From: Matthijs Mekking
Date: Mon, 7 Nov 2022 13:40:28 +0000 (+0100)
Subject: Obsolete dnssec-secure-to-insecure option
X-Git-Tag: v9.19.8~51^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f71a6692db904b610a825efee89de8ded955b253;p=thirdparty%2Fbind9.git

Obsolete dnssec-secure-to-insecure option

Now that the key management operations using dynamic updates feature has been removed, the 'dnssec-secure-to-insecure' option has become obsoleted.
---
diff --git a/bin/named/config.c b/bin/named/config.c
index 2524263c999..e2b5006c565 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -223,7 +223,6 @@ options {\n\
 dialup no;\n\
 dnssec-dnskey-kskonly yes;\n\
 dnssec-loadkeys-interval 60;\n\
- dnssec-secure-to-insecure no;\n\
 dnssec-update-mode maintain;\n\
 # forward \n\
 # forwarders \n\
diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
index 33d9098c7f6..630fb36aa6f 100644
--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@@ -1813,13 +1813,6 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 dns_zone_setoption(mayberaw, DNS_ZONEOPT_IGNORESRVCNAME, ignore);
- obj = NULL;
- result = named_config_get(maps, "dnssec-secure-to-insecure",
- &obj);
- INSIST(result == ISC_R_SUCCESS && obj != NULL);
- dns_zone_setoption(mayberaw, DNS_ZONEOPT_SECURETOINSECURE,
- cfg_obj_asboolean(obj));
-
 obj = NULL;
 result = cfg_map_get(zoptions, "dnssec-update-mode", &obj);
 if (result == ISC_R_SUCCESS) {
diff --git a/bin/tests/system/checkconf/kasp-and-other-dnssec-options.conf b/bin/tests/system/checkconf/kasp-and-other-dnssec-options.conf
index b67a0e1d9a5..57dd6adfe06 100644
--- a/bin/tests/system/checkconf/kasp-and-other-dnssec-options.conf
+++ b/bin/tests/system/checkconf/kasp-and-other-dnssec-options.conf
@@ -20,7 +20,6 @@ zone "nsec3.net" {
 auto-dnssec maintain;
 dnskey-sig-validity 3600;
 dnssec-dnskey-kskonly yes;
- dnssec-secure-to-insecure yes;
 dnssec-update-mode maintain;
 inline-signing no;
 sig-validity-interval 3600;
diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh
index 8317876981f..d4aa341cb90 100644
--- a/bin/tests/system/checkconf/tests.sh
+++ b/bin/tests/system/checkconf/tests.sh
@@ -498,7 +498,6 @@ grep "'inline-signing yes;' must also be configured explicitly for zones using d
 grep "'auto-dnssec maintain;' cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
 grep "dnskey-sig-validity: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
 grep "dnssec-dnskey-kskonly: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
-grep "dnssec-secure-to-insecure: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
 grep "dnssec-update-mode: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
 grep "sig-validity-interval: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
 grep "update-check-ksk: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
index 4459e78f2e9..419e1b8bc2d 100644
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@@ -2842,23 +2842,10 @@ Boolean Options
 .. namedconf:statement:: dnssec-secure-to-insecure
 :tags: dnssec
- :short: Allows a dynamic zone to transition from secure to insecure by deleting all DNSKEY records.
-
- This allows a dynamic zone to transition from secure to insecure (i.e.,
- signed to unsigned) by deleting all of the DNSKEY records. The
- default is ``no``. If set to ``yes``, and if the DNSKEY RRset at the
- zone apex is deleted, all RRSIG and NSEC records are removed from
- the zone as well.
-
- If the zone uses NSEC3, it is also necessary to delete the
- NSEC3PARAM RRset from the zone apex; this causes the removal of
- all corresponding NSEC3 records. (It is expected that this
- requirement will be eliminated in a future release.)
-
- Note that if a zone has been configured with ``auto-dnssec maintain``
- and the private keys remain accessible in the key repository,
- the zone will be automatically signed again the next time :iscman:`named`
- is started.
+ :short: Allows a dynamic zone to transition from secure to insecure by deleting all DNSKEY records (obsoleted).
+
+ This option used to allow a dynamic zone to transition from secure to insecure by deleting all DNSKEY records.
+ It has been obsoleted because DNSSEC key operations triggered by dynamic updates are no longer supported.
 .. namedconf:statement:: synth-from-dnssec
 :tags: dnssec
diff --git a/doc/man/named.conf.5in b/doc/man/named.conf.5in
index 6831f2b329b..b110355210d 100644
--- a/doc/man/named.conf.5in
+++ b/doc/man/named.conf.5in
@@ -179,7 +179,7 @@ options {
 dnssec\-loadkeys\-interval ;
 dnssec\-must\-be\-secure ; // may occur multiple times
 dnssec\-policy ;
- dnssec\-secure\-to\-insecure ;
+ dnssec\-secure\-to\-insecure ; // obsolete
 dnssec\-update\-mode ( maintain | no\-resign );
 dnssec\-validation ( yes | no | auto );
 dnstap { ( all | auth | client | forwarder | resolver | update ) [ ( query | response ) ]; ... }; // not configured
@@ -487,7 +487,7 @@ view [ ] {
 dnssec\-loadkeys\-interval ;
 dnssec\-must\-be\-secure ; // may occur multiple times
 dnssec\-policy ;
- dnssec\-secure\-to\-insecure ;
+ dnssec\-secure\-to\-insecure ; // obsolete
 dnssec\-update\-mode ( maintain | no\-resign );
 dnssec\-validation ( yes | no | auto );
 dnstap { ( all | auth | client | forwarder | resolver | update ) [ ( query | response ) ]; ... }; // not configured
@@ -691,7 +691,7 @@ zone [ ] {
 dnssec\-dnskey\-kskonly ;
 dnssec\-loadkeys\-interval ;
 dnssec\-policy ;
- dnssec\-secure\-to\-insecure ;
+ dnssec\-secure\-to\-insecure ; // obsolete
 dnssec\-update\-mode ( maintain | no\-resign );
 file ;
 forward ( first | only );
diff --git a/doc/misc/options b/doc/misc/options
index 00333ae2cfd..23d82d6c14b 100644
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -122,7 +122,7 @@ options {
 dnssec-loadkeys-interval ;
 dnssec-must-be-secure ; // may occur multiple times
 dnssec-policy ;
- dnssec-secure-to-insecure ;
+ dnssec-secure-to-insecure ; // obsolete
 dnssec-update-mode ( maintain | no-resign );
 dnssec-validation ( yes | no | auto );
 dnstap { ( all | auth | client | forwarder | resolver | update ) [ ( query | response ) ]; ... }; // not configured
@@ -430,7 +430,7 @@ view [ ] {
 dnssec-loadkeys-interval ;
 dnssec-must-be-secure ; // may occur multiple times
 dnssec-policy ;
- dnssec-secure-to-insecure ;
+ dnssec-secure-to-insecure ; // obsolete
 dnssec-update-mode ( maintain | no-resign );
 dnssec-validation ( yes | no | auto );
 dnstap { ( all | auth | client | forwarder | resolver | update ) [ ( query | response ) ]; ... }; // not configured
diff --git a/doc/misc/primary.zoneopt b/doc/misc/primary.zoneopt
index a3c38afc756..6f90200fcf2 100644
--- a/doc/misc/primary.zoneopt
+++ b/doc/misc/primary.zoneopt
@@ -25,7 +25,7 @@ zone [ ] {
 dnssec-dnskey-kskonly ;
 dnssec-loadkeys-interval ;
 dnssec-policy ;
- dnssec-secure-to-insecure ;
+ dnssec-secure-to-insecure ; // obsolete
 dnssec-update-mode ( maintain | no-resign );
 file ;
 forward ( first | only );
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index 99b41c051a3..8d9ac580e54 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -3524,15 +3524,6 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 result = ISC_R_FAILURE;
 }
- obj = NULL;
- res1 = cfg_map_get(zoptions, "dnssec-secure-to-insecure", &obj);
- if (res1 == ISC_R_SUCCESS && has_dnssecpolicy) {
- cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
- "dnssec-secure-to-insecure: cannot be "
- "configured if dnssec-policy is also set");
- result = ISC_R_FAILURE;
- }
-
 obj = NULL;
 res1 = cfg_map_get(zoptions, "dnssec-loadkeys-interval", &obj);
 if (res1 == ISC_R_SUCCESS && ztype == CFG_ZONE_SECONDARY &&
diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h
index ae84a5ff676..8cf4cc3aaaa 100644
--- a/lib/dns/include/dns/zone.h
+++ b/lib/dns/include/dns/zone.h
@@ -90,8 +90,8 @@ typedef enum {
 */
 DNS_ZONEOPT_NOTIFYTOSOA = 1 << 21, /*%< Notify the SOA MNAME */
 DNS_ZONEOPT_NSEC3TESTZONE = 1 << 22, /*%< nsec3-test-zone */
- DNS_ZONEOPT_SECURETOINSECURE = 1 << 23, /*%< dnssec-secure-to-insecure
- */
+ DNS_ZONEOPT_SECURETOINSECURE = 1 << 23, /*%< dnssec-secure-to-insecure,
+ * obsoleted */
 DNS_ZONEOPT_DNSKEYKSKONLY = 1 << 24, /*%< dnssec-dnskey-kskonly */
 DNS_ZONEOPT_CHECKDUPRR = 1 << 25, /*%< check-dup-records */
 DNS_ZONEOPT_CHECKDUPRRFAIL = 1 << 26, /*%< fatal check-dup-records
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index 63bc80a89f3..cd729bcca03 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
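Review bot: Within this diff nothing sets `DNS_ZONEOPT_SECURETOINSECURE` any more (the dns_zone_setoption call in bin/named/zoneconf.c is removed) and nothing reads it (the ALLOW_SECURE_TO_INSECURE macro in lib/ns/update.c is removed), so the `1 << 23` bit is dead and the new comment should say why it is retained rather than just that the option is obsoleted. I would make that explicit so a later option does not silently inherit the value, e.g. `/*%< dnssec-secure-to-insecure (obsolete); bit kept to preserve the option layout, do not reuse */`. Whether any code outside this diff still tests the bit cannot be seen here, and the enclosing typedef enum starts before the hunk.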
@@ -2263,7 +2263,8 @@ static cfg_clausedef_t zone_clauses[] = {
 CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY },
 { "dnssec-policy", &cfg_type_astring,
 CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY },
- { "dnssec-secure-to-insecure", &cfg_type_boolean, CFG_ZONE_PRIMARY },
+ { "dnssec-secure-to-insecure", &cfg_type_boolean,
+ CFG_ZONE_PRIMARY | CFG_CLAUSEFLAG_OBSOLETE },
 { "dnssec-update-mode", &cfg_type_dnssecupdatemode,
 CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY },
 { "forward", &cfg_type_forwardtype,
diff --git a/lib/ns/update.c b/lib/ns/update.c
index 1d98ff379bb..274f4379640 100644
--- a/lib/ns/update.c
+++ b/lib/ns/update.c
@@ -3392,22 +3392,8 @@ update_action(isc_task_t *task, isc_event_t *event) {
 CHECK(rrset_exists(db, ver, zonename, dns_rdatatype_dnskey, 0,
 &has_dnskey));
-#define ALLOW_SECURE_TO_INSECURE(zone) \
- ((dns_zone_getoptions(zone) & DNS_ZONEOPT_SECURETOINSECURE) != 0)
-
 CHECK(rrset_exists(db, oldver, zonename, dns_rdatatype_dnskey, 0,
 &had_dnskey));
- if (!ALLOW_SECURE_TO_INSECURE(zone)) {
- if (had_dnskey && !has_dnskey) {
- update_log(client, zone, LOGLEVEL_PROTOCOL,
- "update rejected: all DNSKEY "
- "records removed and "
- "'dnssec-secure-to-insecure' "
- "not set");
- result = DNS_R_REFUSED;
- goto failure;
- }
- }
 CHECK(rollback_private(db, privatetype, ver, &diff));
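Review bot: The `dnssec-secure-to-insecure` entry keeps `cfg_type_boolean` and `CFG_ZONE_PRIMARY`, so an existing `dnssec-secure-to-insecure yes;` in a primary zone still parses and, presumably, is reported only through the `CFG_CLAUSEFLAG_OBSOLETE` path instead of being rejected, yet nothing in this commit exercises that path. The checkconf test in bin/tests/system/checkconf/tests.sh only loses its grep for the dnssec-policy conflict message and the kasp-and-other-dnssec-options.conf fixture drops the option altogether, so there is no test that named-checkconf accepts an old config containing the clause and emits the obsolete diagnostic. I would add a small checkconf case that still contains the clause plus a grep for the parser's obsolete-option message, e.g. `grep "dnssec-secure-to-insecure" < checkconf.out$n > /dev/null || ret=1`, tightened to the exact warning text named-checkconf prints.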
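Review bot: With the `had_dnskey && !has_dnskey` refusal removed after the `&had_dnskey));` lookup, a dynamic update that deletes every apex DNSKEY of a signed zone is no longer rejected at this point, whereas the old code refused it by default unless the operator had opted in with `dnssec-secure-to-insecure yes`. Unless a check later in update_action (the function runs past the end of this hunk) still catches it, a client that update-policy allows to modify the apex can strip the DNSKEY RRset while the RRSIGs, NSEC/NSEC3 records and the parent DS remain, which turns the zone bogus for every validating resolver. If that case is now handled elsewhere, a one-line comment at the lookup saying where would help the next reader; if it is not, I would keep the refusal unconditionally, as below. Both `rrset_exists` lookups are retained but the only visible reader of `had_dnskey`/`has_dnskey` is removed, so if nothing after the hunk reads them the lookups are dead and may draw unused-variable warnings.
```c
			   &had_dnskey));
	/*
	 * Deleting the entire apex DNSKEY RRset through a dynamic update is
	 * no longer a supported way to go insecure; refuse it outright.
	 */
	if (had_dnskey && !has_dnskey) {
		update_log(client, zone, LOGLEVEL_PROTOCOL,
			   "update rejected: all DNSKEY records removed");
		result = DNS_R_REFUSED;
		goto failure;
	}
	/* … unchanged: rollback_private call … */
```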