Remove dnssec-must-be-secure feature

The dnssec-must-be-secure feature was added in the early days of BIND 9
and DNSSEC and it makes sense only as a debugging feature.  There are no
reasons to keep this feature in the production code anymore.

Remove the feature to simplify the code.
Ondřej Surý
2024-12-06 13:11:59 +01:00
parent 5bee088dd1
commit dcd1f5b842
20 changed files with 16 additions and 222 deletions


@@ -1680,19 +1680,6 @@ default is used.
If all supported digest types are disabled, the zones covered by
:any:`disable-ds-digests` are treated as insecure.
.. namedconf:statement:: dnssec-must-be-secure
:tags: deprecated
:short: Defines hierarchies that must or may not be secure (signed and validated).
This option is deprecated and will be removed in a future release.
This specifies hierarchies which must be or may not be secure (signed and
validated). If ``yes``, then :iscman:`named` only accepts answers if
they are secure. If ``no``, then normal DNSSEC validation applies,
allowing insecure answers to be accepted. The specified domain
must be defined as a trust anchor, for instance in a :any:`trust-anchors`
statement, or ``dnssec-validation auto`` must be active.
.. namedconf:statement:: dns64
:tags: query
:short: Instructs :iscman:`named` to return mapped IPv4 addresses to AAAA queries when there are no AAAA records.
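
Review bot: the deleted ``dnssec-must-be-secure`` entry leaves the reference with no record of what happens to a configuration that still sets it. The removed text says that with ``yes`` named only accepts answers that are secure, and that with ``no`` normal validation applies and insecure answers are accepted, so an operator who relied on ``yes`` for a hierarchy ends up with a weaker acceptance rule once the statement is gone. Suggest a release note or short migration note that states this and says what named and named-checkconf report when they meet the statement.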


@@ -124,7 +124,6 @@ options {
dnssec-accept-expired <boolean>;
dnssec-dnskey-kskonly <boolean>; // obsolete
dnssec-loadkeys-interval <integer>;
dnssec-must-be-secure <string> <boolean>; // may occur multiple times, deprecated
dnssec-policy <string>;
dnssec-secure-to-insecure <boolean>; // obsolete
dnssec-update-mode ( maintain | no-resign ); // obsolete
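
Review bot: missing compatibility decision at the removed ``dnssec-must-be-secure <string> <boolean>;`` line in the options grammar. The neighbouring dnssec-dnskey-kskonly, dnssec-secure-to-insecure and dnssec-update-mode stay listed as "// obsolete", while this statement goes from "deprecated" straight to absent. Say in the commit message whether an existing named.conf that carries it now fails to load or is still accepted with a warning, and if failing is intended, make sure the error names the statement.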
@@ -431,7 +430,6 @@ view <string> [ <class> ] {
dnssec-accept-expired <boolean>;
dnssec-dnskey-kskonly <boolean>; // obsolete
dnssec-loadkeys-interval <integer>;
dnssec-must-be-secure <string> <boolean>; // may occur multiple times, deprecated
dnssec-policy <string>;
dnssec-secure-to-insecure <boolean>; // obsolete
dnssec-update-mode ( maintain | no-resign ); // obsolete
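
Review bot: the view-level removal of ``dnssec-must-be-secure`` was marked "may occur multiple times", so one view could carry several of these lines and different views could list different hierarchies. Check that the diagnostic for a leftover statement identifies each occurrence by line, so an operator can clean a multi-view configuration in one pass and can see which hierarchies lose the must-be-secure rule.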