The dnssec-must-be-secure feature was added in the early days of BIND 9
and DNSSEC and it makes sense only as a debugging feature.
Remove the feature to simplify the code.
(cherry picked from commit 9e0b348a2b6a12da65d23ddb82fa0154a30f7111)
options {
dnssec-validation yes;
- dialup yes;
- heartbeat-interval 60;
+ dialup yes;
+ heartbeat-interval 60;
+
+ dnssec-must-be-secure mustbesecure.example yes;
use-v4-udp-ports { range 1024 65535; };
use-v6-udp-ports { range 1024 65535; };
grep "'type delegation-only' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
grep "option 'dialup' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
grep "option 'heartbeat-interval' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
+grep "option 'dnssec-must-be-secure' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
grep "token 'port' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))
:any:`disable-ds-digests` are treated as insecure.
.. namedconf:statement:: dnssec-must-be-secure
- :tags: dnssec
+ :tags: deprecated
:short: Defines hierarchies that must or may not be secure (signed and validated).
+ This option is deprecated and will be removed in a future release.
+
This specifies hierarchies which must be or may not be secure (signed and
validated). If ``yes``, then :iscman:`named` only accepts answers if
they are secure. If ``no``, then normal DNSSEC validation applies,
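Review bot: The notice added under `dnssec-must-be-secure` says only that the option is deprecated and will be removed, with no reason and no guidance for operators who have it configured. Consider adding a sentence saying that it makes sense only as a debugging aid, as the commit message states, so readers know that normal DNSSEC validation is what they should rely on. Also check that replacing `:tags: dnssec` with `:tags: deprecated`, rather than keeping both, is intended, since the statement will no longer be listed under the dnssec tag.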
dnssec-accept-expired <boolean>;
dnssec-dnskey-kskonly <boolean>;
dnssec-loadkeys-interval <integer>;
- dnssec-must-be-secure <string> <boolean>; // may occur multiple times
+ dnssec-must-be-secure <string> <boolean>; // may occur multiple times, deprecated
dnssec-policy <string>;
dnssec-secure-to-insecure <boolean>;
dnssec-update-mode ( maintain | no-resign );
dnssec-accept-expired <boolean>;
dnssec-dnskey-kskonly <boolean>;
dnssec-loadkeys-interval <integer>;
- dnssec-must-be-secure <string> <boolean>; // may occur multiple times
+ dnssec-must-be-secure <string> <boolean>; // may occur multiple times, deprecated
dnssec-policy <string>;
dnssec-secure-to-insecure <boolean>;
dnssec-update-mode ( maintain | no-resign );
{ "dnssec-lookaside", NULL,
CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_ANCIENT },
{ "dnssec-must-be-secure", &cfg_type_mustbesecure,
- CFG_CLAUSEFLAG_MULTI },
+ CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_DEPRECATED },
{ "dnssec-validation", &cfg_type_boolorauto, 0 },
#ifdef HAVE_DNSTAP
{ "dnstap", &cfg_type_dnstap, 0 },
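Review bot: Adding `CFG_CLAUSEFLAG_DEPRECATED` to the `dnssec-must-be-secure` clause keeps the option in the grammar with `cfg_type_mustbesecure` and only flags it as deprecated, while the commit message says "Remove the feature to simplify the code". Reword the commit message for this change to say the option is being deprecated ahead of removal, so the log matches what the patch does.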