upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-06-10 14:10:04 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

flag "random-device" as obsolete

Browse source 
the "random-device" option was made non-functional in 9.13, but was
not marked as obsolete at that time. this is now fixed; configuring
"random-device" will trigger a warning.
This commit is contained in:
Evan Hunt 2022-09-13 18:29:20 -07:00
parent 0ffef8ceba
commit 17da7dee5c
6 changed files with 26 additions and 28 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
bin/tests/system/checkconf/tests.sh
View file

@ -615,6 +615,13 @@ grep "option 'max-zone-ttl' is ignored when used together with 'dnssec-policy'"
if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "check obsolete options generate warnings ($n)"
ret=0
$CHECKCONF warn-random-device.conf > checkconf.out$n 2>/dev/null || ret=1
grep "option 'random-device' is obsolete and should be removed" < checkconf.out$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
status=`expr $status + $ret`
rmdir keys
echo_i "exit status: $status"

16
bin/tests/system/checkconf/warn-random-device.conf Normal file
View file

@ -0,0 +1,16 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
random-device "/dev/urandom";
};

25
doc/arm/reference.rst
View file

@ -1647,31 +1647,6 @@ default is used.
classify outgoing DNS traffic, on operating systems that support DSCP.
Valid values are 0 through 63. It is not configured by default.
.. namedconf:statement:: random-device
:tags: server, security
:short: Specifies a source of entropy to be used by the server.
This specifies a source of entropy to be used by the server; it is a
device or file from which to read entropy. If it is a file,
operations requiring entropy will fail when the file has been
exhausted.
Entropy is needed for cryptographic operations such as TKEY
transactions, dynamic update of signed zones, and generation of TSIG
session keys. It is also used for seeding and stirring the
pseudo-random number generator which is used for less critical
functions requiring randomness, such as generation of DNS message
transaction IDs.
If :any:`random-device` is not specified, or if it is set to ``none``,
entropy is read from the random number generation function
supplied by the cryptographic library with which BIND was linked
(i.e. OpenSSL or a PKCS#11 provider).
The :any:`random-device` option takes effect during the initial
configuration load at server startup time and is ignored on
subsequent reloads.
.. namedconf:statement:: preferred-glue
:tags: query
:short: Controls the order of glue records in an A or AAAA response.

2
doc/man/named.conf.5in
View file

@ -283,7 +283,7 @@ options {
query\-source ( ( [ address ] ( <ipv4_address> | * ) [ port ( <integer> | * ) ] ) | ( [ [ address ] ( <ipv4_address> | * ) ] port ( <integer> | * ) ) ) [ dscp <integer> ];
query\-source\-v6 ( ( [ address ] ( <ipv6_address> | * ) [ port ( <integer> | * ) ] ) | ( [ [ address ] ( <ipv6_address> | * ) ] port ( <integer> | * ) ) ) [ dscp <integer> ];
querylog <boolean>;
random\-device ( <quoted_string> | none );
random\-device ( <quoted_string> | none ); // obsolete
rate\-limit {
all\-per\-second <integer>;
errors\-per\-second <integer>;

2
doc/misc/options
View file

@ -226,7 +226,7 @@ options {
query-source ( ( [ address ] ( <ipv4_address> | * ) [ port ( <integer> | * ) ] ) | ( [ [ address ] ( <ipv4_address> | * ) ] port ( <integer> | * ) ) ) [ dscp <integer> ];
query-source-v6 ( ( [ address ] ( <ipv6_address> | * ) [ port ( <integer> | * ) ] ) | ( [ [ address ] ( <ipv6_address> | * ) ] port ( <integer> | * ) ) ) [ dscp <integer> ];
querylog <boolean>;
random-device ( <quoted_string> | none );
random-device ( <quoted_string> | none ); // obsolete
rate-limit {
all-per-second <integer>;
errors-per-second <integer>;

2
lib/isccfg/namedconf.c
View file

@ -1304,7 +1304,7 @@ static cfg_clausedef_t options_clauses[] = {
{ "https-port", &cfg_type_uint32, CFG_CLAUSEFLAG_NOTCONFIGURED },
#endif
{ "querylog", &cfg_type_boolean, 0 },
{ "random-device", &cfg_type_qstringornone, 0 },
{ "random-device", &cfg_type_qstringornone, CFG_CLAUSEFLAG_OBSOLETE },
{ "recursing-file", &cfg_type_qstring, 0 },
{ "recursive-clients", &cfg_type_uint32, 0 },
{ "reuseport", &cfg_type_boolean, 0 },