isc_commandline_errprint = false;
-#define OPTIONS "12Aa:Cc:d:Ff:K:l:sT:v:whV"
+#define OPTIONS "12Aa:Cc:d:Ff:K:sT:v:whV"
while ((ch = isc_commandline_parse(argc, argv, OPTIONS)) != -1) {
switch (ch) {
case '1':
case 'f':
filename = isc_commandline_argument;
break;
- case 'l':
- fatal("-l option (DLV lookaside) is obsolete");
- break;
case 's':
usekeyset = true;
break;
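Review bot: With `isc_commandline_errprint = false` set at the top of this block, removing `l:` from OPTIONS together with the explicit `case 'l'` means a stale `-l` in an operator's script is now reported only through the parser's generic unknown-option path instead of the targeted `fatal("-l option (DLV lookaside) is obsolete")`. That is an acceptable trade once DLV is gone, but confirm that the `default:` branch still names the offending letter and that the tool's usage() text and man page no longer list `-l`; neither is visible in this hunk.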
atomic_init(&shuttingdown, false);
atomic_init(&finished, false);
- /* Unused letters: Bb G J q Yy (and F is reserved). */
-#define CMDLINE_FLAGS \
- "3:AaCc:Dd:E:e:f:FgG:hH:i:I:j:J:K:k:L:l:m:M:n:N:o:O:PpQqRr:s:ST:tuUv:" \
+ /*
+ * Unused letters: Bb G J l q Yy (and F is reserved).
+ * l was previously used for DLV lookaside.
+ */
+#define CMDLINE_FLAGS \
+ "3:AaCc:Dd:E:e:f:FgG:hH:i:I:j:J:K:k:L:m:M:n:N:o:O:PpQqRr:s:ST:tuUv:" \
"VX:xzZ:"
/*
}
break;
- case 'l':
- fatal("-l option (DLV lookaside) is obsolete");
- break;
-
case 'M':
endp = NULL;
set_maxttl = true;
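Review bot: Removing `case 'l'` leaves `-l` to the switch's default handling and drops the hard `fatal("-l option (DLV lookaside) is obsolete")`; the remaining `break;` followed directly by `case 'M':` is fine once the separator blank line goes. Make sure this lands together with the CMDLINE_FLAGS change earlier in the same file that drops `l:`, otherwise the parser would still accept `-l` with an argument and reach the default case after consuming it.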
A validator has more possible interactions with unsupported algorithms:
* a key using one of these algorithms may be configured as a trust anchor,
- * a DLV record for such a key may be placed in a DLV zone.
- * upstream answers may contain signatures using such algorithms,
+ * upstream answers may contain signatures using such algorithms.
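Review bot: The comma-to-full-stop change on the `upstream answers` bullet is required because that item is now the last of the list, and the first bullet keeps its comma, so the two remaining items read as one sentence under `A validator has more possible interactions with unsupported algorithms:`. The removed DLV bullet was the only one that ended in a full stop mid-list, so the punctuation is more consistent after this change than before it.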
### Disabled algorithms
BIND 9 will ignore such trust anchors, and responses for those domains will
now be treated as insecure.
-### DLV
-
-If a DLV record in a DLV zone points to a DNSKEY using an unsupported algorithm
-or an algorithm which has been disabled for the relevant part of the tree using
-a `disable-algorithms` clause in `named.conf`, the corresponding zone will be
-treated as insecure.
-
-However, if the trust anchor specified for the DLV zone itself uses an
-unsupported or disabled algorithm, no DLV record in that DLV zone can be
-treated as secure and thus attempts to resolve names in the domains pointed to
-by the records in that DLV zone will yield SERVFAIL responses. Consider the
-following example:
-
- trust-anchors {
- "dlv.example." static-key 257 3 1 ...;
- };
-
- options {
- ...
- dnssec-lookaside "foo." trust-anchor "dlv.example";
- };
-
-The example above specifies a DLV trust anchor using the RSAMD5 algorithm
-(algorithm number 1), which effectively prevents resolution of data in any zone
-at and below `foo.` that is listed in `dlv.example` (and does not have a valid,
-non-DLV chain of trust established otherwise). This outcome is different than
-for a trust anchor which uses an unsupported or disabled algorithm and is not
-associated with a `dnssec-lookaside` clause; the reason for this is that in the
-case of a DLV-referenced, unusable key, the trust point is still defined, but
-has no keys associated with it, whereas non-DLV-referenced, unusable keys are
-ignored altogether and do not cause an associated trust point to be defined.
-
### Algorithm rollover
A zone for which BIND 9 has a trust anchor configured may decide to do an
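Review bot: Deleting the `### DLV` section removes the only place this document explained why an unusable trust anchor could yield SERVFAIL instead of insecure treatment, so the `### Disabled algorithms` statement that `BIND 9 will ignore such trust anchors, and responses for those domains will now be treated as insecure.` becomes the sole described behaviour; that is correct once `dnssec-lookaside` is gone. Check the rest of this file and any configuration reference for links to a `DLV` heading or to the `dnssec-lookaside` option shown in the removed example, and consider a release note for operators who still carry a `dnssec-lookaside` clause in `named.conf`, since the `### Algorithm rollover` section now follows `### Disabled algorithms` directly.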