey = { "dnsseckey",	  cfg_parse_tuple,
-					 cfg_print_tuple, cfg_doc_tuple,
-					 &cfg_rep_tuple,  dnsseckey_fields };
-
 /*%
  * Optional enums.
  *
@@ -550,8 +534,7 @@ doc_optional_enum(cfg_printer_t *pctx, const cfg_type_t *type) {
 }
 
 /*%
- * A key initialization specifier, as used in the
- * "trust-anchors" (or synonymous "managed-keys") statement.
+ * A key initialization specifier, as used in the "trust-anchors" statement.
  */
 static const char *anchortype_enums[] = { "static-key", "initial-key",
 					  "static-ds", "initial-ds", NULL };
@@ -900,14 +883,6 @@ static cfg_type_t cfg_type_keylist = { "keylist",
 				       &cfg_rep_list,
 				       &cfg_type_astring };
 
-/*% A list of dnssec keys, as in "trusted-keys". Deprecated. */
-static cfg_type_t cfg_type_trustedkeys = { "trustedkeys",
-					   cfg_parse_bracketed_list,
-					   cfg_print_bracketed_list,
-					   cfg_doc_bracketed_list,
-					   &cfg_rep_list,
-					   &cfg_type_dnsseckey };
-
 /*%
  * A list of managed trust anchors.  Each entry contains a name, a keyword
  * ("static-key", initial-key", "static-ds" or "initial-ds"), and the
@@ -1191,12 +1166,11 @@ static cfg_clausedef_t namedconf_or_view_clauses[] = {
 	{ "dyndb", &cfg_type_dyndb, CFG_CLAUSEFLAG_MULTI },
 	{ "key", &cfg_type_key, CFG_CLAUSEFLAG_MULTI },
 	{ "managed-keys", &cfg_type_dnsseckeys,
-	  CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_DEPRECATED },
+	  CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_ANCIENT },
 	{ "plugin", &cfg_type_plugin, CFG_CLAUSEFLAG_MULTI },
 	{ "server", &cfg_type_server, CFG_CLAUSEFLAG_MULTI },
 	{ "trust-anchors", &cfg_type_dnsseckeys, CFG_CLAUSEFLAG_MULTI },
-	{ "trusted-keys", &cfg_type_trustedkeys,
-	  CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_DEPRECATED },
+	{ "trusted-keys", NULL, CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_ANCIENT },
 	{ "zone", &cfg_type_zone, CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_NODOC },
 	{ NULL, NULL, 0 }
 };
@@ -1206,10 +1180,9 @@ static cfg_clausedef_t namedconf_or_view_clauses[] = {
  */
 static cfg_clausedef_t bindkeys_clauses[] = {
 	{ "managed-keys", &cfg_type_dnsseckeys,
-	  CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_DEPRECATED },
+	  CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_ANCIENT },
 	{ "trust-anchors", &cfg_type_dnsseckeys, CFG_CLAUSEFLAG_MULTI },
-	{ "trusted-keys", &cfg_type_trustedkeys,
-	  CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_DEPRECATED },
+	{ "trusted-keys", NULL, CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_ANCIENT },
 	{ NULL, NULL, 0 }
 };
 
@@ -2465,7 +2438,7 @@ cfg_type_t cfg_type_namedconf = { "namedconf",	     cfg_parse_mapbody,
 				  cfg_print_mapbody, cfg_doc_mapbody,
 				  &cfg_rep_map,	     namedconf_clausesets };
 
-/*% The bind.keys syntax (trust-anchors/managed-keys/trusted-keys only). */
+/*% The bind.keys syntax (trust-anchors). */
 static cfg_clausedef_t *bindkeys_clausesets[] = { bindkeys_clauses, NULL };
 cfg_type_t cfg_type_bindkeys = { "bindkeys",	    cfg_parse_mapbody,
 				 cfg_print_mapbody, cfg_doc_mapbody,