Deprecate 'dnssec-must-be-secure' option

The dnssec-must-be-secure feature was added in the early days of BIND 9
and DNSSEC and it makes sense only as a debugging feature.

Remove the feature to simplify the code.

diff --git a/bin/tests/system/checkconf/deprecated.conf b/bin/tests/system/checkconf/deprecated.conf
index bdda4c80c09f86e8dfb12efc8cf5cb8526bd18c4..15d719d6a449d75ec55ad6701c2fc49519d3534e 100644 (file)
--- a/bin/tests/system/checkconf/deprecated.conf
+++ b/bin/tests/system/checkconf/deprecated.conf
@@ -26,6 +26,8 @@ options {
        use-v6-udp-ports { range 1024 65535; };
        avoid-v4-udp-ports { range 1 1023; };
        avoid-v6-udp-ports { range 1 1023; };
+
+       dnssec-must-be-secure mustbesecure.example yes;
 };
 
 trusted-keys {

diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh
index 94a1d3a7f3ff7a938e0289053e03fbcbc764be28..464879c975ec9b1a66e586135d22da027d6343ca 100644 (file)
--- a/bin/tests/system/checkconf/tests.sh
+++ b/bin/tests/system/checkconf/tests.sh
@@ -155,6 +155,7 @@ grep "option 'avoid-v4-udp-ports' is deprecated" < checkconf.out$n.1 > /dev/null
 grep "option 'avoid-v6-udp-ports' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
 grep "option 'dialup' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
 grep "option 'heartbeat-interval' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
+grep "option 'dnssec-must-be-secure' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
 grep "token 'port' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
 status=$((status + ret))

diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
index 065f05ccce589fd934a7e981f3cdf0717bf64d5e..1c2c3d4e105f834c9758f43cb28925d2c172eab8 100644 (file)
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@@ -1654,9 +1654,11 @@ default is used.
    :any:`disable-ds-digests` are treated as insecure.
 
 .. namedconf:statement:: dnssec-must-be-secure
-   :tags: dnssec
+   :tags: deprecated
    :short: Defines hierarchies that must or may not be secure (signed and validated).
 
+   This option is deprecated and will be removed in a future release.
+
    This specifies hierarchies which must be or may not be secure (signed and
    validated). If ``yes``, then :iscman:`named` only accepts answers if
    they are secure. If ``no``, then normal DNSSEC validation applies,

diff --git a/doc/misc/options b/doc/misc/options
index edb8e862909bd16644c69d372f5eefa8c0ac8f43..c01314b7899e5600e63c5106b585cf7616b47952 100644 (file)
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -118,7 +118,7 @@ options {
        dnssec-accept-expired <boolean>;
        dnssec-dnskey-kskonly <boolean>; // obsolete
        dnssec-loadkeys-interval <integer>;
-       dnssec-must-be-secure <string> <boolean>; // may occur multiple times
+       dnssec-must-be-secure <string> <boolean>; // may occur multiple times, deprecated
        dnssec-policy <string>;
        dnssec-secure-to-insecure <boolean>; // obsolete
        dnssec-update-mode ( maintain | no-resign ); // obsolete
@@ -416,7 +416,7 @@ view <string> [ <class> ] {
        dnssec-accept-expired <boolean>;
        dnssec-dnskey-kskonly <boolean>; // obsolete
        dnssec-loadkeys-interval <integer>;
-       dnssec-must-be-secure <string> <boolean>; // may occur multiple times
+       dnssec-must-be-secure <string> <boolean>; // may occur multiple times, deprecated
        dnssec-policy <string>;
        dnssec-secure-to-insecure <boolean>; // obsolete
        dnssec-update-mode ( maintain | no-resign ); // obsolete

diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index 97ed56c515234f54fe27b344bac47c58691254d2..afe4f5fabd193fc5c0eeb9bf2d0450132f3d2cc6 100644 (file)
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -2056,7 +2056,7 @@ static cfg_clausedef_t view_clauses[] = {
        { "dnssec-lookaside", NULL,
          CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_ANCIENT },
        { "dnssec-must-be-secure", &cfg_type_mustbesecure,
-         CFG_CLAUSEFLAG_MULTI },
+         CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_DEPRECATED },
        { "dnssec-validation", &cfg_type_boolorauto, 0 },
 #ifdef HAVE_DNSTAP
        { "dnstap", &cfg_type_dnstap, 0 },