From 2399556beef5230f7632db48c09ca8d952903e08 Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Wed, 22 Mar 2023 15:01:30 -0700 Subject: [PATCH] deprecate delegation-only and root-delegation only These options and zone type were created to address the SiteFinder controversy, in which certain TLD's redirected queries rather than returning NXDOMAIN. since TLD's are now DNSSEC-signed, this is no longer likely to be a problem. The deprecation message for 'type delegation-only' is issued from the configuration checker rather than the parser. therefore, isccfg_check_namedconf() has been modified to take a 'nodeprecate' parameter to suppress the warning when named-checkconf is used with the command-line option to ignore warnings on deprecated options (-i). --- bin/check/named-checkconf.c | 3 ++- bin/named/server.c | 2 +- bin/tests/system/checkconf/deprecated.conf | 14 +++++++++++- bin/tests/system/checkconf/tests.sh | 3 +++ doc/arm/reference.rst | 25 +++++++++++++++------- doc/misc/forward.zoneopt | 2 +- doc/misc/hint.zoneopt | 2 +- doc/misc/options | 4 ++-- doc/misc/stub.zoneopt | 2 +- lib/isccfg/check.c | 22 +++++++++++++------ lib/isccfg/include/isccfg/check.h | 4 +++- lib/isccfg/namedconf.c | 6 ++++-- 12 files changed, 63 insertions(+), 26 deletions(-) diff --git a/bin/check/named-checkconf.c b/bin/check/named-checkconf.c index a24435f03e..798adca581 100644 --- a/bin/check/named-checkconf.c +++ b/bin/check/named-checkconf.c @@ -733,7 +733,8 @@ main(int argc, char **argv) { exit(1); } - result = isccfg_check_namedconf(config, loadplugins, logc, mctx); + result = isccfg_check_namedconf(config, loadplugins, nodeprecate, logc, + mctx); if (result != ISC_R_SUCCESS) { exit_status = 1; } diff --git a/bin/named/server.c b/bin/named/server.c index f40a641e32..518f494eb2 100644 --- a/bin/named/server.c +++ b/bin/named/server.c 
@@ -8428,7 +8428,7 @@ load_configuration(const char *filename, named_server_t *server, * checked later when the modules are actually loaded and * registered.) */ - result = isccfg_check_namedconf(config, false, named_g_lctx, + result = isccfg_check_namedconf(config, false, false, named_g_lctx, named_g_mctx); if (result != ISC_R_SUCCESS) { goto cleanup_config; diff --git a/bin/tests/system/checkconf/deprecated.conf b/bin/tests/system/checkconf/deprecated.conf index a21e2cde14..55d0f79e0b 100644 --- a/bin/tests/system/checkconf/deprecated.conf +++ b/bin/tests/system/checkconf/deprecated.conf @@ -23,6 +23,8 @@ options { use-v6-udp-ports { range 1024 65535; }; avoid-v4-udp-ports { range 1 1023; }; avoid-v6-udp-ports { range 1 1023; }; + + root-delegation-only exclude { "them"; }; }; trusted-keys { @@ -48,7 +50,17 @@ managed-keys { }; zone example.com { - type primary; + type primary; file "maxttl-bad.db"; max-zone-ttl 120; }; + +zone "." { + type hint; + file "shared.example.db"; + delegation-only yes; +}; + +zone com { + type delegation-only; +}; diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh index f65d603314..d67ab61ab9 100644 --- a/bin/tests/system/checkconf/tests.sh +++ b/bin/tests/system/checkconf/tests.sh 
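Review bot: The new call `isccfg_check_namedconf(config, false, false, named_g_lctx, named_g_mctx)` passes two adjacent unlabelled boolean literals, and the comment above it only explains the first one (plugins are checked when they are actually loaded), so a reader cannot tell which `false` is `nodeprecate` without opening check.h. Labelling the arguments, `result = isccfg_check_namedconf(config, /* check_plugins */ false, /* nodeprecate */ false, named_g_lctx, named_g_mctx);`, or adding one sentence to the existing comment saying that named itself always reports deprecated configuration and only named-checkconf -i silences it, would make the intent explicit. load_configuration begins and ends outside this hunk.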
@@ -169,6 +169,9 @@ grep "option 'use-v4-udp-ports' is deprecated" < checkconf.out$n.1 > /dev/null | grep "option 'use-v6-udp-ports' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 grep "option 'avoid-v4-udp-ports' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 grep "option 'avoid-v6-udp-ports' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 +grep "option 'delegation-only' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 +grep "option 'root-delegation-only' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 +grep "'type delegation-only' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 grep "token 'port' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index 4ae2389719..02c578bcbf 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst @@ -1599,7 +1599,7 @@ default is used. IPv4 and AAAA when responding to queries that arrived via IPv6. .. namedconf:statement:: root-delegation-only - :tags: query + :tags: deprecated :short: Turns on enforcement of delegation-only in top-level domains (TLDs) and root zones with an optional exclude list. This turns on enforcement of delegation-only in top-level domains (TLDs) @@ -1635,6 +1635,9 @@ default is used. root-delegation-only exclude { "de"; "lv"; "us"; "museum"; }; }; + This option is deprecated, and will be rendered non-operational in a + future release. + .. namedconf:statement:: disable-algorithms :tags: dnssec :short: Disables DNSSEC algorithms from a specified zone. 
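Review bot: The three new greps only assert that the deprecation warnings are emitted; nothing in this hunk checks that `named-checkconf -i` suppresses the new checker-issued `'type delegation-only' is deprecated` message, which is the behaviour the `nodeprecate` parameter was added for and the one most likely to regress, since it does not go through the parser's CFG_CLAUSEFLAG_DEPRECATED path like the other two. If the surrounding test case does not already run the same config with `-i` and assert the messages are absent, add the negative counterpart against that run's output, e.g. `grep "'type delegation-only' is deprecated" < <output of the -i run> > /dev/null && ret=1`. The test case starts before the first line of this hunk, so such a run may exist outside it.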
@@ -6870,19 +6873,22 @@ Zone Types zones are reloaded along with other zones. .. namedconf:statement:: type delegation-only - :tags: query + :tags: deprecated :short: Enforces the delegation-only status of infrastructure zones (COM, NET, ORG, etc.). - This zone type is used to enforce the delegation-only status of infrastructure - zones (e.g., COM, NET, ORG). Any answer that is received without an - explicit or implicit delegation in the authority section is treated - as NXDOMAIN. This does not apply to the zone apex, and should not be - applied to leaf zones. + This zone type is used to enforce the delegation-only status of + infrastructure zones (e.g., COM, NET, ORG). Any answer that is received + without an explicit or implicit delegation in the authority section is + treated as NXDOMAIN. This does not apply to the zone apex, and should + not be applied to leaf zones. :any:`delegation-only` has no effect on answers received from forwarders. See caveats in :any:`root-delegation-only`. + This zone type is deprecated, and will be rendered non-operational in a + future release. + .. namedconf:statement:: in-view :tags: view, zone :short: Specifies the view in which a given zone is defined. @@ -7011,7 +7017,7 @@ Zone Options See the description of :any:`dialup` in :ref:`boolean_options`. .. namedconf:statement:: delegation-only - :tags: zone + :tags: deprecated :short: Indicates that a forward, hint, or stub zone is to be treated as a delegation-only type zone. This flag only applies to forward, hint, and stub zones. If set to @@ -7020,6 +7026,9 @@ Zone Options See caveats in :any:`root-delegation-only`. + This option is deprecated, and will be rendered non-operational in a + future release. + .. namedconf:statement:: file :tags: zone :short: Specifies the zone's filename. diff --git a/doc/misc/forward.zoneopt b/doc/misc/forward.zoneopt index 6c5f38b013..a66d31e542 100644 --- a/doc/misc/forward.zoneopt +++ b/doc/misc/forward.zoneopt 
@@ -1,6 +1,6 @@ zone [ ] { type forward; - delegation-only ; + delegation-only ; // deprecated forward ( first | only ); forwarders [ port ] [ tls ] { ( | ) [ port ] [ tls ]; ... }; }; diff --git a/doc/misc/hint.zoneopt b/doc/misc/hint.zoneopt index d7ec16c739..d14c3efec1 100644 --- a/doc/misc/hint.zoneopt +++ b/doc/misc/hint.zoneopt @@ -1,6 +1,6 @@ zone [ ] { type hint; check-names ( fail | warn | ignore ); - delegation-only ; + delegation-only ; // deprecated file ; }; diff --git a/doc/misc/options b/doc/misc/options index 8fd53159dd..714e225214 100644 --- a/doc/misc/options +++ b/doc/misc/options @@ -250,7 +250,7 @@ options { response-padding { ; ... } block-size ; response-policy { zone [ add-soa ] [ log ] [ max-policy-ttl ] [ min-update-interval ] [ policy ( cname | disabled | drop | given | no-op | nodata | nxdomain | passthru | tcp-only ) ] [ recursive-only ] [ nsip-enable ] [ nsdname-enable ] [ ede ]; ... } [ add-soa ] [ break-dnssec ] [ max-policy-ttl ] [ min-update-interval ] [ min-ns-dots ] [ nsip-wait-recurse ] [ nsdname-wait-recurse ] [ qname-wait-recurse ] [ recursive-only ] [ nsip-enable ] [ nsdname-enable ] [ dnsrps-enable ] [ dnsrps-options { } ]; reuseport ; - root-delegation-only [ exclude { ; ... } ]; + root-delegation-only [ exclude { ; ... } ]; // deprecated root-key-sentinel ; rrset-order { [ class ] [ type ] [ name ] ; ... }; secroots-file ; 
@@ -524,7 +524,7 @@ view [ ] { resolver-retry-interval ; response-padding { ; ... } block-size ; response-policy { zone [ add-soa ] [ log ] [ max-policy-ttl ] [ min-update-interval ] [ policy ( cname | disabled | drop | given | no-op | nodata | nxdomain | passthru | tcp-only ) ] [ recursive-only ] [ nsip-enable ] [ nsdname-enable ] [ ede ]; ... } [ add-soa ] [ break-dnssec ] [ max-policy-ttl ] [ min-update-interval ] [ min-ns-dots ] [ nsip-wait-recurse ] [ nsdname-wait-recurse ] [ qname-wait-recurse ] [ recursive-only ] [ nsip-enable ] [ nsdname-enable ] [ dnsrps-enable ] [ dnsrps-options { } ]; - root-delegation-only [ exclude { ; ... } ]; + root-delegation-only [ exclude { ; ... } ]; // deprecated root-key-sentinel ; rrset-order { [ class ] [ type ] [ name ] ; ... }; send-cookie ; diff --git a/doc/misc/stub.zoneopt b/doc/misc/stub.zoneopt index ab1e49e189..414fd901b8 100644 --- a/doc/misc/stub.zoneopt +++ b/doc/misc/stub.zoneopt @@ -4,7 +4,7 @@ zone [ ] { allow-query-on { ; ... }; check-names ( fail | warn | ignore ); database ; - delegation-only ; + delegation-only ; // deprecated dialup ( notify | notify-passive | passive | refresh | ); file ; forward ( first | only ); diff --git a/lib/isccfg/check.c b/lib/isccfg/check.c index 1846ee5df7..0469eaf969 100644 --- a/lib/isccfg/check.c +++ b/lib/isccfg/check.c @@ -2886,7 +2886,8 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions, const cfg_obj_t *config, isc_symtab_t *symtab, isc_symtab_t *files, isc_symtab_t *keydirs, isc_symtab_t *inview, const char *viewname, dns_rdataclass_t defclass, - cfg_aclconfctx_t *actx, isc_log_t *logctx, isc_mem_t *mctx) { + bool nodeprecate, cfg_aclconfctx_t *actx, isc_log_t *logctx, + isc_mem_t *mctx) { const char *znamestr; const char *typestr = NULL; const char *target = NULL; 
@@ -2972,6 +2973,11 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions, ztype = CFG_ZONE_HINT; } else if (strcasecmp(typestr, "delegation-only") == 0) { ztype = CFG_ZONE_DELEGATION; + if (!nodeprecate) { + cfg_obj_log(obj, logctx, ISC_LOG_WARNING, + "'type delegation-only' is " + "deprecated"); + } } else if (strcasecmp(typestr, "redirect") == 0) { ztype = CFG_ZONE_REDIRECT; } else { @@ -5230,7 +5236,8 @@ static isc_result_t check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions, const char *viewname, dns_rdataclass_t vclass, isc_symtab_t *files, isc_symtab_t *keydirs, bool check_plugins, - isc_symtab_t *inview, isc_log_t *logctx, isc_mem_t *mctx) { + bool nodeprecate, isc_symtab_t *inview, isc_log_t *logctx, + isc_mem_t *mctx) { const cfg_obj_t *zones = NULL; const cfg_obj_t *view_tkeys = NULL, *global_tkeys = NULL; const cfg_obj_t *view_mkeys = NULL, *global_mkeys = NULL; @@ -5288,7 +5295,7 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions, tresult = check_zoneconf(zone, voptions, config, symtab, files, keydirs, inview, viewname, vclass, - actx, logctx, mctx); + nodeprecate, actx, logctx, mctx); if (tresult != ISC_R_SUCCESS) { result = ISC_R_FAILURE; } @@ -5901,7 +5908,7 @@ check_controls(const cfg_obj_t *config, isc_log_t *logctx, isc_mem_t *mctx) { isc_result_t isccfg_check_namedconf(const cfg_obj_t *config, bool check_plugins, - isc_log_t *logctx, isc_mem_t *mctx) { + bool nodeprecate, isc_log_t *logctx, isc_mem_t *mctx) { const cfg_obj_t *options = NULL; const cfg_obj_t *views = NULL; const cfg_obj_t *acls = NULL; @@ -5990,8 +5997,8 @@ isccfg_check_namedconf(const cfg_obj_t *config, bool check_plugins, if (views == NULL) { tresult = check_viewconf(config, NULL, NULL, dns_rdataclass_in, - files, keydirs, check_plugins, inview, - logctx, mctx); + files, keydirs, check_plugins, + nodeprecate, inview, logctx, mctx); if (result == ISC_R_SUCCESS && tresult != ISC_R_SUCCESS) { result = ISC_R_FAILURE; } 
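Review bot: The new warning in the `delegation-only` branch of check_zoneconf is the only deprecation message issued by the checker rather than by the parser's CFG_CLAUSEFLAG_DEPRECATED mechanism, yet nothing at the site says why it lives here or why it alone is gated on `nodeprecate`; a maintainer is likely to "fix" the inconsistency by removing the gate or moving the message. Presumably the reason is that the zone type is parsed as a plain string and so cannot carry a clause flag; if that is the case, record it with a comment on the branch: `/* The zone type is a string, not a clause, so the parser's deprecation flag cannot mark it; warn here and honour named-checkconf -i via nodeprecate. */`. It is also worth confirming that the `obj` handed to cfg_obj_log is the 'type' object (its assignment is above the hunk) so the warning points at the offending line. check_zoneconf begins in the previous hunk and ends after this one.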
@@ -6083,7 +6090,8 @@ isccfg_check_namedconf(const cfg_obj_t *config, bool check_plugins, if (tresult == ISC_R_SUCCESS) { tresult = check_viewconf(config, voptions, key, vclass, files, keydirs, check_plugins, - inview, logctx, mctx); + nodeprecate, inview, logctx, + mctx); } if (tresult != ISC_R_SUCCESS) { result = ISC_R_FAILURE; diff --git a/lib/isccfg/include/isccfg/check.h b/lib/isccfg/include/isccfg/check.h index b96e9f50e5..c1cccfef3b 100644 --- a/lib/isccfg/include/isccfg/check.h +++ b/lib/isccfg/include/isccfg/check.h @@ -36,7 +36,7 @@ ISC_LANG_BEGINDECLS isc_result_t isccfg_check_namedconf(const cfg_obj_t *config, bool check_plugins, - isc_log_t *logctx, isc_mem_t *mctx); + bool nodeprecate, isc_log_t *logctx, isc_mem_t *mctx); /*%< * Check the syntactic validity of a configuration parse tree generated from * a named.conf file. @@ -44,6 +44,8 @@ isccfg_check_namedconf(const cfg_obj_t *config, bool check_plugins, * If 'check_plugins' is true, load plugins and check the validity of their * parameters as well. * + * If 'nodeprecate' is true, do not warn about deprecated configuration. + * * Requires: *\li config is a valid parse tree * diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c index 13eeed8580..d1c1b4208c 100644 --- a/lib/isccfg/namedconf.c +++ b/lib/isccfg/namedconf.c @@ -2126,7 +2126,8 @@ static cfg_clausedef_t view_clauses[] = { { "response-padding", &cfg_type_resppadding, 0 }, { "response-policy", &cfg_type_rpz, 0 }, { "rfc2308-type1", NULL, CFG_CLAUSEFLAG_ANCIENT }, - { "root-delegation-only", &cfg_type_optional_exclude, 0 }, + { "root-delegation-only", &cfg_type_optional_exclude, + CFG_CLAUSEFLAG_DEPRECATED }, { "root-key-sentinel", &cfg_type_boolean, 0 }, { "rrset-order", &cfg_type_rrsetorder, 0 }, { "send-cookie", &cfg_type_boolean, 0 }, 
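Review bot: The added header comment `If 'nodeprecate' is true, do not warn about deprecated configuration.` overstates what the parameter does: per the commit description it only suppresses the deprecation warning the checker issues itself (currently `'type delegation-only'`), while the `delegation-only` and `root-delegation-only` warnings are produced by the parser through CFG_CLAUSEFLAG_DEPRECATED and are not affected by this flag. A caller reading only check.h would expect `nodeprecate = true` to silence all of them. Suggest replacing the sentence with ` * If 'nodeprecate' is true, suppress the deprecation warnings that the checker itself issues (e.g. for 'type delegation-only'). Deprecated clauses are reported by the parser regardless of this setting.`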
@@ -2374,7 +2375,8 @@ static cfg_clausedef_t zone_only_clauses[] = { CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR | CFG_ZONE_STUB }, { "delegation-only", &cfg_type_boolean, - CFG_ZONE_HINT | CFG_ZONE_STUB | CFG_ZONE_FORWARD }, + CFG_ZONE_HINT | CFG_ZONE_STUB | CFG_ZONE_FORWARD | + CFG_CLAUSEFLAG_DEPRECATED }, { "dlz", &cfg_type_astring, CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_REDIRECT }, { "file", &cfg_type_qstring,
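Review bot: The `delegation-only` entry now ORs a CFG_CLAUSEFLAG_* bit into the same flags word as the CFG_ZONE_* zone-type mask, which is only safe if the two bit ranges are disjoint and every consumer of zone_only_clauses masks the word before comparing zone types; neither fact is visible in this hunk, so it should be checked against the flag definitions in the grammar header before merging. If this is the first entry in the table that combines the two kinds of flag, a one-line comment at the entry, `/* zone-type bits and clause flags share this word; the ranges must not overlap */`, would protect the next person adding a flag. The zone_only_clauses table continues outside the hunk.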