Merge branch '3041-decide-what-to-do-with-reject-000-and-other-obscure-options-for-synth-from-dnssec-feature' into 'main'

remove reject-000 and broken-nsec options (related to synth-from-dnssec feature)

Closes #3041

See merge request isc-projects/bind9!5621
Mark Andrews 2021-12-23 05:14:50 +00:00
commit 3959776b02
25 changed files with 23 additions and 291 deletions


@ -43,13 +43,7 @@
5774. [func] Restore NSEC Aggressive Cache ("synth-from-dnssec")
as active by default. It is limited to NSEC only
and by default ignores NSEC records with next name
in form \000.domain.
Added 'server <prefix> { broken-nsec yes; };' to
identify servers from which NSEC records in negative
responses will not be cached. These records will
then not be available for synth-from-dnssec to use.
[GL #1265]
in form \000.domain. [GL #1265]
5773. [func] Change the message when accepting TCP connection has
failed to say "Accepting TCP connection failed" and


@ -177,7 +177,6 @@ options {\n\
query-source address *;\n\
query-source-v6 address *;\n\
recursion true;\n\
reject-000-label yes;\n\
request-expire true;\n\
request-ixfr true;\n\
require-server-cookie no;\n\


@ -388,7 +388,6 @@ OPTIONS
recursing-file quoted_string;
recursion boolean;
recursive-clients integer;
reject-000-label boolean;// deprecated
request-expire boolean;
request-ixfr boolean;
request-nsid boolean;
@ -514,7 +513,6 @@ SERVER
server netprefix {
bogus boolean;
broken-nsec boolean;// deprecated
edns boolean;
edns-udp-size integer;
edns-version integer;
@ -794,7 +792,6 @@ VIEW
window integer;
};
recursion boolean;
reject-000-label boolean;// deprecated
request-expire boolean;
request-ixfr boolean;
request-nsid boolean;
@ -825,7 +822,6 @@ VIEW
serial-update-method ( date | increment | unixtime );
server netprefix {
bogus boolean;
broken-nsec boolean;// deprecated
edns boolean;
edns-udp-size integer;
edns-version integer;


@ -1437,12 +1437,6 @@ configure_peer(const cfg_obj_t *cpeer, isc_mem_t *mctx, dns_peer_t **peerp) {
CHECK(dns_peer_setbogus(peer, cfg_obj_asboolean(obj)));
}
obj = NULL;
(void)cfg_map_get(cpeer, "broken-nsec", &obj);
if (obj != NULL) {
CHECK(dns_peer_setbrokennsec(peer, cfg_obj_asboolean(obj)));
}
obj = NULL;
(void)cfg_map_get(cpeer, "provide-ixfr", &obj);
if (obj != NULL) {
@ -4456,11 +4450,6 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config,
INSIST(result == ISC_R_SUCCESS);
view->acceptexpired = cfg_obj_asboolean(obj);
obj = NULL;
result = named_config_get(maps, "reject-000-label", &obj);
INSIST(result == ISC_R_SUCCESS);
view->reject_000_label = cfg_obj_asboolean(obj);
obj = NULL;
/* 'optionmaps', not 'maps': don't check named_g_defaults yet */
(void)named_config_get(optionmaps, "dnssec-validation", &obj);


@ -1,14 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
server 10.0.0/24 {
broken-nsec yes;
};


@ -5,7 +5,6 @@ key example {
server 0.0.0.0 {
bogus no;
broken-nsec no;
edns no;
edns-udp-size 512;
edns-version 0;
@ -28,7 +27,6 @@ server 0.0.0.0 {
server :: {
bogus no;
broken-nsec no;
edns no;
edns-udp-size 512;
edns-version 0;


@ -1,49 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// NS2
options {
query-source address 10.53.0.7;
notify-source 10.53.0.7;
transfer-source 10.53.0.7;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.7; };
listen-on-v6 { none; };
recursion yes;
notify no;
dnssec-validation yes;
};
server 10.53.0.1 {
broken-nsec yes;
};
key rndc_key {
secret "1234abcd8765";
algorithm hmac-sha256;
};
controls {
inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
statistics-channels {
inet 10.53.0.7 port @EXTRAPORT1@ allow { any; };
};
zone "." {
type hint;
file "root.hints";
};
include "../ns1/trusted.conf";


@ -1,11 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
. NS ns1
ns1 A 10.53.0.1


@ -1,46 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// NS2
options {
query-source address 10.53.0.8;
notify-source 10.53.0.8;
transfer-source 10.53.0.8;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.8; };
listen-on-v6 { none; };
recursion yes;
notify no;
dnssec-validation yes;
reject-000-label no;
};
key rndc_key {
secret "1234abcd8765";
algorithm hmac-sha256;
};
controls {
inet 10.53.0.8 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
statistics-channels {
inet 10.53.0.8 port @EXTRAPORT1@ allow { any; };
};
zone "." {
type hint;
file "root.hints";
};
include "../ns1/trusted.conf";


@ -1,11 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
. NS ns1
ns1 A 10.53.0.1


@ -20,8 +20,6 @@ copy_setports ns3/named.conf.in ns3/named.conf
copy_setports ns4/named.conf.in ns4/named.conf
copy_setports ns5/named.conf.in ns5/named.conf
copy_setports ns6/named.conf.in ns6/named.conf
copy_setports ns7/named.conf.in ns7/named.conf
copy_setports ns8/named.conf.in ns8/named.conf
(
cd ns1


@ -19,7 +19,6 @@ set -e
status=0
n=1
synth_default=yes
reject_default=yes
rm -f dig.out.*
@ -99,15 +98,13 @@ check_auth_count() {
return 0
}
for ns in 2 4 5 6 7 8
for ns in 2 4 5 6
do
case $ns in
2) ad=yes; description="<default>";;
4) ad=yes; description="no";;
5) ad=yes; description="yes";;
6) ad=no; description="yes; dnssec-validation no";;
7) ad=yes; description="yes; server 10.53.0.1 { broken-nsec yes; };";;
8) ad=yes; description="yes; reject-000-label no;";;
*) exit 1;;
esac
echo_i "prime negative NXDOMAIN response (synth-from-dnssec ${description};) ($n)"
@ -333,15 +330,13 @@ status=$((status+ret))
#
sleep 1
for ns in 2 4 5 6 7 8
for ns in 2 4 5 6
do
case $ns in
2) ad=yes synth=${synth_default} reject=${reject_default} description="<default>";;
4) ad=yes synth=no reject=${reject_default} description="no";;
5) ad=yes synth=yes reject=${reject_default} description="yes";;
6) ad=no synth=no reject=${reject_default} description="yes; dnssec-validation no";;
7) ad=yes synth=no reject=${reject_default} description="yes; server 10.53.0.1 { broken-nsec yes; };";;
8) ad=yes synth=yes reject=no description="yes; reject-000-label no;";;
2) ad=yes synth=${synth_default} description="<default>";;
4) ad=yes synth=no description="no";;
5) ad=yes synth=yes description="yes";;
6) ad=no synth=no description="yes; dnssec-validation no";;
*) exit 1;;
esac
echo_i "check synthesized NXDOMAIN response (synth-from-dnssec ${description};) ($n)"
@ -591,20 +586,14 @@ do
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
echo_i "check back lie NODATA response (synth-from-dnssec ${description};) ($n)"
echo_i "check black lie NODATA response (synth-from-dnssec ${description};) ($n)"
ret=0
nextpart ns1/named.run > /dev/null
dig_with_opts black.minimal. @10.53.0.${ns} aaaa > dig.out.ns${ns}.test$n || ret=1
check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
check_status NOERROR dig.out.ns${ns}.test$n || ret=1
if [ ${synth} = yes -a ${reject} = no ]
then
check_synth_soa minimal. dig.out.ns${ns}.test$n || ret=1
nextpart ns1/named.run | grep black.minimal/AAAA > /dev/null && ret=1
else
check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1
nextpart ns1/named.run | grep black.minimal/AAAA > /dev/null || ret=1
fi
check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1
nextpart ns1/named.run | grep black.minimal/AAAA > /dev/null || ret=1
digcomp black.out dig.out.ns${ns}.test$n || ret=1
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
@ -665,11 +654,11 @@ do
count=$(grep "cache NSEC auxiliary database nodes" ns${ns}/named.stats | wc -l)
test $count = 2 || ret=1
zero=$(grep "0 cache NSEC auxiliary database nodes" ns${ns}/named.stats | wc -l)
if [ ${ad} = no -o $ns = 7 ]
if [ ${ad} = yes ]
then
test $zero = 2 || ret=1
else
test $zero = 1 || ret=1
else
test $zero = 2 || ret=1
fi
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
@ -679,7 +668,7 @@ do
do
case $synthesized in
NXDOMAIN) count=1;;
no-data) if [ ${reject} = yes ]; then count=4; else count=5; fi;;
no-data) count=4;;
wildcard) count=2;;
esac
echo_i "check 'rndc stats' output for 'synthesized a ${synthesized} response' (synth-from-dnssec ${description};) ($n)"
@ -726,11 +715,11 @@ do
count=$(echo "$counter" | grep CacheNSECNodes | wc -l)
test $count = 1 || ret=1
zero=$(echo "$counter" | grep ">0<" | wc -l)
if [ ${ad} = no -o $ns = 7 ]
if [ ${ad} = yes ]
then
test $zero = 1 || ret=1
else
test $zero = 0 || ret=1
else
test $zero = 1 || ret=1
fi
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
@ -740,7 +729,7 @@ do
do
case $synthesized in
SynthNXDOMAIN) count=1;;
SynthNODATA) if [ $reject = yes ]; then count=4; else count=5; fi;;
SynthNODATA) count=4;;
SynthWILDCARD) count=2;;
esac
@ -789,11 +778,11 @@ do
count=$(grep '"CacheNSECNodes":' $json | wc -l)
test $count = 2 || ret=1
zero=$(grep '"CacheNSECNodes":0' $json | wc -l)
if [ ${ad} = no -o $ns = 7 ]
if [ ${ad} = yes ]
then
test $zero = 2 || ret=1
else
test $zero = 1 || ret=1
else
test $zero = 2 || ret=1
fi
n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
@ -803,7 +792,7 @@ do
do
case $synthesized in
SynthNXDOMAIN) count=1;;
SynthNODATA) if [ $reject = yes ]; then count=4; else count=5; fi;;
SynthNODATA) count=4;;
SynthWILDCARD) count=2;;
esac
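Review bot: The hard-coded `count=4` for `no-data` / `SynthNODATA` (three places in the `rndc stats`, XML and JSON loops) no longer shows where the number comes from. Before this change the `reject` switch made it visible that the fifth NODATA synthesis was the black-lie query, which is now always answered by ns1 rather than synthesized. A comment beside the first occurrence would keep the expectation explainable, for example `# black.minimal is never synthesized: NSEC with a \000 next name is not cached`. The same applies to `[ ${ad} = yes ]`, which now stands in for "this resolver has NSEC cache nodes" without saying so. This is inferred from the removed `reject` branches, and the loop bodies start and end outside the hunks.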


@ -2100,17 +2100,6 @@ Boolean Options
default is ``no``. Setting this option to ``yes`` leaves ``named``
vulnerable to replay attacks.
.. _reject_000_label:
``reject-000-label``
This controls whether NSEC records whose Next Owner Name field starts
with a ``\000`` label are cached for use by the ``synth-from-dnssec``
feature. The default is ``yes``, which means these records are not
used for negative response synthesis. This is a temporary measure to
improve interoperability with authoritative servers that generate
incorrect NSEC records. The default value of this option may change
in a future release, or it may be removed altogether.
``querylog``
Query logging provides a complete log of all incoming queries and all query
errors. This provides more insight into the server's activity, but with a
@ -2257,12 +2246,6 @@ Boolean Options
have been proved to be correct using DNSSEC.
The default is ``yes``.
The ``reject-000-label`` :ref:`option <reject_000_label>` and the
``broken-nsec`` :ref:`server configuration clause
<server_broken_nsec>` can be used to prevent broken NSEC records from
causing incorrect negative responses to be synthesized when
``synth-from-dnssec`` is set to ``yes``.
.. note:: DNSSEC validation must be enabled for this option to be effective.
This initial implementation only covers synthesis of answers from
NSEC records; synthesis from NSEC3 is planned for the future. This
@ -4556,16 +4539,6 @@ If a remote server is giving out bad data, marking it
as bogus prevents further queries to it. The default value of
``bogus`` is ``no``.
.. _server_broken_nsec:
The ``broken-nsec`` clause determines whether the NSEC records found in
negative responses sent by the remote server are ignored for the purpose
of synthesizing negative responses or not. The default is ``no``.
Setting this to ``yes`` can be used to prevent broken NSEC records from
causing incorrect negative responses to be synthesized when
``synth-from-dnssec`` is set to ``yes``. This option may be removed in a
future release.
The ``provide-ixfr`` clause determines whether the local server, acting
as primary, responds with an incremental zone transfer when the given
remote server, a secondary, requests it. If set to ``yes``, incremental


@ -455,7 +455,6 @@ options {
recursing\-file quoted_string;
recursion boolean;
recursive\-clients integer;
reject\-000\-label boolean;// deprecated
request\-expire boolean;
request\-ixfr boolean;
request\-nsid boolean;
@ -597,7 +596,6 @@ primaries string [ port integer ] [ dscp
.ft C
server netprefix {
bogus boolean;
broken\-nsec boolean;// deprecated
edns boolean;
edns\-udp\-size integer;
edns\-version integer;
@ -897,7 +895,6 @@ view string [ class ] {
window integer;
};
recursion boolean;
reject\-000\-label boolean;// deprecated
request\-expire boolean;
request\-ixfr boolean;
request\-nsid boolean;
@ -928,7 +925,6 @@ view string [ class ] {
serial\-update\-method ( date | increment | unixtime );
server netprefix {
bogus boolean;
broken\-nsec boolean;// deprecated
edns boolean;
edns\-udp\-size integer;
edns\-version integer;


@ -313,7 +313,6 @@ options {
recursing-file <quoted_string>;
recursion <boolean>;
recursive-clients <integer>;
reject-000-label <boolean>; // deprecated
request-expire <boolean>;
request-ixfr <boolean>;
request-nsid <boolean>;
@ -420,7 +419,6 @@ primaries <string> [ port <integer> ] [ dscp
server <netprefix> {
bogus <boolean>;
broken-nsec <boolean>; // deprecated
edns <boolean>;
edns-udp-size <integer>;
edns-version <integer>;
@ -674,7 +672,6 @@ view <string> [ <class> ] {
window <integer>;
};
recursion <boolean>;
reject-000-label <boolean>; // deprecated
request-expire <boolean>;
request-ixfr <boolean>;
request-nsid <boolean>;
@ -705,7 +702,6 @@ view <string> [ <class> ] {
serial-update-method ( date | increment | unixtime );
server <netprefix> {
bogus <boolean>;
broken-nsec <boolean>; // deprecated
edns <boolean>;
edns-udp-size <integer>;
edns-version <integer>;


@ -311,7 +311,6 @@ options {
recursing-file <quoted_string>;
recursion <boolean>;
recursive-clients <integer>;
reject-000-label <boolean>; // deprecated
request-expire <boolean>;
request-ixfr <boolean>;
request-nsid <boolean>;
@ -417,7 +416,6 @@ primaries <string> [ port <integer> ] [ dscp
server <netprefix> {
bogus <boolean>;
broken-nsec <boolean>; // deprecated
edns <boolean>;
edns-udp-size <integer>;
edns-version <integer>;
@ -670,7 +668,6 @@ view <string> [ <class> ] {
window <integer>;
};
recursion <boolean>;
reject-000-label <boolean>; // deprecated
request-expire <boolean>;
request-ixfr <boolean>;
request-nsid <boolean>;
@ -701,7 +698,6 @@ view <string> [ <class> ] {
serial-update-method ( date | increment | unixtime );
server <netprefix> {
bogus <boolean>;
broken-nsec <boolean>; // deprecated
edns <boolean>;
edns-udp-size <integer>;
edns-version <integer>;


@ -231,7 +231,6 @@
recursing-file <quoted_string>;
recursion <boolean>;
recursive-clients <integer>;
reject-000-label <boolean>; // deprecated
request-expire <boolean>;
request-ixfr <boolean>;
request-nsid <boolean>;


@ -2,7 +2,6 @@
server <netprefix> {
bogus <boolean>;
broken-nsec <boolean>; // deprecated
edns <boolean>;
edns-udp-size <integer>;
edns-version <integer>;


@ -4099,7 +4099,6 @@ static struct {
isc_result_t (*set)(dns_peer_t *peer, bool newval);
} bools[] = {
{ "bogus", dns_peer_setbogus },
{ "broken-nsec", dns_peer_setbrokennsec },
{ "edns", dns_peer_setsupportedns },
{ "provide-ixfr", dns_peer_setprovideixfr },
{ "request-expire", dns_peer_setrequestexpire },


@ -86,12 +86,6 @@ dns_peer_attach(dns_peer_t *source, dns_peer_t **target);
void
dns_peer_detach(dns_peer_t **list);
isc_result_t
dns_peer_setbrokennsec(dns_peer_t *peer, bool newval);
isc_result_t
dns_peer_getbrokennsec(dns_peer_t *peer, bool *retval);
isc_result_t
dns_peer_setbogus(dns_peer_t *peer, bool newval);


@ -130,7 +130,6 @@ struct dns_view {
bool synthfromdnssec;
bool trust_anchor_telemetry;
bool root_key_sentinel;
bool reject_000_label;
dns_transfer_format_t transfer_format;
dns_acl_t *cacheacl;
dns_acl_t *cacheonacl;


@ -58,7 +58,6 @@ struct dns_peer {
bool force_tcp;
bool tcp_keepalive;
bool check_axfr_id;
bool broken_nsec;
dns_name_t *key;
isc_sockaddr_t *transfer_source;
isc_dscp_t transfer_dscp;
@ -97,7 +96,6 @@ struct dns_peer {
#define FORCE_TCP_BIT 15
#define SERVER_PADDING_BIT 16
#define REQUEST_TCP_KEEPALIVE_BIT 17
#define BROKEN_NSEC 18
static void
peerlist_delete(dns_peerlist_t **list);
@ -592,33 +590,6 @@ dns_peer_gettcpkeepalive(dns_peer_t *peer, bool *retval) {
}
}
isc_result_t
dns_peer_setbrokennsec(dns_peer_t *peer, bool newval) {
bool existed;
REQUIRE(DNS_PEER_VALID(peer));
existed = DNS_BIT_CHECK(BROKEN_NSEC, &peer->bitflags);
peer->broken_nsec = newval;
DNS_BIT_SET(BROKEN_NSEC, &peer->bitflags);
return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
}
isc_result_t
dns_peer_getbrokennsec(dns_peer_t *peer, bool *retval) {
REQUIRE(DNS_PEER_VALID(peer));
REQUIRE(retval != NULL);
if (DNS_BIT_CHECK(BROKEN_NSEC, &peer->bitflags)) {
*retval = peer->broken_nsec;
return (ISC_R_SUCCESS);
} else {
return (ISC_R_NOTFOUND);
}
}
isc_result_t
dns_peer_settransfers(dns_peer_t *peer, uint32_t newval) {
bool existed;


@ -5343,7 +5343,6 @@ validated(isc_task_t *task, isc_event_t *event) {
dns_valarg_t *valarg;
dns_validatorevent_t *vevent;
fetchctx_t *fctx = NULL;
bool broken_nsec = false;
bool chaining;
bool negative;
bool sentresponse;
@ -5356,8 +5355,6 @@ validated(isc_task_t *task, isc_event_t *event) {
dns_fixedname_t fwild;
dns_name_t *wild = NULL;
dns_message_t *message = NULL;
dns_peer_t *peer = NULL;
isc_netaddr_t ipaddr;
UNUSED(task); /* for now */
@ -5686,11 +5683,6 @@ validated(isc_task_t *task, isc_event_t *event) {
answer_response:
isc_netaddr_fromsockaddr(&ipaddr, &addrinfo->sockaddr);
(void)dns_peerlist_peerbyaddr(fctx->res->view->peers, &ipaddr, &peer);
if (peer != NULL) {
(void)dns_peer_getbrokennsec(peer, &broken_nsec);
}
/*
* Cache any SOA/NS/NSEC records that happened to be validated.
*/
@ -5724,15 +5716,6 @@ answer_response:
continue;
}
/*
* If this peer has been marked as emitting broken
* NSEC records do not cache it.
*/
if (rdataset->type == dns_rdatatype_nsec && broken_nsec)
{
continue;
}
/*
* Don't cache NSEC if missing NSEC or RRSIG types.
*/
@ -5765,9 +5748,7 @@ answer_response:
* Look for \000 label in next name.
*/
if (rdataset->type == dns_rdatatype_nsec &&
fctx->res->view->reject_000_label &&
has_000_label(rdataset))
{
has_000_label(rdataset)) {
continue;
}
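Review bot: The `has_000_label()` skip in the caching loop under `answer_response:` is now unconditional, but the comment above it still reads only `Look for \000 label in next name.` and gives no reason for the skip. With the per-server `broken-nsec` skip removed in the same function, this check and the missing NSEC/RRSIG type check appear to be the only filters left between a validated but incorrectly generated NSEC record and the cache that synth-from-dnssec reads. The comment should state that intent, for example `Never cache NSEC records whose next name starts with a \000 label; they must not be used for negative response synthesis.` Operators who meet a server emitting other kinds of wrong NSEC records now seem to have only `synth-from-dnssec no;` left, which is worth stating in the option's documentation. The body of validated() starts and ends outside these hunks.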


@ -240,7 +240,6 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass, const char *name,
view->synthfromdnssec = true;
view->trust_anchor_telemetry = true;
view->root_key_sentinel = true;
view->reject_000_label = true;
view->new_zone_dir = NULL;
view->new_zone_file = NULL;
view->new_zone_db = NULL;


@ -2118,7 +2118,6 @@ static cfg_clausedef_t view_clauses[] = {
{ "queryport-pool-updateinterval", NULL, CFG_CLAUSEFLAG_ANCIENT },
{ "rate-limit", &cfg_type_rrl, 0 },
{ "recursion", &cfg_type_boolean, 0 },
{ "reject-000-label", &cfg_type_boolean, CFG_CLAUSEFLAG_DEPRECATED },
{ "request-nsid", &cfg_type_boolean, 0 },
{ "request-sit", NULL, CFG_CLAUSEFLAG_ANCIENT },
{ "require-server-cookie", &cfg_type_boolean, 0 },
@ -2515,7 +2514,6 @@ static cfg_type_t cfg_type_key = { "key", cfg_parse_named_map,
*/
static cfg_clausedef_t server_clauses[] = {
{ "bogus", &cfg_type_boolean, 0 },
{ "broken-nsec", &cfg_type_boolean, CFG_CLAUSEFLAG_DEPRECATED },
{ "edns", &cfg_type_boolean, 0 },
{ "edns-udp-size", &cfg_type_uint32, 0 },
{ "edns-version", &cfg_type_uint32, 0 },