Merge branch '3399-random-device-ancient' into 'main'

flag "random-device" as ancient

Closes #3399

See merge request isc-projects/bind9!6769

CHANGES

@@ -1,3 +1,6 @@
+5967.	[cleanup]	Flagged the obsolete "random-device" option as
+			ancient; it is now an error to configure it. [GL #3399]
+
 5966.	[func]		You can now specify if a server must return a DNS
 			COOKIE before accepting the response over UDP.
 			[GL #2295]

bin/tests/system/checkconf/bad-random-device.conf

@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+        random-device "/dev/urandom";
+};

doc/arm/reference.rst

@@ -1647,31 +1647,6 @@ default is used.
    classify outgoing DNS traffic, on operating systems that support DSCP.
    Valid values are 0 through 63. It is not configured by default.
 
-.. namedconf:statement:: random-device
-   :tags: server, security
-   :short: Specifies a source of entropy to be used by the server.
-
-   This specifies a source of entropy to be used by the server; it is a
-   device or file from which to read entropy. If it is a file,
-   operations requiring entropy will fail when the file has been
-   exhausted.
-
-   Entropy is needed for cryptographic operations such as TKEY
-   transactions, dynamic update of signed zones, and generation of TSIG
-   session keys. It is also used for seeding and stirring the
-   pseudo-random number generator which is used for less critical
-   functions requiring randomness, such as generation of DNS message
-   transaction IDs.
-
-   If :any:`random-device` is not specified, or if it is set to ``none``,
-   entropy is read from the random number generation function
-   supplied by the cryptographic library with which BIND was linked
-   (i.e. OpenSSL or a PKCS#11 provider).
-
-   The :any:`random-device` option takes effect during the initial
-   configuration load at server startup time and is ignored on
-   subsequent reloads.
-
 .. namedconf:statement:: preferred-glue
    :tags: query
    :short: Controls the order of glue records in an A or AAAA response.

doc/man/named.conf.5in

@@ -282,7 +282,6 @@ options {
 	query\-source ( ( [ address ] ( <ipv4_address> | * ) [ port ( <integer> | * ) ] ) | ( [ [ address ] ( <ipv4_address> | * ) ] port ( <integer> | * ) ) ) [ dscp <integer> ];
 	query\-source\-v6 ( ( [ address ] ( <ipv6_address> | * ) [ port ( <integer> | * ) ] ) | ( [ [ address ] ( <ipv6_address> | * ) ] port ( <integer> | * ) ) ) [ dscp <integer> ];
 	querylog <boolean>;
-	random\-device ( <quoted_string> | none );
 	rate\-limit {
 		all\-per\-second <integer>;
 		errors\-per\-second <integer>;

doc/misc/options

@@ -225,7 +225,6 @@ options {
 	query-source ( ( [ address ] ( <ipv4_address> | * ) [ port ( <integer> | * ) ] ) | ( [ [ address ] ( <ipv4_address> | * ) ] port ( <integer> | * ) ) ) [ dscp <integer> ];
 	query-source-v6 ( ( [ address ] ( <ipv6_address> | * ) [ port ( <integer> | * ) ] ) | ( [ [ address ] ( <ipv6_address> | * ) ] port ( <integer> | * ) ) ) [ dscp <integer> ];
 	querylog <boolean>;
-	random-device ( <quoted_string> | none );
 	rate-limit {
 		all-per-second <integer>;
 		errors-per-second <integer>;

lib/isccfg/namedconf.c

@@ -1305,7 +1305,7 @@ static cfg_clausedef_t options_clauses[] = {
 	{ "https-port", &cfg_type_uint32, CFG_CLAUSEFLAG_NOTCONFIGURED },
 #endif
 	{ "querylog", &cfg_type_boolean, 0 },
-	{ "random-device", &cfg_type_qstringornone, 0 },
+	{ "random-device", &cfg_type_qstringornone, CFG_CLAUSEFLAG_ANCIENT },
 	{ "recursing-file", &cfg_type_qstring, 0 },
 	{ "recursive-clients", &cfg_type_uint32, 0 },
 	{ "reuseport", &cfg_type_boolean, 0 },