Lines Matching defs:keys
3181 * OpenSSL verification of RSA keys with exponent 3 is known to be
3182 * broken prior OpenSSL 0.9.8c/0.9.7k. Look for such keys and warn
3524 * apex to exist and contain no keys using NSEC-only algorithms.
3824 /* Refresh new keys from the zone apex as soon as possible. */
3948 * valid (i.e., the add holddown timer has expired) become trusted keys.
4233 * Synchronize the set of initializing keys found in managed-keys {}
4234 * statements with the set of trust anchors found in the managed-keys.bind
4235 * zone. If a domain is no longer named in managed-keys, delete all keys
4237 * managed-keys but there are no references to it in the key zone, load
4253 dns_zone_log(zone, ISC_LOG_DEBUG(1), "synchronizing trusted keys");
4268 * Walk the zone DB. If we find any keys whose names are no longer
4269 * in managed-keys (or *are* in trusted-keys, meaning they are
4271 * zone. Otherwise call load_secroots(), which loads keys into
4310 * Now walk secroots to find any managed keys that aren't
4336 "unable to synchronize managed keys: %s",
6027 dst_key_t **keys, unsigned int *nkeys)
6034 memset(keys, 0, sizeof(*keys) * maxkeys);
6036 directory, now, mctx, maxkeys, keys,
6101 delsig_ok(dns_rdata_rrsig_t *rrsig_ptr, dst_key_t **keys, unsigned int nkeys,
6109 if (rrsig_ptr->algorithm != dst_key_alg(keys[i]))
6111 if (dst_key_isprivate(keys[i])) {
6112 if (KSK(keys[i]))
6117 if (KSK(keys[i]))
6139 if ((rrsig_ptr->algorithm == dst_key_alg(keys[i])) &&
6140 (rrsig_ptr->keyid == dst_key_id(keys[i])))
6156 dns_rdatatype_t type, zonediff_t *zonediff, dst_key_t **keys,
6201 if (delsig_ok(&rrsig, keys, nkeys, &warn)) {
6258 if (rrsig.algorithm == dst_key_alg(keys[i]) &&
6259 rrsig.keyid == dst_key_id(keys[i])) {
6266 if (!dst_key_inactive(keys[i]) &&
6267 !dst_key_isprivate(keys[i]))
6334 dns_rdatatype_t type, dns_diff_t *diff, dst_key_t **keys,
6373 if (!dst_key_isprivate(keys[i]))
6375 if (dst_key_inactive(keys[i])) /* Should be redundant. */
6378 if (check_ksk && !REVOKE(keys[i])) {
6380 if (KSK(keys[i])) {
6388 if (j == i || ALG(keys[i]) != ALG(keys[j]))
6390 if (!dst_key_isprivate(keys[j]))
6392 if (dst_key_inactive(keys[j])) /* SBR */
6394 if (REVOKE(keys[j]))
6396 if (KSK(keys[j]))
6407 if (!KSK(keys[i]) && keyset_kskonly)
6409 } else if (KSK(keys[i]))
6411 } else if (REVOKE(keys[i]) && type != dns_rdatatype_dnskey)
6416 CHECK(dns_dnssec_sign(name, &rdataset, keys[i],
8268 * Incrementally sign the zone using the keys requested.
8467 * Find the keys we want to sign with.
8540 * If we are adding we are done. Look for other keys
8806 * After normalizing keys to the same format (DNSKEY, with revoke bit
9129 * over again; trusted keys might have changed.
9134 * Validate the dnskeyset against the current trusted keys.
9196 * trusted keys then all we can do is look at any revoked keys.
9202 "with current keys", namebuf);
9206 * First scan keydataset to find keys that are not in dnskeyset
9207 * - Missing keys which are not scheduled for removal,
9209 * - Missing keys which are scheduled for removal and
9212 * - Missing keys whose acceptance timers have not yet
9215 * - All keys not being removed have their refresh timers
9238 * automatically trust all the keys we find at the zone apex.
9274 "managed keys database",
9308 * - If new keys are found (i.e., lacking a match in keydataset)
9313 * - Previously-known keys that have been revoked
9317 * - Previously-known unrevoked keys whose acceptance timers
9319 * - All keys not being removed have their refresh
9365 "managed keys database",
9398 "managed keys database",
9574 * If "updatekey" was true for all keys found in the DNSKEY
9575 * response and the previous update of those keys happened
9676 * Scan the stored keys looking for ones that need
9937 * Do we need to refresh keys?
13665 "managed-keys-zone" : (zone->type == dns_zone_redirect) ?
13682 "managed-keys-zone" : (zone->type == dns_zone_redirect) ?
13704 zstr = "managed-keys-zone";
17574 * cause them to sign so that so that newly activated keys
17668 /* Refuse to allow NSEC3 with NSEC-only keys */
17764 dns_dnsseckeylist_t dnskeys, keys, rmkeys;
17782 ISC_LIST_INIT(keys);
17803 dns_zone_log(zone, ISC_LOG_INFO, "reconfiguring zone keys");
17844 &keys);
17849 result = dns_dnssec_updatekeys(&dnskeys, &keys, &rmkeys,
17859 "couldn't update zone keys: %s",
17878 * See if any pre-existing keys have newly become active;
17939 /* Remove any signatures from removed keys. */
17959 * with all active keys, whether they're new or not.
17982 * keys.
18098 clear_keylist(&keys, mctx);