From 362ba054cf264fc6aa5db8b1c918a37c6129c47d Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Wed, 8 Feb 2023 10:33:06 -0800
Subject: [PATCH] clean up some deprecated/obsolete options and doc

- removed documentation of -S option from named man page
- removed documentation of reserved-sockets from ARM
- simplified documentation of dnssec-secure-to-insecure - it
  now just says it's obsolete rather than describing what it
  doesn't do anymore
- marked three formerly obsolete options as ancient:
  parent-registration-delay, reserved-sockets, and
  suppress-initial-notify
---
 bin/named/config.c          |  1 -
 bin/named/named.rst         | 16 ----------------
 bin/plugins/filter-aaaa.rst |  2 +-
 doc/arm/reference.rst       | 14 ++------------
 doc/misc/options            |  4 ----
 lib/dns/include/dns/zone.h  | 19 +++++++++----------
 lib/isccfg/namedconf.c      |  6 +++---
 7 files changed, 15 insertions(+), 47 deletions(-)

diff --git a/bin/named/config.c b/bin/named/config.c
index 378582d2ed..2ae6ac8e7e 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -100,7 +100,6 @@ options {\n\
 	recursing-file \"named.recursing\";\n\
 	recursive-clients 1000;\n\
 	request-nsid false;\n\
-	reserved-sockets 512;\n\
 	resolver-query-timeout 10;\n\
 	rrset-order { order random; };\n\
 	secroots-file \"named.secroots\";\n\
diff --git a/bin/named/named.rst b/bin/named/named.rst
index dc6e46d3f6..9bda28e8c2 100644
--- a/bin/named/named.rst
+++ b/bin/named/named.rst
@@ -143,22 +143,6 @@ Options
       This option is mainly of interest to BIND 9 developers and may be
       removed or changed in a future release.
 
-.. option:: -S #max-socks
-
-   This option is deprecated and no longer has any function.
-
-.. warning::
-
-      This option should be unnecessary for the vast majority of users.
-      The use of this option could even be harmful, because the specified
-      value may exceed the limitation of the underlying system API. It
-      is therefore set only when the default configuration causes
-      exhaustion of file descriptors and the operational environment is
-      known to support the specified number of sockets. Note also that
-      the actual maximum number is normally slightly fewer than the
-      specified value, because :program:`named` reserves some file descriptors
-      for its internal use.
-
 .. option:: -t directory
 
    This option tells :program:`named` to chroot to ``directory`` after processing the command-line arguments, but
diff --git a/bin/plugins/filter-aaaa.rst b/bin/plugins/filter-aaaa.rst
index 8cd7556915..89904da741 100644
--- a/bin/plugins/filter-aaaa.rst
+++ b/bin/plugins/filter-aaaa.rst
@@ -30,7 +30,7 @@ Description
 
 Until BIND 9.12, this feature was implemented natively in :iscman:`named` and
 enabled with the ``filter-aaaa`` ACL and the ``filter-aaaa-on-v4`` and
-``filter-aaaa-on-v6`` options. These options are now deprecated in
+``filter-aaaa-on-v6`` options. These options are no longer available in
 :iscman:`named.conf` but can be passed as parameters to the
 ``filter-aaaa.so`` plugin, for example:
 
diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
index db1a6fcaa7..9745952403 100644
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@@ -2823,11 +2823,9 @@ Boolean Options
    ``yes``.
 
 .. namedconf:statement:: dnssec-secure-to-insecure
-   :tags: dnssec
-   :short: Allows a dynamic zone to transition from secure to insecure by deleting all DNSKEY records (obsoleted).
+   :tags: obsolete
 
-   This option used to allow a dynamic zone to transition from secure to insecure by deleting all DNSKEY records.
-   It has been obsoleted because DNSSEC key operations triggered by dynamic updates are no longer supported.
+   This option no longer has any effect.
 
 .. namedconf:statement:: synth-from-dnssec
    :tags: dnssec
@@ -3774,11 +3772,6 @@ system.
    arguments are all fixed-point numbers with precision of 1/100; at
    most two places after the decimal point are significant.
 
-.. namedconf:statement:: reserved-sockets
-   :tags: deprecated
-
-   This option is deprecated and no longer has any effect.
-
 .. namedconf:statement:: max-cache-size
    :tags: server
    :short: Sets the maximum amount of memory to use for an individual cache database and its associated metadata.
@@ -7214,9 +7207,6 @@ Zone Options
    The use of this option in :any:`zone` blocks is deprecated and
    will be rendered nonoperational in a future release.
 
-:any:`dnssec-secure-to-insecure`
-   See the description of :any:`dnssec-secure-to-insecure` in :ref:`boolean_options`.
-
 .. _dynamic_update_policies:
 
 Dynamic Update Policies
diff --git a/doc/misc/options b/doc/misc/options
index 2d373bcf13..d665a1f07c 100644
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -17,7 +17,6 @@ dnssec-policy <string> {
 	nsec3param [ iterations <integer> ] [ optout <boolean> ] [ salt-length <integer> ];
 	parent-ds-ttl <duration>;
 	parent-propagation-delay <duration>;
-	parent-registration-delay <duration>; // obsolete
 	publish-safety <duration>;
 	purge-keys <duration>;
 	retire-safety <duration>;
@@ -244,7 +243,6 @@ options {
 	request-ixfr <boolean>;
 	request-nsid <boolean>;
 	require-server-cookie <boolean>;
-	reserved-sockets <integer>; // deprecated
 	resolver-nonbackoff-tries <integer>;
 	resolver-query-timeout <integer>;
 	resolver-retry-interval <integer>;
@@ -275,7 +273,6 @@ options {
 	stale-refresh-time <duration>;
 	startup-notify-rate <integer>;
 	statistics-file <quoted_string>;
-	suppress-initial-notify <boolean>; // obsolete
 	synth-from-dnssec <boolean>;
 	tcp-advertised-timeout <integer>;
 	tcp-clients <integer>;
@@ -568,7 +565,6 @@ view <string> [ <class> ] {
 	stale-answer-ttl <duration>;
 	stale-cache-enable <boolean>;
 	stale-refresh-time <duration>;
-	suppress-initial-notify <boolean>; // obsolete
 	synth-from-dnssec <boolean>;
 	transfer-format ( many-answers | one-answer );
 	transfer-source ( <ipv4_address> | * );
diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h
index 2ee576d525..019effd051 100644
--- a/lib/dns/include/dns/zone.h
+++ b/lib/dns/include/dns/zone.h
@@ -90,16 +90,15 @@ typedef enum {
 					      */
 	DNS_ZONEOPT_NOTIFYTOSOA = 1 << 21,   /*%< Notify the SOA MNAME */
 	DNS_ZONEOPT_NSEC3TESTZONE = 1 << 22, /*%< nsec3-test-zone */
-	DNS_ZONEOPT_SECURETOINSECURE = 1 << 23, /*%< dnssec-secure-to-insecure,
-						 * obsoleted */
-	DNS_ZONEOPT_DNSKEYKSKONLY = 1 << 24,	/*%< dnssec-dnskey-kskonly */
-	DNS_ZONEOPT_CHECKDUPRR = 1 << 25,	/*%< check-dup-records */
-	DNS_ZONEOPT_CHECKDUPRRFAIL = 1 << 26,	/*%< fatal check-dup-records
-						 * failures */
-	DNS_ZONEOPT_CHECKSPF = 1 << 27,		/*%< check SPF records */
-	DNS_ZONEOPT_CHECKTTL = 1 << 28,		/*%< check max-zone-ttl */
-	DNS_ZONEOPT_AUTOEMPTY = 1 << 29,	/*%< automatic empty zone */
-	DNS_ZONEOPT_CHECKSVCB = 1 << 30,	/*%< check SVBC records */
+	/* DNS_ZONEOPT_SECURETOINSECURE = 1 << 23, */
+	DNS_ZONEOPT_DNSKEYKSKONLY = 1 << 24,  /*%< dnssec-dnskey-kskonly */
+	DNS_ZONEOPT_CHECKDUPRR = 1 << 25,     /*%< check-dup-records */
+	DNS_ZONEOPT_CHECKDUPRRFAIL = 1 << 26, /*%< fatal check-dup-records
+					       * failures */
+	DNS_ZONEOPT_CHECKSPF = 1 << 27,	      /*%< check SPF records */
+	DNS_ZONEOPT_CHECKTTL = 1 << 28,	      /*%< check max-zone-ttl */
+	DNS_ZONEOPT_AUTOEMPTY = 1 << 29,      /*%< automatic empty zone */
+	DNS_ZONEOPT_CHECKSVCB = 1 << 30,      /*%< check SVBC records */
 	DNS_ZONEOPT___MAX = UINT64_MAX, /* trick to make the ENUM 64-bit wide */
 } dns_zoneopt_t;
 
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index 35e2310371..b3f35c52e2 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -1307,7 +1307,7 @@ static cfg_clausedef_t options_clauses[] = {
 	{ "recursing-file", &cfg_type_qstring, 0 },
 	{ "recursive-clients", &cfg_type_uint32, 0 },
 	{ "reuseport", &cfg_type_boolean, 0 },
-	{ "reserved-sockets", &cfg_type_uint32, CFG_CLAUSEFLAG_DEPRECATED },
+	{ "reserved-sockets", &cfg_type_uint32, CFG_CLAUSEFLAG_ANCIENT },
 	{ "secroots-file", &cfg_type_qstring, 0 },
 	{ "serial-queries", NULL, CFG_CLAUSEFLAG_ANCIENT },
 	{ "serial-query-rate", &cfg_type_uint32, 0 },
@@ -2152,7 +2152,7 @@ static cfg_clausedef_t view_clauses[] = {
 	{ "stale-cache-enable", &cfg_type_boolean, 0 },
 	{ "stale-refresh-time", &cfg_type_duration, 0 },
 	{ "suppress-initial-notify", &cfg_type_boolean,
-	  CFG_CLAUSEFLAG_OBSOLETE },
+	  CFG_CLAUSEFLAG_ANCIENT },
 	{ "synth-from-dnssec", &cfg_type_boolean, 0 },
 	{ "topology", NULL, CFG_CLAUSEFLAG_ANCIENT },
 	{ "transfer-format", &cfg_type_transferformat, 0 },
@@ -2201,7 +2201,7 @@ static cfg_clausedef_t dnssecpolicy_clauses[] = {
 	{ "parent-ds-ttl", &cfg_type_duration, 0 },
 	{ "parent-propagation-delay", &cfg_type_duration, 0 },
 	{ "parent-registration-delay", &cfg_type_duration,
-	  CFG_CLAUSEFLAG_OBSOLETE },
+	  CFG_CLAUSEFLAG_ANCIENT },
 	{ "publish-safety", &cfg_type_duration, 0 },
 	{ "purge-keys", &cfg_type_duration, 0 },
 	{ "retire-safety", &cfg_type_duration, 0 },