Deprecate the "tkey-gssapi-credential" statement

The "tkey-gssapi-keytab" statement enables GSS-TSIG to be set up in a
simpler and more reliable way than using the "tkey-gssapi-credential"
statement and setting environment variables (e.g. KRB5_KTNAME).

Mark the "tkey-gssapi-credential" statement as deprecated to eventually
only have one method for setting up GSS-TSIG in named.  Do not mention
"tkey-gssapi-credential" in the section of the ARM on dynamic updates.

diff --git a/doc/arm/advanced.inc.rst b/doc/arm/advanced.inc.rst
index 5ebb6a3dc9c316256b37178d26448bf9657aabfa..34665fc444cbcb364b4cc07e5ea4c3b1b5ee590e 100644 (file)
--- a/doc/arm/advanced.inc.rst
+++ b/doc/arm/advanced.inc.rst
@@ -31,11 +31,10 @@ are permitted for the key ``local-ddns``, which is generated by
 :iscman:`named` at startup. See :ref:`dynamic_update_policies` for more details.
 
 Dynamic updates using Kerberos-signed requests can be made using the
-TKEY/GSS protocol, either by setting the :any:`tkey-gssapi-keytab` option
-or by setting both the :any:`tkey-gssapi-credential` and
-:any:`tkey-domain` options. Once enabled, Kerberos-signed requests are
-matched against the update policies for the zone, using the Kerberos
-principal as the signer for the request.
+TKEY/GSS protocol, by setting the :any:`tkey-gssapi-keytab` option.
+Once enabled, Kerberos-signed requests are matched against the update
+policies for the zone, using the Kerberos principal as the signer for
+the request.
 
 Updating of secure zones (zones using DNSSEC) follows :rfc:`3007`: RRSIG,
 NSEC, and NSEC3 records affected by updates are automatically regenerated

diff --git a/doc/misc/options b/doc/misc/options
index 01b000e6cc349f5d68c7177cd1cc99ab23c2b13b..b05e7f26078d46951ed6add75345942e432cb3f3 100644 (file)
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -303,7 +303,7 @@ options {
        tcp-receive-buffer <integer>;
        tcp-send-buffer <integer>;
        tkey-domain <quoted_string>;
-       tkey-gssapi-credential <quoted_string>;
+       tkey-gssapi-credential <quoted_string>; // deprecated
        tkey-gssapi-keytab <quoted_string>;
        tls-port <integer>;
        transfer-format ( many-answers | one-answer );

diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index 6c7469e46d334fe82c8c1ae76331cdf1ec120c34..711360d992301483ec5fa714d4be25ebef491f79 100644 (file)
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -1349,7 +1349,8 @@ static cfg_clausedef_t options_clauses[] = {
        { "tcp-send-buffer", &cfg_type_uint32, 0 },
        { "tkey-dhkey", NULL, CFG_CLAUSEFLAG_ANCIENT },
        { "tkey-domain", &cfg_type_qstring, 0 },
-       { "tkey-gssapi-credential", &cfg_type_qstring, 0 },
+       { "tkey-gssapi-credential", &cfg_type_qstring,
+         CFG_CLAUSEFLAG_DEPRECATED },
        { "tkey-gssapi-keytab", &cfg_type_qstring, 0 },
        { "transfer-message-size", &cfg_type_uint32, 0 },
        { "transfers-in", &cfg_type_uint32, 0 },