ComputerSurge/bind9
3
0
Fork 0
Code Pull Requests 1 Activity

Deprecate 'dnssec-must-be-secure' option

Browse Source 
The dnssec-must-be-secure feature was added in the early days of BIND 9
and DNSSEC and it makes sense only as a debugging feature.

Remove the feature to simplify the code.
This commit is contained in:
Ondřej Surý
2023-09-04 13:08:48 +02:00
parent eac0a4b3ed
commit 9e0b348a2b
5 changed files with 9 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
bin/tests/system/checkconf/deprecated.conf
View File

@@ -26,6 +26,8 @@ options {
use-v6-udp-ports { range 1024 65535; };
avoid-v4-udp-ports { range 1 1023; };
avoid-v6-udp-ports { range 1 1023; };
dnssec-must-be-secure mustbesecure.example yes;
};
trusted-keys {

1
bin/tests/system/checkconf/tests.sh
View File

@@ -155,6 +155,7 @@ grep "option 'avoid-v4-udp-ports' is deprecated" < checkconf.out$n.1 > /dev/null
grep "option 'avoid-v6-udp-ports' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
grep "option 'dialup' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
grep "option 'heartbeat-interval' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
grep "option 'dnssec-must-be-secure' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
grep "token 'port' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))

4
doc/arm/reference.rst
View File

@@ -1654,9 +1654,11 @@ default is used.
:any:`disable-ds-digests` are treated as insecure.
.. namedconf:statement:: dnssec-must-be-secure
:tags: dnssec
:tags: deprecated
:short: Defines hierarchies that must or may not be secure (signed and validated).
This option is deprecated and will be removed in a future release.
This specifies hierarchies which must be or may not be secure (signed and
validated). If ``yes``, then :iscman:`named` only accepts answers if
they are secure. If ``no``, then normal DNSSEC validation applies,

4
doc/misc/options
View File

@@ -118,7 +118,7 @@ options {
dnssec-accept-expired <boolean>;
dnssec-dnskey-kskonly <boolean>; // obsolete
dnssec-loadkeys-interval <integer>;
dnssec-must-be-secure <string> <boolean>; // may occur multiple times
dnssec-must-be-secure <string> <boolean>; // may occur multiple times, deprecated
dnssec-policy <string>;
dnssec-secure-to-insecure <boolean>; // obsolete
dnssec-update-mode ( maintain | no-resign ); // obsolete
@@ -416,7 +416,7 @@ view <string> [ <class> ] {
dnssec-accept-expired <boolean>;
dnssec-dnskey-kskonly <boolean>; // obsolete
dnssec-loadkeys-interval <integer>;
dnssec-must-be-secure <string> <boolean>; // may occur multiple times
dnssec-must-be-secure <string> <boolean>; // may occur multiple times, deprecated
dnssec-policy <string>;
dnssec-secure-to-insecure <boolean>; // obsolete
dnssec-update-mode ( maintain | no-resign ); // obsolete

2
lib/isccfg/namedconf.c
View File

@@ -2056,7 +2056,7 @@ static cfg_clausedef_t view_clauses[] = {
{ "dnssec-lookaside", NULL,
CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_ANCIENT },
{ "dnssec-must-be-secure", &cfg_type_mustbesecure,
CFG_CLAUSEFLAG_MULTI },
CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_DEPRECATED },
{ "dnssec-validation", &cfg_type_boolorauto, 0 },
#ifdef HAVE_DNSTAP
{ "dnstap", &cfg_type_dnstap, 0 },