Ancient named.conf options are now a fatal configuration error

- options that were flagged as obsolete or not implemented in 9.0.0
  are now flagged as "ancient", and are a fatal error
- the ARM has been updated to remove these, along with other
  obsolete descriptions of BIND 8 behavior
- the log message for obsolete options explicitly recommends removal
Evan Hunt
2019-01-20 23:50:17 -08:00
committed by Ondřej Surý
parent 5a623052a1
commit ff3dace139
13 changed files with 221 additions and 467 deletions


@@ -13,7 +13,7 @@
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named.conf">
<info>
<date>2018-10-23</date>
<date>2018-12-07</date>
</info>
<refentryinfo>
<corpname>ISC</corpname>
@@ -203,9 +203,9 @@ options {
bindkeys-file <replaceable>quoted_string</replaceable>;
blackhole { <replaceable>address_match_element</replaceable>; ... };
cache-file <replaceable>quoted_string</replaceable>;
catalog-zones { zone <replaceable>quoted_string</replaceable> [ default-masters [ port
<replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ] { ( <replaceable>masters</replaceable> | <replaceable>ipv4_address</replaceable> [
port <replaceable>integer</replaceable> ] | <replaceable>ipv6_address</replaceable> [ port <replaceable>integer</replaceable> ] ) [ key
catalog-zones { zone <replaceable>string</replaceable> [ default-masters [ port <replaceable>integer</replaceable> ]
[ dscp <replaceable>integer</replaceable> ] { ( <replaceable>masters</replaceable> | <replaceable>ipv4_address</replaceable> [ port
<replaceable>integer</replaceable> ] | <replaceable>ipv6_address</replaceable> [ port <replaceable>integer</replaceable> ] ) [ key
<replaceable>string</replaceable> ]; ... } ] [ zone-directory <replaceable>quoted_string</replaceable> ] [
in-memory <replaceable>boolean</replaceable> ] [ min-update-interval <replaceable>ttlval</replaceable> ]; ... };
check-dup-records ( fail | warn | ignore );
@@ -259,12 +259,15 @@ options {
dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
dnssec-update-mode ( maintain | no-resign );
dnssec-validation ( yes | no | auto );
dnstap { ( all | auth | client | forwarder | resolver | update ) [
( query | response ) ]; ... };
dnstap-identity ( <replaceable>quoted_string</replaceable> | none | hostname );
dnstap-output ( file | unix ) <replaceable>quoted_string</replaceable> [ size ( unlimited |
<replaceable>size</replaceable> ) ] [ versions ( unlimited | <replaceable>integer</replaceable> ) ] [ suffix (
increment | timestamp ) ];
dnstap { ( all | auth | client | forwarder |
resolver | update ) [ ( query | response ) ];
... };
dnstap-identity ( <replaceable>quoted_string</replaceable> | none |
hostname );
dnstap-output ( file | unix ) <replaceable>quoted_string</replaceable> [
size ( unlimited | <replaceable>size</replaceable> ) ] [ versions (
unlimited | <replaceable>integer</replaceable> ) ] [ suffix ( increment
| timestamp ) ];
dnstap-version ( <replaceable>quoted_string</replaceable> | none );
dscp <replaceable>integer</replaceable>;
dual-stack-servers [ port <replaceable>integer</replaceable> ] { ( <replaceable>quoted_string</replaceable> [ port
@@ -280,9 +283,6 @@ options {
fetches-per-server <replaceable>integer</replaceable> [ ( drop | fail ) ];
fetches-per-zone <replaceable>integer</replaceable> [ ( drop | fail ) ];
files ( default | unlimited | <replaceable>sizeval</replaceable> );
filter-aaaa { <replaceable>address_match_element</replaceable>; ... };
filter-aaaa-on-v4 ( break-dnssec | <replaceable>boolean</replaceable> );
filter-aaaa-on-v6 ( break-dnssec | <replaceable>boolean</replaceable> );
flush-zones-on-shutdown <replaceable>boolean</replaceable>;
forward ( first | only );
forwarders [ port <replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ] { ( <replaceable>ipv4_address</replaceable>
@@ -403,18 +403,17 @@ options {
resolver-retry-interval <replaceable>integer</replaceable>;
response-padding { <replaceable>address_match_element</replaceable>; ... } block-size
<replaceable>integer</replaceable>;
response-policy { zone <replaceable>quoted_string</replaceable> [ log <replaceable>boolean</replaceable> ] [
max-policy-ttl <replaceable>ttlval</replaceable> ] [ min-update-interval <replaceable>ttlval</replaceable> ] [
policy ( cname | disabled | drop | given | no-op | nodata |
nxdomain | passthru | tcp-only <replaceable>quoted_string</replaceable> ) ] [
recursive-only <replaceable>boolean</replaceable> ] [ nsip-enable <replaceable>boolean</replaceable> ] [
nsdname-enable <replaceable>boolean</replaceable> ]; ... } [ break-dnssec <replaceable>boolean</replaceable> ] [
max-policy-ttl <replaceable>ttlval</replaceable> ] [ min-update-interval <replaceable>ttlval</replaceable> ] [
min-ns-dots <replaceable>integer</replaceable> ] [ nsip-wait-recurse <replaceable>boolean</replaceable> ] [
qname-wait-recurse <replaceable>boolean</replaceable> ] [ recursive-only <replaceable>boolean</replaceable> ] [
nsip-enable <replaceable>boolean</replaceable> ] [ nsdname-enable <replaceable>boolean</replaceable> ] [
dnsrps-enable <replaceable>boolean</replaceable> ] [ dnsrps-options { <replaceable>unspecified-text</replaceable>
} ];
response-policy { zone <replaceable>string</replaceable> [ log <replaceable>boolean</replaceable> ] [ max-policy-ttl
<replaceable>ttlval</replaceable> ] [ min-update-interval <replaceable>ttlval</replaceable> ] [ policy ( cname |
disabled | drop | given | no-op | nodata | nxdomain | passthru
| tcp-only <replaceable>quoted_string</replaceable> ) ] [ recursive-only <replaceable>boolean</replaceable> ] [
nsip-enable <replaceable>boolean</replaceable> ] [ nsdname-enable <replaceable>boolean</replaceable> ]; ... } [
break-dnssec <replaceable>boolean</replaceable> ] [ max-policy-ttl <replaceable>ttlval</replaceable> ] [
min-update-interval <replaceable>ttlval</replaceable> ] [ min-ns-dots <replaceable>integer</replaceable> ] [
nsip-wait-recurse <replaceable>boolean</replaceable> ] [ qname-wait-recurse <replaceable>boolean</replaceable> ]
[ recursive-only <replaceable>boolean</replaceable> ] [ nsip-enable <replaceable>boolean</replaceable> ] [
nsdname-enable <replaceable>boolean</replaceable> ] [ dnsrps-enable <replaceable>boolean</replaceable> ] [
dnsrps-options { <replaceable>unspecified-text</replaceable> } ];
root-delegation-only [ exclude { <replaceable>string</replaceable>; ... } ];
root-key-sentinel <replaceable>boolean</replaceable>;
rrset-order { [ class <replaceable>string</replaceable> ] [ type <replaceable>string</replaceable> ] [ name
@@ -474,6 +473,14 @@ options {
</literallayout>
</refsection>
<refsection><info><title>PLUGIN</title></info>
<literallayout class="normal">
plugin ( query ) <replaceable>string</replaceable> [ { <replaceable>unspecified-text</replaceable>
} ];
</literallayout>
</refsection>
<refsection><info><title>SERVER</title></info>
<literallayout class="normal">
@@ -558,9 +565,9 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
auth-nxdomain <replaceable>boolean</replaceable>; // default changed
auto-dnssec ( allow | maintain | off );
cache-file <replaceable>quoted_string</replaceable>;
catalog-zones { zone <replaceable>quoted_string</replaceable> [ default-masters [ port
<replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ] { ( <replaceable>masters</replaceable> | <replaceable>ipv4_address</replaceable> [
port <replaceable>integer</replaceable> ] | <replaceable>ipv6_address</replaceable> [ port <replaceable>integer</replaceable> ] ) [ key
catalog-zones { zone <replaceable>string</replaceable> [ default-masters [ port <replaceable>integer</replaceable> ]
[ dscp <replaceable>integer</replaceable> ] { ( <replaceable>masters</replaceable> | <replaceable>ipv4_address</replaceable> [ port
<replaceable>integer</replaceable> ] | <replaceable>ipv6_address</replaceable> [ port <replaceable>integer</replaceable> ] ) [ key
<replaceable>string</replaceable> ]; ... } ] [ zone-directory <replaceable>quoted_string</replaceable> ] [
in-memory <replaceable>boolean</replaceable> ] [ min-update-interval <replaceable>ttlval</replaceable> ]; ... };
check-dup-records ( fail | warn | ignore );
@@ -613,8 +620,9 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
dnssec-update-mode ( maintain | no-resign );
dnssec-validation ( yes | no | auto );
dnstap { ( all | auth | client | forwarder | resolver | update ) [
( query | response ) ]; ... };
dnstap { ( all | auth | client | forwarder |
resolver | update ) [ ( query | response ) ];
... };
dual-stack-servers [ port <replaceable>integer</replaceable> ] { ( <replaceable>quoted_string</replaceable> [ port
<replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ] | <replaceable>ipv4_address</replaceable> [ port
<replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ] | <replaceable>ipv6_address</replaceable> [ port
@@ -628,9 +636,6 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
fetch-quota-params <replaceable>integer</replaceable> <replaceable>fixedpoint</replaceable> <replaceable>fixedpoint</replaceable> <replaceable>fixedpoint</replaceable>;
fetches-per-server <replaceable>integer</replaceable> [ ( drop | fail ) ];
fetches-per-zone <replaceable>integer</replaceable> [ ( drop | fail ) ];
filter-aaaa { <replaceable>address_match_element</replaceable>; ... };
filter-aaaa-on-v4 ( break-dnssec | <replaceable>boolean</replaceable> );
filter-aaaa-on-v6 ( break-dnssec | <replaceable>boolean</replaceable> );
forward ( first | only );
forwarders [ port <replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ] { ( <replaceable>ipv4_address</replaceable>
| <replaceable>ipv6_address</replaceable> ) [ port <replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ]; ... };
@@ -671,6 +676,8 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
max-udp-size <replaceable>integer</replaceable>;
max-zone-ttl ( unlimited | <replaceable>ttlval</replaceable> );
message-compression <replaceable>boolean</replaceable>;
min-cache-ttl <replaceable>ttlval</replaceable>;
min-ncache-ttl <replaceable>ttlval</replaceable>;
min-refresh-time <replaceable>integer</replaceable>;
min-retry-time <replaceable>integer</replaceable>;
minimal-any <replaceable>boolean</replaceable>;
@@ -689,6 +696,8 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
nta-lifetime <replaceable>ttlval</replaceable>;
nta-recheck <replaceable>ttlval</replaceable>;
nxdomain-redirect <replaceable>string</replaceable>;
plugin ( query ) <replaceable>string</replaceable> [ {
<replaceable>unspecified-text</replaceable> } ];
preferred-glue <replaceable>string</replaceable>;
prefetch <replaceable>integer</replaceable> [ <replaceable>integer</replaceable> ];
provide-ixfr <replaceable>boolean</replaceable>;
@@ -726,18 +735,17 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
resolver-retry-interval <replaceable>integer</replaceable>;
response-padding { <replaceable>address_match_element</replaceable>; ... } block-size
<replaceable>integer</replaceable>;
response-policy { zone <replaceable>quoted_string</replaceable> [ log <replaceable>boolean</replaceable> ] [
max-policy-ttl <replaceable>ttlval</replaceable> ] [ min-update-interval <replaceable>ttlval</replaceable> ] [
policy ( cname | disabled | drop | given | no-op | nodata |
nxdomain | passthru | tcp-only <replaceable>quoted_string</replaceable> ) ] [
recursive-only <replaceable>boolean</replaceable> ] [ nsip-enable <replaceable>boolean</replaceable> ] [
nsdname-enable <replaceable>boolean</replaceable> ]; ... } [ break-dnssec <replaceable>boolean</replaceable> ] [
max-policy-ttl <replaceable>ttlval</replaceable> ] [ min-update-interval <replaceable>ttlval</replaceable> ] [
min-ns-dots <replaceable>integer</replaceable> ] [ nsip-wait-recurse <replaceable>boolean</replaceable> ] [
qname-wait-recurse <replaceable>boolean</replaceable> ] [ recursive-only <replaceable>boolean</replaceable> ] [
nsip-enable <replaceable>boolean</replaceable> ] [ nsdname-enable <replaceable>boolean</replaceable> ] [
dnsrps-enable <replaceable>boolean</replaceable> ] [ dnsrps-options { <replaceable>unspecified-text</replaceable>
} ];
response-policy { zone <replaceable>string</replaceable> [ log <replaceable>boolean</replaceable> ] [ max-policy-ttl
<replaceable>ttlval</replaceable> ] [ min-update-interval <replaceable>ttlval</replaceable> ] [ policy ( cname |
disabled | drop | given | no-op | nodata | nxdomain | passthru
| tcp-only <replaceable>quoted_string</replaceable> ) ] [ recursive-only <replaceable>boolean</replaceable> ] [
nsip-enable <replaceable>boolean</replaceable> ] [ nsdname-enable <replaceable>boolean</replaceable> ]; ... } [
break-dnssec <replaceable>boolean</replaceable> ] [ max-policy-ttl <replaceable>ttlval</replaceable> ] [
min-update-interval <replaceable>ttlval</replaceable> ] [ min-ns-dots <replaceable>integer</replaceable> ] [
nsip-wait-recurse <replaceable>boolean</replaceable> ] [ qname-wait-recurse <replaceable>boolean</replaceable> ]
[ recursive-only <replaceable>boolean</replaceable> ] [ nsip-enable <replaceable>boolean</replaceable> ] [
nsdname-enable <replaceable>boolean</replaceable> ] [ dnsrps-enable <replaceable>boolean</replaceable> ] [
dnsrps-options { <replaceable>unspecified-text</replaceable> } ];
root-delegation-only [ exclude { <replaceable>string</replaceable>; ... } ];
root-key-sentinel <replaceable>boolean</replaceable>;
rrset-order { [ class <replaceable>string</replaceable> ] [ type <replaceable>string</replaceable> ] [ name
@@ -873,9 +881,7 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
notify-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable>
| * ) ] [ dscp <replaceable>integer</replaceable> ];
notify-to-soa <replaceable>boolean</replaceable>;
pubkey <replaceable>integer</replaceable>
<replaceable>integer</replaceable>
<replaceable>integer</replaceable>
pubkey <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable>
request-expire <replaceable>boolean</replaceable>;
request-ixfr <replaceable>boolean</replaceable>;
serial-update-method ( date | increment | unixtime );
@@ -977,7 +983,6 @@ zone <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
notify-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> | * ) ]
[ dscp <replaceable>integer</replaceable> ];
notify-to-soa <replaceable>boolean</replaceable>;
pubkey <replaceable>integer</replaceable> <replaceable>integer</replaceable>
request-expire <replaceable>boolean</replaceable>;
request-ixfr <replaceable>boolean</replaceable>;
serial-update-method ( date | increment | unixtime );


@@ -0,0 +1,17 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
/*
* Ancient options are fatal.
*/
options {
fake-iquery yes;
};


@@ -26,16 +26,11 @@ options {
};
coresize 1073741824;
datasize 104857600;
deallocate-on-exit yes;
directory ".";
dscp 41;
dump-file "named_dumpdb";
fake-iquery yes;
files 1000;
has-old-clients no;
heartbeat-interval 30;
host-statistics yes;
host-statistics-max 100;
hostname none;
interface-interval 30;
keep-response-order {
@@ -52,14 +47,11 @@ options {
};
match-mapped-addresses yes;
memstatistics-file "named.memstats";
multiple-cnames no;
named-xfer "this is no longer needed";
pid-file none;
port 5300;
querylog yes;
recursing-file "named.recursing";
recursive-clients 3000;
serial-queries 10;
serial-query-rate 100;
server-id none;
max-cache-size 20000000000000;


@@ -77,6 +77,14 @@ do
status=`expr $status + $ret`
done
n=`expr $n + 1`
echo_i "checking that ancient options report a fatal error ($n)"
ret=0
$CHECKCONF ancient.conf > ancient.out 2>&1 && ret=1
grep "no longer exists" ancient.out > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "checking that named-checkconf -z catches missing hint file ($n)"
ret=0
@@ -340,6 +348,7 @@ echo_i "check that named-checkconf -l print out the zone list ($n)"
ret=0
$CHECKCONF -l good.conf |
grep -v "is not implemented" |
grep -v "no longer exists" |
grep -v "is obsolete" > checkconf.out$n || ret=1
diff good.zonelist checkconf.out$n > diff.out$n || ret=1
if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
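Review bot: The new ancient-option check only asserts that some line of ancient.out contains "no longer exists", so it would also pass if the fatal error came from a different option or a different diagnostic than the `fake-iquery` line the fixture is built around. If the diagnostic names the offending option (to be confirmed against the checkconf output), tighten the assertion to `grep "no longer exists" ancient.out | grep "fake-iquery" > /dev/null || ret=1` so the test pins the option that was meant to be rejected. The same "no longer exists" string is then filtered out of the `-l good.conf` output in the second hunk; a one-line comment there such as `# obsolete/ancient-option diagnostics are not part of the zone list` would make it clear the filter is about output shape, not about tolerating ancient options in good.conf. The surrounding test script continues outside both hunks.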