dnssec-dnskey-kskonly <replaceable>boolean</replaceable>;
dnssec-loadkeys-interval <replaceable>integer</replaceable>;
dnssec-lookaside ( <replaceable>string</replaceable> trust-anchor
- <replaceable>string</replaceable> | auto | no );
+ <replaceable>string</replaceable> | auto | no );, deprecated
dnssec-must-be-secure <replaceable>string</replaceable> <replaceable>boolean</replaceable>;
dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
dnssec-update-mode ( maintain | no-resign );
<replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>; ... };
dnssec-loadkeys-interval <replaceable>integer</replaceable>;
dnssec-lookaside ( <replaceable>string</replaceable> trust-anchor
- <replaceable>string</replaceable> | auto | no );
+ <replaceable>string</replaceable> | auto | no );, deprecated
dnssec-must-be-secure <replaceable>string</replaceable> <replaceable>boolean</replaceable>;
dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
dnssec-update-mode ( maintain | no-resign );
options {
dnssec-validation yes;
+ dnssec-lookaside . trust-anchor dlv.example.com;
};
trusted-keys {
view view4 {
match-clients { none; };
- dnssec-lookaside no;
};
view view5 {
1.2.3.4;
};
};
- dnssec-lookaside "." trust-anchor "example.org.";
dnssec-validation auto;
zone-statistics full;
};
echo_i "checking named-checkconf deprecate warnings ($n)"
ret=0
$CHECKCONF deprecated.conf > checkconf.out$n.1 2>&1
+grep "option 'dnssec-lookaside' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
grep "option 'managed-keys' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
grep "option 'trusted-keys' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
-echo_i "check that 'dnssec-lookaside . trust-anchor dlv.example.com;' does not generate a warning ($n)"
+echo_i "check that 'dnssec-lookaside . trust-anchor dlv.example.com;' generates only a deprecate warning ($n)"
ret=0
$CHECKCONF good-dlv-dlv.example.com.conf > checkconf.out$n 2>/dev/null || ret=1
-[ -s checkconf.out$n ] && ret=1
+lines=$(wc -l < checkconf.out$n)
+if [ $lines != 1 ]; then ret=1; fi
+grep "option 'dnssec-lookaside' is deprecated" < checkconf.out$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
status=`expr $status + $ret`
<userinput>no</userinput>, then dnssec-lookaside
is not used.
</para>
+ <para>
+ This option is deprecated and its use is discouraged.
+ </para>
<para>
NOTE: The ISC-provided DLV service at
<literal>dlv.isc.org</literal>, has been shut down.
<itemizedlist>
<listitem>
<para>
- The <command>dnssec-enable</command> option has been deprecated and
+ The <command>dnssec-enable</command> option has been obsoleted and
no longer has any effect. DNSSEC responses are always enabled
if signatures and other DNSSEC data are present. [GL #866]
</para>
removed. [GL !1731]
</para>
</listitem>
+ <listitem>
+ <para>
+ The <command>dnssec-lookaside</command> option has been deprecated.
+ The feature still works, but it is discouraged to use it. [GL #7]
+ </para>
+ </listitem>
</itemizedlist>
</section>
<command>dnssec-dnskey-kskonly</command> <replaceable>boolean</replaceable>;
<command>dnssec-loadkeys-interval</command> <replaceable>integer</replaceable>;
<command>dnssec-lookaside</command> ( <replaceable>string</replaceable> trust-anchor
- <replaceable>string</replaceable> | auto | no );
+ <replaceable>string</replaceable> | auto | no );, deprecated
<command>dnssec-must-be-secure</command> <replaceable>string</replaceable> <replaceable>boolean</replaceable>;
<command>dnssec-secure-to-insecure</command> <replaceable>boolean</replaceable>;
<command>dnssec-update-mode</command> ( maintain | no-resign );
dnssec-enable <boolean>; // obsolete
dnssec-loadkeys-interval <integer>;
dnssec-lookaside ( <string> trust-anchor
- <string> | auto | no ); // may occur multiple times
+ <string> | auto | no ); // may occur multiple times, deprecated
dnssec-must-be-secure <string> <boolean>; // may occur multiple times
dnssec-secure-to-insecure <boolean>;
dnssec-update-mode ( maintain | no-resign );
<integer> <quoted_string>; ... }; // may occur multiple times
dnssec-loadkeys-interval <integer>;
dnssec-lookaside ( <string> trust-anchor
- <string> | auto | no ); // may occur multiple times
+ <string> | auto | no ); // may occur multiple times, deprecated
dnssec-must-be-secure <string> <boolean>; // may occur multiple times
dnssec-secure-to-insecure <boolean>;
dnssec-update-mode ( maintain | no-resign );
#endif
{ "dnssec-accept-expired", &cfg_type_boolean, 0 },
{ "dnssec-enable", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
- { "dnssec-lookaside", &cfg_type_lookaside, CFG_CLAUSEFLAG_MULTI },
+ { "dnssec-lookaside", &cfg_type_lookaside,
+ CFG_CLAUSEFLAG_MULTI|CFG_CLAUSEFLAG_DEPRECATED },
{ "dnssec-must-be-secure", &cfg_type_mustbesecure,
CFG_CLAUSEFLAG_MULTI },
{ "dnssec-validation", &cfg_type_boolorauto, 0 },
projects / thirdparty / bind9.git / commitdiff
