From efa5f7ed548e7ff93e90c819a4822686c836b15a Mon Sep 17 00:00:00 2001
From: Evan Hunt
Date: Wed, 7 Aug 2019 11:53:13 -0700
Subject: [PATCH] remove remaining DLV-related configuration checks
---
bin/named/server.c | 54 +------
.../system/checkconf/check-dlv-ksk-key.conf | 20 ---
bin/tests/system/checkconf/tests.sh | 12 --
lib/bind9/check.c | 134 +-----------------
4 files changed, 2 insertions(+), 218 deletions(-)
delete mode 100644 bin/tests/system/checkconf/check-dlv-ksk-key.conf
diff --git a/bin/named/server.c b/bin/named/server.c
index ea187d50ad..11a9bd4844 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -3783,7 +3783,6 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
 const cfg_obj_t *zonelist;
 const cfg_obj_t *dlzlist;
 const cfg_obj_t *dlz;
- const cfg_obj_t *dlvobj = NULL;
 unsigned int dlzargc;
 char **dlzargv;
 const cfg_obj_t *dyndb_list, *plugin_list;
@@ -4614,7 +4613,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
 }
 /*
- * Set supported DS/DLV digest types.
+ * Set supported DS digest types.
 */
 dns_resolver_reset_ds_digests(view->resolver);
 disabled = NULL;
@@ -5204,57 +5203,6 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
 view->prefetch_eligible = view->prefetch_trigger + 6;
 }
- obj = NULL;
- result = named_config_get(optionmaps, "dnssec-lookaside", &obj);
- if (result == ISC_R_SUCCESS) {
- /* "auto" is deprecated, log a warning if seen */
- const char *dom;
- dlvobj = cfg_listelt_value(cfg_list_first(obj));
- dom = cfg_obj_asstring(cfg_tuple_get(dlvobj, "domain"));
- if (cfg_obj_isvoid(cfg_tuple_get(dlvobj, "trust-anchor"))) {
- /* If "no", skip; if "auto", log warning */
- if (!strcasecmp(dom, "no")) {
- result = ISC_R_NOTFOUND;
- } else if (!strcasecmp(dom, "auto")) {
- /*
- * Warning logged by libbind9.
- */
- result = ISC_R_NOTFOUND;
- }
- }
- }
-
- if (result == ISC_R_SUCCESS) {
- dns_name_t *dlv, *iscdlv;
- dns_fixedname_t f;
-
- /* Also log a warning if manually configured to dlv.isc.org */
- iscdlv = dns_fixedname_initname(&f);
- CHECK(dns_name_fromstring(iscdlv, "dlv.isc.org", 0, NULL));
-
- for (element = cfg_list_first(obj);
- element != NULL;
- element = cfg_list_next(element))
- {
- obj = cfg_listelt_value(element);
- obj = cfg_tuple_get(obj, "trust-anchor");
-
- dlv = dns_fixedname_name(&view->dlv_fixed);
- CHECK(dns_name_fromstring(dlv, cfg_obj_asstring(obj),
- DNS_NAME_DOWNCASE, NULL));
- if (dns_name_equal(dlv, iscdlv)) {
- /*
- * Warning logged by libbind9.
- */
- view->dlv = NULL;
- } else {
- view->dlv = dlv;
- }
- }
- } else {
- view->dlv = NULL;
- }
-
 /*
 * For now, there is only one kind of trusted keys, the
 * "security roots".
diff --git a/bin/tests/system/checkconf/check-dlv-ksk-key.conf b/bin/tests/system/checkconf/check-dlv-ksk-key.conf
deleted file mode 100644
index 93a0040db0..0000000000
--- a/bin/tests/system/checkconf/check-dlv-ksk-key.conf
+++ /dev/null
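Review bot: The removed block was the only code in this hunk that assigned `view->dlv` — both the configured anchor and the `else { view->dlv = NULL; }` fallback — so if `dns_view_t` still carries the `dlv` and `dlv_fixed` members (their declaration is not visible here), nothing in configure_view initialises them any more and any remaining consumer in the resolver or validator would read whatever the view's creation left there. Those members and their consumers are presumably dropped elsewhere in this series; if not, removing them together with this hunk keeps the struct from carrying a dangling DLV pointer. The `strcasecmp` calls that went away may also have been this file's last use of that header, which a warning-clean build will show. configure_view begins and ends outside the hunk.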
@@ -1,20 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-dnssec-keys {
- dlv.isc.org static-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWE
- n4MxDCE1+lLy2brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8
- +jAGl2FZLK8t+1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ
- 2kJb56dhgMde5ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnG
- xPPEmHAte/URkY62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mR
- x/vwwMCTgNboMQKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWL
- KjHzpT59k/VStTDN0YUuWrBNh";
-};
diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh
index 94646ab35d..9bd631c6b9 100644
--- a/bin/tests/system/checkconf/tests.sh
+++ b/bin/tests/system/checkconf/tests.sh
@@ -389,7 +389,6 @@ echo_i "check that 'dnssec-lookaside auto;' generates a warning ($n)"
 ret=0
 $CHECKCONF warn-dlv-auto.conf > checkconf.out$n 2>/dev/null || ret=1
 grep "option 'dnssec-lookaside' is obsolete and should be removed" < checkconf.out$n > /dev/null || ret=1
-grep "dnssec-lookaside 'auto' is no longer supported" < checkconf.out$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
 status=`expr $status + $ret`
@@ -398,7 +397,6 @@ echo_i "check that 'dnssec-lookaside . trust-anchor dlv.isc.org;' generates a wa
 ret=0
 $CHECKCONF warn-dlv-dlv.isc.org.conf > checkconf.out$n 2>/dev/null || ret=1
 grep "option 'dnssec-lookaside' is obsolete and should be removed" < checkconf.out$n > /dev/null || ret=1
-grep "dlv.isc.org has been shut down" < checkconf.out$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
 status=`expr $status + $ret`
@@ -406,8 +404,6 @@ n=`expr $n + 1`
 echo_i "check that 'dnssec-lookaside . trust-anchor dlv.example.com;' generates a warning ($n)"
 ret=0
 $CHECKCONF warn-dlv-dlv.example.com.conf > checkconf.out$n 2>/dev/null || ret=1
-lines=$(wc -l < checkconf.out$n)
-if [ $lines != 1 ]; then ret=1; fi
 grep "option 'dnssec-lookaside' is obsolete and should be removed" < checkconf.out$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
 status=`expr $status + $ret`
@@ -457,14 +453,6 @@ grep "use of managed-keys is not allowed" checkconf.out$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
 status=`expr $status + $ret`
-echo_i "check that the dlv.isc.org KSK generates a warning ($n)"
-ret=0
-$CHECKCONF check-dlv-ksk-key.conf > checkconf.out$n 2>/dev/null || ret=1
-[ -s checkconf.out$n ] || ret=1
-grep "trust anchor for dlv.isc.org is present" < checkconf.out$n > /dev/null || ret=1
-if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
-status=`expr $status + $ret`
-
 echo_i "check that 'geoip-use-ecs no' generates a warning ($n)"
 ret=0
 $CHECKCONF warn-geoip-use-ecs.conf > checkconf.out$n 2>/dev/null || ret=1
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index 976235626a..a90fa15830 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -58,11 +58,6 @@
 #include
-static unsigned char dlviscorg_ndata[] = "\003dlv\003isc\003org";
-static unsigned char dlviscorg_offsets[] = { 0, 4, 8, 12 };
-static dns_name_t const dlviscorg =
- DNS_NAME_INITABSOLUTE(dlviscorg_ndata, dlviscorg_offsets);
-
 static isc_result_t
 fileexist(const cfg_obj_t *obj, isc_symtab_t *symtab, bool writeable,
 isc_log_t *logctxlogc);
@@ -858,9 +853,7 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
 const cfg_obj_t *resignobj = NULL;
 const cfg_listelt_t *element;
 isc_symtab_t *symtab = NULL;
- dns_fixedname_t fixed;
 const char *str;
- dns_name_t *name;
 isc_buffer_t b;
 uint32_t lifetime = 3600;
 const char *ccalg = "siphash24";
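Review bot: Dropping `lines=$(wc -l < checkconf.out$n)` and `if [ $lines != 1 ]; then ret=1; fi` leaves the dlv.example.com case asserting only that the obsolete-option warning appears somewhere in the output, so any additional unexpected warning or error produced for `warn-dlv-dlv.example.com.conf` now passes unnoticed. Unless the new checkconf output for that file is expected to contain more than that single line, keeping the count check — or replacing it with `[ "$(grep -c . checkconf.out$n)" = 1 ] || ret=1` — preserves the strictness the test had before. The two earlier hunks in this file only remove greps for messages that no longer exist and need no change.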
@@ -1069,7 +1062,7 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
 }
 /*
- * Set supported DS/DLV digest types.
+ * Set supported DS digest types.
 */
 obj = NULL;
 (void)cfg_map_get(options, "disable-ds-digests", &obj);
@@ -1085,107 +1078,6 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
 }
 }
- name = dns_fixedname_initname(&fixed);
-
- /*
- * Check the DLV zone name.
- */
- obj = NULL;
- (void)cfg_map_get(options, "dnssec-lookaside", &obj);
- if (obj != NULL) {
- tresult = isc_symtab_create(mctx, 100, freekey, mctx,
- false, &symtab);
- if (tresult != ISC_R_SUCCESS)
- result = tresult;
- for (element = cfg_list_first(obj);
- element != NULL;
- element = cfg_list_next(element))
- {
- const char *dlv;
- const cfg_obj_t *dlvobj, *anchor;
-
- obj = cfg_listelt_value(element);
-
- anchor = cfg_tuple_get(obj, "trust-anchor");
- dlvobj = cfg_tuple_get(obj, "domain");
- dlv = cfg_obj_asstring(dlvobj);
-
- /*
- * If domain is "auto" or "no" and trust anchor
- * is missing, skip remaining tests
- */
- if (cfg_obj_isvoid(anchor)) {
- if (!strcasecmp(dlv, "no")) {
- continue;
- }
- if (!strcasecmp(dlv, "auto")) {
- cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
- "dnssec-lookaside 'auto' "
- "is no longer supported");
- continue;
- }
- }
-
- tresult = dns_name_fromstring(name, dlv, 0, NULL);
- if (tresult != ISC_R_SUCCESS) {
- cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
- "bad domain name '%s'", dlv);
- result = tresult;
- continue;
- }
- if (symtab != NULL) {
- tresult = nameexist(obj, dlv, 1, symtab,
- "dnssec-lookaside '%s': "
- "already exists; previous "
- "definition: %s:%u",
- logctx, mctx);
- if (tresult != ISC_R_SUCCESS &&
- result == ISC_R_SUCCESS)
- result = tresult;
- }
-
- /*
- * XXXMPA to be removed when multiple lookaside
- namespaces are supported.
- */
- if (!dns_name_equal(dns_rootname, name)) {
- cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
- "dnssec-lookaside '%s': "
- "non-root not yet supported", dlv);
- if (result == ISC_R_SUCCESS)
- result = ISC_R_FAILURE;
- }
-
- if (cfg_obj_isvoid(anchor)) {
- cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
- "dnssec-lookaside requires "
- "either or 'no' or a "
- "domain and trust anchor");
- if (result == ISC_R_SUCCESS)
- result = ISC_R_FAILURE;
- continue;
- }
-
- dlv = cfg_obj_asstring(anchor);
- tresult = dns_name_fromstring(name, dlv, 0, NULL);
- if (tresult != ISC_R_SUCCESS) {
- cfg_obj_log(anchor, logctx, ISC_LOG_ERROR,
- "bad domain name '%s'", dlv);
- if (result == ISC_R_SUCCESS)
- result = tresult;
- continue;
- }
- if (dns_name_equal(&dlviscorg, name)) {
- cfg_obj_log(anchor, logctx, ISC_LOG_WARNING,
- "dlv.isc.org has been shut down");
- continue;
- }
- }
-
- if (symtab != NULL)
- isc_symtab_destroy(&symtab);
- }
-
 /*
 * Check auto-dnssec at the view/options level
 */
@@ -3058,7 +2950,6 @@ check_servers(const cfg_obj_t *config, const cfg_obj_t *voptions,
 #define ROOT_KSK_ANY 0x03
 #define ROOT_KSK_2010 0x04
 #define ROOT_KSK_2017 0x08
-#define DLV_KSK_KEY 0x10
 static isc_result_t
 check_trusted_key(const cfg_obj_t *key, bool managed,
@@ -3235,13 +3126,6 @@ check_trusted_key(const cfg_obj_t *key, bool managed,
 }
 }
- /*
- * Flag any use of dlv.isc.org, regardless of content.
- */
- if (dns_name_equal(keyname, &dlviscorg)) {
- *keyflags |= DLV_KSK_KEY;
- }
-
 return (result);
 }
@@ -3830,14 +3714,6 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
 "with initial-key instead.");
 }
- if ((flags & DLV_KSK_KEY) != 0) {
- cfg_obj_log(check_keys[i], logctx,
- ISC_LOG_WARNING,
- "trust anchor for dlv.isc.org "
- "is present; dlv.isc.org has "
- "been shut down");
- }
-
 tflags |= flags;
 }
 }
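Review bot: With the per-element loop gone from check_options, named-checkconf no longer inspects the arguments of `dnssec-lookaside` at all — `auto`, `no`, a malformed domain name, a duplicate entry or a dlv.isc.org anchor all collapse into the generic "option 'dnssec-lookaside' is obsolete and should be removed" warning that the tests.sh hunks still grep for. That is reasonable for an obsolete option, but that warning (emitted elsewhere in libbind9, not in this hunk) should also say that lookaside validation is no longer performed, e.g. `"option 'dnssec-lookaside' is obsolete and should be removed; DLV lookaside validation is no longer performed"`, so operators who relied on DLV for zones not covered by their configured trust anchors understand those zones now validate as insecure. The `element` and `symtab` declarations kept in the @@ -858 context may now be unused in check_options if this loop was their last consumer; a -Wunused-variable build will tell. The hunk starts on the previous line and check_options continues past it.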
@@ -3908,14 +3784,6 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
 "the updated 2017 key");
 }
- if ((flags & DLV_KSK_KEY) != 0) {
- cfg_obj_log(check_keys[i], logctx,
- ISC_LOG_WARNING,
- "trust anchor for dlv.isc.org "
- "is present; dlv.isc.org has "
- "been shut down");
- }
-
 dflags |= flags;
 }
 }