From f9845dd1288e4cff30bb7b7c4a3ab108fbd991ca Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Fri, 11 Nov 2022 14:39:07 +0100
Subject: [PATCH 1/2] Deprecate auto-dnssec

Deprecate auto-dnssec, add specific log warning to migrate to dnssec-policy.
---
 bin/tests/system/checkconf/dnssec.3 | 18 ++++++++++++++++++
 bin/tests/system/checkconf/tests.sh | 17 +++++++++++------
 doc/man/named.conf.5in | 8 ++++----
 doc/misc/options | 4 ++--
 doc/misc/primary.zoneopt | 2 +-
 doc/misc/secondary.zoneopt | 2 +-
 lib/bind9/check.c | 4 ++++
 lib/isccfg/namedconf.c | 2 +-
 8 files changed, 42 insertions(+), 15 deletions(-)
 create mode 100644 bin/tests/system/checkconf/dnssec.3

diff --git a/bin/tests/system/checkconf/dnssec.3 b/bin/tests/system/checkconf/dnssec.3
new file mode 100644
index 0000000000..cd37d14278
--- /dev/null
+++ b/bin/tests/system/checkconf/dnssec.3
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "test" {
+	type primary;
+	file "test.db";
+	auto-dnssec maintain;
+};
diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh
index d4aa341cb9..e4afd713fa 100644
--- a/bin/tests/system/checkconf/tests.sh
+++ b/bin/tests/system/checkconf/tests.sh
@@ -145,12 +145,17 @@ n=`expr $n + 1`
 echo_i "checking named-checkconf dnssec warnings ($n)"
 ret=0
 # dnssec.1: auto-dnssec warning
-$CHECKCONF dnssec.1 > checkconf.out$n.2 2>&1
-grep 'auto-dnssec may only be ' < checkconf.out$n.2 > /dev/null || ret=1
-# dnssec.2: should have no warnings
-$CHECKCONF dnssec.2 > checkconf.out$n.3 2>&1
-grep '.*' < checkconf.out$n.3 > /dev/null && ret=1
-if [ $ret -ne 0 ]; then echo_i "failed"; fi
+$CHECKCONF dnssec.1 > checkconf.out$n.1 2>&1
+grep 'auto-dnssec may only be ' < checkconf.out$n.1 > /dev/null || ret=1
+# dnssec.2: should have no warnings (other than deprecation warning)
+$CHECKCONF dnssec.2 > checkconf.out$n.2 2>&1
+grep "option 'auto-dnssec' is deprecated" < checkconf.out$n.2 > /dev/null || ret=1
+lines=$(wc -l < "checkconf.out$n.2")
+if [ $lines != 1 ]; then ret=1; fi
+# dnssec.3: should have specific deprecation warning
+$CHECKCONF dnssec.3 > checkconf.out$n.3 2>&1
+grep "'auto-dnssec' option is deprecated and will be removed in BIND 9\.19" < checkconf.out$n.3 > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
 n=`expr $n + 1`
diff --git a/doc/man/named.conf.5in b/doc/man/named.conf.5in
index b110355210..8cf7eb93ad 100644
--- a/doc/man/named.conf.5in
+++ b/doc/man/named.conf.5in
@@ -132,7 +132,7 @@ options {
 	answer\-cookie ;
 	attach\-cache ;
 	auth\-nxdomain ;
-	auto\-dnssec ( allow | maintain | off );
+	auto\-dnssec ( allow | maintain | off ); // deprecated
 	automatic\-interface\-scan ;
 	avoid\-v4\-udp\-ports { ; ... };
 	avoid\-v6\-udp\-ports { ; ... };
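Review bot: The two new comparisons `if [ $lines != 1 ]` and `if [ $ret != 0 ]` apply the string operator `!=` to integer values, and the second one replaces the `-ne` that the removed line used, so the hunk moves away from the numeric test the rest of this script relies on. Keep the comparison numeric on both lines, `if [ $lines -ne 1 ]; then ret=1; fi` and `if [ $ret -ne 0 ]; then echo_i "failed"; fi`; `-ne` also tolerates the space-padded count that `wc -l` prints on some platforms, which a quoted string compare would not. The exactly-one-line assertion on checkconf.out$n.2 presumes dnssec.2 triggers only the parser-level deprecation warning; if that file sets `auto-dnssec` inside a zone, the zone-specific warning added in lib/bind9/check.c would make it two lines, so a comment stating which scope dnssec.2 exercises would make the expectation explicit.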
@@ -446,7 +446,7 @@ view [ ] {
 	alt\-transfer\-source\-v6 ( | * ) [ port ( | * ) ] [ dscp ];
 	attach\-cache ;
 	auth\-nxdomain ;
-	auto\-dnssec ( allow | maintain | off );
+	auto\-dnssec ( allow | maintain | off ); // deprecated
 	catalog\-zones { zone [ default\-primaries [ port ] [ dscp ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... } ] [ zone\-directory ] [ in\-memory ] [ min\-update\-interval ]; ... };
 	check\-dup\-records ( fail | warn | ignore );
 	check\-integrity ;
@@ -673,7 +673,7 @@ zone [ ] {
 	also\-notify [ port ] [ dscp ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... };
 	alt\-transfer\-source ( | * ) [ port ( | * ) ] [ dscp ];
 	alt\-transfer\-source\-v6 ( | * ) [ port ( | * ) ] [ dscp ];
-	auto\-dnssec ( allow | maintain | off );
+	auto\-dnssec ( allow | maintain | off ); // deprecated
 	check\-dup\-records ( fail | warn | ignore );
 	check\-integrity ;
 	check\-mx ( fail | warn | ignore );
@@ -747,7 +747,7 @@ zone [ ] {
 	also\-notify [ port ] [ dscp ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... };
 	alt\-transfer\-source ( | * ) [ port ( | * ) ] [ dscp ];
 	alt\-transfer\-source\-v6 ( | * ) [ port ( | * ) ] [ dscp ];
-	auto\-dnssec ( allow | maintain | off );
+	auto\-dnssec ( allow | maintain | off ); // deprecated
 	check\-names ( fail | warn | ignore );
 	database ;
 	dialup ( notify | notify\-passive | passive | refresh | );
diff --git a/doc/misc/options b/doc/misc/options
index 23d82d6c14..7b427a5bd4 100644
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -75,7 +75,7 @@ options {
 	answer-cookie ;
 	attach-cache ;
 	auth-nxdomain ;
-	auto-dnssec ( allow | maintain | off );
+	auto-dnssec ( allow | maintain | off ); // deprecated
 	automatic-interface-scan ;
 	avoid-v4-udp-ports { ; ... };
 	avoid-v6-udp-ports { ; ... };
@@ -389,7 +389,7 @@ view [ ] {
 	alt-transfer-source-v6 ( | * ) [ port ( | * ) ] [ dscp ];
 	attach-cache ;
 	auth-nxdomain ;
-	auto-dnssec ( allow | maintain | off );
+	auto-dnssec ( allow | maintain | off ); // deprecated
 	catalog-zones { zone [ default-primaries [ port ] [ dscp ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... } ] [ zone-directory ] [ in-memory ] [ min-update-interval ]; ... };
 	check-dup-records ( fail | warn | ignore );
 	check-integrity ;
diff --git a/doc/misc/primary.zoneopt b/doc/misc/primary.zoneopt
index 6f90200fcf..12034f3b05 100644
--- a/doc/misc/primary.zoneopt
+++ b/doc/misc/primary.zoneopt
@@ -7,7 +7,7 @@ zone [ ] {
 	also-notify [ port ] [ dscp ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... };
 	alt-transfer-source ( | * ) [ port ( | * ) ] [ dscp ];
 	alt-transfer-source-v6 ( | * ) [ port ( | * ) ] [ dscp ];
-	auto-dnssec ( allow | maintain | off );
+	auto-dnssec ( allow | maintain | off ); // deprecated
 	check-dup-records ( fail | warn | ignore );
 	check-integrity ;
 	check-mx ( fail | warn | ignore );
diff --git a/doc/misc/secondary.zoneopt b/doc/misc/secondary.zoneopt
index ecb7b7b5d4..dfeb63eee8 100644
--- a/doc/misc/secondary.zoneopt
+++ b/doc/misc/secondary.zoneopt
@@ -8,7 +8,7 @@ zone [ ] {
 	also-notify [ port ] [ dscp ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... };
 	alt-transfer-source ( | * ) [ port ( | * ) ] [ dscp ];
 	alt-transfer-source-v6 ( | * ) [ port ( | * ) ] [ dscp ];
-	auto-dnssec ( allow | maintain | off );
+	auto-dnssec ( allow | maintain | off ); // deprecated
 	check-names ( fail | warn | ignore );
 	database ;
 	dialup ( notify | notify-passive | passive | refresh | );
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index 8d9ac580e5..857f2dd997 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -3470,6 +3470,10 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 	res3 = cfg_map_get(zoptions, "auto-dnssec", &obj);
 	if (res3 == ISC_R_SUCCESS) {
 		arg = cfg_obj_asstring(obj);
+		cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
+			    "'auto-dnssec' option is deprecated and "
+			    "will be removed in BIND 9.19. Please "
+			    "migrate to dnssec-policy");
 	}
 	if (strcasecmp(arg, "off") != 0) {
 		if (!ddns && !signing && !has_dnssecpolicy) {
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index cd729bcca0..e1e31aa62d 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -2245,7 +2245,7 @@ static cfg_clausedef_t zone_clauses[] = {
 	{ "alt-transfer-source-v6", &cfg_type_sockaddr6wild,
 	  CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR },
 	{ "auto-dnssec", &cfg_type_autodnssec,
-	  CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY },
+	  CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_CLAUSEFLAG_DEPRECATED },
 	{ "check-dup-records", &cfg_type_checkmode, CFG_ZONE_PRIMARY },
 	{ "check-integrity", &cfg_type_boolean, CFG_ZONE_PRIMARY },
 	{ "check-mx", &cfg_type_checkmode, CFG_ZONE_PRIMARY },
From fde1d89d0363d8f4b742924f84a1ae15216ece42 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Fri, 11 Nov 2022 14:43:36 +0100
Subject: [PATCH 2/2] Add CHANGES and release note for GL #3667

Announce deprecation of 'auto-dnssec'.
---
 CHANGES | 2 ++
 doc/notes/notes-current.rst | 3 +++
 2 files changed, 5 insertions(+)

diff --git a/CHANGES b/CHANGES
index 59ed14a3f3..b4b966c8e4 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+6024. [func] Deprecate 'auto-dnssec'. [GL #3667]
+
 6023. [func] Remove dynamic update DNSSEC management feature. [GL #3686]
diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst
index 8834c61db5..e5f3b8870a 100644
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
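Review bot: The new cfg_obj_log() call fires for every zone-level `auto-dnssec`, including an explicit `auto-dnssec off;`, and it is emitted in addition to the generic "option 'auto-dnssec' is deprecated" warning that the CFG_CLAUSEFLAG_DEPRECATED flag added in lib/isccfg/namedconf.c presumably produces for the same clause, so one statement now logs two deprecation warnings at ISC_LOG_WARNING. If the doubling is intended because only this message carries the migration hint, a comment above the call would stop the next reader from filing it as a bug: `/* Zone-specific notice; the parser already warns generically. */`. Since the check lives in check_zoneconf, an `auto-dnssec` set at options or view scope would get only the generic warning without the dnssec-policy pointer, which is worth confirming against how those scopes are validated. check_zoneconf begins and ends outside the hunk.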
@@ -37,6 +37,9 @@ Feature Changes
   settings that required different values based on "workload" have been either removed or a sensible default has been picked. :gl:`#3664`
 
+- The option :any:`auto-dnssec` is deprecated and will be removed in 9.19.
+  Please migrate to :any:`dnssec-policy`. :gl:`#3667`
+
 - Deprecate setting the operating system limit (``coresize``, ``datasize``, ``files`` and ``stacksize``) from ``named.conf``. These options should be set from the operating system (``ulimit``) or from the process supervisor