From: Ondřej Surý Date: Mon, 4 Sep 2023 11:08:48 +0000 (+0200) Subject: Deprecate 'dnssec-must-be-secure' option X-Git-Tag: v9.18.19~12^2~1 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=c9d6f0e400ea00de60e263aac294dfc848cc4f13;p=thirdparty%2Fbind9.git Deprecate 'dnssec-must-be-secure' option The dnssec-must-be-secure feature was added in the early days of BIND 9 and DNSSEC and it makes sense only as a debugging feature. Remove the feature to simplify the code. (cherry picked from commit 9e0b348a2b6a12da65d23ddb82fa0154a30f7111) --- diff --git a/bin/tests/system/checkconf/deprecated.conf b/bin/tests/system/checkconf/deprecated.conf index e332f6e4dda..bd6e0c2f1c1 100644 --- a/bin/tests/system/checkconf/deprecated.conf +++ b/bin/tests/system/checkconf/deprecated.conf @@ -18,8 +18,10 @@ server 1.2.3.4 { options { dnssec-validation yes; - dialup yes; - heartbeat-interval 60; + dialup yes; + heartbeat-interval 60; + + dnssec-must-be-secure mustbesecure.example yes; use-v4-udp-ports { range 1024 65535; }; use-v6-udp-ports { range 1024 65535; }; diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh index b3aca64c09b..8d82f926570 100644 --- a/bin/tests/system/checkconf/tests.sh +++ b/bin/tests/system/checkconf/tests.sh @@ -175,6 +175,7 @@ grep "option 'root-delegation-only' is deprecated" < checkconf.out$n.1 > /dev/nu grep "'type delegation-only' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 grep "option 'dialup' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 grep "option 'heartbeat-interval' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 +grep "option 'dnssec-must-be-secure' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 grep "token 'port' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status + ret)) diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index 0f6758ec69e..02f111e513c 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst @@ -1722,9 +1722,11 @@ default is used. :any:`disable-ds-digests` are treated as insecure. .. namedconf:statement:: dnssec-must-be-secure - :tags: dnssec + :tags: deprecated :short: Defines hierarchies that must or may not be secure (signed and validated). + This option is deprecated and will be removed in a future release. + This specifies hierarchies which must be or may not be secure (signed and validated). If ``yes``, then :iscman:`named` only accepts answers if they are secure. If ``no``, then normal DNSSEC validation applies, diff --git a/doc/misc/options b/doc/misc/options index 017f1a5c969..e19261f1120 100644 --- a/doc/misc/options +++ b/doc/misc/options @@ -119,7 +119,7 @@ options { dnssec-accept-expired ; dnssec-dnskey-kskonly ; dnssec-loadkeys-interval ; - dnssec-must-be-secure ; // may occur multiple times + dnssec-must-be-secure ; // may occur multiple times, deprecated dnssec-policy ; dnssec-secure-to-insecure ; dnssec-update-mode ( maintain | no-resign ); @@ -428,7 +428,7 @@ view [ ] { dnssec-accept-expired ; dnssec-dnskey-kskonly ; dnssec-loadkeys-interval ; - dnssec-must-be-secure ; // may occur multiple times + dnssec-must-be-secure ; // may occur multiple times, deprecated dnssec-policy ; dnssec-secure-to-insecure ; dnssec-update-mode ( maintain | no-resign ); diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c index 918d3c0a94e..4e4c0980730 100644 --- a/lib/isccfg/namedconf.c +++ b/lib/isccfg/namedconf.c @@ -2068,7 +2068,7 @@ static cfg_clausedef_t view_clauses[] = { { "dnssec-lookaside", NULL, CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_ANCIENT }, { "dnssec-must-be-secure", &cfg_type_mustbesecure, - CFG_CLAUSEFLAG_MULTI }, + CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_DEPRECATED }, { "dnssec-validation", &cfg_type_boolorauto, 0 }, #ifdef HAVE_DNSTAP { "dnstap", &cfg_type_dnstap, 0 },