deprecate delegation-only and root-delegation only

These options and zone type were created to address the
SiteFinder controversy, in which certain TLDs redirected queries
rather than returning NXDOMAIN. Since TLDs are now DNSSEC-signed,
this is no longer likely to be a problem.

The deprecation message for 'type delegation-only' is issued from
the configuration checker rather than the parser. therefore,
isccfg_check_namedconf() has been modified to take a 'nodeprecate'
parameter to suppress the warning when named-checkconf is used with
the command-line option to ignore warnings on deprecated options (-i).
Evan Hunt 2023-03-22 15:01:30 -07:00 committed by Ondřej Surý
parent c8c091b7f5
commit 2399556bee
12 changed files with 63 additions and 26 deletions


@ -733,7 +733,8 @@ main(int argc, char **argv) {
exit(1);
}
result = isccfg_check_namedconf(config, loadplugins, logc, mctx);
result = isccfg_check_namedconf(config, loadplugins, nodeprecate, logc,
mctx);
if (result != ISC_R_SUCCESS) {
exit_status = 1;
}


@ -8428,7 +8428,7 @@ load_configuration(const char *filename, named_server_t *server,
* checked later when the modules are actually loaded and
* registered.)
*/
result = isccfg_check_namedconf(config, false, named_g_lctx,
result = isccfg_check_namedconf(config, false, false, named_g_lctx,
named_g_mctx);
if (result != ISC_R_SUCCESS) {
goto cleanup_config;
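Review bot: The two adjacent boolean literals in the isccfg_check_namedconf() call give a reader no way to tell which is check_plugins and which is nodeprecate without opening the header, and the two are easy to transpose silently since both are bool; annotate them inline, e.g. `result = isccfg_check_namedconf(config, /* check_plugins */ false, /* nodeprecate */ false, named_g_lctx, named_g_mctx);`. Passing false for nodeprecate means named itself always logs the 'type delegation-only' warning, which matches the commit description's statement that suppression is a named-checkconf option. load_configuration() begins and ends outside the hunk.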


@ -23,6 +23,8 @@ options {
use-v6-udp-ports { range 1024 65535; };
avoid-v4-udp-ports { range 1 1023; };
avoid-v6-udp-ports { range 1 1023; };
root-delegation-only exclude { "them"; };
};
trusted-keys {
@ -48,7 +50,17 @@ managed-keys {
};
zone example.com {
type primary;
type primary;
file "maxttl-bad.db";
max-zone-ttl 120;
};
zone "." {
type hint;
file "shared.example.db";
delegation-only yes;
};
zone com {
type delegation-only;
};


@ -169,6 +169,9 @@ grep "option 'use-v4-udp-ports' is deprecated" < checkconf.out$n.1 > /dev/null |
grep "option 'use-v6-udp-ports' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
grep "option 'avoid-v4-udp-ports' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
grep "option 'avoid-v6-udp-ports' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
grep "option 'delegation-only' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
grep "option 'root-delegation-only' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
grep "'type delegation-only' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
grep "token 'port' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
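Review bot: The three added greps only assert that the deprecation messages are present in checkconf.out$n.1; nothing in this hunk checks that the -i option suppresses the `'type delegation-only' is deprecated` message, which is the new checker-side code path this commit introduces via nodeprecate. Unless that case is covered elsewhere in the script, add a run of named-checkconf with -i against the same configuration and assert the message is absent, e.g. `grep "'type delegation-only' is deprecated" < checkconf.out$n.2 > /dev/null && ret=1` (output file name illustrative). Without such a check a regression that ignores nodeprecate in check_zoneconf() would still pass this test. The enclosing test case begins before the hunk.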


@ -1599,7 +1599,7 @@ default is used.
IPv4 and AAAA when responding to queries that arrived via IPv6.
.. namedconf:statement:: root-delegation-only
:tags: query
:tags: deprecated
:short: Turns on enforcement of delegation-only in top-level domains (TLDs) and root zones with an optional exclude list.
This turns on enforcement of delegation-only in top-level domains (TLDs)
@ -1635,6 +1635,9 @@ default is used.
root-delegation-only exclude { "de"; "lv"; "us"; "museum"; };
};
This option is deprecated, and will be rendered non-operational in a
future release.
.. namedconf:statement:: disable-algorithms
:tags: dnssec
:short: Disables DNSSEC algorithms from a specified zone.
@ -6870,19 +6873,22 @@ Zone Types
zones are reloaded along with other zones.
.. namedconf:statement:: type delegation-only
:tags: query
:tags: deprecated
:short: Enforces the delegation-only status of infrastructure zones (COM, NET, ORG, etc.).
This zone type is used to enforce the delegation-only status of infrastructure
zones (e.g., COM, NET, ORG). Any answer that is received without an
explicit or implicit delegation in the authority section is treated
as NXDOMAIN. This does not apply to the zone apex, and should not be
applied to leaf zones.
This zone type is used to enforce the delegation-only status of
infrastructure zones (e.g., COM, NET, ORG). Any answer that is received
without an explicit or implicit delegation in the authority section is
treated as NXDOMAIN. This does not apply to the zone apex, and should
not be applied to leaf zones.
:any:`delegation-only` has no effect on answers received from forwarders.
See caveats in :any:`root-delegation-only`.
This zone type is deprecated, and will be rendered non-operational in a
future release.
.. namedconf:statement:: in-view
:tags: view, zone
:short: Specifies the view in which a given zone is defined.
@ -7011,7 +7017,7 @@ Zone Options
See the description of :any:`dialup` in :ref:`boolean_options`.
.. namedconf:statement:: delegation-only
:tags: zone
:tags: deprecated
:short: Indicates that a forward, hint, or stub zone is to be treated as a delegation-only type zone.
This flag only applies to forward, hint, and stub zones. If set to
@ -7020,6 +7026,9 @@ Zone Options
See caveats in :any:`root-delegation-only`.
This option is deprecated, and will be rendered non-operational in a
future release.
.. namedconf:statement:: file
:tags: zone
:short: Specifies the zone's filename.


@ -1,6 +1,6 @@
zone <string> [ <class> ] {
type forward;
delegation-only <boolean>;
delegation-only <boolean>; // deprecated
forward ( first | only );
forwarders [ port <integer> ] [ tls <string> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ tls <string> ]; ... };
};


@ -1,6 +1,6 @@
zone <string> [ <class> ] {
type hint;
check-names ( fail | warn | ignore );
delegation-only <boolean>;
delegation-only <boolean>; // deprecated
file <quoted_string>;
};


@ -250,7 +250,7 @@ options {
response-padding { <address_match_element>; ... } block-size <integer>;
response-policy { zone <string> [ add-soa <boolean> ] [ log <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ policy ( cname | disabled | drop | given | no-op | nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [ ede <string> ]; ... } [ add-soa <boolean> ] [ break-dnssec <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ min-ns-dots <integer> ] [ nsip-wait-recurse <boolean> ] [ nsdname-wait-recurse <boolean> ] [ qname-wait-recurse <boolean> ] [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [ dnsrps-enable <boolean> ] [ dnsrps-options { <unspecified-text> } ];
reuseport <boolean>;
root-delegation-only [ exclude { <string>; ... } ];
root-delegation-only [ exclude { <string>; ... } ]; // deprecated
root-key-sentinel <boolean>;
rrset-order { [ class <string> ] [ type <string> ] [ name <quoted_string> ] <string> <string>; ... };
secroots-file <quoted_string>;
@ -524,7 +524,7 @@ view <string> [ <class> ] {
resolver-retry-interval <integer>;
response-padding { <address_match_element>; ... } block-size <integer>;
response-policy { zone <string> [ add-soa <boolean> ] [ log <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ policy ( cname | disabled | drop | given | no-op | nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [ ede <string> ]; ... } [ add-soa <boolean> ] [ break-dnssec <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ min-ns-dots <integer> ] [ nsip-wait-recurse <boolean> ] [ nsdname-wait-recurse <boolean> ] [ qname-wait-recurse <boolean> ] [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [ dnsrps-enable <boolean> ] [ dnsrps-options { <unspecified-text> } ];
root-delegation-only [ exclude { <string>; ... } ];
root-delegation-only [ exclude { <string>; ... } ]; // deprecated
root-key-sentinel <boolean>;
rrset-order { [ class <string> ] [ type <string> ] [ name <quoted_string> ] <string> <string>; ... };
send-cookie <boolean>;


@ -4,7 +4,7 @@ zone <string> [ <class> ] {
allow-query-on { <address_match_element>; ... };
check-names ( fail | warn | ignore );
database <string>;
delegation-only <boolean>;
delegation-only <boolean>; // deprecated
dialup ( notify | notify-passive | passive | refresh | <boolean> );
file <quoted_string>;
forward ( first | only );


@ -2886,7 +2886,8 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
const cfg_obj_t *config, isc_symtab_t *symtab,
isc_symtab_t *files, isc_symtab_t *keydirs, isc_symtab_t *inview,
const char *viewname, dns_rdataclass_t defclass,
cfg_aclconfctx_t *actx, isc_log_t *logctx, isc_mem_t *mctx) {
bool nodeprecate, cfg_aclconfctx_t *actx, isc_log_t *logctx,
isc_mem_t *mctx) {
const char *znamestr;
const char *typestr = NULL;
const char *target = NULL;
@ -2972,6 +2973,11 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
ztype = CFG_ZONE_HINT;
} else if (strcasecmp(typestr, "delegation-only") == 0) {
ztype = CFG_ZONE_DELEGATION;
if (!nodeprecate) {
cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
"'type delegation-only' is "
"deprecated");
}
} else if (strcasecmp(typestr, "redirect") == 0) {
ztype = CFG_ZONE_REDIRECT;
} else {
@ -5230,7 +5236,8 @@ static isc_result_t
check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
const char *viewname, dns_rdataclass_t vclass,
isc_symtab_t *files, isc_symtab_t *keydirs, bool check_plugins,
isc_symtab_t *inview, isc_log_t *logctx, isc_mem_t *mctx) {
bool nodeprecate, isc_symtab_t *inview, isc_log_t *logctx,
isc_mem_t *mctx) {
const cfg_obj_t *zones = NULL;
const cfg_obj_t *view_tkeys = NULL, *global_tkeys = NULL;
const cfg_obj_t *view_mkeys = NULL, *global_mkeys = NULL;
@ -5288,7 +5295,7 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
tresult = check_zoneconf(zone, voptions, config, symtab, files,
keydirs, inview, viewname, vclass,
actx, logctx, mctx);
nodeprecate, actx, logctx, mctx);
if (tresult != ISC_R_SUCCESS) {
result = ISC_R_FAILURE;
}
@ -5901,7 +5908,7 @@ check_controls(const cfg_obj_t *config, isc_log_t *logctx, isc_mem_t *mctx) {
isc_result_t
isccfg_check_namedconf(const cfg_obj_t *config, bool check_plugins,
isc_log_t *logctx, isc_mem_t *mctx) {
bool nodeprecate, isc_log_t *logctx, isc_mem_t *mctx) {
const cfg_obj_t *options = NULL;
const cfg_obj_t *views = NULL;
const cfg_obj_t *acls = NULL;
@ -5990,8 +5997,8 @@ isccfg_check_namedconf(const cfg_obj_t *config, bool check_plugins,
if (views == NULL) {
tresult = check_viewconf(config, NULL, NULL, dns_rdataclass_in,
files, keydirs, check_plugins, inview,
logctx, mctx);
files, keydirs, check_plugins,
nodeprecate, inview, logctx, mctx);
if (result == ISC_R_SUCCESS && tresult != ISC_R_SUCCESS) {
result = ISC_R_FAILURE;
}
@ -6083,7 +6090,8 @@ isccfg_check_namedconf(const cfg_obj_t *config, bool check_plugins,
if (tresult == ISC_R_SUCCESS) {
tresult = check_viewconf(config, voptions, key, vclass,
files, keydirs, check_plugins,
inview, logctx, mctx);
nodeprecate, inview, logctx,
mctx);
}
if (tresult != ISC_R_SUCCESS) {
result = ISC_R_FAILURE;
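Review bot: The new warning in check_zoneconf() for `type delegation-only` carries no comment explaining why it is emitted from the checker while the other two deprecations in this commit use CFG_CLAUSEFLAG_DEPRECATED in the parser, so a later maintainer may try to "simplify" it by moving it. Add above the `if (!nodeprecate)` a comment such as `/* The "type" clause itself is not deprecated, only this value, so the parser's clause flags cannot warn about it; warn here, honouring -i via 'nodeprecate'. */` — the reason is inferred from the commit message and should be confirmed. The `nodeprecate` parameter is also spliced into a different position in each of the three signatures (before actx in check_zoneconf(), between check_plugins and inview in check_viewconf(), between check_plugins and logctx in isccfg_check_namedconf()); keeping it at a consistent relative position, next to any other bool parameter, would make the call sites easier to read and harder to mis-order. All three functions extend outside the visible hunks.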


@ -36,7 +36,7 @@ ISC_LANG_BEGINDECLS
isc_result_t
isccfg_check_namedconf(const cfg_obj_t *config, bool check_plugins,
isc_log_t *logctx, isc_mem_t *mctx);
bool nodeprecate, isc_log_t *logctx, isc_mem_t *mctx);
/*%<
* Check the syntactic validity of a configuration parse tree generated from
* a named.conf file.
@ -44,6 +44,8 @@ isccfg_check_namedconf(const cfg_obj_t *config, bool check_plugins,
* If 'check_plugins' is true, load plugins and check the validity of their
* parameters as well.
*
* If 'nodeprecate' is true, do not warn about deprecated configuration.
*
* Requires:
*\li config is a valid parse tree
*
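Review bot: The new sentence `If 'nodeprecate' is true, do not warn about deprecated configuration.` promises more than the parameter can deliver: isccfg_check_namedconf() receives an already-parsed tree, so the `delegation-only` and `root-delegation-only` warnings raised by the parser through CFG_CLAUSEFLAG_DEPRECATED have already been issued and are unaffected by this argument; in this commit it only controls the checker's own `'type delegation-only'` warning. Suggest narrowing it to `If 'nodeprecate' is true, do not warn about deprecated configuration detected by the checker itself (e.g. 'type delegation-only'); deprecation warnings issued during parsing are controlled separately.` Whether the checker emits other deprecation warnings outside this diff cannot be confirmed from the hunk.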


@ -2126,7 +2126,8 @@ static cfg_clausedef_t view_clauses[] = {
{ "response-padding", &cfg_type_resppadding, 0 },
{ "response-policy", &cfg_type_rpz, 0 },
{ "rfc2308-type1", NULL, CFG_CLAUSEFLAG_ANCIENT },
{ "root-delegation-only", &cfg_type_optional_exclude, 0 },
{ "root-delegation-only", &cfg_type_optional_exclude,
CFG_CLAUSEFLAG_DEPRECATED },
{ "root-key-sentinel", &cfg_type_boolean, 0 },
{ "rrset-order", &cfg_type_rrsetorder, 0 },
{ "send-cookie", &cfg_type_boolean, 0 },
@ -2374,7 +2375,8 @@ static cfg_clausedef_t zone_only_clauses[] = {
CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR |
CFG_ZONE_STUB },
{ "delegation-only", &cfg_type_boolean,
CFG_ZONE_HINT | CFG_ZONE_STUB | CFG_ZONE_FORWARD },
CFG_ZONE_HINT | CFG_ZONE_STUB | CFG_ZONE_FORWARD |
CFG_CLAUSEFLAG_DEPRECATED },
{ "dlz", &cfg_type_astring,
CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_REDIRECT },
{ "file", &cfg_type_qstring,