mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-09-01 15:05:23 +00:00

Merge branch '7-matthijs-deprecate-dnssec-lookaside' into 'master'

Deprecate dnssec-lookaside option

Closes #7

See merge request isc-projects/bind9!2104
Matthijs Mekking
2019-07-04 08:51:32 -04:00
15 changed files with 56 additions and 38 deletions


@@ -13,7 +13,7 @@
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named.conf"> <refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named.conf">
<info> <info>
<date>2019-05-10</date> <date>2019-06-28</date>
</info> </info>
<refentryinfo> <refentryinfo>
<corpname>ISC</corpname> <corpname>ISC</corpname>
@@ -158,9 +158,10 @@ logging {
<refsection><info><title>MANAGED-KEYS</title></info> <refsection><info><title>MANAGED-KEYS</title></info>
<para>Deprecated - see DNSSEC-KEYS.</para> <para>Deprecated - see DNSSEC-KEYS.</para>
<literallayout class="normal"> <literallayout class="normal">
managed-keys { <replaceable>string</replaceable> ( static-key | managed-keys { <replaceable>string</replaceable> ( static-key
initial-key ) <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable> | initial-key ) <replaceable>integer</replaceable>
<replaceable>quoted_string</replaceable>; ... }; <replaceable>integer</replaceable> <replaceable>integer</replaceable>
<replaceable>quoted_string</replaceable>; ... }; deprecated
</literallayout> </literallayout>
</refsection> </refsection>
@@ -220,7 +221,6 @@ options {
check-spf ( warn | ignore ); check-spf ( warn | ignore );
check-srv-cname ( fail | warn | ignore ); check-srv-cname ( fail | warn | ignore );
check-wildcard <replaceable>boolean</replaceable>; check-wildcard <replaceable>boolean</replaceable>;
cleaning-interval <replaceable>integer</replaceable>;
clients-per-query <replaceable>integer</replaceable>; clients-per-query <replaceable>integer</replaceable>;
cookie-algorithm ( aes | sha1 | sha256 ); cookie-algorithm ( aes | sha1 | sha256 );
cookie-secret <replaceable>string</replaceable>; cookie-secret <replaceable>string</replaceable>;
@@ -253,8 +253,9 @@ options {
dnssec-accept-expired <replaceable>boolean</replaceable>; dnssec-accept-expired <replaceable>boolean</replaceable>;
dnssec-dnskey-kskonly <replaceable>boolean</replaceable>; dnssec-dnskey-kskonly <replaceable>boolean</replaceable>;
dnssec-loadkeys-interval <replaceable>integer</replaceable>; dnssec-loadkeys-interval <replaceable>integer</replaceable>;
dnssec-lookaside ( <replaceable>string</replaceable> trust-anchor dnssec-lookaside ( <replaceable>string</replaceable>
<replaceable>string</replaceable> | auto | no ); trust-anchor <replaceable>string</replaceable> |
auto | no ); deprecated
dnssec-must-be-secure <replaceable>string</replaceable> <replaceable>boolean</replaceable>; dnssec-must-be-secure <replaceable>string</replaceable> <replaceable>boolean</replaceable>;
dnssec-secure-to-insecure <replaceable>boolean</replaceable>; dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
dnssec-update-mode ( maintain | no-resign ); dnssec-update-mode ( maintain | no-resign );
@@ -534,7 +535,7 @@ statistics-channels {
<literallayout class="normal"> <literallayout class="normal">
trusted-keys { <replaceable>string</replaceable> <replaceable>integer</replaceable> trusted-keys { <replaceable>string</replaceable> <replaceable>integer</replaceable>
<replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable>
<replaceable>quoted_string</replaceable>; ... };, deprecated <replaceable>quoted_string</replaceable>; ... }; deprecated
</literallayout> </literallayout>
</refsection> </refsection>
@@ -579,7 +580,6 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
check-spf ( warn | ignore ); check-spf ( warn | ignore );
check-srv-cname ( fail | warn | ignore ); check-srv-cname ( fail | warn | ignore );
check-wildcard <replaceable>boolean</replaceable>; check-wildcard <replaceable>boolean</replaceable>;
cleaning-interval <replaceable>integer</replaceable>;
clients-per-query <replaceable>integer</replaceable>; clients-per-query <replaceable>integer</replaceable>;
deny-answer-addresses { <replaceable>address_match_element</replaceable>; ... } [ deny-answer-addresses { <replaceable>address_match_element</replaceable>; ... } [
except-from { <replaceable>string</replaceable>; ... } ]; except-from { <replaceable>string</replaceable>; ... } ];
@@ -614,8 +614,9 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
initial-key ) <replaceable>integer</replaceable> <replaceable>integer</replaceable> initial-key ) <replaceable>integer</replaceable> <replaceable>integer</replaceable>
<replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>; ... }; <replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>; ... };
dnssec-loadkeys-interval <replaceable>integer</replaceable>; dnssec-loadkeys-interval <replaceable>integer</replaceable>;
dnssec-lookaside ( <replaceable>string</replaceable> trust-anchor dnssec-lookaside ( <replaceable>string</replaceable>
<replaceable>string</replaceable> | auto | no ); trust-anchor <replaceable>string</replaceable> |
auto | no ); deprecated
dnssec-must-be-secure <replaceable>string</replaceable> <replaceable>boolean</replaceable>; dnssec-must-be-secure <replaceable>string</replaceable> <replaceable>boolean</replaceable>;
dnssec-secure-to-insecure <replaceable>boolean</replaceable>; dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
dnssec-update-mode ( maintain | no-resign ); dnssec-update-mode ( maintain | no-resign );
@@ -650,9 +651,11 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
key-directory <replaceable>quoted_string</replaceable>; key-directory <replaceable>quoted_string</replaceable>;
lame-ttl <replaceable>ttlval</replaceable>; lame-ttl <replaceable>ttlval</replaceable>;
lmdb-mapsize <replaceable>sizeval</replaceable>; lmdb-mapsize <replaceable>sizeval</replaceable>;
managed-keys { <replaceable>string</replaceable> ( static-key | managed-keys { <replaceable>string</replaceable> (
initial-key ) <replaceable>integer</replaceable> <replaceable>integer</replaceable> static-key | initial-key
<replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>; ... };, deprecated ) <replaceable>integer</replaceable> <replaceable>integer</replaceable>
<replaceable>integer</replaceable>
<replaceable>quoted_string</replaceable>; ... }; deprecated
masterfile-format ( map | raw | text ); masterfile-format ( map | raw | text );
masterfile-style ( full | relative ); masterfile-style ( full | relative );
match-clients { <replaceable>address_match_element</replaceable>; ... }; match-clients { <replaceable>address_match_element</replaceable>; ... };
@@ -805,7 +808,7 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
trusted-keys { <replaceable>string</replaceable> trusted-keys { <replaceable>string</replaceable>
<replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable>
<replaceable>integer</replaceable> <replaceable>integer</replaceable>
<replaceable>quoted_string</replaceable>; ... };, deprecated <replaceable>quoted_string</replaceable>; ... }; deprecated
try-tcp-refresh <replaceable>boolean</replaceable>; try-tcp-refresh <replaceable>boolean</replaceable>;
update-check-ksk <replaceable>boolean</replaceable>; update-check-ksk <replaceable>boolean</replaceable>;
use-alt-transfer-source <replaceable>boolean</replaceable>; use-alt-transfer-source <replaceable>boolean</replaceable>;


@@ -11,6 +11,7 @@
options { options {
dnssec-validation yes; dnssec-validation yes;
dnssec-lookaside . trust-anchor dlv.example.com;
}; };
trusted-keys { trusted-keys {


@@ -24,7 +24,6 @@ view view3 {
view view4 { view view4 {
match-clients { none; }; match-clients { none; };
dnssec-lookaside no;
}; };
view view5 { view view5 {


@@ -107,7 +107,6 @@ view "second" {
1.2.3.4; 1.2.3.4;
}; };
}; };
dnssec-lookaside "." trust-anchor "example.org.";
dnssec-validation auto; dnssec-validation auto;
zone-statistics full; zone-statistics full;
}; };


@@ -130,6 +130,7 @@ n=`expr $n + 1`
echo_i "checking named-checkconf deprecate warnings ($n)" echo_i "checking named-checkconf deprecate warnings ($n)"
ret=0 ret=0
$CHECKCONF deprecated.conf > checkconf.out$n.1 2>&1 $CHECKCONF deprecated.conf > checkconf.out$n.1 2>&1
grep "option 'dnssec-lookaside' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
grep "option 'managed-keys' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 grep "option 'managed-keys' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
grep "option 'trusted-keys' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 grep "option 'trusted-keys' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -401,10 +402,12 @@ if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
status=`expr $status + $ret` status=`expr $status + $ret`
n=`expr $n + 1` n=`expr $n + 1`
echo_i "check that 'dnssec-lookaside . trust-anchor dlv.example.com;' does not generate a warning ($n)" echo_i "check that 'dnssec-lookaside . trust-anchor dlv.example.com;' generates only a deprecate warning ($n)"
ret=0 ret=0
$CHECKCONF good-dlv-dlv.example.com.conf > checkconf.out$n 2>/dev/null || ret=1 $CHECKCONF good-dlv-dlv.example.com.conf > checkconf.out$n 2>/dev/null || ret=1
[ -s checkconf.out$n ] && ret=1 lines=$(wc -l < checkconf.out$n)
if [ $lines != 1 ]; then ret=1; fi
grep "option 'dnssec-lookaside' is deprecated" < checkconf.out$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
status=`expr $status + $ret` status=`expr $status + $ret`
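Review bot: The count check `if [ $lines != 1 ]; then ret=1; fi` fails open: if `wc -l` yields nothing, the unquoted `$lines` expands to no word at all, `[` exits with a syntax error, and the `if` treats that as false, so this check leaves `ret` at 0. The following grep would still catch a missing output file, but the count check should not depend on it; a quoted numeric test, `[ "$lines" -eq 1 ] || ret=1`, marks the test failed on any unexpected value. The new `lines=$(wc -l < checkconf.out$n)` also uses `$( )` where the neighbouring lines use backticks with `expr`; keeping one form would make the script uniform.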


@@ -5103,6 +5103,9 @@ options {
<userinput>no</userinput>, then dnssec-lookaside <userinput>no</userinput>, then dnssec-lookaside
is not used. is not used.
</para> </para>
<para>
This option is deprecated and its use is discouraged.
</para>
<para> <para>
NOTE: The ISC-provided DLV service at NOTE: The ISC-provided DLV service at
<literal>dlv.isc.org</literal>, has been shut down. <literal>dlv.isc.org</literal>, has been shut down.


@@ -12,7 +12,8 @@
<!-- Generated by doc/misc/docbook-options.pl --> <!-- Generated by doc/misc/docbook-options.pl -->
<programlisting> <programlisting>
<command>managed-keys</command> { <replaceable>string</replaceable> ( static-key | <command>managed-keys</command> { <replaceable>string</replaceable> ( static-key
<command>initial-key</command> ) <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable> | initial-key ) <replaceable>integer</replaceable>
<replaceable>quoted_string</replaceable>; ... }; <replaceable>integer</replaceable> <replaceable>integer</replaceable>
<replaceable>quoted_string</replaceable>; ... }; deprecated
</programlisting> </programlisting>


@@ -195,7 +195,7 @@
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para> <para>
The <command>dnssec-enable</command> option has been deprecated and The <command>dnssec-enable</command> option has been obsoleted and
no longer has any effect. DNSSEC responses are always enabled no longer has any effect. DNSSEC responses are always enabled
if signatures and other DNSSEC data are present. [GL #866] if signatures and other DNSSEC data are present. [GL #866]
</para> </para>
@@ -206,6 +206,12 @@
removed. [GL !1731] removed. [GL !1731]
</para> </para>
</listitem> </listitem>
<listitem>
<para>
The <command>dnssec-lookaside</command> option has been deprecated.
The feature still works, but it is discouraged to use it. [GL #7]
</para>
</listitem>
</itemizedlist> </itemizedlist>
</section> </section>


@@ -57,7 +57,6 @@
<command>check-spf</command> ( warn | ignore ); <command>check-spf</command> ( warn | ignore );
<command>check-srv-cname</command> ( fail | warn | ignore ); <command>check-srv-cname</command> ( fail | warn | ignore );
<command>check-wildcard</command> <replaceable>boolean</replaceable>; <command>check-wildcard</command> <replaceable>boolean</replaceable>;
<command>cleaning-interval</command> <replaceable>integer</replaceable>;
<command>clients-per-query</command> <replaceable>integer</replaceable>; <command>clients-per-query</command> <replaceable>integer</replaceable>;
<command>cookie-algorithm</command> ( aes | sha1 | sha256 ); <command>cookie-algorithm</command> ( aes | sha1 | sha256 );
<command>cookie-secret</command> <replaceable>string</replaceable>; <command>cookie-secret</command> <replaceable>string</replaceable>;
@@ -90,8 +89,9 @@
<command>dnssec-accept-expired</command> <replaceable>boolean</replaceable>; <command>dnssec-accept-expired</command> <replaceable>boolean</replaceable>;
<command>dnssec-dnskey-kskonly</command> <replaceable>boolean</replaceable>; <command>dnssec-dnskey-kskonly</command> <replaceable>boolean</replaceable>;
<command>dnssec-loadkeys-interval</command> <replaceable>integer</replaceable>; <command>dnssec-loadkeys-interval</command> <replaceable>integer</replaceable>;
<command>dnssec-lookaside</command> ( <replaceable>string</replaceable> trust-anchor <command>dnssec-lookaside</command> ( <replaceable>string</replaceable>
<replaceable>string</replaceable> | auto | no ); <command>trust-anchor</command> <replaceable>string</replaceable> |
<command>auto</command> | no ); deprecated
<command>dnssec-must-be-secure</command> <replaceable>string</replaceable> <replaceable>boolean</replaceable>; <command>dnssec-must-be-secure</command> <replaceable>string</replaceable> <replaceable>boolean</replaceable>;
<command>dnssec-secure-to-insecure</command> <replaceable>boolean</replaceable>; <command>dnssec-secure-to-insecure</command> <replaceable>boolean</replaceable>;
<command>dnssec-update-mode</command> ( maintain | no-resign ); <command>dnssec-update-mode</command> ( maintain | no-resign );


@@ -14,5 +14,5 @@
<programlisting> <programlisting>
<command>trusted-keys</command> { <replaceable>string</replaceable> <replaceable>integer</replaceable> <command>trusted-keys</command> { <replaceable>string</replaceable> <replaceable>integer</replaceable>
<replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable>
<replaceable>quoted_string</replaceable>; ... };, deprecated <replaceable>quoted_string</replaceable>; ... }; deprecated
</programlisting> </programlisting>


@@ -67,7 +67,7 @@ while (<FH>) {
s{ // not configured}{}; s{ // not configured}{};
s{ // non-operational}{}; s{ // non-operational}{};
s{ // may occur multiple times}{}; s{ // may occur multiple times,*}{};
s{<([a-z0-9_-]+)>}{<replaceable>$1</replaceable>}g; s{<([a-z0-9_-]+)>}{<replaceable>$1</replaceable>}g;
s{^(\s*)([a-z0-9_-]+)\b}{$1<command>$2</command>}; s{^(\s*)([a-z0-9_-]+)\b}{$1<command>$2</command>};
s{[[]}{[}g; s{[[]}{[}g;
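Review bot: The widened rule `s{ // may occur multiple times,*}{};` removes the `//` marker together with the flag text, so a comment such as `// may occur multiple times, deprecated` is reduced to the bare word `deprecated`, and the rule only works while `may occur multiple times` is the first flag in the comment; this is inferred from the generated options listing in this commit, since the code that writes the flag comment is not visible here. A comment above the substitution would record that intent, e.g. `# drop "may occur multiple times" plus the comma joining it to a following flag`, and `,?` would state more precisely than `,*` that at most one comma is expected. The same edit is made in the two other option-formatting scripts in this commit; in the one that continues with `s{ // deprecated,*}{// deprecated};`, that later rule appears unable to match a combined comment once the `//` has been consumed. The `while (<FH>)` loop starts and ends outside the hunk.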


@@ -128,7 +128,7 @@ while (<FH>) {
s{ // not configured}{}; s{ // not configured}{};
s{ // non-operational}{}; s{ // non-operational}{};
s{ (// )*may occur multiple times}{}; s{ (// )*may occur multiple times,*}{};
s{<([a-z0-9_-]+)>}{<replaceable>$1</replaceable>}g; s{<([a-z0-9_-]+)>}{<replaceable>$1</replaceable>}g;
s{ // deprecated,*}{// deprecated}; s{ // deprecated,*}{// deprecated};
s{[[]}{[}g; s{[[]}{[}g;


@@ -51,7 +51,7 @@ while (<FH>) {
} }
s{ // not configured}{}; s{ // not configured}{};
s{ // may occur multiple times}{}; s{ // may occur multiple times,*}{};
s{<([a-z0-9_-]+)>}{<replaceable>$1</replaceable>}g; s{<([a-z0-9_-]+)>}{<replaceable>$1</replaceable>}g;
s{^(\s*)([a-z0-9_-]+)\b}{$1<command>$2</command>}; s{^(\s*)([a-z0-9_-]+)\b}{$1<command>$2</command>};
s{[[]}{[}g; s{[[]}{[}g;


@@ -146,8 +146,9 @@ options {
dnssec-dnskey-kskonly <boolean>; dnssec-dnskey-kskonly <boolean>;
dnssec-enable <boolean>; // obsolete dnssec-enable <boolean>; // obsolete
dnssec-loadkeys-interval <integer>; dnssec-loadkeys-interval <integer>;
dnssec-lookaside ( <string> trust-anchor dnssec-lookaside ( <string>
<string> | auto | no ); // may occur multiple times trust-anchor <string> |
auto | no ); // may occur multiple times, deprecated
dnssec-must-be-secure <string> <boolean>; // may occur multiple times dnssec-must-be-secure <string> <boolean>; // may occur multiple times
dnssec-secure-to-insecure <boolean>; dnssec-secure-to-insecure <boolean>;
dnssec-update-mode ( maintain | no-resign ); dnssec-update-mode ( maintain | no-resign );
@@ -192,7 +193,7 @@ options {
fstrm-set-output-queue-model ( mpsc | spsc ); // not configured fstrm-set-output-queue-model ( mpsc | spsc ); // not configured
fstrm-set-output-queue-size <integer>; // not configured fstrm-set-output-queue-size <integer>; // not configured
fstrm-set-reopen-interval <ttlval>; // not configured fstrm-set-reopen-interval <ttlval>; // not configured
geoip-directory ( <quoted_string> | none ); // not configured geoip-directory ( <quoted_string> | none );
geoip-use-ecs <boolean>; // obsolete geoip-use-ecs <boolean>; // obsolete
glue-cache <boolean>; glue-cache <boolean>;
has-old-clients <boolean>; // ancient has-old-clients <boolean>; // ancient
@@ -213,7 +214,7 @@ options {
listen-on-v6 [ port <integer> ] [ dscp listen-on-v6 [ port <integer> ] [ dscp
<integer> ] { <integer> ] {
<address_match_element>; ... }; // may occur multiple times <address_match_element>; ... }; // may occur multiple times
lmdb-mapsize <sizeval>; // non-operational lmdb-mapsize <sizeval>;
lock-file ( <quoted_string> | none ); lock-file ( <quoted_string> | none );
maintain-ixfr-base <boolean>; // ancient maintain-ixfr-base <boolean>; // ancient
managed-keys-directory <quoted_string>; managed-keys-directory <quoted_string>;
@@ -524,8 +525,9 @@ view <string> [ <class> ] {
initial-key ) <integer> <integer> initial-key ) <integer> <integer>
<integer> <quoted_string>; ... }; // may occur multiple times <integer> <quoted_string>; ... }; // may occur multiple times
dnssec-loadkeys-interval <integer>; dnssec-loadkeys-interval <integer>;
dnssec-lookaside ( <string> trust-anchor dnssec-lookaside ( <string>
<string> | auto | no ); // may occur multiple times trust-anchor <string> |
auto | no ); // may occur multiple times, deprecated
dnssec-must-be-secure <string> <boolean>; // may occur multiple times dnssec-must-be-secure <string> <boolean>; // may occur multiple times
dnssec-secure-to-insecure <boolean>; dnssec-secure-to-insecure <boolean>;
dnssec-update-mode ( maintain | no-resign ); dnssec-update-mode ( maintain | no-resign );
@@ -563,7 +565,7 @@ view <string> [ <class> ] {
}; // may occur multiple times }; // may occur multiple times
key-directory <quoted_string>; key-directory <quoted_string>;
lame-ttl <ttlval>; lame-ttl <ttlval>;
lmdb-mapsize <sizeval>; // non-operational lmdb-mapsize <sizeval>;
maintain-ixfr-base <boolean>; // ancient maintain-ixfr-base <boolean>; // ancient
managed-keys { <string> ( managed-keys { <string> (
static-key | initial-key static-key | initial-key


@@ -1879,7 +1879,8 @@ view_clauses[] = {
#endif #endif
{ "dnssec-accept-expired", &cfg_type_boolean, 0 }, { "dnssec-accept-expired", &cfg_type_boolean, 0 },
{ "dnssec-enable", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE }, { "dnssec-enable", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
{ "dnssec-lookaside", &cfg_type_lookaside, CFG_CLAUSEFLAG_MULTI }, { "dnssec-lookaside", &cfg_type_lookaside,
CFG_CLAUSEFLAG_MULTI|CFG_CLAUSEFLAG_DEPRECATED },
{ "dnssec-must-be-secure", &cfg_type_mustbesecure, { "dnssec-must-be-secure", &cfg_type_mustbesecure,
CFG_CLAUSEFLAG_MULTI }, CFG_CLAUSEFLAG_MULTI },
{ "dnssec-validation", &cfg_type_boolorauto, 0 }, { "dnssec-validation", &cfg_type_boolorauto, 0 },
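Review bot: The `dnssec-lookaside` entry gains `CFG_CLAUSEFLAG_DEPRECATED` with no comment recording what that means for operators; per the release note in this commit the feature still works, so a configuration that relies on a lookaside trust anchor keeps using it and only receives a warning. A short comment on the entry would make that explicit, e.g. `/* deprecated: still accepted and functional, named-checkconf warns */`. Spaces around the operator, `CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_DEPRECATED`, would also read better, assuming that matches the style used elsewhere in the file. The `view_clauses[]` initializer begins and ends outside the hunk.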