Deprecate auto-dnssec

Deprecate auto-dnssec, add specific log warning to migrate to
dnssec-policy.

diff --git a/bin/tests/system/checkconf/dnssec.3 b/bin/tests/system/checkconf/dnssec.3
new file mode 100644 (file)
index 0000000..cd37d14
--- /dev/null
+++ b/bin/tests/system/checkconf/dnssec.3
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ * 
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "test" {
+       type primary;
+       file "test.db";
+       auto-dnssec maintain;
+};

diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh
index d4aa341cb90f4c713581ef695f08f9ff04154866..e4afd713faad844728e089d9af31ad77e23d612d 100644 (file)
--- a/bin/tests/system/checkconf/tests.sh
+++ b/bin/tests/system/checkconf/tests.sh
@@ -145,12 +145,17 @@ n=`expr $n + 1`
 echo_i "checking named-checkconf dnssec warnings ($n)"
 ret=0
 # dnssec.1: auto-dnssec warning
-$CHECKCONF dnssec.1 > checkconf.out$n.2 2>&1
-grep 'auto-dnssec may only be ' < checkconf.out$n.2 > /dev/null || ret=1
-# dnssec.2: should have no warnings
-$CHECKCONF dnssec.2 > checkconf.out$n.3 2>&1
-grep '.*' < checkconf.out$n.3 > /dev/null && ret=1
-if [ $ret -ne 0 ]; then echo_i "failed"; fi
+$CHECKCONF dnssec.1 > checkconf.out$n.1 2>&1
+grep 'auto-dnssec may only be ' < checkconf.out$n.1 > /dev/null || ret=1
+# dnssec.2: should have no warnings (other than deprecation warning)
+$CHECKCONF dnssec.2 > checkconf.out$n.2 2>&1
+grep "option 'auto-dnssec' is deprecated" < checkconf.out$n.2 > /dev/null || ret=1
+lines=$(wc -l < "checkconf.out$n.2")
+if [ $lines != 1 ]; then ret=1; fi
+# dnssec.3: should have specific deprecation warning
+$CHECKCONF dnssec.3 > checkconf.out$n.3 2>&1
+grep "'auto-dnssec' option is deprecated and will be removed in BIND 9\.19" < checkconf.out$n.3 > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
 n=`expr $n + 1`

diff --git a/doc/man/named.conf.5in b/doc/man/named.conf.5in
index b110355210d83c7459e6b00df9e6056c2efa4419..8cf7eb93ad40985cb58364c392d581b7252e30d8 100644 (file)
--- a/doc/man/named.conf.5in
+++ b/doc/man/named.conf.5in
@@ -132,7 +132,7 @@ options {
        answer\-cookie <boolean>;
        attach\-cache <string>;
        auth\-nxdomain <boolean>;
-       auto\-dnssec ( allow | maintain | off );
+       auto\-dnssec ( allow | maintain | off ); // deprecated
        automatic\-interface\-scan <boolean>;
        avoid\-v4\-udp\-ports { <portrange>; ... };
        avoid\-v6\-udp\-ports { <portrange>; ... };
@@ -446,7 +446,7 @@ view <string> [ <class> ] {
        alt\-transfer\-source\-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
        attach\-cache <string>;
        auth\-nxdomain <boolean>;
-       auto\-dnssec ( allow | maintain | off );
+       auto\-dnssec ( allow | maintain | off ); // deprecated
        catalog\-zones { zone <string> [ default\-primaries [ port <integer> ] [ dscp <integer> ] { ( <remote\-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... } ] [ zone\-directory <quoted_string> ] [ in\-memory <boolean> ] [ min\-update\-interval <duration> ]; ... };
        check\-dup\-records ( fail | warn | ignore );
        check\-integrity <boolean>;
@@ -673,7 +673,7 @@ zone <string> [ <class> ] {
        also\-notify [ port <integer> ] [ dscp <integer> ] { ( <remote\-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
        alt\-transfer\-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
        alt\-transfer\-source\-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
-       auto\-dnssec ( allow | maintain | off );
+       auto\-dnssec ( allow | maintain | off ); // deprecated
        check\-dup\-records ( fail | warn | ignore );
        check\-integrity <boolean>;
        check\-mx ( fail | warn | ignore );
@@ -747,7 +747,7 @@ zone <string> [ <class> ] {
        also\-notify [ port <integer> ] [ dscp <integer> ] { ( <remote\-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
        alt\-transfer\-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
        alt\-transfer\-source\-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
-       auto\-dnssec ( allow | maintain | off );
+       auto\-dnssec ( allow | maintain | off ); // deprecated
        check\-names ( fail | warn | ignore );
        database <string>;
        dialup ( notify | notify\-passive | passive | refresh | <boolean> );

diff --git a/doc/misc/options b/doc/misc/options
index 23d82d6c14bcf6c3b62e154107ed6f3f928f28fe..7b427a5bd4d79e1a73fc1b97dbee9b59fc0cfb23 100644 (file)
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -75,7 +75,7 @@ options {
        answer-cookie <boolean>;
        attach-cache <string>;
        auth-nxdomain <boolean>;
-       auto-dnssec ( allow | maintain | off );
+       auto-dnssec ( allow | maintain | off ); // deprecated
        automatic-interface-scan <boolean>;
        avoid-v4-udp-ports { <portrange>; ... };
        avoid-v6-udp-ports { <portrange>; ... };
@@ -389,7 +389,7 @@ view <string> [ <class> ] {
        alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
        attach-cache <string>;
        auth-nxdomain <boolean>;
-       auto-dnssec ( allow | maintain | off );
+       auto-dnssec ( allow | maintain | off ); // deprecated
        catalog-zones { zone <string> [ default-primaries [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... } ] [ zone-directory <quoted_string> ] [ in-memory <boolean> ] [ min-update-interval <duration> ]; ... };
        check-dup-records ( fail | warn | ignore );
        check-integrity <boolean>;

diff --git a/doc/misc/primary.zoneopt b/doc/misc/primary.zoneopt
index 6f90200fcf2c4168b0f3311cd9021f46d0e68b0b..12034f3b057824b5396e35b59471c2623fe86757 100644 (file)
--- a/doc/misc/primary.zoneopt
+++ b/doc/misc/primary.zoneopt
@@ -7,7 +7,7 @@ zone <string> [ <class> ] {
        also-notify [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
        alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
        alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
-       auto-dnssec ( allow | maintain | off );
+       auto-dnssec ( allow | maintain | off ); // deprecated
        check-dup-records ( fail | warn | ignore );
        check-integrity <boolean>;
        check-mx ( fail | warn | ignore );

diff --git a/doc/misc/secondary.zoneopt b/doc/misc/secondary.zoneopt
index ecb7b7b5d47a2ba73134df0826f75c16cd115e8b..dfeb63eee813c03462e90b7f0c3c9a936b9115ce 100644 (file)
--- a/doc/misc/secondary.zoneopt
+++ b/doc/misc/secondary.zoneopt
@@ -8,7 +8,7 @@ zone <string> [ <class> ] {
        also-notify [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
        alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
        alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
-       auto-dnssec ( allow | maintain | off );
+       auto-dnssec ( allow | maintain | off ); // deprecated
        check-names ( fail | warn | ignore );
        database <string>;
        dialup ( notify | notify-passive | passive | refresh | <boolean> );

diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index 8d9ac580e54c80cef3341b613c921f6f70a60eb1..857f2dd997bf823af5697d8c2849ad1d272d13ac 100644 (file)
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -3470,6 +3470,10 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
                res3 = cfg_map_get(zoptions, "auto-dnssec", &obj);
                if (res3 == ISC_R_SUCCESS) {
                        arg = cfg_obj_asstring(obj);
+                       cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
+                                   "'auto-dnssec' option is deprecated and "
+                                   "will be removed in BIND 9.19. Please "
+                                   "migrate to dnssec-policy");
                }
                if (strcasecmp(arg, "off") != 0) {
                        if (!ddns && !signing && !has_dnssecpolicy) {

diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index cd729bcca036f0e49b221d8e9765fb1452fcb56c..e1e31aa62dee8180540756237c87c40c294e0f18 100644 (file)
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -2245,7 +2245,7 @@ static cfg_clausedef_t zone_clauses[] = {
        { "alt-transfer-source-v6", &cfg_type_sockaddr6wild,
          CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR },
        { "auto-dnssec", &cfg_type_autodnssec,
-         CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY },
+         CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_CLAUSEFLAG_DEPRECATED },
        { "check-dup-records", &cfg_type_checkmode, CFG_ZONE_PRIMARY },
        { "check-integrity", &cfg_type_boolean, CFG_ZONE_PRIMARY },
        { "check-mx", &cfg_type_checkmode, CFG_ZONE_PRIMARY },