dialup no;\n\
dnssec-dnskey-kskonly yes;\n\
dnssec-loadkeys-interval 60;\n\
- dnssec-secure-to-insecure no;\n\
dnssec-update-mode maintain;\n\
# forward <none>\n\
# forwarders <none>\n\
dns_zone_setoption(mayberaw, DNS_ZONEOPT_IGNORESRVCNAME,
ignore);
- obj = NULL;
- result = named_config_get(maps, "dnssec-secure-to-insecure",
- &obj);
- INSIST(result == ISC_R_SUCCESS && obj != NULL);
- dns_zone_setoption(mayberaw, DNS_ZONEOPT_SECURETOINSECURE,
- cfg_obj_asboolean(obj));
-
obj = NULL;
result = cfg_map_get(zoptions, "dnssec-update-mode", &obj);
if (result == ISC_R_SUCCESS) {
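Review bot: After the deleted named_config_get block, nothing in this hunk sets DNS_ZONEOPT_SECURETOINSECURE any more, while the enum member is kept in zone.h in the same commit and its only visible reader, the ALLOW_SECURE_TO_INSECURE macro in ns/update.c, is deleted as well; if no other caller sets or tests the bit, it is now dead and the zone.h comment should say so rather than only "obsoleted", e.g. `/*%< dnssec-secure-to-insecure, obsoleted; no longer set from configuration or read */`. The same applies to the zone.h and ns/update.c hunks below, so one comment there would cover it. With the update-path guard gone, a dynamic update that removes every DNSKEY record is accepted by default where it used to be refused with a logged reason, so presumably update-policy is the remaining control and the statement documentation should point operators at it. The enclosing function starts and ends outside the hunk.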
auto-dnssec maintain;
dnskey-sig-validity 3600;
dnssec-dnskey-kskonly yes;
- dnssec-secure-to-insecure yes;
dnssec-update-mode maintain;
inline-signing no;
sig-validity-interval 3600;
grep "'auto-dnssec maintain;' cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
grep "dnskey-sig-validity: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
grep "dnssec-dnskey-kskonly: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
-grep "dnssec-secure-to-insecure: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
grep "dnssec-update-mode: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
grep "sig-validity-interval: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
grep "update-check-ksk: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
.. namedconf:statement:: dnssec-secure-to-insecure
:tags: dnssec
- :short: Allows a dynamic zone to transition from secure to insecure by deleting all DNSKEY records.
-
- This allows a dynamic zone to transition from secure to insecure (i.e.,
- signed to unsigned) by deleting all of the DNSKEY records. The
- default is ``no``. If set to ``yes``, and if the DNSKEY RRset at the
- zone apex is deleted, all RRSIG and NSEC records are removed from
- the zone as well.
-
- If the zone uses NSEC3, it is also necessary to delete the
- NSEC3PARAM RRset from the zone apex; this causes the removal of
- all corresponding NSEC3 records. (It is expected that this
- requirement will be eliminated in a future release.)
-
- Note that if a zone has been configured with ``auto-dnssec maintain``
- and the private keys remain accessible in the key repository,
- the zone will be automatically signed again the next time :iscman:`named`
- is started.
+ :short: Allows a dynamic zone to transition from secure to insecure by deleting all DNSKEY records (obsoleted).
+
+ This option used to allow a dynamic zone to transition from secure to insecure by deleting all DNSKEY records.
+ It has been obsoleted because DNSSEC key operations triggered by dynamic updates are no longer supported.
.. namedconf:statement:: synth-from-dnssec
:tags: dnssec
dnssec\-loadkeys\-interval <integer>;
dnssec\-must\-be\-secure <string> <boolean>; // may occur multiple times
dnssec\-policy <string>;
- dnssec\-secure\-to\-insecure <boolean>;
+ dnssec\-secure\-to\-insecure <boolean>; // obsolete
dnssec\-update\-mode ( maintain | no\-resign );
dnssec\-validation ( yes | no | auto );
dnstap { ( all | auth | client | forwarder | resolver | update ) [ ( query | response ) ]; ... }; // not configured
dnssec\-loadkeys\-interval <integer>;
dnssec\-must\-be\-secure <string> <boolean>; // may occur multiple times
dnssec\-policy <string>;
- dnssec\-secure\-to\-insecure <boolean>;
+ dnssec\-secure\-to\-insecure <boolean>; // obsolete
dnssec\-update\-mode ( maintain | no\-resign );
dnssec\-validation ( yes | no | auto );
dnstap { ( all | auth | client | forwarder | resolver | update ) [ ( query | response ) ]; ... }; // not configured
dnssec\-dnskey\-kskonly <boolean>;
dnssec\-loadkeys\-interval <integer>;
dnssec\-policy <string>;
- dnssec\-secure\-to\-insecure <boolean>;
+ dnssec\-secure\-to\-insecure <boolean>; // obsolete
dnssec\-update\-mode ( maintain | no\-resign );
file <quoted_string>;
forward ( first | only );
dnssec-loadkeys-interval <integer>;
dnssec-must-be-secure <string> <boolean>; // may occur multiple times
dnssec-policy <string>;
- dnssec-secure-to-insecure <boolean>;
+ dnssec-secure-to-insecure <boolean>; // obsolete
dnssec-update-mode ( maintain | no-resign );
dnssec-validation ( yes | no | auto );
dnstap { ( all | auth | client | forwarder | resolver | update ) [ ( query | response ) ]; ... }; // not configured
dnssec-loadkeys-interval <integer>;
dnssec-must-be-secure <string> <boolean>; // may occur multiple times
dnssec-policy <string>;
- dnssec-secure-to-insecure <boolean>;
+ dnssec-secure-to-insecure <boolean>; // obsolete
dnssec-update-mode ( maintain | no-resign );
dnssec-validation ( yes | no | auto );
dnstap { ( all | auth | client | forwarder | resolver | update ) [ ( query | response ) ]; ... }; // not configured
dnssec-dnskey-kskonly <boolean>;
dnssec-loadkeys-interval <integer>;
dnssec-policy <string>;
- dnssec-secure-to-insecure <boolean>;
+ dnssec-secure-to-insecure <boolean>; // obsolete
dnssec-update-mode ( maintain | no-resign );
file <quoted_string>;
forward ( first | only );
result = ISC_R_FAILURE;
}
- obj = NULL;
- res1 = cfg_map_get(zoptions, "dnssec-secure-to-insecure", &obj);
- if (res1 == ISC_R_SUCCESS && has_dnssecpolicy) {
- cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
- "dnssec-secure-to-insecure: cannot be "
- "configured if dnssec-policy is also set");
- result = ISC_R_FAILURE;
- }
-
obj = NULL;
res1 = cfg_map_get(zoptions, "dnssec-loadkeys-interval", &obj);
if (res1 == ISC_R_SUCCESS && ztype == CFG_ZONE_SECONDARY &&
*/
DNS_ZONEOPT_NOTIFYTOSOA = 1 << 21, /*%< Notify the SOA MNAME */
DNS_ZONEOPT_NSEC3TESTZONE = 1 << 22, /*%< nsec3-test-zone */
- DNS_ZONEOPT_SECURETOINSECURE = 1 << 23, /*%< dnssec-secure-to-insecure
- */
+ DNS_ZONEOPT_SECURETOINSECURE = 1 << 23, /*%< dnssec-secure-to-insecure,
+ * obsoleted */
DNS_ZONEOPT_DNSKEYKSKONLY = 1 << 24, /*%< dnssec-dnskey-kskonly */
DNS_ZONEOPT_CHECKDUPRR = 1 << 25, /*%< check-dup-records */
DNS_ZONEOPT_CHECKDUPRRFAIL = 1 << 26, /*%< fatal check-dup-records
CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY },
{ "dnssec-policy", &cfg_type_astring,
CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY },
- { "dnssec-secure-to-insecure", &cfg_type_boolean, CFG_ZONE_PRIMARY },
+ { "dnssec-secure-to-insecure", &cfg_type_boolean,
+ CFG_ZONE_PRIMARY | CFG_CLAUSEFLAG_OBSOLETE },
{ "dnssec-update-mode", &cfg_type_dnssecupdatemode,
CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY },
{ "forward", &cfg_type_forwardtype,
CHECK(rrset_exists(db, ver, zonename, dns_rdatatype_dnskey, 0,
&has_dnskey));
-#define ALLOW_SECURE_TO_INSECURE(zone) \
- ((dns_zone_getoptions(zone) & DNS_ZONEOPT_SECURETOINSECURE) != 0)
-
CHECK(rrset_exists(db, oldver, zonename, dns_rdatatype_dnskey,
0, &had_dnskey));
- if (!ALLOW_SECURE_TO_INSECURE(zone)) {
- if (had_dnskey && !has_dnskey) {
- update_log(client, zone, LOGLEVEL_PROTOCOL,
- "update rejected: all DNSKEY "
- "records removed and "
- "'dnssec-secure-to-insecure' "
- "not set");
- result = DNS_R_REFUSED;
- goto failure;
- }
- }
CHECK(rollback_private(db, privatetype, ver, &diff));