rem: usr: Remove trusted-keys and managed-keys options

These options have been deprecated in 9.19 in favor of the 'trust-anchors' option and are now being removed.

Closes #5080

Merge branch '5080-remove-trusted-and-managed-keys' into 'main'

See merge request isc-projects/bind9!9855

bin/delv/delv.c

@@ -668,7 +668,7 @@ key_fromconfig(const cfg_obj_t *key, dns_client_t *client, dns_view_t *toview) {
 	if (cfg_obj_isvoid(obj)) {
 		/*
 		 * "anchortype" is not defined, this must be a static-key
-		 * configured with trusted-keys.
+		 * configured with trust-anchors.
 		 */
 		anchortype = STATIC_KEY;
 	} else {
@@ -834,8 +834,6 @@ static isc_result_t
 setup_dnsseckeys(dns_client_t *client, dns_view_t *toview) {
 	isc_result_t result;
 	cfg_parser_t *parser = NULL;
-	const cfg_obj_t *trusted_keys = NULL;
-	const cfg_obj_t *managed_keys = NULL;
 	const cfg_obj_t *trust_anchors = NULL;
 	cfg_obj_t *bindkeys = NULL;
 
@@ -877,16 +875,7 @@ setup_dnsseckeys(dns_client_t *client, dns_view_t *toview) {
 	}
 
 	INSIST(bindkeys != NULL);
-	cfg_map_get(bindkeys, "trusted-keys", &trusted_keys);
-	cfg_map_get(bindkeys, "managed-keys", &managed_keys);
 	cfg_map_get(bindkeys, "trust-anchors", &trust_anchors);
-
-	if (trusted_keys != NULL) {
-		CHECK(load_keys(trusted_keys, client, toview));
-	}
-	if (managed_keys != NULL) {
-		CHECK(load_keys(managed_keys, client, toview));
-	}
 	if (trust_anchors != NULL) {
 		CHECK(load_keys(trust_anchors, client, toview));
 	}

bin/named/server.c

@@ -995,11 +995,11 @@ process_key(const cfg_obj_t *key, dns_keytable_t *secroots,
 	}
 
 	/*
-	 * Add the key to 'secroots'.  Keys from a "trust-anchors" or
-	 * "managed-keys" statement may be either static or initializing
-	 * keys. If it's not initializing, we don't want to treat it as
-	 * managed, so we use 'initializing' twice here, for both the
-	 * 'managed' and 'initializing' arguments to dns_keytable_add().
+	 * Add the key to 'secroots'.  Keys from a "trust-anchors" statement
+	 * may be either static or initializing keys. If it's not initializing,
+	 * we don't want to treat it as managed, so we use 'initializing'
+	 * twice here, for both the 'managed' and 'initializing' arguments to
+	 * dns_keytable_add().
 	 */
 	result = dns_keytable_add(secroots, initializing, initializing, keyname,
 				  &ds, sfd_add, view);
@@ -1082,11 +1082,7 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 			  const cfg_obj_t *config, const cfg_obj_t *bindkeys,
 			  bool auto_root) {
 	isc_result_t result = ISC_R_SUCCESS;
-	const cfg_obj_t *view_keys = NULL;
-	const cfg_obj_t *global_keys = NULL;
-	const cfg_obj_t *view_managed_keys = NULL;
 	const cfg_obj_t *view_trust_anchors = NULL;
-	const cfg_obj_t *global_managed_keys = NULL;
 	const cfg_obj_t *global_trust_anchors = NULL;
 	const cfg_obj_t *maps[4];
 	const cfg_obj_t *voptions = NULL;
@@ -1105,26 +1101,15 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 	if (vconfig != NULL) {
 		voptions = cfg_tuple_get(vconfig, "options");
 		if (voptions != NULL) {
-			(void)cfg_map_get(voptions, "trusted-keys", &view_keys);
-
-			/* managed-keys and trust-anchors are synonyms. */
-			(void)cfg_map_get(voptions, "managed-keys",
-					  &view_managed_keys);
 			(void)cfg_map_get(voptions, "trust-anchors",
 					  &view_trust_anchors);
-
 			maps[i++] = voptions;
 		}
 	}
 
 	if (config != NULL) {
-		(void)cfg_map_get(config, "trusted-keys", &global_keys);
-
-		/* managed-keys and trust-anchors are synonyms. */
-		(void)cfg_map_get(config, "managed-keys", &global_managed_keys);
 		(void)cfg_map_get(config, "trust-anchors",
 				  &global_trust_anchors);
-
 		(void)cfg_map_get(config, "options", &options);
 		if (options != NULL) {
 			maps[i++] = options;
@@ -1189,13 +1174,8 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 	}
 
 	if (view->rdclass == dns_rdataclass_in) {
-		CHECK(load_view_keys(view_keys, view, false, NULL));
 		CHECK(load_view_keys(view_trust_anchors, view, true, NULL));
-		CHECK(load_view_keys(view_managed_keys, view, true, NULL));
-
-		CHECK(load_view_keys(global_keys, view, false, NULL));
 		CHECK(load_view_keys(global_trust_anchors, view, true, NULL));
-		CHECK(load_view_keys(global_managed_keys, view, true, NULL));
 	}
 
 	/*

bin/rndc/rndc.rst

@@ -491,9 +491,8 @@ Currently supported commands are:
 .. option:: secroots [-] [view ...]
 
    This command dumps the security roots (i.e., trust anchors configured via
-   ``trust-anchors``, or the ``managed-keys`` or ``trusted-keys`` statements
-   [both deprecated], or ``dnssec-validation auto``) and negative trust anchors
-   for the specified views. If no view is specified, all views are
+   ``trust-anchors`` statement, or ``dnssec-validation auto``) and negative
+   trust anchors for the specified views. If no view is specified, all views are
    dumped. Security roots indicate whether they are configured as trusted
    keys, managed keys, or initializing managed keys (managed keys that have not
    yet been updated by a successful key refresh query).

bin/tests/system/checkconf/bad-duplicate-root-key.conf

@@ -25,12 +25,12 @@ trust-anchors {
 		NQyrszHhWUU=";
 };
 
-trusted-keys {
-	. 257 3 8 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbod
-		y0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQ
-		YfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX
-		2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuw
-		E60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/
-		Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn
-		6zqCkwuMmrU=";
+trust-anchors {
+	. static-key 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl
+		25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG
+		tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY
+		kYrFYGLzYAgl/JtMyVVYlBl9pqxQuAPKYPOuO1axaad/wLN3+wTy/hcJ
+		fpvJpqzXlDF9bI5RmpoX/7geZ06vpcYJEoT0xkkmPlEl0ZjEDrm/WIaS
+		WG0/CEDpHcOXFz4OEczMVpY+lnuFfKybwF1WHFn2BwVEOS6cMM6ukIjI
+		NQyrszHhWUU=";
 };

bin/tests/system/checkconf/check-mixed-keys.conf

@@ -25,7 +25,7 @@ trust-anchors {
 		QxA+Uk1ihz0=";
 };
 
-managed-keys {
+trust-anchors {
 	# This key (20326) was published in the root zone in 2017.
 	# Servers which were already using the old key (19036) should
 	# roll seamlessly to this new one via RFC 5011 rollover. Servers

bin/tests/system/checkconf/deprecated.conf

@@ -18,18 +18,7 @@ options {
 	sortlist { };
 };
 
-trusted-keys {
-	fake.trusted. 257 3 8
-		"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
-		FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
-		bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
-		X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
-		W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
-		Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
-		QxA+Uk1ihz0=";
-};
-
-managed-keys {
+trust-anchors {
 	fake.managed. initial-key 257 3 8
 		"AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
 		+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv

bin/tests/system/checkconf/tests.sh

@@ -183,8 +183,6 @@ n=$((n + 1))
 echo_i "checking named-checkconf deprecate warnings ($n)"
 ret=0
 $CHECKCONF deprecated.conf >checkconf.out$n.1 2>&1 || ret=1
-grep "option 'managed-keys' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1
-grep "option 'trusted-keys' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1
 grep "option 'max-zone-ttl' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1
 grep "option 'sortlist' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
@@ -593,28 +591,6 @@ if [ $ret -ne 0 ]; then
 fi
 status=$((status + ret))
 
-n=$((n + 1))
-echo_i "check that a trusted-keys entry for root generates a warning ($n)"
-ret=0
-$CHECKCONF check-root-trusted-key.conf >checkconf.out$n 2>/dev/null || ret=1
-grep "trusted-keys entry for the root zone WILL FAIL" checkconf.out$n >/dev/null || ret=1
-if [ $ret -ne 0 ]; then
-  echo_i "failed"
-  ret=1
-fi
-status=$((status + ret))
-
-n=$((n + 1))
-echo_i "check that using trust-anchors and managed-keys generates an error ($n)"
-ret=0
-$CHECKCONF check-mixed-keys.conf >checkconf.out$n 2>/dev/null && ret=1
-grep "use of managed-keys is not allowed" checkconf.out$n >/dev/null || ret=1
-if [ $ret -ne 0 ]; then
-  echo_i "failed"
-  ret=1
-fi
-status=$((status + ret))
-
 n=$((n + 1))
 echo_i "checking named-checkconf kasp errors ($n)"
 ret=0

bin/tests/system/conf.sh

@@ -164,13 +164,6 @@ keyfile_to_dskeys() {
   echo "};"
 }
 
-# keyfile_to_trusted_keys: convert key data contained in the keyfile(s)
-# provided to a "trust-keys" section suitable for including in a
-# resolver's configuration file
-keyfile_to_trusted_keys() {
-  keyfile_to_keys "trusted-keys" "" $*
-}
-
 # keyfile_to_static_keys: convert key data contained in the keyfile(s)
 # provided to a *static-key* "trust-anchors" section suitable for including in
 # a resolver's configuration file

bin/tests/system/dnssec/ns1/sign.sh

@@ -50,7 +50,7 @@ cp trusted.conf ../ns6/trusted.conf
 cp trusted.conf ../ns7/trusted.conf
 cp trusted.conf ../ns9/trusted.conf
 
-keyfile_to_trusted_keys "$ksk" >trusted.keys
+keyfile_to_static_keys "$ksk" >trusted.keys
 
 # ...or with an initializing key.
 keyfile_to_initial_ds "$ksk" >managed.conf