mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-30 22:15:20 +00:00
Code Issues Releases Wiki Activity

Merge branch '3667-deprecate-auto-dnssec' into 'main'

Browse Source 
Deprecate auto-dnssec

Closes #3667

See merge request isc-projects/bind9!7075
This commit is contained in:
Matthijs Mekking
2022-11-23 10:00:33 +00:00
parent 9128e540f0 fde1d89d03
commit f9018a63cf
10 changed files with 47 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
CHANGES
View File

@@ -1,3 +1,5 @@
6024. [func] Deprecate 'auto-dnssec'. [GL #3667]
6023. [func] Remove dynamic update DNSSEC management feature. 6023. [func] Remove dynamic update DNSSEC management feature.
[GL #3686] [GL #3686]

18
bin/tests/system/checkconf/dnssec.3 Normal file
View File

@@ -0,0 +1,18 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
zone "test" {
type primary;
file "test.db";
auto-dnssec maintain;
};

17
bin/tests/system/checkconf/tests.sh
View File

@@ -145,12 +145,17 @@ n=`expr $n + 1`
echo_i "checking named-checkconf dnssec warnings ($n)" echo_i "checking named-checkconf dnssec warnings ($n)"
ret=0 ret=0
# dnssec.1: auto-dnssec warning # dnssec.1: auto-dnssec warning
$CHECKCONF dnssec.1 > checkconf.out$n.2 2>&1 $CHECKCONF dnssec.1 > checkconf.out$n.1 2>&1
grep 'auto-dnssec may only be ' < checkconf.out$n.2 > /dev/null || ret=1 grep 'auto-dnssec may only be ' < checkconf.out$n.1 > /dev/null || ret=1
# dnssec.2: should have no warnings # dnssec.2: should have no warnings (other than deprecation warning)
$CHECKCONF dnssec.2 > checkconf.out$n.3 2>&1 $CHECKCONF dnssec.2 > checkconf.out$n.2 2>&1
grep '.*' < checkconf.out$n.3 > /dev/null && ret=1 grep "option 'auto-dnssec' is deprecated" < checkconf.out$n.2 > /dev/null || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi lines=$(wc -l < "checkconf.out$n.2")
if [ $lines != 1 ]; then ret=1; fi
# dnssec.3: should have specific deprecation warning
$CHECKCONF dnssec.3 > checkconf.out$n.3 2>&1
grep "'auto-dnssec' option is deprecated and will be removed in BIND 9\.19" < checkconf.out$n.3 > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret` status=`expr $status + $ret`
n=`expr $n + 1` n=`expr $n + 1`

8
doc/man/named.conf.5in
View File

@@ -132,7 +132,7 @@ options {
answer\-cookie <boolean>; answer\-cookie <boolean>;
attach\-cache <string>; attach\-cache <string>;
auth\-nxdomain <boolean>; auth\-nxdomain <boolean>;
auto\-dnssec ( allow | maintain | off ); auto\-dnssec ( allow | maintain | off ); // deprecated
automatic\-interface\-scan <boolean>; automatic\-interface\-scan <boolean>;
avoid\-v4\-udp\-ports { <portrange>; ... }; avoid\-v4\-udp\-ports { <portrange>; ... };
avoid\-v6\-udp\-ports { <portrange>; ... }; avoid\-v6\-udp\-ports { <portrange>; ... };
@@ -446,7 +446,7 @@ view <string> [ <class> ] {
alt\-transfer\-source\-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; alt\-transfer\-source\-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
attach\-cache <string>; attach\-cache <string>;
auth\-nxdomain <boolean>; auth\-nxdomain <boolean>;
auto\-dnssec ( allow | maintain | off ); auto\-dnssec ( allow | maintain | off ); // deprecated
catalog\-zones { zone <string> [ default\-primaries [ port <integer> ] [ dscp <integer> ] { ( <remote\-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... } ] [ zone\-directory <quoted_string> ] [ in\-memory <boolean> ] [ min\-update\-interval <duration> ]; ... }; catalog\-zones { zone <string> [ default\-primaries [ port <integer> ] [ dscp <integer> ] { ( <remote\-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... } ] [ zone\-directory <quoted_string> ] [ in\-memory <boolean> ] [ min\-update\-interval <duration> ]; ... };
check\-dup\-records ( fail | warn | ignore ); check\-dup\-records ( fail | warn | ignore );
check\-integrity <boolean>; check\-integrity <boolean>;
@@ -673,7 +673,7 @@ zone <string> [ <class> ] {
also\-notify [ port <integer> ] [ dscp <integer> ] { ( <remote\-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... }; also\-notify [ port <integer> ] [ dscp <integer> ] { ( <remote\-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
alt\-transfer\-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; alt\-transfer\-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
alt\-transfer\-source\-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; alt\-transfer\-source\-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
auto\-dnssec ( allow | maintain | off ); auto\-dnssec ( allow | maintain | off ); // deprecated
check\-dup\-records ( fail | warn | ignore ); check\-dup\-records ( fail | warn | ignore );
check\-integrity <boolean>; check\-integrity <boolean>;
check\-mx ( fail | warn | ignore ); check\-mx ( fail | warn | ignore );
@@ -747,7 +747,7 @@ zone <string> [ <class> ] {
also\-notify [ port <integer> ] [ dscp <integer> ] { ( <remote\-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... }; also\-notify [ port <integer> ] [ dscp <integer> ] { ( <remote\-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
alt\-transfer\-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; alt\-transfer\-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
alt\-transfer\-source\-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; alt\-transfer\-source\-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
auto\-dnssec ( allow | maintain | off ); auto\-dnssec ( allow | maintain | off ); // deprecated
check\-names ( fail | warn | ignore ); check\-names ( fail | warn | ignore );
database <string>; database <string>;
dialup ( notify | notify\-passive | passive | refresh | <boolean> ); dialup ( notify | notify\-passive | passive | refresh | <boolean> );

4
doc/misc/options
View File

@@ -75,7 +75,7 @@ options {
answer-cookie <boolean>; answer-cookie <boolean>;
attach-cache <string>; attach-cache <string>;
auth-nxdomain <boolean>; auth-nxdomain <boolean>;
auto-dnssec ( allow | maintain | off ); auto-dnssec ( allow | maintain | off ); // deprecated
automatic-interface-scan <boolean>; automatic-interface-scan <boolean>;
avoid-v4-udp-ports { <portrange>; ... }; avoid-v4-udp-ports { <portrange>; ... };
avoid-v6-udp-ports { <portrange>; ... }; avoid-v6-udp-ports { <portrange>; ... };
@@ -389,7 +389,7 @@ view <string> [ <class> ] {
alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
attach-cache <string>; attach-cache <string>;
auth-nxdomain <boolean>; auth-nxdomain <boolean>;
auto-dnssec ( allow | maintain | off ); auto-dnssec ( allow | maintain | off ); // deprecated
catalog-zones { zone <string> [ default-primaries [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... } ] [ zone-directory <quoted_string> ] [ in-memory <boolean> ] [ min-update-interval <duration> ]; ... }; catalog-zones { zone <string> [ default-primaries [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... } ] [ zone-directory <quoted_string> ] [ in-memory <boolean> ] [ min-update-interval <duration> ]; ... };
check-dup-records ( fail | warn | ignore ); check-dup-records ( fail | warn | ignore );
check-integrity <boolean>; check-integrity <boolean>;

2
doc/misc/primary.zoneopt
View File

@@ -7,7 +7,7 @@ zone <string> [ <class> ] {
also-notify [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... }; also-notify [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
auto-dnssec ( allow | maintain | off ); auto-dnssec ( allow | maintain | off ); // deprecated
check-dup-records ( fail | warn | ignore ); check-dup-records ( fail | warn | ignore );
check-integrity <boolean>; check-integrity <boolean>;
check-mx ( fail | warn | ignore ); check-mx ( fail | warn | ignore );

2
doc/misc/secondary.zoneopt
View File

@@ -8,7 +8,7 @@ zone <string> [ <class> ] {
also-notify [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... }; also-notify [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
auto-dnssec ( allow | maintain | off ); auto-dnssec ( allow | maintain | off ); // deprecated
check-names ( fail | warn | ignore ); check-names ( fail | warn | ignore );
database <string>; database <string>;
dialup ( notify | notify-passive | passive | refresh | <boolean> ); dialup ( notify | notify-passive | passive | refresh | <boolean> );

3
doc/notes/notes-current.rst
View File

@@ -37,6 +37,9 @@ Feature Changes
settings that required different values based on "workload" have been either settings that required different values based on "workload" have been either
removed or a sensible default has been picked. :gl:`#3664` removed or a sensible default has been picked. :gl:`#3664`
- The option :any:`auto-dnssec` is deprecated and will be removed in 9.19.
Please migrate to :any:`dnssec-policy`. :gl:`#3667`
- Deprecate setting the operating system limit (``coresize``, ``datasize``, - Deprecate setting the operating system limit (``coresize``, ``datasize``,
``files`` and ``stacksize``) from ``named.conf``. These options should be set ``files`` and ``stacksize``) from ``named.conf``. These options should be set
from the operating system (``ulimit``) or from the process supervisor from the operating system (``ulimit``) or from the process supervisor

4
lib/bind9/check.c
View File

@@ -3470,6 +3470,10 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
res3 = cfg_map_get(zoptions, "auto-dnssec", &obj); res3 = cfg_map_get(zoptions, "auto-dnssec", &obj);
if (res3 == ISC_R_SUCCESS) { if (res3 == ISC_R_SUCCESS) {
arg = cfg_obj_asstring(obj); arg = cfg_obj_asstring(obj);
cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
"'auto-dnssec' option is deprecated and "
"will be removed in BIND 9.19. Please "
"migrate to dnssec-policy");
} }
if (strcasecmp(arg, "off") != 0) { if (strcasecmp(arg, "off") != 0) {
if (!ddns && !signing && !has_dnssecpolicy) { if (!ddns && !signing && !has_dnssecpolicy) {

2
lib/isccfg/namedconf.c
View File

@@ -2245,7 +2245,7 @@ static cfg_clausedef_t zone_clauses[] = {
{ "alt-transfer-source-v6", &cfg_type_sockaddr6wild, { "alt-transfer-source-v6", &cfg_type_sockaddr6wild,
CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR }, CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR },
{ "auto-dnssec", &cfg_type_autodnssec, { "auto-dnssec", &cfg_type_autodnssec,
CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY }, CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_CLAUSEFLAG_DEPRECATED },
{ "check-dup-records", &cfg_type_checkmode, CFG_ZONE_PRIMARY }, { "check-dup-records", &cfg_type_checkmode, CFG_ZONE_PRIMARY },
{ "check-integrity", &cfg_type_boolean, CFG_ZONE_PRIMARY }, { "check-integrity", &cfg_type_boolean, CFG_ZONE_PRIMARY },
{ "check-mx", &cfg_type_checkmode, CFG_ZONE_PRIMARY }, { "check-mx", &cfg_type_checkmode, CFG_ZONE_PRIMARY },