remove "sortlist"

this commit removes the deprecated "sortlist" option. the option is now marked as ancient; it is a fatal error to use it in named.conf. the sortlist system test has been removed, and other tests that referenced the option have been modified. the enabling functions, dns_message_setsortorder() and dns_rdataset_towiresorted(), have also been removed.
2025-08-22 10:10:06 +00:00 · 2024-12-05 13:16:02 -08:00 · 2024-12-05 13:16:02 -08:00 · 3394aa9c25
commit 3394aa9c25
parent ef6dc36e53
31 changed files with 44 additions and 822 deletions
--- a/bin/named/config.c
+++ b/bin/named/config.c
@ -193,7 +193,6 @@ options {\n\
 	require-server-cookie no;\n\
 	root-key-sentinel yes;\n\
 	servfail-ttl 1;\n\
 #	sortlist <none>\n\
 	stale-answer-client-timeout off;\n\
 	stale-answer-enable false;\n\
 	stale-answer-ttl 30; /* 30 seconds */\n\
--- a/bin/named/server.c
+++ b/bin/named/server.c
@ -584,51 +584,6 @@ configure_view_acl(const cfg_obj_t *vconfig, const cfg_obj_t *config,
 	return result;
 }
 /*%
 * Configure a sortlist at '*aclp'.  Essentially the same as
 * configure_view_acl() except it calls cfg_acl_fromconfig with a
 * nest_level value of 2.
 */
 static isc_result_t
 configure_view_sortlist(const cfg_obj_t *vconfig, const cfg_obj_t *config,
 			cfg_aclconfctx_t *actx, isc_mem_t *mctx,
 			dns_acl_t **aclp) {
 	isc_result_t result;
 	const cfg_obj_t *maps[3];
 	const cfg_obj_t *aclobj = NULL;
 	int i = 0;
 	if (*aclp != NULL) {
 		dns_acl_detach(aclp);
 	}
 	if (vconfig != NULL) {
 		maps[i++] = cfg_tuple_get(vconfig, "options");
 	}
 	if (config != NULL) {
 		const cfg_obj_t *options = NULL;
 		(void)cfg_map_get(config, "options", &options);
 		if (options != NULL) {
 			maps[i++] = options;
 		}
 	}
 	maps[i] = NULL;
 	(void)named_config_get(maps, "sortlist", &aclobj);
 	if (aclobj == NULL) {
 		return ISC_R_SUCCESS;
 	}
 	/*
 	 * Use a nest level of 3 for the "top level" of the sortlist;
 	 * this means each entry in the top three levels will be stored
 	 * as lists of separate, nested ACLs, rather than merged together
 	 * into IP tables as is usually done with ACLs.
 	 */
 	result = cfg_acl_fromconfig(aclobj, config, actx, mctx, 3, aclp);
 	return result;
 }
 static isc_result_t
 configure_view_nametable(const cfg_obj_t *vconfig, const cfg_obj_t *config,
 			 const char *confname, const char *conftuplename,
@ -5121,12 +5076,6 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config,
 				       "except-from", named_g_mctx,
 				       &view->answernames_exclude));
 	/*
 	 * Configure sortlist, if set
 	 */
 	CHECK(configure_view_sortlist(vconfig, config, actx, named_g_mctx,
 				      &view->sortlist));
 	/*
 	 * Configure default allow-update and allow-update-forwarding ACLs,
 	 * so they can be inherited by zones. (XXX: These are not
--- a/bin/tests/system/Makefile.am
+++ b/bin/tests/system/Makefile.am
@ -150,7 +150,6 @@ TESTS =				\
 	sfcache			\
 	shutdown		\
 	smartsign		\
 	sortlist		\
 	spf			\
 	staticstub		\
 	statistics		\
--- a/bin/tests/system/checkconf/deprecated.conf
+++ b/bin/tests/system/checkconf/deprecated.conf
@ -14,8 +14,6 @@
 options {
 	dnssec-validation yes;
 	max-zone-ttl 600;
 	sortlist { };
 };
 trust-anchors {
--- a/bin/tests/system/checkconf/tests.sh
+++ b/bin/tests/system/checkconf/tests.sh
@ -184,7 +184,6 @@ echo_i "checking named-checkconf deprecate warnings ($n)"
 ret=0
 $CHECKCONF deprecated.conf >checkconf.out$n.1 2>&1 || ret=1
 grep "option 'max-zone-ttl' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1
 grep "option 'sortlist' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 # set -i to ignore deprecate warnings
--- a/bin/tests/system/sortlist/ns1/example.db
+++ b/bin/tests/system/sortlist/ns1/example.db
@ -1,37 +0,0 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
 ; SPDX-License-Identifier: MPL-2.0
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0.  If a copy of the MPL was not distributed with this
 ; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
 $TTL 300	; 5 minutes
@			IN SOA	ns1.example. hostmaster.example. (
 				2000042795 ; serial
 				20         ; refresh (20 seconds)
 				20         ; retry (20 seconds)
 				1814400    ; expire (3 weeks)
 				3600       ; minimum (1 hour)
 				)
 example.		NS	ns1.example.
 ns1.example.		A	10.53.0.1
 ; Let's see what the sortlist picks out of this...
 a			A	1.1.1.1
 a			A	1.1.1.5
 a			A	1.1.1.2
 a			A	192.168.3.1
 a			A	1.1.1.3
 a			A	192.168.1.1
 a			A	1.1.1.4
 b			A	10.53.0.1
 b			A	10.53.0.2
 b			A	10.53.0.3
 b			A	10.53.0.4
 b			A	10.53.0.5
--- a/bin/tests/system/sortlist/ns1/named.conf.in
+++ b/bin/tests/system/sortlist/ns1/named.conf.in
@ -1,46 +0,0 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
 * SPDX-License-Identifier: MPL-2.0
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0.  If a copy of the MPL was not distributed with this
 * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */
 options {
 	query-source address 10.53.0.1;
 	notify-source 10.53.0.1;
 	transfer-source 10.53.0.1;
 	port @PORT@;
 	pid-file "named.pid";
 	listen-on { 10.53.0.1; };
 	listen-on-v6 { none; };
 	recursion no;
 	dnssec-validation no;
 	notify yes;
 	sortlist {
 	    { 10.53.0.1;				   // IF 10.53.0.1
 		{
 		    !1.1.1.4; !1.1.1.2; !1.1.1.3; !1.1.1.1; // sort these last,
 		    192.168.3/24;			    // this first
 		    { 192.168.2/24; 192.168.1/24; }; }; };  // and these next
 	    { { 10.53.0.2; 10.53.0.3; }; };		    // Prefer self
 	    10.53.0.4;					    // BIND 8 compat
 	    { 10.53.0.5; 10.53.0.5; };    		    // BIND 8 compat
 	};
 };
 zone "." {
 	type primary;
 	file "root.db";
 };
 zone "example" {
 	type primary;
 	file "example.db";
 };
--- a/bin/tests/system/sortlist/ns1/root.db
+++ b/bin/tests/system/sortlist/ns1/root.db
@ -1,24 +0,0 @@
 ; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 ;
 ; SPDX-License-Identifier: MPL-2.0
 ;
 ; This Source Code Form is subject to the terms of the Mozilla Public
 ; License, v. 2.0.  If a copy of the MPL was not distributed with this
 ; file, you can obtain one at https://mozilla.org/MPL/2.0/.
 ;
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
 $TTL 300
 . 			IN SOA	gson.nominum.com. a.root.servers.nil. (
 				2000042100   	; serial
 				600         	; refresh
 				600         	; retry
 				1200    	; expire
 				600       	; minimum
 				)
 .			NS	a.root-servers.nil.
 a.root-servers.nil.	A	10.53.0.1
 example.		NS	ns2.example.
 ns2.example.		A	10.53.0.2
--- a/bin/tests/system/sortlist/setup.sh
+++ b/bin/tests/system/sortlist/setup.sh
@ -1,16 +0,0 @@
 #!/bin/sh
 # Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # SPDX-License-Identifier: MPL-2.0
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0.  If a copy of the MPL was not distributed with this
 # file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
 . ../conf.sh
 copy_setports ns1/named.conf.in ns1/named.conf
--- a/bin/tests/system/sortlist/tests_sortlist.py
+++ b/bin/tests/system/sortlist/tests_sortlist.py
@ -1,53 +0,0 @@
 # Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # SPDX-License-Identifier: MPL-2.0
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0.  If a copy of the MPL was not distributed with this
 # file, you can obtain one at https://mozilla.org/MPL/2.0/.
 #
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
 import dns.message
 import pytest
 import isctest
 def test_sortlist():
    """Test two-element sortlist statement"""
    msg = dns.message.make_query("a.example.", "A")
    resp = isctest.query.tcp(msg, "10.53.0.1", source="10.53.0.1")
    sortlist = [
        "192.168.3.1",
        "192.168.1.1",
        "1.1.1.5",
        "1.1.1.1",
        "1.1.1.3",
        "1.1.1.2",
        "1.1.1.4",
    ]
    rrset = dns.rrset.from_text_list("a.example.", 300, "IN", "A", sortlist)
    assert len(resp.answer) == 1
    assert resp.answer[0] == rrset
    assert list(resp.answer[0].items) == list(rrset.items)
@pytest.mark.parametrize(
    "source_ip,possible_results",
    [
        ("10.53.0.2", ["10.53.0.2", "10.53.0.3"]),
        ("10.53.0.3", ["10.53.0.2", "10.53.0.3"]),
        ("10.53.0.4", ["10.53.0.4"]),
        ("10.53.0.5", ["10.53.0.5"]),
    ],
 )
 def test_sortlist_compat(possible_results, source_ip):
    """Test one-element sortlist statement and undocumented BIND 8 features"""
    msg = dns.message.make_query("b.example.", "A")
    resp = isctest.query.tcp(msg, "10.53.0.1", source=source_ip)
    assert (
        resp.answer[0][0].to_text() in possible_results
    ), f"{possible_results} not found"
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@ -240,7 +240,7 @@ Definition and Usage
 Address match lists are primarily used to determine access control for
 various server operations. They are also used in the :any:`listen-on` and
-:any:`sortlist` statements. The elements which constitute an address match
+:any:`listen-on-v6` statements. The elements which constitute an address match
 list can be any of the following:
 - :term:`ip_address`: an IP address (IPv4 or IPv6)
@ -269,8 +269,8 @@ comparisons require that the list of keys be traversed until a matching
 key is found, and therefore may be somewhat slower.
 The interpretation of a match depends on whether the list is being used
-for access control, defining :any:`listen-on` ports, or in a :any:`sortlist`,
+for access control or for defining :any:`listen-on` ports, and whether
-and whether the element was negated.
+the element was negated.
 When used as an access control list, a non-negated match allows access
 and a negated match denies access. If there is no match, access is
@ -3948,94 +3948,6 @@ Periodic Task Intervals
   gone away. For convenience, TTL-style time-unit suffixes may be used to
   specify the value. It also accepts ISO 8601 duration formats.
 The :any:`sortlist` Statement
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 The response to a DNS query may consist of multiple resource records
 (RRs) forming a resource record set (RRset). The name server
 normally returns the RRs within the RRset in an indeterminate order (but
 see the :any:`rrset-order` statement in :ref:`rrset_ordering`). The client resolver code should
 rearrange the RRs as appropriate: that is, using any addresses on the
 local net in preference to other addresses. However, not all resolvers
 can do this or are correctly configured. When a client is using a local
 server, the sorting can be performed in the server, based on the
 client's address. This only requires configuring the name servers, not
 all the clients.
 .. namedconf:statement:: sortlist
   :tags: query, deprecated
   :short: Controls the ordering of RRs returned to the client, based on the client's IP address.
   This option is deprecated and will be removed in a future release.
   The :any:`sortlist` statement (see below) takes an :term:`address_match_list` and
   interprets it in a special way. Each top-level statement in the :any:`sortlist`
   must itself be an explicit :term:`address_match_list` with one or two elements. The
   first element (which may be an IP address, an IP prefix, an ACL name, or a nested
   :term:`address_match_list`) of each top-level list is checked against the source
   address of the query until a match is found. When the addresses in the first
   element overlap, the first rule to match is selected.
   Once the source address of the query has been matched, if the top-level
   statement contains only one element, the actual primitive element that
   matched the source address is used to select the address in the response
   to move to the beginning of the response. If the statement is a list of
   two elements, then the second element is interpreted as a topology
   preference list. Each top-level element is assigned a distance, and the
   address in the response with the minimum distance is moved to the
   beginning of the response.
   In the following example, any queries received from any of the addresses
   of the host itself get responses preferring addresses on any of the
   locally connected networks. Next most preferred are addresses on the
   192.168.1/24 network, and after that either the 192.168.2/24 or
   192.168.3/24 network, with no preference shown between these two
   networks. Queries received from a host on the 192.168.1/24 network
   prefer other addresses on that network to the 192.168.2/24 and
   192.168.3/24 networks. Queries received from a host on the 192.168.4/24
   or the 192.168.5/24 network only prefer other addresses on their
   directly connected networks.
 ::
   sortlist {
       // IF the local host
       // THEN first fit on the following nets
       { localhost;
       { localnets;
           192.168.1/24;
           { 192.168.2/24; 192.168.3/24; }; }; };
       // IF on class C 192.168.1 THEN use .1, or .2 or .3
       { 192.168.1/24;
       { 192.168.1/24;
           { 192.168.2/24; 192.168.3/24; }; }; };
       // IF on class C 192.168.2 THEN use .2, or .1 or .3
       { 192.168.2/24;
       { 192.168.2/24;
           { 192.168.1/24; 192.168.3/24; }; }; };
       // IF on class C 192.168.3 THEN use .3, or .1 or .2
       { 192.168.3/24;
       { 192.168.3/24;
           { 192.168.1/24; 192.168.2/24; }; }; };
       // IF .4 or .5 THEN prefer that net
       { { 192.168.4/24; 192.168.5/24; };
       };
   };
 The following example illustrates reasonable behavior for the local host
 and hosts on directly connected networks. Responses sent to queries from the
 local host favor any of the directly connected networks. Responses
 sent to queries from any other hosts on a directly connected network
 prefer addresses on that same network. Responses to other queries
 are not sorted.
 ::
   sortlist {
          { localhost; localnets; };
          { localnets; };
   };
 .. _rrset_ordering:
 RRset Ordering
@ -4053,8 +3965,7 @@ RRset Ordering
   :short: Defines the order in which equal RRs (RRsets) are returned.
   The :any:`rrset-order` statement permits configuration of the ordering of
-   the records in a multiple-record response. See also:
+   the records in a multiple-record response.
   :any:`sortlist`.
   Each rule in an :any:`rrset-order` statement is defined as follows:
--- a/doc/arm/zones.inc.rst
+++ b/doc/arm/zones.inc.rst
@ -29,7 +29,7 @@ of RRs in a set is not significant and need not be preserved by name
 servers, resolvers, or other parts of the DNS. However, sorting of
 multiple RRs is permitted for optimization purposes: for example, to
 specify that a particular nearby server be tried first. See
-:any:`sortlist` and :ref:`rrset_ordering`.
+:ref:`rrset_ordering`.
 The components of a Resource Record are:
--- a/doc/misc/options
+++ b/doc/misc/options
@ -278,7 +278,6 @@ options {
 	sig-validity-interval <integer> [ <integer> ]; // obsolete
 	sig0checks-quota <integer>; // experimental
 	sig0checks-quota-exempt { <address_match_element>; ... }; // experimental
 	sortlist { <address_match_element>; ... }; // deprecated
 	stale-answer-client-timeout ( disabled | off | <integer> );
 	stale-answer-enable <boolean>;
 	stale-answer-ttl <duration>;
@ -574,7 +573,6 @@ view <string> [ <class> ] {
 	sig-signing-signatures <integer>;
 	sig-signing-type <integer>;
 	sig-validity-interval <integer> [ <integer> ]; // obsolete
 	sortlist { <address_match_element>; ... }; // deprecated
 	stale-answer-client-timeout ( disabled | off | <integer> );
 	stale-answer-enable <boolean>;
 	stale-answer-ttl <duration>;
--- a/fuzz/isc_lex_getmastertoken.in/named.conf
+++ b/fuzz/isc_lex_getmastertoken.in/named.conf
--- a/fuzz/isc_lex_gettoken.in/named.conf
+++ b/fuzz/isc_lex_gettoken.in/named.conf
@ -167,22 +167,6 @@ options {
 	interface - interval 1002;
 	statistics - interval 1003;
 	topology {
 		10 / 8;
 		!1.2.3 / 24;
 		{
 			1.2 / 16;
 			3 / 8;
 		};
 	};
 	sortlist {
 		10 / 8;
 		11 / 8;
 	};
 	tkey - domain "foo.com";
 	tkey - dhkey "xyz" 666;
--- a/lib/dns/include/dns/acl.h
+++ b/lib/dns/include/dns/acl.h
@ -233,8 +233,7 @@ dns_acl_match(const isc_netaddr_t *reqaddr, const dns_name_t *reqsigner,
 	      const dns_acl_t *acl, dns_aclenv_t *env, int *match,
 	      const dns_aclelement_t **matchelt);
 /*%<
- * General, low-level ACL matching.  This is expected to
+ * General, low-level ACL matching.
 * be useful even for weird stuff like the topology and sortlist statements.
 *
 * Match the address 'reqaddr', and optionally the key name 'reqsigner',
 * against 'acl'.  'reqsigner' may be NULL.
--- a/lib/dns/include/dns/message.h
+++ b/lib/dns/include/dns/message.h
@ -257,12 +257,6 @@ typedef enum dns_message_intent {
 typedef struct dns_msgblock dns_msgblock_t;
 struct dns_sortlist_arg {
 	dns_aclenv_t	       *env;
 	dns_acl_t	       *acl;
 	const dns_aclelement_t *element;
 };
 typedef struct dns_minttl {
 	bool	  is_set;
 	dns_ttl_t ttl;
@ -354,9 +348,6 @@ struct dns_message {
 	 */
 	isc_stdtime_t fuzztime;
 	dns_rdatasetorderfunc_t order;
 	dns_sortlist_arg_t	order_arg;
 	dns_indent_t indent;
 	dns_minttl_t minttl[DNS_SECTION_MAX];
@ -1388,26 +1379,6 @@ dns_message_getrawmessage(dns_message_t *msg);
 *	a pointer to a region which refers the dns message.
 */
 void
 dns_message_setsortorder(dns_message_t *msg, dns_rdatasetorderfunc_t order,
 			 dns_aclenv_t *env, dns_acl_t *acl,
 			 const dns_aclelement_t *element);
 /*%<
 * Define the order in which RR sets get rendered by
 * dns_message_rendersection() to be the ascending order
 * defined by the integer value returned by 'order' when
 * given each RR and a ns_sortlist_arg_t constructed from 'env',
 * 'acl', and 'element' as arguments.
 *
 * If 'order' is NULL, a default order is used.
 *
 * Requires:
 *\li	msg be a valid message.
 *\li	If 'env' is NULL, 'order' must be NULL.
 *\li	If 'env' is not NULL, 'order' must not be NULL and at least one of
 *	'acl' and 'element' must also not be NULL.
 */
 void
 dns_message_settimeadjust(dns_message_t *msg, int timeadjust);
 /*%<
--- a/lib/dns/include/dns/rdataset.h
+++ b/lib/dns/include/dns/rdataset.h
@ -481,31 +481,13 @@ dns_rdataset_towire(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
 *	dns_name_towire().
 */
 isc_result_t
 dns_rdataset_towiresorted(dns_rdataset_t   *rdataset,
 			  const dns_name_t *owner_name, dns_compress_t *cctx,
 			  isc_buffer_t *target, dns_rdatasetorderfunc_t order,
 			  const void *order_arg, unsigned int options,
 			  unsigned int *countp);
 /*%<
 * Like dns_rdataset_towire(), but sorting the rdatasets according to
 * the integer value returned by 'order' when called with the rdataset
 * and 'order_arg' as arguments.
 *
 * Requires:
 *\li	All the requirements of dns_rdataset_towire(), and
 *	that order_arg is NULL if and only if order is NULL.
 */
 isc_result_t
 dns_rdataset_towirepartial(dns_rdataset_t   *rdataset,
 			   const dns_name_t *owner_name, dns_compress_t *cctx,
-			   isc_buffer_t *target, dns_rdatasetorderfunc_t order,
+			   isc_buffer_t *target, unsigned int options,
 			   const void *order_arg, unsigned int options,
 			   unsigned int *countp, void **state);
 /*%<
- * Like dns_rdataset_towiresorted() except that a partial rdataset
+ * Like dns_rdataset_towire() except that a partial rdataset may be written.
 * may be written.
 *
 * Requires:
 *\li	All the requirements of dns_rdataset_towiresorted().
--- a/lib/dns/include/dns/types.h
+++ b/lib/dns/include/dns/types.h
@ -153,7 +153,6 @@ typedef struct dns_signature	dns_signature_t;
 typedef struct dns_skr		dns_skr_t;
 typedef struct dns_slabheader	dns_slabheader_t;
 typedef ISC_LIST(dns_slabheader_t) dns_slabheaderlist_t;
 typedef struct dns_sortlist_arg	  dns_sortlist_arg_t;
 typedef struct dns_ssurule	  dns_ssurule_t;
 typedef struct dns_ssutable	  dns_ssutable_t;
 typedef struct dns_stats	  dns_stats_t;
--- a/lib/dns/include/dns/view.h
+++ b/lib/dns/include/dns/view.h
@ -132,7 +132,6 @@ struct dns_view {
 	dns_acl_t	     *queryonacl;
 	dns_acl_t	     *recursionacl;
 	dns_acl_t	     *recursiononacl;
 	dns_acl_t	     *sortlist;
 	dns_acl_t	     *notifyacl;
 	dns_acl_t	     *transferacl;
 	dns_acl_t	     *updateacl;
--- a/lib/dns/message.c
+++ b/lib/dns/message.c
@ -441,10 +441,6 @@ msginit(dns_message_t *m) {
 	m->tcp_continuation = 0;
 	m->verified_sig = 0;
 	m->verify_attempted = 0;
 	m->order = NULL;
 	m->order_arg.env = NULL;
 	m->order_arg.acl = NULL;
 	m->order_arg.element = NULL;
 	m->query.base = NULL;
 	m->query.length = 0;
 	m->free_query = 0;
@ -662,13 +658,6 @@ msgreset(dns_message_t *msg, bool everything) {
 		dynbuf = next_dynbuf;
 	}
 	if (msg->order_arg.env != NULL) {
 		dns_aclenv_detach(&msg->order_arg.env);
 	}
 	if (msg->order_arg.acl != NULL) {
 		dns_acl_detach(&msg->order_arg.acl);
 	}
 	/*
 	 * Set other bits to normal default values.
 	 */
@ -2104,19 +2093,16 @@ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
 			    0 &&
 		    (rdataset->attributes & DNS_RDATASETATTR_RENDERED) == 0)
 		{
 			const void *order_arg = &msg->order_arg;
 			st = *(msg->buffer);
 			count = 0;
 			if (partial) {
 				result = dns_rdataset_towirepartial(
 					rdataset, name, msg->cctx, msg->buffer,
-					msg->order, order_arg, rd_options,
+					rd_options, &count, NULL);
 					&count, NULL);
 			} else {
-				result = dns_rdataset_towiresorted(
+				result = dns_rdataset_towire(
 					rdataset, name, msg->cctx, msg->buffer,
-					msg->order, order_arg, rd_options,
+					rd_options, &count);
 					&count);
 			}
 			total += count;
 			if (partial && result == ISC_R_NOSPACE) {
@ -2178,14 +2164,12 @@ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
 				if (partial) {
 					result = dns_rdataset_towirepartial(
 						rdataset, name, msg->cctx,
-						msg->buffer, msg->order,
+						msg->buffer, rd_options, &count,
-						&msg->order_arg, rd_options,
+						NULL);
 						&count, NULL);
 				} else {
-					result = dns_rdataset_towiresorted(
+					result = dns_rdataset_towire(
 						rdataset, name, msg->cctx,
-						msg->buffer, msg->order,
+						msg->buffer, rd_options,
 						&msg->order_arg, rd_options,
 						&count);
 				}
@ -4722,24 +4706,6 @@ dns_message_getrawmessage(dns_message_t *msg) {
 	return &msg->saved;
 }
 void
 dns_message_setsortorder(dns_message_t *msg, dns_rdatasetorderfunc_t order,
 			 dns_aclenv_t *env, dns_acl_t *acl,
 			 const dns_aclelement_t *elem) {
 	REQUIRE(DNS_MESSAGE_VALID(msg));
 	REQUIRE((order == NULL) == (env == NULL));
 	REQUIRE(env == NULL || (acl != NULL || elem != NULL));
 	msg->order = order;
 	if (env != NULL) {
 		dns_aclenv_attach(env, &msg->order_arg.env);
 	}
 	if (acl != NULL) {
 		dns_acl_attach(acl, &msg->order_arg.acl);
 	}
 	msg->order_arg.element = elem;
 }
 void
 dns_message_settimeadjust(dns_message_t *msg, int timeadjust) {
 	REQUIRE(DNS_MESSAGE_VALID(msg));
--- a/lib/dns/rdataset.c
+++ b/lib/dns/rdataset.c
@ -221,13 +221,6 @@ struct towire_sort {
 	dns_rdata_t *rdata;
 };
 static int
 towire_compare(const void *av, const void *bv) {
 	const struct towire_sort *a = (const struct towire_sort *)av;
 	const struct towire_sort *b = (const struct towire_sort *)bv;
 	return a->key - b->key;
 }
 static void
 swap_rdata(dns_rdata_t *in, unsigned int a, unsigned int b) {
 	dns_rdata_t rdata = in[a];
@ -236,18 +229,17 @@ swap_rdata(dns_rdata_t *in, unsigned int a, unsigned int b) {
 }
 static isc_result_t
-towiresorted(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
+towire(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
-	     dns_compress_t *cctx, isc_buffer_t *target,
+       dns_compress_t *cctx, isc_buffer_t *target, bool partial,
-	     dns_rdatasetorderfunc_t order, const void *order_arg, bool partial,
+       unsigned int options, unsigned int *countp,
-	     unsigned int options, unsigned int *countp,
+       void **state ISC_ATTR_UNUSED) {
 	     void **state ISC_ATTR_UNUSED) {
 	isc_region_t r;
 	isc_result_t result;
 	unsigned int i, count = 0, added;
 	isc_buffer_t savedbuffer, rdlen, rrbuffer;
 	unsigned int headlen;
 	bool question = false;
-	bool shuffle = false, sort = false;
+	bool shuffle = false;
 	bool want_random, want_cyclic;
 	dns_rdata_t in_fixed[MAX_SHUFFLE];
 	dns_rdata_t *in = in_fixed;
@ -297,28 +289,25 @@ towiresorted(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
 	}
 	/*
-	 * Do we want to sort and/or shuffle this answer?
+	 * Do we want to shuffle this answer?
 	 */
 	if (!question && count > 1 && rdataset->type != dns_rdatatype_rrsig) {
 		if (order != NULL) {
 			sort = true;
 		}
 		if (want_random || want_cyclic) {
 			shuffle = true;
 		}
 	}
-	if (shuffle || sort) {
+	if (shuffle) {
 		if (count > MAX_SHUFFLE) {
 			in = isc_mem_cget(cctx->mctx, count, sizeof(*in));
 			out = isc_mem_cget(cctx->mctx, count, sizeof(*out));
 			if (in == NULL || out == NULL) {
-				shuffle = sort = false;
+				shuffle = false;
 			}
 		}
 	}
-	if (shuffle || sort) {
+	if (shuffle) {
 		uint32_t seed = 0;
 		unsigned int j = 0;
@ -353,18 +342,12 @@ towiresorted(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
 				swap_rdata(in, j, j + seed % (count - j));
 			}
-			out[i].key = (sort) ? (*order)(&in[j], order_arg) : 0;
+			out[i].key = 0;
 			out[i].rdata = &in[j];
 			if (++j == count) {
 				j = 0;
 			}
 		}
 		/*
 		 * Sortlist order.
 		 */
 		if (sort) {
 			qsort(out, count, sizeof(out[0]), towire_compare);
 		}
 	}
 	savedbuffer = *target;
@ -415,7 +398,7 @@ towiresorted(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
 			/*
 			 * Copy out the rdata
 			 */
-			if (shuffle || sort) {
+			if (shuffle) {
 				rdata = *(out[i].rdata);
 			} else {
 				dns_rdata_reset(&rdata);
@ -433,7 +416,7 @@ towiresorted(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
 			added++;
 		}
-		if (shuffle || sort) {
+		if (shuffle) {
 			i++;
 			if (i == count) {
 				result = ISC_R_NOMORE;
@ -475,33 +458,22 @@ cleanup:
 	return result;
 }
 isc_result_t
 dns_rdataset_towiresorted(dns_rdataset_t *rdataset,
 			  const dns_name_t *owner_name, dns_compress_t *cctx,
 			  isc_buffer_t *target, dns_rdatasetorderfunc_t order,
 			  const void *order_arg, unsigned int options,
 			  unsigned int *countp) {
 	return towiresorted(rdataset, owner_name, cctx, target, order,
 			    order_arg, false, options, countp, NULL);
 }
 isc_result_t
 dns_rdataset_towirepartial(dns_rdataset_t *rdataset,
 			   const dns_name_t *owner_name, dns_compress_t *cctx,
-			   isc_buffer_t *target, dns_rdatasetorderfunc_t order,
+			   isc_buffer_t *target, unsigned int options,
 			   const void *order_arg, unsigned int options,
 			   unsigned int *countp, void **state) {
 	REQUIRE(state == NULL); /* XXX remove when implemented */
-	return towiresorted(rdataset, owner_name, cctx, target, order,
+	return towire(rdataset, owner_name, cctx, target, true, options, countp,
-			    order_arg, true, options, countp, state);
+		      state);
 }
 isc_result_t
 dns_rdataset_towire(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
 		    dns_compress_t *cctx, isc_buffer_t *target,
 		    unsigned int options, unsigned int *countp) {
-	return towiresorted(rdataset, owner_name, cctx, target, NULL, NULL,
+	return towire(rdataset, owner_name, cctx, target, false, options,
-			    false, options, countp, NULL);
+		      countp, NULL);
 }
 isc_result_t
--- a/lib/dns/view.c
+++ b/lib/dns/view.c
@ -324,9 +324,6 @@ destroy(dns_view_t *view) {
 	if (view->recursiononacl != NULL) {
 		dns_acl_detach(&view->recursiononacl);
 	}
 	if (view->sortlist != NULL) {
 		dns_acl_detach(&view->sortlist);
 	}
 	if (view->transferacl != NULL) {
 		dns_acl_detach(&view->transferacl);
 	}
--- a/lib/isccfg/aclconf.c
+++ b/lib/isccfg/aclconf.c
@ -812,9 +812,8 @@ cfg_acl_fromconfig(const cfg_obj_t *acl_data, const cfg_obj_t *cctx,
 			/*
 			 * If we're nesting ACLs, put the nested
 			 * ACL onto the elements list; otherwise
-			 * merge it into *this* ACL.  We nest ACLs
+			 * merge it into *this* ACL.  We nest the
-			 * in two cases: 1) sortlist, 2) if the
+			 * ACL if it contains negated members.
 			 * nested ACL contains negated members.
 			 */
 			if (inneracl != NULL) {
 				dns_acl_detach(&inneracl);
@ -953,7 +952,7 @@ cfg_acl_fromconfig(const cfg_obj_t *acl_data, const cfg_obj_t *cctx,
 		/*
 		 * This should only be reached for localhost, localnets
 		 * and keyname elements, and nested ACLs if nest_level is
-		 * nonzero (i.e., in sortlists).
+		 * nonzero.
 		 */
 		if (de->nestedacl != NULL &&
 		    de->type != dns_aclelementtype_nestedacl)
--- a/lib/isccfg/check.c
+++ b/lib/isccfg/check.c
@ -547,17 +547,13 @@ check_viewacls(cfg_aclconfctx_t *actx, const cfg_obj_t *voptions,
 	isc_result_t result = ISC_R_SUCCESS, tresult;
 	int i = 0;
-	static const char *acls[] = { "allow-proxy",
+	static const char *acls[] = {
-				      "allow-proxy-on",
+		"allow-proxy",	      "allow-proxy-on",
-				      "allow-query",
+		"allow-query",	      "allow-query-on",
-				      "allow-query-on",
+		"allow-query-cache",  "allow-query-cache-on",
-				      "allow-query-cache",
+		"blackhole",	      "match-clients",
-				      "allow-query-cache-on",
+		"match-destinations", NULL
-				      "blackhole",
+	};
 				      "match-clients",
 				      "match-destinations",
 				      "sortlist",
 				      NULL };
 	while (acls[i] != NULL) {
 		tresult = checkacl(acls[i++], actx, NULL, voptions, config,
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@ -2119,7 +2119,7 @@ static cfg_clausedef_t view_clauses[] = {
 	{ "rrset-order", &cfg_type_rrsetorder, 0 },
 	{ "send-cookie", &cfg_type_boolean, 0 },
 	{ "servfail-ttl", &cfg_type_duration, 0 },
-	{ "sortlist", &cfg_type_bracketed_aml, CFG_CLAUSEFLAG_DEPRECATED },
+	{ "sortlist", &cfg_type_bracketed_aml, CFG_CLAUSEFLAG_ANCIENT },
 	{ "stale-answer-enable", &cfg_type_boolean, 0 },
 	{ "stale-answer-client-timeout", &cfg_type_staleanswerclienttimeout,
 	  0 },
--- a/lib/ns/Makefile.am
+++ b/lib/ns/Makefile.am
@ -15,7 +15,6 @@ libns_la_HEADERS =			\
 	include/ns/notify.h		\
 	include/ns/query.h		\
 	include/ns/server.h		\
 	include/ns/sortlist.h		\
 	include/ns/stats.h		\
 	include/ns/types.h		\
 	include/ns/update.h		\
@ -31,7 +30,6 @@ libns_la_SOURCES =		\
 	probes.d		\
 	query.c			\
 	server.c		\
 	sortlist.c		\
 	stats.c			\
 	update.c		\
 	xfrout.c
--- a/lib/ns/include/ns/sortlist.h
+++ b/lib/ns/include/ns/sortlist.h
@ -1,68 +0,0 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
 * SPDX-License-Identifier: MPL-2.0
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */
 #pragma once
 /*! \file */
 #include <isc/types.h>
 #include <dns/acl.h>
 #include <dns/types.h>
 /*%
 * Type for callback functions that rank addresses.
 */
 typedef int (*dns_addressorderfunc_t)(const isc_netaddr_t *address,
 				      const void	  *arg);
 /*%
 * Return value type for setup_sortlist.
 */
 typedef enum {
 	NS_SORTLISTTYPE_NONE,
 	NS_SORTLISTTYPE_1ELEMENT,
 	NS_SORTLISTTYPE_2ELEMENT
 } ns_sortlisttype_t;
 ns_sortlisttype_t
 ns_sortlist_setup(dns_acl_t *acl, dns_aclenv_t *env, isc_netaddr_t *clientaddr,
 		  void **argp);
 /*%<
 * Find the sortlist statement in 'acl' (for ACL environment 'env')
 * that applies to 'clientaddr', if any.
 *
 * If a 1-element sortlist item applies, return NS_SORTLISTTYPE_1ELEMENT and
 * make '*argp' point to the matching subelement.
 *
 * If a 2-element sortlist item applies, return NS_SORTLISTTYPE_2ELEMENT and
 * make '*argp' point to ACL that forms the second element.
 *
 * If no sortlist item applies, return NS_SORTLISTTYPE_NONE and set '*argp'
 * to NULL.
 */
 int
 ns_sortlist_addrorder1(const isc_netaddr_t *addr, const void *arg);
 /*%<
 * Find the sort order of 'addr' in 'arg', the matching element
 * of a 1-element top-level sortlist statement.
 */
 int
 ns_sortlist_addrorder2(const isc_netaddr_t *addr, const void *arg);
 /*%<
 * Find the sort order of 'addr' in 'arg', a topology-like
 * ACL forming the second element in a 2-element top-level
 * sortlist statement.
 */
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@ -69,7 +69,6 @@
 #include <ns/hooks.h>
 #include <ns/interfacemgr.h>
 #include <ns/server.h>
 #include <ns/sortlist.h>
 #include <ns/stats.h>
 #include <ns/xfrout.h>
@ -4396,35 +4395,6 @@ rpz_ck_dnssec(ns_client_t *client, isc_result_t qresult,
 	return true;
 }
 /*
 * Extract a network address from the RDATA of an A or AAAA
 * record.
 *
 * Returns:
 *	ISC_R_SUCCESS
 *	ISC_R_NOTIMPLEMENTED	The rdata is not a known address type.
 */
 static isc_result_t
 rdata_tonetaddr(const dns_rdata_t *rdata, isc_netaddr_t *netaddr) {
 	struct in_addr ina;
 	struct in6_addr in6a;
 	switch (rdata->type) {
 	case dns_rdatatype_a:
 		INSIST(rdata->length == 4);
 		memmove(&ina.s_addr, rdata->data, 4);
 		isc_netaddr_fromin(netaddr, &ina);
 		return ISC_R_SUCCESS;
 	case dns_rdatatype_aaaa:
 		INSIST(rdata->length == 16);
 		memmove(in6a.s6_addr, rdata->data, 16);
 		isc_netaddr_fromin6(netaddr, &in6a);
 		return ISC_R_SUCCESS;
 	default:
 		return ISC_R_NOTIMPLEMENTED;
 	}
 }
 static unsigned char inaddr10_offsets[] = { 0, 3, 11, 16 };
 static unsigned char inaddr172_offsets[] = { 0, 3, 7, 15, 20 };
 static unsigned char inaddr192_offsets[] = { 0, 4, 8, 16, 21 };
@ -11354,72 +11324,6 @@ query_addauth(query_ctx_t *qctx) {
 	}
 }
 /*
 * Find the sort order of 'rdata' in the topology-like
 * ACL forming the second element in a 2-element top-level
 * sortlist statement.
 */
 static int
 query_sortlist_order_2element(const dns_rdata_t *rdata, const void *arg) {
 	isc_netaddr_t netaddr;
 	if (rdata_tonetaddr(rdata, &netaddr) != ISC_R_SUCCESS) {
 		return INT_MAX;
 	}
 	return ns_sortlist_addrorder2(&netaddr, arg);
 }
 /*
 * Find the sort order of 'rdata' in the matching element
 * of a 1-element top-level sortlist statement.
 */
 static int
 query_sortlist_order_1element(const dns_rdata_t *rdata, const void *arg) {
 	isc_netaddr_t netaddr;
 	if (rdata_tonetaddr(rdata, &netaddr) != ISC_R_SUCCESS) {
 		return INT_MAX;
 	}
 	return ns_sortlist_addrorder1(&netaddr, arg);
 }
 /*
 * Find the sortlist statement that applies to 'client' and set up
 * the sortlist info in in client->message appropriately.
 */
 static void
 query_setup_sortlist(query_ctx_t *qctx) {
 	isc_netaddr_t netaddr;
 	ns_client_t *client = qctx->client;
 	dns_aclenv_t *env = client->manager->aclenv;
 	dns_acl_t *acl = NULL;
 	dns_aclelement_t *elt = NULL;
 	void *order_arg = NULL;
 	isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
 	switch (ns_sortlist_setup(client->view->sortlist, env, &netaddr,
 				  &order_arg))
 	{
 	case NS_SORTLISTTYPE_1ELEMENT:
 		elt = order_arg;
 		dns_message_setsortorder(client->message,
 					 query_sortlist_order_1element, env,
 					 NULL, elt);
 		break;
 	case NS_SORTLISTTYPE_2ELEMENT:
 		acl = order_arg;
 		dns_message_setsortorder(client->message,
 					 query_sortlist_order_2element, env,
 					 acl, NULL);
 		dns_acl_detach(&acl);
 		break;
 	case NS_SORTLISTTYPE_NONE:
 		break;
 	default:
 		UNREACHABLE();
 	}
 }
 /*
 * When sending a referral, if the answer to the question is
 * in the glue, sort it to the start of the additional section.
@ -11582,13 +11486,11 @@ ns_query_done(query_ctx_t *qctx) {
 	}
 	/*
-	 * We are done.  Set up sortlist data for the message
+	 * We are done. Sort the answer to the front of the
 	 * rendering code, sort the answer to the front of the
 	 * additional section if necessary, make a final tweak
 	 * to the AA bit if the auth-nxdomain config option
 	 * says so, then render and send the response.
 	 */
 	query_setup_sortlist(qctx);
 	query_glueanswer(qctx);
 	if (qctx->client->message->rcode == dns_rcode_nxdomain &&
--- a/lib/ns/sortlist.c
+++ b/lib/ns/sortlist.c
@ -1,150 +0,0 @@
 /*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
 * SPDX-License-Identifier: MPL-2.0
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */
 /*! \file */
 #include <isc/mem.h>
 #include <isc/result.h>
 #include <isc/util.h>
 #include <dns/acl.h>
 #include <dns/message.h>
 #include <ns/server.h>
 #include <ns/sortlist.h>
 ns_sortlisttype_t
 ns_sortlist_setup(dns_acl_t *acl, dns_aclenv_t *env, isc_netaddr_t *clientaddr,
 		  void **argp) {
 	if (acl == NULL) {
 		goto dont_sort;
 	}
 	for (size_t i = 0; i < acl->length; i++) {
 		/*
 		 * 'e' refers to the current 'top level statement'
 		 * in the sortlist (see ARM).
 		 */
 		dns_aclelement_t *e = &acl->elements[i];
 		dns_aclelement_t *try_elt;
 		dns_aclelement_t *order_elt = NULL;
 		dns_aclelement_t *matched_elt = NULL;
 		if (e->type == dns_aclelementtype_nestedacl) {
 			dns_acl_t *inner = e->nestedacl;
 			if (inner->length == 0) {
 				try_elt = e;
 			} else if (inner->length > 2) {
 				goto dont_sort;
 			} else if (inner->elements[0].negative) {
 				goto dont_sort;
 			} else {
 				try_elt = &inner->elements[0];
 				if (inner->length == 2) {
 					order_elt = &inner->elements[1];
 				}
 			}
 		} else {
 			/*
 			 * BIND 8 allows bare elements at the top level
 			 * as an undocumented feature.
 			 */
 			try_elt = e;
 		}
 		if (!dns_aclelement_match(
 			    clientaddr, NULL, try_elt, env,
 			    (const dns_aclelement_t **)&matched_elt))
 		{
 			continue;
 		}
 		if (order_elt == NULL) {
 			INSIST(matched_elt != NULL);
 			*argp = matched_elt;
 			return NS_SORTLISTTYPE_1ELEMENT;
 		}
 		if (order_elt->type == dns_aclelementtype_nestedacl) {
 			dns_acl_t *inner = NULL;
 			dns_acl_attach(order_elt->nestedacl, &inner);
 			*argp = inner;
 			return NS_SORTLISTTYPE_2ELEMENT;
 		}
 		if (order_elt->type == dns_aclelementtype_localhost) {
 			rcu_read_lock();
 			dns_acl_t *inner = rcu_dereference(env->localhost);
 			if (inner != NULL) {
 				*argp = dns_acl_ref(inner);
 				rcu_read_unlock();
 				return NS_SORTLISTTYPE_2ELEMENT;
 			}
 			rcu_read_unlock();
 		}
 		if (order_elt->type == dns_aclelementtype_localnets) {
 			rcu_read_lock();
 			dns_acl_t *inner = rcu_dereference(env->localhost);
 			if (inner != NULL) {
 				*argp = dns_acl_ref(inner);
 				rcu_read_unlock();
 				return NS_SORTLISTTYPE_2ELEMENT;
 			}
 			rcu_read_unlock();
 		}
 		/*
 		 * BIND 8 allows a bare IP prefix as
 		 * the 2nd element of a 2-element
 		 * sortlist statement.
 		 */
 		*argp = order_elt;
 		return NS_SORTLISTTYPE_1ELEMENT;
 	}
 dont_sort:
 	*argp = NULL;
 	return NS_SORTLISTTYPE_NONE;
 }
 int
 ns_sortlist_addrorder2(const isc_netaddr_t *addr, const void *arg) {
 	const dns_sortlist_arg_t *sla = (const dns_sortlist_arg_t *)arg;
 	dns_aclenv_t *env = sla->env;
 	const dns_acl_t *sortacl = sla->acl;
 	int match;
 	(void)dns_acl_match(addr, NULL, sortacl, env, &match, NULL);
 	if (match > 0) {
 		return match;
 	} else if (match < 0) {
 		return INT_MAX - (-match);
 	} else {
 		return INT_MAX / 2;
 	}
 }
 int
 ns_sortlist_addrorder1(const isc_netaddr_t *addr, const void *arg) {
 	const dns_sortlist_arg_t *sla = (const dns_sortlist_arg_t *)arg;
 	dns_aclenv_t *env = sla->env;
 	const dns_aclelement_t *element = sla->element;
 	if (dns_aclelement_match(addr, NULL, element, env, NULL)) {
 		return 0;
 	}
 	return INT_MAX;
 }
--- a/tests/ns/query_test.c
+++ b/tests/ns/query_test.c
@ -1383,7 +1383,6 @@ run_hookasync_e2e_test(const ns__query_hookasync_e2e_test_params_t *test) {
 	result = ns_test_qctx_create(&qctx_params, &qctx);
 	INSIST(result == ISC_R_SUCCESS);
 	isc_sockaddr_any(&qctx->client->peeraddr); /* for sortlist */
 	qctx->client->sendcb = send_noop;
 	/* Load a zone.  it should have ns.foo/A */