From: Michał Kępień Date: Mon, 1 Sep 2025 19:23:30 +0000 (+0200) Subject: Deprecate the "tkey-gssapi-credential" statement X-Git-Tag: v9.21.12~12^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6de435c5285b7b87321064752aab3e3178d9448f;p=thirdparty%2Fbind9.git Deprecate the "tkey-gssapi-credential" statement The "tkey-gssapi-keytab" statement enables GSS-TSIG to be set up in a simpler and more reliable way than using the "tkey-gssapi-credential" statement and setting environment variables (e.g. KRB5_KTNAME). Mark the "tkey-gssapi-credential" statement as deprecated to eventually only have one method for setting up GSS-TSIG in named. Do not mention "tkey-gssapi-credential" in the section of the ARM on dynamic updates. --- diff --git a/doc/arm/advanced.inc.rst b/doc/arm/advanced.inc.rst index 5ebb6a3dc9c..34665fc444c 100644 --- a/doc/arm/advanced.inc.rst +++ b/doc/arm/advanced.inc.rst @@ -31,11 +31,10 @@ are permitted for the key ``local-ddns``, which is generated by :iscman:`named` at startup. See :ref:`dynamic_update_policies` for more details. Dynamic updates using Kerberos-signed requests can be made using the -TKEY/GSS protocol, either by setting the :any:`tkey-gssapi-keytab` option -or by setting both the :any:`tkey-gssapi-credential` and -:any:`tkey-domain` options. Once enabled, Kerberos-signed requests are -matched against the update policies for the zone, using the Kerberos -principal as the signer for the request. +TKEY/GSS protocol, by setting the :any:`tkey-gssapi-keytab` option. +Once enabled, Kerberos-signed requests are matched against the update +policies for the zone, using the Kerberos principal as the signer for +the request. Updating of secure zones (zones using DNSSEC) follows :rfc:`3007`: RRSIG, NSEC, and NSEC3 records affected by updates are automatically regenerated diff --git a/doc/misc/options b/doc/misc/options index 01b000e6cc3..b05e7f26078 100644 --- a/doc/misc/options +++ b/doc/misc/options 
@@ -303,7 +303,7 @@ options { tcp-receive-buffer ; tcp-send-buffer ; tkey-domain ; - tkey-gssapi-credential ; + tkey-gssapi-credential ; // deprecated tkey-gssapi-keytab ; tls-port ; transfer-format ( many-answers | one-answer ); diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c index 6c7469e46d3..711360d9923 100644 --- a/lib/isccfg/namedconf.c +++ b/lib/isccfg/namedconf.c @@ -1349,7 +1349,8 @@ static cfg_clausedef_t options_clauses[] = { { "tcp-send-buffer", &cfg_type_uint32, 0 }, { "tkey-dhkey", NULL, CFG_CLAUSEFLAG_ANCIENT }, { "tkey-domain", &cfg_type_qstring, 0 }, - { "tkey-gssapi-credential", &cfg_type_qstring, 0 }, + { "tkey-gssapi-credential", &cfg_type_qstring, + CFG_CLAUSEFLAG_DEPRECATED }, { "tkey-gssapi-keytab", &cfg_type_qstring, 0 }, { "transfer-message-size", &cfg_type_uint32, 0 }, { "transfers-in", &cfg_type_uint32, 0 },
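Review bot: in the doc/arm/advanced.inc.rst hunk, the rewritten sentence keeps the comma left over from the old "either ... or" construction ("TKEY/GSS protocol, by setting the :any:`tkey-gssapi-keytab` option."), and it now reads as a stray pause. Suggest dropping it so the sentence reads "can be made using the TKEY/GSS protocol by setting the :any:`tkey-gssapi-keytab` option." The same hunk also removes this paragraph's only mention of :any:`tkey-domain`, so a sentence saying whether that option still plays a role with the keytab method would keep readers with existing configurations from guessing.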
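Review bot: in the lib/isccfg/namedconf.c hunk, only "tkey-gssapi-credential" gains CFG_CLAUSEFLAG_DEPRECATED while "tkey-domain" on the line above stays at 0, although the ARM text removed in the first hunk described the two as being set together. Please state in the commit message whether "tkey-domain" is intentionally left undeprecated. Also, none of the visible hunks adds a release note or a check that a configuration using "tkey-gssapi-credential" still loads with a deprecation warning; both would help operators who currently rely on KRB5_KTNAME notice the change before the statement is removed.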