From: Michał Kępień
Date: Mon, 1 Sep 2025 19:35:33 +0000 (+0200)
Subject: Obsolete the "tkey-domain" statement
X-Git-Tag: v9.21.12~11^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=805f1c0f6539dae29d11799af2de4f8ab2a02a98;p=thirdparty%2Fbind9.git

Obsolete the "tkey-domain" statement

The "tkey-domain" statement has effectively been a no-op since commit bd4576b3cef88bcb78ae0dd7619019be4fdfb2ea, which removed the only bit of code using it: the logic implementing TKEY Mode 2 (Diffie-Hellman). A subsequent cleanup commit, 885c132f4ae6d895ee973648e15d9e61d01555a8, also missed the opportunity to remove the "tkey-domain" statement altogether.

Mark the "tkey-domain" statement as obsolete and remove all code and documentation related to it.
---
diff --git a/bin/named/config.c b/bin/named/config.c
index 380c8ebc51f..b6718a4cef2 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -127,7 +127,6 @@ options {\n\
 tcp-primaries-timeout 150;\n\
 tcp-receive-buffer 0;\n\
 tcp-send-buffer 0;\n\
-# tkey-domain \n\
 # tkey-gssapi-credential \n\
 transfer-message-size 20480;\n\
 transfers-in 10;\n\
diff --git a/bin/named/tkeyconf.c b/bin/named/tkeyconf.c
index 569a7873e97..564c5affacc 100644
--- a/bin/named/tkeyconf.c
+++ b/bin/named/tkeyconf.c
@@ -55,19 +55,6 @@ named_tkeyctx_fromconfig(const cfg_obj_t *options, isc_mem_t *mctx,
 dns_tkeyctx_create(mctx, &tctx);
- obj = NULL;
- result = cfg_map_get(options, "tkey-domain", &obj);
- if (result == ISC_R_SUCCESS) {
- s = cfg_obj_asstring(obj);
- isc_buffer_constinit(&b, s, strlen(s));
- isc_buffer_add(&b, strlen(s));
- name = dns_fixedname_initname(&fname);
- RETERR(dns_name_fromtext(name, &b, dns_rootname, 0));
- tctx->domain = isc_mem_get(mctx, sizeof(dns_name_t));
- dns_name_init(tctx->domain);
- dns_name_dup(name, mctx, tctx->domain);
- }
-
 obj = NULL;
 result = cfg_map_get(options, "tkey-gssapi-credential", &obj);
 if (result == ISC_R_SUCCESS) {
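Review bot: The locals the removed block relied on — `s`, `b`, `fname` and `name` — may now be unused in named_tkeyctx_fromconfig unless the surviving `tkey-gssapi-credential` branch (whose body continues past the hunk) still parses its value into a name the same way; if they are now dead, their declarations above the hunk should go too, before -Wunused-variable becomes a failure under -Werror. The function starts and ends outside the hunk, so this cannot be confirmed from the diff alone. A build with the project's warning flags would settle it.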
diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
index 9e4990f3459..f79eb595208 100644
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@@ -1462,24 +1462,7 @@ default is used.
 principal which the server can acquire through the default system key file, normally ``/etc/krb5.keytab``. The location of the keytab file can be overridden using the :any:`tkey-gssapi-keytab` option. Normally this
- principal is of the form ``DNS/server.domain``. To use
- GSS-TSIG, :any:`tkey-domain` must also be set if a specific keytab is
- not set with :any:`tkey-gssapi-keytab`.
-
-.. namedconf:statement:: tkey-domain
- :tags: security
- :short: Sets the domain appended to the names of all shared keys generated with ``TKEY``.
-
- This domain is appended to the names of all shared keys generated with
- ``TKEY``. When a client requests a ``TKEY`` exchange, it may or may
- not specify the desired name for the key. If present, the name of the
- shared key is ``client-specified part`` + :any:`tkey-domain`.
- Otherwise, the name of the shared key is ``random hex digits``
- + :any:`tkey-domain`. In most cases, the ``domainname``
- should be the server's domain name, or an otherwise nonexistent
- subdomain like ``_tkey.domainname``. If using GSS-TSIG,
- this variable must be defined, unless a specific keytab
- is indicated using :any:`tkey-gssapi-keytab`.
+ principal is of the form ``DNS/server.domain``.

.. namedconf:statement:: dump-file
 :tags: logging
diff --git a/doc/misc/options b/doc/misc/options
index b05e7f26078..0c80800b58b 100644
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -302,7 +302,7 @@ options {
 tcp-primaries-timeout ;
 tcp-receive-buffer ;
 tcp-send-buffer ;
- tkey-domain ;
+ tkey-domain ; // obsolete
 tkey-gssapi-credential ; // deprecated
 tkey-gssapi-keytab ;
 tls-port ;
diff --git a/lib/dns/include/dns/tkey.h b/lib/dns/include/dns/tkey.h
index 8b9c76f28d7..e580f860973 100644
--- a/lib/dns/include/dns/tkey.h
+++ b/lib/dns/include/dns/tkey.h
@@ -31,7 +31,6 @@
 #define DNS_TKEYMODE_DELETE 5
 struct dns_tkeyctx {
- dns_name_t *domain;
 dns_gss_cred_id_t gsscred;
 isc_mem_t *mctx;
 char *gssapi_keytab;
diff --git a/lib/dns/tkey.c b/lib/dns/tkey.c
index cec72ac442d..e5857c5bfec 100644
--- a/lib/dns/tkey.c
+++ b/lib/dns/tkey.c
@@ -100,12 +100,6 @@ dns_tkeyctx_destroy(dns_tkeyctx_t **tctxp) {
 *tctxp = NULL;
 mctx = tctx->mctx;
- if (tctx->domain != NULL) {
- if (dns_name_dynamic(tctx->domain)) {
- dns_name_free(tctx->domain, mctx);
- }
- isc_mem_put(mctx, tctx->domain, sizeof(dns_name_t));
- }
 if (tctx->gssapi_keytab != NULL) {
 isc_mem_free(mctx, tctx->gssapi_keytab);
 }
@@ -434,21 +428,6 @@ dns_tkey_processquery(dns_message_t *msg, dns_tkeyctx_t *tctx,
 ring));
 break;
 case DNS_TKEYMODE_GSSAPI:
- /*
- * For non-delete operations we do this:
- *
- * if (qname != ".")
- * keyname = qname + defaultdomain
- * else
- * keyname = + defaultdomain
- */
- if (tctx->domain == NULL && tkeyin.mode != DNS_TKEYMODE_GSSAPI)
- {
- tkey_log("dns_tkey_processquery: tkey-domain not set");
- result = DNS_R_REFUSED;
- goto failure;
- }
-
 keyname = dns_fixedname_initname(&fkeyname);
 if (!dns_name_equal(qname, dns_rootname)) {
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index 711360d9923..8ec7607d7ae 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -1348,7 +1348,7 @@ static cfg_clausedef_t options_clauses[] = {
 { "tcp-receive-buffer", &cfg_type_uint32, 0 },
 { "tcp-send-buffer", &cfg_type_uint32, 0 },
 { "tkey-dhkey", NULL, CFG_CLAUSEFLAG_ANCIENT },
-{ "tkey-domain", &cfg_type_qstring, 0 },
+{ "tkey-domain", &cfg_type_qstring, CFG_CLAUSEFLAG_OBSOLETE },
 { "tkey-gssapi-credential", &cfg_type_qstring, CFG_CLAUSEFLAG_DEPRECATED },
 { "tkey-gssapi-keytab", &cfg_type_qstring, 0 },
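Review bot: The comment block deleted at the top of `case DNS_TKEYMODE_GSSAPI:` in dns_tkey_processquery was the only description of how `keyname` is derived, and the code that copies it from `qname` or generates one when `qname` is "." now runs past the end of the hunk with no explanation left; a one-line replacement above `keyname = dns_fixedname_initname(&fkeyname);` such as `/* keyname is the client's qname, or a generated name when qname is "." */` would keep that intent visible — confirm the wording against the else branch, which is outside the hunk. The guard dropped with it was dead code: inside this case arm `tkeyin.mode != DNS_TKEYMODE_GSSAPI` can never hold, assuming the switch head (outside the hunk) is on `tkeyin.mode` and no other case falls through into it, so removing it changes no behavior and is worth stating in the commit message. dns_tkey_processquery begins and ends outside the hunk.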