From b4429660dac3aa4e97e3a3658d8f3994777787ed Mon Sep 17 00:00:00 2001
From: Matthijs Mekking <matthijs@isc.org>
Date: Wed, 23 Nov 2022 08:13:25 +0100
Subject: [PATCH] Deprecate alt-transfer-source and companions

Deprecate the alternate transfer sources from BIND 8.

(cherry picked from commit 105465d3168acc417f8d319075f895cc8fc6c53a)
---
 doc/arm/reference.rst      |  6 +++---
 doc/man/named.conf.5in     | 30 +++++++++++++++---------------
 doc/misc/mirror.zoneopt    |  6 +++---
 doc/misc/options           | 12 ++++++------
 doc/misc/primary.zoneopt   |  4 ++--
 doc/misc/secondary.zoneopt |  6 +++---
 doc/misc/stub.zoneopt      |  2 +-
 lib/isccfg/namedconf.c     |  9 ++++++---
 8 files changed, 39 insertions(+), 36 deletions(-)

diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
index 4aa2b03d25..80eff78669 100644
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@@ -3576,7 +3576,7 @@ options apply to zone transfers.
    using IPv6.
 
 .. namedconf:statement:: alt-transfer-source
-   :tags: transfer
+   :tags: deprecated
    :short: Defines alternate local IPv4 address(es) to be used by the server for inbound zone transfers, if the address(es) defined by :any:`transfer-source` fail and :any:`use-alt-transfer-source` is enabled.
 
    This indicates an alternate transfer source if the one listed in :any:`transfer-source`
@@ -3588,14 +3588,14 @@ options apply to zone transfers.
       query.
 
 .. namedconf:statement:: alt-transfer-source-v6
-   :tags: transfer
+   :tags: deprecated
    :short: Defines alternate local IPv6 address(es) to be used by the server for inbound zone transfers.
 
    This indicates an alternate transfer source if the one listed in
    :any:`transfer-source-v6` fails and :any:`use-alt-transfer-source` is set.
 
 .. namedconf:statement:: use-alt-transfer-source
-   :tags: transfer
+   :tags: deprecated
    :short: Indicates whether :any:`alt-transfer-source` and :any:`alt-transfer-source-v6` can be used.
 
    This indicates whether the alternate transfer sources should be used. If views are specified,
diff --git a/doc/man/named.conf.5in b/doc/man/named.conf.5in
index a837d00213..1192521ed5 100644
--- a/doc/man/named.conf.5in
+++ b/doc/man/named.conf.5in
@@ -127,8 +127,8 @@ options {
 	allow\-update { <address_match_element>; ... };
 	allow\-update\-forwarding { <address_match_element>; ... };
 	also\-notify [ port <integer> ] [ dscp <integer> ] { ( <remote\-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
-	alt\-transfer\-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
-	alt\-transfer\-source\-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+	alt\-transfer\-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; // deprecated
+	alt\-transfer\-source\-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; // deprecated
 	answer\-cookie <boolean>;
 	attach\-cache <string>;
 	auth\-nxdomain <boolean>;
@@ -367,7 +367,7 @@ options {
 	udp\-receive\-buffer <integer>;
 	udp\-send\-buffer <integer>;
 	update\-check\-ksk <boolean>;
-	use\-alt\-transfer\-source <boolean>;
+	use\-alt\-transfer\-source <boolean>; // deprecated
 	use\-v4\-udp\-ports { <portrange>; ... };
 	use\-v6\-udp\-ports { <portrange>; ... };
 	v6\-bias <integer>;
@@ -442,8 +442,8 @@ view <string> [ <class> ] {
 	allow\-update { <address_match_element>; ... };
 	allow\-update\-forwarding { <address_match_element>; ... };
 	also\-notify [ port <integer> ] [ dscp <integer> ] { ( <remote\-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
-	alt\-transfer\-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
-	alt\-transfer\-source\-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+	alt\-transfer\-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; // deprecated
+	alt\-transfer\-source\-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; // deprecated
 	attach\-cache <string>;
 	auth\-nxdomain <boolean>;
 	auto\-dnssec ( allow | maintain | off ); // deprecated
@@ -643,7 +643,7 @@ view <string> [ <class> ] {
 	trusted\-keys { <string> <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times, deprecated
 	try\-tcp\-refresh <boolean>;
 	update\-check\-ksk <boolean>;
-	use\-alt\-transfer\-source <boolean>;
+	use\-alt\-transfer\-source <boolean>; // deprecated
 	v6\-bias <integer>;
 	validate\-except { <string>; ... };
 	zero\-no\-soa\-ttl <boolean>;
@@ -670,8 +670,8 @@ zone <string> [ <class> ] {
 	allow\-transfer [ port <integer> ] [ transport <string> ] { <address_match_element>; ... };
 	allow\-update { <address_match_element>; ... };
 	also\-notify [ port <integer> ] [ dscp <integer> ] { ( <remote\-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
-	alt\-transfer\-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
-	alt\-transfer\-source\-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+	alt\-transfer\-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; // deprecated
+	alt\-transfer\-source\-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; // deprecated
 	auto\-dnssec ( allow | maintain | off ); // deprecated
 	check\-dup\-records ( fail | warn | ignore );
 	check\-integrity <boolean>;
@@ -743,8 +743,8 @@ zone <string> [ <class> ] {
 	allow\-transfer [ port <integer> ] [ transport <string> ] { <address_match_element>; ... };
 	allow\-update\-forwarding { <address_match_element>; ... };
 	also\-notify [ port <integer> ] [ dscp <integer> ] { ( <remote\-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
-	alt\-transfer\-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
-	alt\-transfer\-source\-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+	alt\-transfer\-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; // deprecated
+	alt\-transfer\-source\-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; // deprecated
 	auto\-dnssec ( allow | maintain | off ); // deprecated
 	check\-names ( fail | warn | ignore );
 	database <string>;
@@ -796,7 +796,7 @@ zone <string> [ <class> ] {
 	transfer\-source\-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
 	try\-tcp\-refresh <boolean>;
 	update\-check\-ksk <boolean>;
-	use\-alt\-transfer\-source <boolean>;
+	use\-alt\-transfer\-source <boolean>; // deprecated
 	zero\-no\-soa\-ttl <boolean>;
 	zone\-statistics ( full | terse | none | <boolean> );
 };
@@ -818,8 +818,8 @@ zone <string> [ <class> ] {
 	allow\-transfer [ port <integer> ] [ transport <string> ] { <address_match_element>; ... };
 	allow\-update\-forwarding { <address_match_element>; ... };
 	also\-notify [ port <integer> ] [ dscp <integer> ] { ( <remote\-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
-	alt\-transfer\-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
-	alt\-transfer\-source\-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+	alt\-transfer\-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; // deprecated
+	alt\-transfer\-source\-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; // deprecated
 	check\-names ( fail | warn | ignore );
 	database <string>;
 	file <quoted_string>;
@@ -849,7 +849,7 @@ zone <string> [ <class> ] {
 	transfer\-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
 	transfer\-source\-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
 	try\-tcp\-refresh <boolean>;
-	use\-alt\-transfer\-source <boolean>;
+	use\-alt\-transfer\-source <boolean>; // deprecated
 	zero\-no\-soa\-ttl <boolean>;
 	zone\-statistics ( full | terse | none | <boolean> );
 };
@@ -963,7 +963,7 @@ zone <string> [ <class> ] {
 	primaries [ port <integer> ] [ dscp <integer> ] { ( <remote\-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
 	transfer\-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
 	transfer\-source\-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
-	use\-alt\-transfer\-source <boolean>;
+	use\-alt\-transfer\-source <boolean>; // deprecated
 	zone\-statistics ( full | terse | none | <boolean> );
 };
 
diff --git a/doc/misc/mirror.zoneopt b/doc/misc/mirror.zoneopt
index 8b673c2409..90a0b97a59 100644
--- a/doc/misc/mirror.zoneopt
+++ b/doc/misc/mirror.zoneopt
@@ -6,8 +6,8 @@ zone <string> [ <class> ] {
 	allow-transfer [ port <integer> ] [ transport <string> ] { <address_match_element>; ... };
 	allow-update-forwarding { <address_match_element>; ... };
 	also-notify [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
-	alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
-	alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+	alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; // deprecated
+	alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; // deprecated
 	check-names ( fail | warn | ignore );
 	database <string>;
 	file <quoted_string>;
@@ -37,7 +37,7 @@ zone <string> [ <class> ] {
 	transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
 	transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
 	try-tcp-refresh <boolean>;
-	use-alt-transfer-source <boolean>;
+	use-alt-transfer-source <boolean>; // deprecated
 	zero-no-soa-ttl <boolean>;
 	zone-statistics ( full | terse | none | <boolean> );
 };
diff --git a/doc/misc/options b/doc/misc/options
index 8fda662714..fdd59edb72 100644
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -70,8 +70,8 @@ options {
 	allow-update { <address_match_element>; ... };
 	allow-update-forwarding { <address_match_element>; ... };
 	also-notify [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
-	alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
-	alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+	alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; // deprecated
+	alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; // deprecated
 	answer-cookie <boolean>;
 	attach-cache <string>;
 	auth-nxdomain <boolean>;
@@ -310,7 +310,7 @@ options {
 	udp-receive-buffer <integer>;
 	udp-send-buffer <integer>;
 	update-check-ksk <boolean>;
-	use-alt-transfer-source <boolean>;
+	use-alt-transfer-source <boolean>; // deprecated
 	use-v4-udp-ports { <portrange>; ... };
 	use-v6-udp-ports { <portrange>; ... };
 	v6-bias <integer>;
@@ -385,8 +385,8 @@ view <string> [ <class> ] {
 	allow-update { <address_match_element>; ... };
 	allow-update-forwarding { <address_match_element>; ... };
 	also-notify [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
-	alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
-	alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+	alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; // deprecated
+	alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; // deprecated
 	attach-cache <string>;
 	auth-nxdomain <boolean>;
 	auto-dnssec ( allow | maintain | off ); // deprecated
@@ -586,7 +586,7 @@ view <string> [ <class> ] {
 	trusted-keys { <string> <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times, deprecated
 	try-tcp-refresh <boolean>;
 	update-check-ksk <boolean>;
-	use-alt-transfer-source <boolean>;
+	use-alt-transfer-source <boolean>; // deprecated
 	v6-bias <integer>;
 	validate-except { <string>; ... };
 	zero-no-soa-ttl <boolean>;
diff --git a/doc/misc/primary.zoneopt b/doc/misc/primary.zoneopt
index c4c83ce2dd..16a0333032 100644
--- a/doc/misc/primary.zoneopt
+++ b/doc/misc/primary.zoneopt
@@ -5,8 +5,8 @@ zone <string> [ <class> ] {
 	allow-transfer [ port <integer> ] [ transport <string> ] { <address_match_element>; ... };
 	allow-update { <address_match_element>; ... };
 	also-notify [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
-	alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
-	alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+	alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; // deprecated
+	alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; // deprecated
 	auto-dnssec ( allow | maintain | off ); // deprecated
 	check-dup-records ( fail | warn | ignore );
 	check-integrity <boolean>;
diff --git a/doc/misc/secondary.zoneopt b/doc/misc/secondary.zoneopt
index dfeb63eee8..75c99e3973 100644
--- a/doc/misc/secondary.zoneopt
+++ b/doc/misc/secondary.zoneopt
@@ -6,8 +6,8 @@ zone <string> [ <class> ] {
 	allow-transfer [ port <integer> ] [ transport <string> ] { <address_match_element>; ... };
 	allow-update-forwarding { <address_match_element>; ... };
 	also-notify [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
-	alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
-	alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+	alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; // deprecated
+	alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; // deprecated
 	auto-dnssec ( allow | maintain | off ); // deprecated
 	check-names ( fail | warn | ignore );
 	database <string>;
@@ -59,7 +59,7 @@ zone <string> [ <class> ] {
 	transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
 	try-tcp-refresh <boolean>;
 	update-check-ksk <boolean>;
-	use-alt-transfer-source <boolean>;
+	use-alt-transfer-source <boolean>; // deprecated
 	zero-no-soa-ttl <boolean>;
 	zone-statistics ( full | terse | none | <boolean> );
 };
diff --git a/doc/misc/stub.zoneopt b/doc/misc/stub.zoneopt
index 305585b9e0..d5b0ba5144 100644
--- a/doc/misc/stub.zoneopt
+++ b/doc/misc/stub.zoneopt
@@ -22,6 +22,6 @@ zone <string> [ <class> ] {
 	primaries [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
 	transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
 	transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
-	use-alt-transfer-source <boolean>;
+	use-alt-transfer-source <boolean>; // deprecated
 	zone-statistics ( full | terse | none | <boolean> );
 };
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index 7925d53f8e..a5c890bc00 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -2241,9 +2241,11 @@ static cfg_clausedef_t zone_clauses[] = {
 	{ "also-notify", &cfg_type_namesockaddrkeylist,
 	  CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR },
 	{ "alt-transfer-source", &cfg_type_sockaddr4wild,
-	  CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR },
+	  CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR |
+		  CFG_CLAUSEFLAG_DEPRECATED },
 	{ "alt-transfer-source-v6", &cfg_type_sockaddr6wild,
-	  CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR },
+	  CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR |
+		  CFG_CLAUSEFLAG_DEPRECATED },
 	{ "auto-dnssec", &cfg_type_autodnssec,
 	  CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_CLAUSEFLAG_DEPRECATED },
 	{ "check-dup-records", &cfg_type_checkmode, CFG_ZONE_PRIMARY },
@@ -2348,7 +2350,8 @@ static cfg_clausedef_t zone_clauses[] = {
 	{ "update-check-ksk", &cfg_type_boolean,
 	  CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY },
 	{ "use-alt-transfer-source", &cfg_type_boolean,
-	  CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR | CFG_ZONE_STUB },
+	  CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR | CFG_ZONE_STUB |
+		  CFG_CLAUSEFLAG_DEPRECATED },
 	{ "zero-no-soa-ttl", &cfg_type_boolean,
 	  CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR },
 	{ "zone-statistics", &cfg_type_zonestat,